==DNSNINJA== Version 0.1.1 / 24.05.2012 --=[ Disclaimer ]=-----------------------------------------------------// This document describes DNSNINJA, a tool to perform dictionary based queries against DNS servers. The author of this document provides the software AS IS and and cannot be made responsible for any damage that may occur while using this tool. This software may contain errors or may not work properly in certain circumstances. Therefore, use this tool at your own risk. You can use this tool free of charge and you are allowed to freely modify and distribute it. Please check section "License" for more details. --[ Contents ]---------------------------------------------------------- 1 - Introduction 2 - The Tool 2.1 - Overview 2.2 - Features 2.3 - Usage 2.3.1 - Command-line Arguments 2.3.2 - Doing Forward DNS Lookups 2.3.3 - Doing Reverse DNS Lookups 2.3.4 - Saving Results to a File 2.4 - Building from Source 2.5 - License 2.6 - Source Code Repository 2.7 - Similar Tools 2.8 - Reporting Bugs and Features 3 - Bibliography 4 - Contact --[ 1 - Introduction ]-------------------------------------------------- DNS servers are an important source of information during information gathering in a penetration testing project. Attackers / penetration testers use data in DNS servers to obtain knowledge about live systems. DNS servers become even more important in the IPv6 world, where simple subnet scanning won't be possible anymore due to the huge address space provided. This tool shall support penetration testers during their information gathering activities and reduce the need for manual, repetitive tasks. --[ 2 - The Tool ]------------------------------------------------------ ----[ 2.1 - Overview ]-------------------------------------------------- DNSNINJA is a tool to query DNS servers by either using a prepared word list to send forward DNS lookup queries or a list of ip addresses to send reverse DNS lookup queries. It allows the user to quickly enumerate hosts in a DNS domain or an ip range. The tool is mainly aimed at pentesters and shall provide support in their daily job during information gathering. A tool like this can generate heavy load on the target. It is therefore adviced to take caution. System administrators at the target's site could interpret such scans as a certain type of attack and take counter- measures. Therefore, use with caution. You have been warned. ----[ 2.2 - Features ]-------------------------------------------------- the current version of DNSNINJA offers the following features: + Supports multi-threading + Do forward DNS lookups based on wordlist + Do reverse DNS lookups based on a list of ip addresses + Query up to five DNS servers in parallel to distribute the load + Save the results to a text file + Supports different log levels ----[ 2.3 - Usage ]----------------------------------------------------- This chapter explains basic usage of DNSNINJA. ----[ 2.3.1 - Command-line Arguments ]---------------------------------- The following command-line arguments are supported: --reverse, -r Do a reverse DNS lookup. If not specified, a forward DNS lookup will be performed. --servers=<ip1,ip2,...>, -s <ip1,ip2,...> List of DNS servers, which shall be used as targets for DNS queries. --domain=<domain name>, -d <domain name> Specify the domain to be queried. Only used when doing forward DNS lookups (e.g. -d foo.org). --inputfile=<filename>, -i <filename> The file containing either a list of ip addresses or host names, depending on the lookup mode (reverse, forward). --outputfile=<filename>, -o <filename> Allows you to write the query results into a simple, comma-separated text file. This allows you to further process the results in other tools. --loglevel=<level>, -l <level> Specifies the desired log level. The following levels are supported: 1 = ERROR (Log errors only) 2 = INFO (Log additional information) 3 = DEBUG (Log debug level information) --version, -v Displays version information. --help, -h Display help page. ----[ 2.3.2 - Doing Forward DNS Lookups ]------------------------------- Usage of this tool is quite simple. Do do a simple forward DNS lookup search based on a wordlist, run the following command: $ ./dnsninja -s 111.222.333.444 -d mydomain.com -i myhosts.txt This connects to the DNS server 111.222.333.444 and sends queries for the mydomain.com domain. It uses the file myhosts.txt which contains entries like these: $ cat myhosts.txt www backup mail webmail gatekeeper www1 www2 www3 The myhosts.txt file and the specified domain are used to form DNS queries such as: www.mydomain.com backup.mydomain.com ... If a host has been found, the ip address of this host is returned. ----[ 2.3.3 - Doing Reverse DNS Lookups ]------------------------------- Doing reverse DNS lookups works similar. To do reverse DNS lookups based on a list of ip addresses, run the following command: $ ./dnsninja -r -s 111.222.333.444 -i myips.txt Again, the DNS server 111.222.333.444 is contacted to DNS PTR queries will be sent to this machine. As a result, you will receive the name of the domains associated with that ip. ----[ 2.3.4 - Saving Output to a File ]--------------------------------- DNSNINJA displays the results on screen. But sometimes it is desirable to save the results to a text file. You can do this by specifying the -o option on the command line like this: $ ./dnsninja -s 111.222.333.444 -d mydomain.com -i myhosts.txt -o results.txt ----[ 2.4 - Building from Source ]-------------------------------------- Befor you can build the tool from source, your system must meet some preconditions. Currently they are: + gcc must be installed. + make must be installed. The source distribution can be built from source by conducting the following steps on your box: 1. Copy the file dnsninja-<version>.tar.gz to your linux box. Make sure, it is located in a dedicated directory, since extraction will put the files directly in there. 2. Extract the tarball using: $ tar xvf dnsninja-<version>.tar.gz 3. Compile the source code using: $ make Optionally, you can compile it in debug mode in order to add debug information to the resulting binary. You'll need that only if you like to debug using gdb. To create a debug binary invoke: $ make DEBUG=1 The resulting binary is now ready to use. As for now, I've tested the binary on the following platforms and it just runs fine: + Arch Linux + Debian 6 Squeeze + Cygwin ----[ 2.5 - License ]--------------------------------------------------- Copyright 2012 André Gasser DNSNINJA is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. DNSNINJA is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with DNSNINJA. If not, see <http://www.gnu.org/licenses/>. ----[ 2.6 - Source Code Repository ]------------------------------------ The latest version of the tool is always available here: + https://github.com/shoka/dnsninja ----[ 2.7 - Similar Tools ]--------------------------------------------- This tool was partly inspired by other tools like this. These are: + dnsmap by pagvac (http://code.google.com/p/dnsmap + dns-discovery by m0nad (http://code.google.com/p/dns-discovery) ----[ 2.8 - Reporting Bugs and Features ]------------------------------- This software is probably far away from a bug-free state. Because of this, I am very glad to receive feedback from you regarding DNSNINJA. You can either contact me by mail or, even better, open a new issue on github.com. ----[ 3 - Bibliography ]------------------------------------------------ [1] Reverse DNS lookups http://www.xinotes.org/notes/note/1665/ [2] RFC 1034 - Domain Names - Concepts and Facilities http://www.ietf.org/rfc/rfc1035.txt [3] RFC 1035 - Domain Implementation and Specification http://www.ietf.org/rfc/rfc1035.txt ----[ 4 - Contact ]----------------------------------------------------- Mail: andre.gasser@gmx.ch Jabber: sh0ka@jabber.ccc.de Blog: http://blog.andregasser.net