[dns-operations] dnsmap: subdomain bruteforcer for stealth enumeration (fwd)

John Kristoff jtk at ultradns.net
Mon Sep 18 21:46:51 UTC 2006


On Mon, 18 Sep 2006 15:53:46 +0000
Paul Vixie <paul at vix.com> wrote:

> (thanks to gadi evron for forwarding a copy of this.)

I took a quick look at the code and it seems pretty basic.  It seems
to boil down to this:

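  #!/bin/sh

  # Usage: script zone dictionary_file
  if [ $# -ne 2 ]
  then
      echo "$0 zone dictionary_file"
      exit 1
  fi

  dom=$1

  # Wildcard check: a made-up label should come back NXDOMAIN
  if [ "$(host "pseudorandsubabcdef1234dnsmap.$dom" | grep -c NXDOMAIN)" -eq 0 ]
  then
      echo Lame wildcard detection triggered, exiting...
      exit 1
  fi

  # Look up every dictionary word as a label under the zone
  dict_file=$2
  for each in $(cat "$dict_file")
  do
      host "$each.$dom"
  done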

If you want to see if some newbie is running this tool against a zone,
look for the following first label in queries:

   pseudorandsubabcdef1234dnsmap

John
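
The check suggested in the message above, applied to query logs, as an added example that is not part of the original message or of dnsmap. It assumes BIND-style query log lines; the function name and the sample lines are constructed for illustration.

```python
import re

# First label dnsmap uses for its wildcard check (from the message above).
CANARY = "pseudorandsubabcdef1234dnsmap"

# Assumed input format: BIND-style query log lines,
# "... client ADDR#PORT ...: query: NAME IN TYPE ...".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def find_dnsmap_runs(lines):
    """Return {(client_ip, zone): sorted labels that client tried after the canary}."""
    runs = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        qname = m.group("qname").rstrip(".").lower()
        first, _, zone = qname.partition(".")
        if first == CANARY and zone:
            # The canary query marks the start of a run against this zone.
            runs.setdefault((ip, zone), set())
        elif (ip, zone) in runs:
            # Later single-label lookups under the same zone from the same client.
            runs[(ip, zone)].add(first)
    return {key: sorted(labels) for key, labels in runs.items()}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
18-Sep-2006 21:40:01.101 queries: info: client 192.0.2.10#53124: query: pseudorandsubabcdef1234dnsmap.example.com IN A +
18-Sep-2006 21:40:01.350 queries: info: client 192.0.2.10#53125: query: www.example.com IN A +
18-Sep-2006 21:40:01.360 queries: info: client 198.51.100.7#40000: query: www.example.com IN A +
18-Sep-2006 21:40:01.602 queries: info: client 192.0.2.10#53126: query: mail.example.com IN A +
18-Sep-2006 21:40:01.850 queries: info: client 192.0.2.10#53127: query: VPN.Example.COM. IN A +
""".splitlines()

if __name__ == "__main__":
    for (ip, zone), labels in find_dnsmap_runs(SAMPLE_LOG).items():
        print(f"{ip} probed {zone}: canary seen, then {len(labels)} labels: {labels}")
```

On an authoritative server the client address is usually the recursive resolver the tool was pointed at, not the host running it.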


