dnsrecon usage notes

1. Tool overview

dnsrecon is a DNS record enumeration tool. One of its distinctive features is that it can discover a site's subdomains and IP addresses through Google searches. This is different from dnsmap, which brute-forces subdomains, so dnsrecon is faster than dnsmap; the drawback is that its results are less complete than dnsmap's.

2. Usage

Typing "dnsrecon -h" in a Kali terminal prints the available options and their usage:

light@kali:~# dnsrecon 
Version: 0.8.8
Usage: dnsrecon.py <options>
 
Options:
   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.
 
                               rvl      To Reverse Look Up a given CIDR IP range.
 
                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.
 
                               srv      To Enumerate common SRV Records for a given
                                        domain.
 
                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.
 
                               goo      Perform Google search for sub-domains and hosts.
 
                               snoop    To Perform a Cache Snooping against all NS 
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.
 
                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA
 
                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
 
   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         <number> Time to wait for a server to response to a query.
   --db               <file>   SQLite 3 file to save found records.
   --xml              <file>   XML File to save found records.
   --iw                        Continua bruteforcing a domain even if a wildcard record resolution is 
                               discovered.
   -c, --csv          <file>   Comma separated value file.
   -j, --json         <file>   JSON file.
   -v                          Show attempts in the bruteforce modes.

Option explanations:

  • -d: specifies the target domain
  • -x --axfr: AXFR request enumeration
  • -s --dospf: reverse lookup of the ranges in the SPF record
  • -g --google: enumerate subdomains and IPs via Google
  • -w --dowhois: whois lookup
  • --lifetime: response timeout; this option is required
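The -f and --iw options in the help text above deal with wildcard DNS records, which make every brute-forced name resolve and so turn a dictionary run into a list of false positives. As an added illustration (not dnsrecon's own code), the following Python shows that handling: resolve a random label first, and drop dictionary hits that only echo the wildcard answer. The resolver is passed in as a function so the code runs offline against a constructed sample zone; example.test and its addresses are made up.

```python
import random
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to the IPv4 addresses it resolves to (empty
# list when the name does not exist); live or canned resolvers both fit.
Resolver = Callable[[str], List[str]]

def detect_wildcard(domain: str, resolve: Resolver) -> Optional[List[str]]:
    """Resolve a random, almost certainly non-existent label under the
    domain. An answer means the zone has a wildcard record, and the
    returned address set is what every bogus name will resolve to."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    return sorted(resolve(f"{label}.{domain}")) or None

def brute_force(domain: str, words: List[str], resolve: Resolver,
                filter_wildcard: bool = True,
                continue_on_wildcard: bool = True) -> Dict[str, List[str]]:
    """Dictionary brute force with dnsrecon-style wildcard handling:
    filter_wildcard mirrors -f (drop hits that only repeat the wildcard
    answer); continue_on_wildcard mirrors --iw (keep going regardless)."""
    wildcard = detect_wildcard(domain, resolve)
    if wildcard and not continue_on_wildcard:
        return {}
    found: Dict[str, List[str]] = {}
    for word in words:
        host = f"{word}.{domain}"
        addrs = sorted(resolve(host))
        if not addrs:
            continue
        if filter_wildcard and wildcard and addrs == wildcard:
            continue  # same answer any bogus name gets: no evidence the host exists
        found[host] = addrs
    return found

# Constructed sample zone (not real data): two real hosts plus a wildcard
# that answers 203.0.113.99 for any other name under example.test.
SAMPLE_ZONE = {"www.example.test": ["203.0.113.10"],
               "mail.example.test": ["203.0.113.25"]}

def sample_resolve(name: str) -> List[str]:
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return ["203.0.113.99"] if name.endswith(".example.test") else []

if __name__ == "__main__":
    print(brute_force("example.test", ["www", "ftp", "mail", "dev"], sample_resolve))
```

For a live check of a zone you administer, pass a resolver that returns socket.gethostbyname_ex(name)[2] and returns an empty list on socket.gaierror.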

3. Example

Query the DNS information for 1ight.co:

root@kali:~# dnsrecon -d 1ight.co --lifetime 3
[*] Performing General Enumeration of Domain: 1ight.co
....

4. Related resources