Showing posts with label DNS Analysis.

ReverseRaider domain scanner - Backtrack 5 R3

Introduction

ReverseRaider is a domain scanner used to enumerate sub-domains of a given domain. The tool ships with three wordlists:-
  • Fast.list wordlist
  • Services.list wordlist and
  • Word.list wordlist

Objectives

In this tutorial, we will tell you how to enumerate sub-domains using three wordlists (which are named above).


Procedure


How to open it:-
  • To open it, goto Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> reverseraider. You can also open it through Terminal: open Terminal and change to its directory with cd /pentest/enumeration/reverseraider .

How to use it :-
  • To enumerate domains by fast.list, run this command: ./reverseraider -d <domain name> -w wordlists/fast.list
  • To enumerate domains by services.list, run this command: ./reverseraider -d <domain name> -w wordlists/services.list
  • To enumerate domains by word.list, run this command: ./reverseraider -d <domain name> -w wordlists/word.list

To see the other available options, run ./reverseraider with no arguments. This prints every option together with its usage.

This is only for educational purposes!!

How to use Load Balancing Detector (lbd)

Introduction

Load Balancing Detector (lbd) is a tool which checks whether a given domain uses load balancing or not. Pentesters and hackers mainly use it to check whether a site is DoS-able or not.

Objectives

In this tutorial we will learn how to use Load Balancing Detector (lbd).

Procedure

How to open it :-
  • Open it through Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> lbd. You can also open it through Terminal: open Terminal, then type cd /pentest/enumeration/web/lbd and hit Enter.

How to use it :-
  • To use it, run this command: ./lbd.sh <domain name>
  • The tool first scans for DNS load balancing and then for HTTP load balancing.
  • At last, it shows the result.

Conclusion

At the end of this tutorial we know how to use this tool and why it is used.
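The two checks the tutorial describes, DNS load balancing followed by HTTP load balancing, as an added example written for this page (it is not lbd's own code). DNS balancing shows up as more than one address across repeated lookups; HTTP balancing shows up as successive responses that disagree on the Server header or carry Date headers that go backwards (unsynchronised backend clocks). The DNS answers and HTTP headers at the bottom are constructed samples so the block runs offline.

```python
# Load-balancing detection in the spirit of lbd: DNS-level (do repeated
# lookups return more than one address?) and HTTP-level (do successive
# responses disagree on the Server header, or carry Date headers that go
# backwards, i.e. unsynchronised backend clocks?).  Added example, not
# lbd's own code; the samples at the bottom are constructed.
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, Mapping


def dns_load_balanced(answers_per_query: Iterable[Iterable[str]]) -> bool:
    """True if the A-record answers collected over several lookups contain
    more than one distinct address (several records in one answer, or
    different records on different queries, as with round-robin DNS)."""
    seen = set()
    for answer in answers_per_query:
        seen.update(answer)
    return len(seen) > 1


def http_load_balanced(responses: Iterable[Mapping[str, str]]) -> Dict[str, bool]:
    """Inspect the headers of successive responses to the same URL.
    'server': the Server header changed between responses.
    'date':   a later response carried an earlier Date than a previous one,
              which a single correctly clocked server would not produce."""
    servers = set()
    dates = []
    for headers in responses:
        lower = {k.lower(): v for k, v in headers.items()}
        if "server" in lower:
            servers.add(lower["server"])
        if "date" in lower:
            dates.append(parsedate_to_datetime(lower["date"]))
    date_out_of_order = any(later < earlier for earlier, later in zip(dates, dates[1:]))
    return {"server": len(servers) > 1, "date": date_out_of_order}


# Constructed samples: lookups that rotate between two addresses, and three
# responses where a different backend (other Server string, clock two
# seconds behind) answered the second request.
SAMPLE_DNS = [["198.51.100.10"], ["198.51.100.11"], ["198.51.100.10"]]
SAMPLE_HTTP = [
    {"Server": "nginx/1.18.0", "Date": "Mon, 01 Jan 2024 10:00:00 GMT"},
    {"Server": "Apache", "Date": "Mon, 01 Jan 2024 09:59:58 GMT"},
    {"Server": "nginx/1.18.0", "Date": "Mon, 01 Jan 2024 10:00:01 GMT"},
]

if __name__ == "__main__":
    print("DNS load balancing:", dns_load_balanced(SAMPLE_DNS))
    print("HTTP load balancing:", http_load_balanced(SAMPLE_HTTP))
```

For a site you administer, a "server" or "date" hit means the balancer is leaking per-backend fingerprints; normalising the Server header and syncing backend clocks removes the tell.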

SubDomain Enumeration With fierce Tool-Backtrack 5 R3

Introduction


Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It is really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. It does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily, you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.


Procedure Of Using This Tool

How To Open it :-
  • To open it, goto Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> fierce. Or you can open it through Terminal: type "cd /pentest/enumeration/dns/fierce" and hit Enter.


Simple Usage:-
  • To use this tool, run this command: ./fierce.pl -dns <domain>


What Happens If Zone Transfer Fails :-
  • If the zone transfer fails, fierce automatically starts brute-forcing the domain.

Usage With Options:-
  • To use an option, type ./fierce.pl -dns <domain name> <option>. One example: ./fierce.pl -dns xyz.com -wordlist <wordlist path>


Conclusion :-

In this tutorial we have learned how to enumerate sub-domains using the fierce tool. Feel free to ask if you have any question.

This tutorial is only for educational purposes. I'm not responsible for any type of illegal activity done by you.

Information Gathering With dnsrecon-Backtrack 5 Rx

dnsrecon is a DNS enumeration tool written in Python. Features of dnsrecon:-

  1. You can brute-force sub-domains using the inbuilt wordlist or your own wordlist.
  2. You can enumerate general record types, like SOA, NS, A, AAAA, MX and SRV.
  3. You can reverse look up a given CIDR IP range.
  4. You can test all NS servers in a domain for misconfigured zone transfers.
  5. You can also search sub-domains through a Google query.
  6. You can enumerate top-level domains.



In this tutorial we will only discuss:-

  1. std:- Enumerate general record types.
  2. srv:- Enumerate SRV records.
  3. axfr:- Test all NS servers in a domain for misconfigured zone transfers.
  4. goo:- Search sub-domains through Google.
  5. tld:- Enumerate top-level domains.




So let's begin:-

  • Open dnsrecon through Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> dnsrecon, or open it through Terminal with cd /pentest/enumeration/dns/dnsrecon
  • For std, type ./dnsrecon.py -t std -d <domain name>
  • For srv, type ./dnsrecon.py -t srv -d <domain name>
  • For axfr, type ./dnsrecon.py -t axfr -d <domain name>
  • For goo, type ./dnsrecon.py -t goo -d <domain name>
  • For tld, type ./dnsrecon.py -t tld -d <domain name>


 


Points to be noted:-

  • -d is used to specify the domain.
  • -t is used to specify which type of enumeration you want to run.

This is only for Educational Purpose.

DNS Network Mapper by dnsmap Tool-Backtrack 5 Rx

Hello Friends!! Today I'm gonna tell you how to use the dnsmap tool.

Features of dnsmap:-

  1. Obtain all IP addresses (A records) associated with each successfully brute-forced sub-domain, rather than just one IP address per sub-domain.
  2. Abort the brute-forcing process in case the target domain uses wildcards.
  3. Ability to run the tool without providing a wordlist, by using a built-in list of keywords.
  4. Brute-forcing by using a user-supplied wordlist (as opposed to the built-in wordlist).
  5. Saving the results in human-readable and CSV format for easy processing.
  6. Improved built-in sub-domains wordlist.
  7. New bash script (dnsmap-bulk.sh) included, which allows running dnsmap against a list of domains from a user-supplied file, i.e. brute-forcing several domains in bulk.
  8. Bypassing of signature-based dnsmap detection by generating a proper pseudo-random sub-domain when checking for wildcards.

So now let's come to our tutorial:-

  • First, open dnsmap through Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> dnsmap, or by terminal: cd /pentest/enumeration/dns/dnsmap/
  • Type ./dnsmap and hit Enter to see all the available options and usages.
  • Now type ./dnsmap <domain name>; this will brute-force the sub-domains.
  • To save your results in a text file, type ./dnsmap <domain name> -r <results file>
  • In my case, the result text file is saved in the Home folder (root folder).
  • To save results in a CSV file, type ./dnsmap <domain name> -c <csv file>
  • If you want to brute-force sub-domains using your own wordlist, type ./dnsmap google.com -w <wordlist path>

Stay Tuned For Next Tutorial :)
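The wordlist technique shared by reverseraider, fierce and dnsmap, together with the wildcard check that dnsmap's features 2 and 8 describe, as an added example written for this page (not any of those tools' code). It first queries pseudo-random labels that no wordlist contains; if they resolve, the zone has a wildcard record and every word would otherwise appear to exist, so answers pointing at the wildcard address are discarded. Lookups go through an injected resolve() function so the block runs offline against the constructed zone at the bottom; wiring it to socket.gethostbyname_ex or dnspython for a live check of a zone you administer is an assumption, not shown here.

```python
# Wildcard-aware sub-domain wordlist check, the technique behind dnsmap's
# wildcard abort (features 2 and 8) and the wordlist scans of reverseraider
# and fierce.  Added example, not any of those tools' code.  Lookups go
# through an injected resolve() so it runs offline against the constructed
# zone below; a live resolver built on socket.gethostbyname_ex or dnspython
# is an assumption and is not shown here.
import secrets
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Query a few pseudo-random labels that no wordlist would contain.
    If they resolve, the zone has a wildcard record; return its addresses."""
    found: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, e.g. "3f9a..."
        answer = resolve(f"{label}.{domain}")
        if answer:
            found.update(answer)
    return found


def enumerate_subdomains(domain: str, words: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Resolve word.domain for every word, keeping only answers that point
    somewhere other than the wildcard address (those are real hosts).
    Without this filter every word in the list would appear to exist."""
    wild = wildcard_addresses(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        answer = resolve(name)
        real = [ip for ip in (answer or []) if ip not in wild]
        if real:
            found[name] = real
    return found


# Constructed zone: two real hosts plus a wildcard that answers any name.
FAKE_ZONE = {"www.example.test": ["192.0.2.10"],
             "mail.example.test": ["192.0.2.20", "192.0.2.21"]}
WILDCARD_IP = "192.0.2.99"


def fake_resolver(name: str) -> Optional[List[str]]:
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    if name.endswith(".example.test"):
        return [WILDCARD_IP]  # the wildcard record catches everything else
    return None
```

Run against your own zone, the result is the list of hostnames a wordlist scanner would discover, which is the list worth reviewing for forgotten or unintended entries.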

DNS Information Gathering With DNSENUM - Backtrack 5 Rx

The purpose of Dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:

1) Get the host's address (A record).
2) Get the nameservers (threaded).
3) Get the MX record (threaded).
4) Perform axfr queries on nameservers and get BIND versions (threaded).
5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain").
6) Brute force subdomains from file, can also perform recursion on subdomains that have NS records (all threaded).
7) Calculate C class domain network ranges and perform whois queries on them (threaded).
8) Perform reverse lookups on netranges (C class or/and whois netranges) (threaded).
9) Write ip-blocks to the domain_ips.txt file.

Let's begin:-

  • Firstly, open the dnsenum tool from Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> dnsenum
  • Basic usage of dnsenum is ./dnsenum.pl <domain name>
  • As you can see in the image, it will tell you all the available Host's addresses, Name Servers and Mail (MX) Servers, and it will also try a zone transfer against each listed name server.

Now let's come to the Google Scraping option:-
  • For Google Scraping, type ./dnsenum.pl -p 1 -s 1 example.com, but this option doesn't work for me.

Note:-
  • -p is used to tell dnsenum the number of google search pages to process when scraping names.

  • To bruteforce, type ./dnsenum.pl -f dns.txt example.com

Here are all the options which are available in the dnsenum tool:
  Usage: dnsenum.pl [Options] <domain>
  [Options]:
  Note: the brute force -f switch is obligatory.
  GENERAL OPTIONS:
    --dnsserver <server>  Use this DNS server for A, NS and MX queries.
    --enum                Shortcut option equivalent to --threads 5 -s 20 -w.
    -h, --help            Print this help message.
    --noreverse           Skip the reverse lookup operations.
    --private             Show and save private ips at the end of the file domain_ips.txt.
    --subfile <file>      Write all valid subdomains to this file.
    -t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
    --threads <value>     The number of threads that will perform different queries.
    -v, --verbose         Be verbose: show all the progress and all the error messages.
  GOOGLE SCRAPING OPTIONS:
    -p, --pages <value>   The number of google search pages to process when scraping names,
                          the default is 20 pages, the -s switch must be specified.
    -s, --scrap <value>   The maximum number of subdomains that will be scraped from Google.
  BRUTE FORCE OPTIONS:
    -f, --file <file>     Read subdomains from this file to perform brute force.

How To Enumerate Domains by dnsdict6 - Backtrack 5 Rx

Hello Readers!! Today I'm gonna tell you how to find domains or subdomains using the dnsdict6 tool, which comes under Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> dnsdict6

The dnsdict6 tool is mainly used for gathering information about a particular domain. It finds sub-domains which are invisible to the public but still exist; such hosts may have been forgotten by the admin and may carry serious vulnerabilities.

So now let's come to our topic:-
  • Firstly, open the dnsdict6 tool from Backtrack >> Information Gathering >> Network Analysis >> DNS Analysis >> dnsdict6, or open it by typing dnsdict6 in Terminal, then hit Enter.

Note:-
  1. -d is used to display information on Name Servers and MX Records.
  2. -4 is used to dump IPv4 addresses.
  3. There are four dictionaries already built into this tool: -s(mall=50), -m(edium=796) (DEFAULT), -l(arge=1416), or -x(treme=3211).
  4. -t is used to specify the number of threads.

  • To enumerate the domains, type dnsdict6 -d46 -s -x -t 25 www.example.com. Then hit Enter.
  • Wait for a few minutes, until it completes.
  • After completion, it will show approximately all the sub-domains, name servers, etc.

Stay Tuned For More Tutorials And Latest Songs and Albums.