Tool for performing lots of DNS queries quickly.
Download dns-grind v1.0 here.
SHA1sum: db2beb7ca6caf4343f81936d78617f02b87da024
MD5sum: f145a5acf5cc53507d9be147adbe384e
User documentation is also available in PDF format.
dns-grind User Documentation
Contents
Overview
dns-grind is a tool for performs lots of DNS queries quickly. In particular:
- Bruteforce guessing of hostnames within a domain, e.g. if foobar.com doesn’t allow zone transfers, you can dns-grind to start guessing hostnames: www.foobar.com, test.foobar.com, ftp.foobar.com, etc.
- Quickly search a list of potential domain names for those that have name servers, e.g. If you’re testing for Foobar Enterprises Ltd, might want to search a list of domain like foobar.ac, foobar.ad, etc.
- Look for interesting hosts in a list of IP addresses by searching for PTR records – the manual equivalent of ‘dig -x 10.0.0.1′, ‘dig -x 10.0.0.2′, etc.
You can instruct dns-grind to only query a specific nameserver you’re testing, or to act like a normal DNS client and use the DNS configuration from your OS.
You can pass it a simple list of records to look up or you can give prefixes (e.g. www, test, ftp, …) and suffixes (foobar.com, foo-bar.com). The examples below should make this a bit clearer.
Installation
dns-grind is just a stand alone PERL script, so installation is as simple as copying it to your path. It has only been tested under Linux so far.
It depends on the following PERL modules which you may need to install first:
- Net::DNS
- Socket
- IO::Handle
- IO::Select
- Getopt::Std
If you have PERL installed, you should be able to install the modules from CPAN:
# perl -MCPAN -e shell cpan> install Net::DNS
Usage
dns-grind should first be passed either a file of records to look up or a combination of prefixes and suffixes. The last parameter should be passed is the DNS query type. Only a few are supported currently.
Usage: ./dns-grind.pl -f file | (( -p prefix | -P file ) | ( -s suffix | -S file )) query-type
query-type is one of:
A
NS
MX
PTR
options are:
-m n Maximum number of resolver processes (default: 25)
-p Prefix of hostname or domain
-P file File of hostname or domain prefixes
-s Suffix of hostname or domain
-S file File of hostname of domain suffixes
-f File of hostnames or domains
-n host Nameserver to use (default: determined by OS)
-d Debugging output
-r 0|1 Use recursive queries (default: 1)
-t n Wait a maximum of n seconds for reply (default: 5)
-v Verbose
-h This help message
Note the -m option above. Generally speaking you want at least 25 query processes running because DNS lookup can be slow if done sequentially by a low number of processes. Be aware that this tool can stress your local recursive DNS server. I’ve known the DNS service on ADSL routers to fall over if -m is set too high.
If you want to stress a different DNS server instead, use the -n option.
Some Examples
Bruteforcing Hostnames (A-record Lookups)
In the example below, we use a file of hostname prefixes (with ‘-P’ for prefix option) and a domain, pentestmonkey.net (with the ‘-s’ for suffix option). A single A-record is found.
$ cat hostname-prefixes.txt alpha backup cray ... $ dns-grind.pl -P hostname-prefixes.txt -s pentestmonkey.net A www.pentestmonkey.net 213.165.240.11
NB: Wildcard A-records may ruin your search, but you could always ‘grep -v wildcard-ip’ as a workaround.
A variant of this scan would be to look for subdomains by replacing hostname-prefixes.txt with subdomain-prefixes.txt (us, uk, hq, intranet, etc.) and searching for NS-records instead of A-records.
Finding Registered Domains (NS-record Lookups)
The premise for this search is that only registered domains have corresponding NS records. The real-world example below shows that this method kinda works, but needs a little refinement.
We supply a prefix of ‘pentestmonkey’ with the ‘-p’ option, and a file of potential suffixes 1 with the -S option. Note the captial letter in -S or -P to signify a file option, and lowercase -p or -s for a single prefix or suffix2.
$ cat tlds.txt ac ad ae ... $ dns-grind.pl -p pentestmonkey -S tlds.txt ns pentestmonkey.mp ns1.sdcdns.mp,ns2.sdcdns.mp pentestmonkey.vg pentestmonkey.sh ns1c.nic.ac,ns2c.nic.ac pentestmonkey.net ns0.nl.ev6.net,ns0.uk.ev6.net pentestmonkey.com ns0.nl.ev6.net,ns0.uk.ev6.net,ns1.uk.ev6.net pentestmonkey.ac ns1c.nic.ac,ns2c.nic.ac pentestmonkey.io ns1c.nic.ac,ns2c.nic.ac pentestmonkey.tm ns1c.nic.ac,ns2c.nic.ac pentestmonkey.org ns0.uk.ev6.net,ns1.uk.ev6.net,ns0.nl.ev6.net
After a bit of further investigation we find that there’s a wildcard NS record for any domain ending in .mp, .sh, .ac, .io, or .tm. These results are effectively false-positives. As is .vg for which a CNAME is returned when we look up the NS record.
The only registered domains with a prefix of ‘pentestmonkey’ are therefore .com, .net and .org.
Finding Interesting Hosts In An IP Range (PTR-record Lookups)
Simply supply a list of IP addresses with the -f option. Below we use the genip3tool to generate a list of IPs first.
$ genip 10.0.0.0/24 > ips.txt $ dns-grind.pl -f ips.txt PTR 10.0.0.10 www.example.com 10.0.0.99 manager.example.com
License
This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.
In all other respects the GPL version 2 applies:
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.