dnsrecon

DNS Enumeration and Scanning Tool

TLDR

Scan a domain and save the results to a SQLite database

>_ dnsrecon --domain [example.com] --db [path/to/database.sqlite]
copy

Scan a domain, specifying the nameserver and performing a zone transfer

>_ dnsrecon --domain [example.com] --name_server [nameserver.example.com] --type axfr
copy

Scan a domain, using a dictionary of subdomains and hostnames for bruteforcing

>_ dnsrecon --domain [example.com] --dictionary [path/to/dictionary.txt] --type brt
copy

Scan a domain, performing a reverse lookup of IP ranges from the SPF record and saving the results to a JSON file

>_ dnsrecon --domain [example.com] -s --json
copy

Scan a domain, performing a Google enumeration and saving the results to a CSV file

>_ dnsrecon --domain [example.com] -g --csv
copy

Scan a domain, performing DNS cache snooping

>_ dnsrecon --domain [example.com] --type snoop --name_server [nameserver.example.com] --dictionary [path/to/dictionary.txt]
copy

Scan a domain, performing zone walking

>_ dnsrecon --domain [example.com] --type zonewalk
copy

SYNOPSIS

dnsrecon [-h][-dDOMAIN][-nNS_SERVER][-rRANGE][-DDICTIONARY] [-f] [-t TYPE] [-a] [-s] [-g] [-b] [-k] [-w] [-z] [--threads THREADS] [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV] [-j JSON] [--iw] [--disable_check_recursion] [--disable_check_bindversion] [-v]

DESCRIPTION

dsnrecon is a simple python script that enables to gather DNS-oriented information on a given target.

OPTIONS

-h, --help show help message and exit -d DOMAIN, --domain DOMAIN Target domain. -n NS_SERVER, --name_server NS_SERVER Domain server to use. If none is given, the SOA of the target will be used. Multiple servers can be specified using a comma separated list. -r RANGE, --range RANGE IP range for reverse lookup brute force in for‐ mats (first-last) or in (range/bitmask). -D DICTIONARY, --dictionary DICTIONARY Dictionary file of subdomain and hostnames to use for brute force. Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records. -f Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records. -t TYPE, --type TYPE Type of enumeration to perform. -a Perform AXFR with standard enumeration. -s Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration. -g Perform Google enumeration with standard enu‐ meration. -b Perform Bing enumeration with standard enumera‐ tion. -k Perform crt.sh enumeration with standard enu‐ meration. -w Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration. -z Performs a DNSSEC zone walk with standard enu‐ meration. --threads THREADS Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumera‐ tion. --lifetime LIFETIME Time to wait for a server to response to a query. --tcp Use TCP protocol to make queries. --db DB SQLite 3 file to save found records. -x XML, --xml XML XML file to save found records. -c CSV, --csv CSV Comma separated value file. -j JSON, --json JSON JSON file. --iw Continue brute forcing a domain even if a wild‐ card records are discovered. --disable_check_recursion Disables check for recursion on name servers --disable_check_bindversion Disables check for BIND version on name servers -v Enable verbose

EXAMPLES

attempts a zone transfer (AXFR) on the zonstransfer.me domain dnsrecon -t axfr -d zonetransfer.me DNSRECON(1)

Copied to clipboard
free 100$ digital ocean credit