weyne/kaliwiki
1
0
Fork 0
mirror of https://github.com/mubix/kaliwiki.git synced 2025-10-29 16:59:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7 from pwnwiki/giga1699

Browse Source 
DNS Info Gathering
This commit is contained in:
Giga Murphy 2014-02-07 09:48:31 -05:00
commit 43aedd1126
9 changed files with 398 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
tools/dnsenum.md Normal file
View File

@ -0,0 +1,51 @@
# dnsenum
Notes
-------
Help Text
-------
```
Usage: dnsenum.pl [Options] <domain>
[Options]:
Note: the brute force -f switch is obligatory.
GENERAL OPTIONS:
--dnsserver <server>
Use this DNS server for A, NS and MX queries.
--enum Shortcut option equivalent to --threads 5 -s 15 -w.
-h, --help Print this help message.
--noreverse Skip the reverse lookup operations.
--private Show and save private ips at the end of the file domain_ips.txt.
--subfile <file> Write all valid subdomains to this file.
-t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
--threads <value> The number of threads that will perform different queries.
-v, --verbose Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
-p, --pages <value> The number of google search pages to process when scraping names,
the default is 5 pages, the -s switch must be specified.
-s, --scrap <value> The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
-f, --file <file> Read subdomains from this file to perform brute force.
-u, --update <a|g|r|z>
Update the file specified with the -f switch with valid subdomains.
a (all) Update using all results.
g Update using only google scraping results.
r Update using only reverse lookup results.
z Update using only zonetransfer results.
-r, --recursion Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
-d, --delay <value> The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
-w, --whois Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
-e, --exclude <regexp>
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
-o --output <file> Output in XML format. Can be imported in MagicTree (www.gremwell.com)
```
Example Usage
-------
Links
-------

28
tools/dnsmap.md Normal file
View File

@ -0,0 +1,28 @@
# dnsmap
Notes
-------
Help Text
-------
```
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
usage: dnsmap <target-domain> [options]
options:
-w <wordlist-file>
-r <regular-results-file>
-c <csv-results-file>
-d <delay-millisecs>
-i <ips-to-ignore> (useful if you're obtaining false positives)
```
Example Usage
-------
dnsmap target-domain.foo
dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-fomain.foo -r /tmp/ -d 3000
dnsmap target-fomain.foo -r ./domainbf_results.txt
Links
-------

72
tools/dnsrecon.md Normal file
View File

@ -0,0 +1,72 @@
# dnsrecon
Notes
-------
Help Text
-------
```
Version: 0.8.1
Usage: dnsrecon.py <options>
Options:
-h, --help Show this help message and exit
-d, --domain <domain> Domain to Target for enumeration.
-r, --range <range> IP Range for reverse look-up brute force in formats (first-last)
or in (range/bitmask).
-n, --name_server <name> Domain server to use, if none is given the SOA of the
target will be used
-D, --dictionary <file> Dictionary file of sub-domain and hostnames to use for
brute force.
-f Filter out of Brute Force Domain lookup records that resolve to
the wildcard defined IP Address when saving records.
-t, --type <types> Specify the type of enumeration to perform:
std To Enumerate general record types, enumerates.
SOA, NS, A, AAAA, MX and SRV if AXRF on the
NS Servers fail.
rvl To Reverse Look Up a given CIDR IP range.
brt To Brute force Domains and Hosts using a given
dictionary.
srv To Enumerate common SRV Records for a given
domain.
axfr Test all NS Servers in a domain for misconfigured
zone transfers.
goo Perform Google search for sub-domains and hosts.
snoop To Perform a Cache Snooping against all NS
servers for a given domain, testing all with
file containing the domains, file given with -D
option.
tld Will remove the TLD of given domain and test against
all TLD's registered in IANA
zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
-a Perform AXFR with the standard enumeration.
-s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
targeted domain with the standard enumeration.
-g Perform Google enumeration with the standard enumeration.
-w Do deep whois record analysis and reverse look-up of IP
ranges found thru whois when doing standard query.
-z Performs a DNSSEC Zone Walk with the standard enumeration.
--threads <number> Number of threads to use in Range Reverse Look-up, Forward
Look-up Brute force and SRV Record Enumeration
--lifetime <number> Time to wait for a server to response to a query.
--db <file> SQLite 3 file to save found records.
--xml <file> XML File to save found records.
-c, --csv <file> Comma separated value file.
-v Show attempts in the bruteforce modes.
```
Example Usage
-------
Links
-------

23
tools/dnsrevenum6.md Normal file
View File

@ -0,0 +1,23 @@
# dnsrevenum6
Notes
-------
Help Text
-------
```
dnsrevenum6 v2.3 (c) 2013 by van Hauser / THC <vh@thc.org> www.thc.org
Syntax: dnsrevenum6 dns-server ipv6address
Performs a fast reverse DNS enumeration and is able to cope with slow servers.
Examples:
dnsrevenum6 dns.test.com 2001:db8:42a8::/48
dnsrevenum6 dns.test.com 8.a.2.4.8.b.d.0.1.0.0.2.ip6.arpa
```
Example Usage
-------
Links
-------

28
tools/dnstracer.md Normal file
View File

@ -0,0 +1,28 @@
# dnstracer
Notes
-------
Help Text
-------
```
DNSTRACER version 1.8.1 - (c) Edwin Groothuis - http://www.mavetju.org
Usage: dnstracer [options] [host]
-c: disable local caching, default enabled
-C: enable negative caching, default disabled
-o: enable overview of received answers, default disabled
-q <querytype>: query-type to use for the DNS requests, default A
-r <retries>: amount of retries for DNS requests, default 3
-s <server>: use this server for the initial request, default localhost
If . is specified, A.ROOT-SERVERS.NET will be used.
-t <maximum timeout>: Limit time to wait per try
-v: verbose
-S <ip address>: use this source address.
-4: don't query IPv6 servers
```
Example Usage
-------
Links
-------

26
tools/dnswalk.md Normal file
View File

@ -0,0 +1,26 @@
# dnswalk
Notes
-------
Help Text
-------
```
Usage: dnswalk [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]
The following single-character options are accepted:
With arguments: -D
Boolean (without arguments): -r -f -i -a -d -m -F -l
Options may be merged together. -- stops processing of options.
Space is not required between options and their arguments.
Usage: dnswalk domain
domain MUST end with a '.'
```
Example Usage
-------
Links
-------

94
tools/fierce.md Normal file
View File

@ -0,0 +1,94 @@
# fierce
Notes
-------
Help Text
-------
```
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
Usage: perl fierce.pl [-dns example.com] [OPTIONS]
Overview:
Fierce is a semi-lightweight scanner that helps locate non-contiguous
IP space and hostnames against specified domains. It's really meant
as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
of those require that you already know what IP space you are looking
for. This does not perform exploitation and does not scan the whole
internet indiscriminately. It is meant specifically to locate likely
targets both inside and outside a corporate network. Because it uses
DNS primarily you will often find mis-configured networks that leak
internal address space. That's especially useful in targeted malware.
Options:
-connect Attempt to make http connections to any non RFC1918
(public) addresses. This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag. I wouldn't
recommend doing this unless it's a small company or you have a
lot of free time on your hands (could take hours-days).
Inside the file specified the text "Host:\n" will be replaced
by the host specified. Usage:
perl fierce.pl -dns example.com -connect headers.txt
-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for
reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups
(probably should be the DNS server of the target). Fierce
uses your DNS server for the initial SOA query and then uses
the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don't use a search pattern when looking for nearby
hosts. Instead dump everything. This is really noisy but
is useful for finding other domains that spammers might be
using. It will also give you lots of false positives,
especially on large domains.
-range Scan an internal IP range (must be combined with
-dnsserver). Note, that this does not support a pattern
and will simply output anything it finds. Usage:
perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
-search Search list. When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company. If you supply a
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website. Usage:
perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list. The more the
better.
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds). You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads Specify how many threads to use while scanning (default
is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs. Default is 5 above and
below. Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C. This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line). Usage:
perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt
```
Example Usage
-------
Links
-------

39
tools/urlcrazy.md Normal file
View File

@ -0,0 +1,39 @@
# urlcrazy
Notes
-------
Help Text
-------
```
URLCrazy version 0.5
by Andrew Horton (urbanadventurer)
http://www.morningstarsecurity.com/research/urlcrazy
Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking,
phishing, and corporate espionage.
Supports the following domain variations:
Character omission, character repeat, adjacent character swap, adjacent character replacement, double
character replacement, adjacent character insertion, missing dot, strip dashes, singular or pluralise,
common misspellings, vowel swaps, homophones, bit flipping (cosmic rays), homoglyphs, wrong top level
domain, and wrong second level domain.
Usage: /usr/bin/urlcrazy [options] domain
Options
-k, --keyboard=LAYOUT Options are: qwerty, azerty, qwertz, dvorak (default: qwerty)
-p, --popularity Check domain popularity with Google
-r, --no-resolve Do not resolve DNS
-i, --show-invalid Show invalid domain names
-f, --format=TYPE Human readable or CSV (default: human readable)
-o, --output=FILE Output file
-h, --help This help
-v, --version Print version information. This version is 0.5
```
Example Usage
-------
Links
-------

37
tools/zenmap.md Normal file
View File

@ -0,0 +1,37 @@
# zenmap
Notes
-------
Help Text
-------
```
Usage: zenmap [options] [result files]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--confdir=DIR Use DIR as the user configuration directory. Default:
/root/.zenmap
-f RESULT_FILES, --file=RESULT_FILES
Specify a scan result file in Nmap XML output format.
Can be used more than once to specify several scan
result files.
-n, --nmap Run Nmap with the specified args.
-p PROFILE, --profile=PROFILE
Begin with the specified profile selected. If combined
with the -t (--target) option, automatically run the
profile against the specified target.
-t TARGET, --target=TARGET
Specify a target to be used along with other options.
If specified alone, open with the target field filled
with the specified target
-v, --verbose Increase verbosity of the output. May be used more
than once to get even more verbosity
```
Example Usage
-------
Links
-------