diff --git a/tools/dnsenum.md b/tools/dnsenum.md new file mode 100644 index 0000000..02afda7 --- /dev/null +++ b/tools/dnsenum.md 
@@ -0,0 +1,51 @@ +# dnsenum + +Notes +------- + +Help Text +------- +``` +Usage: dnsenum.pl [Options] +[Options]: +Note: the brute force -f switch is obligatory. +GENERAL OPTIONS: + --dnsserver + Use this DNS server for A, NS and MX queries. + --enum Shortcut option equivalent to --threads 5 -s 15 -w. + -h, --help Print this help message. + --noreverse Skip the reverse lookup operations. + --private Show and save private ips at the end of the file domain_ips.txt. + --subfile Write all valid subdomains to this file. + -t, --timeout The tcp and udp timeout values in seconds (default: 10s). + --threads The number of threads that will perform different queries. + -v, --verbose Be verbose: show all the progress and all the error messages. +GOOGLE SCRAPING OPTIONS: + -p, --pages The number of google search pages to process when scraping names, + the default is 5 pages, the -s switch must be specified. + -s, --scrap The maximum number of subdomains that will be scraped from Google (default 15). +BRUTE FORCE OPTIONS: + -f, --file Read subdomains from this file to perform brute force. + -u, --update + Update the file specified with the -f switch with valid subdomains. + a (all) Update using all results. + g Update using only google scraping results. + r Update using only reverse lookup results. + z Update using only zonetransfer results. + -r, --recursion Recursion on subdomains, brute force all discovred subdomains that have an NS record. +WHOIS NETRANGE OPTIONS: + -d, --delay The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s. + -w, --whois Perform the whois queries on c class network ranges. + **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups. +REVERSE LOOKUP OPTIONS: + -e, --exclude + Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames. +OUTPUT OPTIONS: + -o --output Output in XML format. 
Can be imported in MagicTree (www.gremwell.com) +``` + +Example Usage +------- + +Links +------- diff --git a/tools/dnsmap.md b/tools/dnsmap.md new file mode 100644 index 0000000..010dd9f --- /dev/null +++ b/tools/dnsmap.md @@ -0,0 +1,28 @@ +# dnsmap + +Notes +------- + +Help Text +------- +``` +dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org) + +usage: dnsmap [options] +options: +-w +-r +-c +-d +-i (useful if you're obtaining false positives) +``` + +Example Usage +------- +dnsmap target-domain.foo +dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt +dnsmap target-fomain.foo -r /tmp/ -d 3000 +dnsmap target-fomain.foo -r ./domainbf_results.txt + +Links +------- diff --git a/tools/dnsrecon.md b/tools/dnsrecon.md new file mode 100644 index 0000000..d8151c9 --- /dev/null +++ b/tools/dnsrecon.md 
@@ -0,0 +1,72 @@ +# dnsrecon + +Notes +------- + +Help Text +------- +``` +Version: 0.8.1 +Usage: dnsrecon.py + +Options: + -h, --help Show this help message and exit + -d, --domain Domain to Target for enumeration. + -r, --range IP Range for reverse look-up brute force in formats (first-last) + or in (range/bitmask). + -n, --name_server Domain server to use, if none is given the SOA of the + target will be used + -D, --dictionary Dictionary file of sub-domain and hostnames to use for + brute force. + -f Filter out of Brute Force Domain lookup records that resolve to + the wildcard defined IP Address when saving records. + -t, --type Specify the type of enumeration to perform: + std To Enumerate general record types, enumerates. + SOA, NS, A, AAAA, MX and SRV if AXRF on the + NS Servers fail. + + rvl To Reverse Look Up a given CIDR IP range. + + brt To Brute force Domains and Hosts using a given + dictionary. + + srv To Enumerate common SRV Records for a given + + domain. + + axfr Test all NS Servers in a domain for misconfigured + zone transfers. + + goo Perform Google search for sub-domains and hosts. + + snoop To Perform a Cache Snooping against all NS + servers for a given domain, testing all with + file containing the domains, file given with -D + option. + + tld Will remove the TLD of given domain and test against + all TLD's registered in IANA + + zonewalk Will perform a DNSSEC Zone Walk using NSEC Records. + + -a Perform AXFR with the standard enumeration. + -s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the + targeted domain with the standard enumeration. + -g Perform Google enumeration with the standard enumeration. + -w Do deep whois record analysis and reverse look-up of IP + ranges found thru whois when doing standard query. + -z Performs a DNSSEC Zone Walk with the standard enumeration. 
+ --threads Number of threads to use in Range Reverse Look-up, Forward + Look-up Brute force and SRV Record Enumeration + --lifetime Time to wait for a server to response to a query. + --db SQLite 3 file to save found records. + --xml XML File to save found records. + -c, --csv Comma separated value file. + -v Show attempts in the bruteforce modes. +``` + +Example Usage +------- + +Links +------- diff --git a/tools/dnsrevenum6.md b/tools/dnsrevenum6.md new file mode 100644 index 0000000..57bc939 --- /dev/null +++ b/tools/dnsrevenum6.md @@ -0,0 +1,23 @@ +# dnsrevenum6 + +Notes +------- + +Help Text +------- +``` +dnsrevenum6 v2.3 (c) 2013 by van Hauser / THC www.thc.org + +Syntax: dnsrevenum6 dns-server ipv6address + +Performs a fast reverse DNS enumeration and is able to cope with slow servers. +Examples: + dnsrevenum6 dns.test.com 2001:db8:42a8::/48 + dnsrevenum6 dns.test.com 8.a.2.4.8.b.d.0.1.0.0.2.ip6.arpa +``` + +Example Usage +------- + +Links +------- diff --git a/tools/dnstracer.md b/tools/dnstracer.md new file mode 100644 index 0000000..57d5114 --- /dev/null +++ b/tools/dnstracer.md @@ -0,0 +1,28 @@ +# dnstracer + +Notes +------- + +Help Text +------- +``` +DNSTRACER version 1.8.1 - (c) Edwin Groothuis - http://www.mavetju.org +Usage: dnstracer [options] [host] + -c: disable local caching, default enabled + -C: enable negative caching, default disabled + -o: enable overview of received answers, default disabled + -q : query-type to use for the DNS requests, default A + -r : amount of retries for DNS requests, default 3 + -s : use this server for the initial request, default localhost + If . is specified, A.ROOT-SERVERS.NET will be used. + -t : Limit time to wait per try + -v: verbose + -S : use this source address. + -4: don't query IPv6 servers +``` + +Example Usage +------- + +Links +------- diff --git a/tools/dnswalk.md b/tools/dnswalk.md new file mode 100644 index 0000000..cdfbd77 --- /dev/null +++ b/tools/dnswalk.md 
@@ -0,0 +1,26 @@ +# dnswalk + +Notes +------- + +Help Text +------- +``` +Usage: dnswalk [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...] + +The following single-character options are accepted: + With arguments: -D + Boolean (without arguments): -r -f -i -a -d -m -F -l + +Options may be merged together. -- stops processing of options. +Space is not required between options and their arguments. + +Usage: dnswalk domain +domain MUST end with a '.' +``` + +Example Usage +------- + +Links +------- diff --git a/tools/fierce.md b/tools/fierce.md new file mode 100644 index 0000000..9c01637 --- /dev/null +++ b/tools/fierce.md 
@@ -0,0 +1,94 @@ +# fierce + +Notes +------- + +Help Text +------- +``` +fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/ + + Usage: perl fierce.pl [-dns example.com] [OPTIONS] + +Overview: + Fierce is a semi-lightweight scanner that helps locate non-contiguous + IP space and hostnames against specified domains. It's really meant + as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all + of those require that you already know what IP space you are looking + for. This does not perform exploitation and does not scan the whole + internet indiscriminately. It is meant specifically to locate likely + targets both inside and outside a corporate network. Because it uses + DNS primarily you will often find mis-configured networks that leak + internal address space. That's especially useful in targeted malware. + +Options: + -connect Attempt to make http connections to any non RFC1918 + (public) addresses. This will output the return headers but + be warned, this could take a long time against a company with + many targets, depending on network/machine lag. I wouldn't + recommend doing this unless it's a small company or you have a + lot of free time on your hands (could take hours-days). + Inside the file specified the text "Host:\n" will be replaced + by the host specified. Usage: + + perl fierce.pl -dns example.com -connect headers.txt + + -delay The number of seconds to wait between lookups. + -dns The domain you would like scanned. + -dnsfile Use DNS servers provided by a file (one per line) for + reverse lookups (brute force). + -dnsserver Use a particular DNS server for reverse lookups + (probably should be the DNS server of the target). Fierce + uses your DNS server for the initial SOA query and then uses + the target's DNS server for all additional queries by default. + -file A file you would like to output to be logged to. 
+ -fulloutput When combined with -connect this will output everything + the webserver sends back, not just the HTTP headers. + -help This screen. + -nopattern Don't use a search pattern when looking for nearby + hosts. Instead dump everything. This is really noisy but + is useful for finding other domains that spammers might be + using. It will also give you lots of false positives, + especially on large domains. + -range Scan an internal IP range (must be combined with + -dnsserver). Note, that this does not support a pattern + and will simply output anything it finds. Usage: + + perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co + + -search Search list. When fierce attempts to traverse up and + down ipspace it may encounter other servers within other + domains that may belong to the same company. If you supply a + comma delimited list to fierce it will report anything found. + This is especially useful if the corporate servers are named + different from the public facing website. Usage: + + perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany + + Note that using search could also greatly expand the number of + hosts found, as it will continue to traverse once it locates + servers that you specified in your search list. The more the + better. + -suppress Suppress all TTY output (when combined with -file). + -tcptimeout Specify a different timeout (default 10 seconds). You + may want to increase this if the DNS server you are querying + is slow or has a lot of network lag. + -threads Specify how many threads to use while scanning (default + is single threaded). + -traverse Specify a number of IPs above and below whatever IP you + have found to look for nearby IPs. Default is 5 above and + below. Traverse will not move into other C blocks. + -version Output the version number. + -wide Scan the entire class C after finding any matching + hostnames in that class C. 
This generates a lot more traffic + but can uncover a lot more information. + -wordlist Use a seperate wordlist (one word per line). Usage: + + perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt +``` + +Example Usage +------- + +Links +------- diff --git a/tools/urlcrazy.md b/tools/urlcrazy.md new file mode 100644 index 0000000..ad56a5f --- /dev/null +++ b/tools/urlcrazy.md @@ -0,0 +1,39 @@ +# urlcrazy + +Notes +------- + +Help Text +------- +``` +URLCrazy version 0.5 +by Andrew Horton (urbanadventurer) +http://www.morningstarsecurity.com/research/urlcrazy + +Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, +phishing, and corporate espionage. + +Supports the following domain variations: +Character omission, character repeat, adjacent character swap, adjacent character replacement, double +character replacement, adjacent character insertion, missing dot, strip dashes, singular or pluralise, +common misspellings, vowel swaps, homophones, bit flipping (cosmic rays), homoglyphs, wrong top level +domain, and wrong second level domain. + +Usage: /usr/bin/urlcrazy [options] domain + +Options + -k, --keyboard=LAYOUT Options are: qwerty, azerty, qwertz, dvorak (default: qwerty) + -p, --popularity Check domain popularity with Google + -r, --no-resolve Do not resolve DNS + -i, --show-invalid Show invalid domain names + -f, --format=TYPE Human readable or CSV (default: human readable) + -o, --output=FILE Output file + -h, --help This help + -v, --version Print version information. This version is 0.5 +``` + +Example Usage +------- + +Links +------- diff --git a/tools/zenmap.md b/tools/zenmap.md new file mode 100644 index 0000000..50caf25 --- /dev/null +++ b/tools/zenmap.md 
@@ -0,0 +1,37 @@ +# zenmap + +Notes +------- + +Help Text +------- +``` +Usage: zenmap [options] [result files] + +Options: + --version show program's version number and exit + -h, --help show this help message and exit + --confdir=DIR Use DIR as the user configuration directory. Default: + /root/.zenmap + -f RESULT_FILES, --file=RESULT_FILES + Specify a scan result file in Nmap XML output format. + Can be used more than once to specify several scan + result files. + -n, --nmap Run Nmap with the specified args. + -p PROFILE, --profile=PROFILE + Begin with the specified profile selected. If combined + with the -t (--target) option, automatically run the + profile against the specified target. + -t TARGET, --target=TARGET + Specify a target to be used along with other options. + If specified alone, open with the target field filled + with the specified target + -v, --verbose Increase verbosity of the output. May be used more + than once to get even more verbosity +``` + +Example Usage +------- + +Links +-------
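Review bot: in tools/dnsenum.md the option argument placeholders are missing from the help text, so `--dnsserver`, `--subfile`, `-t, --timeout`, `--threads`, `-f, --file` and `-e, --exclude` read as if they take no value (`--dnsserver` is followed directly by "Use this DNS server for A, NS and MX queries"); if the original help printed these as angle-bracket tokens, check they were not dropped when pasting, since inside a fence they render literally. The "Notes", "Example Usage" and "Links" headings are empty; either add at least one invocation (the help text says the `-f` switch is obligatory for brute force, which is exactly what a reader would want shown) or leave the headings out until there is content. Style: the title uses `# dnsenum` while the section headings use setext `-------` underlines; pick one style for the whole tools/ directory.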
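Review bot: in tools/dnsmap.md the Example Usage lines contain `target-fomain.foo` twice while the first two examples use `target-domain.foo`; this looks like a typo and the four lines should use the same placeholder domain. The examples are also outside a code fence while the Help Text is fenced; fence them the same way for consistency with the other files. The options list (`-w`, `-r`, `-c`, `-d`, `-i`) has lost its argument placeholders and descriptions, so it no longer tells the reader what each flag takes (the examples show `-w` takes a wordlist, `-r` an output path or directory and `-d` a delay in milliseconds, which is worth stating under Notes).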
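Review bot: in tools/dnsrecon.md the `-d, --domain`, `-r, --range`, `-n, --name_server`, `-D, --dictionary` and `-t, --type` entries have no argument placeholder, so `-t, --type Specify the type of enumeration to perform:` does not show that the mode keyword (std, rvl, brt, srv, axfr, goo, snoop, tld, zonewalk) is the value passed to `-t`; restore the placeholders or add one invocation per mode under Example Usage. The `--threads` description states it only applies to Range Reverse Look-up, Forward Look-up Brute force and SRV Record Enumeration, and `-f` only matters when a wildcard address is defined; both are the kind of caveat the empty Notes section is for.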
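Review bot: in tools/dnsrevenum6.md the help text already carries two example invocations (`dnsrevenum6 dns.test.com 2001:db8:42a8::/48` and the `ip6.arpa` form) but the Example Usage section is empty; copying them there, with a sentence in Notes that the first argument is the DNS server to query and the second is either an IPv6 prefix or a reverse zone name, would make the file match its own structure.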
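Review bot: in tools/dnstracer.md the `-q :`, `-r :`, `-s :`, `-t :` and `-S :` lines have a blank before the colon where the argument name belonged, so the reader cannot tell that `-s` takes a server, `-q` a record type and `-t` a time limit; check the placeholders survived copying. The line "If . is specified, A.ROOT-SERVERS.NET will be used" is the useful part for following a delegation chain from the root and is the natural candidate for the empty Example Usage section.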
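Review bot: in tools/dnswalk.md the captured help text is the generic Getopt auto-usage ("With arguments: -D", "Boolean (without arguments): -r -f -i -a -d -m -F -l") and says nothing about what any flag does; the file needs either a one-line description per flag under Notes or a link to the man page under Links. The one concrete constraint, "domain MUST end with a '.'", should be carried into Example Usage so the trailing dot is not forgotten.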
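Review bot: in tools/fierce.md the `-range` usage example ends with `ns1.example.co`, which looks truncated relative to the `example.com` used elsewhere in the same help; since this is quoted tool output, leave it but flag it in Notes, together with the stated requirement that `-range` must be combined with `-dnsserver`. The help also warns that `-connect` opens HTTP connections to every public address found and "could take hours-days", and that `-wide` "generates a lot more traffic"; those two warnings are what a reader needs before choosing options and belong in the currently empty Notes section rather than only deep inside the fence.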
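Review bot: in tools/urlcrazy.md the Usage line is `/usr/bin/urlcrazy [options] domain`, the absolute path of the install where the help was captured, whereas the other files show the bare command; note the command as `urlcrazy` in Notes. For Example Usage, an invocation using `-f csv` with `-o FILE` (both options are in the help) would show the output the tool produces when monitoring typo variants of one's own domain, which is the defensive use the description mentions.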
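Review bot: in tools/zenmap.md the line `--confdir=DIR ... Default: /root/.zenmap` shows the home directory of the account that captured the help (root), not a fixed default; add a note under Notes that the default is the running user's `~/.zenmap` so the file does not imply the tool has to be run as root. Like the other files, Example Usage and Links are empty headings; the `-f RESULT_FILES` option (open saved Nmap XML) is the one most readers of this note would want an example of.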