Objective
Use DNSenum to scan your server to see which information is publicly available.
Distributions
This works best with Kali Linux, but can be done on any distribution with Perl.
Requirements
A working Linux install. Root is required if you need to install DNSenum.
- # - requires given Linux commands to be executed with root privileges either directly as a root user or by use of
- $ - requires given Linux commands to be executed as a regular non-privileged user
Introduction
It's important to regularly test any public-facing server to see which information it's making available. That information is important to attackers. They can use it to put together a picture of your server, what's running on it, and which exploits might work against it.
Install DNSenum
If you're running Kali, you already have DNSenum, so there's no need to worry. If you're running something else, make sure that you have Perl (you probably do). You also need a couple of Perl libraries to get the full functionality.
$ sudo apt install libtest-www-mechanize-perl libnet-whois-ip-perl
From there, you can download and run DNSenum. It's just a Perl script. You can get it from the project's [GitHub](https://github.com/fwaeytens/dnsenum).
Performing A Basic Scan
It's super easy to run a basic scan. Point DNSenum in the direction of the server's domain, and run the scan. Only do this with a server you own or have permission to scan. This guide will use hackthissite.org, which is a site designed for testing pentesting tools. Run the full command.
$ dnsenum hackthissite.org
The report will show you any DNS records that the script was able to find. It will also find the nameservers that are being used, email records, and IP addresses. The script will attempt zone transfers too. If successful, those can be used to carry out an attack.
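To confirm the zone-transfer result against each nameserver of a zone you own, the script below classifies the output of `dig axfr`. It is an added example, not part of DNSenum or the original guide; it assumes `dig` is installed, and `example.com` and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: audit a zone you own for open zone transfers (AXFR).

# Classify the text printed by `dig axfr`. A completed transfer begins and
# ends with the zone's SOA record; a refused one prints "; Transfer failed.".
# Timeouts and connection errors also end up as CLOSED.
axfr_verdict() {
    awk '
        /^; Transfer failed/      { failed = 1 }
        /^[^;]/ && $4 == "SOA"    { soa++ }
        /^[^;]/ && NF >= 5        { records++ }
        END {
            if (!failed && soa >= 2) printf "OPEN %d\n", records
            else print "CLOSED"
        }'
}

# Ask every authoritative nameserver of the zone for a transfer.
# Needs dig and network access; runs in a subshell to keep variables local.
audit_zone() (
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        printf '%s: ' "$ns"
        dig +time=5 +tries=1 axfr "$zone" "@$ns" | axfr_verdict
    done
)

# Constructed sample: a nameserver that hands over the whole zone.
SAMPLE_OPEN='; <<>> DiG 9.18 <<>> axfr example.com @ns1.example.com
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
dev.example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 3600
;; XFR size: 4 records (messages 1, bytes 200)'

# Constructed sample: a nameserver that refuses the transfer.
SAMPLE_REFUSED='; <<>> DiG 9.18 <<>> axfr example.com @ns1.example.com
; Transfer failed.'

# With a zone name as argument, audit it live: sh axfr-audit.sh example.com
if [ "$#" -gt 0 ]; then
    audit_zone "$1"
fi
```

Any nameserver reported as `OPEN` should have transfers restricted to its secondary servers.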
A More Advanced Scan
If you want to gather more information about the site, you can dig through the flags that DNSenum makes available, or you could use the --enum flag. It will try to gather whois information and use Google to dig up subdomains, if they're available.
$ dnsenum --enum hackthissite.org
The results will have additional entries and sections for the subdomains. Any additional information can help you gain a better understanding of your server.