Objective

Use DNSenum to scan your server to see which information is publicly available.

Distributions

This works best with Kali Linux, but can be done on any distribution with Perl.

Requirements

A working Linux install. Root is required if you need to install DNSenum.

Difficulty

Easy

Conventions

  • # - requires given command to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - given command to be executed as a regular non-privileged user

Introduction

It's important to regularly test any public-facing server to see which information it's making available. That information is important to attackers. They can use it to put together a picture of your server, what's running on it, and which exploits might work against it.

Install DNSenum

If you're running Kali, you already have DNSenum, so there's no need to worry. If you're running something else, make sure that you have Perl(You probably do). You also need a couple of Perl libraries to get the full functionality.
$ sudo apt install libtest-www-mechanize-perl libnet-whois-ip-perl
From there, you can download and run DNSenum. It's just a Perl script. You can get it from the project's [Github](https://github.com/fwaeytens/dnsenum).

Performing A Basic Scan



Scanning With DNSenum

It's super easy to run a basic scan. Point DNSenum in the direction of the server's domain, and run the scan. Only do this with a server you own or have permission to scan. This guide will use hackthissite.org, which is a site designed for testing pentesting tools. Run the full command.
$ dnsenum hackthissite.org
The report will show you any DNS records that the script was able to find. It will also find the nameservers that are being used, email records, and IP addresses. The script will attempt zone transfers too. If successful, those can be used to carry out an attack.

A More Advanced Scan

If you want to gather more information about the site, you can dig through the flags that DNSenum makes available, or you could use the --enum flag. It will try to gather whois information and use Google to dig up subdomains, if they're available.
$ dnsenum --enum hackthissite.org
The results will have additional entries and sections for the subdomains. Any additional information can help you gain a better understanding of your server.

Closing Thoughts

DNSenum is a great way tool for gathering information. Information is key to understanding and preventing attacks. In many cases, security breaches happen because something was overlooked. The more you know about your server, the better prepared you are to prevent a breach.