dns-grind

pentestmonkey.net, https://pentestmonkey.net/tools/misc/dns-grind. Published 2006-10-15, last modified 2011-08-31.

Tool for performing lots of DNS queries quickly.

Download dns-grind v1.0 here.

SHA1sum: db2beb7ca6caf4343f81936d78617f02b87da024
MD5sum: f145a5acf5cc53507d9be147adbe384e

Compare the downloaded file against these sums before you run it. User documentation is also available in PDF format.

dns-grind is a tool for performing lots of DNS queries quickly. In particular:

- You can instruct dns-grind to query only a specific nameserver you're testing, or to act like a normal DNS client and use the DNS configuration from your OS.
- You can pass it a simple list of records to look up, or you can give it prefixes (e.g. www, test, ftp, ...) and suffixes (foobar.com, foo-bar.com) and it will look up every prefix/suffix combination. The examples below should make this a bit clearer.

dns-grind is a stand-alone Perl script, so installation is as simple as copying it somewhere in your path. It has only been tested under Linux so far.

It depends on the Net::DNS Perl module, which you may need to install first. If you have Perl installed, you should be able to install it from CPAN (the exact commands are in the Installation section of the user documentation below).

dns-grind must be given either a file of records to look up (-f) or a combination of prefixes (-p for one, -P for a file) and suffixes (-s for one, -S for a file). The last parameter is the DNS query type; only a few types (A, NS, MX and PTR) are supported at present.

Note the -m option (maximum number of resolver processes). Generally speaking you want at least 25 query processes running, because DNS lookups are slow if done sequentially by a small number of processes. Be aware that this tool can stress your local recursive DNS server. I've known the DNS service on ADSL routers to fall over if -m is set too high.

If you want to stress a different DNS server instead, use the -n option. If the server you name is authoritative for the zone you are grinding and does not offer recursion, add -r 0 so that the queries are sent with recursion turned off.

Bruteforcing hostnames (A-record lookups)

In the first example in the user documentation below, we use a file of hostname prefixes (-P, the file-of-prefixes option) and a single domain, pentestmonkey.net (-s, the single-suffix option). A single A-record is found.

NB: a wildcard A-record will ruin this search, because every prefix then resolves to the same address. You could always 'grep -v wildcard-ip' the output as a workaround; a sounder check is to look up a random label under the domain first and treat whatever it returns as the wildcard answer to be discarded.

A variant of this scan would be to look for subdomains by replacing hostname-prefixes.txt with subdomain-prefixes.txt (us, uk, hq, intranet, etc.) and searching for NS-records instead of A-records.

Finding registered domains (NS-record lookups)

The premise for this search is that only registered domains have corresponding NS records. The real-world example in the user documentation below shows that this method more or less works, but needs a little refinement.

We supply a prefix of 'pentestmonkey' with the -p option, and a file of potential suffixes (a list of TLDs) [1] with the -S option. Note the capital letter in -S or -P to signify a file option, and lowercase -p or -s for a single prefix or suffix [2].

After a bit of further investigation we find that there's a wildcard NS record for any domain ending in .mp, .sh, .ac, .io, or .tm. These results are effectively false positives. So is .vg, for which a CNAME is returned when we look up the NS record.

The only registered domains with a prefix of 'pentestmonkey' are therefore .com, .net and .org.

Finding interesting hosts in an IP range (PTR-record lookups)

Simply supply a list of IP addresses with the -f option. In the example in the user documentation below we use the genip tool [3] to generate the list of IPs first.

License

This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.

In all other respects the GPL version 2 applies (the full notice is in the License section of the user documentation below).

dns-grind User Documentation
Contents

    Overview
    Installation
    Usage
    Some Examples
        Bruteforcing Hostnames (A-record Lookups)
        Finding Registered Domains (NS-record Lookups)
        Finding Interesting Hosts In An IP Range (PTR-record Lookups)
    License

Overview

dns-grind is a tool for performing lots of DNS queries quickly: against a nameserver of your choosing or via the OS resolver configuration, over an explicit list of names or over every combination of a set of prefixes and a set of suffixes. The sections below give the installation steps, the usage text and worked examples for A, NS and PTR lookups.
Installation

dns-grind is a stand-alone Perl script: copy it somewhere in your path. It depends on the Net::DNS module, which you may need to install first. If you have Perl installed you should be able to install it from CPAN:

    # perl -MCPAN -e shell
    cpan> install Net::DNS
Usage

Pass either a file of records to look up (-f) or a combination of prefixes (-p/-P) and suffixes (-s/-S); the last argument is the query type.

    Usage: ./dns-grind.pl -f file | (( -p prefix | -P file ) | ( -s suffix | -S file )) query-type

    query-type is one of:
        A
        NS
        MX
        PTR

    options are:
        -m n      Maximum number of resolver processes (default: 25)
        -p        Prefix of hostname or domain
        -P file   File of hostname or domain prefixes
        -s        Suffix of hostname or domain
        -S file   File of hostname or domain suffixes
        -f        File of hostnames or domains
        -n host   Nameserver to use (default: determined by OS)
        -d        Debugging output
        -r 0|1    Use recursive queries (default: 1)
        -t n      Wait a maximum of n seconds for reply (default: 5)
        -v        Verbose
        -h        This help message
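The following is an added example, not dns-grind's own code: a small Python analogue of the query loop described by the usage text above. It builds the candidate list the way the -f, -p/-P and -s/-S options do (and expands a CIDR block into in-addr.arpa names for PTR lookups, the job genip does in the PTR example), runs the lookups through a bounded pool of workers in the role of -m, and gives the batch a deadline in the role of -t. The zone data, the slow name and the fake_resolve function are constructed stand-ins so the block runs offline; to use it for real you would pass a resolve function that wraps a DNS library (dnspython's dns.resolver.resolve is one option, which is an assumption about your environment rather than anything the page uses) and returns [] for NXDOMAIN and no-data responses.

```python
import concurrent.futures
import ipaddress
import itertools
import time

# Constructed sample zone (not real data): name -> {qtype: [answers]}
FAKE_ZONE = {
    "www.pentestmonkey.net": {"A": ["213.165.240.11"]},
    "pentestmonkey.net": {"NS": ["ns0.nl.ev6.net", "ns0.uk.ev6.net"]},
    "10.0.0.10.in-addr.arpa": {"PTR": ["www.example.com"]},
    "99.0.0.10.in-addr.arpa": {"PTR": ["manager.example.com"]},
}
# A constructed name whose lookup hangs, to exercise the deadline path.
SLOW_NAMES = {"backup.pentestmonkey.net"}


def fake_resolve(name, qtype):
    """Stand-in for a real lookup. Returns the list of answers, empty when the
    name does not exist or has no record of that type. A wrapper around a real
    DNS library should behave the same and turn NXDOMAIN/NoAnswer into []."""
    if name in SLOW_NAMES:
        time.sleep(1.5)
    return FAKE_ZONE.get(name, {}).get(qtype, [])


def candidates(qtype, names=(), prefixes=(), suffixes=(), ip_range=None):
    """Yield the names to query, mirroring dns-grind's inputs:
    names               an explicit list, like -f file
    prefixes x suffixes every combination, like -p/-P with -s/-S
    ip_range            for PTR lookups, a CIDR block expanded to the
                        in-addr.arpa name of every host address."""
    yield from names
    for prefix, suffix in itertools.product(prefixes, suffixes):
        yield f"{prefix}.{suffix}"
    if ip_range is not None and qtype == "PTR":
        for ip in ipaddress.ip_network(ip_range).hosts():
            yield ip.reverse_pointer


def grind(qtype, resolve=fake_resolve, max_workers=25, timeout=5.0, **inputs):
    """Query every candidate with at most max_workers lookups in flight (-m)
    and give the batch `timeout` seconds to answer (-t).
    Returns (hits, timeouts): hits maps name -> answers; timeouts lists the
    names still unanswered when the deadline passed."""
    hits = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {pool.submit(resolve, name, qtype): name
                   for name in candidates(qtype, **inputs)}
        done, not_done = concurrent.futures.wait(futures, timeout=timeout)
        for fut in done:
            try:
                answers = fut.result()
            except Exception:          # resolver raised: treat as no answer
                continue
            if answers:
                hits[futures[fut]] = answers
        timeouts = sorted(futures[fut] for fut in not_done)
    return hits, timeouts


if __name__ == "__main__":
    # Equivalent of: dns-grind.pl -P hostname-prefixes.txt -s pentestmonkey.net A
    found, slow = grind("A", prefixes=["alpha", "backup", "cray", "www"],
                        suffixes=["pentestmonkey.net"], max_workers=4, timeout=0.5)
    for name, answers in sorted(found.items()):
        print(name, ",".join(answers), sep="\t")
    for name in slow:
        print(name, "timed out", sep="\t")
```

The deadline is applied to the batch as a whole rather than per query, so one unresponsive name costs at most `timeout` seconds of waiting instead of stalling a worker indefinitely; the names reported in `timeouts` are worth re-running once the resolver has recovered, since against a struggling recursive server (the ADSL router case above) a timeout is not evidence that the name does not exist.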
Some Examples

Bruteforcing Hostnames (A-record Lookups)

A file of hostname prefixes (-P) combined with a single domain suffix (-s); one A-record is found:

    $ cat hostname-prefixes.txt
    alpha
    backup
    cray
    ...
    $ dns-grind.pl -P hostname-prefixes.txt -s pentestmonkey.net A
    www.pentestmonkey.net        213.165.240.11
Finding Registered Domains (NS-record Lookups)

A single prefix (-p) combined with a file of TLD suffixes (-S). The .mp, .sh, .ac, .io and .tm answers come from wildcard NS records in those TLDs, and .vg returns a CNAME rather than an NS record, so only .com, .net and .org are genuine hits:

    $ cat tlds.txt
    ac
    ad
    ae
    ...

    $ dns-grind.pl -p pentestmonkey -S tlds.txt ns
    pentestmonkey.mp ns1.sdcdns.mp,ns2.sdcdns.mp
    pentestmonkey.vg
    pentestmonkey.sh ns1c.nic.ac,ns2c.nic.ac
    pentestmonkey.net ns0.nl.ev6.net,ns0.uk.ev6.net
    pentestmonkey.com ns0.nl.ev6.net,ns0.uk.ev6.net,ns1.uk.ev6.net
    pentestmonkey.ac ns1c.nic.ac,ns2c.nic.ac
    pentestmonkey.io ns1c.nic.ac,ns2c.nic.ac
    pentestmonkey.tm ns1c.nic.ac,ns2c.nic.ac
    pentestmonkey.org ns0.uk.ev6.net,ns1.uk.ev6.net,ns0.nl.ev6.net
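The NS search above needed manual investigation to discard the wildcard TLDs and the CNAME, and the hostname search earlier relies on 'grep -v wildcard-ip'. The block below is an added example, not part of dns-grind, showing how both kinds of false positive can be filtered automatically: before grinding a suffix it looks up a random label that cannot legitimately exist under it, records what comes back as the wildcard answer, drops every hit whose answer set is identical to it, and drops hits whose only answer is a CNAME, since a CNAME is not an NS (or A) record for that name. The zone data, the wildcard entries and the fake_resolve function are constructed stand-ins so the block runs offline; a real resolve function would return (rdtype, value) pairs from a DNS library (dnspython is one option, an assumption about your environment rather than something the page uses).

```python
import secrets

# Constructed zone (not real data): name -> list of (rdtype, value).
# "*.suffix" entries model wildcard records, which answer for any
# otherwise-unknown single label directly under the suffix.
FAKE_ZONE = {
    "www.pentestmonkey.net": [("A", "213.165.240.11")],
    "*.example.com": [("A", "192.0.2.1")],                    # wildcard A record
    "mail.example.com": [("A", "192.0.2.25")],                # real host beside the wildcard
    "pentestmonkey.net": [("NS", "ns0.nl.ev6.net"), ("NS", "ns0.uk.ev6.net")],
    "*.ac": [("NS", "ns1c.nic.ac"), ("NS", "ns2c.nic.ac")],  # wildcard NS in a TLD
    "pentestmonkey.vg": [("CNAME", "alias.example")],         # CNAME where an NS was asked for
}


def fake_resolve(name, qtype):
    """Return the records of type qtype at name. CNAMEs are always included,
    as a real resolver returns them in the answer section whatever was asked."""
    rrs = FAKE_ZONE.get(name)
    if rrs is None:
        parent = name.split(".", 1)[1] if "." in name else ""
        rrs = FAKE_ZONE.get("*." + parent, [])
    return [(t, v) for t, v in rrs if t in (qtype, "CNAME")]


def wildcard_answer(suffix, qtype, resolve):
    """Probe a random label under suffix. The answer set (empty if there is no
    wildcard) is what any non-existent name under this suffix will return."""
    probe = secrets.token_hex(8) + "." + suffix
    return frozenset(resolve(probe, qtype))


def grind_filtered(prefixes, suffixes, qtype, resolve=fake_resolve):
    """Look up prefix.suffix for every combination and keep only hits that are
    neither wildcard matches nor CNAME-only answers. Returns (hits, wildcards):
    hits maps name -> list of qtype values; wildcards maps each suffix found to
    have a wildcard to the answer set that was discarded."""
    hits, wildcards = {}, {}
    for suffix in suffixes:
        wc = wildcard_answer(suffix, qtype, resolve)
        if wc:
            wildcards[suffix] = wc
        for prefix in prefixes:
            name = f"{prefix}.{suffix}"
            answers = resolve(name, qtype)
            if not answers:
                continue
            if frozenset(answers) == wc:
                continue          # identical to a random label's answer: wildcard
            real = [v for t, v in answers if t == qtype]
            if not real:
                continue          # CNAME only: no genuine record of the type asked for
            hits[name] = real
    return hits, wildcards


if __name__ == "__main__":
    # Filtered equivalent of: dns-grind.pl -p pentestmonkey -S tlds.txt ns
    found, wildcards = grind_filtered(["pentestmonkey"], ["net", "com", "ac", "vg"], "NS")
    for name, answers in sorted(found.items()):
        print(name, ",".join(answers), sep="\t")
    for suffix, answer in wildcards.items():
        print(f"# {suffix}: wildcard ({', '.join(v for _, v in sorted(answer))}), matches dropped")
```

Two limits of the check are worth knowing. A genuine host that happens to share the wildcard's exact answer set is indistinguishable from a wildcard match and is dropped with it; and a zone that rotates answers (round-robin addresses, varying NS sets) can make a wildcard match look different from the probe, so for such suffixes probe two or three random labels and treat the union of their answers as the wildcard set.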
Finding Interesting Hosts In An IP Range (PTR-record Lookups)

A list of IP addresses supplied with -f; genip [3] expands the CIDR block into one address per line first:

    $ genip 10.0.0.0/24 > ips.txt
    $ dns-grind.pl -f ips.txt PTR
    10.0.0.10        www.example.com
    10.0.0.99        manager.example.com
License

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License version 2 as
    published by the Free Software Foundation.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.