DNSMap in Pen Testing


DNSMap in Pen Testing (https://code.google.com/p/dnsmap/)

DNSMap will scan a domain and return a list of its subdomains. Subdomains that have been orphaned (neglected) or that were rushed into production tend to have more vulnerabilities than those deployed through an organization’s normal release channels, so they are worth looking for.

What is a subdomain?

A subdomain is the part of a hostname that comes before the primary domain name. For example, when you search for an image on Google you end up on images.google.com, with “images” being the subdomain.

Spotting High Value Targets

As a penetration tester, the subdomains in the output below should all be considered valuable. Sites such as “test-do-not-delete.icecreamhoneypot.com” likely have less security than the actual production site. “admin.icecreamhoneypot.com” and “cpanel.icecreamhoneypot.com” suggest the ability to gain higher levels of access.

root@kali:~# dnsmap icecreamhoneypot.com
dnsmap 0.30 – DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for icecreamhoneypot.com
[+] using maximum random delay of 10 millisecond(s) between requests

dev.icecreamhoneypot.com
IP address #1: 127.0.0.1

admin.icecreamhoneypot.com
IP address #1: 127.0.0.1

mail.icecreamhoneypot.com
IP address #1: 127.0.0.1
IP address #2: 198.162.0.1

crash-and-burn.icecreamhoneypot.com
IP address #1: 127.0.0.1

test-do-not-delete.icecreamhoneypot.com
IP address #1: 127.0.0.1

cpanel.icecreamhoneypot.com
IP address #1: 127.0.0.1

ftp.icecreamhoneypot.com
IP address #1: 127.0.0.1

webmail.icecreamhoneypot.com
IP address #1: 127.0.0.1

Maximizing DNSmap

DNSMap is a brute-force tool, meaning that it gets its results by working through a list of candidate names. DNSmap’s native list is good, but by no means as complete as others you can download. This simple Google search can provide several options. To run DNSMap with a wordlist, use the -w parameter: “dnsmap <target URL> -w <wordlistname>”. An example for scanning the site “icecreamhoneypot.com” with a wordlist named “domainlist.txt” would look like:

dnsmap icecreamhoneypot.com -w domainlist.txt

If your test results in a large list, it can be helpful to have dnsmap save the results in a CSV file to provide to your client. You can do this with the -c parameter followed by your desired filename:

dnsmap icecreamhoneypot.com -w domainlist.txt -c icecreamhoneypot_DNS_results.csv
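The triage step described under “Spotting High Value Targets” can be automated against dnsmap’s text output. The following is an added example, not part of this post or of dnsmap itself: it parses the output format shown above (the sample text is constructed), flags names whose leading label suggests a forgotten or privileged host (the keyword list is a hypothetical starting point), and writes a CSV for the report.

```python
import csv
import io
import re

# Constructed sample in the dnsmap 0.30 text output format shown in this post.
SAMPLE_OUTPUT = """\
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for icecreamhoneypot.com
[+] using maximum random delay of 10 millisecond(s) between requests

dev.icecreamhoneypot.com
IP address #1: 127.0.0.1

mail.icecreamhoneypot.com
IP address #1: 127.0.0.1
IP address #2: 198.162.0.1

test-do-not-delete.icecreamhoneypot.com
IP address #1: 127.0.0.1
"""

# Hypothetical keyword list: labels that suggest an orphaned or privileged host.
REVIEW_KEYWORDS = ("test", "do-not-delete", "admin", "cpanel", "dev", "crash")

IP_LINE = re.compile(r"^IP address #\d+:\s*(\S+)$")

def parse_dnsmap(text):
    """Return {hostname: [ip, ...]} in output order from dnsmap text output."""
    hosts = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[+]") or line.startswith("dnsmap "):
            continue  # banner and status lines carry no results
        m = IP_LINE.match(line)
        if m and current:
            hosts[current].append(m.group(1))
        else:
            current = line  # any other non-empty line is a discovered hostname
            hosts.setdefault(current, [])
    return hosts

def flag_for_review(hostname):
    """True when the leftmost label contains a keyword worth manual review."""
    label = hostname.split(".")[0].lower()
    return any(k in label for k in REVIEW_KEYWORDS)

def to_csv(hosts):
    """One row per (hostname, ip) plus a review column, for the report appendix."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["hostname", "ip", "review"])
    for host, ips in hosts.items():
        for ip in ips:
            w.writerow([host, ip, "yes" if flag_for_review(host) else "no"])
    return buf.getvalue()
```

Feed real dnsmap output to parse_dnsmap in place of SAMPLE_OUTPUT; the review column only highlights names for a human to confirm against the Rules of Engagement.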

Real Life Examples

When conducting Web assessments, I always search for subdomains that look like they were put up quickly outside of normal release processes, since that usually means security was bypassed in the process. For example, I once found a site called “testing-today-do-not-delete.—website–.com.” In spite of being called “testing-today-do-not-delete…”, the subdomain had been there for several years and contained lots of production data, but absolutely no security. On another assessment I found a subdomain advertising a contest give-away for tickets to a major sporting event that had taken place four years earlier. The site and its hosting software had not been updated since, and there were still plenty of vulnerabilities to be exploited.


Keeping It Clean

Not all pen testing engagements will have an unlimited scope. Which sites get tested and which get ignored is up to your client. Confirm that your Rules of Engagement for the assessment allow you to test these subdomains before commencing. If nothing else, a list of all subdomains under the client’s domain is often a welcome addendum to a pen test report.
