Tuesday, May 25, 2010

Adding and using hostmap.rb to BT4

The next tool is hostmap.rb, a Ruby script for DNS discovery.
This tool is available at http://hostmap.lonerunners.net/

So to get started visit the above link, download and save the tarball.

root@dorkness:/tmp/# tar xvf hostmap-0.2.2.tar

Remove the tarball, then move the directory to /pentest/enumeration/hostmap-0.2.2/

root@dorkness:/tmp/# rm -rf hostmap-0.2.2.tar*


root@dorkness:pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb -h

Usage: hostmap.rb [options] -t [target]
Target options:
-t, --target [STRING] set target domain
Discovery options:
--with-zonetransfer
enable DNS zone transfer check
--without-bruteforce
disable DNS bruteforcing
--without-dnsexpansion
disable DNS TLD expansion
--bruteforce-level [STRING]
set bruteforce aggressivity, values are lite, custom or full (default is lite)
--without-be-paranoid
don't check the results consistency
--http-ports [STRING]
set a comma separated list of custom HTTP ports to check
--only-passive
passive discovery, don't make network activity to the target network
--timeout [STRING]
set plugin timeout
--threads [STRING]
set concurrent threads number
Networking options:
-d, --dns [STRING] set a comma separated list of DNS servers IP addresses to use instead of system defaults
Output options:
--print-maltego
set output formatted for Maltego
-v, --verbose set verbose mode
Misc options:
--without-update
skip update check
-h, --help show this help message

root@dorkness:pentest/enumeration/hostmap-0.2.2#


Note: you will need to give an IP address; you cannot use domain names.

An example of usage is as follows:

root@dorkness:/pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb --only-passive --without-update -t 80.65.162.250
hostmap 0.2.2 codename truppola
Coded by Alessandro `jekil` Tanasi

[2010-05-25 22:41] Skipping SSL because only passive checks are enabled
[2010-05-25 22:41] Found new hostname queer.ba
[2010-05-25 22:41] Found new domain queer.ba
[2010-05-25 22:41] Found new hostname diocletian.httpool.ba
[2010-05-25 22:41] Found new domain httpool.ba
[2010-05-25 22:41] Found new nameserver ns.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new nameserver ns02.europronet.ba
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks
[2010-05-25 22:41] Found new mail server mx2.europronet.ba
[2010-05-25 22:41] Found new mail server mx3.europronet.ba
[2010-05-25 22:41] Found new mail server mx1.europronet.ba
[2010-05-25 22:41] Found new nameserver ns1.httpool.com
[2010-05-25 22:41] Found new nameserver ns2.httpool.com
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks

Results for 80.65.162.250
Served by name server (probably)
ns2.httpool.com
ns1.httpool.com
ns.queer.ba
ns02.europronet.ba
Served by mail exchange (probably)
mx1.europronet.ba
mx3.europronet.ba
mx2.europronet.ba
Hostnames:
www.queer.ba
diocletian.httpool.ba
queer.ba
root@dorkness:/pentest/enumeration/hostmap-0.2.2#


Note: I used the --only-passive and --without-update flags; these should be self-explanatory. -t is for the target.

As you can see, there are several other options to work with. Those I will leave up to you.
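hostmap prints its findings in the "Results for" report shown above, but it does not summarise what that footprint means. The following is an added example, not part of hostmap or of the original post: a small parser for that report format plus a summary of which domains are tied to the target and which name or mail servers live in domains the target's own hostnames do not belong to (DNS or mail run by a third party). The sample report is a constructed copy of the output above, and the "last two labels" rule for a registrable domain is an assumption that ignores public-suffix lists.

```python
"""Parse hostmap's 'Results for <ip>' report and summarise the exposure it
describes.  Added example, not hostmap's own code; SAMPLE_REPORT is a
constructed copy of the output shown on the page."""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Results for 80.65.162.250
Served by name server (probably)
ns2.httpool.com
ns1.httpool.com
ns.queer.ba
ns02.europronet.ba
Served by mail exchange (probably)
mx1.europronet.ba
mx3.europronet.ba
mx2.europronet.ba
Hostnames:
www.queer.ba
diocletian.httpool.ba
queer.ba
"""

# Section headers exactly as hostmap prints them -> key in the parsed result.
SECTIONS = {
    "Served by name server (probably)": "nameservers",
    "Served by mail exchange (probably)": "mailservers",
    "Hostnames:": "hostnames",
}

def parse_report(text):
    """Return {'target': ip, 'nameservers': [...], 'mailservers': [...], 'hostnames': [...]}."""
    result = {"target": None, "nameservers": [], "mailservers": [], "hostnames": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Results for (\S+)$", line)
        if m:
            result["target"] = m.group(1)
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        # Anything else inside a section is a hostname (lower-cased for set comparisons).
        if section and re.fullmatch(r"[A-Za-z0-9.-]+", line):
            result[section].append(line.lower())
    return result

def registrable_domain(host, labels=2):
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-labels:])

def summarise(parsed):
    """Domains tied to the target, and NS/MX hosted in domains that none of the
    target's own hostnames belong to (infrastructure run by someone else)."""
    own = {registrable_domain(h) for h in parsed["hostnames"]}
    by_domain = defaultdict(set)
    for key in ("nameservers", "mailservers", "hostnames"):
        for h in parsed[key]:
            by_domain[registrable_domain(h)].add(key)
    third_party = {
        registrable_domain(h)
        for key in ("nameservers", "mailservers")
        for h in parsed[key]
        if registrable_domain(h) not in own
    }
    return {"own_domains": own, "domains": dict(by_domain), "third_party_infra": third_party}

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for key, value in summarise(parsed).items():
        print(key, value)
```

Run against the report above, the summary shows the hostnames belong to queer.ba and httpool.ba, while name service also comes from httpool.com and europronet.ba and all mail exchange comes from europronet.ba; those are the parties whose security posture the owner of the target now depends on.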

Enjoy

Adding more DNS tools to BT4 part 3

The next tool is subdomainer.py

To get it, download the .tar here

http://www.edge-security.com/subdomainer.php
Again you can save it wherever you like; I chose /pentest/enumeration/.
Untar the package, cd into the directory, chmod +x subdomainer.py, and then you are set to go.
To untar the package: tar xvf subd*
Delete the tarball: rm -rf subdomainer.tar

Generic usage is:

root@dorkness:/pentest/enumeration/subdomainer# python subdomainer.py

*************************************
*Subdomainer Ver. 1.3b *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies2k@yahoo.com.ar *
*************************************

usage: subdomainer.py options

-d: domain to search
-l: limit of results to work with. (msn and yahoo goes in 10 to 10
google in 100's, and pgp does not need this option)
-m: data source (msn, yahoo, google, pgp-veridis, all)

-o: output to html file. (optional, good for long lists.)

Example:
subdomainer.py -d microsoft.com -l 200 -m google

subdomainer.py -d microsoft.com -l 100 -m all -o microsoft.html

root@dorkness:/pentest/enumeration/subdomainer#




Due to the length of the results, I will leave it to you to run them.

Adding more DNS tools to BT4 part 2

DNSbf.py
OK, again this is a simple copy and paste.
Get the source here:
https://docs.google.com/View?docid=dg23j87b_213fh46kgfp

EDIT: Since the above Google doc seems to no longer be valid, I will leave it to the user to find it by searching Google. Frankly, as I stated in the comments below, if you can't find this or any other tool I write about then you probably shouldn't be using them, since it's obvious you don't know what you are doing.

Copy and paste it to wherever you want. I used the same directory as before.
The name is dnsbf.py. The purpose of the tool is to use DNS to find hostnames in a subnet.
Save it and give it execute permissions.

Generic usage with no flags set:

root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

wrong number of arguments

exemple: ./dnsbf.py 192.168.1.0/24

root@dorkness:/pentest/enumeration/dnsenum#


This time we have some targets to scan.
root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py 80.65.162.0/24

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

80.65.162.2 bbr-gtz.europronet.ba
80.65.162.201 fa11_ssw-gadzo01.europronet.ba
80.65.162.202 smtps.bihgap.ba
80.65.162.205 fa05_ssw-sa02.europronet.ba
80.65.162.206 hotcasino03.europronet.ba
80.65.162.209 fa23_ssw-sa01.europronet.ba
80.65.162.210 ulk-srv01.linux.org.ba
80.65.162.213 fa15_ssw-sa01.europronet.ba
80.65.162.214 voip-gw01.europronet.ba
80.65.162.217 fa32_ssw-sa01.europronet.ba
80.65.162.218 yellow.europronet.ba
80.65.162.221 fa42_ssw-sa01.europronet.ba
80.65.162.225 fa06_ssw-sa02.europronet.ba
80.65.162.226 hotcasino2.europronet.ba
80.65.162.250 queer.ba
80.65.162.229 fa13_ssw-sa01.europronet.ba
80.65.162.230 mx2.europronet.ba
80.65.162.233 fa07_ssw-sa02.europronet.ba
80.65.162.234 hotcasinogb.europronet.ba
80.65.162.237 fa31_ssw-sa01.europronet.ba
80.65.162.241 fa34_ssw-sa01.europronet.ba
80.65.162.242 mail.triptih.europronet.ba
80.65.162.245 fa36_ssw-sa01.europronet.ba
80.65.162.1 fe08_asw-sa01.europronet.ba
80.65.163.78 mailsrvsa.octas.com
80.65.163.81 rg-ice.europronet.ba
80.65.163.108 terme-centrala.europronet.ba
80.65.163.162 mail2.procreditbank.ba
80.65.163.194 ip-65-163-194.europronet.ba
80.65.163.254 robot-vgw.europronet.ba
80.65.162.70 ns.queer.ba
80.65.162.34 posao.ba
80.65.162.35 mposao.ba

end of search
511 ip tested, 33 names found, in 11 s

root@dorkness:/pentest/enumeration/dnsenum#


So there you go, another cool tool to add to BT for your reconnaissance efforts.
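dnsbf.py walks a subnet and prints the PTR name of every address that has one. The block below is an added example in the spirit of that tool, not the tool's own code: it performs the same reverse sweep, but also does what hostmap's "results consistency" check is about, resolving each PTR name forward and flagging names that do not point back at the address (stale or spoofable PTRs are a common finding when auditing one's own ranges). The resolver functions are injectable, so the sweep below runs offline against a constructed PTR/A table; the addresses and names in that table are made up.

```python
"""Reverse-DNS sweep of a network with forward confirmation (FCrDNS).
Added example, not dnsbf.py's own code.  `ptr` and `forward` default to the
system resolver but can be replaced, which is how the constructed sample data
below is used."""
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_a(name):
    """All A records for a name; empty list when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def reverse_sweep(network, ptr=system_ptr, forward=system_a):
    """Yield (ip, hostname, confirmed) for each address in `network` that has a
    PTR record.  `confirmed` is True when the name resolves back to that address."""
    net = ipaddress.ip_network(network, strict=False)
    for addr in net.hosts():
        ip = str(addr)
        name = ptr(ip)
        if not name:
            continue
        yield ip, name.rstrip(".").lower(), ip in forward(name)

def sweep_report(network, **resolvers):
    """Collect the sweep into a report: how many addresses were tested, what was
    found, and which PTR names failed forward confirmation."""
    net = ipaddress.ip_network(network, strict=False)
    found = list(reverse_sweep(network, **resolvers))
    return {
        "tested": sum(1 for _ in net.hosts()),
        "found": found,
        "unconfirmed": [ip for ip, _, ok in found if not ok],
    }

# Constructed sample data (not real records): PTRs for three hosts, one of
# which is stale and forward-resolves to an address outside the range.
SAMPLE_PTR = {
    "192.0.2.2": "gw.example.net",
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "old-host.example.net",
}
SAMPLE_A = {
    "gw.example.net": ["192.0.2.2"],
    "mail.example.net": ["192.0.2.10", "192.0.2.11"],
    "old-host.example.net": ["198.51.100.7"],
}

if __name__ == "__main__":
    report = sweep_report("192.0.2.0/27",
                          ptr=SAMPLE_PTR.get,
                          forward=lambda n: SAMPLE_A.get(n, []))
    for ip, name, ok in report["found"]:
        print(ip, name, "" if ok else "(PTR not forward-confirmed)")
    print(f"{report['tested']} ip tested, {len(report['found'])} names found,"
          f" {len(report['unconfirmed'])} unconfirmed")
```

Calling `sweep_report("192.0.2.0/27")` with no resolver arguments uses the system resolver and behaves like the tool above; the unconfirmed list is the part worth reviewing when the range is your own, since a PTR that does not round-trip is either forgotten inventory or a name someone else controls.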

Adding more DNS tools to BT4 part 1

So here is a write-up on adding some tools to the BT4 DNS collection.
I will first show how to install each tool and then give a brief usage of it.
They are not hard to install and are simple to use; the power lies in what they can do.
These tools are ones that I found, and credit goes to their authors. Also note that since the tools are not included in BT by default, you are on your own if something goes wrong. However, since they are simple Python and/or Ruby scripts with no real dependencies, things should work just fine.
NOTE: Most output info has been slightly modified.

So without further delay, the first up is
DNSDic.py
Code is here:
https://docs.google.com/View?docid=dg23j87b_214cdwmbjfx

So copy and paste the code from the link into a file named dnsdic.py and make the file executable. I added these tools to the following directory to keep things somewhat organised.
The script will need a dictionary when running. A good one, and the one the author recommends, is located in the dnsenum directory.

root@dorkness:/pentest/enumeration/#


Again, to make it executable:
root@dorkness:/pentest/enumeration/# chmod +x dnsdic.py


Generic run with no options:


root@dorkness:/pentest/enumeration/# python dnsdic.py

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

wrong number of arguments

exemple: dnsdic.py -f ./dico.txt infond.blogspot.com



OK, now a run with some actual usage and results.

root@dorkness:/pentest/enumeration/# python dnsdic.py -f ./dns.txt exampleweb.ba

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

exampleweb.ba ['ftp.exampleweb.ba'] ['81.61.112.150']
mail.exampleweb.ba [] ['81.61.112.10']
ns.exampleweb.ba [] ['81.61.112.70']
exampleweb.ba ['www.exampleweb.ba'] ['81.61.112.250']

end of search
95 names tested, 4 hostnames found, in 16.110284 s

root@dorkness:/pentest/enumeration/#
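dnsdic.py tries each word in a dictionary as a label under the target domain and prints whatever resolves; the three columns in its output above match the (canonical name, alias list, address list) shape that Python's socket.gethostbyname_ex returns, so ftp.exampleweb.ba appearing in the alias column means it is a CNAME for exampleweb.ba. The block below is an added example in the spirit of that tool, not the tool's own code. It adds the check such a scan needs before its results can be trusted: if the zone has a wildcard record, every dictionary word "resolves", so the scan first probes random labels and then discards hits whose only addresses are the wildcard's. The lookup function is injectable and the zone table is constructed, so the example runs offline; names and addresses in it are made up.

```python
"""Dictionary-driven forward DNS search with wildcard detection.
Added example, not dnsdic.py's own code.  `lookup` returns the same
(canonical, aliases, addresses) tuple as socket.gethostbyname_ex, or None
when the name does not exist."""
import secrets
import socket

def system_lookup(name):
    """(canonical name, aliases, addresses) from the system resolver, or None."""
    try:
        return socket.gethostbyname_ex(name)
    except (socket.herror, socket.gaierror):
        return None

def wildcard_addresses(domain, lookup, probes=2):
    """Resolve a few random labels under `domain`.  Any address they return
    belongs to a wildcard record and would make every dictionary word a hit."""
    found = set()
    for _ in range(probes):
        label = "nx-" + secrets.token_hex(6)
        answer = lookup(f"{label}.{domain}")
        if answer:
            found.update(answer[2])
    return found

def dictionary_scan(domain, words, lookup=system_lookup):
    """Try every word as a label under `domain`.  Returns the wildcard addresses
    seen (if any) and the hits whose addresses are not explained by the wildcard."""
    wild = wildcard_addresses(domain, lookup)
    hits = {}
    for word in words:
        name = f"{word.strip().lower()}.{domain}"
        answer = lookup(name)
        if not answer:
            continue
        canonical, aliases, addrs = answer
        real = [a for a in addrs if a not in wild]
        if real:
            hits[name] = {"canonical": canonical.lower(), "addresses": real}
    return {"wildcard": sorted(wild), "hits": hits}

# Constructed zone (not real records).  www and ftp are CNAMEs to the apex,
# mail has its own A record; every other name does not exist.
SAMPLE_ZONE = {
    "www.example.test": ("example.test", ["www.example.test"], ["203.0.113.250"]),
    "ftp.example.test": ("example.test", ["ftp.example.test"], ["203.0.113.150"]),
    "mail.example.test": ("mail.example.test", [], ["203.0.113.10"]),
}

def sample_lookup(name):
    return SAMPLE_ZONE.get(name)

def sample_wildcard_lookup(name):
    """Same zone, but with a *.example.test wildcard catching every other name."""
    return SAMPLE_ZONE.get(name) or (name, [], ["203.0.113.99"])

WORDS = ["www", "ftp", "mail", "vpn", "dev"]

if __name__ == "__main__":
    for lookup in (sample_lookup, sample_wildcard_lookup):
        result = dictionary_scan("example.test", WORDS, lookup)
        print("wildcard:", result["wildcard"] or "none")
        for name, info in result["hits"].items():
            print(name, info["canonical"], info["addresses"])
```

Against the plain zone the scan reports three names; against the wildcard zone it still reports the same three, because vpn and dev resolve only to the wildcard address and are dropped. Without that filter the second run would claim all five words exist, which is the kind of false positive a defender sees when testing a zone that deliberately uses a catch-all record.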