[Discuss] DNS question about DNSENUM.PL
Chris O'Connell
omegahalo at gmail.com
Mon Mar 25 12:59:16 EDT 2013
HI Rich,
Thanks for replying. Looks like I may be more confused than I thought!
Perhaps I did a bad job explaining what's going on too. I can't use my
exact domain as an example for security reasons, but I found this blog (
http://www.question-defense.com/2013/02/03/dnsenum-backtrack-5-information-gathering-network-analysis-dns-analysis-dnsenum)
that uses CNN.COM as an example.
Now, let's suppose I work for CNN as an IT person. When I work from home I
VPN into "access.cnn.com."
Running the script with no parameters does not return "access.cnn.com" as a
valid (sub domain? Host name? I don't know...)
dnsenum Perl Script: Default Output Against cnn.com
root@bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl cnn.com
dnsenum.pl VERSION:1.2.2
----- cnn.com -----
Host's addresses:
__________________
cnn.com 198 IN A 157.166.255.19
cnn.com 198 IN A 157.166.226.25
cnn.com 198 IN A 157.166.226.26
cnn.com 198 IN A 157.166.255.18
Name Servers:
______________
ns1.p42.dynect.net 159347 IN A 208.78.70.42
ns1.timewarner.net 169183 IN A 204.74.108.238
ns3.timewarner.net 169183 IN A 199.7.68.238
ns2.p42.dynect.net 169183 IN A 204.13.250.42
Mail (MX) Servers:
___________________
atlmail3.turner.com 40 IN A 157.166.174.56
atlmail5.turner.com 40 IN A 157.166.165.14
hkgmail1.turner.com 40 IN A 168.161.96.115
lonmail1.turner.com 107 IN A 157.166.216.142
nycmail1.turner.com 107 IN A 157.166.157.8
nycmail2.turner.com 107 IN A 157.166.157.10
Now, if instead I use a brute force attack I get the following, which
includes access.cnn.com.
*Bruteforced Sub Domains Example Output:*
Brute forcing with subdomains.txt:
___________________________________
access.cnn.com 2066 IN A 64.20.247.69
ads.cnn.com 96 IN A 157.166.255.216
asia.cnn.com 300 IN CNAME
edition.cnn.com 3600 IN CNAME
So now I guess I'm curious, is the script just guessing at valid host names
(or as the author of this blog states, "sub domains") to see what results
are returned? What's interesting is running the script without a brute
force on my organization shows me news.blah.org, ftp.blah.org, etc. I do
not, however, see vpn.blah.org listed, which is how I get in from home.
When I run the brute force I do see the vpn.blah.org.
I'm trying to figure this out, very odd.
Thanks for responding... I think I'm missing a piece of the puzzle here and
am really curious as to what's going on.
Thanks,
Chris
On Mon, Mar 25, 2013 at 12:27 PM, Rich Pieri <richard.pieri at gmail.com> wrote:
> --On Monday, March 25, 2013 11:16 AM -0400 Chris O'Connell <omegahalo at gmail.com> wrote:
>
>> I don't understand the mechanics of how this is happening. What's
>> allowing me to ping VPN.blah.org, but doesn't allow DNSENUM to find it?
>> What exactly is brute forcing DNS doing? Why do some subdomains show up
>> without the use of brute force and others don't?
>>
>
>
> You appear to be using the word "subdomain" when you mean "host name". If
> you've delegated the vpn.blah.org subdomain from the blah.org domain then
> of course you cannot ping it. Subdomains do not have IP addresses.
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>
--
Chris O'Connell
http://outlookoutbox.blogspot.com
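To make the difference between the two dnsenum passes in the output above concrete, here is an added example (written for this page; it is not dnsenum's code and not part of the thread). It models what the quoted output shows: a default run that only reports the apex's own A, NS and MX records and the addresses of the hosts they name, and a brute-force run that prefixes every word of a list to the domain and keeps whatever resolves. The blah.org zone is constructed sample data and the "resolver" is a dictionary lookup, so it runs offline; the wildcard check is the one caveat a practitioner would add before trusting brute-force hits.

```python
"""Toy model of the two passes visible in the dnsenum output above.

Added illustration, not dnsenum's own code. The zone below is constructed
sample data for a hypothetical blah.org and the "resolver" is a dictionary
lookup, so this runs offline; swap in real queries (e.g. dnspython) to use it.
"""
import random
import string

# Constructed sample zone (not real records). vpn.blah.org exists but is
# referenced by no NS/MX record, just like the VPN host in the thread.
SAMPLE_ZONE = {
    ("blah.org", "A"): ["192.0.2.10"],
    ("blah.org", "NS"): ["ns1.blah.org", "ns2.blah.org"],
    ("blah.org", "MX"): ["10 mail.blah.org"],
    ("ns1.blah.org", "A"): ["192.0.2.53"],
    ("ns2.blah.org", "A"): ["198.51.100.53"],
    ("mail.blah.org", "A"): ["192.0.2.25"],
    ("news.blah.org", "A"): ["192.0.2.30"],
    ("ftp.blah.org", "CNAME"): ["news.blah.org"],
    ("vpn.blah.org", "A"): ["198.51.100.7"],
}


def make_resolver(zone, domain, wildcard_a=None):
    """Build resolve(name, rtype) -> list[str] over a dict zone.

    If wildcard_a is set, every otherwise-unknown name under `domain` answers
    with that address, mimicking a "*.domain" wildcard record: the failure
    mode that makes a naive brute force report every word in the list.
    """
    def resolve(name, rtype):
        key = (name.lower().rstrip("."), rtype)
        if key in zone:
            return list(zone[key])
        if wildcard_a and rtype == "A" and key[0].endswith("." + domain):
            return [wildcard_a]
        return []
    return resolve


def apex_records(domain, resolve):
    """Non-brute-force pass: the apex's own A/NS/MX records plus the addresses
    of the hosts those records name. Nothing else is queried, so a host that
    appears in none of them (vpn.blah.org here) cannot show up."""
    found = {domain: resolve(domain, "A")}
    for ns in resolve(domain, "NS"):
        found[ns] = resolve(ns, "A")
    for mx in resolve(domain, "MX"):
        exchange = mx.split()[-1]      # MX rdata is "<preference> <exchange>"
        found[exchange] = resolve(exchange, "A")
    return found


def detect_wildcard(domain, resolve, rng=random):
    """Query a random label nobody would define. An answer means the zone has
    a wildcard; return its address set so guesses can be compared against it."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
    return set(resolve(label + "." + domain, "A"))


def brute_force(domain, wordlist, resolve):
    """Brute-force pass: prefix each word to the domain and keep whatever
    answers. It is pure guessing, so a name turns up only if it is in the
    list; that is why vpn.blah.org appears here and not in apex_records()."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        name = word + "." + domain
        cname = resolve(name, "CNAME")
        if cname:
            found[name] = ("CNAME", cname)
            continue
        addrs = resolve(name, "A")
        # Drop answers identical to the wildcard's: they prove nothing.
        # (A real host that shares the wildcard address is lost too.)
        if addrs and set(addrs) != wildcard:
            found[name] = ("A", addrs)
    return found


if __name__ == "__main__":
    resolve = make_resolver(SAMPLE_ZONE, "blah.org")
    print("apex pass :", sorted(apex_records("blah.org", resolve)))
    words = ["www", "ftp", "news", "vpn"]
    print("brute pass:", sorted(brute_force("blah.org", words, resolve)))
```

Run it and the apex pass lists only blah.org, its two name servers and its mail exchanger, while the brute-force pass adds news, ftp (as a CNAME) and vpn, because those words are in the list. Build the resolver with `wildcard_a` set and every unknown word "resolves" to the same address; `brute_force()` then keeps vpn.blah.org and discards the wildcard noise, which is the check to run before believing a long list of brute-forced hits.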