In this new tutorial, we'll see together how to find the subdomains of a given domain name using Dnsmap. This tool was originally released back in 2006 and was inspired by the fictional story "The Thief No One Saw" by Paul Craig, which can be found in the book "Stealing the Network - How to 0wn the Box".

Dnsmap is mainly meant to be used by pen-testers during the information gathering phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company's IP netblocks, domain names, phone numbers, etc ... Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it's especially useful when other domain enumeration techniques such as zone transfers don't work.

Source: Dnsmap


WHAT CAN DONE USING DNSMAP
  • Finding interesting remote access servers.
  • Finding badly configured and/or unpatched servers.
  • Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks of your target organization.
  • Sometimes you find that some brute-forced subdomains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date "A" records which means that it is possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving.
  • Discover embedded devices configured using Dynamic DNS services. This method is an alternative to finding devices via Google hacking techniques.

Dnsmap is present by default in Kali Linux. But if you are using another Linux distribution such as Ubuntu or Debian, you can install it very easily using the below commands:


HOW TO INSTALL DNSMAP ON UBUNTU/DEBIAN AND OTHER DERIVED DISTRIBUTIONS
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/dnsmap/dnsmap-0.30.tar.gz
tar -xvf dnsmap-0.30.tar.gz
cd dnsmap-0.30/
make
sudo cp dnsmap /usr/local/bin/

To verify that dnsmap has been installed correctly, you can launch the following command from your terminal:

dnsmap

Output

Discover Hidden Subdomains of a given Domain using Dnsmap


USING DNSMAP WITH DEFAULT DICTIONARY

During an attack preparation phase, hackers will always try to map the network to find potentially vulnerable targets. Dnsmap allows finding from their IPs addresses subdomains that are not publicly visible.

From your terminal, launch dnsmap and specify in the first argument which domain you want to scan for subdomains. If you don't specify any "wordlist", dnsmap will use the default wordlist provided with the tool.

dnsmap neoslab.com

Output

Discover Hidden Subdomains of a given Domain using Dnsmap


USING DNSMAP WITH CUSTOM DICTIONARY

Dnsmap, also offers you the possibility of using your own wordlist. To do so, you will need to specify the path and the name of the dictionary file you want to use with the option "-w". In such a case, the command to use will be:

dnsmap example.com -w /path/to/your/dictionary/wordlist.txt

SAVE THE RESULTS OF YOUR SCAN

During penetration tests it can be very useful to take notes or even save the results of your scans. This can be done very easily with Dnsmap using the "-r"option and specifying the path and name of the file where you want the results to be saved.

dnsmap example.com -r /tmp/results.txt

DELAY YOUR DNSMAP SCAN

Another very interesting and very useful option of Dnsmap is the possibility of slowing down the scanning process to avoid to be blacklisted by the server you are targeting. This can be done using the "-d" option following by the delay value in milliseconds.

dnsmap example.com -d 3000

Using "-d 3000", the scan will mark a delay of 3 seconds between each loop.


DNSMAP BULK USAGE EXAMPLE

If you wish to brute-force several target domains in bulk fashion, you can use the script "dnsmap-bulk.sh" included in the dnsmap archive. Just copy the script to "/usr/local/bin/" so you can call it from any location.

sudo cp dnsmap-bulk.sh /usr/local/bin/
sudo chmod ugo+x /usr/local/bin/dnsmap-bulk.sh

Usage

dnsmap-bulk.sh domains.txt /tmp/results.txt

COUNTERMEASURE

Whenever it's possible, the best way to prevent an attacker from discovering subdomains that are not publicly accessible is to restrict access to those subdomains by setting up IP filtering with your firewall.