
Domain Enumeration Techniques

Sometimes when doing penetration testing, you are provided with very minimal information, such as only the domain name of the target. Having just one target address will most likely reduce your chances of penetrating the network. One of the techniques you can use to expand your target list is domain enumeration. This technique is used to gather as much information as possible about the target domain.

This method is known as passive information gathering because it is non-intrusive. We are not actively probing the target network but instead using publicly available information on the Internet. There are several ways to do this, but I'm going to share the ones that I normally use. I usually start with online tools to enumerate the target domain. Let's say your target domain name is espn.com.

Google: hacker's best friend
Use the search string "allinurl: -www site:espn.com" to return all domain names associated with the target.


Netcraft
Netcraft's DNS search function: http://searchdns.netcraft.com/

Serversniff
Checks domains for existing subdomains and hostnames. http://serversniff.net


Next, I will use enumeration tools that are available in BackTrack.

theHarvester
Tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources.
./theHarvester.py -d espn.com -b bing


Dnsenum
Multithreaded Perl script to enumerate DNS information on a domain and to discover non-contiguous IP blocks.
./dnsenum.pl --enum espn.com -f dns.txt


Fierce
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.
./fierce -dns espn.com -wordlist host.txt


Below you can see a comparison table of the results produced by each tool.


Next, we need to validate the results and remove any duplicate records. We started with only one target, i.e. espn.com, but after performing domain enumeration we are presented with plenty of targets to attack.
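One way to do the validation and de-duplication step offline, as an added example that is not part of the original post: it normalizes hostnames, drops anything malformed or outside the target domain, and records which tool reported each name. The function names, the placeholder domain example.com and the sample lines are assumptions; the sample lines are constructed and do not reproduce any tool's real output format.

```python
import re
from collections import defaultdict

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize(token):
    """Lowercase, then drop surrounding punctuation and the trailing root dot."""
    return token.strip(" \t,;()[]<>\"'").lower().rstrip(".")

def is_valid_hostname(name):
    return len(name) <= 253 and all(LABEL.fullmatch(l) for l in name.split("."))

def in_scope(name, domain):
    # Match on a label boundary so "notexample.com" is not treated as in scope.
    return name == domain or name.endswith("." + domain)

def merge_results(results, domain):
    """results: {tool: [raw lines]} -> {hostname: sorted list of tools that saw it}"""
    seen = defaultdict(set)
    for tool, lines in results.items():
        for line in lines:
            # Split on whitespace, commas and colons to tolerate "ip:host",
            # "host ip" and CSV-style lines without assuming one layout.
            for token in re.split(r"[\s,:]+", line):
                name = normalize(token)
                if name and is_valid_hostname(name) and in_scope(name, domain):
                    seen[name].add(tool)
    return {host: sorted(tools) for host, tools in sorted(seen.items())}

# Constructed sample lines (not real tool output); addresses are from TEST-NET-1.
SAMPLE = {
    "theHarvester": ["192.0.2.10:www.example.com", "192.0.2.11:mail.example.com"],
    "dnsenum": ["WWW.Example.com.   300 IN A 192.0.2.10",
                "ftp.example.com.   300 IN A 192.0.2.12"],
    "fierce": ["192.0.2.11   mail.example.com",
               "192.0.2.13   shop.notexample.com",   # look-alike, out of scope
               "*.example.com"],                      # wildcard, not a hostname
}

if __name__ == "__main__":
    for host, tools in merge_results(SAMPLE, "example.com").items():
        print(f"{host:<20} {', '.join(tools)}")
```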

Cheers :)
