Find the Subdomains of a Network With Dnsmap

I'll show you how to find the subdomains of a domain name. dnsmap is open-source software installed by default in Kali Linux, and it is very useful during the information-gathering phase for mapping a network's infrastructure.
During the preparation phase of an attack, attackers always map the network to find a target to attack. dnsmap finds subdomains that are not publicly visible, along with their IP addresses. Discovering such critical infrastructure gives an attacker an entry point to a vital part of the network.
Manual of dnsmap
dnsmap is accessible in Kali Linux via the menu Applications > Kali Linux > Information Gathering > DNS Analysis > dnsmap
usage: dnsmap <domaine-cible> [options]
options:
-w <fichier-wordlist>
-r <fichier-de-sauvegarde>
-c <fichier-de-résultat-csv>
-d <délai-millisecs>
-i <IPs-a-ignorer> (utile pour de faux positifs)
In your terminal, run dnsmap with a domain name to brute-force its subdomains using the built-in default wordlist.
root@kali:~# dnsmap exemple.fr
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for exemple.fr using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

cpanel.exemple.fr
IP address #1: 15.26.18.8

ftp.exemple.fr
IP address #1: 15.26.18.8

mail.exemple.fr
IP address #1: 15.26.18.8

webmail.exemple.fr
IP address #1: 15.26.18.8

www.exemple.fr
IP address #1: 15.26.18.8

[+] 5 (sub)domains and 5 IP address(es) found
[+] completion time: 244 second(s)
You can also use your own wordlist for the DNS brute force with the -w option. Kali Linux ships a ready-made wordlist, wordlist_TLAs.txt, in the folder /usr/share/dnsmap.
Example:
root@kali:~# dnsmap exemple.fr -w /usr/share/dnsmap/wordlist_TLAs.txt
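dnsmap writes a plain-text report like the one above, and the -r and -c options only save it to a file. The following script is an added example (not dnsmap's code and not from the original post) that parses that report into structured records, inverts it to see which hostnames share an address, and flags addresses that almost every name resolves to, which is the wildcard-DNS false-positive situation the -i option exists for. The sample report is constructed from the post's output (exemple.fr and 15.26.18.8 are the post's placeholders), so it runs offline.

```python
"""Parse a dnsmap plain-text report into structured records.

Added example, not part of dnsmap or of the original post. The sample
report below is constructed from the output shown in the post
(exemple.fr and the address 15.26.18.8 are the post's placeholders),
so the script runs offline.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for exemple.fr using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

cpanel.exemple.fr
IP address #1: 15.26.18.8

ftp.exemple.fr
IP address #1: 15.26.18.8

mail.exemple.fr
IP address #1: 15.26.18.8

webmail.exemple.fr
IP address #1: 15.26.18.8

www.exemple.fr
IP address #1: 15.26.18.8

[+] 5 (sub)domains and 5 IP address(es) found
[+] completion time: 244 second(s)
"""

# A hostname line: labels separated by dots, nothing else on the line.
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)
# An address line as dnsmap prints it; a host may have several (#1, #2, ...).
IP_RE = re.compile(r"^IP address #\d+:\s*(\S+)$")


def parse_dnsmap(report: str) -> dict:
    """Return {hostname: [ip, ...]} in the order dnsmap reported them."""
    results = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("[+]"):
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            results[current].append(m.group(1))
        elif HOST_RE.match(line):
            current = line.lower()
            results.setdefault(current, [])
    return results


def hosts_by_ip(results: dict) -> dict:
    """Invert the mapping: {ip: [hostname, ...]}."""
    inverted = defaultdict(list)
    for host, ips in results.items():
        for ip in ips:
            inverted[ip].append(host)
    return dict(inverted)


def suspected_wildcard_ips(results: dict, share: float = 0.8) -> list:
    """Addresses that at least `share` of all discovered names resolve to.

    When nearly every brute-forced name lands on one address, the zone may
    use wildcard DNS (every name "exists"), which is the false-positive case
    dnsmap's -i option is meant for. It is only a heuristic: shared hosting
    also puts www, mail and ftp on one box, as the post's own scan shows.
    Confirm by resolving a random, surely nonexistent label before relying
    on it; that needs network access and is left out here.
    """
    total = len(results)
    if total == 0:
        return []
    return sorted(ip for ip, hosts in hosts_by_ip(results).items()
                  if len(hosts) / total >= share)


def to_csv(results: dict) -> str:
    """Flatten to 'host,ip' rows, similar in spirit to dnsmap's -c output."""
    rows = ["host,ip"]
    for host, ips in results.items():
        for ip in ips:
            rows.append(f"{host},{ip}")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    parsed = parse_dnsmap(SAMPLE_REPORT)
    print(to_csv(parsed))
    print("suspected wildcard addresses:", suspected_wildcard_ips(parsed))
```

On the post's scan every name resolves to 15.26.18.8, so the heuristic flags that address; whether that is a wildcard record or simply one shared server is something you verify by querying a nonsense label, and only then do you pass the address to -i.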
In any penetration test it is customary to take notes and save the results of your scans; you can do this very easily with the -r option. Another interesting option is -d, which slows down the rate of the scan. This helps avoid triggering an IDS/IPS on a sensitive network, or simply avoids overloading the network.
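The mention of IDS/IPS is worth making concrete from the defender's side. A subdomain brute force leaves a distinctive trace in DNS query logs: one client asking for many different names under the same zone in a short time, most of them answered NXDOMAIN. The script below is an added example, not from the post and not part of dnsmap, that runs that detection over a small log. The log format (timestamp, client, query name, type, response code) and every line in it are constructed for the example; adapt the parser to whatever your resolver or authoritative server actually logs.

```python
"""Detect subdomain brute-forcing in DNS query logs.

Added example, not from the original post and not part of dnsmap. The log
format and all lines below are constructed for this example: each line is
"<iso-timestamp> <client-ip> <qname> <qtype> <rcode>".
203.0.113.5 walks a wordlist against exemple.fr (mostly NXDOMAIN), while
198.51.100.7 is an ordinary client resolving two real names now and then.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-14T10:00:00 198.51.100.7 www.exemple.fr A NOERROR
2024-03-14T10:00:01 203.0.113.5 admin.exemple.fr A NXDOMAIN
2024-03-14T10:00:02 203.0.113.5 backup.exemple.fr A NXDOMAIN
2024-03-14T10:00:03 203.0.113.5 cpanel.exemple.fr A NOERROR
2024-03-14T10:00:04 203.0.113.5 dev.exemple.fr A NXDOMAIN
2024-03-14T10:00:05 203.0.113.5 ftp.exemple.fr A NOERROR
2024-03-14T10:00:06 203.0.113.5 git.exemple.fr A NXDOMAIN
2024-03-14T10:00:07 203.0.113.5 intranet.exemple.fr A NXDOMAIN
2024-03-14T10:00:08 203.0.113.5 jenkins.exemple.fr A NXDOMAIN
2024-03-14T10:00:09 203.0.113.5 old.exemple.fr A NXDOMAIN
2024-03-14T10:00:10 203.0.113.5 staging.exemple.fr A NXDOMAIN
2024-03-14T10:00:11 203.0.113.5 test.exemple.fr A NXDOMAIN
2024-03-14T10:00:12 203.0.113.5 vpn.exemple.fr A NXDOMAIN
2024-03-14T10:15:00 198.51.100.7 mail.exemple.fr A NOERROR
2024-03-14T10:30:00 198.51.100.7 www.exemple.fr A NOERROR
2024-03-14T10:45:00 198.51.100.7 mail.exemple.fr A NOERROR
"""


def parse_log(text: str) -> list:
    """Return (timestamp, client, qname, qtype, rcode) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client,
                       qname.lower().rstrip("."), qtype, rcode))
    events.sort(key=lambda e: e[0])
    return events


def zone_of(qname: str) -> str:
    """Simplification: the last two labels are the zone. Production code
    should use the public suffix list so that co.uk and friends work."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_enumeration(events: list, window=timedelta(seconds=60),
                       min_names: int = 10, min_nx_ratio: float = 0.6) -> list:
    """One alert per (client, zone) whose busiest window holds at least
    `min_names` distinct names with an NXDOMAIN share of `min_nx_ratio`."""
    groups = defaultdict(list)
    for ts, client, qname, _qtype, rcode in events:
        groups[(client, zone_of(qname))].append((ts, qname, rcode))

    alerts = []
    for (client, zone), evs in groups.items():
        evs.sort()
        best = None
        j = 0
        for i in range(len(evs)):
            # Sliding window: advance j while evs[j] is within `window` of evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            names = {q for _, q, _ in chunk}
            nx_ratio = sum(1 for _, _, r in chunk if r == "NXDOMAIN") / len(chunk)
            if len(names) >= min_names and nx_ratio >= min_nx_ratio:
                if best is None or (len(names), nx_ratio) > best[:2]:
                    best = (len(names), nx_ratio, evs[i][0])
        if best is not None:
            alerts.append({"client": client, "zone": zone,
                           "distinct_names": best[0],
                           "nxdomain_ratio": round(best[1], 2),
                           "window_start": best[2].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
```

The -d option from the post is exactly what this heuristic has to take into account: a scan slowed to one query every few seconds spreads its names over several 60-second windows, so in practice you run the same check with a longer window (an hour, a day) and a lower distinct-name threshold as well, and you watch the NXDOMAIN ratio per client rather than raw query volume.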
As you can see from my scan with dnsmap, it is very easy to find a login portal such as cPanel. This type of discovery gives an attacker a foothold from which to go after the critical infrastructure of the server or network.
Wherever possible, restrict access to critical subdomains with IP filtering, for example by placing them behind a private VPN.
