Thursday, October 25, 2012

Enumerasi DNS Domain Dengan Fierce Script Perl

Fierce, merupakan tool yang sangat ringan, seperti tool analisis sistem DNS lainya. Dengan ditulis dengan bahasa pemrograman perl oleh RSnake, yang membantu menemukan hostname space alamat IP terhadap nama domain yang ditentukan ataupun ditargetkan. Seperti kutipan dalam tool tersebut.
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.  It's really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately.  It is meant specifically to locate likely targets both inside and outside a corporate network.  Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.
Sebagai tool yang menganalisis sistem DNS yang memiliki vuln ataupun celah,sehingga bisa menjadi target untuk serangan pada sistem DNS yang salah konfigurasi. Fierce,dilakukan dalam pentesting untuk proses enumerasi sub domain..

Analisis DNS Dengan Script Perl, Fierce

Note : Sistem Operasi Linux Backtrack 5 R2
Opsi :

-connect
Attempt to make http connections to any non RFC1918 (public) addresses.  This will output the return headers but be warned, this could take a long time against a company with many targets, depending on network/machine lag.  I wouldn't recommend doing this unless it's a small company or you have a lot of free time on your hands (could take hours-days). Inside the file specified the text "Host:\n" will be replaced by the host specified.
Usage:
    perl fierce.pl -dns example.com -connect headers.txt
-delay  
The number of seconds to wait between lookups.
-dns  
The domain you would like scanned.
-dnsfile
Use DNS servers provided by a file (one per line) for reverse lookups (brute force).
-dnsserver
Use a particular DNS server for reverse lookups (probably should be the DNS server of the target).  Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries by default.
-file 
A file you would like to output to be logged to.
-fulloutput
When combined with -connect this will output everything the webserver sends back, not just the HTTP headers.
-help 
This screen.
-nopattern 
Don't use a search pattern when looking for nearby hosts.  Instead dump everything.  This is really noisy but is useful for finding other domains that spammers might be using.  It will also give you lots of false positives,  especially on large domains.
-range
Scan an internal IP range (must be combined with -dnsserver).Note, that this does not support a pattern and will simply output anything it finds.
Usage:
    perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.com
-search
Search list.  When fierce attempts to traverse up and down ipspace it may encounter other servers within other domains that may belong to the same company.  If you supply a comma delimited list to fierce it will report anything found.This is especially useful if the corporate servers are named different from the public facing website. 
Usage:
    perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany Note that using search could also greatly expand the number ofhosts found, as it will continue to traverse once it locatesservers that you specified in your search list.  The more the better.

-suppress
Suppress all TTY output (when combined with -file).

-tcptimeout
Specify a different timeout (default 10 seconds).  You may want to increase this if the DNS server you are querying is slow or has a lot of network lag.

-threads
Specify how many threads to use while scanning (default is single threaded).

-traverse
Specify a number of IPs above and below whatever IP you have found to look for nearby IPs.  Default is 5 above and below.  Traverse will not move into other C blocks.

-version
Output the version number.
-wide
Scan the entire class C after finding any matching hostnames in that class C.  This generates a lot more traffic but can uncover a lot more information.

-wordlist
Use a seperate wordlist (one word per line). 
Usage:
 perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

Contoh :

root@linux:/pentest/enumeration/dns/fierce# perl fierce.pl -dns tws.web.id

Untuk Hasilnya :
DNS Servers for tws.web.id:
    ns2.rumahosting.com
    ns1.rumahosting.com

Trying zone transfer first...
    Testing ns2.rumahosting.com
        Request timed out or transfer not allowed.
    Testing ns1.rumahosting.com
        Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
216.239.36.21    ftp.tws.web.id
216.239.38.21    ftp.tws.web.id
216.239.32.21    ftp.tws.web.id
216.239.34.21    ftp.tws.web.id
127.0.0.1    localhost.tws.web.id
216.239.34.21    mail.tws.web.id
216.239.36.21    mail.tws.web.id
216.239.38.21    mail.tws.web.id
216.239.32.21    mail.tws.web.id

Subnets found (may want to probe here using nmap or unicornscan):
    127.0.0.0-255 : 1 hostnames found.
    216.239.32.0-255 : 2 hostnames found.
    216.239.34.0-255 : 2 hostnames found.
    216.239.36.0-255 : 2 hostnames found.
    216.239.38.0-255 : 2 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 9 entries.

Have a nice day.
------------------------------------------------------
NOTE :
Tutorial ini hanya untuk tujuan pendidikan. Saya tidak bertanggung jawab atas jenis kegiatan ilegal yang dilakukan oleh Anda.

No comments:

Post a Comment