PTT – The Pen Testing Toolkit: DNS-Bruteforcing
You have already installed the Pen Testing Toolkit and now want to use it, so let's look at the DNS functionality.
The whole design of PTT is centred around project directories, so create a directory for your tests: mkdir ptttest; cd ptttest. We now try to find some interesting hostnames and domains. Create a file called target-domains.txt containing the domains you want to research. For this example I will try domains from my employer and a German bank. Since all of this is DNS only, nobody should get too upset about it. But you should try something else.
md@hextatic ~/ptttest$ echo 'informatik.uni-mannheim.de' > target-domains.txt
md@hextatic ~/ptttest$ echo 'uni-mannheim.de' >> target-domains.txt
md@hextatic ~/ptttest$ echo 'deutsche-bank.de' >> target-domains.txt
Let’s go:
md@hextatic ~/ptttest$ ptt-dnsbruteforce -f ./target-domains.txt
calibrating for TLDs with wildcard dns ...
www.obscuredomainasdfghj.tk = 195.20.32.85
www.obscuredomainasdfghj.tk = 217.115.203.20
www.obscuredomainasdfghj.tk = 62.129.131.34
[...]
Domains which are suspected to use wildcard DNS and thus beeing excluded:
Set(['ac', 'com.ph', 'pw', 'vg', 'net.ph', 'de.vu', 'sh', 'cd', 'museum',
'tm', 'ws', 'vu', 'ph', 'st', 'mp', 'nu', 'org.ph', 'tk'])
The first thing dnsbruteforce does here is look for TLDs with those ugly wildcard entries that redirect you to an advertisement site run by the TLD operator. It does this by resolving a random, certainly unregistered name under each TLD; if that name still gets an address, every brute-forced name under the TLD would look like a hit, so the TLD is excluded from the rest of the run. PTT generally spits out a lot of output, because we are hackers and we like blinkenlights and moving screen displays. But it also writes results to ./output/, where it never overwrites files but merges them with new information where appropriate.
The next thing dnsbruteforce does is check whether the domains in target-domains.txt also exist in other TLDs. It checks not only the domains you gave in target-domains.txt but also slight variants of them. When it is done, the output appears in output/namesinothertlds.txt:
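To make the two steps above concrete, here is an added example in Python of the same procedure; it is not PTT's own code, and the exact variant rules PTT applies are not documented on this page. It probes every TLD with random labels, drops the TLDs that still answer, then crosses hyphen variants of the target labels (the output above shows "deutschebank" and "unimannheim" next to the hyphenated originals) with the remaining TLDs and resolves the candidates. The resolver is a constructed in-memory table so the run is offline and repeatable; the probe count, the hyphen rule, the made-up addresses and the assumption that input domains end in a single-label TLD are all mine.

```python
import random
import socket
import string

# Constructed stand-in for DNS: two TLDs that answer for any name (the
# wildcard case) and a few hosts that exist.  Addresses are made up.
WILDCARD_TLDS_SAMPLE = {
    "tk": ["195.20.32.85", "217.115.203.20", "62.129.131.34"],
    "ws": ["216.35.187.246"],
}
HOSTS_SAMPLE = {
    "www.deutsche-bank.de": ["217.73.49.24"],
    "www.deutschebank.ru": ["10.0.0.1"],
    "uni-mannheim.com": ["10.0.0.2"],
}


def fake_resolve_a(name):
    """A-record lookup against the constructed tables; [] plays the NXDOMAIN role."""
    if name in HOSTS_SAMPLE:
        return list(HOSTS_SAMPLE[name])
    for tld, ips in WILDCARD_TLDS_SAMPLE.items():
        if name.endswith("." + tld):
            return list(ips)
    return []


def live_resolve_a(name):
    """Same interface on top of the system resolver (not used in the offline run)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def random_label(rng, length=16):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def calibrate_wildcards(tlds, resolve_a, probes=2, rng=None):
    """TLDs under which several random, certainly unregistered names still resolve."""
    rng = rng or random.Random(0)
    suspected = set()
    for tld in tlds:
        hits = sum(1 for _ in range(probes)
                   if resolve_a("www.obscuredomain%s.%s" % (random_label(rng), tld)))
        if hits == probes:           # one lucky hit is not enough to call it a wildcard
            suspected.add(tld)
    return suspected


def label_variants(label):
    """Assumed variant rule: the label as given and with hyphens removed."""
    return {label, label.replace("-", "")}


def candidate_names(domains, tlds, excluded_tlds=frozenset()):
    """Cross every label variant with every non-wildcard TLD, with and without www."""
    names = set()
    for domain in domains:
        base = domain.lower().split(".")[-2]   # assumes a single-label TLD in the input
        for variant in label_variants(base):
            for tld in tlds:
                if tld in excluded_tlds:
                    continue
                names.add("%s.%s" % (variant, tld))
                names.add("www.%s.%s" % (variant, tld))
    return sorted(names)


def names_in_other_tlds(domains, tlds, resolve_a):
    """The whole pass: calibrate, enumerate, resolve, keep what answers."""
    excluded = calibrate_wildcards(tlds, resolve_a)
    found = {}
    for name in candidate_names(domains, tlds, excluded):
        ips = resolve_a(name)
        if ips:
            found[name] = ips
    return excluded, found


if __name__ == "__main__":
    excluded, found = names_in_other_tlds(
        ["deutsche-bank.de", "informatik.uni-mannheim.de"],
        ["de", "ru", "com", "tk", "ws"], fake_resolve_a)
    print("wildcard TLDs excluded:", sorted(excluded))
    for name, ips in sorted(found.items()):
        print(name, "=", ", ".join(ips))
```

Swapping fake_resolve_a for live_resolve_a turns this into a real run; note that the random probe names then go out to the public resolvers, which is exactly the calibration traffic PTT shows above.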
md@hextatic ~/ptttest$ cat output/namesinothertlds.txt
# Auto generated: 2005-11-18 Nov:11:42
www.uni-mannheim.de
www.deutsche-bank.de
www.deutschebank.ru
www.deutschebank.co.nz
www.deutschebank.ca
deutsche-bank.biz
www.unimannheim.de
uni-mannheim.com
unimannheim.de
www.uni-mannheim.com
[...]
Deutsche Bank has registered domains in many countries, no surprise there. I'm more surprised that they are not in the top 75 companies in DNS. But nevertheless, you would probably be interested in the branch offices.
Uni Mannheim seems to have a typo-squatting problem. The domains found are all, except one, owned by other entities. Sigh.
Depending on your objectives you might want to add some of the names in output/namesinothertlds.txt to target-domains.txt.
The next step can take a few hours, so better let it run overnight. First, variants of very common hostnames in the domains you supplied are checked for their existence. Next, some other still common names are tried:
Trying 22 very common hostnames in 3 domains
@ deutsche-bank.de : wo1.prod.deutsche-bank.de
@ deutsche-bank.de : wo2.prod.deutsche-bank.de
@ deutsche-bank.de : fallback.mail.de.uu.net
. deutsche-bank.de : auth02.ns.de.uu.net
. deutsche-bank.de : auth52.ns.de.uu.net
. deutsche-bank.de : dgate1.db.com
. deutsche-bank.de : dgate2.db.com
www.deutsche-bank.de = 217.73.49.24
www.deutsche-bank.de = 217.73.49.24
www1.deutsche-bank.de = 212.96.254.10
www2.deutsche-bank.de = 212.96.254.1
wwwtest.deutsche-bank.de = 217.111.13.189
www3.deutsche-bank.de = 195.124.75.164
www5.deutsche-bank.de = 195.124.75.160
[...]
Writing data ... output/dnsbruteforce.txt
Trying 3868 hostnames in 3 domains
scorpius.informatik.uni-mannheim.de = 134.155.65.240
arwen.informatik.uni-mannheim.de = 134.155.81.154
[...]
Writing data ... output/dnsbruteforce.txt
The console output is meant to be greppable. Lines containing ' = ' mean a hostname-to-IP-address mapping (A record) has been found. Lines starting with '@ ' mean a domain-to-mail-server mapping (MX record) has been found, and lines starting with '. ' mean a domain-to-name-server mapping (NS record) has been found. Note that the same A record can be printed more than once (www.deutsche-bank.de above), so deduplicate before counting.
Checking the MX and NS records often reveals relationships between companies or providers: in the run above the mail fallback and the authoritative name servers for deutsche-bank.de sit under uu.net, and two more name servers under db.com. It is up to you to screen them.
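As an added example (not part of PTT), the following Python turns the greppable console format described above into A, MX and NS record sets and then pulls out the MX/NS targets that live outside the domain they serve, which is where the provider and partner relationships show up. The sample input is constructed from the console lines shown on this page, with the "Trying" and "Writing data" progress lines kept in so the parser has to skip them.

```python
# Constructed sample: console lines copied from this page, progress lines included
# on purpose so the parser has to ignore them.
SAMPLE_OUTPUT = """\
Trying 22 very common hostnames in 3 domains
@ deutsche-bank.de : wo1.prod.deutsche-bank.de
@ deutsche-bank.de : wo2.prod.deutsche-bank.de
@ deutsche-bank.de : fallback.mail.de.uu.net
. deutsche-bank.de : auth02.ns.de.uu.net
. deutsche-bank.de : auth52.ns.de.uu.net
. deutsche-bank.de : dgate1.db.com
. deutsche-bank.de : dgate2.db.com
www.deutsche-bank.de = 217.73.49.24
www.deutsche-bank.de = 217.73.49.24
www1.deutsche-bank.de = 212.96.254.10
www2.deutsche-bank.de = 212.96.254.1
Writing data ... output/dnsbruteforce.txt
"""


def parse_ptt_output(text):
    """Split console lines into A, MX and NS records; sets drop the repeated lines."""
    records = {"A": set(), "MX": set(), "NS": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@ ") and " : " in line:       # MX: "@ domain : mailhost"
            domain, _, target = line[2:].partition(" : ")
            records["MX"].add((domain, target))
        elif line.startswith(". ") and " : " in line:     # NS: ". domain : nameserver"
            domain, _, target = line[2:].partition(" : ")
            records["NS"].add((domain, target))
        elif " = " in line:                                # A: "host = ip"
            host, _, ip = line.partition(" = ")
            records["A"].add((host, ip))
        # anything else ("Trying ...", "Writing data ...") is progress noise
    return records


def external_servers(records):
    """MX/NS targets outside the domain they serve: candidates for providers or partners."""
    out = set()
    for kind in ("MX", "NS"):
        for domain, target in records[kind]:
            if not target.endswith("." + domain):
                out.add((kind, domain, target))
    return out


def provider_domains(external):
    """Group the external targets by their last two labels (an assumed, ccTLD-naive rule)."""
    groups = {}
    for kind, domain, target in external:
        provider = ".".join(target.split(".")[-2:])
        groups.setdefault(provider, set()).add((kind, domain, target))
    return groups


if __name__ == "__main__":
    recs = parse_ptt_output(SAMPLE_OUTPUT)
    print("%d A, %d MX, %d NS records" % (len(recs["A"]), len(recs["MX"]), len(recs["NS"])))
    for provider, entries in sorted(provider_domains(external_servers(recs)).items()):
        print(provider)
        for kind, domain, target in sorted(entries):
            print("  %s for %s -> %s" % (kind, domain, target))
```

Run it against output/dnsbruteforce.txt or a saved console log instead of the sample to get the same provider grouping for your own targets; the last-two-labels rule is a simplification that misfires on second-level ccTLDs such as co.nz, so treat the grouping as a hint, not a fact.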
When dnsbruteforce is finished, output/dnsbruteforce.txt contains the hostnames found:
md@hextatic ~/ptttest$ grep bank output/dnsbruteforce.txt
wob1.deutsche-bank.de
wwwtest.deutsche-bank.de
ccmail.deutsche-bank.de
wob.deutsche-bank.de
www2.deutsche-bank.de
info3.deutsche-bank.de
info1.deutsche-bank.de
rd2.deutsche-bank.de
jb2.deutsche-bank.de
info.deutsche-bank.de
info2.deutsche-bank.de
notes.deutsche-bank.de
public.deutsche-bank.de
rd1.deutsche-bank.de
banking.deutsche-bank.de
wobtest.deutsche-bank.de
wob3.deutsche-bank.de
jb1.deutsche-bank.de
www.deutsche-bank.de
notes2.deutsche-bank.de
www3.deutsche-bank.de
tp.deutsche-bank.de
www5.deutsche-bank.de
www1.deutsche-bank.de
notes1.deutsche-bank.de
chat.deutsche-bank.de
ml.deutsche-bank.de