1. dnsenum
DESCRIPTION: Supported operations: nslookup, zone transfer, Google scraping, domain brute force (recursion also supported), whois IP and reverse lookups.
Operations:
• 1) Get the host's address (A record).
• 2) Get the nameservers (threaded).
• 3) Get the MX record (threaded).
• 4) Perform AXFR queries on nameservers (threaded).
• 5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain").
• 6) Brute force subdomains from a wordlist file (REQUIRED), can also perform recursion on subdomains that have NS records (all threaded).
• 7) Calculate Class C IP network ranges from the results and perform whois queries on them (threaded).
• 8) Perform reverse lookups on netranges (class C or/and whois netranges)(threaded).
• 9) Write to domain_ips.txt file non-contiguous ip-blocks results.
Examples:
dnsenum --enum sina.com // --enum is equivalent to --threads 5 -s 15 -w
dnsenum --noreverse -f /usr/share/dnsenum/dns.txt sina.com
The final stage performs reverse lookups on the discovered network ranges to find the domain names of the addresses in them.
2. dnsmap
Brute-forces subdomains.
3. dnsrecon
三,dnsrecon
DNS Enumeration and Scanning Tool
dnsrecon -n 8.8.8.8 -t bing -d thepaper.cn
4. dnstracer
dnstracer -v -o -s 8.8.8.8 -4 www.thepaper.cn
-q queryclass
Change the query-class, default is A. You can either specify a number of the type (if you're brave) or one of the following strings: a, aaaa, a6, soa, cname, hinfo, mx, ns, txt and ptr.
5. dnswalk
NAME
dnswalk - A DNS database debugger
SYNOPSIS
dnswalk [ -adilrfFm ] domain.
DESCRIPTION
dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as for correctness according to accepted practices with the Domain Name System.
The domain name specified on the command line MUST end with a '.'. You can specify a forward domain, such as dnswalk podunk.edu. or a reverse domain, such as dnswalk 3.2.1.in-addr.arpa.
This tool is generally no longer useful, because zone transfers are usually disabled these days.
6. fierce
usage: fierce [-h] [--domain DOMAIN] [--connect] [--wide] [--traverse TRAVERSE] [--search SEARCH [SEARCH ...]] [--range RANGE] [--delay DELAY] [--subdomains SUBDOMAINS [SUBDOMAINS ...] | --subdomain-file SUBDOMAIN_FILE]
[--dns-servers DNS_SERVERS [DNS_SERVERS ...] | --dns-file DNS_FILE] [--tcp]
fierce --dns-server 8.8.8.8 --domain sina.com.cn
fierce --range 39.156.6.98/24 --dns-server 8.8.8.8
sudo fierce --range 23.75.85.0/24 --dns-server 8.8.8.8
fierce --domain thepaper.cn --traverse 10 // addresses adjacent to discovered records
fierce --domain ziroom.com --wide // the whole class C (/24) range
A DNS reconnaissance tool for locating non-contiguous IP space.
options:
-h, --help show this help message and exit
--domain DOMAIN domain name to test
--connect attempt HTTP connection to non-RFC 1918 hosts
--wide scan entire class c of discovered records
--traverse TRAVERSE scan IPs near discovered records, this won't enter adjacent class c's
--search SEARCH [SEARCH ...] filter on these domains when expanding lookup
--range RANGE scan an internal IP range, use cidr notation
--delay DELAY time to wait between lookups
--subdomains SUBDOMAINS [SUBDOMAINS ...] use these subdomains
--subdomain-file SUBDOMAIN_FILE use subdomains specified in this file (one per line)
--dns-servers DNS_SERVERS [DNS_SERVERS ...] use these dns servers for reverse lookups
--dns-file DNS_FILE use dns servers specified in this file for reverse lookups (one per line)
--tcp use TCP instead of UDP
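The netblock bookkeeping that dnsenum's steps 7 and 9 and fierce's "non-contiguous IP space" description refer to, as an added example that is not part of this page or of either tool: given the A records collected for a domain, group them by class C (/24) network and collapse them into contiguous address blocks, so an analyst can review which of their own netblocks the enumeration exposed. The host names and addresses below are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: host names and the A records they resolved to (documentation ranges, not real hosts).
RESOLVED = {
    "www.example.test": "203.0.113.10",
    "app.example.test": "203.0.113.11",
    "mail.example.test": "203.0.113.12",
    "ns1.example.test": "203.0.113.2",
    "dev.example.test": "198.51.100.7",
    "vpn.example.test": "198.51.100.9",
    "cdn.example.test": "192.0.2.200",
}


def class_c_networks(addresses):
    """Map each /24 ("class C") network to the addresses seen in it.

    This is the grouping dnsenum performs before running whois on each range
    (step 7) and the range fierce --wide expands to.
    """
    nets = defaultdict(list)
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        nets[str(net)].append(ip)
    return {net: [str(ip) for ip in sorted(ips)] for net, ips in nets.items()}


def ip_blocks(addresses):
    """Collapse addresses into contiguous (first, last) blocks.

    Each gap between two blocks marks a boundary of non-contiguous IP space,
    which is what dnsenum writes to domain_ips.txt in step 9.
    """
    ips = sorted({ipaddress.ip_address(a) for a in addresses})
    blocks = []
    for ip in ips:
        if blocks and ip == blocks[-1][1] + 1:
            blocks[-1] = (blocks[-1][0], ip)  # extend the current run
        else:
            blocks.append((ip, ip))           # start a new block
    return [(str(first), str(last)) for first, last in blocks]


if __name__ == "__main__":
    for net, ips in class_c_networks(RESOLVED.values()).items():
        print(f"{net}: {len(ips)} host(s) -> {', '.join(ips)}")
    for first, last in ip_blocks(RESOLVED.values()):
        print(f"block {first}-{last}")
```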
7. urlcrazy
Generates domain names that are easy to mistype; if such a domain imitates the original site, it can be used as a phishing site. URLCrazy is a domain-security attack testing tool, essentially an OSINT tool, that helps researchers generate and test phishing domains and their variants, covering typosquatting, URL hijacking, phishing and corporate espionage.