DNSRecon is a simple python script that enables to gather DNS-oriented information on a given target.
This script provides the ability to perform:
- Check all NS Records for Zone Transfers.
- Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
- Perform common SRV Record Enumeration.
- Top Level Domain (TLD) Expansion.
- Check for Wildcard Resolution.
- Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
- Perform a PTR Record lookup for a given IP Range or CIDR.
- Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check.
Author: Carlos Perez
dnsrecon.py [-h] -d DOMAIN [-n NS_SERVER] [-r RANGE] [-D DICTIONARY] [-f] [-a] [-s] [-b] [-y] [-k] [-w] [-z] [--threads THREADS] [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV] [-j JSON] [--iw] [--disable_check_recursion] [--disable_check_bindversion] [-v] [-t TYPE]
optional arguments: -h, --help show this help message and exit -d DOMAIN, --domain DOMAIN Target domain. -n NS_SERVER, --name_server NS_SERVER Domain server to use. If none is given, the SOA of the target will be used. Multiple servers can be specified using a comma separated list. -r RANGE, --range RANGE IP range for reverse lookup brute force in formats (first-last) or in (range/bitmask). -D DICTIONARY, --dictionary DICTIONARY Dictionary file of subdomain and hostnames to use for brute force. Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records. -f Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records. -a Perform AXFR with standard enumeration. -s Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration. -b Perform Bing enumeration with standard enumeration. -y Perform Yandex enumeration with standard enumeration. -k Perform crt.sh enumeration with standard enumeration. -w Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration. -z Performs a DNSSEC zone walk with standard enumeration. --threads THREADS Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumeration. --lifetime LIFETIME Time to wait for a server to response to a query. --tcp Use TCP protocol to make queries. --db DB SQLite 3 file to save found records. -x XML, --xml XML XML file to save found records. -c CSV, --csv CSV Save output to a comma separated value file. -j JSON, --json JSON save output to a JSON file. --iw Continue brute forcing a domain even if a wildcard records are discovered. --disable_check_recursion Disables check for recursion on name servers --disable_check_bindversion Disables check for BIND version on name servers -v Enable verbose -t TYPE, --type TYPE Type of enumeration to perform. std: SOA, NS, A, AAAA, MX and SRV. rvl: Reverse lookup of a given CIDR or IP range. brt: Brute force domains and hosts using a given dictionary. srv: SRV records. axfr: Test all NS servers for a zone transfer. bing: Perform Bing search for subdomains and hosts. yand: Perform Yandex search for subdomains and hosts. crt: Perform crt.sh search for subdomains and hosts. snoop: Perform cache snooping against all NS servers for a given domain, testing all with file containing the domains, file given with -D option. tld: Remove the TLD of given domain and test against all TLDs registered in IANA. zonewalk: Perform a DNSSEC zone walk using NSEC records.
DNSRecon Usage Example
Scan a domain (-d miloserdov.org), use a dictionary to brute force hostnames (-D /usr/share/dict/theHarvester/dns-names.txt), do a standard scan (-t std), and save the output to a file (--xml dnsrecon.xml):
dnsrecon -d miloserdov.org -D /usr/share/dict/theHarvester/dns-names.txt -t std --xml ~/dnsrecon.xml
Attempts a zone transfer (AXFR) (-t axfr) on the domain (-d miloserdov.org):
dnsrecon -t axfr -d miloserdov.org
How to install DNSRecon
Installation on Kali Linux
The program is pre-installed on Kali Linux.
sudo apt install dnsrecon
Installation on Debian, Linux Mint, Ubuntu
sudo apt install python3-pip git python3-setuptools git clone https://github.com/darkoperator/dnsrecon cd dnsrecon sudo pip3 install -r requirements.txt python3 ./dnsrecon.py -h
Installation on BlackArch
The program is pre-installed on BlackArch.
sudo pacman -S dnsrecon