DNS Enumeration with Fierce in Kali Linux

Okay, tonight we'll learn how to use fierce.pl to do DNS enumeration against a domain's DNS (Domain Name System) servers. Before getting into the material, let's first get acquainted with what DNS enumeration is:

WTF is DNS Enumeration?

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.

How can I do that?

You can use many tools from the internet for DNS enumeration, for example nslookup, dnsenum, and also fierce.pl.


After that short introduction to DNS enumeration, now it's time to get acquainted with fierce.pl. Okay, fire off the introduction command:

[code]
fierce -h
[/code]

Result :
[code]

fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
Fierce is a semi-lightweight scanner that helps locate non-contiguous
IP space and hostnames against specified domains. It's really meant
as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
of those require that you already know what IP space you are looking
for. This does not perform exploitation and does not scan the whole
internet indiscriminately. It is meant specifically to locate likely
targets both inside and outside a corporate network. Because it uses
DNS primarily you will often find mis-configured networks that leak
internal address space. That's especially useful in targeted malware.

Options:
-connect Attempt to make http connections to any non RFC1918
(public) addresses. This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag. I wouldn't
recommend doing this unless it's a small company or you have a
lot of free time on your hands (could take hours-days).
Inside the file specified the text "Host:\n" will be replaced
by the host specified. Usage:

perl fierce.pl -dns example.com -connect headers.txt

-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for
reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups
(probably should be the DNS server of the target). Fierce
uses your DNS server for the initial SOA query and then uses
the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don't use a search pattern when looking for nearby
hosts. Instead dump everything. This is really noisy but
is useful for finding other domains that spammers might be
using. It will also give you lots of false positives,
especially on large domains.
-range Scan an internal IP range (must be combined with
-dnsserver). Note, that this does not support a pattern
and will simply output anything it finds. Usage:

perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

-search Search list. When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company. If you supply a
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website. Usage:

perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list. The more the
better.
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds). You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads Specify how many threads to use while scanning (default
is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs. Default is 5 above and
below. Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C. This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line). Usage:

perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt
[/code]

So, there are a few commands in there that matter when we execute later. In my opinion these are:

[code]
fierce -dns domain -dnsserver nameserver
fierce -range a.b.c.start-end
fierce -range a.b.c.start-end -dnsserver nameserver
[/code]

Okay, from that we know what we need before running those commands: a target domain, its nameservers, and an IP range (start-end is the last octet of a class C, not a port range, and the help text says -range only works together with -dnsserver). Now pick your target. Here my target is: www.laotel.com

Next, now that I've picked the target, it's time to do a little information gathering (reconnaissance).

First I whois the domain. You can check the domain's whois through a service on the internet or directly from the console. Makes you look more like a hacker, bro... hahahahaha

[code]
whois laotel.com
[/code]

And the result :

[code]

Domain Name: LAOTEL.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com/en_US/
Updated Date: 2013-02-20T00:00:00Z
Creation Date: 1999-02-23T00:00:00Z
Registrar Registration Expiration Date: 2018-02-23T00:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: 1-800-333-7680
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Lao Telecommunication
Registrant Organization: Lao Telecommunication
Registrant Street: Ave Lane xang 0100
Registrant City: Vientiane
Registrant State/Province: Vientiane
Registrant Postal Code: 010000
Registrant Country: LA
Registrant Phone: +856 21 219429
Registrant Phone Ext:
Registrant Fax: +856 21 219428
Registrant Fax Ext:
Registrant Email: vath@LAOTEL.COM
Registry Admin ID:
Admin Name: Putthasingha, SAVATPHONH
Admin Organization: Lao Telecommunications Co., Ltd.
Admin Street: Ave Lane xang 0100
Admin City: Vientiane
Admin State/Province: Vientiane
Admin Postal Code: LA
Admin Country: LA
Admin Phone: +856 21 219429
Admin Phone Ext:
Admin Fax: +856 21 219428
Admin Fax Ext:
Admin Email: putthas@laotel.com
Registry Tech ID:
Tech Name: Putthasingha, SAVATPHONH
Tech Organization: Lao Telecommunications Co., Ltd.
Tech Street: Ave Lane xang 0100
Tech City: Vientiane
Tech State/Province: Vientiane
Tech Postal Code: LA
Tech Country: LA
Tech Phone: +856 21 219429
Tech Phone Ext:
Tech Fax: +856 21 219428
Tech Fax Ext:
Tech Email: putthas@laotel.com
Name Server: NUMPHOU1.LAOTEL.COM
Name Server: NUMPHOU2.LAOTEL.COM
Name Server: NSBK2.LAOTEL.COM
DNSSEC:
[/code]

Okay, from there we get several important pieces of information: registrant, email, phone, nameservers, and so on. From the whois we learn that laotel.com uses 3 nameservers (at least as registered at the registrar; the NS records served by the live DNS can differ, as we'll see shortly). Write them down so you don't forget, or save them in Notepad lol

Now that we have the nameservers, let's find the IP, bro. How? Just ping it :D Those of you who spend all day on BBM will be good at this :p (ping resolves the name but also sends ICMP to the host; `host www.laotel.com` or `dig +short www.laotel.com` resolves it without touching the target. Note that this gives the web server's address, not the nameservers'; resolve each nameserver the same way if you need their IPs.)

[code]
ping www.laotel.com
[/code]

From the above I got the IP, bro; write that IP down too so you don't forget it :p Okay, next just launch our action, using the fierce command from above

Example :

[code]
fierce -dns laotel.com -dnsserver nsbk2.laotel.com
[/code]

Result :

[code]
DNS Servers for laotel.com:

numphou1.laotel.com
nsbk2.laotel.com
numphou2.laotel.com
nsbk1.laotel.com

Trying zone transfer first...

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Can't open hosts.txt or the default wordlist
Exiting...
[/code]

Okay, we got one more nameserver, bro, so in total this domain uses 4 nameservers :) But there's an error there: the zone transfer was refused, and after that fierce couldn't open its brute-force wordlist (hosts.txt), so it exited before trying a single name. Okay, let's modify the command.... The point is keep trying, never give up, like D'Nasib :D

[code]
fierce -dns laotel.com -threads 5
[/code]

Hmm, the output is different, but the ending is the same: the zone transfer is not successful, meaning the zone transfer failed or errored. (-threads only changes how many lookups run in parallel; it does nothing about the wordlist error, which is fixed by pointing -wordlist at a file, on Kali typically the bundled /usr/share/fierce/hosts.txt, check with `locate hosts.txt`.) Now let's go to Google to find the answer to the transfer problem, and I found the answer like this:

[code]
Although this (our target) server no longer allowed us to use zone transfers, we were able to map several of the subdomains with wordlists.txt
[/code]

Okay, so the error is because the server doesn't allow us to do zone transfers (a properly configured nameserver only allows AXFR from its own secondaries). So what now? Relax, bro, there are still other options :) many roads lead to hell... eh, heaven, lol
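Before moving on, here is a small shell helper I'm adding to this post (it is not part of fierce and not the original post's code) that does by hand the two things fierce just did: it pulls the nameservers out of the whois output above and decides whether a `dig ... AXFR` really returned the zone, then picks a wordlist so the `Can't open hosts.txt` error does not stop the brute force. The whois and dig outputs embedded in it are constructed samples (the laotel.com lines are copied from the output above; the example.test zone is made up), and the wordlist paths are assumptions to check on your own box. `try_axfr` needs network access and is not run by the script itself.

```shell
#!/bin/sh
# Added example, not code from fierce or the original post.
# Reproduces fierce's first steps by hand: nameservers from whois, then a
# zone-transfer check, then a wordlist for the brute-force fallback.

# Constructed sample: the Name Server lines as whois printed them above, plus a
# duplicate in different case to show why the output is normalised.
WHOIS_SAMPLE='Registrant Email: vath@LAOTEL.COM
Name Server: NUMPHOU1.LAOTEL.COM
Name Server: NUMPHOU2.LAOTEL.COM
Name Server: NSBK2.LAOTEL.COM
Name Server: numphou1.laotel.com
DNSSEC:'

# Unique nameservers from whois text on stdin, lowercased, one per line.
# CR characters are dropped because some whois servers answer with CRLF.
extract_ns() {
  tr -d '\r' | awk -F': *' 'tolower($1) == "name server" && $2 != "" { print tolower($2) }' | sort -u
}

# Constructed samples of "dig @ns domain AXFR" output: a refused transfer (what
# every laotel.com nameserver returned above) and a permissive server.
AXFR_REFUSED='; <<>> DiG 9.9.5 <<>> @nsbk2.laotel.com laotel.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

AXFR_OK='; <<>> DiG 9.9.5 <<>> @ns1.example.test example.test AXFR
; (1 server found)
;; global options: +cmd
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2017010101 7200 900 1209600 300
example.test.      3600  IN  NS   ns1.example.test.
www.example.test.  3600  IN  A    192.0.2.10
mail.example.test. 3600  IN  A    192.0.2.25
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2017010101 7200 900 1209600 300'

# Succeeds only for a complete transfer: dig prints the SOA record at both ends
# of the zone and prints "; Transfer failed." when the server refuses, so the
# output has to be inspected rather than assumed good because dig returned.
axfr_ok() {
  awk '
    /^; Transfer failed/      { failed = 1 }
    $3 == "IN" && $4 == "SOA" { soa++ }
    END { exit !(soa >= 2 && !failed) }'
}

# Hostnames with address records in a transferred zone on stdin.
zone_hosts() {
  awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { sub(/\.$/, "", $1); print $1 }' | sort -u
}

# Network step (not run here): try AXFR against each nameserver in turn and print
# the zone from the first one that allows it. Usage: try_axfr laotel.com ns1 ns2 ...
try_axfr() {
  domain=$1; shift
  for ns in "$@"; do
    zone=$(dig @"$ns" "$domain" AXFR +time=5 +tries=1 2>/dev/null)
    if printf '%s\n' "$zone" | axfr_ok; then
      printf '%s\n' "$zone"; return 0
    fi
  done
  echo "AXFR refused by all nameservers of $domain, fall back to -wordlist" >&2
  return 1
}

# First readable wordlist among the candidates. "Can't open hosts.txt or the
# default wordlist" means fierce did not find its list in the working directory;
# pass the result to fierce with -wordlist. The candidate paths are assumptions.
pick_wordlist() {
  for f in "$@"; do
    if [ -r "$f" ]; then echo "$f"; return 0; fi
  done
  return 1
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$WHOIS_SAMPLE" | extract_ns
if printf '%s\n' "$AXFR_REFUSED" | axfr_ok; then
  echo "zone transferred"
else
  echo "transfer refused, brute force with: fierce -dns laotel.com -wordlist $(pick_wordlist ./hosts.txt /usr/share/fierce/hosts.txt || echo '<your wordlist>')"
fi
printf '%s\n' "$AXFR_OK" | zone_hosts
```

Against a real target you would run `printf '%s\n' "$(whois laotel.com)" | extract_ns` and feed the result to `try_axfr laotel.com`; if every server refuses, as they did above, `pick_wordlist` gives you the path to hand to `fierce -wordlist`.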

Now let's execute the second command:

[code]
fierce -range a.b.c.start-end

fierce -range 202.137.128.0-255
[/code]

Huh, why an error after execution? :o "must be combined with -dnsserver". Relax, bro, that means we have to combine -range with a DNS server (the help text says so: -range does its reverse lookups through the target's own nameserver), so it becomes:

[code]
fierce -range 202.137.128.0-255 -dnsserver NSBK2.LAOTEL.COM
fierce -range 202.137.128.0-255 -dnsserver NUMPHOU1.LAOTEL.COM
fierce -range 202.137.128.0-255 -dnsserver NUMPHOU2.LAOTEL.COM
[/code]

The result will look like this, bro:

[Two screenshots of the fierce -range output were here]


For the second image, get creative with your own favourite tricks, bros :D Many roads lead to hell.... eh, heaven :p lol
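To see what `-range` does under the hood, here is an added shell example (mine, not from fierce or from the original post): it expands `202.137.128.0-255` into the 256 addresses and the in-addr.arpa names a PTR query really asks for, filters hits the way fierce's search pattern keeps only names under the target's domain, and optionally runs the reverse sweep with `dig -x` through the target's nameserver. The hit list embedded in it is a constructed sample, not real output from laotel.com; `ptr_sweep` needs network access and is not run by the script itself.

```shell
#!/bin/sh
# Added example, not code from fierce or the original post: what "-range" does.

# Constructed sample of reverse-sweep hits ("ip hostname"), not real laotel.com data.
HITS_SAMPLE='202.137.128.1 numphou1.laotel.com
202.137.128.5 mail.laotel.com
202.137.128.9 host9.other-isp.example
202.137.128.40 www.LAOTEL.com'

# Every address in "a.b.c.start-end" (fierce's -range only ranges over the last
# octet). Octets above 255 are rejected, so the 111.222.333.0-255 from fierce's
# own help text is refused here rather than silently queried.
expand_range() {
  printf '%s\n' "$1" | awk -F'[.-]' '
    NF != 5 { print "bad range: " $0 | "cat 1>&2"; exit 1 }
    { for (i = 1; i <= 5; i++)
        if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { print "bad octet: " $i | "cat 1>&2"; exit 1 } }
    $4 + 0 > $5 + 0 { print "start after end: " $0 | "cat 1>&2"; exit 1 }
    { for (h = $4 + 0; h <= $5 + 0; h++) printf "%s.%s.%s.%d\n", $1, $2, $3, h }'
}

# The in-addr.arpa name that a PTR query for one IPv4 address asks for: octets reversed.
ptr_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Keep only hits whose hostname is one of the given domains or a subdomain of it,
# the way fierce's search pattern (and the -search list) drops unrelated names
# that merely share the netblock. Usage: filter_hits laotel.com other.example < hits
filter_hits() {
  awk -v doms="$*" '
    BEGIN { n = split(tolower(doms), d, " ") }
    {
      h = tolower($2)
      for (i = 1; i <= n; i++)
        if (h == d[i] || substr(h, length(h) - length(d[i])) == "." d[i]) { print; next }
    }'
}

# Network step (not run here): reverse-resolve every address in RANGE through NS,
# sleeping DELAY seconds between lookups like fierce's -delay, and print hits in
# the "ip hostname" form that filter_hits expects. Usage: ptr_sweep RANGE NS [DELAY]
ptr_sweep() {
  range=$1; ns=$2; delay=${3:-0}
  expand_range "$range" | while read -r ip; do
    name=$(dig @"$ns" -x "$ip" +short +time=3 +tries=1 2>/dev/null | head -n 1)
    [ -n "$name" ] && printf '%s %s\n' "$ip" "${name%.}"
    sleep "$delay"
  done
}

# Offline demonstration.
expand_range 202.137.128.250-255
ptr_name 202.137.128.1
printf '%s\n' "$HITS_SAMPLE" | filter_hits laotel.com
```

The live equivalent of the commands above is `ptr_sweep 202.137.128.0-255 nsbk2.laotel.com 1 | filter_hits laotel.com`; the one-second delay keeps the sweep from looking like a flood to the target's nameserver, which is the same reason fierce offers -delay.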

Okay, hope this is useful! And keep hacking the world .... - Z
