Monday, July 2, 2012

DNS Brute force

I keep a list of common host names, adding to it whenever a zone transfer turns up a new one, and run a script that tries each entry as hostname.domain.com against the target. Here is my hostname list.

www
www2
mail
smtp
pop3
mailgw
proxy
vpn
ssl
imap
ns1
ns2
router
cisco
conf
exchange
isa
juniper
gopher
irc
Next I wrote a script that reads the list and tries each name under the target domain:

#!/bin/bash
# Try every name in names.txt as a subdomain and keep only the A-record lines
while read -r name; do
    host "$name.docstar.com" | grep "has address"
done < names.txt

The output is the list of names that resolved. Two things are worth noticing before trusting it. The first line says docstar.com rather than www.docstar.com: www is most likely a CNAME, and host prints the A record under the alias target's name. More importantly, nearly every other name resolves to the same address, 67.215.65.132. When a brute force returns one address for almost everything, suspect either a wildcard record in the zone or a resolver that rewrites NXDOMAIN into an address. Check by resolving a label that cannot exist (a random string) and by querying the domain's authoritative name servers directly with host -t A name ns1.domain; if the random name gets the same answer, those "hits" are not real hosts.

docstar.com has address 50.57.86.180
www2.docstar.com has address 67.215.65.132
mail.docstar.com has address 206.17.147.38
smtp.docstar.com has address 67.215.65.132
pop3.docstar.com has address 67.215.65.132
mailgw.docstar.com has address 67.215.65.132
proxy.docstar.com has address 67.215.65.132
vpn.docstar.com has address 67.215.65.132
ssl.docstar.com has address 67.215.65.132
imap.docstar.com has address 67.215.65.132
ns1.docstar.com has address 67.215.65.132
ns2.docstar.com has address 67.215.65.132
router.docstar.com has address 67.215.65.132
cisco.docstar.com has address 67.215.65.132
conf.docstar.com has address 67.215.65.132
exchange.docstar.com has address 67.215.65.132
isa.docstar.com has address 67.215.65.132
juniper.docstar.com has address 67.215.65.132
gopher.docstar.com has address 67.215.65.132
irc.docstar.com has address 67.215.65.132

Just to clean it up I'll tack cut onto the end of the pipeline, splitting on spaces and keeping field 4, which is the address:

|cut -d " " -f4

Next I'll append the addresses to a file, then sort -u gives the unique ones:

 >>docstarip.txt

cat docstarip.txt | sort -u

206.17.147.38
50.57.86.180
67.215.65.132
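Putting the steps above together, here is a shell script of my own that is not the post's original: it takes the domain and the names file as arguments, probes a random label first so it can recognise wildcard or NXDOMAIN-rewriting answers, discards hits that match that answer, and prints the remaining hits and the unique addresses. The function names, the probe label format and the sample domain in the comments are my own choices; host(1) must be installed.

```shell
#!/usr/bin/env bash
# dnsbrute.sh DOMAIN NAMEFILE
# Added example: brute-force hostnames with host(1), discard answers that
# match a name known not to exist, and print the unique addresses.

# Resolve one name with host(1). Kept in its own function so it can be
# swapped for a stub when testing without network access.
resolve_name() {
    host "$1" 2>/dev/null
}

# Read host(1) output on stdin and print the IPv4 from every
# "NAME has address A.B.C.D" line (field 4, as in the post's cut step).
# A CNAME shows up as "TARGET has address ...", so its address is still caught.
extract_addrs() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Resolve a label that should not exist (nx + epoch + pid). Any address
# printed here means the zone has a wildcard record or the resolver
# rewrites NXDOMAIN into an address.
wildcard_addrs() {
    resolve_name "nx$(date +%s)$$.$1" | extract_addrs | sort -u
}

# For each name in NAMEFILE print "fqdn address" for every hit whose
# address differs from the bogus-probe answer.
brute_force() {
    local domain="$1" names="$2" wild name fqdn addr
    wild="$(wildcard_addrs "$domain")"
    while IFS= read -r name || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        fqdn="$name.$domain"
        resolve_name "$fqdn" | extract_addrs | while IFS= read -r addr; do
            if printf '%s\n' "$wild" | grep -qxF -- "$addr"; then
                continue   # same answer as the nonexistent name: not a real host
            fi
            printf '%s %s\n' "$fqdn" "$addr"
        done
    done < "$names"
}

# Reduce "fqdn address" lines on stdin to the unique addresses
# (the post's cut + sort -u step).
unique_addrs() {
    awk 'NF { print $2 }' | sort -u
}

main() {
    local hits
    hits="$(brute_force "$1" "$2")"
    printf '%s\n' "$hits"
    printf '\nUnique addresses:\n'
    printf '%s\n' "$hits" | unique_addrs
}

# Only run when invoked with arguments, e.g. ./dnsbrute.sh docstar.com names.txt
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

The wildcard filter is deliberately blunt: a real host that happens to share the wildcard's address is dropped too, so when the probe returns an address, review those names by hand or query the authoritative servers for the zone directly.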