Enumerating Records in a Domain

About four years ago to the date, I was looking for a DNS brute forcer, because many people were getting wise and locking down DNS zone transfers. I actually advised our security admin at work that we were allowing internal zone transfers to any IP that requested one. Not getting much help with the request for such a tool, and not having the time or enough interest to code my own, I dropped the idea. It appears that others in the InfoSec community had the same idea.

About a week ago, while catching up on old PaulDotCom Security Weekly episodes, I heard them mention a tool called Fierce Domain Scanner. This is a Perl script that can be used on Windows using Cygwin (it does require a couple of Perl modules). The tool first tries to perform a zone transfer. If that fails, it starts guessing domain names by doing a reverse lookup of the initial domain.com. What's cool about it is that once it finds a computer in the domain's address space, it starts doing reverse lookups on the sequential IPs on either side (above and below) of the IP it just found, and it does this recursively for each IP it finds in that domain. The number of IPs on either side defaults to 5, but it can be set using the -traverse switch, or expanded to the entire class C using the -wide switch. This is extremely helpful when the target's computers have sequentially numbered IP addresses. It also probes for internal IPs in case the target uses one DNS server for both internal (RFC 1918 addresses) and external DNS requests.

Other features include searching based on domains that you know the target owns, doing a reverse lookup on an entire class C network, doing a wide scan on either side of IPs that are found in the full class C scan, a command to connect to any HTTP servers on port 80 and perform whatever action you put into a configuration file, and of course a dictionary attack using a wordlist, prepending each word to yourtarget.com.

Another DNS tool I read about yesterday is called TXDNS (Those eXtra Domain NameS). TXDNS is described as a Win32 aggressive multithreaded DNS digger. It can use a dictionary attack along with a real brute force attack that tries every possible character combination. It can also check for typos in a domain and rotate through all the TLDs, which could be used to find phishing sites for the target domain. You can use the -rr switch to look only for a specific type of DNS record. You can find a list of all available switches and sample outputs here.
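Both tools leave a distinctive trace in the authoritative server's query log: a run of PTR queries for consecutive addresses (the Fierce traverse described above) or a burst of names tried under one domain (the dictionary mode of either tool). As an added example that is not part of the original post or of either tool, here is a small Python detector over a constructed, simplified query-log format (client, qname and qtype per line); the thresholds, the example.com domain and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed, simplified query-log format for this example (real BIND lines carry more fields):
#   client <ip>#<port>: query: <qname> IN <qtype>
LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")

def ptr_to_ip(qname):
    """Map a reverse-lookup name (in-addr.arpa) back to the IPv4 address it asks about."""
    m = PTR_RE.match(qname.rstrip(".").lower())
    return ".".join(reversed(m.groups())) if m else None

def longest_sequential_run(ips):
    """Length of the longest run of consecutive IPv4 addresses in the collection."""
    nums = sorted({int(ip_address(ip)) for ip in ips})
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(lines, domain, seq_threshold=5, name_threshold=20):
    """Return {client: [reasons]} for clients whose queries look like a PTR sweep or a name sweep."""
    ptr_targets = defaultdict(set)   # client -> IPs asked about via PTR
    names = defaultdict(set)         # client -> distinct names tried under the domain
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, qname, qtype = m["src"], m["qname"].rstrip(".").lower(), m["qtype"].upper()
        if qtype == "PTR" and (ip := ptr_to_ip(qname)):
            ptr_targets[src].add(ip)
        elif qname.endswith("." + domain.lower()):
            names[src].add(qname)
    findings = {}
    for src, ips in ptr_targets.items():
        run = longest_sequential_run(ips)
        if run >= seq_threshold:
            findings.setdefault(src, []).append(f"PTR sweep: {run} consecutive addresses")
    for src, tried in names.items():
        if len(tried) >= name_threshold:
            findings.setdefault(src, []).append(f"name sweep: {len(tried)} names under {domain}")
    return findings

# Constructed sample: 203.0.113.7 walks PTR records for 192.0.2.10-192.0.2.20 (five either side
# of a hit at .15), while 198.51.100.2 makes two ordinary lookups and should not be flagged.
SAMPLE_LOG = [f"client 203.0.113.7#5353: query: {n}.2.0.192.in-addr.arpa IN PTR" for n in range(10, 21)]
SAMPLE_LOG += ["client 198.51.100.2#40001: query: www.example.com IN A",
               "client 198.51.100.2#40002: query: 1.2.0.192.in-addr.arpa IN PTR"]
```

Running `detect_enumeration(SAMPLE_LOG, "example.com")` flags only 203.0.113.7; the same logic, fed real query logs, is a cheap way to notice a traverse or wordlist run against your own zone.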

Between the two of these tools, they do everything I could possibly have wished for and more. As always, please use these tools for good and not evil. Don’t be stupid.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.