Script dns-brute
Script types: prerule, hostrule
Categories: intrusive, discovery
Download: https://svn.nmap.org/nmap/scripts/dns-brute.nse
Script Summary
Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.
Wildcard records are listed as "*A" and "*AAAA" for IPv4 and IPv6 respectively.
See also:
Script Arguments
- dns-brute.threads
Number of threads to use (default 5).
- dns-brute.srvlist
The filename of a list of SRV records to try. Defaults to "nselib/data/dns-srv-names"
- dns-brute.hostlist
The filename of a list of host strings to try. Defaults to "nselib/data/vhosts-default.lst"
- dns-brute.srv
Perform lookup for SRV records
- dns-brute.domain
Domain name to brute force if no host is specified
- max-newtargets, newtargets
See the documentation for the target library.
Example Usage
nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
nmap --script dns-brute www.foo.com
Script Output
Pre-scan script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.foo.com - 127.0.0.1
|     mail.foo.com - 127.0.0.2
|     blog.foo.com - 127.0.1.3
|     ns1.foo.com - 127.0.0.4
|     admin.foo.com - 127.0.0.5
|_  *A: 127.0.0.123
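Added example (not part of the Nmap script or its documentation): a detection sketch for how this kind of enumeration looks in DNS query logs. It keys on the number of distinct names one client requests under a zone in a short window rather than on NXDOMAIN counts, so it still fires for wildcard zones, where every guess returns NOERROR. The log line format, thresholds and client addresses are constructed assumptions.

```python
from collections import defaultdict

ZONE = "foo.com"   # zone from the page's example
WINDOW = 10        # seconds per sliding window (assumed threshold)
MIN_NAMES = 8      # distinct names per client per window (assumed threshold)

def build_log():
    """Constructed sample log: '<epoch> <client> <qname> <qtype> <rcode>'."""
    words = ["www", "mail", "blog", "ns1", "admin", "dev", "vpn", "ftp", "test", "stage"]
    exists = {"www", "mail", "blog", "ns1", "admin"}
    lines = []
    for i, w in enumerate(words):  # one client guessing names in quick succession
        rcode = "NOERROR" if w in exists else "NXDOMAIN"
        lines.append(f"{1000 + i * 0.2:.1f} 192.0.2.10 {w}.{ZONE} A {rcode}")
    lines.append(f"1000.5 198.51.100.7 www.{ZONE} A NOERROR")    # ordinary client
    lines.append(f"1003.0 198.51.100.7 mail.{ZONE} AAAA NOERROR")
    lines.append("1001.0 192.0.2.10 www.example.net A NOERROR")  # other zone, ignored
    return lines

def detect(lines, zone=ZONE, window=WINDOW, min_names=MIN_NAMES):
    """Return {client: (max distinct names in a window, NXDOMAIN ratio there)}."""
    events = defaultdict(list)
    for line in lines:
        ts, client, qname, _qtype, rcode = line.split()
        qname = qname.rstrip(".").lower()
        if qname.endswith("." + zone):
            events[client].append((float(ts), qname, rcode))
    alerts = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            names = {q for _, q, _ in win}
            if len(names) >= min_names and len(names) > alerts.get(client, (0, 0.0))[0]:
                nx = sum(1 for _, _, r in win if r == "NXDOMAIN") / len(win)
                alerts[client] = (len(names), round(nx, 2))
    return alerts

if __name__ == "__main__":
    for client, (n, nx) in detect(build_log()).items():
        print(f"{client}: {n} distinct names under {ZONE} within {WINDOW}s, NXDOMAIN ratio {nx}")
```

The NXDOMAIN ratio is reported as context only; a low ratio together with a high distinct-name count is what a wildcard zone produces.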
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html