DNS is one of the most important protocols on the internet. If you visited a homepage like this one your computer probably used DNS. The domain name system is used to associate ip addresses with certain domains, e.g. Google’s ip address is 22.214.171.124 and it is associated with google.com. So whenever you type google.com in your browser your computer actually looks up the ip address of it and further connects to it.
Forward DNS Bruteforcing
Forward DNS bruteforcing is method which uses DNS to find out about potential services of a domain. The concept is very simple. A lot of domains now a days have subdomains in the case of Google it could be mail.google.com. Here mail is a subdomain of Google thus it needs to have a certain ip address otherwise it wouldn’t be available over the internet. So what Forward DNS bruteforcing actually does is query DNS servers for subdomains and through the response you know whether it exists or not. Let’s take a look at an example.
Let’s say we want to know whether Google has a VPN service available. You could try to forward bruteforce Google by querying a DNS server for vpn.google.com. Now if it exists it has to have an ip address and we would get it through the query.
Python DNS Bruteforcing Script
Now I coded this little script in Python. It actually does the same as stated above. I am not sure whether it works under Windows since it uses the “host” command to query for domains but it should work well under Linux. When you run the script you need to provide a file and a domain. The file should be just a list of subdomain names (e.g. vpn, mail, pop etc.) which you want to forward bruteforce. The domain is obvisiously the domain you want to bruteforce. Here is the source code of the script:
import os, sys, commands
if len(sys.argv) < 3:
print ” DNS Bruteforce lookup on the domain by”
print ” adding the names in the file to the domain”
print “Usage: %s <file> <host>” % sys.argv
file = sys.argv
fh = open(file, “r”).readlines()
val = name[0:len(name)-2]
val = name[0:len(name)-1]
print “Shutting down application …”
var = commands.getoutput(“host %s.%s ” % (val, sys.argv))
if not “not found” in var:
for name in fh: