Hacking Tools

Linux Works natively on Linux
*BSD Works natively on OpenBSD, FreeBSD, Solaris, and/or other UNIX variants
OS X Works natively on Apple Mac OS X
Windows Works natively on Microsoft Windows
Generally costs money. A free limited/demo/trial version may be available.
Command-line interface Features a command-line interface
GUI Interface Offers a GUI (point and click) interface
Source code Source code available for inspection.

DNSEnum

Information Gathering, DNS, Hacking Tools
Saturday, 15 January 2011

Linux *BSD OS X Windows Command-line interface Source code

DNSEnum is a very robust script which was actually written by one of the Backtrack developers when Backtrack was still a Remote-Exploit project. The author, Filip (barbsie) Waeytens, is a web application penetration tester with extensive experience in DNS and information gathering. Today we will look at some examples of using DNSEnum to passively gather information on a target. DNSEnum is a great tool and should be in any hacker's toolkit. The purpose of DNSEnum is to gather as much information as possible about a domain.

DNSMap

Posted in Information Gathering, DNS, Hacking Tools

Linux *BSD OS X Windows Command-line interface Source code

DNSMap was originally released back in 2006 and was inspired by the fictional story "The Thief No One Saw" by Paul Craig, which can be found in the book "Stealing the Network - How to 0wn the Box". DNSMap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company's IP netblocks, domain names, phone numbers, etc.

DNSTracer

Posted in Information Gathering, DNS, Hacking Tools

Linux *BSD OS X Windows Command-line interface Source code

DNSTracer is a program that determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data. DNSTracer traces a chain of DNS servers to the source. It sends the specified name server a non-recursive request for the name. Non-recursive means: if the name server knows it, it will return the data requested. If the name server doesn't know it, it will return pointers to name servers that are authoritative for the domain part of the name, or it will return the addresses of the root name servers. If the name server returns an authoritative answer for the name, the next server is queried. If it returns a non-authoritative answer for the name, the name servers in the authority records will be queried.

DNSWalk

Posted in Information Gathering, DNS, Hacking Tools

Linux *BSD OS X Windows Command-line interface Source code

DNSWalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy. DNSWalk used to require 'dig' (part of the BIND distribution). However, different versions of dig gave output which was ever so slightly different, causing dnswalk to break. (This is usually easy to fix, even in a backward-compatible fashion, but it was annoying nonetheless.) Also, using an external program made error checking more difficult and not very reliable. Since error checking is the heart of what dnswalk is about, this wasn't good. I finally got off my duff and ported dnswalk to Michael Fuhr's Net::DNS package, something I've been wanting to do for a while. (Actually, another reason I waited so long was that the Net::DNS package wasn't complete enough initially for a complete port.)

Metagoofil

Posted in Information Gathering, Archive, Hacking Tools

Linux *BSD OS X Windows Command-line interface Source code

Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim websites. It will generate an HTML page with the results of the extracted metadata, plus a list of potential usernames, which is very useful for preparing a brute-force attack on open services like FTP, POP3, web applications, VPN, etc. It will also extract a list of paths disclosed in the metadata; from this information you can infer the OS, network names, shared resources, etc. This new version extracts MAC addresses from Microsoft Office documents. None of this information should be available on the net, but most companies don't have policies about information leakage, and most of them don't know this information exists. So you can show them what information an attacker can obtain with this simple technique.

SEAT (Search Engine Assessment Tool)

Posted in Information Gathering, Archive, Search Engine, Hacking Tools

Linux *BSD OS X Windows GUI Interface Source code

SEAT (Search Engine Assessment Tool) is the next generation information digging application geared toward the needs of security professionals. SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan a site for potential vulnerabilities. Its multi-threaded, multi-database, and multi-search-engine capabilities permit easy navigation through vast amounts of information with the goal of system security assessment. Furthermore, SEAT's ability to easily process additional search engine signatures as well as custom-made vulnerability databases allows security professionals to adapt SEAT to their specific needs.