Our Blog

Horses and DNS BruteForcing..

Reading time ~1 min

Old timers here will know about the concept of bruteforcing DNS using the clues available..

i.e. zone transfers disabled, but u see that the NS and MX servers are called gandalf.company.com and elrond.company.com. Effectively trying frodo.company.com is going to make good sense..

To this end BidiBlah will do this automagically for u and tries to eek out info.. (a little while back i saw fierce-scanner pop up in a similar vein!)

Young Mr Wilkinson ran up against a company last night with disabled transfers, but the 2 DNS servers showed up as:

  • asimov.company.com
  • heinlein.company.com

A quick trip to wikipedia shows that both are american sci-fi authors. The awesome thing is that wikipedia has a tail link that usually links to  variations on your theme. i.e. in asimovs case, we have:

So.. a quick copy and paste (or wget) leaves u with a usable scifi.txt file.

We can then simply (quick and dirty) pipe this to awk to bruteforce surname.company.com:

wh00t:customer haroon$ cat scifi.txt |awk ‘{system(“host”$NF”.company.com”)}’ |grep -v not

Heinlein.customer.com has address

Asimov.customer.com has address

Bischoff.customer.com has address

Bloch.customer.com has address

Bujold.customer.com has address

{results clearly faked for effect!}

The joy is that 2 minutes later we found mustang.another-customer.com and  could use the exact same trick:

wh00t:customer haroon$ cat horses.txt |awk ‘{system(“host”$1″.another-company.com”)}’ |grep -v not

mustang.customer.com has address

holstein.customer.com has address

Nothing major, but useful when u desperately searching for new hosts to hax0r.