DNS, Enumeration

Enumerate DNS hostnames using nmap

nmap dns-brute script – Attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

Script Arguments:

dns-brute.threads
Number of threads to use (default 5).

dns-brute.srvlist
The filename of a list of SRV records to try. Defaults to “nselib/data/dns-srv-names”

dns-brute.hostlist
The filename of a list of host strings to try. Defaults to “nselib/data/vhosts-default.lst”

dns-brute.srv
Perform lookup for SRV records

dns-brute.domain
Domain name to brute force if no host is specified.

max-newtargets, newtargets

newtargets
If specified, lets NSE scripts add new targets.

max-newtargets
Sets the maximum number of new targets allowed. If set to 0 or less, there is no limit. The default value is 0.

Example Usage:

nmap --script dns-brute --script-args dns-brute.threads=10,dns-brute.domain=mydomain.com
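
What this kind of scan looks like from the resolver side, as an added detection example (not part of the original page or of nmap): it flags clients that request many distinct names under one zone in a short window with mostly NXDOMAIN answers. The log format, addresses, example.com zone and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "ISO-timestamp client qname qtype rcode" (assumed format).
T0 = datetime(2024, 5, 1, 10, 0, 0)
WORDS = ["www", "mail", "ftp", "dev", "test", "admin", "vpn", "ns1", "stage", "git"]
SAMPLE = [
    f"{(T0 + timedelta(milliseconds=100 * i)).isoformat()} 10.0.0.66 {w}.example.com A "
    f"{'NOERROR' if w in ('www', 'mail') else 'NXDOMAIN'}"
    for i, w in enumerate(WORDS)
]
# SRV guesses, as produced when dns-brute.srv is set.
SAMPLE += [
    f"{(T0 + timedelta(seconds=1, milliseconds=100 * i)).isoformat()} 10.0.0.66 {s}.example.com SRV NXDOMAIN"
    for i, s in enumerate(("_ldap._tcp", "_sip._udp"))
]
# An ordinary client repeating a few valid lookups.
SAMPLE += [
    f"{(T0 + timedelta(seconds=20 * i)).isoformat()} 10.0.0.7 {w}.example.com A NOERROR"
    for i, w in enumerate(("www", "mail", "www"))
]

def parse(line):
    """Split one log line into (timestamp, client, qname, qtype, rcode)."""
    ts, client, qname, qtype, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype, rcode

def detect_dns_brute(lines, zone, window=timedelta(seconds=10),
                     min_names=8, min_nx_ratio=0.5):
    """Return {client: (distinct_names, nxdomain_ratio)} for clients whose
    queries under `zone` look like wordlist guessing within one window."""
    suffix = "." + zone.lower()
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, _qtype, rcode = parse(line)
        if qname.endswith(suffix):
            per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            names = {q for _, q, _ in span}
            nx = sum(r == "NXDOMAIN" for _, _, r in span) / len(span)
            if len(names) >= min_names and nx >= min_nx_ratio \
                    and len(names) > flagged.get(client, (0, 0.0))[0]:
                flagged[client] = (len(names), round(nx, 2))
    return flagged
```

Zones with a wildcard record answer every guess with NOERROR, so for those the NXDOMAIN ratio is not a useful signal and the distinct-name count has to carry the rule alone.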