Nmap dns-brute NSE Script


This page contains detailed information about how to use the dns-brute NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.


Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/dns-brute.nse
Script categories: intrusive, discovery
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Script Description


The dns-brute.nse script attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

Wildcard records are listed as "*A" and "*AAAA" for IPv4 and IPv6 respectively.

Dns-brute NSE Script Arguments


This is a full list of arguments supported by the dns-brute.nse script:

dns-brute.domain

Domain name to brute force if no host is specified

dns-brute.hostlist

The filename of a list of host strings to try. Defaults to "nselib/data/vhosts-default.lst"

dns-brute.srv

Perform lookup for SRV records

dns-brute.srvlist

The filename of a list of SRV records to try. Defaults to "nselib/data/dns-srv-names"

dns-brute.threads

Number of threads to use (default 5).

max-newtargets

Sets the maximum number of new targets allowed. If set to 0 or less, there is no limit. The default value is 0.

newtargets

If specified, lets NSE scripts add new targets.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=dns-brute --script-args dns-brute.domain=value,dns-brute.hostlist=value <target>

Dns-brute NSE Script Example Usage


Here's an example of how to use the dns-brute.nse script:

nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80

nmap --script dns-brute www.foo.com

Dns-brute NSE Script Example Output


Here's a sample output from the dns-brute.nse script:

Pre-scan script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.foo.com - 127.0.0.1
|     mail.foo.com - 127.0.0.2
|     blog.foo.com - 127.0.1.3
|     ns1.foo.com - 127.0.0.4
|     admin.foo.com - 127.0.0.5
|_    *A: 127.0.0.123

Dns-brute NSE Script Example XML Output


Here's a sample XML output from the dns-brute.nse script produced by providing the -oX <file> Nmap option:

 <table key="DNS Brute-force hostnames">
   <table>
     <elem key="address">127.0.0.1</elem>
     <elem key="hostname">www.foo.com</elem>
   </table>
   <table>
     <elem key="address">127.0.0.2</elem>
     <elem key="hostname">mail.foo.com</elem>
   </table>
   <table>
     <elem key="address">127.0.1.3</elem>
     <elem key="hostname">blog.foo.com</elem>
   </table>
   <table>
     <elem key="address">127.0.0.4</elem>
     <elem key="hostname">ns1.foo.com</elem>
   </table>
   <table>
     <elem key="address">127.0.0.5</elem>
     <elem key="hostname">admin.foo.com</elem>
   </table>
   <elem key="*A">127.0.0.123</elem>
 </table>
 <table key="SRV results"></table>
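
The following Python is an added example, not code from the original page or from the Nmap project. It reads the XML structure shown above and separates names that only match the wildcard ("*A" / "*AAAA") address from names that resolve to a distinct host. The wrapping <script id="dns-brute"> element, the function names and the old.foo.com entry are assumptions or constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample: part of the page's XML fragment wrapped in the <script>
# element that -oX output puts around script results. old.foo.com is invented
# here to exercise the wildcard comparison.
SAMPLE = """<script id="dns-brute">
 <table key="DNS Brute-force hostnames">
   <table>
     <elem key="address">127.0.0.1</elem>
     <elem key="hostname">www.foo.com</elem>
   </table>
   <table>
     <elem key="address">127.0.0.123</elem>
     <elem key="hostname">old.foo.com</elem>
   </table>
   <elem key="*A">127.0.0.123</elem>
 </table>
 <table key="SRV results"></table>
</script>"""


def parse_dns_brute(xml_text):
    """Return (records, wildcards): [(hostname, address)], {"*A": {addr}}."""
    records, wildcards = [], {}
    # Parse only Nmap output you produced yourself; ElementTree is not
    # hardened against hostile XML.
    for script in ET.fromstring(xml_text).iter("script"):
        if script.get("id") != "dns-brute":
            continue
        for table in script.findall("table"):
            if table.get("key") != "DNS Brute-force hostnames":
                continue
            for child in table:
                key = child.get("key") or ""
                if child.tag == "elem" and key.startswith("*"):
                    # "*A" / "*AAAA": the zone answers for any label
                    wildcards.setdefault(key, set()).add((child.text or "").strip())
                elif child.tag == "table":
                    f = {e.get("key"): (e.text or "").strip() for e in child.findall("elem")}
                    if "hostname" in f and "address" in f:
                        records.append((f["hostname"], f["address"]))
    return records, wildcards


def split_wildcard_hits(records, wildcards):
    """Split records into (distinct hosts, names that only match a wildcard address)."""
    wild = set().union(*wildcards.values())
    return ([r for r in records if r[1] not in wild],
            [r for r in records if r[1] in wild])
```

Names in the second list need separate confirmation before they are treated as real hosts, since a wildcard record answers for any label.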

Author


  • Cirrus


Error Messages


The dns-brute.nse script may fail with the following error messages. The code snippets below, taken from the script source code, show where each message is raised and can often help in identifying the root cause of the problem. Both messages are written with stdnse.debug1, so they appear only when Nmap runs with debugging enabled (-d).

Cannot find hostlist file, quitting


Here is a relevant code snippet related to the "Cannot find hostlist file, quitting" error message:

      if not l:match("#!comment:") then
        table.insert(hostlist, l)
      end
    end
  else
    stdnse.debug1("Cannot find hostlist file, quitting")
    return
  end

  local threads, results, srvresults = {}, {}, {}
  for _, dtype in ipairs({"A", "AAAA"}) do

Cannot find srvlist file, skipping


Here is a relevant code snippet related to the "Cannot find srvlist file, skipping" error message:

        if ( not(done) ) then
          condvar("wait")
        end
      end
    else
      stdnse.debug1("Cannot find srvlist file, skipping")
    end
  end

  local response = stdnse.output_table()
  if(#results==0) then

Version


This page has been created based on Nmap version 7.92.
