
Enumerating DNS with dnsmap

dnsmap is a fantastic tool for finding subdomains within the domain you are looking at. It's a great way to see whether other sites are publicly available (internally and/or externally) that may or may not be known. This allows you to potentially find and exploit a subdomain that may not be controlled or administered correctly. You can provide your own word list to look up against the subdomains, or you can use the built-in one. Some organizations offload some subdomains to third parties, so you need to be cautious about how you use this information. The scope of work may only cover the company you are hired for; therefore, you may not be looked upon so kindly by the other organization if you are trying to actively exploit it. This should be worked out in the stakeholders meeting, but sometimes things do slip through the cracks. The following is a screenshot of the command-line options for dnsmap:

We can then take a domain that we are looking at, in this case https://www.mozilla.org, and see which other subdomains may exist. The following screenshot shows the output of the dnsmap command against Mozilla.org:

With this information, we can now start to probe additional IP addresses/sites that we might not have known about in the past, which can increase the attack/penetration-testing surface that we can work against. The more targets there are, the better the chance we have of getting in and being able to include that in the penetration report that we will deliver.
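Because some of the discovered subdomains may be hosted by third parties, each result should be checked against the agreed scope before any further work. The following is an added example, not code from the book or from dnsmap: it parses output in the layout dnsmap prints and flags every host that resolves outside the authorized ranges. The sample output, the `example.com` names, the documentation-range addresses and the `IN_SCOPE` list are all constructed assumptions.

```python
import ipaddress

# Constructed sample in the layout dnsmap prints: a hostname line followed by
# one or more "IP address #N:" lines. All names and addresses are made up.
SAMPLE_OUTPUT = """\
[+] searching (sub)domains for example.com using built-in wordlist

www.example.com
IP address #1: 192.0.2.10

mail.example.com
IP address #1: 192.0.2.25
IP address #2: 198.51.100.7

shop.example.com
IP address #1: 203.0.113.50
"""

# Hypothetical scope agreed in the stakeholders meeting (assumption).
IN_SCOPE = [ipaddress.ip_network("192.0.2.0/24")]

def parse_dnsmap(text):
    """Return {hostname: [ip_address, ...]} from dnsmap-style output."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[+]"):
            continue  # skip blank lines and status messages
        if line.startswith(("IP address #", "IPv6 address #")):
            if current:
                addr = line.split(":", 1)[1].strip()
                hosts[current].append(ipaddress.ip_address(addr))
        else:
            current = line  # any other line starts a new host record
            hosts[current] = []
    return hosts

def classify(hosts, scope):
    """A host is in scope only if every address it resolves to is in scope."""
    labels = {}
    for name, addrs in hosts.items():
        ok = bool(addrs) and all(any(a in net for net in scope) for a in addrs)
        labels[name] = "in-scope" if ok else "needs-authorization"
    return labels

if __name__ == "__main__":
    for name, label in classify(parse_dnsmap(SAMPLE_OUTPUT), IN_SCOPE).items():
        print(f"{label:20} {name}")
```

A host with even one address outside the agreed ranges is held back, since part of it may sit on infrastructure owned by another organization.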
