I wrote about using dig to perform a DNS zone transfer earlier this year. A successful transfer returns the zone's complete list of hosts, which can then be targeted. In practice it serves mostly as a sanity check, because any DNS administrator worth their salt restricts zone transfers to authorized secondaries.
Another option is using Google. While not a complete listing, Google will return every host it has indexed, which covers the well-known public-facing ones. The only downside is that working through the results by hand takes time.
Well, not any more.
Tim Tomes (LaNMaSteR53) released a tool this month called GXFR. GXFR is a Python script that is available for download on Google Code. “The technique involves making search engine requests which restrict the url and site to the target domain. Then, based on the results of the search, exclude the sub-domains that are returned. Repeat until the search engine returns 0 results. The final search query excludes all of the public facing sub-domains that the search engine is aware of. Conduct a DNS look-up of each of the identified sub-domains, and you’ve got yourself a DNS zone transfer of all the sub-domains with public facing web servers.”
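To make the loop concrete, here is an added example of the exclude-and-repeat technique described above. It is my own illustration, not GXFR's code. The search engine is replaced by `fake_search`, a stub that understands only `site:` and `-site:` and serves a constructed list of URLs a few at a time, so the example runs offline; `SAMPLE_INDEX`, `CONSTRUCTED_DNS` and the page size are all made up. Swap in a real search request and `socket.gethostbyname` to use it for real.

```python
import socket
from urllib.parse import urlparse

# Constructed stand-in for what a search engine might return for
# site:example.com. Not real data.
SAMPLE_INDEX = [
    "https://www.example.com/about",
    "https://www.example.com/contact",
    "https://mail.example.com/owa/",
    "https://vpn.example.com/login",
    "http://dev.example.com/",
    "https://www.example.com/news/1",
    "https://notexample.com/",  # different registrable domain, must be ignored
]

# Constructed answers for the final look-up step (hypothetical addresses).
CONSTRUCTED_DNS = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",
    "vpn.example.com": "192.0.2.30",
    # dev.example.com deliberately has no record: stale index entry
}


def fake_search(query, index=SAMPLE_INDEX, page_size=3):
    """Stub for a search-engine request. Honours 'site:DOMAIN' and
    '-site:HOST' operators and returns at most page_size hits, which is
    enough to exercise the exclude-and-repeat loop."""
    site = None
    excluded = set()
    for tok in query.split():
        if tok.startswith("-site:"):
            excluded.add(tok[len("-site:"):].lower())
        elif tok.startswith("site:"):
            site = tok[len("site:"):].lower()
    hits = []
    for url in index:
        host = urlparse(url).hostname.lower()
        in_scope = host == site or host.endswith("." + site)
        if in_scope and host not in excluded:
            hits.append(url)
    return hits[:page_size]


def hosts_from_urls(urls):
    return {urlparse(u).hostname.lower() for u in urls}


def enumerate_subdomains(domain, search=fake_search, max_rounds=50):
    """GXFR-style loop: search site:domain, add a -site: exclusion for every
    hostname seen so far, repeat until the engine returns nothing.
    Returns (sorted hostnames, number of queries issued)."""
    found = set()
    rounds = 0
    while rounds < max_rounds:
        exclusions = " ".join(f"-site:{h}" for h in sorted(found))
        query = f"site:{domain} {exclusions}".strip()
        rounds += 1
        results = search(query)
        if not results:
            break
        new = hosts_from_urls(results) - found
        if not new:
            break  # engine ignored an exclusion; stop rather than loop forever
        found |= new
    return sorted(found), rounds


def resolve_all(hosts, resolver=socket.gethostbyname):
    """Final step: look up each discovered host. The resolver is injectable so
    the example can run offline with a constructed table."""
    out = {}
    for h in hosts:
        try:
            out[h] = resolver(h)
        except (OSError, KeyError):  # socket.gaierror is an OSError; dict lookup raises KeyError
            out[h] = None
    return out


if __name__ == "__main__":
    hosts, queries = enumerate_subdomains("example.com")
    print(f"{len(hosts)} hosts in {queries} queries")
    for host, addr in resolve_all(hosts, resolver=lambda h: CONSTRUCTED_DNS[h]).items():
        print(f"{host:20} {addr or 'NXDOMAIN'}")
```

Two caveats a practitioner should expect when pointing this at a real engine: Google has historically capped the number of terms in a query, so a long `-site:` exclusion list has to be split across several queries, and automated querying gets rate-limited or served a CAPTCHA fairly quickly, so pace the requests. Note also that a host the engine indexed may no longer resolve (the `dev` entry above), which is exactly why the DNS look-up step is part of the technique rather than an afterthought.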
Check it out on Tim’s site. Quite a nifty script.