White Oak Security’s experts created a tool to make performing deep attack surface analysis and identifying assets quicker – introducing DNSscope, a tool for automating DNS reconnaissance and attack surface identification.
The purpose of this tool is to make it faster and easier to go through the steps of performing deep attack surface analysis to identify assets that belong to a target. When mapping the external attack surface of a target, there are several excellent tools such as Amass (1) and Sublist3r (2) that include the ability to identify subdomains via reverse DNS, open-source intelligence, and subdomain brute-forcing (among other capabilities). However, the results from these tools often include additional top-level domains and other information that requires further analysis. The process for evaluating these results is a prime target for automation.
The basic process for DNS attack surface reconnaissance usually consists of the following steps (not necessarily in this order):
While Amass and Sublist3r are excellent at automating subdomain enumeration, the above process is often done manually. This makes it slow and difficult to complete thoroughly, especially for large companies with a complex attack surface.
DNSscope aims to automate this process, making it faster to identify domains and subdomains associated with a target, and organizing them based on IP ranges and top-level domains. This process can be simplified to a set of steps to be performed recursively for each IP address and identified domain (TLD or subdomain):
DNSscope requires a file with IP address ranges to be passed to it. It begins by importing those IP addresses and using them to determine what resources resolve to IP addresses within the file and are categorized as explicitly in scope. The tool can also optionally be passed a single top-level domain ( -d tld.com ) or a file with a list of top-level domains ( -D domainsfile.txt ). Each of the IP addresses and domains is then placed into their respective queues, and the above enumeration steps are performed.
For example, let’s pick a random company to run DNS enumeration on: Toyota. For Toyota, we do some initial research and find their main public external network to be 162.246.76.0/22, so we add those IPs to a file (DNSscope doesn’t support CIDR notation yet, so the tool “prips” can be used to expand the addresses):
prips 162.246.76.0/22 > toyota_prips
Then specify the file and a single domain with the ‘d’ flag to start. DNSscope will ingest the IP addresses and begin subdomain enumeration on the provided domain:
python3 dnsscope.py -i toyota_prips -d toyota.com
2022-03-14 14:39:00,627 INFO Starting DNSscope
2022-03-14 14:39:00,627 INFO Processing IPs from toyota_prips
2022-03-14 14:39:00,631 INFO Searching for subdomains of toyota.com. This may take a few seconds...
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: ccauto.toyota.com
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: perspective.test.toyota.com
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: losapp-cert.tfs.toyota.com
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: developer-qa.apic.toyota.com
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: dealerdailyddc-int-test-dev.toyota.com
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: oaddrmdreports.toyota.com
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: user63-86-140-78.toyota.com
2022-03-14 14:39:12,669 INFO (+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: ddcpsqa.1dd.toyota.com
. . .
When additional domains or IP addresses are discovered, they are also placed in the queue. When a new TLD is discovered, the default behavior of DNSscope is to prompt the user on whether they want to add it to the scope. If they choose yes, then the TLD is added to the “tentatively in scope” list, subdomain enumeration is performed on the new TLD, and all identified resources are added to the queue. The interactive prompt for new TLDs was chosen because it is often necessary to research whether the discovered TLD is owned by the target.
With the Toyota example, the buyatoyota.com TLD appears to belong to the organization, so we add it to the scope.
. . .
Processing domain: origin.staging-ws.oat.aws.toyota.com
Forward DNS lookup for origin.staging-ws.oat.aws.toyota.com
(-) fDNS lookup failed on: origin.staging-ws.oat.aws.toyota.com
Finished processing domain: origin.staging-ws.oat.aws.toyota.com
Processing IP: 162.246.76.244
(+) rDNS DISCOVERY! ddc-smtp07.toyota.com
Finished Processing IP: 162.246.76.244
Processing domain: staging.sandiego.aws.buyatoyota.com Newly discovered top-level domain: buyatoyota.com Add buyatoyota.com to scope? This will run additional subdomain enumeration (y/n)
(+) buyatoyota.com ADDED TO SCOPE!
Searching for subdomains of buyatoyota.com. This may take a few seconds...
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: stage.smartpath.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: nexus-test.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: staging.connecticut.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: westernwashington.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: staging.static.content.images.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: origin.www.cincinnati.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: staging.goldcoast.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: southernidaho.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: origin.staging.connecticut.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: origin.www.set.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: staging.tristate.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: www.upstateny.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: www.denver.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: origin.staging.centralatlantic.aws.buyatoyota.com
(+) SUBDOMAIN ENUM DISCOVERY: ADDING TO QUEUE: origin.staging.tristateeast.aws.buyatoyota.com
Additionally, the –tls flag can be specified to add TLS certificate enumeration. This can be incredibly useful for identifying additional assets, but takes longer to run and is not technically passive reconnaissance as it requests the TLS certificate for each in-scope asset. With Toyota, the –tls flag discovered several additional TLDs and subdomains that were not found using pure DNS enumeration without the –tls flag.
The default settings involve some compromises to achieve the best possible coverage, without diving too deeply down DNS rabbit-holes that have a low probability of finding valid targets. To attempt a more thorough enumeration, the ‘–tlsall’ flag was added. This performs TLS enumeration on ALL identified resources, not just those with TLDs or IP addresses in scope. This flag should be used with caution, as this can often snowball into a huge list of domain names and IP addresses that may not even be remotely associated with your target.
DNSscope outputs a file (default “./DNSscope_results.txt”) containing each IP address and its associated domains. It organizes the output into assets explicitly in scope, likely in scope, out of scope, and domains that did not resolve.
The tool also outputs a log file (default “./output.log”) that tracks each step of the recon process. The log is updated in real-time and can be useful for determining where a certain subdomain was identified and keeping track of the overall recon process.
The tool also outputs a log file (default “./output.log”) that tracks each step of the recon process. The log is updated in real time and can be useful for determining where a certain subdomain was identified and keeping track of the overall recon process.
I have personally found this DNSscope tool very useful for my external network penetration tests. It makes sure I achieve adequate DNS enumeration coverage and makes it easy to discern what is explicitly in scope and not. I plan on actively maintaining the tool and have several features I want to add in the future including the following:
Thanks for reading!