Old timers here will know the concept of brute-forcing DNS using whatever clues are available:
i.e. zone transfers are disabled, but you see that the NS and MX servers are called gandalf.company.com and elrond.company.com. Trying frodo.company.com is then going to make good sense.
To this end BidiBlah does this automagically for you and tries to eke out what info it can (a little while back I saw fierce-scanner pop up in a similar vein!)
Young Mr Wilkinson ran up against a company last night with transfers disabled, but the two DNS servers showed up as:
- asimov.company.com
- heinlein.company.com
We can then simply (quick and dirty) pipe a list of sci-fi authors through awk to brute-force surname.company.com, letting `host` do the lookups and dropping the "not found" lines:
wh00t:customer haroon$ awk '{system("host " $NF ".company.com")}' scifi.txt | grep -v "not found"
Heinlein.company.com has address 10.10.10.10
Asimov.company.com has address 10.10.10.9
Bischoff.company.com has address 10.10.10.8
Bloch.company.com has address 10.10.10.7
Bujold.company.com has address 10.10.10.6 ...
{results clearly faked for effect!}
The joy is that two minutes later we found mustang.another-company.com and could use the exact same trick with a list of horse breeds:
wh00t:customer haroon$ awk '{system("host " $1 ".another-company.com")}' horses.txt | grep -v "not found"
mustang.another-company.com has address 10.10.10.10
holstein.another-company.com has address 10.10.10.9
Nothing major, but useful when you're desperately searching for new hosts to hax0r.
/mh
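The same trick as the awk one-liner, written out in Python as an added example (not part of the original post): try every word of a themed list under the target domain, and add the check a practitioner wants before trusting the hits, a wildcard probe. If a couple of random labels under the zone resolve, the zone has a wildcard record and every name in the list will "hit"; those answers are noise until you discount the wildcard address. The resolver is pluggable so the code can be exercised offline; the domains, wordlist, stub table and addresses below are all constructed for illustration and are not from the post.

```python
"""Themed DNS brute-forcing with a wildcard check (added example, assumptions labelled)."""
import random
import socket
import string

# Constructed wordlist standing in for the post's scifi.txt (assumption).
SCIFI_AUTHORS = ["Asimov", "Heinlein", "Bischoff", "Bloch", "Bujold", "Clarke", "Herbert"]


def default_resolve(hostname):
    """Look up an A record with the system resolver; None if the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def detect_wildcard(domain, resolve=default_resolve, probes=2):
    """Resolve a few random labels under the domain. If they answer, the zone has a
    wildcard record and every brute-forced name will 'hit'; return the addresses the
    junk names map to so the caller can discount them. Empty set means no wildcard."""
    addrs = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
        addr = resolve(f"{label}.{domain}")
        if addr is not None:
            addrs.add(addr)
    return addrs


def brute_force(domain, words, resolve=default_resolve):
    """Try <word>.<domain> for each word of the themed list and return {fqdn: address}
    for the names that resolve to something other than the wildcard answer."""
    wildcard_addrs = detect_wildcard(domain, resolve)
    hits = {}
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):      # skip blank and comment lines
            continue
        fqdn = f"{word}.{domain}"
        addr = resolve(fqdn)
        if addr is None or addr in wildcard_addrs:
            continue
        hits[fqdn] = addr
    return hits


def make_stub_resolver(table, wildcard_domain=None, wildcard_addr=None):
    """Offline stand-in for default_resolve (constructed for demonstration): answers
    from a fixed table and, optionally, answers anything under wildcard_domain."""
    def resolve(name):
        if name in table:
            return table[name]
        if wildcard_domain and name.endswith("." + wildcard_domain):
            return wildcard_addr
        return None
    return resolve


# Constructed sample zone data; the addresses are private/documentation ranges.
SAMPLE_TABLE = {
    "asimov.company.example": "10.10.10.9",
    "heinlein.company.example": "10.10.10.10",
    "bloch.company.example": "10.10.10.7",
    "asimov.wild.example": "10.0.0.5",
}

if __name__ == "__main__":
    plain = make_stub_resolver(SAMPLE_TABLE)
    for fqdn, addr in brute_force("company.example", SCIFI_AUTHORS, plain).items():
        print(f"{fqdn} has address {addr}")
    # Wildcarded zone: every junk name resolves to 192.0.2.1, so only the host with
    # its own distinct record survives the filter.
    wild = make_stub_resolver(SAMPLE_TABLE, "wild.example", "192.0.2.1")
    print(brute_force("wild.example", SCIFI_AUTHORS, wild))
```

For real use, drop the stub and call `brute_force("company.com", open("scifi.txt"))`; the default resolver goes through `socket.gethostbyname`, so it honours whatever resolver the box is configured with. The wildcard filter is a heuristic: a real host that happens to share the wildcard's address is discarded along with the noise, so when a zone is wildcarded it is worth comparing full answer sets (CNAME targets, multiple A records) rather than a single address.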

Actually I used the wiki to get the "others in the list" easily..
An alternate approach would be to make use of google-sets (http://labs.google.com/sets) which was an idea johnny long was kicking around a while back..
/mh
ps.. I'm not much of a scifi reader, but _even_ I won't confuse asimov for a new-fangled abbreviation for oriental cinema.. :>
of how an anarchist community could actually operate, but without all those limitations of having to be set in the real world.
(I'll stop ranting now)