Old timers here will know about the concept of bruteforcing DNS using the clues available.
i.e. zone transfers are disabled, but you see that the NS and MX servers are called gandalf.company.com and elrond.company.com. Trying frodo.company.com is then going to make good sense.
To this end BidiBlah will do this automagically for you and tries to eke out info. (A little while back I saw fierce-scanner pop up in a similar vein!)
Young Mr Wilkinson ran up against a company last night with disabled transfers, but the 2 DNS servers showed up as:
- asimov.company.com
- heinlein.company.com
A quick trip to Wikipedia shows that both are American sci-fi authors. The awesome thing is that Wikipedia has a tail link that usually points to variations on your theme, i.e. in Asimov's case, we have:
We can then simply (quick and dirty) pipe this to awk to bruteforce surname.company.com:
wh00t:customer haroon$ cat scifi.txt | awk '{system("host " $NF ".company.com")}' | grep -v not
Heinlein.customer.com has address 10.10.10.10
Asimov.customer.com has address 10.10.10.9
Bischoff.customer.com has address 10.10.10.8
Bloch.customer.com has address 10.10.10.7
Bujold.customer.com has address 10.10.10.6
…
{results clearly faked for effect!}
The joy is that 2 minutes later we found mustang.another-customer.com and could use the exact same trick:
wh00t:customer haroon$ cat horses.txt | awk '{system("host " $1 ".another-company.com")}' | grep -v not
mustang.customer.com has address 10.10.10.10
holstein.customer.com has address 10.10.10.9
Nothing major, but useful when you're desperately searching for new hosts to hax0r.
/mh