Monday, January 23, 2006

Web Site Discovery with SensePost SP-DNS-mine.pl

Today I needed to discover Web sites for a client. I'll demonstrate part of my methodology here, using sun.com as a sample domain. I relied on a technique outlined in Johnny Long's Google Hacking for Penetration Testers. He mentions a SensePost tool called SP-DNS-mine.pl. The script uses Google search results to extract subdomains and DNS names for a given domain. You have to register with SensePost to retrieve SP-DNS-mine.pl; they email a username and password once you register.

The first requirement is having a license key for the Google API. You put your key into SP-DNS-mine.pl, thus:

#$key = "----YOUR GOOGLE API KEY HERE----";

Since I am running the script on FreeBSD, I realized I needed the net/p5-SOAP-Lite package. I added the latest version from the STABLE package collection.

Finally I needed the file http://api.google.com/GoogleSearch.wsdl.

orr:/home/richard$ fetch http://api.google.com/GoogleSearch.wsdl
fetch: http://api.google.com/GoogleSearch.wsdl: size of remote file is not known
GoogleSearch.wsdl 7496 B 145 kBps

Now I'm ready to find sun.com Web sites.

orr:/home/richard$ perl ./SP-DNS-mine.pl sun.com

Adding word [site]
0 1 0 1
Adding word [web]
0 1 0 1
Adding word [document]
0 1 0 1
Adding word [sun.com]
0 1 0 1
---------------
DNS names:
---------------
developers.sun.com
au.sunsolve.sun.com
docs.sun.com
forum.java.sun.com
www.yumasun.com
www.gainesvillesun.com
www.mohegansun.com
www.windsun.com
playground.sun.com
www.thedesertsun.com
access1.sun.com
www.baltimoresun.com
research.sun.com
blogs.sun.com
java.sun.com
sunsolve.sun.com
www.sbsun.com
javashoplm.sun.com
www.ottawasun.com
www.tiberiumsun.com
bugs.sun.com

---------------
Sub domains:
---------------
s.sun.com
baltimor.sun.com
yum.sun.com
win.sun.com
gainesvill.sun.com
java.sun.com
sunsolve.sun.com
mohega.sun.com
ottaw.sun.com
tiberiu.sun.com
thedeser.sun.com

That's it. You'll notice I found domains that end in the string sun.com but are not part of sun.com, like www.gainesvillesun.com. The "Sub domains" list shows the same effect: entries such as baltimor.sun.com and gainesvill.sun.com come from the script splitting those unrelated hostnames at "sun.com", so the results need a sanity check before they are treated as the client's assets. Still, this is a powerful way to use Google to identify Web servers.
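To separate genuine sun.com hosts from look-alikes such as www.gainesvillesun.com, a label-aligned check like the following can be run over the harvested names. This is an added example, not the SensePost script; the result URLs are constructed to mirror the output above.

```python
"""Extract hostnames from search-result URLs and keep only those that truly
belong to a target domain, setting aside look-alikes such as gainesvillesun.com.
Added example; not SP-DNS-mine.pl. The input URLs below are constructed."""
from urllib.parse import urlparse

# Constructed sample of result URLs, modelled on the script output shown above.
SAMPLE_URLS = [
    "http://developers.sun.com/",
    "http://docs.sun.com/app/docs",
    "http://forum.java.sun.com/thread.jspa?threadID=1",
    "http://www.gainesvillesun.com/news",
    "http://www.baltimoresun.com/",
    "https://sunsolve.sun.com/search",
    "http://java.sun.com/j2se/",
    "http://sun.com/",
]

def hostnames(urls):
    """Return the distinct, lower-cased hostnames found in the URLs, in order."""
    seen = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host and host not in seen:
            seen.append(host)
    return seen

def in_domain(host, domain):
    """True only if host is the domain itself or a label-aligned subdomain.
    A plain endswith('sun.com') test would also accept gainesvillesun.com."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def classify(urls, domain):
    """Split harvested hostnames into in-scope DNS names and look-alikes, and
    derive the immediate subdomains (the label directly under the domain)."""
    names = hostnames(urls)
    in_scope = [h for h in names if in_domain(h, domain)]
    lookalikes = [h for h in names if not in_domain(h, domain)]
    subs = []
    for h in in_scope:
        if h != domain:
            label = h[: -len(domain) - 1].split(".")[-1]  # e.g. forum.java -> java
            sub = label + "." + domain
            if sub not in subs:
                subs.append(sub)
    return {"dns_names": in_scope, "lookalikes": lookalikes, "subdomains": subs}
```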

5 comments:

Anonymous said...

You can use Netcraft too.
http://searchdns.netcraft.com/?restriction=site+contains&host=*.sun.com&lookup=wait..&position=limited

Richard Bejtlich said...

Thank you -- that's a great tip!

Anonymous said...

Where does one get a Google API key from?

Richard Bejtlich said...

You have to apply for a key at http://www.google.com/apis/.

I've noticed the link to http://api.google.com/GoogleSearch.wsdl no longer works, but I found the file at http://www.ebout.net/net/GoogleSearch.wsdl.

cmlh said...

@Richard,

GoogleSearch.wsdl can still be downloaded from http://api.google.com/

If you have installed AURA (also from SensePost), then the issue may be you have modified the host file from api.google.com to localhost.