Web Site Discovery with SensePost SP-DNS-mine.pl

Today I needed to discover Web sites for a client. I'll demonstrate part of my methodology here, using sun.com as a sample domain. I relied on a technique outlined in Johnny Long's Google Hacking for Penetration Testers. He mentions a SensePost tool called SP-DNS-mine.pl. The script uses Google to extract sub domains and DNS names for a given domain. You have to register with SensePost to retrieve SP-DNS-mine.pl; they email a username and password once you register.

The first requirement is having a license key for the Google API. You put your key into SP-DNS-mine.pl, thus:

#$key = "----YOUR GOOGLE API KEY HERE----";

Since I am running the script on FreeBSD, I realized I needed the net/p5-SOAP-Lite package. I added the latest version from the STABLE package collection.

Finally I needed the file http://api.google.com/GoogleSearch.wsdl.

orr:/home/richard$ fetch http://api.google.com/GoogleSearch.wsdl
fetch: http://api.google.com/GoogleSearch.wsdl: size of remote file is not known
GoogleSearch.wsdl 7496 B 145 kBps

Now I'm ready to find sun.com Web sites.

orr:/home/richard$ perl ./SP-DNS-mine.pl sun.com

Adding word [site]
0 1 0 1
Adding word [web]
0 1 0 1
Adding word [document]
0 1 0 1
Adding word [sun.com]
0 1 0 1
---------------
DNS names:
---------------
developers.sun.com
au.sunsolve.sun.com
docs.sun.com
forum.java.sun.com
www.yumasun.com
www.gainesvillesun.com
www.mohegansun.com
www.windsun.com
playground.sun.com
www.thedesertsun.com
access1.sun.com
www.baltimoresun.com
research.sun.com
blogs.sun.com
java.sun.com
sunsolve.sun.com
www.sbsun.com
javashoplm.sun.com
www.ottawasun.com
www.tiberiumsun.com
bugs.sun.com

---------------
Sub domains:
---------------
s.sun.com
baltimor.sun.com
yum.sun.com
win.sun.com
gainesvill.sun.com
java.sun.com
sunsolve.sun.com
mohega.sun.com
ottaw.sun.com
tiberiu.sun.com
thedeser.sun.com

That's it. You'll notice I found domains that end in sun.com but are not part of sun.com, like www.gainesvillesun.com. Still, this is a powerful way to use Google to identify Web servers.

Comments

Anonymous said…
You can use Netcraft too.
http://searchdns.netcraft.com/?restriction=site+contains&host=*.sun.com&lookup=wait..&position=limited
Thank you -- that's a great tip!
Anonymous said…
where does one get a Google API key from ?
You have to apply for a key at http://www.google.com/apis/.

I've noticed the link to http://api.google.com/GoogleSearch.wsdl no longer works, but I found the file at http://www.ebout.net/net/GoogleSearch.wsdl.
cmlh said…
@Richard,

GoogleSearch.wsdl can still be downloaded from http://api.google.com/

If you have installed AURA (also from SensePost), then the issue may be you have modified the host file from api.google.com to localhost.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics