Web Site Discovery with SensePost SP-DNS-mine.pl
Today I needed to discover Web sites for a client. I'll demonstrate part of my methodology here, using sun.com as a sample domain. I relied on a technique outlined in Johnny Long's Google Hacking for Penetration Testers. He mentions a SensePost tool called SP-DNS-mine.pl. The script uses Google to extract sub domains and DNS names for a given domain. You have to register with SensePost to retrieve SP-DNS-mine.pl; they email a username and password once you register.
The first requirement is having a license key for the Google API. You put your key into SP-DNS-mine.pl, thus:
#$key = "----YOUR GOOGLE API KEY HERE----";
Since I am running the script on FreeBSD, I realized I needed the net/p5-SOAP-Lite package. I added the latest version from the STABLE package collection.
Finally I needed the file http://api.google.com/GoogleSearch.wsdl.
orr:/home/richard$ fetch http://api.google.com/GoogleSearch.wsdl
fetch: http://api.google.com/GoogleSearch.wsdl: size of remote file is not known
GoogleSearch.wsdl 7496 B 145 kBps
Now I'm ready to find sun.com Web sites.
orr:/home/richard$ perl ./SP-DNS-mine.pl sun.com
Adding word [site]
0 1 0 1
Adding word [web]
0 1 0 1
Adding word [document]
0 1 0 1
Adding word [sun.com]
0 1 0 1
---------------
DNS names:
---------------
developers.sun.com
au.sunsolve.sun.com
docs.sun.com
forum.java.sun.com
www.yumasun.com
www.gainesvillesun.com
www.mohegansun.com
www.windsun.com
playground.sun.com
www.thedesertsun.com
access1.sun.com
www.baltimoresun.com
research.sun.com
blogs.sun.com
java.sun.com
sunsolve.sun.com
www.sbsun.com
javashoplm.sun.com
www.ottawasun.com
www.tiberiumsun.com
bugs.sun.com
---------------
Sub domains:
---------------
s.sun.com
baltimor.sun.com
yum.sun.com
win.sun.com
gainesvill.sun.com
java.sun.com
sunsolve.sun.com
mohega.sun.com
ottaw.sun.com
tiberiu.sun.com
thedeser.sun.com
That's it. You'll notice I found domains that end in sun.com but are not part of sun.com, like www.gainesvillesun.com. Still, this is a powerful way to use Google to identify Web servers.
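The lookalike hits above (www.gainesvillesun.com, www.baltimoresun.com) are the usual reason to post-process this kind of output before anything is treated as in scope. The following Python is an added example, not part of the original post or of SP-DNS-mine.pl: it parses the "DNS names:" section of the tool's output (a constructed, trimmed copy of the run above) and keeps only names that sit below the target apex at a label boundary, so a name that merely ends in the string "sun.com" is set aside.

```python
# Constructed sample: the "DNS names:" section in the format SP-DNS-mine.pl
# prints it, trimmed to a few of the entries shown in the post.
SAMPLE_OUTPUT = """\
---------------
DNS names:
---------------
developers.sun.com
www.gainesvillesun.com
docs.sun.com
www.baltimoresun.com
sun.com
---------------
Sub domains:
---------------
baltimor.sun.com
java.sun.com
"""

def parse_dns_names(output):
    """Return the host names listed under the 'DNS names:' header, lower-cased."""
    names = []
    in_section = False
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(":"):            # a section header such as 'DNS names:'
            in_section = line == "DNS names:"
            continue
        if not in_section or not line or line.startswith("-"):
            continue                      # separator rows and other sections
        names.append(line.lower().rstrip("."))
    return names

def in_scope(name, apex):
    """True only if name equals apex or sits below it at a label boundary.
    'www.gainesvillesun.com' ends with 'sun.com' but fails this test."""
    name, apex = name.lower().rstrip("."), apex.lower().rstrip(".")
    return name == apex or name.endswith("." + apex)

def split_by_scope(names, apex):
    """Partition names into (in-scope hosts, lookalike domains)."""
    keep = [n for n in names if in_scope(n, apex)]
    drop = [n for n in names if not in_scope(n, apex)]
    return keep, drop

if __name__ == "__main__":
    keep, drop = split_by_scope(parse_dns_names(SAMPLE_OUTPUT), "sun.com")
    print("in scope:  ", keep)
    print("lookalikes:", drop)
```

The same label-boundary check applies to the "Sub domains:" section, where the script's truncated labels (baltimor.sun.com, gainesvill.sun.com) are artifacts of those lookalike hits rather than real hosts.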
Comments
http://searchdns.netcraft.com/?restriction=site+contains&host=*.sun.com&lookup=wait..&position=limited
I've noticed the link to http://api.google.com/GoogleSearch.wsdl no longer works, but I found the file at http://www.ebout.net/net/GoogleSearch.wsdl.
GoogleSearch.wsdl can still be downloaded from http://api.google.com/
If you have installed AURA (also from SensePost), then the issue may be that you have modified the hosts file to point api.google.com to localhost.