Gary Jones

DNS Reconnaissance and Vulnerability Discovery


DNS Reconnaissance Report


Situation:

The project focused on performing DNS reconnaissance against the artstailor.com domain to identify subdomains, the IP address blocks associated with them, and potential vulnerabilities. The fierce domain scanner and dnsmap were used for subdomain enumeration, and CeWL was used to build custom wordlists for uncovering additional subdomains that the default lists missed.


Obstacles:

  1. Limited Default Wordlists: The default wordlists shipped with fierce and dnsmap missed some subdomains, so custom wordlists were required.
  2. Hidden IP Addresses: Some subdomains resolved to private (RFC 1918) IP addresses, which cannot be reached from outside the network and therefore complicated validation of the findings.
  3. Data Corroboration: Findings from different tools (fierce and dnsmap) had to be compared to confirm that they were consistent with each other.

Actions Taken:

  1. Used the fierce domain scanner to identify subdomains and IP address blocks using default settings and a wide traversal of IP ranges.
  2. Analyzed the source code of fierce to locate its default wordlist, default.txt, stored in /usr/lib/python3/dist-packages/fierce/lists/.
  3. Generated a custom wordlist with CeWL by scraping the artstailor.com website and used it with fierce to uncover additional subdomains.
  4. Cross-validated findings with the dnsmap domain scanner using both the default and custom wordlists.
  5. Noted hosts identified by their proximity to known IPs during wide traversals.

Results:

  1. Subdomains Identified:
    • Using fierce with the default wordlist: mail.artstailor.com, ns.artstailor.com, pdc.artstailor.com, pop.artstailor.com, and books.artstailor.com.
    • Using fierce with the custom wordlist: costumes.artstailor.com, linuxserver.artstailor.com, and KEY005-TrvlNmWThZ4Aj2EDyYQx1A.artstailor.com.
    • Using wide traversal: ceo.artstailor.com and devbox.artstailor.com.
    • Using dnsmap: Subdomains like www.artstailor.com and costumes.artstailor.com.
  2. IP Address Blocks:
    • Public: 217.70.184.3, 217.70.184.38.
    • Private: 10.70.184.39, 10.70.184.40, 10.70.184.90, 10.70.184.91, etc.
  3. Key Found: KEY005-TrvlNmWThZ4Aj2EDyYQx1A==.
  4. Vulnerability: Subdomains that resolve to private IP addresses (e.g., ceo.artstailor.com and devbox.artstailor.com) were discoverable through public DNS, disclosing internal hostnames and addressing and potentially exposing internal resources.
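The two analysis steps behind these results, corroborating the output of fierce and dnsmap (obstacle 3) and flagging public names that point at internal address space (the vulnerability above), are easy to automate once each tool's output has been reduced to hostname-to-IP pairs. The script below is an added example written for this write-up, not code from the original report or from the fierce, dnsmap or CeWL projects. The FIERCE and DNSMAP dictionaries are constructed sample data modelled on the findings listed above; the disagreement on books.artstailor.com is invented to show how an IP conflict between tools is surfaced for manual re-checking.

```python
"""Corroborate subdomain findings from several tools and flag public DNS
names that resolve to internal address space.

Example written for this report; the sample findings below are constructed
(modelled on the results above, with one deliberate conflict on
books.artstailor.com) and are not real tool output.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample: hostname -> IP as reported by each tool.
FIERCE: Dict[str, str] = {
    "mail.artstailor.com": "217.70.184.3",
    "ns.artstailor.com": "217.70.184.38",
    "costumes.artstailor.com": "217.70.184.38",
    "books.artstailor.com": "217.70.184.3",
    "ceo.artstailor.com": "10.70.184.90",
    "devbox.artstailor.com": "10.70.184.91",
}
DNSMAP: Dict[str, str] = {
    "www.artstailor.com": "217.70.184.3",
    "costumes.artstailor.com": "217.70.184.38",
    "books.artstailor.com": "217.70.184.38",   # constructed conflict with fierce
    "ceo.artstailor.com": "10.70.184.90",
}


def normalise(host: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot as well."""
    return host.strip().lower().rstrip(".")


def merge_findings(*results: Dict[str, str]) -> Dict[str, Set[str]]:
    """Union of all tool results: hostname -> every IP any tool reported."""
    merged: Dict[str, Set[str]] = {}
    for res in results:
        for host, ip in res.items():
            merged.setdefault(normalise(host), set()).add(ip)
    return merged


def corroborated(*results: Dict[str, str]) -> Set[str]:
    """Hostnames reported by at least two independent tools."""
    counts: Dict[str, int] = {}
    for res in results:
        for host in {normalise(h) for h in res}:
            counts[host] = counts.get(host, 0) + 1
    return {h for h, n in counts.items() if n >= 2}


def conflicting(merged: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Hostnames where the tools disagreed on the IP (re-check by hand)."""
    return {h: ips for h, ips in merged.items() if len(ips) > 1}


def is_internal(ip: str) -> bool:
    """True for RFC 1918/ULA, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def private_exposures(merged: Dict[str, Set[str]]) -> List[str]:
    """Publicly resolvable names that leak internal addressing."""
    return sorted(h for h, ips in merged.items()
                  if any(is_internal(ip) for ip in ips))


def report(*results: Dict[str, str]) -> dict:
    """Combine the checks above into one summary for the write-up."""
    merged = merge_findings(*results)
    return {
        "hosts": sorted(merged),
        "corroborated": sorted(corroborated(*results)),
        "conflicts": conflicting(merged),
        "internal_leaks": private_exposures(merged),
    }


if __name__ == "__main__":
    for key, value in report(FIERCE, DNSMAP).items():
        print(f"{key}: {value}")
```

A name that appears in only one tool's output is not wrong, but it is the first thing to confirm with a direct DNS query; a name in the internal_leaks list is the finding the remediation section should address, since the private records can be moved to an internal-only view of the zone without affecting public services.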

Tool Purpose Overview

fierce:

  • Identifies subdomains using DNS reconnaissance with wordlists or IP traversals. Useful for mapping domain infrastructure.

dnsmap:

  • Performs subdomain discovery via DNS mapping, using default or custom wordlists for more tailored results.

CeWL:

  • Generates custom wordlists by scraping a target website for unique keywords, improving subdomain discovery.

Custom Wordlists:

  • Enhanced subdomain identification by supplementing default lists with context-specific keywords.

Source Code Analysis:

  • Located fierce's default wordlist (default.txt), facilitating comparison and tailored scanning.
