LabEx
Log InJoin Free

Show IP Addresses in DNS Scan Results in Gobuster

Beginner
Practice Now

Introduction

Gobuster is a powerful tool used for brute-forcing URIs (directories and files), DNS subdomains, Amazon S3 buckets, and more. In the context of cybersecurity and penetration testing, discovering subdomains is a critical step in the reconnaissance phase. Knowing the IP addresses associated with these subdomains can provide valuable insights into an organization's network infrastructure, helping to identify potential attack vectors or misconfigurations.

This lab will guide you through using Gobuster to perform DNS subdomain enumeration. Specifically, you will learn how to leverage a particular flag to display the IP addresses alongside the discovered subdomains, enhancing your ability to map out target infrastructure effectively.

Run a Basic gobuster dns Scan

In this step, you will perform a basic DNS subdomain scan using Gobuster. This will demonstrate the default output of a DNS scan, which typically lists only the discovered subdomains without their corresponding IP addresses. We will use example.com as our target domain and a common wordlist for subdomains.

First, ensure Gobuster is installed. If not, you can install it using sudo apt install gobuster.

Now, execute the following command in your terminal:

gobuster dns -d example.com -w /usr/share/wordlists/dirb/common.txt -q
  • gobuster dns: Specifies that we want to perform a DNS subdomain scan.
  • -d example.com: Sets example.com as the target domain.
  • -w /usr/share/wordlists/dirb/common.txt: Specifies the wordlist to use for brute-forcing subdomains. This is a common wordlist available on many Linux distributions.
  • -q: Suppresses the banner and progress output, showing only the results.

You will see a list of subdomains found for example.com. Notice that only the subdomain names are displayed.

Found: www.example.com
Found: mail.example.com
Found: ftp.example.com
Found: blog.example.com
Found: dev.example.com

Rerun the Scan with the -i Flag

In this step, you will rerun the Gobuster DNS scan, but this time you will include the -i flag. The -i flag instructs Gobuster to display the IP addresses associated with each discovered subdomain. This is crucial for gaining a more complete picture of the target's infrastructure.

Execute the following command in your terminal:

gobuster dns -d example.com -w /usr/share/wordlists/dirb/common.txt -i -q

The only difference from the previous command is the addition of the -i flag.

Observe the output carefully. You should now see the IP addresses listed next to each discovered subdomain.

Found: www.example.com (93.184.216.34)
Found: mail.example.com (93.184.216.34)
Found: ftp.example.com (93.184.216.34)
Found: blog.example.com (93.184.216.34)
Found: dev.example.com (93.184.216.34)

The IP addresses shown here are for example.com, which typically points to a single IP for all its subdomains for demonstration purposes. In a real-world scenario, you might see different IP addresses for different subdomains, indicating different servers or services.

Compare the Output with and without the -i Flag

In this step, you will visually compare the output from the two previous Gobuster commands. This comparison will highlight the significant difference the -i flag makes in the reconnaissance process.

Recall the output from Step 1 (without -i):

Found: www.example.com
Found: mail.example.com
Found: ftp.example.com
Found: blog.example.com
Found: dev.example.com

And the output from Step 2 (with -i):

Found: www.example.com (93.184.216.34)
Found: mail.example.com (93.184.216.34)
Found: ftp.example.com (93.184.216.34)
Found: blog.example.com (93.184.216.34)
Found: dev.example.com (93.184.216.34)

The key difference is the presence of (IP_ADDRESS) next to each subdomain when the -i flag is used. This additional information is crucial for understanding the underlying infrastructure. Without the IP addresses, you only know the names of the subdomains. With them, you know where those subdomains resolve, which can point to specific servers, cloud services, or different parts of a network.

This comparison demonstrates how a simple flag can significantly enhance the utility of your reconnaissance efforts.

Identify the IP Addresses Associated with Each Subdomain

In this step, you will specifically identify and note down the IP addresses associated with the subdomains discovered in the previous step. While example.com might show the same IP for all subdomains, in a real-world scenario, this step would involve identifying potentially distinct IP addresses.

From the output of the command in Step 2:

Found: www.example.com (93.184.216.34)
Found: mail.example.com (93.184.216.34)
Found: ftp.example.com (93.184.216.34)
Found: blog.example.com (93.184.216.34)
Found: dev.example.com (93.184.216.34)

You can see that for example.com, all listed subdomains resolve to the IP address 93.184.216.34.

In a real reconnaissance scenario, if you were to scan a different domain, you might find:

  • sub1.target.com resolving to 192.168.1.10
  • sub2.target.com resolving to 192.168.1.11
  • cdn.target.com resolving to 203.0.113.50 (a CDN IP)
  • admin.target.com resolving to 10.0.0.5 (an internal IP, if exposed)

Identifying these distinct IPs helps in:

  • Server Fingerprinting: Different IPs might indicate different servers, operating systems, or web server software.
  • Cloud Service Identification: IPs belonging to known cloud providers (AWS, Azure, GCP) can reveal the use of specific cloud services.
  • Network Segmentation: Different IP ranges might suggest different network segments or departments within an organization.

This step emphasizes the importance of not just finding subdomains, but also understanding their network location.

Understand How This Helps in Infrastructure Mapping

In this final step, you will understand the broader implications of displaying IP addresses in DNS scan results, particularly how it aids in infrastructure mapping during reconnaissance.

Infrastructure mapping is the process of creating a detailed diagram or understanding of a target's network and systems. When you combine subdomain enumeration with IP address resolution, you gain several advantages:

  1. Identifying Hosting Providers: Different IP ranges often belong to different hosting providers (e.g., AWS, Google Cloud, DigitalOcean). Knowing this can help you understand where different parts of an organization's infrastructure are hosted.
  2. Discovering Hidden Services: Sometimes, subdomains might point to internal or less-known services that are not directly linked from the main website. Resolving their IPs can reveal if they are on the same server, a different server, or even a different network segment.
  3. Pinpointing Attack Surfaces: If multiple subdomains resolve to the same IP, it might indicate a single server hosting multiple services, potentially consolidating attack vectors. Conversely, distinct IPs suggest distributed services, each with its own potential vulnerabilities.
  4. Bypassing WAFs/CDNs: If a main domain is behind a Web Application Firewall (WAF) or Content Delivery Network (CDN), finding subdomains that resolve to the origin IP (the actual server IP) can allow you to bypass the WAF/CDN and directly interact with the server.
  5. Network Segmentation Analysis: Different IP address blocks can indicate different departments, geographical locations, or network segments within an organization. This helps in understanding the target's internal network structure.

By using the -i flag with Gobuster, you transform a simple subdomain list into a valuable piece of infrastructure intelligence, significantly enhancing your reconnaissance capabilities. This information is critical for planning subsequent penetration testing steps, such as port scanning, vulnerability analysis, and targeted attacks.

Summary

In this lab, you learned how to effectively use Gobuster for DNS subdomain enumeration and, more importantly, how to display the associated IP addresses for each discovered subdomain. You started by performing a basic Gobuster DNS scan, observed its default output, and then reran the scan with the -i flag to include IP addresses. Through comparison, you understood the critical difference this flag makes. Finally, you explored how identifying these IP addresses is fundamental for comprehensive infrastructure mapping and reconnaissance in cybersecurity. This skill is invaluable for gaining deeper insights into a target's network landscape and identifying potential attack surfaces.