#!/usr/bin/perl
#
# Released under GPL.  Copyright 2005, David Hoelzer, www.cyber-defense.org
#
# When I teach hacking classes, I often point out that there are lots of scanning
# techniques that can be used to map out a network, but that it's always best
# to start with the least noticeable methods first when red teaming.  For
# this reason, I recommend that people NOT try to dump a zone from a DNS
# server since that is sure to raise an IDS alarm if there is an IDS.  My
# preferred method is to simply grab the IP allocations from whois and
# then march right through the address space performing a reverse lookup.
# Especially if the organization does not have a split DNS, this can be
# extremely fruitful and even limit how much additional "noisy" recon
# is necessary.
#
# Please only use your powers for good!

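use strict;
use warnings;

# Command-line tool: two dotted-quad addresses on the command line, one
# "address -> name" line on STDOUT for every PTR record nslookup reports in
# the inclusive range.  The work is split into small subs so each step can be
# read and tested on its own; run() executes only when the file is run
# directly, not when it is loaded by another program.
run() unless caller;

# Entry point.  Reads the start and end address from @ARGV, prints the usage
# text and exits when either is missing, and dies on a malformed address or
# a start address that lies after the end address.
sub run {
    my ($start, $end) = @ARGV;
    if (!$start || !$end) {
        print "Usage:  dnsscan a.a.a.a b.b.b.b\n\na.a.a.a and b.b.b.b represent the starting and ending IP addresses to obtain information for.\n\n";
        exit;
    }
    print "Scanning from $start to $end\n";

    my $first = _ip_to_int($start);
    my $last  = _ip_to_int($end);
    if (!defined $first || !defined $last) {
        die("Addresses must be dotted quads of four octets in 0..255\n");
    }
    if ($first > $last) {
        die("Start address $start comes after end address $end\n");
    }

    # Walking the range as integers makes the end test exact, needs no
    # hand-rolled octet carries, and cannot run past the end address.
    # foreach over a range counts rather than building the whole list.
    for my $value ($first .. $last) {
        my $ip = _int_to_ip($value);
        print "$ip -> $_\n" for _lookup_names($ip);
    }
    return;
}

# Convert a dotted-quad address to its 32-bit integer value.  Returns undef
# (empty list in list context) unless the text is exactly four decimal octets
# in 0..255, so extra text or shell metacharacters in an argument are
# rejected before anything reaches nslookup.
sub _ip_to_int {
    my ($text) = @_;
    return if !defined $text;
    my @octets = $text =~ m{\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z};
    return if @octets != 4;
    for my $octet (@octets) {
        return if $octet > 255;
    }
    return ((($octets[0] * 256 + $octets[1]) * 256 + $octets[2]) * 256) + $octets[3];
}

# Convert a 32-bit integer back to dotted-quad text, most significant octet
# first.
sub _int_to_ip {
    my ($value) = @_;
    return join '.', map { ($value >> $_) & 0xFF } 24, 16, 8, 0;
}

# Run "nslookup -sil" for one address and return the names it reports: the
# text after "name = " on each such output line, newline removed.  Dies if
# nslookup cannot be started.  A non-zero exit from nslookup (for example
# when there is no PTR record) is not an error here, so close() is not
# checked.
sub _lookup_names {
    my ($ip) = @_;
    # List-form pipe open: the address is handed to nslookup as a single
    # argument without passing through a shell, so the command line cannot
    # be altered by the value even if validation were bypassed.
    open my $fh, '-|', 'nslookup', '-sil', $ip
        or die("Could not run nslookup!\n");
    my @names;
    while (my $line = <$fh>) {
        chomp $line;
        push @names, $1 if $line =~ m{.*name = (.*)};
    }
    close $fh;
    return @names;
}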


