Monday, April 25, 2011


This is a very useful tool with a pretty good algorithm. In short, this is how it works:

Starting from our own DNS server, it moves on to the target domain's name server and continues querying that one directly. This way, private IP address ranges can also be detected if the target uses the same server to resolve both internal and external IPs. It then retrieves the SOA record and attempts a zone transfer (this is usually not successful). Next, it looks for subdomains based on a list, and you can specify your own. If it finds a name that resolves to an IP, it tries to resolve the surrounding IP addresses as well (the range is adjustable).
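
Seen from the name server's side, the steps described above (zone transfer attempt, list-based subdomain lookups, reverse lookups of neighbouring addresses) leave a recognisable pattern in the query log. The following is an added example, not part of the original post or of the tool: it flags that pattern in a constructed log. The `client qtype qname` layout, the function names and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample; the "client qtype qname" layout is an assumption.
SAMPLE_LOG = """\
203.0.113.7 AXFR example.test
203.0.113.7 A www.example.test
203.0.113.7 A mail.example.test
203.0.113.7 A vpn.example.test
203.0.113.7 A intranet.example.test
203.0.113.7 PTR 10.2.0.192.in-addr.arpa
203.0.113.7 PTR 11.2.0.192.in-addr.arpa
203.0.113.7 PTR 12.2.0.192.in-addr.arpa
198.51.100.20 A www.example.test
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)\.?$", re.M)

def ptr_to_int(qname):
    """in-addr.arpa name -> IPv4 address as an integer, or None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", qname)
    if not m or any(int(g) > 255 for g in m.groups()):
        return None
    return int.from_bytes(bytes(int(g) for g in reversed(m.groups())), "big")

def longest_run(addrs):
    """Longest run of consecutive integers in a set (neighbouring IPs)."""
    run = best = 0
    for a in sorted(addrs):
        run = run + 1 if a - 1 in addrs else 1
        best = max(best, run)
    return best

def detect(log_text, zone, min_names=4, min_ptr_run=3):
    """Map each client to the enumeration behaviours seen from it."""
    axfr, names, ptrs = set(), defaultdict(set), defaultdict(set)
    for client, qtype, qname in LINE_RE.findall(log_text.lower()):
        if qtype == "axfr" and qname == zone:
            axfr.add(client)                      # zone transfer request
        elif qtype in ("a", "aaaa") and qname.endswith("." + zone):
            names[client].add(qname)              # distinct names tried
        elif qtype == "ptr" and ptr_to_int(qname) is not None:
            ptrs[client].add(ptr_to_int(qname))   # reverse lookups
    report = {}
    for c in sorted(axfr | set(names) | set(ptrs)):
        hits = {"zone-transfer-attempt": c in axfr,
                "subdomain-wordlist": len(names[c]) >= min_names,
                "adjacent-ptr-sweep": longest_run(ptrs[c]) >= min_ptr_run}
        if any(hits.values()):
            report[c] = [label for label, ok in hits.items() if ok]
    return report
```

Calling `detect(SAMPLE_LOG, "example.test")` reports only the first client; on a real server the thresholds would need tuning against normal resolver traffic.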

In addition, there are plenty of options. Here is an example (the result is not shown to the end, because it is rather long):

