Simple DNS Enumeration

dnsenum.sh

#!/bin/bash

echo ""

if [ $# -eq 0 ]
then
    echo "[!] no arguments given"
    echo "[!] usage: ./dnsenum.sh [host]"
    echo "[!] eg.: ./dnsenum.sh grandbusiness.com.br"
    exit 1
fi

echo "[+] Trying to enumerate NS, MX, A, AAAA, HINFO, CNAME, PTR and SOA records..."
echo ""

records=("NS" "MX" "A" "AAAA" "HINFO" "CNAME" "PTR" "SOA")
for record in "${records[@]}"
do  
    echo "[+] $record records:"
    host -t $record $1
    echo ""
done

echo "[+] Trying to perform a Reverse DNS Brute Force..."
echo ""

ip=$(host $1 | grep "has address" | head -n1 | awk -F " " '{print $4}')
base=$(echo $ip | cut -d "." -f1-3)
range=$(whois $ip | grep "NetRange:" | tail -n1 | awk -F " " '{print $2" - "$4}')
from=$(echo $range | awk -F " " '{print $1}' | awk -F "\\." '{print $NF}')
to=$(echo $range | awk -F " " '{print $3}' | awk -F "\\." '{print $NF}')

for index in $(seq $from $to)
do
    host $base.$index | grep -v "not found"
done   

echo ""
echo "[+] Trying to perform a DNS Zone Transfer"
echo ""

for ns in $(host -t ns $1 | awk -F " " '{print $4}')
do
    host -l $1 $ns | grep "has address"
done    

echo ""