October 28, 2019 · Basic Pen-Testing

1.3 : Basic Bash scripting - IP lookup (Part II)

Example: example.com Sub-domain IP Lookup

Before you continue, make sure you have a simple text file (list.txt) that contains the sub-domains to look up. It can be built from a saved page like this:

cat index.html | grep -o -E 'https?://[^"]*' | grep "example" | cut -d "/" -f 3 | sort -u > list.txt

cat list.txt



Introducing the host command

host is a dig-like command with a shorter, simpler invocation.
It is another command for gathering domain name information.

> host

Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] hostname [server]
       -a is equivalent to -v -t ANY
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -i IP6.INT reverse lookups
       -l lists all hosts in a domain, using AXFR
       -m set memory debugging flag (trace|record|usage)
       -N changes the number of dots allowed before root lookup is done
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -s a SERVFAIL response should stop query
       -t specifies the query type
       -T enables TCP/IP mode
       -v enables verbose output
       -V print version number and exit
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply
       -4 use IPv4 query transport only
       -6 use IPv6 query transport only

Example usage: look up google.com

host google.com


google.com has address
google.com has IPv6 address 2404:6800:4005:805::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.

So we can now use host to query the sub-domains and show every IP address returned by the DNS lookups.

# The loop variable is written without $ when it is first assigned; `cat list.txt` supplies the items to loop over
for URL in `cat list.txt`
do
    # keep only the "has address" lines, cut out the IP (4th field) and append it to res.txt
    host "$URL" | grep "has address" | cut -d " " -f 4 >> res.txt
done

Or you can use a one-liner like this:

for URL in `cat list.txt`; do host "$URL" | grep "has address" | cut -d " " -f 4 >> res.txt; done
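The loop above passes whatever was scraped out of index.html straight to host, so an entry that starts with "-" would be read as an option and a URL with a port would fail to resolve. The script below is an added example, not part of the original post: it validates each entry, strips a port suffix, bounds the wait with -W, and also collects IPv6 addresses. The function names are made up for this example, and it assumes list.txt holds one name per line.

```bash
#!/usr/bin/env bash
# Added example: a more defensive version of the lookup loop.

# Accept only plain DNS names: letters, digits, dots and hyphens,
# not empty, not starting with '-' (would be parsed as an option) or '.'.
is_valid_hostname() {
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Read `host` output on stdin and print one address per line.
# Lines with no address after "has address" are ignored.
extract_addrs() {
    awk '/ has address /      { print $4 }
         / has IPv6 address / { print $5 }'
}

# Resolve every valid name in the file given as $1 and print unique addresses.
resolve_list() {
    while IFS= read -r name || [ -n "$name" ]; do
        name=${name%%:*}            # drop a :port left over from the URL
        if ! is_valid_hostname "$name"; then
            printf 'skipping entry: %s\n' "$name" >&2
            continue
        fi
        # -W 2: wait at most 2 seconds for a reply
        host -W 2 "$name" 2>/dev/null | extract_addrs
    done < "$1" | sort -u
}

# Run only when list.txt is present and host is installed.
if [ -f list.txt ] && command -v host >/dev/null 2>&1; then
    resolve_list list.txt > res.txt
fi
```

Unlike the original loop, this overwrites res.txt on each run instead of appending, so repeated runs do not pile up duplicate addresses.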