Penetration testing tools ---- installing and using dnsenum

dnsenum is a domain-name information-gathering (DNS enumeration) tool written in Perl.

Download it with Git:

git clone https://github.com/fwaeytens/dnsenum.git

The installation steps for other systems are in install.txt; since I installed it on a BandwagonHost VPS, only the CentOS procedure is described here.

Install cpanminus, which is used to download the required components:

yum install perl-App-cpanminus    # the package that provides the cpanm command (on CentOS 7 it comes from the EPEL repository)

Once cpanminus is installed, carry out the steps below.
Install the dependency modules; the order does not matter, but make sure every one of them is installed:

cpanm String::Random
cpanm Net::IP
cpanm Net::DNS
cpanm Net::Netmask
cpanm XML::Writer

When they are installed, enter the dnsenum directory and make the script executable:

cd dnsenum

chmod 755 dnsenum.pl

Then run the following command:

./dnsenum.pl

If the following output appears, the installation is complete.

dnsenum.pl VERSION:1.2.4
Usage: dnsenum.pl [Options] <domain> 
[Options]:
Note: the brute force -f switch is obligatory.
GENERAL OPTIONS:
  --dnsserver   <server>
            Use this DNS server for A, NS and MX queries.
  --enum        Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help        Print this help message.
  --noreverse       Skip the reverse lookup operations.
  --nocolor     Disable ANSIColor output.
  --private     Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file>  Write all valid subdomains to this file.
  -t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
  --threads <value> The number of threads that will perform different queries.
  -v, --verbose     Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>   The number of google search pages to process when scraping names, 
            the default is 5 pages, the -s switch must be specified.
  -s, --scrap <value>   The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
  -f, --file <file> Read subdomains from this file to perform brute force.
  -u, --update  <a|g|r|z>
            Update the file specified with the -f switch with valid subdomains.
    a (all)     Update using all results.
    g       Update using only google scraping results.
    r       Update using only reverse lookup results.
    z       Update using only zonetransfer results.
  -r, --recursion   Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>   The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois       Perform the whois queries on c class network ranges.
             **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude <regexp>
            Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
  -o --output <file>    Output in XML format. Can be imported in MagicTree (www.gremwell.com)
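The usage banner above only proves that the script starts. As an added check (not part of the original post or of dnsenum itself), the following POSIX shell script confirms that each Perl module dnsenum needs can actually be loaded by the interpreter that will run dnsenum.pl, and names the cpanm command for any that cannot; it assumes only that perl is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post or of dnsenum: confirm that every
# Perl module dnsenum depends on loads cleanly. Assumes only that `perl` is on PATH.

# check_perl_modules MODULE...
# Prints one line per module and returns the number of modules that failed to load.
check_perl_modules() {
    missing=0
    for mod in "$@"; do
        # `perl -MFoo::Bar -e 1` exits 0 only if Foo::Bar can be found and compiled.
        if perl -M"$mod" -e 1 >/dev/null 2>&1; then
            printf 'ok       %s\n' "$mod"
        else
            printf 'MISSING  %s   (fix: cpanm %s)\n' "$mod" "$mod"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# The modules the post installs with cpanm.
DNSENUM_MODULES='String::Random Net::IP Net::DNS Net::Netmask XML::Writer'

# check_dnsenum_deps: run the check over the dnsenum module list.
check_dnsenum_deps() {
    # $DNSENUM_MODULES is deliberately unquoted so it splits into one argument per module.
    check_perl_modules $DNSENUM_MODULES
}

# When run directly: report, and exit non-zero if anything is missing so the
# script can gate an installation pipeline.
if check_dnsenum_deps; then
    echo 'All dnsenum dependencies load; ./dnsenum.pl should now print its usage banner.'
else
    echo 'Some dependencies are missing; run the cpanm commands listed above, then re-run this check.' >&2
fi
```

Save it next to dnsenum.pl and run it with `sh check_deps.sh` (the file name is my own choice) after the cpanm step; a non-zero exit code means at least one module is still missing.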

dnsenum ships with a brute-force wordlist, dns.txt, which can be used directly, like this:

./dnsenum.pl --noreverse --threads 20 -f dns.txt <domain>

Then just wait for it to finish.


Reprinted from blog.csdn.net/youshaoduo/article/details/81285793