

From Security101 - Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools

Dripper.c is a fast, asynchronous DNS scanner; it can be used for enumerating subdomains and enumerating boxes via reverse DNS.

It may be a crime to use this tool against a system without express permission.

Special thanks to jtripper for her contributions to this article.


How It Works

When Dripper first starts, it forks the process. The child process rapidly sends DNS queries using raw sockets without waiting for replies, while the parent process opens a raw socket sniffer and listens for DNS replies. Dripper cycles through a list of nameservers to help prevent rate limiting.


Because it uses raw sockets, Dripper requires root privileges to function properly.

The most basic usage of Dripper is to enumerate subdomains:

# ./dripper -d
dripper Stateless DNS Scanner 1.0
  (c) jtripper 2013
--------------------------------- -> (A) -> (A)

By default, Dripper loads nameservers from the file "resolv.conf" and subdomains from "subs.txt". These can be changed with the "-r" and "-s" options, respectively.

# ./dripper -r resolv.conf.2 -s subs2.txt -d

Dripper also supports reverse DNS record scanning. This feature accepts an IP range to scan and a word (usually a domain) to search for:

# ./dripper -d yahoo -i
dripper Stateless DNS Scanner 1.0
  (c) jtripper 2013
--------------------------------- -> (PTR) -> (PTR)

An example subdomain file might look like:


Resolv.conf should be in the same format:


Some known limitations are:

  • Packets are never resent; any packet that is lost stays lost.
  • Nameservers tend to rate-limit incoming packets.
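
Because the queries are spread across a list of nameservers, a per-source rate limit on the server answering for the zone sees only a small share of the burst from each one. The following is an added example, not part of Dripper or the original article, that flags this pattern by counting distinct NXDOMAIN names per zone across all sources; the log format, the thresholds and the two-label zone rule are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample log: "<epoch_seconds> <source_ip> <qname> <rcode>".
# The format is an assumption for this example, not a real server's log format.
SAMPLE_LOG = """\
100.0 192.0.2.10 www.example.test NOERROR
100.1 192.0.2.10 admin.example.test NXDOMAIN
100.1 198.51.100.7 dev.example.test NXDOMAIN
100.2 203.0.113.5 vpn.example.test NXDOMAIN
100.2 192.0.2.10 mail.example.test NOERROR
100.3 198.51.100.7 staging.example.test NXDOMAIN
100.4 203.0.113.5 test.example.test NXDOMAIN
160.0 192.0.2.10 typo.example.test NXDOMAIN
"""

def zone_of(qname, labels=2):
    """Approximate the zone as the last `labels` labels (assumption)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def detect_enumeration(lines, window=10.0, min_names=5, min_sources=2):
    """Flag zones where, within `window` seconds, at least `min_names` distinct
    names returned NXDOMAIN. Counting is done across all sources, so spreading
    the queries over several resolvers does not hide the burst."""
    recent = defaultdict(deque)   # zone -> deque of (ts, src, qname)
    alerts = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "NXDOMAIN":
            continue              # skip malformed lines and successful lookups
        ts, src, qname = float(parts[0]), parts[1], parts[2].lower()
        zone = zone_of(qname)
        q = recent[zone]
        q.append((ts, src, qname))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop entries older than the window
        names = {n for _, _, n in q}
        sources = sorted({s for _, s, _ in q})
        if zone not in alerts and len(names) >= min_names and len(sources) >= min_sources:
            alerts[zone] = {"first_alert": ts, "names": len(names), "sources": sources}
    return alerts

if __name__ == "__main__":
    for zone, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(zone, info)
```

In the constructed sample no single source produces more than two NXDOMAIN answers, so a per-source threshold of five would stay silent while the per-zone count fires.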

Source Code

The source for Dripper can be found at Dripper.c.
