DNS Enumeration
nslookup
server <ip address>        (point nslookup at the target name server)
127.0.0.1                  (reverse lookup of the loopback address)
<ip address>               (reverse lookup of the name server's own address)
root@kali:/assessments/htb/cronos# nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
> cronos.htb
Server: 10.10.10.13
Address: 10.10.10.13#53
Name: cronos.htb
Address: 10.10.10.13
dnsrecon
dnsrecon -r 127.0.0.0/24 -n <name server>
dnsrecon -r 127.0.1.0/24 -n <name server>
Many DNS servers also have reverse records for 127.0.1.x addresses, so try that range too
dnsrecon -r 10.10.10.0/24 -n <name server>
Also try the name server's own subnet; 10.10.10.x in this case
---DNS Zone Transfers---
dnsrecon -d <domain name> -t axfr
e.g.
dnsrecon -d megacorpone.com -t axfr
Dig - DNS Zone Transfer
Zone transfers can give you information on additional subdomains that you can then enumerate.
After a successful zone transfer, add the name server to your /etc/resolv.conf file so the host names it returned resolve from your machine.
dig axfr @<name server>
Zone transfer on the root zone
dig axfr bank.htb @10.10.10.29
Zone transfer on a specific zone; bank.htb in this case
dig axfr foocampus.com @10.50.96.5 +nocookie
If the previous xfers don't work, try running with the +nocookie option
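As an added example (not part of the original notes), a shell snippet that turns the output of dig axfr into a list of host names and addresses for the next enumeration step; the transfer text embedded in it is a constructed sample modelled on the bank.htb transfer further down.

```shell
#!/usr/bin/env bash
# Added example: extract host names and addresses from `dig axfr` output.
# Assumes dig's default answer format: NAME TTL CLASS TYPE RDATA...

# Constructed sample, modelled on the bank.htb zone transfer in these notes.
AXFR_SAMPLE='; <<>> DiG 9.11.3-1-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb.      604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.      604800  IN  NS     ns.bank.htb.
bank.htb.      604800  IN  A      10.10.10.29
ns.bank.htb.   604800  IN  A      10.10.10.29
www.bank.htb.  604800  IN  CNAME  bank.htb.
bank.htb.      604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 59 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; XFR size: 6 records (messages 1, bytes 171)'

# axfr_ok: succeed only if the transfer returned records. A refused transfer
# prints no ";; XFR size:" line, just the query footer.
axfr_ok() {
    grep -q '^;; XFR size: [1-9]'
}

# axfr_hosts: unique host names from the owner column plus NS/CNAME/MX targets,
# trailing dot stripped, one per line, sorted.
axfr_hosts() {
    awk '
        /^;/ || NF < 5 { next }                    # skip dig comments and blank lines
        { print $1 }                               # owner name of every record
        $4 == "NS" || $4 == "CNAME" { print $5 }   # record target
        $4 == "MX" { print $6 }                    # MX target follows the preference
    ' | sed 's/\.$//' | sort -u
}

# axfr_addrs: unique IPv4/IPv6 addresses from A/AAAA records.
axfr_addrs() {
    awk '!/^;/ && ($4 == "A" || $4 == "AAAA") { print $5 }' | sort -u
}

# Usage on a live transfer: dig axfr bank.htb @10.10.10.29 | axfr_hosts
printf '%s\n' "$AXFR_SAMPLE" | axfr_hosts
```

The host names it prints can be fed straight into the host/nmap loops below instead of a guessed wordlist.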
host
host - DNS lookup utility
host -t ns megacorpone.com
megacorpone.com name server ns1.megacorpone.com.
megacorpone.com name server ns3.megacorpone.com.
megacorpone.com name server ns2.megacorpone.com.
record types for -t: A, CNAME, NS, SOA, TXT, DNSKEY, AXFR, MX, etc.
Every properly configured domain should publish at least the name servers (NS) and mail servers (MX) responsible for it.
Does it have a corresponding webserver?
host www.megacorpone.com
---Forward Lookup Brute Force---
create a wordlist of common subdomains that you can prepend to megacorpone.com
e.g. www, ftp, mail, owa, proxy, router, etc.
for sub in $(<wordlist.txt); do host "$sub.megacorpone.com"; done | grep -v "not found"
---Reverse Lookup Brute Force---
e.g.
for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
---DNS Zone Transfers---
host -l <domain name> <dns server address>
e.g.
host -l megacorpone.com ns1.megacorpone.com
nmap scripts
---DNS Zone Transfer---
Unsuccessful zone xfr (no records come back, only dig's query footer)
; <<>> DiG 9.11.3-1-Debian <<>> axfr @10.10.10.29
; (1 server found)
;; global options: +cmd
;; Query time: 60 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Tue Aug 21 08:14:58 CDT 2018
;; MSG SIZE  rcvd: 28
Successful zone xfr (the whole zone is returned, ending with an XFR size line)
; <<>> DiG 9.11.3-1-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb.      604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
bank.htb.      604800  IN  NS     ns.bank.htb.
bank.htb.      604800  IN  A      10.10.10.29
ns.bank.htb.   604800  IN  A      10.10.10.29
www.bank.htb.  604800  IN  CNAME  bank.htb.
bank.htb.      604800  IN  SOA    bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800
;; Query time: 59 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Tue Aug 21 08:15:07 CDT 2018
;; XFR size: 6 records (messages 1, bytes 171)
nikto scan of the same host (10.10.10.29, port 80)
+ Target IP: 10.10.10.29
+ Target Hostname: 10.10.10.29
+ Target Port: 80
+ Start Time: 2018-08-21 08:00:07 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7499 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2018-08-21 08:08:24 (GMT-5) (497 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
dnsenum
---DNS Zone Transfers---
dnsenum <domain name>
e.g.
dnsenum megacorpone.com