DNS Enumeration

The goal is to gather more detailed information on the devices and resources attached to the network: account names, misconfigured services, and so on.

Enumerating DNS Records

host -t ns <domain name>    // Enumerates name servers.
host -t mx <domain name>    // Enumerates mail servers.

nslookup -type=ns <domain name>    
nslookup -type=mx <domain name>
nslookup -type=any <domain name>    // Enumerates anything possible.

If we have a list of domains (one per line in list.txt), use this Bash loop in the terminal:

for domain in $(cat list.txt); do host "$domain"; done

Zone Transfer

DNS zone transfer is the process by which a DNS server passes a copy of part of its database (a zone) to another DNS server.

In simple words:

There is a master DNS server for a zone, and there can be one or more slave (secondary) DNS servers. A slave server asks the master for a copy of the records for that zone.

If the DNS server is misconfigured, an attacker can pretend to be a slave and ask the master for a copy of the DNS records.

The attacker then obtains the full list of hosts registered in that zone, gathers information about each of them and attacks whichever is vulnerable. So it is necessary to check whether zone transfers are enabled on the name servers.

host -l <domain name> <nameserver>      // Checks for zone transfers.
dig axfr <domain name> @<nameserver>
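As an added example (not part of the original notes), the following Bash script runs the zone-transfer check above against every name server of every domain in a list, the way you would audit your own zones before an attacker does. It assumes `host` and `dig` from BIND are installed, that the list holds one domain per line, and that `dig` prints `;; XFR size:` when a transfer is served and `; Transfer failed.` when it is refused, as BIND 9's dig does; the function names `parse_ns`, `classify_axfr`, `check_domain` and `check_list` are my own.

```shell
#!/usr/bin/env bash
# Added example: audit a list of domains for name servers that serve AXFR.
# Assumes BIND's `host` and `dig` are installed (dnsutils / bind-utils).

# Extract name-server hostnames from `host -t ns` output.
# Each relevant line looks like: "example.com name server ns1.example.com."
parse_ns() {
    awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# Classify a `dig axfr` transcript read from stdin:
#   open    - the zone was served (dig prints ";; XFR size: ...")
#   refused - the server declined (dig prints "; Transfer failed.")
#   error   - anything else (timeout, unreachable server, bad name)
classify_axfr() {
    out=$(cat)
    case "$out" in
        *"XFR size:"*)       echo open ;;
        *"Transfer failed"*) echo refused ;;
        *)                   echo error ;;
    esac
}

# For one domain: find its name servers and try AXFR against each one.
# Prints "domain<TAB>nameserver<TAB>status" per name server.
check_domain() {
    domain=$1
    host -t ns "$domain" | parse_ns | while read -r ns; do
        status=$(dig axfr "$domain" "@$ns" +time=5 +tries=1 2>&1 | classify_axfr)
        printf '%s\t%s\t%s\n' "$domain" "$ns" "$status"
    done
}

# Run check_domain over a file with one domain per line (blank lines ignored).
check_list() {
    while read -r domain; do
        if [ -n "$domain" ]; then
            check_domain "$domain"
        fi
    done < "$1"
}

# Usage: ./axfr-audit.sh list.txt
if [ -n "${1:-}" ]; then
    check_list "$1"
fi
```

Any line whose status is `open` is a name server that hands its whole zone to anyone who asks; on your own infrastructure that is the setting to fix (restrict AXFR to the secondaries' addresses or a TSIG key), and on an engagement it is the finding to record.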

Some built-in automation tools in Kali:

dnsenum <domain name>

dnsrecon -d <domain name>

fierce -dns <domain name>

While pentesting a box or an application, we often find port 53 open. The first things that should come to mind are:

Add the host to /etc/hosts.

nslookup 
> server 10.10.10.7
> 10.10.10.7
. . . .     ns1.cronos.htb

dig axfr cronos.htb @10.10.10.7
. . . . . 
admin.cronos.htb
ns1.cronos.htb
cronos.htb

Brute-force subdomains using ffuf or sublist3r, dig the newly found subdomains, and repeat.
(Don't forget to add the newly found subdomains to your /etc/hosts file.)
