DNS Enumeration
The goal is to gather more detailed information on both the devices and the resources attached to the network. This includes account names, misconfigured services and so on!
Enumerating DNS Records
host -t ns <domain name> // Enumerates name servers.
host -t mx <domain name> // Enumerates mail servers.
nslookup -type=ns <domain name>
nslookup -type=mx <domain name>
nslookup -type=any <domain name> // Enumerates anything possible.
Suppose we have a list of domains, one per line in list.txt. Use this Bash loop in the terminal:
for domain in $(cat list.txt); do host $domain; done // Looks up every domain in the list.
Zone Transfer
DNS zone transfer is the process by which a DNS server passes a copy of part of its database (a zone) to another DNS server.
Okay, so in simple words:
There is a master DNS server for a zone and there can be one or more slave DNS servers. The slave servers ask the master for a copy of the records for that zone.
If the DNS server is misconfigured and does not restrict who may request a transfer, an attacker can pretend to be a slave and ask the master for a copy of the zone's records.
The attacker then gets the full list of hosts registered in that zone, gathers information on each of them and tries to attack any that are vulnerable. So it is necessary to check whether zone transfers are enabled on the name servers.
host -l <domain name> <name server> // Checks for zone transfers (host takes the server as a plain argument, no @).
dig axfr <domain name> @<name server> // Same check with dig (dig wants the @ in front of the server).
Some automated tools built into Kali:
dnsenum <domain name>
dnsrecon -d <domain name>
fierce -dns <domain name>
While pentesting a box or an application, we often see port 53 open. The first things that should strike us are:
Add the host to /etc/hosts.
Ask the target's own DNS server about itself: set it as the resolver in nslookup, then reverse-lookup its IP to get its hostname.
nslookup
> server 10.10.10.7
> 10.10.10.7
. . . . ns1.cronos.htb
Now try a zone transfer against that name server:
dig axfr cronos.htb @10.10.10.7
. . . . .
admin.cronos.htb
ns1.cronos.htb
cronos.htb
Hunt for more subdomains with ffuf or sublist3r, dig the newly found ones, and repeat.
(Don't forget to add the newly found subdomains to your /etc/hosts file.)
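The list loop, the zone-transfer check and the cronos.htb walkthrough above, put together as one audit script. This is an added example, not code from the original notes: it resolves the NS records of each domain in a file, tries AXFR against every name server with dig, and reports which ones hand the zone over (those are the misconfigured ones to fix). The dig outputs embedded below are constructed samples using the names from the walkthrough, so the parsing can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): audit a list of domains for open
# zone transfers: enumerate NS records, try AXFR against each, report which answer.

# Constructed sample of `dig axfr` output for an allowed transfer (names from the
# cronos.htb walkthrough above), so the parser can be exercised offline.
SAMPLE_AXFR=';; global options: +cmd
cronos.htb.        604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.        604800  IN  NS   ns1.cronos.htb.
admin.cronos.htb.  604800  IN  A    10.10.10.7
ns1.cronos.htb.    604800  IN  A    10.10.10.7
cronos.htb.        604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800'
# Constructed sample of a refused transfer.
SAMPLE_REFUSED=';; global options: +cmd
; Transfer failed.'

# True only if the AXFR really succeeded: dig reports refusals and timeouts as
# ";" comment lines, while a real transfer carries SOA records.
axfr_succeeded() {
    case "$1" in
        *"Transfer failed."*|*"communications error"*|*"connection timed out"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'
}
# Number of resource records in a transfer (comment and blank lines skipped).
axfr_record_count() {
    printf '%s\n' "$1" | grep -Ev '^(;|$)' | grep -Ec '[[:space:]]IN[[:space:]]'
}
# Name servers of a domain, via `host -t ns` exactly as in the notes above.
name_servers() { host -t ns "$1" 2>/dev/null | awk '/name server/ {print $NF}'; }
# Try AXFR for one domain against each of its name servers and report the result.
check_domain() {
    local domain="$1" ns out
    for ns in $(name_servers "$domain"); do
        out="$(dig axfr "$domain" "@$ns" +time=5 +tries=1 2>&1)"
        if axfr_succeeded "$out"; then
            echo "OPEN   $domain via $ns ($(axfr_record_count "$out") records)"
        else
            echo "closed $domain via $ns"
        fi
    done
}
# Usage: ./axfr-audit.sh list.txt (one domain per line). Without a file, run the
# parser on the constructed samples so the script demonstrates itself offline.
if [ -f "${1:-}" ]; then
    while read -r domain; do [ -n "$domain" ] && check_domain "$domain"; done < "$1"
else
    axfr_succeeded "$SAMPLE_AXFR" && echo "sample: open, $(axfr_record_count "$SAMPLE_AXFR") records"
    axfr_succeeded "$SAMPLE_REFUSED" || echo "sample: transfer refused"
fi
```

Any line reported as OPEN means that name server answers AXFR for anyone; the fix on the server side is to restrict transfers to the slave addresses (allow-transfer in BIND).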