Hack$Notes
DNS Enum

Main commands used here for DNS enum.

  • host

  • dig

  • nslookup

  • dnsrecon

NSlookup

nslookup
> server 10.10.10.10
Default server: 10.10.10.10
Address: 10.10.10.10#53

> 10.10.10.10
10.10.10.10.in-addr.arpa	name = ns1.domain.com.

host -t ns somedomain.com		# -t: record type; ns = nameserver records
host -t mx somedomain.com		# mx = mail exchanger records
host www.somedomain.com			# Displays the IP address of the host
host idontexist.somedomain.com	# Query a name that should not exist; if it resolves anyway, the domain likely has a wildcard record

Zone Transfer

host -t ns somedomain.com					# Find the nameservers of the domain
host -l somedomain.com ns1.somedomain.com.	# Attempt a zone transfer (AXFR) against each nameserver found (ns1, ns2, ns3, ...)
############### Example Script for Zone Transfer ###############
################################################################

#!/bin/bash

# Zone Transfer script
######################
# Usage: ./zonetransfer.sh somedomain.com
# Looks up the domain's nameservers, then asks each one for a full zone transfer (AXFR)

echo "[*] Simple Zone transfer script"
if [ -z "$1" ]; then
        echo "This script accepts an argument. Please re-run it and give an argument."
        exit 1
fi

# 'host -t ns' prints "<domain> name server <ns>."; field 4 is the nameserver
for server in $(host -t ns "$1" | cut -d" " -f4);
do
        # 'host -l' requests AXFR; keep only the A records (a server that refuses prints "Transfer failed.")
        host -l "$1" "$server" | grep "has address"
done

Tools: DNSrecon/DNSenum

dnsrecon -d somedomain.com -t axfr	    # Attempt a Zone Transfer on a domain 

Dig Zone Transfer

dig axfr @10.10.10.10 somedomain.com	# Request a zone transfer from the nameserver at 10.10.10.10
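What host -l, dnsrecon and dig do under the hood, as an added example that is not part of these notes: a standard-library-only Python AXFR client that builds the query, sends it over TCP with the 2-byte length framing, and decodes the returned records until the closing SOA, stopping early if the server answers with a non-zero RCODE (REFUSED). The server address, zone name and record types shown are assumptions; the test data below the block is constructed.

```python
import socket, struct

def build_axfr_query(zone, qid=0x1234):            # DNS header + one question for the zone
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in zone.strip(".").split(".")) + b"\x00"
    # id, flags 0 (standard query), QDCOUNT 1, then <zone> type AXFR(252) class IN(1)
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 252, 1)

def read_name(msg, off):                           # -> (name, offset just past it); follows compression pointers
    ln = msg[off]
    if ln & 0xC0 == 0xC0:                          # pointer: decode the target, but consume only 2 bytes here
        return read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)[0], off + 2
    if ln == 0:
        return "", off + 1
    label = msg[off + 1:off + 1 + ln].decode()
    rest, off = read_name(msg, off + 1 + ln)
    return (label + "." + rest if rest else label), off

def parse_answers(msg):                            # -> [(owner, rtype, data)]; rtype 1=A, 2=NS, 6=SOA
    qd, an = struct.unpack("!HH", msg[4:8])
    out, off = [], 12
    for _ in range(qd):                            # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        data = msg[off:off + rdlen].hex()          # raw rdata for types not decoded below
        if rtype == 1:
            data = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 6):                      # NS target, or the SOA's MNAME
            data = read_name(msg, off)[0]
        out.append((owner, rtype, data))
        off += rdlen
    return out

def axfr(server, zone, timeout=5):                 # TCP AXFR: 2-byte length-prefixed messages until the closing SOA
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout) as s, s.makefile("rb") as f:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:                        # a full transfer starts and ends with the zone's SOA
            msg = f.read(struct.unpack("!H", f.read(2))[0])
            if msg[3] & 0x0F:                      # RCODE set (5 = REFUSED): the server declines the transfer
                break
            for rec in parse_answers(msg):
                records.append(rec)
                soa_seen += rec[1] == 6
    return records
```

Call axfr("10.10.10.10", "somedomain.com") to get a list of (owner, type, data) tuples; an empty list means the server refused or closed the transfer.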

Tools List

sublist3r
enumall
massdns
altdns
brutesubs
dns-parallel-prober
dnscan
knockpy
tko-subs
HostileSubBruteforce

WFUZZing

----DNS fuzzing----
# Virtual-host discovery: FUZZ is substituted into the Host header; -f writes results to the file sub-fighter,
# -t 42 sets the thread count, --hl/--hh hide responses with the given number of lines/chars (the default vhost's answer)
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62

Last updated 3 years ago