Hack$Notes
DNS Enum
Main commands used here for DNS enum.
host
dig
nslookup
dnsrecon
NSlookup
nslookup
> server 10.10.10.10
Default server: 10.10.10.10
Address: 10.10.10.10#53
> 10.10.10.10
10.10.10.10.in-addr.arpa name = ns1.domain.com.
host -t ns somedomain.com # -t: type, nameservers records
host -t mx somedomain.com # mail records
host www.somedomain.com # Will display the IP of the domain
host idontexist.somedomain.com # If it exists, further information is displayed
Zone Transfer
host -t ns somedomain.com # Find the nameservers of the domain
host -l somedomain.com ns1.somedomain.com. # attempt zone transfer based on the nameservers found. (e.g. ns1, ns2, ns3, ... )
#!/bin/bash

############### Example Script for Zone Transfer ###############
################################################################

# Zone Transfer script
######################

echo "[*] Simple Zone transfer script"
if [ -z "$1" ]; then
    echo "Usage: $0 <domain>  (this script needs a domain as its argument)"
    exit 1
fi

# Ask for the domain's NS records and take the nameserver (4th field),
# then attempt an AXFR against each one and keep only the A records.
for server in $(host -t ns "$1" | cut -d" " -f4)
do
    host -l "$1" "$server" | grep "has address"
done
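The script above prints raw `host` output; an example added to these notes (not part of the original page) parses that same output offline and reports which nameservers of a zone answer AXFR, which is the check to run against your own domain before someone else does. The captured `host -t ns` and `host -l` output below is constructed, and the domain, server names and addresses are placeholders.

```python
"""Parse the output of `host -t ns` and `host -l` and classify each
nameserver as leaking or refusing a zone transfer.  Added example; the
captured output below is constructed, not from a real domain."""
import re
from typing import Dict, List

# Constructed output of `host -t ns somedomain.com`
NS_OUTPUT = """\
somedomain.com name server ns1.somedomain.com.
somedomain.com name server ns2.somedomain.com.
"""

# Constructed output of `host -l somedomain.com <server>` for each server.
# ns1 leaks the whole zone; ns2 is configured correctly and refuses.
AXFR_OUTPUT = {
    "ns1.somedomain.com.": """\
Using domain server:
Name: ns1.somedomain.com.
Address: 10.10.10.10#53
Aliases:

somedomain.com name server ns1.somedomain.com.
somedomain.com name server ns2.somedomain.com.
somedomain.com has address 10.10.10.20
www.somedomain.com has address 10.10.10.21
mail.somedomain.com has address 10.10.10.22
dev.somedomain.com has address 10.10.10.23
""",
    "ns2.somedomain.com.": """\
Using domain server:
Name: ns2.somedomain.com.
Address: 10.10.10.11#53
Aliases:

; Transfer failed.
""",
}

NS_RE = re.compile(r"^\S+ name server (\S+)$")
A_RE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_nameservers(text: str) -> List[str]:
    """Same job as `cut -d" " -f4` in the script, but anchored on the record
    type so warnings or comment lines in the output are ignored."""
    servers = []
    for line in text.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            servers.append(m.group(1))
    return servers


def parse_axfr(text: str) -> Dict[str, str]:
    """Return {hostname: ip} for every 'has address' line (the grep in the
    script).  A refused transfer produces no such lines, so the dict is empty."""
    hosts = {}
    for line in text.splitlines():
        m = A_RE.match(line.strip())
        if m:
            hosts[m.group(1)] = m.group(2)
    return hosts


def audit_zone(ns_output: str, axfr_outputs: Dict[str, str]) -> Dict[str, dict]:
    """Classify every nameserver as 'leaks' or 'refuses' and collect the
    records an open AXFR exposes, so the finding can be handed to whoever
    runs that server."""
    report = {}
    for ns in parse_nameservers(ns_output):
        hosts = parse_axfr(axfr_outputs.get(ns, ""))
        report[ns] = {"status": "leaks" if hosts else "refuses", "hosts": hosts}
    return report


if __name__ == "__main__":
    for ns, result in audit_zone(NS_OUTPUT, AXFR_OUTPUT).items():
        print(f"{ns}: {result['status']} ({len(result['hosts'])} A records)")
```

To use it against live output, pipe the real `host` results into `audit_zone` in place of the constructed strings; every nameserver listed for the zone should end up as `refuses`.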
Tools: DNSrecon/DNSenum
dnsrecon -d somedomain.com -t axfr # Attempt a Zone Transfer on a domain
Dig Zone Transfer
dig axfr @10.10.10.10 somedomain.com # ask the nameserver at 10.10.10.10 for the whole zone
Tools List
sublist3r
enumall
massdns
altdns
brutesubs
dns-parallel-prober
dnscan
knockpy
tko-subs
HostileSubBruteforce
WFUZZing
----DNS fuzzing----
# Virtual host discovery: every request goes to the same IP, only the Host header changes.
# --hl 1 / --hh 62 hide responses with the same line count / size as the default (catch-all) vhost.
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62
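The `--hl` and `--hh` values in those commands are only useful once you know what the server returns for a name that does not exist. An example added to these notes (not wfuzz's own code) models that baseline filtering over a set of constructed HTTP responses: it takes the reply for a made-up vhost as the baseline and keeps only the names whose reply differs, in size or in line count, which is exactly what the two flags hide. The hostnames and response bodies are invented.

```python
"""Model of the baseline filtering behind wfuzz's --hh (chars) and --hl
(lines).  Added example with constructed responses; a real run would send
one request per candidate Host header and feed status/body into classify()."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Response:
    status: int
    body: str

    @property
    def chars(self) -> int:
        """What wfuzz reports as 'Chars' and filters with --hh."""
        return len(self.body)

    @property
    def lines(self) -> int:
        """What wfuzz reports as 'Lines' and filters with --hl."""
        return self.body.count("\n")


# The catch-all vhost answers every unknown Host with this body.
DEFAULT_BODY = "<html><body><h1>Default site</h1></body></html>\n"

# Constructed responses keyed by the candidate label (FUZZ in the commands).
# "zz-baseline-probe" stands in for a name that certainly does not exist.
RESPONSES: Dict[str, Response] = {
    "zz-baseline-probe": Response(200, DEFAULT_BODY),
    "www": Response(200, DEFAULT_BODY),
    "test": Response(200, DEFAULT_BODY),
    "dev": Response(200, "<html><body><h1>Dev portal</h1><p>login</p></body></html>\n"),
    "mail": Response(401, "Unauthorized\nAuthenticate to continue\n"),
}


def classify(responses: Dict[str, Response], probe: str,
             hide_chars: bool = True, hide_lines: bool = False) -> List[str]:
    """Return the candidate names whose response differs from the probe's.

    hide_chars mirrors --hh <probe chars>, hide_lines mirrors --hl <probe lines>.
    A candidate is dropped as soon as it matches the baseline on any enabled
    metric, which is why --hl alone can miss a real vhost whose page happens to
    have the same number of lines as the default one."""
    base = responses[probe]
    hits = []
    for name, resp in responses.items():
        if name == probe:
            continue
        if hide_chars and resp.chars == base.chars:
            continue
        if hide_lines and resp.lines == base.lines:
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    print("filter by chars:", classify(RESPONSES, "zz-baseline-probe"))
    print("filter by lines:", classify(RESPONSES, "zz-baseline-probe",
                                       hide_chars=False, hide_lines=True))
```

With the constructed data, filtering on size keeps `dev` and `mail`, while filtering on line count alone keeps only `mail`, because the dev page is one line long just like the default page. On a real run, send the probe request first and set `--hh`/`--hl` from its numbers rather than guessing.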