DNS - port 53 (most queries are UDP; zone transfers and responses too large for UDP use TCP)
#NMAP (-p 53 alone probes TCP only; most resolvers answer on UDP 53, so scan UDP as well)
nmap -p 53 10.11.1.1-254 -vv -oA dns (10.11.1.1-254 is a target range, .1 through .254; -oA writes dns.nmap, dns.gnmap and dns.xml)
sudo nmap -sU -sT -p 53 10.11.1.1-254 -vv -oA dns-udp (UDP scanning needs root)
#Query a specific DNS server (nslookup takes the server as the last argument, dig after @) and do a reverse lookup:
nslookup whatever.local 10.10.10.10
dig @10.11.1.221 whatever.local
dig -x 10.10.10.10 +short (short flag reduces output)
#Forward Lookup Brute Force: (dnsrecon and dnsmap are separate tools - install them first; the -D wordlist is only used when the type is brt, not std)
dnsrecon -d example.com -t std --xml dnsrecon-std.xml (standard enumeration: SOA, NS, MX, A/AAAA, SRV plus an AXFR attempt)
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t brt --xml dnsrecon-brt.xml (dictionary brute force of subdomains)
#host (select a record type with -t <type>; the option must be a plain ASCII hyphen or the shell passes it as a literal argument)
host megacorpone.com (basic: A, AAAA and MX records)
host -t mx megacorpone.com (MX records)
host -t txt megacorpone.com (TXT records - often SPF/DMARC policies and domain verification strings)
host -t ns megacorpone.com (name servers - needed for the zone transfer attempts below)
#Forward lookup bruteforce (requires list of potential hosts)
cat list.txt (candidate hostnames, separated by newlines or spaces)
www http proxy ftp router mail
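#Use a bash loop to automate the forward lookups: one host query per candidate name in list.txt.
#The unquoted $(<list.txt) is deliberate - word-splitting accepts names separated by spaces or
#newlines - but it also globs, so keep the list free of * and ? characters.
#The hostname handed to host is quoted, and the loop variable is a name, not an IP.
for name in $(<list.txt); do host "$name.megacorpone.com"; done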
#SecLists ships wordlists built for DNS brute forcing (Discovery/DNS/ in the repository, e.g. /usr/share/seclists/Discovery/DNS/ on Kali); use one of them in place of list.txt
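#Reverse-lookup sweep: one PTR query per address from 38.100.193.50 through 38.100.193.100,
#keeping only the addresses that resolve (host prints "... not found: 3(NXDOMAIN)" for the rest).
#Brace expansion replaces seq, and the address is quoted before it reaches host.
for last in {50..100}; do host "38.100.193.$last"; done | grep -v "not found"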
#Reverse Lookup Brute Force: (rvl sweeps a range of addresses, so the range to query is given with -r)
dnsrecon -d demo.com -r 10.10.10.0/24 -t rvl
DNS Zone Transfers: (AXFR is only served by the domain's own name servers, so list them first; a server that allows AXFR hands over every record in the zone)
host -t ns megacorpone.com
host -l megacorpone.com ns1.megacorpone.com (one AXFR attempt per name server)
dig axfr megacorpone.com @ns1.megacorpone.com
dnsrecon -d megacorpone.com -t axfr (tries every name server for the domain)
dnsenum zonetransfer.me (zonetransfer.me is a public practice domain that deliberately allows AXFR)