Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Hosts File
Description here
/etc/hosts
example here
C:\Windows\System32\drivers\etc\hosts
example here
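A hosts file is consulted before DNS and is a simple line-oriented format: an address, a canonical name, optional aliases, with `#` starting a comment. The function below is an added example, not part of these notes; it resolves a name the way the resolver walks that file (first matching line wins, names compared case-insensitively) against a constructed sample that includes a defender-style sinkhole entry. The hostnames and addresses in the sample are placeholders.

```shell
#!/bin/bash
# Resolve a hostname against hosts-file text on stdin, mimicking resolver rules:
# "#" comments are ignored, each line is "<ip> <canonical name> [aliases...]",
# comparison is case-insensitive and the first matching line wins.

# Constructed sample hosts file (documentation-range addresses, not real hosts).
SAMPLE_HOSTS='127.0.0.1   localhost
::1         localhost ip6-localhost
# internal service pinned to a fixed address
192.0.2.10  intranet.example.internal intranet
# sinkholed name: defenders point known-bad names at a non-routable address
0.0.0.0     malicious.example.test
192.0.2.99  intranet.example.internal   # later duplicate, never used'

# hosts_lookup NAME : print the address for NAME from the hosts text on stdin;
# exit status 1 when no line matches.
hosts_lookup() {
  awk -v name="$1" '
    BEGIN { name = tolower(name) }
    { sub(/#.*/, "") }                 # strip comments (re-splits the fields)
    NF < 2 { next }                    # need an address plus at least one name
    {
      for (i = 2; i <= NF; i++)
        if (tolower($i) == name) { print $1; found = 1; exit 0 }
    }
    END { if (!found) exit 1 }'
}

# Offline demonstration on the constructed sample
for n in intranet INTRANET.example.internal malicious.example.test nosuchhost; do
  if addr=$(printf '%s\n' "$SAMPLE_HOSTS" | hosts_lookup "$n"); then
    echo "$n -> $addr"
  else
    echo "$n -> not in hosts file (falls through to DNS)"
  fi
done

# Live use against the real file: hosts_lookup "$1" < /etc/hosts
if [ $# -gt 0 ]; then hosts_lookup "$1" < /etc/hosts; fi
```

The same parser works on the Windows copy of the file, since the format is identical; only the path differs.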
DNS Enumeration
DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functionality.
zonetransfer.me is a public training site for testing and learning about DNS. It uses the following two name servers:
nsztm1.digi.ninja
nsztm2.digi.ninja
You can test everything against it, from simple dig queries to DNS zone transfers.
Interacting with a DNS Server
host -t ns zonetransfer.me
# -t : record type to query; ns : name server (NS) records
host -t mx zonetransfer.me
# mx : mail exchanger (MX) records
You can also use nslookup:
nslookup zonetransfer.me
dig can also be used:
dig zonetransfer.me
Automating lookups
Now that we have some initial data from the zonetransfer.me domain, we can continue to use additional DNS queries to discover more host names and IP addresses belonging to megacorpone.com.
host zonetransfer.me
# an existing name resolves to an IP address
host idontexist.zonetransfer.me
# a name that does not exist is reported as "not found" (NXDOMAIN)
Forward Lookup Brute Force
Taking the previous concept a step further, we can automate the Forward DNS Lookup of common host names using the host command and a Bash script.
domain=zonetransfer.me
echo www > list.txt
echo ftp >> list.txt
echo mail >> list.txt
echo owa >> list.txt
echo proxy >> list.txt
echo router >> list.txt
echo api >> list.txt
# $domain must be set (as above); each candidate name is resolved in turn
for name in $(cat list.txt); do host $name.$domain; done
Reverse Lookup Brute Force
If the DNS administrator of megacorpone.com configured PTR records for the domain, we might find out some more domain names that were missed during the forward lookup brute-force phase.
for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
# grep -v :: --invert-match, drops the addresses that have no PTR record
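The loop above hard-codes a /24 and the octet range, and a reverse lookup is really a query for a PTR record under in-addr.arpa. The helpers below are an added example (not from these notes) that generalize the idea: expand any CIDR block to its addresses, build the reverse-zone name a PTR query asks for, and parse `host` reverse-lookup output into "ip hostname" pairs. The sample output block is constructed; `reverse_sweep` is the live entry point and needs network access.

```shell
#!/bin/bash
# Reverse (PTR) sweep helpers: CIDR expansion, in-addr.arpa naming and parsing
# of `host <ip>` output. Only reverse_sweep touches the network.

# ip_to_int / int_to_ip : dotted quad <-> integer, for range arithmetic
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_hosts 192.0.2.0/29 : print every address in the block, one per line
cidr_hosts() {
  net=${1%/*}; prefix=${1#*/}
  start=$(ip_to_int "$net")
  size=$(( 1 << (32 - prefix) ))
  start=$(( start & ~(size - 1) ))     # clear host bits if a host address was given
  i=0
  while [ $i -lt $size ]; do
    int_to_ip $(( start + i ))
    i=$(( i + 1 ))
  done
}

# ptr_name 50.7.67.155 : the reverse-zone owner name queried for the PTR record
ptr_name() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo "$4.$3.$2.$1.in-addr.arpa"
}

# Constructed sample of `host <ip>` output for a small sweep: two PTR hits, one miss.
SAMPLE_REVERSE_OUTPUT='155.67.7.50.in-addr.arpa domain name pointer www.example.test.
Host 156.67.7.50.in-addr.arpa not found: 3(NXDOMAIN)
157.67.7.50.in-addr.arpa domain name pointer mail.example.test.'

# ptr_hits : read `host` reverse output on stdin, print "ip hostname" for each PTR
# answer (the grep -v "not found" filter from the notes, plus conversion back to
# dotted form from the reversed in-addr.arpa octets)
ptr_hits() {
  awk '$2 == "domain" && $3 == "name" && $4 == "pointer" {
         split($1, o, ".")                 # o[1..4] are the reversed octets
         sub(/\.$/, "", $5)                # drop the trailing dot of the FQDN
         print o[4] "." o[3] "." o[2] "." o[1], $5 }'
}

# reverse_sweep CIDR : live PTR sweep over a block (requires `host` and network)
reverse_sweep() {
  cidr_hosts "$1" | while read -r ip; do host "$ip"; done | ptr_hits
}

# Offline demonstration
echo "PTR name for 50.7.67.155: $(ptr_name 50.7.67.155)"
echo "Addresses in 192.0.2.0/30:"; cidr_hosts 192.0.2.0/30
echo "PTR hits in sample output:"; printf '%s\n' "$SAMPLE_REVERSE_OUTPUT" | ptr_hits
if [ $# -gt 0 ]; then reverse_sweep "$1"; fi
```

Run as `./ptr_sweep.sh 50.7.67.128/26` for a live sweep; the parsing functions are what make the results greppable, and they are also the part a defender can reuse to audit which addresses in their own ranges carry PTR records.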
DNS Zone Transfers
A zone transfer is similar to database replication between related DNS servers.
This process copies the zone file from a master DNS server to a slave server.
The zone file contains a list of all the DNS names configured for that zone. Zone transfers should usually be limited to authorized slave DNS servers.
host -l megacorpone.com ns1.megacorpone.com # ns1 refused us our zone transfer request
# -l :: list all hosts in a domain
host -l megacorpone.com ns2.megacorpone.com
# The result is a full dump of the zone file for the megacorpone.com domain,
# providing us a convenient list of IPs and DNS names for the megacorpone.com domain.
host -t axfr zonetransfer.me nsztm1.digi.ninja
# same as host -l; the name server must be given as the second argument
dig axfr zonetransfer.me @nsztm1.digi.ninja
# with dig the server to ask is prefixed with @
Now let's automate the process.
To get the name servers for a given domain in a clean format, we can issue the following command.
host -t ns zonetransfer.me | cut -d " " -f 4
# -d :: --delimiter=DELIM, split each line on a single space
# -f :: --fields=LIST, select only these fields on each line (field 4 is the name server)
Taking this a step further, we could write the following simple Bash script to automate the procedure of discovering and attempting a zone transfer on each DNS server found.
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if argument was given, if not, print usage
if [ -z "$1" ]; then
    echo "[-] Simple Zone transfer script"
    echo "[-] Usage : $0 <domain_name>"
    exit 1
fi
# if argument was given, identify the DNS servers for the domain
for server in $(host -t ns "$1" | cut -d" " -f4); do
    # For each of these servers, attempt a zone transfer
    host -l "$1" "$server" | grep "has address"
done
Running this script on zonetransfer.me should automatically identify both name servers and attempt a zone transfer on each of them.
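The script above relies on `cut -d" " -f4`, which breaks as soon as `host` prints more than one space, and it only greps for records without telling you which server leaked them. The version below is an added example (not the notes' script) that separates parsing from the live lookups: the parsers run against constructed sample output of `host -t ns` and `host -l` (placeholder addresses), and `check_zone_transfers` is the live entry point that reports, per name server, whether AXFR is open. The same check is what you would run against your own authoritative servers to confirm transfers are restricted to the intended secondaries.

```shell
#!/bin/bash
# Discover a domain's name servers and check each for an open zone transfer.
# Parsing is split from the live lookups so it can be tested without network access.

# Constructed sample output of `host -t ns zonetransfer.me`
SAMPLE_NS_OUTPUT='zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.'

# Constructed sample output of `host -l zonetransfer.me nsztm1.digi.ninja`
# (documentation-range addresses, not the real zone data)
SAMPLE_AXFR_OUTPUT='Using domain server:
Name: nsztm1.digi.ninja
Address: 192.0.2.53#53
Aliases:

zonetransfer.me has address 192.0.2.14
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
www.zonetransfer.me has address 192.0.2.14
owa.zonetransfer.me has address 198.51.100.32
mail.zonetransfer.me has address 198.51.100.25'

# Constructed sample output of a refused transfer
SAMPLE_REFUSED_OUTPUT='Using domain server:
Name: nsztm2.digi.ninja
Address: 192.0.2.54#53
Aliases:

; Transfer failed.'

# ns_servers : read `host -t ns` output on stdin, print one bare server name per line.
# awk splits on any whitespace and strips the trailing dot, unlike cut -d" " -f4.
ns_servers() {
  awk '$2 == "name" && $3 == "server" { sub(/\.$/, "", $4); print $4 }'
}

# a_records : read `host -l` output on stdin, print "name ip" for each A record
a_records() {
  awk '$2 == "has" && $3 == "address" { print $1, $4 }'
}

# transfer_allowed : exit 0 if the `host -l` output on stdin contains any A record
transfer_allowed() {
  a_records | grep -q .
}

# check_zone_transfers DOMAIN : live check of every NS for DOMAIN (needs network)
check_zone_transfers() {
  domain=$1
  host -t ns "$domain" | ns_servers | while read -r server; do
    out=$(host -l "$domain" "$server" 2>&1)
    if printf '%s\n' "$out" | transfer_allowed; then
      echo "[!] $server allows zone transfer for $domain:"
      printf '%s\n' "$out" | a_records
    else
      echo "[+] $server refuses zone transfer for $domain"
    fi
  done
}

# Offline demonstration on the constructed samples
echo "Name servers:"; printf '%s\n' "$SAMPLE_NS_OUTPUT" | ns_servers
if printf '%s\n' "$SAMPLE_AXFR_OUTPUT" | transfer_allowed; then
  echo "[!] sample server allows zone transfer:"
  printf '%s\n' "$SAMPLE_AXFR_OUTPUT" | a_records
fi
printf '%s\n' "$SAMPLE_REFUSED_OUTPUT" | transfer_allowed || echo "[+] sample refused server: transfer denied"

# Live mode: ./axfr_check.sh <domain>
if [ $# -gt 0 ]; then check_zone_transfers "$1"; fi
```

Because `transfer_allowed` keys on "has address" lines rather than on the exit status of `host`, a server that answers the query but returns only the SOA/NS records is correctly reported as refusing the transfer.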
dnsrecon -d zonetransfer.me -t axfr
# -d :: domain
# -t :: type of Enumeration to perform
# axfr :: test all ns servers for zone transfer
DNSEnum
dnsenum zonetransfer.me
fierce
NOTE: the version included in Kali is outdated and may not work, so install the newer version with pip:
pip3 install fierce
fierce --domain zonetransfer.me
# The options below are those of the older Perl fierce; the pip-installed Python
# rewrite uses long options such as --domain (as above), so check fierce --help
# To scan a domain and output to a file
fierce -dns <domain> -file <output_file>
# To scan a domain and specify which dnsserver to use
fierce -dns <domain> -dnsserver <server>
# To scan an internal ip range for a given server
fierce -range <ip-range> -dnsserver <server>
# To scan a domain using a given wordlist
fierce -dns <domain> -wordlist <wordlist>
# To scan a domain using a specified timeout and number of ip addresses to branch from all found addresses
fierce -dns <domain> -tcptimeout <# seconds> -traverse <# addresses>
# To scan domains from a list and search the entire class C for each found
fierce -dnsfile <file> -wide
DIG
dig zonetransfer.me +short
dig zonetransfer.me MX
dig zonetransfer.me NS
dig zonetransfer.me SOA
dig zonetransfer.me ANY +noall +answer
dig -x [ip address]
# -x takes an IP address (reverse lookup), not a host name
dig zonetransfer.me mx +noall +answer
dig zonetransfer.me ns +noall +answer
# DNS Zone Transfer
dig -t AXFR zonetransfer.me @nsztm1.digi.ninja
dig axfr @10.11.1.111 zonetransfer.me
# For IPv4
dig -4 zonetransfer.me
# For IPv6
dig -6 zonetransfer.me
# To just get the ip address
dig [domain] +nocomments +noauthority +noadditional +nostats
OR
dig [domain] +noall +answer
OR
dig [domain] +short
# To use a specific query type
dig -t [query type] [domain] [options]
OR
dig [domain] [query type] [options]
# To view ALL DNS record types use query ANY
dig -t ANY [domain] [options]
OR
dig [domain] ANY [options]
# To do a DNS reverse look up
dig -x [ip address] +short
# To use a specific DNS server
dig @[specificDNS] [domain]
# To do a bulk DNS query (where file.txt has all the domains, one to a line)
dig [domain1] [options] [domain2] [options]
OR
dig -f file.txt [options]
DNSEnum
# dnsenum
dnsenum 10.11.1.111
DNS reverse lookup
Using PowerShell:
$ComputerIPAddress = "10.10.10.10"
[System.Net.Dns]::GetHostEntry($ComputerIPAddress).HostName   # added: PTR lookup of the address via .NET
Using dnsrecon:
dnsrecon -r $ip/$subnet -n $ip_to_check
# -r :: IP range (CIDR) to reverse-look up; -n :: name server to send the queries to
Misc
DNS zone transfer: dig axfr <hostname> @<ip> or host -l <domain> <nameserver>
add DNS server - Linux: /etc/resolv.conf {nameserver <ip>}
Network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques: https://github.com/OWASP/Amass
NMAP DNS Hostnames Lookup
nmap -F --dns-servers <dns server> <target>
# -F :: fast scan (top 100 ports); --dns-servers :: resolver(s) nmap uses for its reverse lookups of the targets