Lockdoor Framework

A Penetration Testing Framework

View on GitHub

DNS Enumeration

DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functionality.

Interacting with a DNS Server

>> host -t ns megacorpone.com           # -t : type , ns: dns
> host -t mx megacorpone.com           # mx : mail server
>> nslookup anasboureada.com
>> dig aboureada.com

Automating lookups

we have some initial data from the megacorpone.com domain, we can continue to use additional DNS queries to discover more host names and IP addresses belonging to megacorpone.com.

>> host www.megacorpone.com             # we will found that it has an ip
> host idontexist.megacorpone.com      # this is not found

Forward Lookup Brute Force

Taking the previous concept a step further, we can automate the Forward DNS Lookup of common host names using the host command and a Bash script.

>> echo www > list.txt
> echo ftp >> list.txt
> echo mail >> list.txt
> echo owa >> list.txt
> echo proxy >> list.txt
> echo router >> list.txt
> echo api >> list.txt
> for ip in $(cat list.txt);do host $ip.megacorpone.com;done

Reverse Lookup Brute Force

If the DNS administrator of megacorpone.com configured PTR records for the domain, we might find out some more domain names that were missed during the forward lookup brute-force phase.

>> for ip in $(seq 155 190);do host 50.7.67.$ip;done | grep -v "not found"
# grep -v :: --invert-match

DNS Zone Transfers

>> host -l megacorpone.com ns1.megacorpone.com   # ns1 refused us our zone transfer request
# -l :: list all hosts in a domain
> host -l megacorpone.com ns2.megacorpone.com
# The result is a full dump of the zone file for the megacorpone.com domain,
# providing us a convenient list of IPs and DNS names for the megacorpone.com domain.
>> host -t axfr zonetransfer.me nsztm1.digi.ninja.
>> dig axfr nsztm1.digi.ninja zonetransfer.me

Relevant Tools in Kali Linux

DNSRecon

>> dnsrecon -d megacorpone.com -t axfr
# -d :: domain
# -t :: type of Enumeration to perform
# axfr :: test all ns servers for zone transfer

DNSEnum

>> dnsenum zonetransfer.me

fierce

NOTE the one included in the latest version of kali may not work, so try to install the new version from fierce

>> pip3 install fierce
> fierce --domain zonetransfer.me
>nmap -F --dns-server
>host -t ns [megacorpone.com](http://megacorpone.com/)
>for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
>dig a [domain-name-here.com](http://domain-name-here.com/) @nameserver
>dig mx [domain-name-here.com](http://domain-name-here.com/) @nameserver
>dig axfr [domain-name-here.com](http://domain-name-here.com/) @nameserver

DNS Zone Transfers

>nslookup -> set type=any -> ls -d [blah.com  ](http://blah.com/)
>dig axfr [blah.com](http://blah.com/) @[ns1.blah.com](http://ns1.blah.com/)
>dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
>dnsrecon -d [megacorpone.com](http://megacorpone.com/) -t axfr
>dnsenum zonetransfer.m