DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functionality.
Interacting with a DNS Server
>> host -t ns megacorpone.com # -t : type , ns: dns > host -t mx megacorpone.com # mx : mail server
- Also you can use
>> nslookup anasboureada.com
digalso can be used
>> dig aboureada.com
we have some initial data from the megacorpone.com domain, we can continue to use additional DNS queries to discover more host names and IP addresses belonging to megacorpone.com.
>> host www.megacorpone.com # we will found that it has an ip > host idontexist.megacorpone.com # this is not found
Forward Lookup Brute Force
Taking the previous concept a step further, we can automate the Forward DNS Lookup of common host names using the host command and a Bash script.
>> echo www > list.txt > echo ftp >> list.txt > echo mail >> list.txt > echo owa >> list.txt > echo proxy >> list.txt > echo router >> list.txt > echo api >> list.txt > for ip in $(cat list.txt);do host $ip.megacorpone.com;done
Reverse Lookup Brute Force
If the DNS administrator of megacorpone.com configured PTR records for the domain, we might find out some more domain names that were missed during the forward lookup brute-force phase.
>> for ip in $(seq 155 190);do host 50.7.67.$ip;done | grep -v "not found" # grep -v :: --invert-match
DNS Zone Transfers
- A zone transfer is similar to a database replication act between related DNS servers.
- This process includes the copying of the zone file from a master DNS server to a slave server.
- The zone file contains a list of all the DNS names configured for that zone. Zone transfers should usually be limited to authorized slave DNS servers.
>> host -l megacorpone.com ns1.megacorpone.com # ns1 refused us our zone transfer request # -l :: list all hosts in a domain > host -l megacorpone.com ns2.megacorpone.com # The result is a full dump of the zone file for the megacorpone.com domain, # providing us a convenient list of IPs and DNS names for the megacorpone.com domain.
>> host -t axfr zonetransfer.me nsztm1.digi.ninja.
>> dig axfr nsztm1.digi.ninja zonetransfer.me
Now Lets automate the process:
To get the name servers for a given domain in a clean format, we can issue the following command.
>> host -t ns megacorpone.com | cut -d " " -f 4 # -d :: --delimiter=DELIM ; # -f :: --fields=LIST select only these fields on each line;
Taking this a step further, we could write the following simple Bash script to automate the procedure of discovering and attempting a zone transfer on each DNS server found.
># /bin/bash # Simple Zone Transfer Bash Script # $1 is the first argument given after the bash script # Check if argument was given, if not, print usage if [-z "$1" ]; then echo "[-] Simple Zone transfer script" echo "[-] Usage : $0 <domain name> " exit 0 fi # if argument was given, identify the DNS servers for the domain for server in $(host -t ns $1 | cut -d" " -f4);do # For each of these servers, attempt a zone transfer host -l $1 $server | grep "has address" done
Running this script on megacorpone.com should automatically identify both name servers and attempt a zone transfer on each of them
>> chmod 755 dns--axfr.sh > ./dns--axfr.sh megacorpone.com
Relevant Tools in Kali Linux
>> dnsrecon -d megacorpone.com -t axfr # -d :: domain # -t :: type of Enumeration to perform # axfr :: test all ns servers for zone transfer
>> dnsenum zonetransfer.me
NOTE the one included in the latest version of kali may not work, so try to install the new version from fierce
>> pip3 install fierce > fierce --domain zonetransfer.me
- NMAP DNS Hostnames Lookup
>nmap -F --dns-server
- Host Lookup
>host -t ns [megacorpone.com](http://megacorpone.com/)
- Reverse Lookup Brute Force - find domains in the same range
>for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
- Perform DNS IP Lookup
>dig a [domain-name-here.com](http://domain-name-here.com/) @nameserver
- Perform MX Record Lookup
>dig mx [domain-name-here.com](http://domain-name-here.com/) @nameserver
- Perform Zone Transfer with DIG
>dig axfr [domain-name-here.com](http://domain-name-here.com/) @nameserver
DNS Zone Transfers
- Windows DNS zone transfer
>nslookup -> set type=any -> ls -d [blah.com ](http://blah.com/)
- Linux DNS zone transfer
>dig axfr [blah.com](http://blah.com/) @[ns1.blah.com](http://ns1.blah.com/)
- Dnsrecon DNS Brute Force
>dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
- Dnsrecon DNS List of megacorp
>dnsrecon -d [megacorpone.com](http://megacorpone.com/) -t axfr