DNS
gobuster
gobuster's dns mode brute forces subdomains from a wordlist. It only sends ordinary DNS queries, so root is not required (the sudo below is unnecessary):
sudo gobuster dns -d spaghetti.lan -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
subbrute.py
https://github.com/TheRook/subbrute
The basic command is:
./subbrute.py -p cnn.com
DIG
Dig, short for Domain Information Groper, is another tool to query DNS servers. Type dig -h to retrieve a list of options.
To query a specific record type you can use the -t option (just like with Host). The following command retrieves the mx (mail exchange) records for the google.com domain:
dig -t mx google.com
Or you can request all records by specifying 'any' as the type. Note that many resolvers and authoritative servers deliberately answer ANY with a minimal or refused response (RFC 8482), so an empty ANY result does not mean the zone has no other records; query the types you care about individually if it comes back short:
dig -t any google.com
We can also test for zone transfers (AXFR) with Dig. The @ names the server to ask; repeat the query against every authoritative name server of the zone, because one misconfigured secondary is enough to hand out the whole zone:
dig axfr @nsztm1.digi.ninja zonetransfer.me
Note: ZoneTransfer.me is a great project to educate people about the implications of zone transfers. More information about zone transfers and the zonetransfer.me project is available here: https://digi.ninja/projects/zonetransferme.php
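The manual dig axfr check above only asks one server. The script below is an added example, not part of the original notes: it sweeps every authoritative name server of a zone with the same dig command and parses dig's output to decide whether a transfer was allowed and which host names it leaked. It assumes dig is on PATH; the parsing is exercised on constructed dig output (example.test is a reserved name, not a real zone), so that part runs offline.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Record triple: (owner name, RR type, rdata)
Record = Tuple[str, str, str]

# dig prints each resource record as: name  TTL  IN  TYPE  rdata (whitespace separated).
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def authoritative_nameservers(domain: str) -> List[str]:
    """Ask dig for the NS set of the zone (assumes dig is on PATH)."""
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip().rstrip(".") for line in out.splitlines() if line.strip()]


def axfr(domain: str, nameserver: str) -> str:
    """Run the same command as the notes: dig axfr @<ns> <domain>."""
    return subprocess.run(["dig", "axfr", f"@{nameserver}", domain],
                          capture_output=True, text=True, check=False).stdout


def parse_axfr(output: str) -> Tuple[bool, List[Record]]:
    """Classify dig's AXFR output and extract the records it contains.

    A completed transfer is bracketed by the zone's SOA record (it is sent first
    and last), so an SOA in the answer means the server handed out the zone.
    A refusal yields no records and the comment "; Transfer failed.".
    Lines starting with ';' are dig's own comments and are skipped.
    """
    records: List[Record] = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), rtype, rdata.strip()))
    transferred = any(rtype == "SOA" for _, rtype, _ in records) and "Transfer failed" not in output
    return transferred, records


def hosts_from(records: List[Record]) -> List[str]:
    """Unique host names from the address-bearing records: the names a wordlist
    brute force would otherwise have had to guess."""
    return sorted({name for name, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})


def sweep(domain: str) -> Dict[str, Tuple[bool, List[str]]]:
    """Try AXFR against every authoritative server, not only the first one."""
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for ns in authoritative_nameservers(domain):
        ok, records = parse_axfr(axfr(domain, ns))
        results[ns] = (ok, hosts_from(records))
    return results


# Constructed dig output (not captured from a real server), used to exercise the parser.
SAMPLE_OK = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.\t7200\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 1209600 3600
example.test.\t7200\tIN\tNS\tns1.example.test.
www.example.test.\t300\tIN\tA\t192.0.2.10
vpn.example.test.\t300\tIN\tA\t192.0.2.20
mail.example.test.\t300\tIN\tCNAME\twww.example.test.
example.test.\t7200\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 1209600 3600
;; Query time: 12 msec
"""

SAMPLE_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr @ns2.example.test example.test
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # live run: python3 axfr_check.py zonetransfer.me
        for ns, (ok, hosts) in sweep(sys.argv[1]).items():
            print(f"{ns}: {'TRANSFER ALLOWED' if ok else 'refused'} {hosts if ok else ''}")
    else:                          # offline demonstration on the constructed samples
        ok, recs = parse_axfr(SAMPLE_OK)
        print("sample transfer allowed:", ok, hosts_from(recs))
        print("sample refused:", parse_axfr(SAMPLE_REFUSED)[0])
```

Run it with a domain argument to test a live zone (zonetransfer.me is the intended target for practice); without arguments it only parses the constructed samples.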
Fierce
Fierce is a reconnaissance tool, originally written in Perl, that locates non-contiguous IP space and hostnames using DNS. It helps to locate likely targets both inside and outside corporate networks.
Type fierce -h for a list of options and usage instructions. Let's run Fierce on the 'google.com' domain with the following command:
fierce -dns google.com
By default, Fierce uses its own wordlist, but you can also supply your own by passing it with the wordlist option:
fierce -dns google.com --wordlist [path to wordlist]
Note: these are the flags of the original Perl fierce. The Python rewrite (https://github.com/mschwager/fierce), which current distributions ship, takes fierce --domain google.com and --subdomain-file [path to wordlist] instead.
WildCard DNS
Why check for a wildcard DNS record? Many DNS and subdomain enumeration tools use wordlists to test for common subdomains, as in the last step of the Fierce scan. Fierce therefore first requests a subdomain that is very unlikely to exist (98081238656.google.com, for example) before brute forcing common names.
If that request matches none of the explicitly defined records, it finally matches the wildcard record (*.google.com in this example) and returns the default IP associated with it. Once you know that answer, any brute forced name that resolves only to the same address can be discarded as a false positive; without this check, every word in the list appears to exist.
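The wildcard check and the filtering that follows it, as an added example that is not part of the original notes or of Fierce itself. The resolver is a pluggable callable so the logic can be run offline against a constructed zone (spaghetti.lan with a wildcard at 10.0.0.9, both made up here); socket_resolve is the drop-in for live use.

```python
import random
import socket
import string
import sys
from typing import Callable, Dict, List, Set

# A resolver maps a hostname to the set of IPv4 addresses it resolves to
# (empty set for NXDOMAIN).
Resolver = Callable[[str], Set[str]]


def socket_resolve(name: str) -> Set[str]:
    """Real resolver for live use, built on the system stub resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def random_label(length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Return the addresses the wildcard answers with (empty set if there is none).

    Several random labels are queried because a wildcard may be round-robin or
    point at a pool; collecting every answer makes the later filter stricter."""
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        wildcard_ips |= resolve(f"{random_label()}.{domain}")
    return wildcard_ips


def brute_force(domain: str, words: List[str], resolve: Resolver,
                wildcard_ips: Set[str]) -> Dict[str, Set[str]]:
    """Resolve each candidate and keep only real, explicitly defined records."""
    found: Dict[str, Set[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        # An answer consisting solely of wildcard addresses is indistinguishable
        # from a non-existent name, so it is dropped. An answer containing an
        # address the wildcard never returned must come from a real record.
        if ips - wildcard_ips:
            found[name] = ips
    return found


# Constructed zone (not a real network): three explicit records plus a wildcard.
FAKE_ZONE = {
    "www.spaghetti.lan": {"10.0.0.10"},
    "mail.spaghetti.lan": {"10.0.0.20"},
    "intranet.spaghetti.lan": {"10.0.0.9", "10.0.0.30"},
}
WILDCARD_IP = "10.0.0.9"


def fake_resolve(name: str) -> Set[str]:
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith(".spaghetti.lan"):
        return {WILDCARD_IP}        # the wildcard catches everything else
    return set()


def run_example():
    """Offline demonstration: detect the wildcard, then brute force with the filter on."""
    wildcard = detect_wildcard("spaghetti.lan", fake_resolve)
    words = ["www", "mail", "intranet", "dev", "staging", "vpn"]
    return wildcard, brute_force("spaghetti.lan", words, fake_resolve, wildcard)


if __name__ == "__main__":
    if len(sys.argv) == 3:          # live: python3 wildcard.py example.com wordlist.txt
        domain, wordlist = sys.argv[1], sys.argv[2]
        words = [w.strip() for w in open(wordlist) if w.strip()]
        wildcard = detect_wildcard(domain, socket_resolve)
        hits = brute_force(domain, words, socket_resolve, wildcard)
    else:
        wildcard, hits = run_example()
    print("wildcard answers:", sorted(wildcard) or "none")
    for name, ips in sorted(hits.items()):
        print(name, sorted(ips))
```

In the constructed zone, dev, staging and vpn all resolve (to the wildcard address) and would be reported as hits by a naive scan; with the wildcard answer recorded first, only www, mail and intranet survive, and intranet survives because its answer contains an address the wildcard never returned.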
DNSenum
DNSenum is a Perl script that enumerates the DNS information of a domain and discovers non-contiguous IP blocks. It also attempts zone transfers against all of the domain's name servers. Use the following command to run DNSenum against a target:
dnsenum [domainname]
DNSrecon
DNSrecon is another automated tool that queries DNS records, checks for zone transfers and gathers other DNS related information. Its output is more or less the same as that of the other (automated) DNS reconnaissance tools above. The binary name is lowercase:
dnsrecon -d google.com