OSCP

DNS

gobuster

gobuster dns brute forces subdomains by resolving every candidate name from a wordlist (DNS mode does not actually need root, so the sudo is optional):

sudo gobuster dns -d spaghetti.lan -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

For an internal domain such as the one above, point gobuster at the target's own resolver with -r <ip> and add -i to print the resolved addresses next to the names; if the domain has a wildcard record gobuster stops and tells you so, since every name would otherwise "exist".

subbrute.py

https://github.com/TheRook/subbrute

The basic command is:

./subbrute.py -p cnn.com

DIG

Dig, short for Domain Information Groper, is another tool to query DNS servers. Type dig -h to retrieve a list of options.

To query a specific record type, use the -t option (just like with host). The following command retrieves the MX (mail exchange) records for the domain:

dig -t mx google.com

Or you can request all records by specifying any as the type. Be aware that many authoritative servers now answer ANY with a minimal or refused response, so an empty ANY answer does not mean the zone holds no other records; query the types you care about individually:

dig -t any google.com

We can also test for zone transfers with dig. First list the authoritative name servers with dig -t ns <domain>, then ask each of them for a full transfer (AXFR) of the zone. A misconfigured server hands over every record in the zone; a correctly configured one answers "Transfer failed.":

dig axfr @nsztm1.digi.ninja zonetransfer.me
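
As an added example (not from the original page), here is a small Python parser for the output of dig axfr: it groups the transferred records by type, detects a refused transfer (dig prints "; Transfer failed."), and extracts the hostnames and addresses that feed the next enumeration step (nmap, a brute forcer, a CNAME takeover check). SAMPLE_AXFR and REFUSED_AXFR are constructed dumps for the made-up domain target.test using documentation address ranges, not real captures.

```python
"""Turn a `dig axfr @<ns> <domain>` dump into hostnames and addresses.

Added example, not part of the original page. dig prints each transferred
record as  <name> <ttl> <class> <type> <rdata>, one per line, and prefixes
comments and statistics with ';'. A refused or broken transfer produces no
records and a '; Transfer failed.' line.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]  # (owner name without trailing dot, rdata text)

# Constructed dump for target.test (documentation address ranges, not real data).
# dig prints the SOA twice: it opens and closes a successful transfer.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr @ns1.target.test target.test
;; global options: +cmd
target.test.            7200    IN      SOA     ns1.target.test. hostmaster.target.test. 2024010101 7200 900 1209600 3600
target.test.            300     IN      A       192.0.2.5
target.test.            7200    IN      NS      ns1.target.test.
target.test.            7200    IN      MX      10 mail.target.test.
ns1.target.test.        7200    IN      A       192.0.2.53
mail.target.test.       7200    IN      A       192.0.2.25
mail.target.test.       7200    IN      AAAA    2001:db8::25
vpn.target.test.        7200    IN      A       198.51.100.40
intranet.target.test.   7200    IN      CNAME   vpn.target.test.
target.test.            7200    IN      TXT     "v=spf1 mx -all"
target.test.            7200    IN      SOA     ns1.target.test. hostmaster.target.test. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
"""

# Constructed output of the same query against a server that refuses AXFR.
REFUSED_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr @ns2.target.test target.test
; Transfer failed.
"""


def parse_axfr(dump: str) -> Dict[str, List[Record]]:
    """Group the records in a dig axfr dump by type, skipping comment lines."""
    records: Dict[str, List[Record]] = defaultdict(list)
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)           # rdata may contain spaces (SOA, MX, TXT)
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = fields
        records[rtype].append((name.rstrip(".").lower(), rdata.strip()))
    return dict(records)


def transfer_succeeded(dump: str) -> bool:
    """True only if dig did not report a failure and at least one record came back."""
    return "Transfer failed." not in dump and bool(parse_axfr(dump))


def hostnames(records: Dict[str, List[Record]]) -> Set[str]:
    """Every owner name plus the targets of NS, CNAME and MX records."""
    names: Set[str] = set()
    for rtype, recs in records.items():
        for owner, rdata in recs:
            names.add(owner)
            if rtype in ("CNAME", "NS"):
                names.add(rdata.rstrip(".").lower())
            elif rtype == "MX":                 # rdata is "<priority> <host>."
                names.add(rdata.split()[-1].rstrip(".").lower())
    return names


def addresses(records: Dict[str, List[Record]]) -> Set[str]:
    """IPv4 and IPv6 addresses from A and AAAA records, ready for a port scan."""
    return {rdata for rtype in ("A", "AAAA") for _owner, rdata in records.get(rtype, [])}


if __name__ == "__main__":
    for dump in (SAMPLE_AXFR, REFUSED_AXFR):
        if not transfer_succeeded(dump):
            print("transfer refused or empty")
            continue
        recs = parse_axfr(dump)
        print("hosts:", sorted(hostnames(recs)))
        print("addresses:", sorted(addresses(recs)))
```

Feed it the real thing with `dig axfr @ns target.example > zone.txt` and `parse_axfr(open("zone.txt").read())`; repeat for every server listed by dig -t ns, because it is common for only one secondary to be misconfigured.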

Fierce

Fierce is a reconnaissance tool written in Perl to locate non-contiguous IP space and hostnames using DNS. This tool helps to locate likely targets both inside and outside corporate networks. Type fierce -h for a list of options and usage instructions. Let's run Fierce on the google.com domain with the following command:

fierce -dns google.com

By default, Fierce uses its own wordlist, but you can also use your own wordlist by specifying it in the wordlist option as follows:

fierce -dns google.com --wordlist [path to wordlist]

The -dns syntax belongs to the original Perl version; the Python rewrite shipped in current Kali releases takes --domain google.com instead and --subdomain-file for a custom wordlist.

DNSenum

DNSenum is a Perl script that can be used to enumerate the DNS information of a domain and to discover non-contiguous IP blocks. This tool will also attempt zone transfers on all the related domain name servers. Use the following command to run DNSenum against a specific target:

dnsenum [domainname]

DNSrecon

DNSrecon is another automated tool that can be used to query DNS records, check for zone transfers and gather other DNS-related information. Its output is more or less the same as that of the other automated DNS reconnaissance tools covered here. The command name is lowercase; add -t axfr to limit the run to the zone-transfer test:

dnsrecon -d google.com

Note: ZoneTransfer.me (zonetransfer.me) is a great project to educate people about the implications of zone transfers; its name servers deliberately allow AXFR, which is why the dig axfr example above uses it. More information about zone transfers and the project is available here: https://digi.ninja/projects/zonetransferme.php

WildCard DNS

So, what exactly is the purpose of checking for a wildcard DNS record? Many DNS and subdomain enumeration tools use wordlists to test for common subdomains, like in the last step of the Fierce scan. When Fierce runs, it first makes a request for a subdomain that is very unlikely to exist (98081238656.google.com, for example) before brute forcing common names. If the request for that name doesn't match any of the explicitly defined records, it will finally match against the wildcard DNS record and return the default IP associated with the wildcard. When that happens every candidate in the wordlist would appear to exist, so the tool records the wildcard answer and discards any brute-forced name that resolves only to that address.
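
The wildcard check described above, as an added Python example that is not part of the original page: resolve a few random labels under the domain, remember what they resolve to, and drop every brute-forced name whose answers are covered by that set. The lookup function is injected, so the block runs offline against a constructed fake zone (example.test with documentation addresses); real_lookup shows the same interface backed by dnspython, which is only assumed to be installed if you call it.

```python
"""Wildcard-aware DNS subdomain brute force.

Added example (not from the original page). It performs the check that
Fierce, gobuster and similar tools do before brute forcing: resolve labels
that cannot exist, remember whatever they resolve to, then discard every
candidate whose answers are nothing but the wildcard answers.
"""
import random
import string
from typing import Callable, Dict, List, Set

Lookup = Callable[[str], List[str]]   # name -> A records, [] when the name does not exist

# Constructed sample zone (not real data): *.example.test is a wildcard that
# points at a parking host, while two real hosts have their own addresses.
FAKE_ZONE: Dict[str, List[str]] = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "*.example.test": ["192.0.2.99"],        # the wildcard record
}


def fake_lookup(name: str) -> List[str]:
    """Resolve against FAKE_ZONE, honouring a single-label wildcard like a real server."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parent = name.split(".", 1)[1]
    return FAKE_ZONE.get("*." + parent, [])


def random_label(length: int = 12) -> str:
    """A label that has no realistic chance of being a defined record."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def detect_wildcard(domain: str, lookup: Lookup, probes: int = 3) -> Set[str]:
    """Return the address set a non-existent name resolves to; empty means no wildcard.

    Several random labels are probed because some wildcard setups rotate or
    round-robin addresses; the union of the answers is what gets filtered out.
    """
    addrs: Set[str] = set()
    for _ in range(probes):
        addrs.update(lookup(f"{random_label()}.{domain}"))
    return addrs


def brute_force(domain: str, words: List[str], lookup: Lookup) -> Dict[str, List[str]]:
    """Resolve each wordlist entry and keep only names that are not wildcard noise."""
    wildcard = detect_wildcard(domain, lookup)
    found: Dict[str, List[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        addrs = lookup(name)
        if not addrs:
            continue
        # A name whose answers are entirely covered by the wildcard answers is
        # indistinguishable from a non-existent one, so it is dropped. Known
        # blind spot: a real host that deliberately shares the wildcard address
        # is dropped too; check CNAME/MX/TXT for such names separately.
        if wildcard and set(addrs) <= wildcard:
            continue
        found[name] = addrs
    return found


def real_lookup(name: str) -> List[str]:
    """Same interface backed by dnspython (assumed installed only when this is called)."""
    import dns.resolver                        # third-party; imported lazily on purpose
    try:
        return [r.address for r in dns.resolver.resolve(name, "A")]
    except Exception:                          # NXDOMAIN, NoAnswer, timeout: treat as absent
        return []


if __name__ == "__main__":
    words = ["www", "mail", "ftp", "dev", "vpn"]
    print("wildcard answers:", detect_wildcard("example.test", fake_lookup))
    for host, addrs in brute_force("example.test", words, fake_lookup).items():
        print(host, ", ".join(addrs))
```

Against a live target, swap fake_lookup for real_lookup (or a lookup bound to the target's internal resolver); the filtering logic is unchanged.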