DNS

  • host

    • host <domain>

    • host -t mx <domain>

    • host -t txt <domain>

  • host to find subdomains

    • create a text file of candidate subdomain names, one per line (list.txt below)

    • run one of these loops in bash (the first does forward lookups of the candidate names, the second does reverse lookups across an IP range)

      • for sub in $(cat list.txt); do host "$sub.domain.com"; done

      • for ip in $(seq 64 79); do host 167.114.21.$ip; done | grep -Ev "not found|timed out"

  • viewing dns records

    • dig soa www.inlanefreight.com

  • zone files

    • cat /etc/bind/db.domain.com

  • Reverse Name Resolution Zone Files

    • cat /etc/bind/db.10.129.14

  • Dangerous Settings

    • allow-query

    • allow-recursion

    • allow-transfer

    • zone-statistics

  • Footprinting the Service

  • DIG - NS Query

    • dig ns inlanefreight.htb @10.129.14.128
  • DIG - Version Query

    • dig CH TXT version.bind @10.129.120.85

  • DIG - ANY Query (view all available records)

    • dig any inlanefreight.htb @10.129.14.128

  • DIG - AXFR Zone Transfer

    • dig axfr inlanefreight.htb @10.129.14.128

  • DIG - AXFR Zone Transfer - Internal

    • dig axfr internal.inlanefreight.htb @10.129.14.128
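
What the "Dangerous Settings" list and the version/AXFR queries above look like on the server side, as an added example (a constructed BIND named.conf fragment, not from the original notes): the permissive block leaves each setting open, the restricted block is the same server locked down. The ACL names, the 10.129.14.0/24 client range and the secondary address 10.129.14.129 are assumptions.

```conf
// Constructed BIND named.conf fragment (added example, not from the page).
// ACL names, the 10.129.14.0/24 range and the secondary 10.129.14.129 are assumed.

// --- Permissive: every "dangerous setting" left wide open ---
options {
    allow-query     { any; };   // acceptable for an authoritative server
    allow-recursion { any; };   // open resolver: abusable for amplification
    // "version" unset, so dig CH TXT version.bind returns the real build string
};
zone "domain.com" {
    type master;
    file "/etc/bind/db.domain.com";
    allow-transfer  { any; };   // any host can pull the whole zone with AXFR
    zone-statistics full;       // per-zone counters exposed on the stats channel
};

// --- Restricted: same server with the exposure removed ---
acl "internal"    { 127.0.0.1; 10.129.14.0/24; };
acl "secondaries" { 10.129.14.129; };

options {
    allow-query     { any; };          // public records stay answerable
    recursion yes;
    allow-recursion { "internal"; };   // recursion only for our own clients
    version "not disclosed";           // version.bind no longer leaks the build
    allow-transfer  { none; };         // default for zones that do not override it
};
zone "domain.com" {
    type master;
    file "/etc/bind/db.domain.com";
    allow-transfer  { "secondaries"; };  // AXFR only to the listed secondary
    also-notify     { 10.129.14.129; };
    zone-statistics terse;
};
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };  // stats stay on localhost
};
```

Validate with named-checkconf before reloading, then confirm from a host outside the ACLs that the dig axfr and version.bind queries above are refused.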

Subdomain Brute Forcing

CT Logs

Certificate Transparency (CT) logs can be searched using crt.sh and Censys

crt.sh lookup

dnsrecon

dnsrecon -d megacorpone.com -t std

dnsrecon -d megacorpone.com -D ~/list.txt -t brt

DNS enum

dnsenum megacorpone.com
