// work in progress:
Information gathering using publicly available DNS information
DNS Enumeration
DNS record types

A      Host A record (IPv4)
AAAA   Host AAAA record (IPv6)
MX     Mailserver record
NS     Nameserver record
CNAME  Alias record
PTR    Pointer record
SOA    Start of Authority record
Scanning DNS records with the 'host' command:

    host -t mx vmoshpit.com

Check for DNS zone transfer against hosts with NS records (host -l takes the zone first and the nameserver to query second):

    host -l vmoshpit.com ns.vmoshpit.com

Nmap reverse DNS and traceroute scan:

    nmap -Pn -T4 --traceroute www.vmoshpit.com

Checking the domain owner with whois:

    whois microsoft.com

Whois against IP addresses:

    whois 104.40.211.35
Example enumeration of the domain megacorpone.com

1) Get the DNS servers:

    # host -t ns megacorpone.com
    megacorpone.com name server ns1.megacorpone.com.
    megacorpone.com name server ns3.megacorpone.com.
    megacorpone.com name server ns2.megacorpone.com.

2) Create a list of possible subdomain names:

    # cat subdomain.list
    www
    www2
    ftp
    sftp
    pubs
    root
    admin
    mail
    owa
    mx
    ns
    router
    proxy
    cisco
    dns
    sql
    mysql

3) Brute-force subdomain names:

    # for name in $(cat subdomain.list); do host $name.megacorpone.com; done

4) Brute-force reverse lookups (seq limits the IP range):

    # for ip in $(seq 76 91); do host 38.100.193.$ip; done | grep megacorp

5) Brute-force zone transfer with a bash script (zonetransfer.sh):

    #!/bin/bash
    # Ask every nameserver of the domain given as $1 for a zone transfer (AXFR)
    # and keep only the lines that carry an address.
    for server in $(host -t ns $1 | cut -d" " -f4); do
        host -l $1 $server | grep 'has address'
    done

Testing the script:

    # ./zonetransfer.sh megacorpone.com
    admin.megacorpone.com has address 38.100.193.83
    beta.megacorpone.com has address 38.100.193.69
    fs1.megacorpone.com has address 38.100.193.82
    intranet.megacorpone.com has address 38.100.193.81
    mail.megacorpone.com has address 38.100.193.84
    mail2.megacorpone.com has address 38.100.193.73
    ns1.megacorpone.com has address 38.100.193.70
    ns2.megacorpone.com has address 38.100.193.80
    ns3.megacorpone.com has address 38.100.193.90
    router.megacorpone.com has address 38.100.193.91
    siem.megacorpone.com has address 38.100.193.89
    snmp.megacorpone.com has address 38.100.193.85
    support.megacorpone.com has address 173.246.47.170
    syslog.megacorpone.com has address 38.100.193.66
    test.megacorpone.com has address 38.100.193.67
    vpn.megacorpone.com has address 38.100.193.77
    www.megacorpone.com has address 38.100.193.76
    www2.megacorpone.com has address 38.100.193.79
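Both the brute-force loop in step 3 and the zone transfer script in step 5 print "name has address IP" lines, and a zone transfer result is only useful once you look at what is in it. The script below is an added example, not part of the original notes: it parses such lines into name,ip pairs (dropping NXDOMAIN and other non-address lines) and reports every host whose address lies outside the netblock you expect the domain to live in. In the run above, support.megacorpone.com resolves to 173.246.47.170 while everything else sits in 38.100.193.0/24, which is exactly the stray record an administrator reviewing their own zone's exposure wants flagged. The sample lines are constructed from the output above, and the function names and the 38.100.193.0/24 netblock are assumptions made for this example.

```sh
#!/bin/sh
# Added example: parse "name has address ip" lines (as printed by 'host')
# and flag hosts outside an expected IPv4 netblock. Function names and the
# sample data below are assumptions for this example, not part of the notes.

# Constructed sample in the format 'host -l' and 'host name' print.
# The NXDOMAIN line mimics what the step-3 loop prints for a name that
# does not exist; the parser must ignore it.
SAMPLE_OUTPUT='admin.megacorpone.com has address 38.100.193.83
Host www3.megacorpone.com not found: 3(NXDOMAIN)
support.megacorpone.com has address 173.246.47.170
www.megacorpone.com has address 38.100.193.76
mail.megacorpone.com has address 38.100.193.84'

# zone_to_csv: stdin "name has address ip" -> stdout "name,ip".
# Any other line (errors, NS/MX records) is dropped.
zone_to_csv() {
    awk '$2 == "has" && $3 == "address" { print $1 "," $4 }'
}

# in_cidr IP CIDR: succeed when the IPv4 address lies inside CIDR.
# POSIX awk has no bitwise operators, so both addresses are converted to
# integers and integer-divided by the block size 2^(32-prefix); equal
# quotients mean equal network bits.
in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
    function to_int(a,  o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, c, "/")
        block = 2 ^ (32 - c[2])
        r = (int(to_int(ip) / block) == int(to_int(c[1]) / block)) ? 0 : 1
        exit r
    }'
}

# outside_cidr CIDR: stdin "name,ip" -> stdout the names not inside CIDR.
outside_cidr() {
    while IFS=, read -r name ip; do
        in_cidr "$ip" "$1" || printf '%s\n' "$name"
    done
}

# Stand-alone run: list the stray hosts in the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | zone_to_csv | outside_cidr 38.100.193.0/24
```

To use it on a real run, pipe the output of zonetransfer.sh (or the step-3 loop) into zone_to_csv and then into outside_cidr with your own netblock; anything it prints is either a host you forgot about or a record pointing at infrastructure you do not control.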
6) Alternative: use dnsrecon:

    # dnsrecon -d megacorpone.com -t axfr

7) Alternative: use dnsenum:

    # dnsenum megacorpone.com