DNS

DNS Record Format:

  • rr: the resource record's FQDN and the zone it resides in

  • ttl: time to live, set by the SOA

  • rc: record class: internet, hesiod, or chaos

  • soa: start of authority; marks the beginning of the zone and carries values such as the zone's serial number.

  • ns: the zone's authoritative name server(s)

  • a: host name -> IP mapping (forward zones: DNS records that have an A record) //nslookup <domain.tld> //dig <domain.tld>

  • ptr: IP -> host name mapping (reverse zone) //nslookup -type=PTR //dig PTR

  • cname: alias host name -> A-record host name mapping

  • mx: host that will accept email for the domain //nslookup -type=MX //dig MX

Tools

  • Linux: dig

  • Win: nslookup

  • Automated:

    • fierce

    • foca

    • maltego

    • hostmap

    • dmitry

DNS Discovery

nmap -sU -p53 <cidr> //udp
nmap -sS -p53 <cidr> //tcp, may allow Zone Transfers

Note dump:

Get hostname:
  #host 8.8.8.8                      //'A' host record

Get IP:
  #host www.megacorpone.com          //'A' host record
  //Use -t to specify the type of record to look for.
  MX:  #host -t mx megacorpone.com
  TXT: #host -t txt megacorpone.com

Get domain info:
  (A record)              #nslookup sub.site.com
  (mail exchange record)  #nslookup -query=mx sub.site.com
  (name servers)          #nslookup -query=ns sub.site.com
  (all)                   #nslookup -query=any sub.site.com

Subdomain brute force from list:
  #dnsmap site.com        (forward lookup?)

BRUTEFORCE:
  //Script looks for all associated subdomains of a given domain and prints each one's IP. Also known as a forward DNS lookup.
  //Uses a list of common subdomains from 'subdomainList.txt'
  #!/bin/bash
  # one candidate subdomain per line in subdomainList.txt
  while read -r name; do
    host "$name.ligit.com" | grep "has address" | cut -d" " -f1,4
  done < subdomainList.txt
  //we can use the IPs this returns and probe the unlisted IPs that sit in between our listed ones.

Href search:
  #wget www.cisco.com
  #grep "href=" index.html | cut -d'/' -f3 | grep "\." | cut -d '"' -f1 | sort -u
  //Better
  #grep -o 'https://[^"]*' index.html | cut -d"/" -f3 | sort -u > list.txt
  //Get all IPs for the links
  //Oneliner
  #for url in $(cat list.txt); do host "$url"; done | grep "has address" | cut -d" " -f4 | sort -u
  //As a program
  #!/bin/bash
  # one host name per line in cisco.txt
  while read -r url; do
    host "$url" | grep "has address" | cut -d" " -f4
  done < cisco.txt
  //then give execute rights
  #chmod 755 cisco.sh
  //and run
  #./cisco.sh

Reverse lookup:
  //It can be useful to do a forward lookup first; once you have an IP range, probe the unknown IPs to get the domain names for them.
  //the sequence below needs to be changed according to your lookup.
  //seq, ip, grep all will change
  #!/bin/bash
  for ip in $(seq 72 91); do
    host 38.100.193.$ip | grep "megacorp" | cut -d" " -f1,5
  done
  OR
  #!/bin/bash
  for ip in $(seq 72 91); do
    host 38.100.193.$ip | grep -v "not found"
  done
  //make sure to chmod 755 the script

Zone transfers:
  //grab the DNS list from a name server to get a map of all devices
  //a good start is to get all name servers of an organization
  #host -t ns corp.com
  //ZONE TRANSFER
  #host -l <domain> <dns server>
  ex. #host -l corp.com ns1.corp.com.    //last period is not a mistake
  //SCRIPT to grab NS
  #!/bin/bash
  for server in $(host -t ns corp.com | cut -d" " -f4); do
    host -l corp.com "$server"
  done
  //prints to buffer
  OR
  //SCRIPT WITH ARGUMENT FOR DOMAIN. Will search the domain for name servers, then try zone transfers on those name servers. Make sure to chmod 755 the script.
  #usage: ./script <domain>
  #!/bin/bash
  # first check that an argument was passed
  if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain name>"
    exit 0
  fi
  # if an argument was given, identify the DNS servers for the domain
  for server in $(host -t ns "$1" | cut -d" " -f4); do
    # for each of these servers, attempt a zone transfer
    host -l "$1" "$server" | grep "has address"
  done

NMAP NSE:
  #nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
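The record types listed under DNS Record Format, and the forward/reverse lookup and zone transfer checks in the note dump above, worked through in one added example (this is not code from the original notes). The point from the defender's side: the map that a zone transfer hands out is the same data you can audit yourself before anyone else does. The script parses a simplified RFC 1035 master-file zone (SOA, NS, A, PTR, CNAME, MX), then cross-checks the forward zone against its reverse zone for dangling CNAMEs, MX targets with no address record, and A records with no matching PTR. The zone text, the domain corp.example and the 10.0.0.0/24 range are constructed placeholders; parse_zone, resolve_cname, reverse_name and audit are names chosen for this example.

```python
"""Zone-file parser and forward/reverse consistency audit (added example)."""
from collections import defaultdict

# Constructed sample forward zone (master-file syntax, one record per line).
FORWARD_ZONE = """\
$ORIGIN corp.example.
@        3600 IN SOA   ns1.corp.example. hostmaster.corp.example. 2024010101 7200 900 1209600 300
@        3600 IN NS    ns1.corp.example.
@        3600 IN NS    ns2.corp.example.
@        3600 IN MX    10 mail.corp.example.
@        3600 IN MX    20 backup-mail.corp.example.
ns1      3600 IN A     10.0.0.2
ns2      3600 IN A     10.0.0.3
www      3600 IN A     10.0.0.10
mail     3600 IN A     10.0.0.25
intranet  300 IN CNAME www.corp.example.
old-app   300 IN CNAME retired.corp.example.
"""

# Constructed sample reverse zone; note that 10.0.0.25 (mail) has no PTR.
REVERSE_ZONE = """\
$ORIGIN 0.0.10.in-addr.arpa.
@        3600 IN SOA   ns1.corp.example. hostmaster.corp.example. 2024010101 7200 900 1209600 300
@        3600 IN NS    ns1.corp.example.
2        3600 IN PTR   ns1.corp.example.
3        3600 IN PTR   ns2.corp.example.
10       3600 IN PTR   www.corp.example.
"""


def parse_zone(text):
    """Return a list of (owner, ttl, rclass, rtype, rdata) tuples.

    Owner names are fully qualified using $ORIGIN; '@' stands for the origin.
    Only the record types discussed in the notes are expected; rdata is kept as text.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.lower(), int(ttl), rclass, rtype, rdata.strip()))
    return records


def reverse_name(ip):
    """PTR owner name for an IPv4 address: 10.0.0.10 -> 10.0.0.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def resolve_cname(name, cnames, addresses):
    """Follow a CNAME chain to a name that has an A record; None if dangling or looping."""
    seen = set()
    while name in cnames and name not in addresses:
        if name in seen:                           # CNAME loop
            return None
        seen.add(name)
        name = cnames[name]
    return name if name in addresses else None


def audit(forward_text, reverse_text):
    """Cross-check a forward zone against its reverse zone; return a dict of findings."""
    addresses = defaultdict(list)                  # fqdn -> [ip, ...]
    cnames = {}                                    # alias -> target
    mx_targets = []
    for owner, _ttl, _cls, rtype, rdata in parse_zone(forward_text):
        if rtype == "A":
            addresses[owner].append(rdata)
        elif rtype == "CNAME":
            cnames[owner] = rdata.lower()
        elif rtype == "MX":
            mx_targets.append(rdata.split()[1].lower())   # "10 mail.corp.example."
    ptrs = {owner: rdata.lower()
            for owner, _t, _c, rtype, rdata in parse_zone(reverse_text) if rtype == "PTR"}

    return {
        # alias whose chain never reaches an A record (takeover / stale-entry candidate)
        "dangling_cname": sorted(a for a in cnames
                                 if resolve_cname(a, cnames, addresses) is None),
        # mail exchanger names that resolve to nothing in this zone
        "mx_without_address": sorted(t for t in mx_targets
                                     if t not in addresses
                                     and resolve_cname(t, cnames, addresses) is None),
        # forward records whose IP has no PTR pointing back at the same name
        "a_without_ptr": sorted(f"{n} {ip}" for n, ips in addresses.items() for ip in ips
                                if ptrs.get(reverse_name(ip)) != n),
    }


if __name__ == "__main__":
    for kind, items in audit(FORWARD_ZONE, REVERSE_ZONE).items():
        print(f"{kind}: {items}")
```

Run it against your own zone files (or the output of an authorised zone transfer of a zone you administer) and each finding is a record to fix: a dangling CNAME is the classic stale entry, an MX with no address silently drops mail, and an A record without a PTR is what the reverse-lookup sweep in the notes above would miss.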
