DNS Lookups

During this portion of the attack, mind-mapping/network-diagramming software is your friend.

Info

DNS info:

dig sub.site.com

dnsenum <domain>

Find Hostnames:

dnsrecon -d bank.htb -D /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt -t brt

Brute force recon (find IP spaces, hostnames, subdomains, zone transfers, etc.):

#fierce -dns some.site

#fierce -dns some.site -dnsserver ns1.some.site

Forward Lookup

nslookup ns.domain.com

Reverse Lookup

This one is a bit more interesting because of how servers are configured. With cloud hosting providers and small to medium businesses it is very common, and expected, that multiple domains and services are hosted on a single IP. Because of this, once we get an IP we should check what else is hosted on it and who owns it before testing it. This helps with discovery and also with staying in scope. (ex: dnslytics)
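The scope check described above, as an added example that is not part of the original notes: it takes forward-lookup results (hostname to IP) and reverse/passive-DNS results (IP to names), groups every name seen on each IP, and flags IPs that also host names outside the engagement's domains so they can be confirmed with the client before anything is touched. All hostnames and addresses below are constructed for illustration (bank.htb is used as the in-scope domain since it appears in the notes); the optional live_lookup helper uses the standard-library resolver and is only for running against real records.

```python
"""
Scope check for reverse lookups: given forward and reverse resolution
results for a set of hostnames, flag IPs that also host names outside
the engagement scope (shared hosting) so they get confirmed first.
"""
import ipaddress
import socket

# Constructed sample data standing in for what dig/nslookup/dnslytics
# would return.  Every name and address here is made up.
FORWARD = {                      # hostname -> IP (forward lookups)
    "www.bank.htb": "10.10.10.29",
    "mail.bank.htb": "10.10.10.29",
    "shop.otherco.example": "10.10.10.29",   # someone else on the same IP
    "vpn.bank.htb": "10.10.10.30",
}
REVERSE = {                      # IP -> names seen (PTR / passive DNS)
    "10.10.10.29": ["www.bank.htb.", "shop.otherco.example."],
    "10.10.10.30": ["vpn.bank.htb."],
}


def normalize(name: str) -> str:
    """Strip the trailing dot dig prints on FQDNs and lower-case the name."""
    return name.rstrip(".").lower()


def in_scope(name: str, scope: set) -> bool:
    """True if name equals an in-scope domain or is a subdomain of one.
    The leading dot in the suffix check keeps notbank.htb out of bank.htb."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in map(normalize, scope))


def classify_ips(forward: dict, reverse: dict, scope: set) -> dict:
    """Return {ip: {"in_scope": [...], "out_of_scope": [...], "shared": bool}}.
    An IP is 'shared' when any name resolving to it is outside scope."""
    hosted = {}
    for host, ip in forward.items():
        hosted.setdefault(ip, set()).add(normalize(host))
    for ip, names in reverse.items():
        hosted.setdefault(ip, set()).update(map(normalize, names))

    report = {}
    for ip, names in hosted.items():
        ipaddress.ip_address(ip)        # reject malformed entries early
        ins = sorted(n for n in names if in_scope(n, scope))
        outs = sorted(n for n in names if not in_scope(n, scope))
        report[ip] = {"in_scope": ins, "out_of_scope": outs, "shared": bool(outs)}
    return report


def safe_targets(report: dict) -> list:
    """IPs that host in-scope names and nothing else."""
    return sorted(ip for ip, r in report.items()
                  if r["in_scope"] and not r["shared"])


def live_lookup(hostname: str):
    """Optional: forward + reverse lookup through the system resolver
    (needs network; not used by the sample run below)."""
    ip = socket.gethostbyname(hostname)
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        ptr = None                      # no PTR record is common on shared hosting
    return ip, ptr


if __name__ == "__main__":
    rep = classify_ips(FORWARD, REVERSE, {"bank.htb"})
    for ip, r in rep.items():
        flag = "SHARED - confirm with client" if r["shared"] else "ok"
        print(ip, flag, r)
    print("IPs that only host in-scope names:", safe_targets(rep))
```

With the sample data, 10.10.10.29 is reported as shared because shop.otherco.example also lives there, while 10.10.10.30 is the only address that hosts nothing but bank.htb names. Feeding the output of the dig/nslookup commands above into FORWARD and REVERSE gives the same report for a real engagement.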

I once did a pentest with a "leet" hacker who didn't know this and spent 3 days attacking the wrong corporation. Don't be that guy.
