1 minute read

Add host

gedit /etc/hosts

Whois

whois google.com

Domain scan

host google.com

Nmap

nmap -sC -sV -p53 10.10.10.3

nmap -p 80 --script dns-brute.nse domain.com
# Find DNS (A) records by trying a list of common sub-domains from a wordlist.

nmap 10.10.10.3 --script=dns-zone-transfer -p 53
# Zone transfer script

DIG - AXFR Zone Transfer

DNS zone transfer, also known as DNS query type AXFR, is a process by which a DNS server passes a copy of part of its database to another DNS server. The portion of the database that is replicated is known as a zone.

dig axfr @10.129.14.128 # Try zone transfer without domain 

dig axfr inlanefreight.htb @10.129.14.128 # Try zone transfer guessing the domain

Subdomain Enumeration

subfinder -d inlanefreight.com -v

Subbrute

git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
cd subbrute
echo "ns1.inlanefreight.com" > ./resolvers.txt
./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

Automated Scanners

Fierce

fierce --domain google.com

Dnsenum

dnsenum $ip

dnsenum google.com -f /usr/share/dnsenum/dns.txt
# Brute forcing subdomains

DnsRecon

dnsrecon -d $ip

dnsrecon -d $ip -t axfr
# Perform zone transfer

dnsrecon -d $ip -D /usr/share/dnsrecon/subdomains-top1mil-20000.txt -t brt
# Perform host and subdomain brute force

Sub-Domain Enumeration

Ffuf

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" -u http://horizontall.htb

Sublist3r

sublist3r -d <domain>
# To scan with public data

sublist3r -d <domain> -b -t 100
# To bruteforce the subdomains
# this will use following wordlist:
    /usr/share/sublist3r/subbrute/names.txt

DNS Options

DNS Record Description
A Returns an IPv4 address of the requested domain as a result.
AAAA Returns an IPv6 address of the requested domain.
MX Returns the responsible mail servers as a result.
NS Returns the DNS servers (nameservers) of the domain.
TXT This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam.
CNAME This record serves as an alias for another domain name. If you want the domain www.hackthebox.eu to point to the same IP as hackthebox.eu, you would create an A record for hackthebox.eu and a CNAME record for www.hackthebox.eu.
PTR The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.
SOA Provides information about the corresponding DNS zone and email address of the administrative contact.

You May Also Enjoy

Linux

less than 1 minute read