akde/infosec

Information security is ultimately about managing risk


Manual enumeration

Subdomain enumeration

Put common subdomain names in a word list (e.g. from SecLists) and iterate over them in bash:

$ while read -r sub; do host "$sub.domain.com"; done < list.txt

IP enumeration

Enumerate an IP range with reverse lookups to find hostnames:

$ for ip in $(seq 50 100); do host "38.100.193.$ip"; done | grep -v "not found"

Zone transfer

Perform a DNS zone transfer like this:

host -l megacorpone.com ns1.megacorpone.com

Detect DNS requests (out-of-band resolution callbacks), e.g. via https://app.interactsh.com/


Tools

DNSenum

Performs multiple DNS enumeration strategies. A good start.

dnsenum domain.com

DNSRecon

dnsrecon is an enumeration script.

Zone transfer

dnsrecon -d domain.com -t axfr

VHost search

dnsrecon -d domain.com -D vhost_names.txt -t brt

See also here for VHost enumeration.

dig

Read information about a host (optionally via a specific DNS server):

dig [@$dnsServer] host01 ANY

dig can read its queries from a batch file with -f. This can also be tried to read an arbitrary file:

dig -f /etc/passwd 127.0.0.1

Get all DNS information via a zone transfer (AXFR):

dig @8.8.8.8 $target -t AXFR
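The zone-transfer checks above (host -l and dig -t AXFR) only tell you whether a nameserver answers. As an added example that is not part of these notes, the script below parses dig-style AXFR output and summarises what an open transfer would disclose (every hostname, plus A records pointing at RFC 1918 space), which is the check to run against your own zones. The sample output and the example.com hostnames are constructed.

```python
import ipaddress
import re

# Constructed sample of `dig @ns1.example.com example.com AXFR` output (not a real zone).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t3600\tIN\tA\t203.0.113.10
vpn.example.com.\t3600\tIN\tA\t198.51.100.5
intranet.example.com.\t3600\tIN\tA\t10.0.5.20
backup.example.com.\t3600\tIN\tCNAME\tintranet.example.com.
mail.example.com.\t3600\tIN\tMX\t10 mx.example.com.
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# One resource record per line: owner, TTL, class, type, rdata (dig separates fields with tabs).
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also flags TEST-NET space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return unique (owner, type, rdata) tuples; dig prints the SOA twice, so it is kept once."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments and status lines
        m = RR_LINE.match(line)
        if m:
            rec = (m["name"].rstrip("."), m["type"], m["data"].strip())
            if rec not in records:
                records.append(rec)
    return records


def summarize_exposure(records):
    """Summarise what the transfer disclosed: all hostnames and A records in RFC 1918 space."""
    hosts = sorted({name for name, _, _ in records})
    internal = []
    for name, rtype, data in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(data)
        if any(addr in net for net in RFC1918):
            internal.append((name, data))
    return {"record_count": len(records), "hosts": hosts, "internal_addresses": internal}


if __name__ == "__main__":
    print(summarize_exposure(parse_axfr(SAMPLE_AXFR)))
```

Pipe real dig output into parse_axfr in place of SAMPLE_AXFR; a non-empty internal_addresses list means the zone leaks internal addressing to anyone the server grants AXFR.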

DNSDumpster

Queries multiple sources and aggregates the data (see the GitHub page).

python3 dnsdumpster.py -d $target

DNSTool

Adds, modifies or deletes Active Directory-integrated DNS records via LDAP.


Windows

Standard lookup:

nslookup domain.com
