{"id":2086,"date":"2021-01-09T11:40:43","date_gmt":"2021-01-09T10:40:43","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2086"},"modified":"2024-09-15T15:09:23","modified_gmt":"2024-09-15T13:09:23","slug":"dns-domain-name-system","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2086","title":{"rendered":"<span class=\"caps\">DNS<\/span> Domain Name System"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Manual enumeration<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Subdomain enumeration<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Put usu\u00adal domain names (Seclists!) and iter\u00adate them with the&nbsp;bash<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ for ip in $(cat list.txt); do host $ip.domain.com; done<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">IP<\/span> enumeration<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate an <span class=\"caps\">IP<\/span> range to find domains<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v \"not found\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Zone transfer<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Per\u00adform a <span class=\"caps\">DNS<\/span> zone trans\u00adfer like&nbsp;this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">host -l megacorpone.com ns1.megacorpone.com<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Detect <span class=\"caps\">DNS<\/span> requests e.g. via <a href=\"https:\/\/app.interactsh.com\/\">https:\/\/app.interactsh.com\/<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">DNSenum<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Per\u00adforms mul\u00adti\u00adple <span class=\"caps\">DNS<\/span> enu\u00admer\u00ada\u00adtion strate\u00adgies. A good&nbsp;start.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnsenum domain.com<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">DNSRecon<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/darkoperator\/dnsrecon\">dnsre\u00adcon<\/a> is an enu\u00admer\u00ada\u00adtion script.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Zone trans\u00adfer<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnsrecon -d domain.com -t axfr<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">VHost search<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnsrecon -d domain.com -D vhost_names.txt -t brt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=487\">See also here for VHost enu\u00admer\u00ada\u00adtio<\/a>n.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">dig<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Read infor\u00adma\u00adtion about a&nbsp;host<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dig [@$dnsServer] host01 ANY<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Dig can read a local con\u00adfig\u00adu\u00adra\u00adtion file. It can also be tried to read an arbi\u00adtrary&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dig -f \/etc\/passwd 127.0.0.1<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all <span class=\"caps\">DNS<\/span> information<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dig @8.8.8.8 $target -t AXFR<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">DNSDumpster<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Queries mul\u00adti\u00adple sources and aggre\u00adgates the data. <a href=\"https:\/\/github.com\/nmmapper\/dnsdumpster\">Github page<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">python3 dnsdumpster.py -d $target<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">DNSTool<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/dirkjanm\/krbrelayx\/blob\/master\/dnstool.py\">DNSTool<\/a> Add\/modify\/delete Active Direc\u00adto\u00adry Inte\u00adgrat\u00aded <span class=\"caps\">DNS<\/span> records via&nbsp;<span class=\"caps\">LDAP<\/span>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Windows<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Stan\u00addard lookup:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nslookup domain.com<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Man\u00adu\u00adal enu\u00admer\u00ada\u00adtion Sub\u00addo\u00admain enu\u00admer\u00ada\u00adtion Put usu\u00adal domain names (Seclists!) and iter\u00adate them with the&nbsp;bash $ for ip in $(cat list.txt); do host $ip.domain.com; done <span class=\"caps\">IP<\/span> enu\u00admer\u00ada\u00adtion Enu\u00admer\u00adate an <span class=\"caps\">IP<\/span> range to find domains $ for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep \u2011v \u201cnot found\u201d Zone trans\u00adfer Per\u00adform a <span class=\"caps\">DNS<\/span>&nbsp;zone&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[90],"class_list":["post-2086","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-dns"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2086"}],"version-history":[{"count":10,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2086\/revisions"}],"predecessor-version":[{"id":4385,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2086\/revisions\/4385"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}