DNS Enumeration

DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functionality.

Interacting with a DNS Server

> host -t ns megacorpone.com           # -t : type , ns: dns
> host -t mx megacorpone.com           # mx : mail server

• Also you can use nslookup

> nslookup anasboureada.com

• dig also can be used

> dig aboureada.com

Automating lookups

we have some initial data from the megacorpone.com domain, we can continue to use additional DNS queries to discover more host names and IP addresses belonging to megacorpone.com.

> host www.megacorpone.com             # we will found that it has an ip
> host idontexist.megacorpone.com      # this is not found

Forward Lookup Brute Force

Taking the previous concept a step further, we can automate the Forward DNS Lookup of common host names using the host command and a Bash script.

> echo www > list.txt
> echo ftp >> list.txt
> echo mail >> list.txt
> echo owa >> list.txt
> echo proxy >> list.txt
> echo router >> list.txt
> echo api >> list.txt
> for ip in $(cat list.txt);do host $ip.megacorpone.com;done

Reverse Lookup Brute Force

If the DNS administrator of megacorpone.com configured PTR records for the domain, we might find out some more domain names that were missed during the forward lookup brute-force phase.

> for ip in $(seq 155 190);do host 50.7.67.$ip;done | grep -v "not found"
# grep -v :: --invert-match

DNS Zone Transfers

• A zone transfer is similar to a database replication act between related DNS servers.
• This process includes the copying of the zone file from a master DNS server to a slave server.
• The zone file contains a list of all the DNS names configured for that zone. Zone transfers should usually be limited to authorized slave DNS servers.

> host -l megacorpone.com ns1.megacorpone.com   # ns1 refused us our zone transfer request
# -l :: list all hosts in a domain
> host -l megacorpone.com ns2.megacorpone.com
# The result is a full dump of the zone file for the megacorpone.com domain,
# providing us a convenient list of IPs and DNS names for the megacorpone.com domain.

> host -t axfr zonetransfer.me nsztm1.digi.ninja.

> dig axfr nsztm1.digi.ninja zonetransfer.me

• Now Lets automate the process:

  • To get the name servers for a given domain in a clean format, we can issue the following command.

    > host -t ns megacorpone.com | cut -d " " -f 4
    # -d :: --delimiter=DELIM ;
    # -f ::  --fields=LIST select only these fields on each line;
    

  • Taking this a step further, we could write the following simple Bash script to automate the procedure of discovering and attempting a zone transfer on each DNS server found.

    # /bin/bash
    # Simple Zone Transfer Bash Script
    # $1 is the first argument given after the bash script
    # Check if argument was given, if not, print usage
    if  [-z "$1" ]; then
    echo "[-] Simple Zone transfer script"
    echo "[-] Usage : $0 <domain name> "
    exit 0
    fi
    
    # if argument was given, identify the DNS servers for the domain
    for server in $(host ­-t ns $1 | cut ­-d" " ­-f4);do
    # For each of these servers, attempt a zone transfer
    host -l $1 $server | grep "has address"
    done
    

    Running this script on megacorpone.com should automatically identify both name servers and attempt a zone transfer on each of them

    > chmod 755 dns-­-axfr.sh
    > ./dns-­-axfr.sh megacorpone.com
    

Relevant Tools in Kali Linux

DNSRecon

> dnsrecon -d megacorpone.com -t axfr
# -d :: domain
# -t :: type of Enumeration to perform
# axfr :: test all ns servers for zone transfer

DNSEnum

> dnsenum zonetransfer.me

fierce

NOTE the one included in the latest version of kali may not work, so try to install the new version from fierce

> pip3 install fierce
> fierce --domain zonetransfer.me

• NMAP DNS Hostnames Lookup

nmap -F --dns-server

• Host Lookup

host -t ns [megacorpone.com](http://megacorpone.com/)

• Reverse Lookup Brute Force - find domains in the same range

for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

• Perform DNS IP Lookup

dig a [domain-name-here.com](http://domain-name-here.com/) @nameserver

• Perform MX Record Lookup

dig mx [domain-name-here.com](http://domain-name-here.com/) @nameserver

• Perform Zone Transfer with DIG

dig axfr [domain-name-here.com](http://domain-name-here.com/) @nameserver

DNS Zone Transfers

• Windows DNS zone transfer

nslookup -> set type=any -> ls -d [blah.com  ](http://blah.com/)

• Linux DNS zone transfer

dig axfr [blah.com](http://blah.com/) @[ns1.blah.com](http://ns1.blah.com/)

• Dnsrecon DNS Brute Force

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

• Dnsrecon DNS List of megacorp

dnsrecon -d [megacorpone.com](http://megacorpone.com/) -t axfr

• DNSEnum

dnsenum zonetransfer.m