DNS

A list of useful DNS reconnaissance techniques.

NMAP script

# get all nmap dns scripts
ls /usr/share/nmap/scripts | grep dns | cut -d'.' -f 1 | tr '\n' ',' | sed 's/.$//'

# start nmap w/ all scripts
nmap -vvvv --script=<ALL_SCRIPTS> $IP_ADDRESS -p 53

# use nmap with proxychains
proxychains nmap -Pn -sT <OPTIONS> <IP>

See the proxychains page for more information.

nslookup

Get the domain name of a host by reverse lookup with nslookup (the first command points nslookup at the target's own DNS server)

nslookup
> SERVER $IP_ADDRESS
[...]
> $IP_ADDRESS
[...]

DNS Zone transfer

# request a full zone transfer; a correctly configured server only allows this for its secondaries
dig axfr @$IP_ADDRESS <DOMAIN>
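Added example, not part of the original cheat sheet: once `dig axfr` succeeds, these POSIX sh helpers turn its output into a per-type record count, a host list and a pass/fail check, so an open zone transfer can be reported with evidence. The sample output, the zone name and the addresses in it are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of what dig prints when an AXFR succeeds (placeholder zone and IPs).
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr @10.0.0.10 example.test
;; global options: +cmd
example.test.            3600 IN SOA  ns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
example.test.            3600 IN NS   ns1.example.test.
example.test.            3600 IN MX   10 mail.example.test.
ns1.example.test.        3600 IN A    10.0.0.10
mail.example.test.       3600 IN A    10.0.0.25
dev.example.test.        3600 IN A    10.0.0.30
_ldap._tcp.example.test. 3600 IN SRV  0 100 389 dc1.example.test.
example.test.            3600 IN SOA  ns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec
;; XFR size: 8 records (messages 1, bytes 300)'

# Read dig axfr output on stdin and print "TYPE count" lines, sorted by type.
# Comment lines start with ";" and are skipped; record lines are "owner TTL IN TYPE rdata".
axfr_type_counts() {
    awk '$0 !~ /^;/ && NF >= 5 && $3 == "IN" { n[$4]++ }
         END { for (t in n) print t, n[t] }' | sort
}

# Print the unique owner names that have A or AAAA records (the hosts exposed by the transfer).
axfr_hosts() {
    awk '$0 !~ /^;/ && $3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $1 }' | sort -u
}

# Exit 0 when stdin looks like a completed transfer (a full AXFR starts and ends with the SOA), else 1.
axfr_succeeded() {
    awk '$0 !~ /^;/ && $3 == "IN" && $4 == "SOA" { c++ }
         END { if (c >= 2) exit 0; else exit 1 }'
}

# Stand-alone run on the constructed sample; replace with: dig axfr @<IP> <DOMAIN> | axfr_type_counts
printf '%s\n' "$SAMPLE_AXFR" | axfr_type_counts
printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
```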

DNS enumeration

Using wfuzz (virtual host brute force: each wordlist entry is sent in the Host header, so it finds names the web server answers for even when no DNS record exists)

wfuzz -c -u "http://<ADDRESS>" -w /usr/share/wordlists/subdomains-top1mil.txt -H "Host: FUZZ.<ADDRESS>"

Useful options

  • -H: Used to set custom header

  • --hc/hl/hw/hh: Hide responses with the specified code/lines/words/chars

  • --sc/sl/sw/sh: Show responses with the specified code/lines/words/chars

Using ffuf

ffuf -w /usr/share/wordlists/subdomains-top1mil.txt -H "Host: FUZZ.<ADDRESS>" -u http://<ADDRESS>

Useful options

  • -H: Used to set custom header

  • -fc: Filter out responses with the given HTTP status codes

Using dig

dig srv <DOMAIN> @<IP>
# example
# dig srv toto.com @10.0.0.10
