DNS Enumeration

Find DNS server

nmap -p 53 -sV 192.168.1.0/24 --open

Reverse lookup

Using DNSRecon

dnsrecon -r 192.168.1.0/24 -n <NS IP>

Using host

for ip in $(seq  1 254); do host 192.168.1.$ip <NS IP>; done | grep -v "not found"

Zone transfers

Using host

host -l <domain name> <ns server>

Using dig

dig axfr <domain or subdomain> @<NS IP>

Try zone transfer on each DNS servers

#!/bin/bash

if [ -z "$1" ]; then
  echo "[*] Simple Zone transfer script"
  echo "[*] Usage   : $0 <domain name> "
  exit 0
fi

for server in $(host -t ns $1 | cut -d " " -f4); do
  # For each of these servers, attempt a zone transfer
  host -l $1 $server |grep "has address"
done

PreviousHandmade Network Scan NextSMB Enumeration

Last updated 2 years ago