DNS Enumeration

Find DNS server

nmap -p 53 -sV 192.168.1.0/24 --open

Reverse lookup

Using DNSRecon

dnsrecon -r 192.168.1.0/24 -n <NS IP>

Using host

for ip in $(seq 1 254); do host 192.168.1.$ip <NS IP>; done | grep -v "not found"

Zone transfers

Using host

host -l <domain name> <ns server>

Using dig

dig axfr <domain or subdomain> @<NS IP>

Try a zone transfer on each DNS server

#!/bin/bash
# Resolve the zone's NS records, then attempt an AXFR against each name server.

if [ -z "$1" ]; then
  echo "[*] Simple Zone transfer script"
  echo "[*] Usage   : $0 <domain name>"
  exit 1
fi

# host -t ns prints "<domain> name server <ns>." ; field 4 is the server name
for server in $(host -t ns "$1" | cut -d " " -f4); do
  # For each of these servers, attempt a zone transfer and keep only A records
  host -l "$1" "$server" | grep "has address"
done
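The same per-server check, as an added example that is not part of the original page: it wraps dig instead of host, parses the AXFR reply and gives each name server a verdict (open, refused, unreachable), which is the form a zone owner wants when auditing that only secondaries are allowed to transfer. It assumes dig is on the PATH; the example.com replies in SAMPLE are constructed so the demo runs offline.

```python
import subprocess
import sys

# Constructed sample dig output (stands in for real replies so the demo runs offline).
SAMPLE = {
    ("+short", "NS", "example.com"): "ns1.example.com.\nns2.example.com.\n",
    ("axfr", "example.com", "@ns1.example.com"): (
        "; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com\n"
        "example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600\n"
        "example.com.\t3600\tIN\tNS\tns1.example.com.\n"
        "www.example.com.\t300\tIN\tA\t192.0.2.10\n"
        "example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600\n"
        ";; Query time: 12 msec\n"),
    ("axfr", "example.com", "@ns2.example.com"): "; Transfer failed.\n",
}

def dig(args):
    """Run the real dig binary and return its stdout (hypothetical helper name)."""
    return subprocess.run(["dig", *args], capture_output=True, text=True, timeout=15).stdout

def sample_dig(args):
    """Offline stand-in for dig(), answering from the constructed SAMPLE."""
    return SAMPLE.get(tuple(args), ";; communications error to 192.0.2.1#53: timed out\n")

def nameservers(domain, run=dig):
    """NS hostnames for the zone, trailing dot stripped (like `host -t ns` in the script above)."""
    return [line.rstrip(".") for line in run(["+short", "NS", domain]).splitlines() if line.strip()]

def parse_axfr(output):
    """Parse `dig axfr` output into (name, type, rdata) tuples; comment lines (';') are skipped."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or line.startswith(";") or len(parts) < 5:
            continue
        name, _ttl, _class, rtype = parts[:4]
        records.append((name.rstrip("."), rtype, " ".join(parts[4:])))
    return records

def classify(output):
    """(status, record count) for one AXFR attempt: open, refused or unreachable."""
    if "communications error" in output or "connection timed out" in output:
        return "unreachable", 0
    records = parse_axfr(output)
    return ("open", len(records)) if records else ("refused", 0)

def audit_zone(domain, run=dig):
    """Try AXFR against every NS of the zone; an 'open' server needs its allow-transfer restricted."""
    return {ns: classify(run(["axfr", domain, "@" + ns])) for ns in nameservers(domain, run)}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    run = dig if len(sys.argv) > 1 else sample_dig   # no argument: offline demo on SAMPLE
    for ns, (status, n) in audit_zone(target, run).items():
        print(f"{ns}: {status}" + (f" ({n} records)" if n else ""))
```

The SOA record appears twice in a successful transfer (dig prints it at the start and the end), so a minimal open zone already counts more than one record.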