Enum
Resolve domain name to IP
host -t a domain.com
host -l friendzone.red 10.10.10.123
host -t mx domain.com
host -t ns domain.com
dig axfr domain.com @primary-name-server
dig -t ns domain.com +short
dig -t ns domain.com
dig @192.168.177.196 -x 192.168.177.196
dnsenum mydomain
fierce
nslookup
> server 10.10.10.100
> ee.htb.local
nslookup
> set type=ns
> ee.htb.local
Reverse lookup
dnsrecon -d 10.10.10.12 -r 10.0.0.0/24
└─$ dnsrecon -r 10.10.11.0-10.10.11.254 --name_server 10.10.11.3
[*] Performing Reverse Lookup from 10.10.11.0 to 10.10.11.254
[+] PTR aa.local 10.10.11.5
[+] PTR cc.local 10.10.11.7
[+] PTR bb.local 10.10.11.8
[+] 23 Records Found
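The reverse-lookup sweep above prints one "[+] PTR name ip" line per hit. The following Python is an added example, not part of these notes or of dnsrecon itself: it parses that output into an inventory, renders it as /etc/hosts-style lines, flags names that resolve from more than one address, and cross-checks the parsed line count against dnsrecon's own "Records Found" summary so a truncated or partially copied run is noticed. The sample output is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of dnsrecon reverse-lookup output, modelled on the
# format shown in the notes above (not captured from a real host).
SAMPLE_OUTPUT = """\
[*] Performing Reverse Lookup from 10.10.11.0 to 10.10.11.254
[+] PTR aa.local 10.10.11.5
[+] PTR cc.local 10.10.11.7
[+] PTR bb.local 10.10.11.8
[+] PTR aa.local 10.10.11.9
[+] 4 Records Found
"""

# One PTR result line: "[+] PTR <name> <ipv4>"
PTR_LINE = re.compile(
    r"^\[\+\]\s+PTR\s+(?P<name>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
# dnsrecon's closing summary line; case varies between modes ("Records Found" / "records found")
SUMMARY_LINE = re.compile(r"^\[\+\]\s+(?P<count>\d+)\s+Records?\s+Found", re.IGNORECASE)


def parse_ptr_records(output):
    """Return a list of (ip, name) tuples, one per PTR line, in file order."""
    records = []
    for line in output.splitlines():
        m = PTR_LINE.match(line.strip())
        if m:
            records.append((m.group("ip"), m.group("name").rstrip(".")))
    return records


def reported_count(output):
    """Number of records dnsrecon says it found, or None if no summary line is present."""
    for line in output.splitlines():
        m = SUMMARY_LINE.match(line.strip())
        if m:
            return int(m.group("count"))
    return None


def inventory(output):
    """Map each hostname to the list of IPs whose PTR points at it."""
    by_name = defaultdict(list)
    for ip, name in parse_ptr_records(output):
        by_name[name].append(ip)
    return dict(by_name)


def hosts_file(output):
    """Render the records as /etc/hosts-style lines, sorted numerically by IP."""
    recs = sorted(
        parse_ptr_records(output),
        key=lambda r: tuple(int(octet) for octet in r[0].split(".")),
    )
    return "\n".join(f"{ip}\t{name}" for ip, name in recs)


def check_count(output):
    """True when the number of parsed PTR lines matches dnsrecon's summary line."""
    n = reported_count(output)
    return n is not None and n == len(parse_ptr_records(output))


if __name__ == "__main__":
    print(hosts_file(SAMPLE_OUTPUT))
    for name, ips in inventory(SAMPLE_OUTPUT).items():
        if len(ips) > 1:
            print(f"# {name} has {len(ips)} PTR entries: {', '.join(ips)}")
    print("# parsed count matches summary:", check_count(SAMPLE_OUTPUT))
```

Feed it a saved run with `python3 ptr_inventory.py < dnsrecon.txt` after replacing SAMPLE_OUTPUT with sys.stdin.read(); a False from check_count means the pasted output is incomplete and the sweep should be re-run or re-saved before the inventory is trusted.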
Snoop into the DNS cache
dnsrecon -t snoop -n 10.10.11.3
nslookup -norecursive whatever.com
Zone walking
└─$ dnsrecon -t zonewalk -d aa.local
[*] Performing NSEC Zone Walk for aa.local
[*] Getting SOA record for phoenix.thinc.local
[-] This zone appears to be misconfigured, no SOA record found.
[*] A aa.local no_ip
[+] 1 records found
Zone transfer
dnsrecon -t zonewalk -d mailman.com -n 192.168.156.149
dnsrecon -d mailman.com --type axfr -n 192.168.156.149
dig axfr @10.11.21.99 jewel.uploadvulns.thm +nostat +nocomments +nocmd
DNS Brute force
Manual DNS Brute force
for ip in $(seq 1 254); do host -a 192.168.156.$ip 192.168.156.$ip; done