Red Team Toolkit

DNS Recon

Last updated 1 year ago

Techniques for enumerating DNS for penetration testing

Background

DNS discovery is the process of finding and mapping domain names and IP addresses in a network. It's a key step in the reconnaissance phase of a penetration testing process, aimed at identifying systems, services, and potential vulnerabilities. DNS discovery can be done manually or through automated tools and provides valuable information for more targeted penetration testing.

Techniques for Using DNS to Find Services

Follow these techniques to find services using DNS during a penetration test:

  • Scan the target domain with tools such as nslookup, dig, and dnsrecon.

  • Use brute-force techniques to identify all hostnames within the domain.

  • Perform subdomain enumeration with wordlists.

  • Monitor the target domain for changes to its DNS records.

  • Use tools like Fierce to perform active scans.

  • Gather OSINT information about the target domain.

  • Minimize the amount of network traffic generated.

Tools

DNS discovery can be performed manually, using tools such as the ping command or the nslookup utility, or by using automated tools, such as port scanners or vulnerability assessment software. The information obtained from DNS discovery can be used to plan and execute more targeted and effective penetration testing and security assessments.

Nslookup

Resolve a given hostname to the corresponding IP:

nslookup targetorganization.com

Obtain CNAME DNS record:

nslookup -type=CNAME targetorganization.com

Obtain MX DNS record:

nslookup -query=mx example.com

Display the nameservers for a given domain:

nslookup -type=ns domain

Use reverse DNS lookup to resolve an IP address to the given PTR record hostname:

nslookup -type=PTR IP_address

dig

The dig command is a tool for querying the DNS system to retrieve information about domain names and IP addresses. It provides more detailed output than nslookup.

Use the dig command on Linux to return DNS information, here the A record for a domain, queried directly against a chosen nameserver:

dig a domain-name-here.com @nameserver

Fierce

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains using DNS.

DNSRecon

DNSRecon is a reconnaissance tool in Kali Linux that gathers information about a target domain's DNS infrastructure by performing techniques such as zone transfers, subdomain enumeration, and brute-force attacks.

Example using dnsrecon on Kali against TARGET with the wordlist file /usr/share/wordlists/dnsmap.txt, writing the results to output.xml:

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
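The wordlist-based subdomain enumeration described in the techniques list above, and automated here by dnsrecon, reduces to resolving each candidate label under the domain and keeping the names that answer. The following is an added example (not code from the page or from the dnsrecon project) that implements that loop in Python with two details a practitioner wants: a wildcard check, so that a domain answering for every name does not turn the whole wordlist into false positives, and an optional delay between queries to keep traffic low. The resolver is injectable; `system_resolve` uses the operating system resolver, while `fake_resolve`, `fake_wildcard_resolve`, `SAMPLE_WORDS` and `FAKE_ZONE` are constructed stand-ins so the example runs offline against the reserved domain example.test.

```python
import random
import socket
import string
import time
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps a hostname to its addresses, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolve(name: str) -> Optional[List[str]]:
    """Resolve a name with the operating system's resolver (the live default)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def random_label(length: int = 12) -> str:
    """A label that is overwhelmingly unlikely to exist, used to probe for wildcards."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[List[str]]:
    """Return the addresses a random label under the domain resolves to (wildcard), else None."""
    return resolve(f"{random_label()}.{domain}")


def enumerate_subdomains(
    domain: str,
    words: Iterable[str],
    resolve: Resolver = system_resolve,
    delay: float = 0.0,
) -> Dict[str, List[str]]:
    """Resolve each wordlist entry as <word>.<domain> and keep those that answer.

    Names that return exactly the wildcard answer are discarded, and an optional
    delay between queries keeps the generated traffic volume low.
    """
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    # dict.fromkeys deduplicates while preserving wordlist order
    for word in dict.fromkeys(w.strip().lower() for w in words if w.strip()):
        name = f"{word}.{domain}"
        addrs = resolve(name)
        if delay:
            time.sleep(delay)
        if addrs is None:
            continue
        if wildcard is not None and addrs == wildcard:
            continue  # indistinguishable from the wildcard: not evidence of a real host
        found[name] = addrs
    return found


# Constructed wordlist and zone (assumptions for this example), so it runs offline.
SAMPLE_WORDS = ["www", "mail", "MAIL", "vpn", "dev", ""]
FAKE_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Answers only from FAKE_ZONE; stands in for a real resolver."""
    return FAKE_ZONE.get(name)


def fake_wildcard_resolve(name: str) -> Optional[List[str]]:
    """Like fake_resolve, but every other name under the domain hits a wildcard record."""
    return FAKE_ZONE.get(name, ["192.0.2.99"])


if __name__ == "__main__":
    for host, addrs in enumerate_subdomains("example.test", SAMPLE_WORDS, fake_resolve).items():
        print(host, ",".join(addrs))
```

Against a live domain you would pass `system_resolve` (the default) and a real wordlist such as the dnsmap.txt file used above; the wildcard probe is what separates a genuine hit from a zone that answers for everything.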

Zone Transfers

A DNS zone transfer is the process of copying the entire database of DNS records from one DNS server to another, allowing for replication of the DNS information.

Zone Transfers Using dig

An example where the dig command is used to transfer the entire zone database for the domain example.com from the DNS server ns1.example.com. The AXFR option specifies that the query is a request for a zone transfer:

dig @ns1.example.com example.com AXFR

Zone Transfer Using Windows CMD

An example of an interactive nslookup session on Windows, where set type=any sets the query to retrieve all DNS record types and ls -d example.com requests a zone transfer for the domain example.com:

nslookup
> set type=any
> ls -d example.com
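A zone transfer hands out the whole zone, so on the serving side transfers should be restricted to the real secondaries (in BIND, the `allow-transfer` option does this), and attempts from anyone else are worth alerting on. The following is an added example (not from the page) that runs that check over DNS query-log lines: it picks out AXFR and IXFR requests and reports those whose source address lies outside an allowlist of secondary networks. `SAMPLE_LOG` is constructed to mirror the shape of BIND's query log and is not captured from a real server; the secondary network 192.0.2.0/24 is likewise an assumption.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample lines in the shape of BIND's query log (not captured from a real server).
SAMPLE_LOG = """\
12-Mar-2024 10:15:01.123 client @0x7f1 192.0.2.53#39012 (example.test): query: example.test IN AXFR -T (192.0.2.1)
12-Mar-2024 10:15:02.456 client @0x7f2 198.51.100.7#51844 (example.test): query: example.test IN AXFR -T (192.0.2.1)
12-Mar-2024 10:15:03.789 client @0x7f3 198.51.100.7#51845 (www.example.test): query: www.example.test IN A -E(0)K (192.0.2.1)
12-Mar-2024 10:15:04.001 client @0x7f4 203.0.113.9#40001 (example.test): query: example.test IN IXFR -T (192.0.2.1)
"""

# Source address, queried name and record type from one query-log line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Both full (AXFR) and incremental (IXFR) transfers expose zone contents.
TRANSFER_TYPES = {"AXFR", "IXFR"}


def find_unexpected_transfers(
    lines: Iterable[str], allowed_secondaries: Iterable[str]
) -> List[Dict[str, str]]:
    """Return transfer requests whose source is outside the allowed secondary networks."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_secondaries]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None or m["qtype"] not in TRANSFER_TYPES:
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in allowed):
            continue  # a legitimate secondary pulling the zone
        hits.append({"source": str(src), "zone": m["name"], "qtype": m["qtype"]})
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_transfers(SAMPLE_LOG.splitlines(), ["192.0.2.0/24"]):
        print(f"{hit['qtype']} of {hit['zone']} requested by {hit['source']}")
```

Run over the sample, only the two requests from outside 192.0.2.0/24 are reported; the ordinary A query from the same outside host is ignored, which is the distinction that keeps the alert useful.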

DNS Online Tools

nslookup is a tool for querying DNS to obtain domain name or IP address information. In DNS discovery, it can be used to retrieve information about specific hostnames or IP addresses, providing valuable insights into a network's infrastructure during penetration testing reconnaissance.

HackerTarget: An online reconnaissance tool that allows you to perform scans on a target domain, including a comprehensive DNS scan.

DNSDumpster: A reconnaissance tool that provides a visual representation of a target domain's DNS infrastructure, including its subdomains, DNS servers, and other associated information.

DNSTwist: A tool that helps you enumerate subdomains and perform reconnaissance on a target domain's DNS infrastructure.

DNSlytics: A tool that provides a visual representation of a target domain's DNS infrastructure, as well as historical information about changes to its DNS records.

MXToolbox: A tool that provides a comprehensive set of diagnostic and monitoring services for DNS, email delivery, and website uptime.

Active & Passive Recon Cheatsheet
DNS Recon Cheat Sheet
IP, DNS, Domain Enumeration Cheat Sheet
DNS Query Web Tool
Online NsLookup Tool