Skip to main content

DNS Enumeration - Port 53

 


#Find the DNS server 
nmap --script vuln,vulners --script-args mincvss=7.0 -sC -sV -p 53 --open 10.10.0.0/16

nmap -sU -sV --script "dns* and (discovery or vuln) and not (dos or brute)" -p53 10.10.10.10
#DNS Server Processes Unauthoritative Recursive Queries
nmap -Pn -p 53 -sU --script dns-recursion 10.10.10.10
#DNS Server Cache Snooping Remote Information Disclosure
nmap -Pn -sU -sV -p 53 --script dns-cache-snoop 10.10.10.10
#DNS Enum via Metasploit
auxiliary/gather/enum_dns

auxiliary/scanner/dns/dns_amp
# DNS Enum 

nslookup
>SERVER 10.10.10.1
# Give the ip address of the server to find its hostname 
> 10.10.10.10 
10.10.10.10.in-addr.arpa      name = host02.test.domain.

dig axfr host02.test.domain @10.10.10.1
Finding SPF Records
  • -all (Hard Fail): Strict rejection of emails from unauthorized servers.
  • ~all (Soft Fail): Flag or mark emails from unauthorized servers as suspicious.
  • +all (Allow All): Allows emails from any server, effectively disabling SPF checks.
  • ?all (Neutral): No strong recommendation; recipient decides.
  • #Single domain dig txt <fqdn> | grep "include:_spf" #Bulk Scan while read -r domain; do echo "$domain:"; dig txt "$domain" | grep "include:_spf"; done < domains.txt
    Checking DMarc Records 
    
    - Start with p=none, review reports to ensure legitimate senders are authenticated, and then move to stricter policies (p=quarantine or p=reject). 
    Example: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;
    
    #Single Domain
    dig txt _dmarc.example.com 
    
    #Bulk Scan
    while read -r domain; do echo "$domain:"; dig txt "_dmarc.$domain" | grep "DMARC"; done < domains.txt
    #Find the Domain Name of the DC
    ldapsearch -x -h "10.10.10.1" -s base
    
    #Find some info or creds
    ldapsearch -LLL -x -H ldap://DOMAIN.FQDN.COM -b '' -s base '(objectclass=*)'
    
    DNS Enum via DIG 
    dig @[server] [name] [type] dig -t SRV _gc._tcp.<domain fqdn> dig -t SRV _ldap._tcp.<domain fqdn> dig -t SRV _kerberos._tcp.<domain fqdn> dig -t SRV _kpasswd._tcp.<endpoint fqdn> dig txt <fqdn> | grep "include:_spf" dig txt _dmarc.example.com nmap --script dns-srv-enum --script-args "dns-srv-enum.domain"='DOMAIN.FQDN.COM'
    DNS Zone transfer 

    #To get dig to perform a zone transfer, we invoke it with the -t AXFR notation as
    dig @[server] [domain] -t AXFR

    #Pull all information about a given domain. Alternatively, dig can perform an incremental zone transfer, pulling only recently updated records, using this syntax:
    #N is an integer that refers to the serial number of a Start of Authority record
    dig @[server] [domain] -t IXFR=[N]
    DNSRecon Cheatsheet

    #List all the DNS entries in the domain dnsrecon -r "10.10.0.0/16"
    #Scan a domain
    dnsrecon -d hackingdream.net

    # -t = standard DNS records (default),
    #reverse IP address lookup(rvl),
    #zone transfers(axfr),
    #DNSSEC zone walks (zonewalk), and
    #cache nooping(snoop)

    dnsrecon -d domain.FQDN -t type

    #Displays S0A, NS, A, AAAA, MX, and SRV of the target domain
    dnsrecon -d [domain]

    #Performs reverse DNS lookup for IP address or CIDR range
    dnsrecon -d [domain] -t rvl

    #Attempts a zone transfer of all NS record nameservers
    dnsrecon -d [domain] -t axfr

    #Performs a DNSSEC zone walk by querying for NSEC records

    dnsrecon -d [domain] -t zonewalk

    #Scans for DNS cache snooping using a supplied dictionary file
    dnsrecon -d [domain] -t snoop -D [dictionary file] #Bruteforcing DNS sub-domains dnsrecon -d 10.10.10.1 -t brt -D /usr/share/wordlists/dnsmap.txt dnsenum domain.fqdn.com fierce -dns domain.fqdn.com -wordlist dictionary.txt

    Can also use DNSDumpster --> Online tool to identify DNS records

    - Check for all the DNS records/Sub-Domains
    - MX records usually show the email service provider details (outlook or whatever service they are using)

    DNS Zone Transfer
    host -la $DOMAIN. $DNSSERVER perl fierce.pl -dns $DOMAIN. -search $HOST dig axfr $TARGET @$DNSSERVER dnsrecon -d $DOMAIN -t axfr
     






    Comments

    Popular posts from this blog

    SQL DB & SQL Injection Pentest Cheat Sheet

    1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds...

    Host and Application locally and access it over the internet via ngrock

     ngrock creates a tunnel from your local machine to ngrock server and host it on the internet via their HTTPS url  Resister an account on ngrock and login #Download the client curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc \ | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null \ && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \ | sudo tee /etc/apt/sources.list.d/ngrok.list \ && sudo apt update \ && sudo apt install ngrok #add the authToken ngrok config add-authtoken 2p7Oc #start a python server on your application python -m http.server 3000 #start the server - use the same port as the python server (3000 in below example) ngrok http http://localhost:3000 --request-header-add "ngrok-skip-browser-warning: true" Setting up a Request Header - Login to the application --> Univeral Gateway --> Edges - Create an Edge --> Request Headers --> `ngrok-skip-browser-warning :12 - go back to overv...

    Cloud Pentest Cheatsheet - Azure

    Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are: Azure Active Directory (AAD) Azure Resource Manager (ARM) Office 365 (O365) Initial Access Try to get a user credential via OSINT/Social engineering or try to comprise a web application hosted on Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.  Entra ID Directory Role Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID. Types of Roles: Built-in Directory Roles Global Administrator Application Administrator User Administrator Custom Directory Roles Accessing APIs in Azure Entra ID - Access via Microsoft Graph API Endpoint {HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} Azure Resource Manager API Endpoint (ARM-specific) {HTTP method} https://management.azure.com/{...