Domain Name System (DNS)

Footprinting the Service
DIG - NS Query
dig ns inlanefreight.htb @10.129.14.128

DIG - Version Query (CH TXT version.bind; answered unless the server sets the version option)
dig CH TXT version.bind @10.129.120.85

DIG - ANY Query
dig any inlanefreight.htb @10.129.14.128

DIG - AXFR Zone Transfer
Only works when the server's allow-transfer permits our address. A refused transfer prints "Transfer failed."; a served one lists every record and ends with an "XFR size:" summary.
dig axfr inlanefreight.htb @10.129.14.128

DIG - AXFR Zone Transfer - Internal (repeat for every sub-zone delegated via NS records in the first transfer)
dig axfr internal.inlanefreight.htb @10.129.14.128
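Added example, not code from the original page: a small shell helper that parses `dig axfr` output to tell a served transfer from a refused one, lists the hosts the zone exposes, and picks out delegated sub-zones (NS records below the apex) that deserve a second AXFR, as with internal.inlanefreight.htb above. The record set in sample_axfr is constructed; only the zone name and the name server 10.129.14.128 come from the page.

```shell
#!/bin/sh
# Parse `dig axfr <zone> @<ns>` output. Record data below is constructed.

sample_axfr() {
cat <<'EOF'
; <<>> DiG 9.16.1-Ubuntu <<>> axfr inlanefreight.htb @10.129.14.128
;; global options: +cmd
inlanefreight.htb.          604800 IN SOA   inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.          604800 IN NS    ns.inlanefreight.htb.
app.inlanefreight.htb.      604800 IN A     10.129.18.15
dev.inlanefreight.htb.      604800 IN CNAME app.inlanefreight.htb.
internal.inlanefreight.htb. 604800 IN NS    ns.inlanefreight.htb.
mail1.inlanefreight.htb.    604800 IN A     10.129.18.201
ns.inlanefreight.htb.       604800 IN A     10.129.34.136
inlanefreight.htb.          604800 IN SOA   inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 4 msec
;; SERVER: 10.129.14.128#53(10.129.14.128)
;; XFR size: 8 records (messages 1, bytes 311)
EOF
}

# Exit 0 when dig's output shows a completed transfer: the ";; XFR size:"
# summary is printed only when the server actually served the zone;
# a refusal ends with "; Transfer failed." instead.
axfr_allowed() {
    grep -q '^;; XFR size:'
}

# Print "owner type rdata" for every resource record, dropping dig's
# comment lines and the trailing dot on owner and target names.
axfr_records() {
    awk '!/^;/ && NF >= 5 && $3 == "IN" {
        sub(/\.$/, "", $1); sub(/\.$/, "", $5)
        print $1, $4, $5
    }'
}

# Hostnames that resolve inside the zone (A/AAAA/CNAME owners), unique.
axfr_hosts() {
    axfr_records | awk '$2 ~ /^(A|AAAA|CNAME)$/ { print $1 }' | LC_ALL=C sort -u
}

# Delegated sub-zones: NS records whose owner is not the zone apex.
# Each one is a candidate for another `dig axfr <subzone> @<ns>`.
# $1 = zone apex, e.g. inlanefreight.htb
axfr_subzones() {
    axfr_records | awk -v apex="$1" '$2 == "NS" && $1 != apex { print $1 }' | LC_ALL=C sort -u
}

# Live wrapper (needs network and dig): $1 = zone, $2 = name server.
zone_transfer() {
    out=$(dig axfr "$1" @"$2" +time=5 +tries=1)
    if printf '%s\n' "$out" | axfr_allowed; then
        echo "[+] AXFR allowed for $1 on $2"
        printf '%s\n' "$out" | axfr_hosts
        printf '%s\n' "$out" | axfr_subzones "$1" | sed 's/^/[+] delegated sub-zone: /'
    else
        echo "[-] AXFR refused for $1 on $2"
    fi
}

# Offline demonstration on the constructed sample:
sample_axfr | axfr_hosts
sample_axfr | axfr_subzones inlanefreight.htb
```

On the sample this prints the four hosts (app, dev, mail1, ns) and the delegated internal.inlanefreight.htb sub-zone; `zone_transfer inlanefreight.htb 10.129.14.128` runs the same logic against a live server.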

Subdomain Brute Forcing
dnsenum
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

dnsrecon (reverse lookup sweep of an address range)
dnsrecon -r 127.0.0.0/24 -n 127.0.1.1
-r takes the range to sweep (CIDR or first-last), -n the name server to ask.
Passive Subdomain Enumeration
VirusTotal
The domain's VirusTotal report lists subdomains observed in submitted URLs and scans, without sending a packet to the target.

Certificates - crt.sh
Another source of subdomains is SSL/TLS certificates, thanks to Certificate Transparency (CT): a project that requires every SSL/TLS certificate issued by a Certificate Authority (CA) to be published in a publicly accessible log. crt.sh searches those logs. One entry can hold several names (name_value is newline separated) and wildcard names such as *.domain.com, so deduplicate the output.


curl -s "https://crt.sh/?q=domain.com&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u
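Added example, not code from the original page: the same extraction without jq, handling the two quirks of crt.sh data, the literal "\n" separating several names inside one name_value and wildcard entries, and then keeping only names under the target domain (a certificate's SANs can belong to unrelated domains). The JSON in sample_crtsh is constructed sample data in the shape crt.sh returns; domain.com is the page's placeholder.

```shell
#!/bin/sh
# Parse crt.sh JSON into a clean subdomain list. Sample data is constructed.

sample_crtsh() {
cat <<'EOF'
[{"issuer_ca_id":1,"issuer_name":"C=US, O=Sample CA","common_name":"www.domain.com","name_value":"www.domain.com\ndomain.com","id":1001,"entry_timestamp":"2023-01-01T00:00:00","not_before":"2023-01-01T00:00:00","not_after":"2024-01-01T00:00:00","serial_number":"01"},
{"issuer_ca_id":1,"issuer_name":"C=US, O=Sample CA","common_name":"*.domain.com","name_value":"*.domain.com\nmail.domain.com","id":1002,"entry_timestamp":"2023-02-01T00:00:00","not_before":"2023-02-01T00:00:00","not_after":"2024-02-01T00:00:00","serial_number":"02"},
{"issuer_ca_id":1,"issuer_name":"C=US, O=Sample CA","common_name":"dev.domain.com","name_value":"DEV.domain.com\nstatic.example.net","id":1003,"entry_timestamp":"2023-03-01T00:00:00","not_before":"2023-03-01T00:00:00","not_after":"2024-03-01T00:00:00","serial_number":"03"}]
EOF
}

# Every name from name_value and common_name, one per line, lower-cased,
# with a leading "*." stripped so a wildcard still reveals its base name.
crtsh_names() {
    grep -oE '"(name_value|common_name)":"[^"]*"' \
      | sed 's/^"[a-z_]*":"//; s/"$//' \
      | awk '{ gsub(/\\n/, "\n"); print }' \
      | sed 's/^\*\.//' \
      | tr 'A-Z' 'a-z' \
      | LC_ALL=C sort -u
}

# Keep only names at or below the target domain. $1 = domain
crtsh_subdomains() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(^|\\.)${esc}\$"
}

# Live query (network): the "%." prefix asks crt.sh for every name under
# the domain rather than the apex alone. $1 = domain
crtsh_query() {
    curl -s "https://crt.sh/?q=%25.$1&output=json" | crtsh_names | crtsh_subdomains "$1"
}

# Offline demonstration on the constructed sample:
sample_crtsh | crtsh_names | crtsh_subdomains domain.com
```

The sample yields dev.domain.com, domain.com, mail.domain.com and www.domain.com; static.example.net is dropped by the filter and DEV.domain.com merges with dev.domain.com after case folding.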

Passive Infrastructure Identification
Wayback Machine
web.archive.org keeps historical copies of a site; old snapshots expose former subdomains, paths and parameters that may still exist.

Waybackurls
wget https://github.com/tomnomnom/waybackurls/releases/download/v0.1.0/waybackurls-linux-amd64-0.1.0.tgz
tar xzf waybackurls-linux-amd64-0.1.0.tgz
waybackurls -dates https://facebook.com > waybackurls.txt
Put the extracted binary on PATH first; -dates prefixes every URL with the date the archive fetched it.

Dangerous Settings (BIND named.conf options)
allow-query
Defines which hosts are allowed to send requests to the DNS server. any is normal for an authoritative server, but on a resolver it hands the service to the whole Internet.
allow-recursion
Defines which hosts are allowed to send recursive requests to the DNS server. any makes it an open resolver: usable for DNS amplification and exposed to cache poisoning attempts.
allow-transfer
Defines which hosts are allowed to receive zone transfers from the DNS server. any lets anyone dump the whole zone with dig axfr; restrict it to the secondary name servers (or a TSIG key).
zone-statistics
Collects statistical data of zones; not an exposure by itself, but part of what the server reveals about its zones.
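Added example, not code from the original page: the settings above as they appear in a BIND named.conf, once wide open and once tightened, plus a small shell audit that pulls each option's address-match list out of a config (global options and per-zone overrides) and reports the dangerous values. The two configs, the ACL names and the secondary name-server address 10.129.14.200 are constructed for this example.

```shell
#!/bin/sh
# Weak vs hardened named.conf, and an audit of the options. Constructed data.

weak_named_conf() {
cat <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };   // open resolver
    allow-transfer  { any; };   // anyone on the Internet can AXFR every zone
    zone-statistics yes;
};

zone "inlanefreight.htb" {
    type master;
    file "/etc/bind/db.inlanefreight.htb";
};
EOF
}

hardened_named_conf() {
cat <<'EOF'
acl internal    { 127.0.0.1; 10.129.0.0/16; };
acl secondaries { 10.129.14.200; };   // the secondary NS that may pull the zone

options {
    directory "/var/cache/bind";
    version "not disclosed";          // blanks the CH TXT version.bind answer
    recursion yes;
    allow-query     { any; };         // authoritative answers may stay public
    allow-recursion { internal; };
    allow-transfer  { none; };        // default deny; opened per zone below
    zone-statistics yes;
};

zone "inlanefreight.htb" {
    type master;
    file "/etc/bind/db.inlanefreight.htb";
    allow-transfer { secondaries; };
};
EOF
}

# Print the address-match list of option $1 for every occurrence in the
# config read from stdin, one per line (e.g. "any" or "secondaries").
# Comments are stripped first so commented-out lines do not count.
named_option() {
    sed 's#//.*$##; s/#.*$//' \
      | tr '\n' ' ' \
      | grep -oE "$1[[:space:]]*\{[^}]*\}" \
      | sed 's/^[^{]*{[[:space:]]*//; s/[[:space:]]*}$//; s/;[[:space:]]*$//'
}

# Report the settings an attacker profits from, one finding per line.
named_findings() {
    conf=$(cat)
    xfr=$(printf '%s\n' "$conf" | named_option allow-transfer  | grep -cw any || true)
    rec=$(printf '%s\n' "$conf" | named_option allow-recursion | grep -cw any || true)
    qry=$(printf '%s\n' "$conf" | named_option allow-query     | grep -cw any || true)
    if [ "$xfr" -gt 0 ]; then
        echo "allow-transfer { any; }: anyone can dump the zone with dig axfr"
    fi
    if [ "$rec" -gt 0 ]; then
        echo "allow-recursion { any; }: open resolver, usable for amplification and as a cache-poisoning target"
    fi
    if [ "$rec" -gt 0 ] && [ "$qry" -gt 0 ]; then
        echo "allow-query { any; } together with open recursion: every Internet host may use this server"
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^[[:space:]]*version[[:space:]]+"'; then
        echo "no version option: CH TXT version.bind reveals the exact BIND release"
    fi
    return 0
}

echo "== weak =="; weak_named_conf | named_findings
echo "== hardened =="; hardened_named_conf | named_findings
```

The weak config produces four findings, the hardened one none: transfers are denied globally and opened only for the secondary in the zone block, recursion is limited to the internal ACL, and the version string no longer answers the dig CH TXT query from the top of the page.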