Domain Name Service

Footprinting the Service

DIG - NS Query

dig ns inlanefreight.htb @10.129.14.128

DIG - Version Query

dig CH TXT version.bind 10.129.120.85

DIG - ANY Query

dig any inlanefreight.htb @10.129.14.128

DIG - AXFR Zone Transfer

dig axfr inlanefreight.htb @10.129.14.128

DIG - AXFR Zone Transfer - Internal

dig axfr internal.inlanefreight.htb @10.129.14.128

Using subdomain internal from previous zone transfer on inlanefreight.htb. Also attemp to do zonetransfers and all subdomains.

Subdomain Brute Forcing

dnsenum

dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

dnsrecon

dnsrecon -r 127.0.0.1 -n 127.0.1.1

Passive Subdomain Enumeration

virustotal

certificates

crt.sh

Another source of information we can use to extract subdomains is SSL/TLS certificates. The main reason is Certificate Transparency (CT).

A project that requires every SSL/TLS certificate issued by a Certificate Authority (CA) to be published in a publicly accessible log

perform a curl request to the target website asking for a JSON output as this is more manageable

curl -s "https://crt.sh/?q=domain.com&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u

Passive Infrastructure Identification

Wayback Machine

you can find old versions that may have interesting comments in the source code or files that should not be there

Waybackurls

wget https://github.com/tomnomnom/waybackurls/releases/download/v0.1.0/waybackurls-linux-amd64-0.1.0.tgz

waybackurls -dates https://facebook.com > waybackurls.txt

Dangerous Settings

allow-query	Defines which hosts are allowed to send requests to the DNS server.
allow-recursion	Defines which hosts are allowed to send recursive requests to the DNS server.
allow-transfer	Defines which hosts are allowed to receive zone transfers from the DNS server.
zone-statistics	Collects statistical data of zones.