OSCP Notes

DNS Enumeration

DNS enumeration involves gathering information about a domain's DNS records to map out its structure. Tools like dig, nslookup, or dnsenum can be used to discover subdomains, mail servers, and other DNS entries.

DNS Entries

| Entry | Description |
|-------|-------------|
| NS    | Nameserver record - the names of the authoritative servers hosting the DNS records for the domain. |
| A     | Address record - the IPv4 address of a hostname. |
| AAAA  | Quad A record - the IPv6 address of a hostname. |
| MX    | Mail Exchange record - the names of the servers that handle email for the domain. |
| PTR   | Pointer record - maps an IP address back to a hostname (reverse lookup zones). |
| CNAME | Canonical Name record - an alias pointing to another hostname. |
| TXT   | Text record - arbitrary text data. |

Enumeration

Retrieve records using host:

host -t <record_type> <domain_name>

Retrieve DNS records using nslookup (useful for living off the land on Windows, where it is installed by default):

nslookup -type=<record_type> <Domain_name> <ns_server>

Subdomain brute force:

for sub in $(cat <wordlist>); do host "$sub.<domain_name>"; done | grep -v "not found"

Brute forcing subdomains with dnsrecon:

dnsrecon -d <domain_name> -D <wordlist> -t brt

Useful scans to automate the process:

dnsrecon -d megacorpone.com -t std
dnsenum <domain_name>
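The commands above print one line per record in host(1)'s human-readable format, and the brute-force loop relies on `grep -v "not found"` to drop names that did not resolve. The following Python script is an added example (not part of the original notes or of any tool the page mentions): it parses that output into the record types from the table, and replaces the grep filter with a structural check for NXDOMAIN lines. The sample lines are constructed to match the line formats host(1) prints, using the megacorpone.com lab domain from the page; no network access is needed.

```python
import re
from collections import defaultdict

# Constructed sample output in the line format host(1) prints for the record
# types in the table above (made up for this example, not captured from a scan).
SAMPLE_HOST_OUTPUT = """\
megacorpone.com name server ns1.megacorpone.com.
megacorpone.com name server ns2.megacorpone.com.
megacorpone.com has address 203.0.113.10
megacorpone.com has IPv6 address 2001:db8::10
megacorpone.com mail is handled by 10 mail.megacorpone.com.
megacorpone.com mail is handled by 20 mail2.megacorpone.com.
www.megacorpone.com is an alias for megacorpone.com.
megacorpone.com descriptive text "v=spf1 mx -all"
10.113.0.203.in-addr.arpa domain name pointer megacorpone.com.
Host ftp.megacorpone.com not found: 3(NXDOMAIN)
"""

# One pattern per record type: "name" is the queried name, "value" the record data.
_PATTERNS = [
    ("NS",    re.compile(r"^(?P<name>\S+) name server (?P<value>\S+)$")),
    ("A",     re.compile(r"^(?P<name>\S+) has address (?P<value>\S+)$")),
    ("AAAA",  re.compile(r"^(?P<name>\S+) has IPv6 address (?P<value>\S+)$")),
    ("MX",    re.compile(r"^(?P<name>\S+) mail is handled by (?P<value>\d+ \S+)$")),
    ("CNAME", re.compile(r"^(?P<name>\S+) is an alias for (?P<value>\S+)$")),
    ("TXT",   re.compile(r'^(?P<name>\S+) descriptive text "(?P<value>.*)"$')),
    ("PTR",   re.compile(r"^(?P<name>\S+) domain name pointer (?P<value>\S+)$")),
]
# Negative answer, e.g. "Host ftp.megacorpone.com not found: 3(NXDOMAIN)".
_NOT_FOUND = re.compile(r"^Host (?P<name>\S+) not found: \d+\((?P<rcode>\w+)\)$")


def parse_host_line(line):
    """Classify one line of host(1) output.

    Returns (record_type, name, value). Unresolved names come back as
    (rcode, name, None), e.g. ("NXDOMAIN", "ftp.megacorpone.com", None);
    lines in no known format return None.
    """
    line = line.strip()
    for rtype, pat in _PATTERNS:
        m = pat.match(line)
        if m:
            # host(1) prints fully qualified names with a trailing dot; drop it.
            return rtype, m.group("name"), m.group("value").rstrip(".")
    m = _NOT_FOUND.match(line)
    if m:
        return m.group("rcode"), m.group("name"), None
    return None


def parse_host_output(text):
    """Group the records by type: {"A": [("megacorpone.com", "203.0.113.10")], ...}."""
    records = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_host_line(line)
        if parsed and parsed[2] is not None:
            rtype, name, value = parsed
            records[rtype].append((name, value))
    return dict(records)


def resolved_hosts(text):
    """The `grep -v "not found"` step of the brute-force loop, done structurally:
    the names that actually resolved, in order of first appearance."""
    seen = []
    for line in text.splitlines():
        parsed = parse_host_line(line)
        if parsed and parsed[2] is not None and parsed[1] not in seen:
            seen.append(parsed[1])
    return seen


if __name__ == "__main__":
    for rtype, entries in parse_host_output(SAMPLE_HOST_OUTPUT).items():
        for name, value in entries:
            print(f"{rtype:6} {name} -> {value}")
    print("resolved:", resolved_hosts(SAMPLE_HOST_OUTPUT))
```

To use it on real output, pipe the brute-force loop into the script without the grep step and call `parse_host_output` on stdin; the NXDOMAIN handling makes the filter explicit instead of relying on a substring match, and the per-type grouping gives you the same picture as `dnsrecon -t std` for the names you queried.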

References

  • GitHub - darkoperator/dnsrecon: DNS Enumeration Script
  • GitHub - SparrowOchon/dnsenum2: dnsenum is a perl script that enumerates DNS information. Officially mainlined in Kali Linux