DNS Enumeration



NMAP DNS Hostnames Lookup
nmap -F --dns-servers <dns server ip> <target ip range>    # -F: fast scan; --dns-servers: resolve names via the target's own DNS server

Find Name Servers
host -t ns megacorpone.com

Find email servers
host -t mx guif.re


Perform DNS IP Lookup
dig a domain-name-here.com @nameserver
Perform MX Record Lookup
dig mx domain-name-here.com @nameserver



Dnsrecon zone transfer (AXFR) of megacorpone
dnsrecon -d megacorpone.com -t axfr

DNSEnum
dnsenum zonetransfer.me
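The dnsrecon and dnsenum commands above both look for the same misconfiguration: a name server that answers AXFR requests from anyone and so hands out its whole zone. The script below, an added example rather than a command from these notes, does the same check with plain `host` and `dig` and prints one line per name server. It assumes both tools are installed (bind-utils / dnsutils); the `example.com` strings used for testing are constructed samples of `host` and `dig` output, not real results.

```shell
#!/bin/sh
# Added example: report whether each authoritative name server of a domain
# permits a zone transfer. Useful for verifying your own zones are locked down.

# parse_ns: read `host -t ns <domain>` output on stdin and print one
# name-server hostname per line, with the trailing dot stripped.
parse_ns() {
    awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# axfr_status: read `dig axfr <domain> @<ns>` output on stdin and classify it.
# A refusing server makes dig print "Transfer failed."; a successful transfer
# contains the zone's SOA record; anything else (timeout, no answer) is "unknown".
axfr_status() {
    out=$(cat)
    case "$out" in
        *"Transfer failed"*) echo "refused" ;;
        *" SOA "*)           echo "ALLOWED" ;;
        *)                   echo "unknown" ;;
    esac
}

# check_axfr DOMAIN: attempt a transfer against every NS of DOMAIN and print
# "domain<TAB>nameserver<TAB>status". Network calls happen only here.
check_axfr() {
    domain=$1
    host -t ns "$domain" | parse_ns | while read -r ns; do
        status=$(dig +time=5 +tries=1 axfr "$domain" "@$ns" | axfr_status)
        printf '%s\t%s\t%s\n' "$domain" "$ns" "$status"
    done
}

# Usage: check_axfr example.com
```

Any line ending in `ALLOWED` is a server that should be restricted with an `allow-transfer` ACL (BIND) or the equivalent on your DNS platform; `refused` is the expected state.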

Find Hosts
dig guif.re a @8.8.8.8                  # types: a, mx, ns, soa, srv, txt, axfr
dig -x <ip>                             # reverse lookup (takes an IP address, not a name)


Web Services
./whatweb guif.re

There is a nice collection of OSINT tools at http://osintframework.com/

Map their infrastructure: middleware, programming languages, backends, services. This can help --> wapapawapa

Brute forcing for data

# Subdomain bruteforcing: try every word in list.txt as a label under the domain
for sub in $(cat list.txt); do host $sub.guif.re; done


Dnsrecon DNS Brute Force
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t brt --xml output.xml    # -t brt: dictionary brute force using the -D wordlist


# Reverse dns lookup bruteforcing: PTR lookups across 50.7.67.155-190
for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
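The two loops above print raw `host` output and rely on `grep -v` to hide misses. The script below is an added example, not part of these notes: it wraps the same forward and reverse sweeps in functions that parse the `host` output, so the result is a tab-separated inventory you can diff against an asset list when auditing your own domains and address space. It assumes `host` is installed; the `example.com` lines in the test are constructed samples of `host` output, and the wordlist path and `192.0.2` prefix in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: forward (wordlist) and reverse (PTR) DNS sweeps that emit
# "name<TAB>ip" / "ip<TAB>name" lines instead of raw resolver chatter.

# parse_a: read `host <name>` output on stdin, print "name<TAB>ip" for each
# A record. NXDOMAIN lines ("Host ... not found") produce no output.
parse_a() {
    awk '/ has address / { print $1 "\t" $NF }'
}

# parse_ptr: read `host <ip>` output on stdin, print the PTR target with the
# trailing dot stripped. Addresses without a PTR record produce no output.
parse_ptr() {
    awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF }'
}

# forward_sweep DOMAIN WORDLIST: resolve WORD.DOMAIN for every line of WORDLIST.
forward_sweep() {
    domain=$1; wordlist=$2
    while read -r word; do
        [ -z "$word" ] && continue
        host "$word.$domain" | parse_a
    done < "$wordlist"
}

# reverse_sweep PREFIX FIRST LAST: PTR lookups for PREFIX.FIRST .. PREFIX.LAST,
# where PREFIX is the first three octets of a /24 (e.g. 50.7.67).
reverse_sweep() {
    prefix=$1; first=$2; last=$3
    i=$first
    while [ "$i" -le "$last" ]; do
        ptr=$(host "$prefix.$i" | parse_ptr)
        [ -n "$ptr" ] && printf '%s\t%s\n' "$prefix.$i" "$ptr"
        i=$((i + 1))
    done
}

# Usage (placeholders):
#   forward_sweep example.com /usr/share/wordlists/dnsmap.txt
#   reverse_sweep 192.0.2 1 254
```

Sorting the output and diffing it against last month's run is a cheap way to spot newly exposed hostnames or stale PTR records in your own ranges.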
