DNS enumeration/DNS recon-reading

https://medium.com/p/55265457b29a/edit


https://securitytrails.com/blog/dns-enumeration

1. Identify what kind of information we need to look for through DNS tools, and find out the definitions of those record types.
2. Find out all the services that work behind DNS.
3. Write an automation script for DNS enumeration.

How DNS Works:

Authoritative name server / DNS records (aka zone files): DNS records are the instructions that live in authoritative DNS servers; the collection of records for one domain is its zone file.

DNS Enumeration:

Wildcard DNS record:

If the output of the command is greater than 1, it's a good indicator that there might be a wildcard configuration. For the next step this means that brute-forcing will return a lot of false positives, because the wildcard matches anything that is not a registered subdomain and points all of those names to the same place.
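A small added check for the wildcard situation described above (example code written for these notes, not taken from the linked SecurityTrails post): it resolves a few random labels under the zone, treats the zone as wildcarded only if every one of them answers, and then uses the collected wildcard addresses to strip false positives out of a brute-force result set. The resolver is injectable; `fake_resolve` and the `example.test` zone with 203.0.113.x addresses are constructed so the script runs offline, and `system_resolve` is the stdlib-only default for a zone you administer.

```python
import random
import socket
import string


def system_resolve(name: str) -> set[str]:
    """Resolve a name with the system resolver; an empty set means no answer."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def random_label(length: int = 16) -> str:
    """A label that nobody would have registered on purpose."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve=system_resolve, probes: int = 3):
    """Resolve several random labels under `domain`.

    Returns (is_wildcard, addresses). The zone counts as wildcarded only if
    every random label resolved; `addresses` is the union of what they
    resolved to, i.e. the set to discard from later brute-force output.
    """
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    if not all(answers):
        return False, set()
    return True, set().union(*answers)


def filter_wildcard_hits(results: dict[str, set[str]],
                         wildcard_addrs: set[str]) -> dict[str, set[str]]:
    """Drop names whose answers are fully explained by the wildcard address set."""
    return {name: addrs for name, addrs in results.items()
            if not addrs <= wildcard_addrs}


# Constructed resolver for the offline demonstration: every name under
# example.test is caught by a wildcard except www, which has its own record.
def fake_resolve(name: str) -> set[str]:
    if name == "www.example.test":
        return {"203.0.113.20"}
    if name.endswith(".example.test"):
        return {"203.0.113.10"}
    return set()


if __name__ == "__main__":
    is_wild, addrs = detect_wildcard("example.test", resolve=fake_resolve)
    print("wildcard:", is_wild, addrs)
    hits = {"www.example.test": {"203.0.113.20"},
            "zzz.example.test": {"203.0.113.10"}}
    print("real records:", filter_wildcard_hits(hits, addrs))
```

Requiring all probes to resolve, rather than one, avoids mislabelling a zone as wildcarded because a single random label happened to collide with a real record.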

DNS Dumpster

If you look at this you can learn so much before even hitting the domain. Look at the A records and where DNS is hosted. These can contain hugely informative pointers such as:

  • Where is their mail hosted?

  • Where are they hosting DNS? Are they using a WAF or Proxy service like Cloudflare?

  • What platform are they hosting on? They might reuse this service for other things.

  • What countries/geo locations do they host in?

  • Is there any pattern to the type of subdomains? Can you try and enumerate more? For example (server1.mydomain.com), or (mustang.mydomain.com, charger.mydomain.com).

  • Where did they register the domain? Are there other domains registered from the same registrar?

Sublist3r, aiodnsbrute, subfinder, amass; full-on DNS brute force using MassDNS or ZDNS.

Host

NsLookup

Dig

Dnsenum

Amass

https://www.dionach.com/blog/how-to-use-owasp-amass-an-extensive-tutorial/
https://hakluke.medium.com/haklukes-guide-to-amass-how-to-use-amass-more-effectively-for-bug-bounties-7c37570b83f7
https://www.hackingarticles.in/4-ways-dns-enumeration/
https://medium.com/@klockw3rk/back-to-basics-dns-enumeration-446017957aa3
https://delta.navisec.io/web-enumeration-reference/
https://0x00sec.org/t/what-is-your-go-to-dns-enumeration-methodology-discussion/20169/11

DNS vulnerabilities:

AXFR (Asynchronous Transfer Full Range) transfer. Similar to zone transfer, there is a so-called NSEC walking attack, which enumerates DNSSEC-signed zones.

DNS spoofing, DNS hijacking and DNS server attacks such as domain fronting.

https://securitytrails.com/blog/most-popular-types-dns-attacks
https://securitytrails.com/blog/risks-of-modern-free-ssl-certificates-and-stale-dns-records
https://portswigger.net/daily-swig/dns
https://securitytrails.com/blog/domain-tools
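The AXFR check as an added, stdlib-only example (written for these notes, not code from any of the linked articles): it builds a DNS query of type 252 (AXFR) by hand, sends it to an authoritative server over TCP with the two-byte length prefix, and classifies the first response by its RCODE. A hardened server answers REFUSED (or NOTAUTH); a server that still allows transfers to anyone answers NOERROR with the SOA and the rest of the zone in the answer section, which is the condition to alert on for zones you administer. `build_sample_response` and the `example.test` zone are constructed so the parsing path can be exercised offline; `check_axfr` is the live path.

```python
import socket
import struct

AXFR_QTYPE = 252  # RFC 1035 QTYPE for a full zone transfer
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header (flags 0: plain query) + one question of type AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR_QTYPE, 1)


def parse_axfr_response(msg: bytes, expected_txid: int = 0x1234) -> dict:
    """Classify the first message a server returns for an AXFR request (header only)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return {
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": ancount,
        # A server honouring the request answers NOERROR with at least the SOA record.
        "zone_transferred": rcode == 0 and ancount > 0,
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_axfr(nameserver: str, zone: str, timeout: float = 5.0) -> dict:
    """Ask `nameserver` for a transfer of `zone` over TCP and report how it responded."""
    query = build_axfr_query(zone)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return parse_axfr_response(recv_exact(sock, length))


def build_sample_response(rcode: int, ancount: int, zone: str = "example.test",
                          txid: int = 0x1234) -> bytes:
    """Constructed response for offline testing: QR bit set, question echoed.

    The answer records themselves are omitted because the parser only reads
    the header counts.
    """
    header = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1, ancount, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR_QTYPE, 1)


if __name__ == "__main__":
    print(parse_axfr_response(build_sample_response(5, 0)))  # hardened server
    print(parse_axfr_response(build_sample_response(0, 7)))  # transfer allowed
```

To make this a recurring control rather than a one-off, run `check_axfr` against every NS record of each zone you own and fail the job whenever `zone_transferred` is true; the fix on the server side is an allow-list of secondaries (for example `allow-transfer` in BIND) rather than leaving it open.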

Tweets:

Here are the tools I am using and why!
  • ShuffleDNS -> Active DNS Enumeration
  • FFUF -> Content Discovery
  • Gau -> Param & Endpoint
  • Curl -> Check Mass Response
  • Burp Suite -> Manual Lookup

2 - Active Information Gathering:
  • Network tracing
  • DNS Enumeration
  • Reverse Lookup Brute Force
  • DNS Zone Transfers
  • Port Scanning
  • Network Sweeping
  • OS Fingerprinting
  • Service Enumeration
  • Banner grabbing, etc.

Google Search Strings: DNS attacks DNS vulnerabilities DNS Enumeration

TODO: https://www.youtube.com/watch?v=nlFAj2raoj4

Dictionary brute force:

In a dictionary brute force, we use a wordlist directly against the domain name, resolving each word as a label under it, to find valid subdomains.

Tools:

Permutation brute force:

In a permutation brute force, we build a new list of subdomains to resolve from the subdomains/domains already known, by applying permutations, mutations and alterations from a wordlist to those names.
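Both brute-force styles from the two paragraphs above, dictionary and permutation, as one added example written for these notes (not the code of any tool listed on this page). `dictionary_candidates` turns a wordlist into names under the zone; `permutation_candidates` derives new names from ones already known to exist by joining wordlist entries before or after the leftmost label, appending numbers, and incrementing trailing digits while keeping their width (web01 -> web02); `resolve_candidates` then resolves whatever came out and keeps only the names that answered. The `FAKE_ZONE` data and `fake_resolve` are constructed so it runs offline; the same technique is what attack-surface-management tooling uses to find forgotten hosts in zones you administer.

```python
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable


def dictionary_candidates(domain: str, wordlist: Iterable[str]) -> list[str]:
    """Dictionary brute force: each distinct wordlist entry becomes a label under `domain`."""
    seen, out = set(), []
    for word in wordlist:
        word = word.strip().lower()
        if word and word not in seen:
            seen.add(word)
            out.append(f"{word}.{domain}")
    return out


def permutation_candidates(known: Iterable[str], domain: str, words: Iterable[str],
                           numbers: Iterable[int] = range(1, 3)) -> list[str]:
    """Permutation brute force: derive new names from subdomains already known to exist.

    Alterations are applied to the leftmost label of each known name: a word
    joined before or after it with '-', '' or '.', a number appended, and any
    trailing digits incremented with their zero-padding preserved.
    """
    suffix = "." + domain
    labels = {n.strip().lower()[:-len(suffix)]
              for n in known if n.strip().lower().endswith(suffix)}
    words = [w.strip().lower() for w in words if w.strip()]
    numbers = list(numbers)
    out = set()
    for label in labels:
        head, sep, rest = label.partition(".")
        tail = sep + rest
        for w in words:
            for variant in (f"{w}-{head}", f"{w}{head}", f"{w}.{head}",
                            f"{head}-{w}", f"{head}{w}", f"{head}.{w}"):
                out.add(variant + tail)
        for n in numbers:
            out.add(f"{head}{n}{tail}")
            out.add(f"{head}-{n}{tail}")
        m = re.fullmatch(r"(.*?)(\d+)", head)
        if m:
            base, digits = m.groups()
            for n in numbers:
                out.add(f"{base}{int(digits) + n:0{len(digits)}d}{tail}")
    out -= labels  # never re-emit what we already knew
    return sorted(f"{candidate}.{domain}" for candidate in out)


def resolve_candidates(candidates: Iterable[str], resolve: Callable[[str], set[str]],
                       workers: int = 16) -> dict[str, set[str]]:
    """Resolve candidates concurrently; keep only the names that answered."""
    candidates = list(candidates)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(resolve, candidates))
    return {name: addrs for name, addrs in zip(candidates, answers) if addrs}


# Constructed zone data for the offline demonstration; swap `fake_resolve` for a
# real resolver (e.g. one built on socket.getaddrinfo) against a zone you administer.
FAKE_ZONE = {
    "www.example.test": {"203.0.113.20"},
    "dev.example.test": {"203.0.113.30"},
    "dev-api.example.test": {"203.0.113.31"},
    "web02.example.test": {"203.0.113.32"},
}


def fake_resolve(name: str) -> set[str]:
    return set(FAKE_ZONE.get(name, set()))


if __name__ == "__main__":
    found = resolve_candidates(dictionary_candidates("example.test", ["www", "mail", "dev"]),
                               fake_resolve)
    print("dictionary:", found)
    derived = permutation_candidates(found, "example.test", ["api", "staging"])
    print("permutation:", resolve_candidates(derived, fake_resolve))
```

Feeding the dictionary hits back into `permutation_candidates` is the usual loop: each round's confirmed names seed the next, and the wildcard filter from the earlier section should be applied to every round's output before it is trusted.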

Tool:
