DNS Enumeration


  • Distributed database responsible for translating user-friendly domain names into IP addresses

  • Hierarchical structure divided into several zones, starting with the top-level root zone

Most Common Types of DNS Records

  • NS - Nameserver records contain the name of the authoritative server hosting the DNS records for the domain

  • A - contains the IPv4 address of a hostname

  • AAAA - known as a quad-A record, contains the IPv6 address of a hostname

  • MX - Mail Exchange record, names the servers that accept mail for the domain

  • PTR - Pointer records are used in reverse lookup zones to find the record associated with an IP address

  • CNAME - Canonical Name records are used to create aliases for other host records

  • TXT - can contain arbitrary data used for various purposes, such as domain ownership verification

DNS Recon Scripting

host command

The host command can find the IP address of www.megacorpone.com:

  • host www.megacorpone.com

  • host -t mx megacorpone.com (or host -t txt megacorpone.com) to query a specific record type

To determine whether megacorpone.com has a hostname idontexit we can use:

host idontexit.megacorpone.com

The response differs for valid and invalid hostnames (a valid name returns a record, an invalid one returns "not found"), so we can use this difference to enumerate DNS names with a script.

DNS query brute-forcing Script

#!/bin/bash
read -p "Type domain name : " domain
read -p "Type wordlist path : " path
# print the wordlist that will be tried (optional)
echo $(cat "$path")
# try each word as a subdomain of the target and drop the "not found" (NXDOMAIN) lines
for sub in $(cat "$path"); do
  host "$sub.$domain"
done | grep -v "not found"

Example common wordlist for brute-force

www
ftp
mail
owa
proxy
router
staging
staging2
staging3
no-prod
prod
test
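As an added example that is not part of the original notes, the following script separates the lookup step from the parsing step, so that instead of relying on grep -v "not found" it turns host output into "type name value" lines, drops NXDOMAIN answers, flags resolver errors (SERVFAIL, timeouts) separately, and de-duplicates the hits. The sample host output embedded at the bottom is constructed (example.com names and TEST-NET/documentation addresses), so the parser can be exercised offline; brute_force_dns is the function that would actually perform lookups against a target you are authorised to test.

```shell
#!/bin/bash
# Added example, not from the original notes: DNS brute-force helper that
# separates the lookup step from the parsing step.

# parse_host_output: reads `host` output on stdin and prints one line per
# finding, "<type> <name> <value>" where type is A, AAAA or CNAME.
# NXDOMAIN ("not found") lines are dropped; SERVFAIL/timeout lines go to
# stderr so resolver problems are not mistaken for non-existent names.
parse_host_output() {
  awk '
    /has address/        { print "A " $1 " " $NF; next }
    /has IPv6 address/   { print "AAAA " $1 " " $NF; next }
    /is an alias for/    { t = $NF; sub(/\.$/, "", t); print "CNAME " $1 " " t; next }
    /not found/          { next }
    /SERVFAIL|timed out/ { print "resolver error: " $0 > "/dev/stderr" }
  ' | sort -u
}

# brute_force_dns DOMAIN WORDLIST: forward-lookup every word in WORDLIST as
# a subdomain of DOMAIN and parse the results. Needs network access and is
# not called at top level here.
brute_force_dns() {
  local domain="$1" wordlist="$2" sub
  while IFS= read -r sub; do
    [ -z "$sub" ] && continue          # skip blank lines in the wordlist
    host "$sub.$domain"
  done < "$wordlist" | parse_host_output
}

# Constructed sample of `host` output (not real lookups; 192.0.2.0/24 and
# 2001:db8::/32 are documentation ranges). The alias line is followed by the
# canonical name's A record, exactly as `host` prints it, so the parser must
# de-duplicate.
SAMPLE_HOST_OUTPUT='www.example.com has address 192.0.2.10
mail.example.com has address 192.0.2.20
mail.example.com has IPv6 address 2001:db8::20
ftp.example.com is an alias for www.example.com.
www.example.com has address 192.0.2.10
idontexist.example.com not found: 3(NXDOMAIN)'

# count_records TYPE: number of parsed records of TYPE in the sample output
count_records() {
  printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output | grep -c "^$1 " || true
}

# Show the parsed sample when the script is run directly
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output
```

Running it prints two A records, one AAAA record and one CNAME, and nothing for idontexist. To use it for real, call brute_force_dns megacorpone.com wordlist.txt with the wordlist shown above; the function reads the wordlist line by line rather than word-splitting it, so entries containing spaces or a trailing blank line do not produce stray lookups.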

Other Kali Tools

dnsrecon

  • Standard scan

    • dnsrecon -d megacorpone.com -t std

  • Brute-force scan

    • dnsrecon -d megacorpone.com -D ~/list.txt -t brt

dnsenum

  • dnsenum megacorpone.com

Windows DNS Enumeration

On Windows, the nslookup command can be used for DNS enumeration:

nslookup -type=TXT info.megacorptwo.com
