[53] DNS Enumeration

DNS Concept	Description	Example
Domain Name	A human-readable label for a website or other internet resource.	www.example.com
IP Address	A unique numerical identifier assigned to each device connected to the internet.	192.0.2.1
DNS Resolver	A server that translates domain names into IP addresses.	Your ISP's DNS server or public resolvers like Google DNS (8.8.8.8)
Root Name Server	The top-level servers in the DNS hierarchy.	There are 13 root servers worldwide, named A-M: a.root-servers.net
TLD Name Server	Servers responsible for specific top-level domains (e.g., .com, .org).	Verisign for .com, PIR for .org
Authoritative Name Server	The server that holds the actual IP address for a domain.	Often managed by hosting providers or domain registrars.
DNS Record Types	Different types of information stored in DNS.	A, AAAA, CNAME, MX, NS, TXT, etc.

Record Type	Full Name	Description	Zone File Example
A	Address Record	Maps a hostname to its IPv4 address.	www.example.com. IN A 192.0.2.1
AAAA	IPv6 Address Record	Maps a hostname to its IPv6 address.	www.example.com. IN AAAA 2001:db8:85a3::8a2e:370:7334
CNAME	Canonical Name Record	Creates an alias for a hostname, pointing it to another hostname.	blog.example.com. IN CNAME webserver.example.net.
MX	Mail Exchange Record	Specifies the mail server(s) responsible for handling email for the domain.	example.com. IN MX 10 mail.example.com.
NS	Name Server Record	Delegates a DNS zone to a specific authoritative name server.	example.com. IN NS ns1.example.com.
TXT	Text Record	Stores arbitrary text information, often used for domain verification or security policies.	example.com. IN TXT "v=spf1 mx -all" (SPF record)
SOA	Start of Authority Record	Specifies administrative information about a DNS zone, including the primary name server, responsible person's email, and other parameters.	example.com. IN SOA ns1.example.com. admin.example.com. 2024060301 10800 3600 604800 86400
SRV	Service Record	Defines the hostname and port number for specific services.	_sip._udp.example.com. IN SRV 10 5 5060 sipserver.example.com.
PTR	Pointer Record	Used for reverse DNS lookups, mapping an IP address to a hostname.	1.2.0.192.in-addr.arpa. IN PTR www.example.com.

Common dig Commands

Command	Description
dig domain.com	Performs a default A record lookup for the domain.
dig domain.com A	Retrieves the IPv4 address (A record) associated with the domain.
dig domain.com AAAA	Retrieves the IPv6 address (AAAA record) associated with the domain.
dig domain.com MX	Finds the mail servers (MX records) responsible for the domain.
dig domain.com NS	Identifies the authoritative name servers for the domain.
dig domain.com TXT	Retrieves any TXT records associated with the domain.
dig domain.com CNAME	Retrieves the canonical name (CNAME) record for the domain.
dig domain.com SOA	Retrieves the start of authority (SOA) record for the domain.
dig @1.1.1.1 domain.com	Specifies a specific name server to query; in this case 1.1.1.1
dig +trace domain.com	Shows the full path of DNS resolution.
dig -x 192.168.1.1	Performs a reverse lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server.
dig +short domain.com	Provides a short, concise answer to the query.
dig +noall +answer domain.com	Displays only the answer section of the query output.
dig domain.com ANY	Retrieves all available DNS records for the domain (Note: Many DNS servers ignore ANY queries to reduce load and prevent abuse, as per RFC 8482).

#Subdomain Bruteforcing
Intrusionz3r0X@htb[/htb]$ dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r

#Reverse lookup
Intrusionz3r0X@htb[/htb]$ nslookup            
> SERVER 10.10.10.29
> 127.0.0.1
> 10.10.10.29 #Revere 

#Reverse lookup with dig
dig @10.10.10.10 -x 10.10.10.10 +short

Intrusionz3r0X@htb[/htb]$ dnsrecon -r 127.0.0.1/24 -n 10.10.10.29
Intrusionz3r0X@htb[/htb]$ dnsenum --dnsserver 10.10.10.248 -f /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -o scans/dnsenum-bitquark-intelligence.htb intelligence.htb

# AXFR Zone Transfer
Intrusionz3r0X@htb[/htb]$ dig axfr inlanefreight.htb @10.129.22.217 | grep -oP "\w*\.inlanefreight.htb" | sort -u > subdomains.txt
Intrusionz3r0X@htb[/htb]$ dig axfr @<DNS_IP> #Try zone transfer without domain

# Query A Records
Intrusionz3r0X@htb[/htb]$ nslookup facebook.com
Intrusionz3r0X@htb[/htb]$ dig facebook.com @1.1.1.1
Intrusionz3r0X@htb[/htb]$ dig +short @10.10.11.205 cerberus.local

#Querying: A Records for a Subdomain
Intrusionz3r0X@htb[/htb]$ nslookup -query=A www.facebook.com

#Querying: PTR Records for an IP Address
Intrusionz3r0X@htb[/htb]$ nslookup -query=PTR 31.13.92.36
Intrusionz3r0X@htb[/htb]$ dig -x 31.13.92.36 @1.1.1.1

#Querying: ANY Existing Records
Intrusionz3r0X@htb[/htb]$ nslookup -query=ANY facebook.com
Intrusionz3r0X@htb[/htb]$ dig any google.com @8.8.8.8

#Querying: TXT Records
Intrusionz3r0X@htb[/htb]$ nslookup -query=TXT facebook.com
Intrusionz3r0X@htb[/htb]$ dig txt facebook.com @1.1.1.1

#Querying: MX Records
Intrusionz3r0X@htb[/htb]$ nslookup -query=MX facebook.com
Intrusionz3r0X@htb[/htb]$ dig mx facebook.com @1.1.1.1

#Get information about specific domain/ip
Intrusionz3r0X@htb[/htb]$ whois 157.240.199.35

#Subdomain Brute Forcing
Intrusionz3r0X@htb[/htb]$ for sub in $(cat /usr/share/secLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
Intrusionz3r0X@htb[/htb]$ dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

#Count the A register (for fun)
Intrusionz3r0X@htb[/htb]$ echo $(($(dig axfr inlanefreight.htb @10.129.22.217 | column -t | awk '{print $5}' | grep -oP "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" | wc -l)+$(dig axfr internal.inlanefreight.htb @10.129.22.217 | column -t | awk '{print $5}' | grep -oP "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" | wc -l)))

#Automatic tool to enumerate
Intrusionz3r0X@htb[/htb]$ fierce --domain zonetransfer.me

#Enumerate subdomainms
Intrusionz3r0X@htb[/htb]$ ./subfinder -d inlanefreight.com -v    

Intrusionz3r0X@htb[/htb]$ git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
Intrusionz3r0X@htb[/htb]$ cd subbrute
Intrusionz3r0X@htb[/htb]$ echo "ns1.inlanefreight.com" > ./resolvers.txt
Intrusionz3r0X@htb[/htb]$ ./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

DomainTakeOver

Domain takeover is registering a non-existent domain name to gain control over another domain. If attackers find an expired domain, they can claim that domain to perform further attacks such as hosting malicious content on a website or sending a phishing email leveraging the claimed domain.

Tool:

https://github.com/EdOverflow/can-i-take-over-xyz