A Penetration Testing Framework
DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functionality.
> host -t ns megacorpone.com # -t : record type, ns : name servers
> host -t mx megacorpone.com # mx : mail servers
nslookup
> nslookup anasboureada.com
dig
> dig aboureada.com # dig can also be used for the same queries
Now that we have some initial data from the megacorpone.com domain, we can continue to use additional DNS queries to discover more host names and IP addresses belonging to megacorpone.com.
> host www.megacorpone.com # we will find that this name resolves to an IP address
> host idontexist.megacorpone.com # this name is not found
Taking the previous concept a step further, we can automate the Forward DNS Lookup of common host names using the host command and a Bash script.
> echo www > list.txt
> echo ftp >> list.txt
> echo mail >> list.txt
> echo owa >> list.txt
> echo proxy >> list.txt
> echo router >> list.txt
> echo api >> list.txt
> for ip in $(cat list.txt);do host $ip.megacorpone.com;done
If the DNS administrator of megacorpone.com configured PTR records for the domain, we might find out some more domain names that were missed during the forward lookup brute-force phase.
> for ip in $(seq 155 190);do host 50.7.67.$ip;done | grep -v "not found"
# grep -v :: --invert-match
> host -l megacorpone.com ns1.megacorpone.com # ns1 refused us our zone transfer request
# -l :: list all hosts in a domain
> host -l megacorpone.com ns2.megacorpone.com
# The result is a full dump of the zone file for the megacorpone.com domain,
# providing us a convenient list of IPs and DNS names for the megacorpone.com domain.
> host -t axfr zonetransfer.me nsztm1.digi.ninja.
> dig axfr zonetransfer.me @nsztm1.digi.ninja # dig syntax: zone first, server after @
Now let's automate the process:
To get the name servers for a given domain in a clean format, we can issue the following command.
> host -t ns megacorpone.com | cut -d " " -f 4
# -d :: --delimiter=DELIM ;
# -f :: --fields=LIST select only these fields on each line;
Taking this a step further, we could write the following simple Bash script to automate the procedure of discovering and attempting a zone transfer on each DNS server found.
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if an argument was given; if not, print usage
if [ -z "$1" ]; then
    echo "[-] Simple Zone transfer script"
    echo "[-] Usage : $0 <domain name> "
    exit 0
fi
# If an argument was given, identify the DNS servers for the domain
# (field 4 of "megacorpone.com name server ns1.megacorpone.com.")
for server in $(host -t ns "$1" | cut -d" " -f4); do
    # For each of these servers, attempt a zone transfer and keep only A records
    host -l "$1" "$server" | grep "has address"
done
Running this script on megacorpone.com should automatically identify both name servers and attempt a zone transfer against each of them.
> chmod 755 dns--axfr.sh
> ./dns--axfr.sh megacorpone.com
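An added AXFR audit script (not from the original notes) that generalizes the script above: it parses the `host` output in separate functions, prints a verdict per name server, and runs on constructed sample output when no domain is given, so the parsing can be checked offline. The live path assumes the `host` binary and network access; the sample lines are constructed, not captured from real servers.

```shell
#!/bin/sh
# Added example, not part of the original notes: report which authoritative
# name servers of a domain answer a zone-transfer (AXFR) request, the check a
# defender runs against their own zone. Parsing is kept separate from network calls.

# Read `host -t ns <domain>` output on stdin and print one name server per
# line, without the trailing dot. Input lines look like:
#   megacorpone.com name server ns1.megacorpone.com.
parse_ns() {
    awk '/ name server /{ sub(/\.$/, "", $NF); print $NF }'
}

# Read `host -l <domain> <server>` output on stdin and print a verdict:
# OPEN    - the server returned records ("has address" lines), i.e. AXFR allowed
# CLOSED  - the server rejected the transfer ("; Transfer failed." / REFUSED)
# UNKNOWN - nothing recognisable (timeout, unresolvable server, empty output)
classify_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "has address"; then
        echo OPEN
    elif printf '%s\n' "$out" | grep -qiE "transfer failed|refused"; then
        echo CLOSED
    else
        echo UNKNOWN
    fi
}

# Live audit: query each name server of $1 and print "<server> <verdict>".
# Needs the `host` binary and network access.
audit_axfr() {
    domain=$1
    for server in $(host -t ns "$domain" | parse_ns); do
        printf '%s %s\n' "$server" "$(host -l "$domain" "$server" 2>&1 | classify_axfr)"
    done
}

# Constructed sample output (not captured from real servers) for offline use.
SAMPLE_NS='megacorpone.com name server ns1.megacorpone.com.
megacorpone.com name server ns2.megacorpone.com.'
SAMPLE_AXFR_OPEN='www.megacorpone.com has address 50.7.67.186
mail.megacorpone.com has address 50.7.67.187'
SAMPLE_AXFR_CLOSED='; Transfer failed.'
if [ $# -gt 0 ]; then
    audit_axfr "$1"                       # e.g. ./dns-axfr-audit.sh megacorpone.com
else
    printf '%s\n' "$SAMPLE_NS" | parse_ns
    printf '%s\n' "$SAMPLE_AXFR_OPEN"   | classify_axfr   # OPEN
    printf '%s\n' "$SAMPLE_AXFR_CLOSED" | classify_axfr   # CLOSED
fi
```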
> dnsrecon -d megacorpone.com -t axfr
# -d :: domain
# -t :: type of Enumeration to perform
# axfr :: test all ns servers for zone transfer
> dnsenum zonetransfer.me
NOTE: the fierce version included in the latest Kali release may not work, so install the newer version with pip instead:
> pip3 install fierce
> fierce --domain zonetransfer.me
nmap -F --dns-servers
host -t ns megacorpone.com
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
dig a domain-name-here.com @nameserver
dig mx domain-name-here.com @nameserver
dig axfr domain-name-here.com @nameserver
nslookup -> set type=any -> ls -d blah.com
dig axfr blah.com @ns1.blah.com
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
dnsrecon -d megacorpone.com -t axfr
dnsenum zonetransfer.me