> For the complete documentation index, see [llms.txt](https://book.ice-wzl.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.ice-wzl.xyz/recon-enumeration/pentesting-dns.md).

# Pentesting DNS

### **Whois**

* A whois lookup returns general information about the domain such as the registrar, the registrant and contact details, and the authoritative name servers used

```
whois [domain]
whois cisco.com
```

### **Nslookup**

* Stands for "name server lookup"; it queries DNS to obtain the records for a name

```
nslookup [domain]
nslookup cisco.com
```

* May have to install the dnsutils package

```
sudo apt-get install dnsutils -y
```

#### **Query the DNS records**

```
nslookup -type=[record type] [domain]
nslookup -type=any cisco.com
```

* Many servers refuse or minimise `ANY` queries (RFC 8482), so when the `any` answer looks empty, query the record types you care about (`a`, `aaaa`, `mx`, `ns`, `txt`, `soa`) one at a time.

### nslookup information leakage

* A host with DNS open will often disclose its own hostname if you point nslookup at it and ask it to reverse-resolve loopback and its own address (PTR lookups): a server that answers for `127.0.0.1` frequently returns the hostname it is configured with.

```
nslookup
> server <ip of target>
> 127.0.0.1
> 127.0.0.2
> <ip of target>
```

### **Host**

* Another application to perform DNS lookups.

```
host [domain]
```

### **Zone Transfers**

* DNS servers need to be highly available: when one goes down another steps in. For that to work every server for a zone must hold the same data, so they synchronise with each other on a regular basis.
* The mechanism that replicates a DNS database between servers is called a zone transfer (AXFR), and the replicated database is the DNS zone.
* A zone transfer is one DNS server transferring the full zone contents to another DNS server.
* A successful transfer potentially yields a complete list of all hosts in the zone, which is why authoritative servers should only allow it from their own secondaries.
* Testing for zone transfers:
* First retrieve the name servers for the domain with the Host tool, then use Host again to request a transfer from each name server.
* To retrieve the name servers for cisco.com domain name we use:

```
host -t ns cisco.com
```

* Output (a domain usually lists several name servers; test each one):

```
cisco.com name server ns1.cisco.com.
```

* Now that we know a name server we can supply it as the second argument. `-l` requests a zone listing, which is an AXFR, so `-t axfr` is redundant but harmless:

```
host -t axfr -l cisco.com ns1.cisco.com
```

### **Dig**

* Short for Domain Information Groper, dig is another tool for querying DNS servers.

* To query a specific record type you can use the -t option (just like with Host). The following command retrieves the mx records for the google.com domain:

```
dig -t mx google.com
```

* Or you can request all records

```
dig -t any google.com
```

* Can also test for zone transfers (`dig axfr [domain] @[name server]`; dig accepts the domain and the `@server` in either order):

```
dig axfr @nsztm1.digi.ninja zonetransfer.me
```

* Using dig to subdomain bruteforce

```bash
# For each candidate label, query the target resolver directly, drop comment and SOA lines
# and blank lines, and keep only answer lines that mention the label
for sub in $(cat /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt); do
    dig "$sub.trilocor.local" @10.129.204.10 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains-dig.txt
done
```

### **Fierce**

* Fierce is a recon tool that locates non-contiguous IP space and hostnames using DNS. The original was a Perl script; the current version, which takes the `--domain` syntax shown below, is a Python rewrite.
* This tool helps locate targets inside and outside of the corporate network.

```
fierce -h
fierce -dns google.com
```

Updated syntax (newer versions):

```bash
fierce --domain zonetransfer.me
```

* Fierce first lists the domain's name servers, attempts a zone transfer against every one of them, checks for a wildcard DNS record (so that every brute-forced name does not look like a hit), and then brute forces subdomains using an internal wordlist.
* By default fierce uses its own wordlist, but you can supply your own:

```
fierce -dns google.com -wordlist [path to wordlist]
```
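The wildcard check Fierce runs before brute forcing (and which the bare `dig` loop above lacks) written out by hand, as an added example that is not Fierce's code and not from the page. The resolver is injectable so the logic runs offline: the zone `example.test`, its addresses, the wordlist and `fake_resolve` are all constructed for the demo, while `system_resolve` (the default) uses the OS stub resolver against a real domain.

```python
"""Wildcard-aware subdomain brute force (added example; not Fierce's code)."""
import random
import socket
import string


def system_resolve(name):
    """Resolve with the OS stub resolver. Returns a sorted list of IPv4
    addresses, or [] on NXDOMAIN / lookup failure."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except (socket.gaierror, socket.herror, UnicodeError):
        return []


def detect_wildcard(domain, resolve=system_resolve, probes=3):
    """Resolve a few random labels under `domain`. If they all resolve, the
    zone has a wildcard; return the set of addresses every probe shared."""
    shared = None
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        ips = set(resolve(f"{label}.{domain}"))
        if not ips:
            return set()          # a random name did not resolve: no wildcard
        shared = ips if shared is None else shared & ips
    return shared or set()


def brute_force(domain, words, resolve=system_resolve):
    """Return {fqdn: [ips]} for wordlist entries that resolve to something
    other than the wildcard answer."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue              # skip blanks and wordlist comments
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        if not ips:
            continue
        if wildcard_ips and set(ips) <= wildcard_ips:
            continue              # just the wildcard echoing back
        found[fqdn] = ips
    return found


# Constructed fake zone for the offline demo (hypothetical names and addresses).
# Everything under example.test that is not listed resolves to the wildcard.
WILDCARD_IP = "10.10.10.99"
FAKE_ZONE = {
    "www.example.test": ["10.10.10.5"],
    "mail.example.test": ["10.10.10.25"],
    "dev.example.test": [WILDCARD_IP],   # real record, but indistinguishable from the wildcard
}


def fake_resolve(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return [WILDCARD_IP]                 # *.example.test
    return []


SAMPLE_WORDS = ["www", "mail", "dev", "vpn", "# comment", ""]

if __name__ == "__main__":
    # Pass system_resolve (or omit the argument) to run against a real zone.
    for host, ips in sorted(brute_force("example.test", SAMPLE_WORDS, fake_resolve).items()):
        print(host, ",".join(ips))
```

The filter is deliberately conservative: `dev.example.test` is dropped because its answer is identical to the wildcard's, which is exactly the false negative a wildcard zone creates. When hosts legitimately share the wildcard address (everything behind one load balancer), fall back to a different signal such as an HTTP probe with the `Host` header set.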

### **DNSenum**

* DNSenum is a perl script that enumerates the DNS information of a domain and discovers non-contiguous IP blocks. This tool will also attempt zone transfers.

```
dnsenum [domain name]
```

* subdomain bruteforce
* <https://github.com/fwaeytens/dnsenum>

```
dnsenum --dnsserver 10.129.33.40 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt inlanefreight.htb --threads 64
```

### **DNSrecon**

* DNSrecon is another automated tool that can be used to query DNS records, check for zone transfers and other tasks.

```
dnsrecon -d google.com
```

```
user@slingshot:~$ dnsrecon -n 8.8.8.8 -d clifbar.com -w
[*] Performing General Enumeration of Domain: clifbar.com
[-] DNSSEC is not configured for clifbar.com
[*]      SOA ns-1288.awsdns-33.org 205.251.197.8
...trimmed for brevity...
[*]      SRV _sip._tls.clifbar.com pulsip.clifbar.com 87.246.98.42 443 0
[+] 9 Records Found
[*] Performing Whois lookup against records found.
[*] The following IP Ranges where found:
[*]      0) 205.251.192.0-205.251.255.255 Amazon.com, Inc.
[*]      1) 205.251.192.0-205.251.199.255 Amazon Data Services NoVa
[*]      2) 67.231.144.0-67.231.159.255 Proofpoint, Inc.
[*]      3) 13.200.0.0-13.239.255.255 Amazon Technologies Inc.
[*]      4) 13.224.0.0-13.227.255.255 Amazon.com, Inc.
[*]      5) 213.128.224.0-213.128.255.255 UK-SOL-20020703
[*]      6) 87.246.76.32-87.246.76.63 pulsant15311
[*]      7) 87.246.98.0-87.246.98.127 pulsant1880
[*] What Range do you wish to do a Revers Lookup for?
[*] number, comma separated list, a for all or n for none
```

* `-n` selects the resolver to query; `-w` performs the deeper enumeration: a whois lookup on every address found, followed by the offer to reverse-resolve the ranges returned, which is what produces the IP-range list above.

### **Sublist3r**

* Sublist3r enumerates subdomains from passive sources (search engines such as Google, Yahoo, Bing and Baidu, plus services like VirusTotal, Netcraft, DNSdumpster and ThreatCrowd) and can hand the results to the bundled subbrute module for wordlist brute forcing.
* When attempting large numbers of entries, subbrute spreads its queries across open resolvers to get around rate limiting on any single resolver
* To install:

```
apt update && apt -y install sublist3r
```

* Default scan without subbrute:

```
sublist3r -d google.com
```

* To apply brute forcing with subbrute we add the -b option to the command and can specify the number of threads to use with the -t option

```
sublist3r -d google.com -b -t 100
```

### SUBBRUTE

* <https://github.com/TheRook/subbrute>

```
git clone https://github.com/TheRook/subbrute.git > /dev/null 2>&1
cd subbrute
echo "ns1.inlanefreight.htb" > ./resolvers.txt
./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
./subbrute.py inlanefreight.htb -s ./newnames.txt -r ./resolvers.txt -c 16 -p
```

### SUBFINDER

<https://github.com/projectdiscovery/subfinder>

```
./subfinder -d inlanefreight.com -v
```

### **The Harvester**

* Example: we want to find any email address for the cisco.com domain using Yahoo.
* We will specify the domain to search for with -d, the data source with -b and limit the results to 100 by adding -l 100:

```
theharvester -d cisco.com -b yahoo -l 100
```

### crt.sh (Certificate Transparency)

* Certificate Transparency logs reveal subdomains through the names in issued TLS certificates, without sending a single query to the target
* <https://crt.sh>

```bash
# Find all subdomains via crt.sh API (q=%25.TARGET.com matches every subdomain; name_value may hold
# several newline-separated SANs, which jq -r prints one per line; strip the "*." of wildcard certs)
curl -s "https://crt.sh/?q=TARGET.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# Filter for specific subdomain pattern (e.g., "dev")
curl -s "https://crt.sh/?q=TARGET.com&output=json" | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u
```
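The same extraction as the `curl | jq` pipeline above, but handling the rough edges of the crt.sh JSON in one place (newline-separated SANs, wildcard and mixed-case names, and `%`-search hits that merely contain the domain). This is an added example, not crt.sh's or the page's code; the `SAMPLE_JSON` entries are constructed to look like crt.sh output and the `target.com` names in them are made up.

```python
"""Parse crt.sh JSON into a clean host list (added example)."""
import json
import re

# Constructed sample shaped like the crt.sh output=json response; not real data.
SAMPLE_JSON = json.dumps([
    {"common_name": "www.target.com", "name_value": "www.target.com\ntarget.com",
     "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA", "not_before": "2023-01-01T00:00:00"},
    {"common_name": "*.dev.target.com", "name_value": "*.dev.target.com\ndev.target.com",
     "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA", "not_before": "2023-02-01T00:00:00"},
    {"common_name": "mail.target.com", "name_value": "MAIL.target.com",
     "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA", "not_before": "2022-06-01T00:00:00"},
    {"common_name": "target.com.evil.example", "name_value": "target.com.evil.example",
     "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA", "not_before": "2023-03-01T00:00:00"},
])

# One hostname: labels of letters, digits and hyphens, optional leading "*." for wildcard certs
HOST_RE = re.compile(r"^(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def extract_hosts(raw_json, domain, pattern=None):
    """Return (hosts, wildcard_bases): sorted unique names that are `domain`
    or end in `.domain`, and the bases of any wildcard certificates, which
    mark subzones worth brute forcing. `pattern` keeps only names containing it."""
    domain = domain.lower().strip(".")
    hosts, wildcard_bases = set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not HOST_RE.match(name):
                continue          # e-mail addresses, IP SANs, junk
            is_wild = name.startswith("*.")
            if is_wild:
                name = name[2:]
            if name != domain and not name.endswith("." + domain):
                continue          # matched the search but belongs to someone else
            if pattern and pattern.lower() not in name:
                continue
            hosts.add(name)
            if is_wild:
                wildcard_bases.add(name)
    return sorted(hosts), sorted(wildcard_bases)


if __name__ == "__main__":
    # With live data: curl -s "https://crt.sh/?q=%25.target.com&output=json" > crt.json
    # and pass open("crt.json").read() instead of SAMPLE_JSON.
    names, wild = extract_hosts(SAMPLE_JSON, "target.com")
    print("\n".join(names))
    print("wildcard certs cover:", ", ".join(wild))
```

A wildcard certificate for `*.dev.target.com` does not name any host, but it does tell you that `dev.target.com` is a subzone someone bothered to get a certificate for, so that base is the first place to point the brute-force wordlist.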

### DNSCAN

* <https://github.com/rbsec/dnscan>

```
./dnscan.py -d cyberbotic.io -w subdomains-100.txt
```

### PUREDNS

* <https://github.com/d3mondev/puredns#getting-started>
* <https://sidxparab.gitbook.io/subdomain-enumeration-guide/active-enumeration/dns-bruteforcing>

```
puredns bruteforce best-dns-wordlist.txt trilocor.local -r resolvers.txt -w stuff/subdomains-out.txt
```

## GOTATOR - WORD LIST GENERATOR TOOL

* <https://sidxparab.gitbook.io/subdomain-enumeration-guide/active-enumeration/permutation-alterations>

```
# generate permutations of the known subdomains, then resolve the generated names
gotator -sub subdomains.txt -perm permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md > gotator1.txt
puredns resolve gotator1.txt -r resolvers.txt
```

## Subdomain Takeover

* <https://0xpatrik.com/takeover-proofs/>
* Validate with
  * <https://punksecurity.co.uk/dnsreaper/>
  * <https://github.com/EdOverflow/can-i-take-over-xyz>

## Domain Spoofing

### Ettercap

* <https://www.ettercap-project.org/>
* Edit `/etc/ettercap/etter.dns` to map the target domain (and its subdomains) to your IP

```
cat /etc/ettercap/etter.dns

inlanefreight.com      A   192.168.225.110
*.inlanefreight.com    A   192.168.225.110
```

* Start ettercap and scan for live hosts

```
Hosts > Scan for Hosts
```

* Add the IPs to the targets, then activate the `dns_spoof` plugin

```
Plugins > Manage Plugins
```

### Spoofy

* <https://github.com/MattKeeley/Spoofy.git>

```
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt
```

* Tool use

```
python3 spoofy.py -d cyberbotic.io -o stdout
```

#### Example output

```
[*] Domain: cyberbotic.io
[*] Is subdomain: False
[*] DNS Server: 1.1.1.1
[?] No SPF record found.
[?] No DMARC record found.
[+] Spoofing possible for fakedomain.io.
```
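What sits behind a verdict like the one above, as an added example that is a simplified version of the kind of SPF/DMARC reasoning Spoofy applies and not Spoofy's own code. SPF only authenticates the envelope sender (`MAIL FROM`); the visible `From:` header is protected only when a DMARC record exists and enforces, so the verdict hinges on the DMARC policy more than on the SPF `all` qualifier. The domains and records in `SAMPLES` are constructed.

```python
"""Header-From spoofability from SPF and DMARC TXT records (added example)."""
import re


def spf_all_qualifier(record):
    """Return the qualifier of the terminal 'all' mechanism ('+', '-', '~' or
    '?'), '?' if the record has no 'all', or None if there is no SPF record."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"       # bare "all" means "+all"
    return "?"                             # e.g. only a redirect= modifier


def parse_dmarc(record):
    """Return {'p': policy, 'pct': int} or None if there is no DMARC record."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                          # RFC default when the tag is malformed
    return {"p": tags.get("p", "none"), "pct": pct}


def assess(spf_record, dmarc_record):
    """Classify a domain. Returns {'spoofable': bool, 'reason': str}."""
    spf = spf_all_qualifier(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        if spf == "-":
            reason = "no DMARC record; SPF -all only covers the envelope sender, not the From: header"
        else:
            reason = "no DMARC record and no SPF hardfail"
        return {"spoofable": True, "reason": reason}
    if dmarc["p"] == "none":
        return {"spoofable": True, "reason": "DMARC p=none only reports failures"}
    if dmarc["pct"] < 100:
        return {"spoofable": True,
                "reason": f"DMARC p={dmarc['p']} applies to only {dmarc['pct']}% of mail"}
    if spf == "+":
        # Any host passes SPF, so an aligned MAIL FROM satisfies DMARC too
        return {"spoofable": True, "reason": "SPF +all lets any sender pass and satisfy DMARC alignment"}
    if spf is None:
        return {"spoofable": False,
                "reason": f"DMARC p={dmarc['p']} enforced; forged mail has no aligned SPF or DKIM pass"}
    return {"spoofable": False, "reason": f"DMARC p={dmarc['p']} enforced with SPF {spf}all"}


# Constructed records for the offline demo (hypothetical domains)
SAMPLES = {
    "nothing.example":  (None, None),
    "monitor.example":  ("v=spf1 include:_spf.mailer.example ~all", "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "partial.example":  ("v=spf1 ip4:203.0.113.10 -all", "v=DMARC1; p=quarantine; pct=50"),
    "spfonly.example":  ("v=spf1 ip4:203.0.113.10 -all", None),
    "hardened.example": ("v=spf1 ip4:203.0.113.10 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
}

if __name__ == "__main__":
    # Real records: dig +short txt example.com ; dig +short txt _dmarc.example.com
    for domain, (spf, dmarc) in SAMPLES.items():
        verdict = assess(spf, dmarc)
        print(f"[{'+' if verdict['spoofable'] else '-'}] {domain}: {verdict['reason']}")
```

Two results usually surprise people: a domain with a strict `-all` and no DMARC still shows as spoofable, because nothing ties the envelope check to the header the user sees, and `+all` undoes an otherwise enforcing DMARC policy because the attacker can make SPF pass with an aligned `MAIL FROM` from any host.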

## DNS Cache Poisoning

What this page calls cache poisoning is the local variant performed with MITM tools (Ettercap, Bettercap): after ARP-spoofing the segment, the attacker sees the victim's DNS queries and answers them first with a forged IP, as configured in `etter.dns` above. It is not the same as classic remote resolver cache poisoning (Kaminsky-style), which forges responses to a recursive resolver without being on the path.

Verify from victim perspective:

```
C:\>ping inlanefreight.com

Pinging inlanefreight.com [192.168.225.110] with 32 bytes of data:
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64
```

## DNS Server Configuration (Bind9)

### Config Files

* `/etc/bind/named.conf.local`
* `/etc/bind/named.conf.options`
* `/etc/bind/named.conf.log`

### Local DNS Configuration

```
root@bind9:~# cat /etc/bind/named.conf.local
zone "domain.com" {
    type master;
    file "/etc/bind/db.domain.com";
    allow-update { key rndc-key; };
};
```

### Dangerous Settings

These options are dangerous when set permissively (for example to `{ any; }`):

| Option          | Description                                                                               |
| --------------- | ----------------------------------------------------------------------------------------- |
| allow-query     | Defines which hosts can send requests to the DNS server                                   |
| allow-recursion | Defines which hosts can send recursive requests; `any` makes the server an open resolver  |
| allow-transfer  | Defines which hosts can receive zone transfers; `any` hands the whole zone to any client  |

### DIG Queries

```
dig ns inlanefreight.htb @10.129.14.128
dig CH TXT version.bind @10.129.120.85
dig any inlanefreight.htb @10.129.14.128
```

* The server must be given with a leading `@`; without it `dig` treats the address as another name to look up. The `CH TXT version.bind` query asks BIND for its version string, which it answers with the real version unless the `version` option has been set.

### DIG Zone Transfer (AXFR)

```
dig axfr inlanefreight.htb @10.129.14.128
dig axfr internal.inlanefreight.htb @10.129.14.128
```

### Subdomain Brute Forcing (Bash)

```bash
# Same loop as in the Dig section: query the target resolver for each label, drop comment,
# SOA and blank lines, and keep only answer lines that mention the label
for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt); do
    dig "$sub.inlanefreight.htb" @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt
done
```

### DNSenum

```
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
```

***

## MX Record Enumeration

```bash
host -t MX hackthebox.eu
host -t MX microsoft.com
dig mx plaintext.do | grep "MX" | grep -v ";"
dig mx inlanefreight.com | grep "MX" | grep -v ";"
```

Resolve the mail server:

```bash
host -t A mail1.inlanefreight.htb.
```

