DNS
Last updated
Was this helpful?
Last updated
Was this helpful?
DNS Typically runs on port 53 UDP but it can also run on TCP DNS translates domain names to IP addresses Useful resources:
A
Returns an IPv4 address of the requested domain as a result.
AAAA
Returns an IPv6 address of the requested domain.
MX
Returns the responsible mail servers as a result.
NS
Returns the DNS servers (nameservers) of the domain.
TXT
This record can contain various information. For example, it can be used to validate the Google Search Console or validate SSL certificates.
CNAME
This record serves as an alias. If the domain www.hackthebox.eu should point to the same IP, and we create an A record for one and a CNAME record for the other.
PTR
The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.
SOA
Provides information about the corresponding DNS zone and email address of the administrative contact.
dig ns <domain.tld> @dns-ip
NS request to the specific nameserver.
dig any <domain.tld> @dns-ip
ANY request to the specific nameserver.
dig axfr <domain.tld> @dns-ip
AXFR (ZONE TRANSFER) request to the specific nameserver.
fierce --domain zonetransfer.me
Use fierce to scan for Zone Transfers
There are different tools to perform subdomain enumeration:
./subfinder -d test.com -v
sublist3r.py -d test.com
./subbrute test.com -s ./names.txt -r ./resolvers.txt
Subdomain Fuzzing:
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.server.com/
gobuster dns -d example.com -w wordlists.txt
VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs <num>
gobuster vhost --url test.example --wordlist /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
Subdomain Bruteforcing: