DNS
Introduction
DNS Typically runs on port 53 UDP but it can also run on TCP DNS translates domain names to IP addresses Useful resources:
DNS Records
A
Returns an IPv4 address of the requested domain as a result.
AAAA
Returns an IPv6 address of the requested domain.
MX
Returns the responsible mail servers as a result.
NS
Returns the DNS servers (nameservers) of the domain.
TXT
This record can contain various information. For example, it can be used to validate the Google Search Console or validate SSL certificates.
CNAME
This record serves as an alias. If the domain www.hackthebox.eu should point to the same IP, and we create an A record for one and a CNAME record for the other.
PTR
The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.
SOA
Provides information about the corresponding DNS zone and email address of the administrative contact.
Basic Interaction
dig ns <domain.tld> @dns-ip
NS request to the specific nameserver.
dig any <domain.tld> @dns-ip
ANY request to the specific nameserver.
dig axfr <domain.tld> @dns-ip
AXFR (ZONE TRANSFER) request to the specific nameserver.
fierce --domain zonetransfer.me
Use fierce to scan for Zone Transfers
Sub-Domain Enumeration:
There are different tools to perform subdomain enumeration:
./subfinder -d test.com -vsublist3r.py -d test.com./subbrute test.com -s ./names.txt -r ./resolvers.txt
Subdomain Fuzzing:
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.server.com/gobuster dns -d example.com -w wordlists.txt
VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs <num>gobuster vhost --url test.example --wordlist /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
Subdomain Bruteforcing:
Last updated