DNS RECORDS
Dig
Retrieve DNS records:
dig @10.10.10.224 realcorp.htb      # Retrieve DNS record
dig @10.10.10.224 realcorp.htb ns   # Retrieve name servers
dig @10.10.10.224 realcorp.htb axfr # Zone transfer
dig @10.10.10.224 realcorp.htb mx   # Mail server
Examples: Tentacle
Host
Manually discover DNS records:
host -t mx www.megacorpone.com 10.10.10.224
host -t txt www.megacorpone.com 10.10.10.224
host -t ptr www.megacorpone.com 149.56.244.87
Reverse-resolve the rest of a discovered subnet, keeping only the IPs that have a PTR record:
for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"
Dnsenum
Enumeration of subdomains:
dnsenum --dnsserver 10.10.10.224 --threads 50 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt realcorp.htb
Examples: Cascade
DNS Zone Transfers
A zone transfer is basically a database replication between related DNS servers in which the zone file is copied from a master DNS server to a slave server. The zone file contains a list of all the DNS names configured for that zone. Zone transfers should only be allowed to authorized slave DNS servers but many administrators misconfigure their DNS servers, and in these cases, anyone asking for a copy of the DNS server zone will usually receive one.
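The misconfiguration described above is also visible from the server side. The following script, added here as a defender's example and not part of the original page, scans BIND 9 style "queries" and "xfer-out" log lines for AXFR/IXFR requests that did not come from an authorised secondary, and distinguishes a mere request from a transfer the server actually served. The log lines, the addresses and the authorised-secondary list are constructed for the example (192.168.173.10 plays the one legitimate secondary).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of BIND 9 "queries" and "xfer-out" log lines
# (addresses are hypothetical; 192.168.173.10 plays the one authorised secondary).
SAMPLE_LOG = """\
02-Sep-2022 02:20:01.101 client @0x7f4a8c012340 192.168.173.10#53912 (mailman.com): query: mailman.com IN AXFR -T (192.168.173.149)
02-Sep-2022 02:22:24.005 client @0x7f4a8c012340 192.168.173.77#40211 (mailman.com): query: mailman.com IN AXFR -T (192.168.173.149)
02-Sep-2022 02:22:24.210 client @0x7f4a8c012340 192.168.173.77#40211 (mailman.com): transfer of 'mailman.com/IN': AXFR started (serial 158)
02-Sep-2022 02:22:31.330 client @0x7f4a8c012340 192.168.173.77#40212 (_msdcs.mailman.com): query: _msdcs.mailman.com IN AXFR -T (192.168.173.149)
02-Sep-2022 02:23:00.002 client @0x7f4a8c012340 192.168.173.77#40213 (www.mailman.com): query: www.mailman.com IN A +E(0)K (192.168.173.149)
"""

# Assumption for the example: only this host is a legitimate secondary for the zone.
AUTHORISED_SECONDARIES = [ipaddress.ip_network("192.168.173.10/32")]

# Matches either a logged AXFR/IXFR *query* or an xfer-out "transfer ... started" line.
# The "@0x..." client handle is optional because older BIND versions omit it.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<zone>[^)]+)\): "
    r"(?:query: \S+ IN (?P<qtype>AXFR|IXFR)"
    r"|transfer of '(?P<xzone>[^/']+)/IN': (?P<xtype>(?:AXFR-style )?IXFR|AXFR) started)"
)


def find_unauthorised_transfers(log_text, authorised=AUTHORISED_SECONDARIES):
    """Return one finding per AXFR/IXFR request or served transfer from a non-authorised source."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in authorised):
            continue
        findings.append({
            "src": str(src),
            "zone": (m["xzone"] or m["zone"]).rstrip(".").lower(),
            "type": m["qtype"] or m["xtype"],
            # A "transfer of ... started" line means the server actually served the zone,
            # i.e. allow-transfer let the request through instead of refusing it.
            "served": m["xtype"] is not None,
        })
    return findings


def summarise(findings):
    """Count requests per (source, zone) and list the zones that were actually handed out."""
    per_pair = Counter((f["src"], f["zone"]) for f in findings)
    leaked = sorted({f["zone"] for f in findings if f["served"]})
    return {"requests": dict(per_pair), "zones_served": leaked}


if __name__ == "__main__":
    found = find_unauthorised_transfers(SAMPLE_LOG)
    for f in found:
        print(f"{f['src']} requested {f['type']} of {f['zone']} served={f['served']}")
    print(summarise(found))
```

A request that is refused still shows up as a finding, which is useful on its own: an AXFR query from an unexpected source is a strong sign of enumeration, while a "started" line for the same source means the zone is now in the requester's hands and the allow-transfer ACL needs fixing.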
Host
First, obtain the domain's name servers (NS records) with:
host -t ns megacorpone.com
Then run the following command against each NS server:
host -l megacorpone.com ns1.megacorpone.com
Retrieve hostnames from IPs when the DNS server's IP is known:
for ip in $(seq 1 255); do host 192.168.173.$ip 192.168.173.149; done
The host command syntax for performing a zone transfer is as follows:
host -l <domain name> <dns server address>
Remember: when enumerating a private network, the first step is to find its DNS server, since it holds the records for the whole network.
Always put the DNS server after the domain name so that every query is sent to it:
host -l dc.mailman.com <DNS SERVER>
host -t txt dc.MAILMAN.com 192.168.173.149
Once the other records for a site (TXT, A, AAAA, PTR) have been pulled, the most interesting part is the NS records:
dig axfr @192.168.173.149 mailman.com
; (1 server found)
;; global options: +cmd
mailman.com. 3600 IN SOA dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
mailman.com. 3600 IN NS dc.mailman.com. `<---`
_msdcs.mailman.com. 3600 IN NS dc.mailman.com.
_gc._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 3268 dc.mailman.com.
_kerberos._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 88 dc.mailman.com.
_kerberos._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 88 winserv19-temp.mailman.com.
_ldap._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 389 winserv19-temp.mailman.com.
_gc._tcp.mailman.com. 600 IN SRV 0 100 3268 dc.mailman.com.
_gc._tcp.mailman.com. 600 IN SRV 0 100 3268 winserv19-temp.mailman.com.
_kerberos._tcp.mailman.com. 600 IN SRV 0 100 88 dc.mailman.com.
_kpasswd._tcp.mailman.com. 600 IN SRV 0 100 464 dc.mailman.com.
_kpasswd._tcp.mailman.com. 600 IN SRV 0 100 464 winserv19-temp.mailman.com.
_ldap._tcp.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_kerberos._udp.mailman.com. 600 IN SRV 0 100 88 dc.mailman.com.
_kerberos._udp.mailman.com. 600 IN SRV 0 100 88 winserv19-temp.mailman.com.
_kpasswd._udp.mailman.com. 600 IN SRV 0 100 464 dc.mailman.com.
_kpasswd._udp.mailman.com. 600 IN SRV 0 100 464 winserv19-temp.mailman.com.
dc.mailman.com. 3600 IN A 192.168.173.149
dc.mailman.com. 3600 IN TXT "OS{1221212}"
DomainDnsZones.mailman.com. 600 IN A 192.168.50.149
DomainDnsZones.mailman.com. 600 IN A 192.168.120.149
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.DomainDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.DomainDnsZones.mailman.com. 600 IN SRV 0 100 389 winserv19-temp.mailman.com.
ForestDnsZones.mailman.com. 600 IN A 192.168.50.149
ForestDnsZones.mailman.com. 600 IN A 192.168.120.149
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.ForestDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
mailman.com. 3600 IN SOA dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
;; Query time: 100 msec
;; SERVER: 192.168.173.149#53(192.168.173.149) (TCP)
;; WHEN: Fri Sep 02 02:22:24 EDT 2022
;; XFR size: 30 records (messages 1, bytes 1454)
Further information can be gathered from the other zones the first transfer revealed: the _msdcs delegation above is a separate zone, so request it from the same DNS server with another axfr:
dig axfr @192.168.173.149 _msdcs.mailman.com
The same result can be achieved with:
host -l -a _msdcs.mailman.com 192.168.173.149
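Reading a transfer by hand gets tedious once a zone has dozens of SRV records, so here is a small parser, added here as an example and not part of the original page, that turns the dig output above into the items an auditor actually wants: the delegated sub-zones (the NS records singled out earlier, which are the candidates for a follow-up axfr such as _msdcs), the distinct hosts named in A and SRV records, and the service labels that show what the zone supports. The embedded input is a subset of the page's own listing so the script runs offline.

```python
import re
from collections import defaultdict

# Excerpt of the `dig axfr @192.168.173.149 mailman.com` listing shown above, embedded
# here (as a subset of the page's own output) so the script runs offline.
AXFR_OUTPUT = """\
; (1 server found)
;; global options: +cmd
mailman.com. 3600 IN SOA dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
mailman.com. 3600 IN NS dc.mailman.com.
_msdcs.mailman.com. 3600 IN NS dc.mailman.com.
_kerberos._tcp.mailman.com. 600 IN SRV 0 100 88 dc.mailman.com.
_kerberos._tcp.mailman.com. 600 IN SRV 0 100 88 winserv19-temp.mailman.com.
_ldap._tcp.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
dc.mailman.com. 3600 IN A 192.168.173.149
dc.mailman.com. 3600 IN TXT "OS{1221212}"
DomainDnsZones.mailman.com. 600 IN A 192.168.50.149
mailman.com. 3600 IN SOA dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
;; Query time: 100 msec
"""

# owner  ttl  IN  type  rdata   (dig prints one resource record per line)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def parse_axfr(text):
    """Return (owner, ttl, type, rdata) tuples; skips dig's ';' lines and the repeated closing SOA."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, ttl, rtype, rdata = m.groups()
        rec = (owner.rstrip(".").lower(), int(ttl), rtype, rdata)
        if rec not in records:          # AXFR brackets the zone with the SOA at start and end
            records.append(rec)
    return records


def summarise(records, apex):
    """Pull out what an auditor wants from a transfer: delegated sub-zones, hosts and services."""
    apex = apex.rstrip(".").lower()
    by_type = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        by_type[rtype].append((owner, rdata))
    counts = {t: len(v) for t, v in by_type.items()}
    # NS records owned by a name other than the apex are delegations: each is a separate
    # zone (here _msdcs) that the same server may also hand out via AXFR.
    subzones = sorted({o for o, _ in by_type["NS"] if o != apex})
    # Hosts appear as A owners and as SRV targets (4th rdata field: prio weight port target).
    hosts = {o for o, _ in by_type["A"]}
    hosts |= {rd.split()[3].rstrip(".").lower() for _, rd in by_type["SRV"]}
    # Service labels of SRV owners (_kerberos, _ldap, ...) show what the zone supports.
    services = sorted({o.split(".")[0].lstrip("_") for o, _ in by_type["SRV"]})
    return {
        "subzones": subzones,
        "hosts": sorted(hosts),
        "services": services,
        "counts": counts,
    }


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    print(summarise(recs, "mailman.com"))
```

Pipe the real dig output into parse_axfr (for example by reading it from a file) and the "subzones" list is exactly the set of names to query next with the same axfr syntax; the "hosts" list is what a reverse sweep would otherwise have to discover one IP at a time.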
Domain Zone Transfer Script
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if an argument was given; if not, print usage
if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain name> "
    exit 0
fi
# If an argument was given, identify the DNS servers for the domain
# (quoted so domain names and server names with unusual characters are passed intact)
for server in $(host -t ns "$1" | cut -d " " -f4); do
    # For each of these servers, attempt a zone transfer and keep only the A records
    host -l "$1" "$server" | grep "has address"
done
DNSRecon
Zone Transfer
dnsrecon -d megacorpone.com -t axfr
Brute Force
dnsrecon -d megacorpone.com -D ~/list.txt -t brt
DNSEnum
dnsenum zonetransfer.me
Bluto
Bluto TODO
Each domain can use different types of DNS records. Some of the most common types of DNS records include:
- NS - Nameserver records contain the names of the authoritative servers hosting the DNS records for a domain.
- A - Also known as a host record, the A record contains the IP address of a hostname (such as www.megacorpone.com).
- MX - Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
- PTR - Pointer records are used in reverse lookup zones to find the hostname associated with an IP address.
- CNAME - Canonical Name records are used to create aliases for other host records.
- TXT - Text records can contain arbitrary data and are used for various purposes, such as domain ownership verification.