DNS Recon

All in one Discover Script

Amass

Get WHOIS information from a domain:

>>> amass intel -d owasp.org -whois
appseceu.com
owasp.com
appsecasiapac.com
appsecnorthamerica.com
appsecus.com
[...]
owasp.org
appsecapac.com
appsecla.org
[...]

Get WHOIS information from an organization:

>>> amass intel -org 'Example Ltd'
111111, MAIN_PRODUCT - Example Ltd
222222, SECONDARY_PRODUCT - Example Ltd
[...]

Look for subdomains on other sites (passive sources only):

>>> amass enum -passive -d owasp.org -src
[...]
[ThreatCrowd] update-wiki.owasp.org
[...]
[BufferOver] my.owasp.org
[Crtsh] www.lists.owasp.org
[Crtsh] www.ocms.owasp.org
[...]
Querying VirusTotal for owasp.org subdomains
Querying Yahoo for owasp.org subdomains
[...]

Try a zone transfer to get information:

>>> amass intel -active -d owasp.org -whois
appseceu.com
owasp.com
appsecasiapac.com
appsecnorthamerica.com
appsecus.com
[...]
owasp.org
appsecapac.com
appsecla.org
[...]

Active DNS brute forcing:

>>> amass enum -active -d owasp.org -public-dns -brute -w /root/dns_lists/deepmagic.com-top50kprefixes.txt -src -ip -dir amass4owasp -config /root/amass/config.ini -o amass_results_owasp.txt

>>> amass -src -ip -d generalzero.org
generalzero.org has a static DNS wildcard
[Forward DNS] generalzero.org,163.172.132.11
[Forward DNS] mail.generalzero.org,163.172.132.11
[CertSpotter] travel.generalzero.org,163.172.132.11
[CertSpotter] beta.generalzero.org,163.172.132.11
[CertSpotter] totoro.generalzero.org,98.109.153.106
[CertSpotter] cal.generalzero.org,163.172.132.11
[CertSpotter] www.generalzero.org,163.172.132.11
[CertSpotter] dev.generalzero.org,98.109.153.106
[CertSpotter] test.generalzero.org,98.109.153.106
[Entrust] my.generalzero.org,163.172.132.11
[CertSpotter] zero.generalzero.org,98.109.153.106
[Entrust] blog.generalzero.org,163.172.132.11
[Entrust] note.generalzero.org,163.172.132.11
[Entrust] bak.generalzero.org,163.172.132.11
[Entrust] t1ns.generalzero.org,163.172.132.11
[Entrust] chat.generalzero.org,163.172.132.11
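The `-src -ip` output above becomes useful once it is parsed into an inventory. The following is an added example (not Amass code and not part of the original cheat sheet) that parses lines in that format, flags hosts resolving outside the organisation's own address ranges, and separates names whose only evidence is a wildcard DNS answer from names corroborated by a certificate source. The sample lines, the `163.172.132.0/24` range, the `[Brute Forcing]` entry and the set of source labels treated as DNS-only are constructed assumptions for illustration.

```python
"""Parse Amass `-src -ip` output into a host inventory and flag two things a
defender wants to know: hosts resolving outside the organisation's own ranges
(possible shadow IT) and names whose only evidence is a wildcard DNS answer.
Added example, not part of Amass; the sample data below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Amass `-src -ip` line format: "[Source] name,ip1,ip2,..."
LINE_RE = re.compile(r"^\[(?P<source>[^\]]+)\]\s+(?P<name>[^,\s]+),(?P<ips>\S+)$")
WILDCARD_NOTE = " has a static DNS wildcard"

# Sources that only prove "the resolver answered", not that the host was
# deliberately published. Assumption for this example, not an Amass constant.
DNS_ONLY_SOURCES = frozenset({"Forward DNS", "Brute Forcing", "Reverse DNS"})

# Constructed sample, modelled on the generalzero.org output shown above.
SAMPLE_LINES = """
generalzero.org has a static DNS wildcard
[Forward DNS] generalzero.org,163.172.132.11
[Forward DNS] mail.generalzero.org,163.172.132.11
[CertSpotter] dev.generalzero.org,98.109.153.106
[CertSpotter] test.generalzero.org,98.109.153.106,163.172.132.11
[Entrust] blog.generalzero.org,163.172.132.11
[Brute Forcing] qwerty.generalzero.org,163.172.132.11
[Forward DNS] mail.generalzero.org,163.172.132.11
""".strip().splitlines()

# Constructed: address space the organisation believes it owns.
OWN_RANGES = ["163.172.132.0/24"]


def parse_amass(lines):
    """Return ({name: {"ips": set, "sources": set}}, [domains reported as wildcard])."""
    hosts = defaultdict(lambda: {"ips": set(), "sources": set()})
    wildcard_domains = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            rec = hosts[m["name"].lower().rstrip(".")]
            rec["ips"].update(m["ips"].split(","))
            rec["sources"].add(m["source"])
        elif line.endswith(WILDCARD_NOTE):
            wildcard_domains.append(line[: -len(WILDCARD_NOTE)].lower())
    return dict(hosts), wildcard_domains


def off_range_hosts(hosts, own_ranges):
    """Hosts with at least one address outside own_ranges -> {name: [stray ips]}."""
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    result = {}
    for name, rec in hosts.items():
        stray = sorted(ip for ip in rec["ips"]
                       if not any(ipaddress.ip_address(ip) in n for n in nets))
        if stray:
            result[name] = stray
    return result


def wildcard_only_hosts(hosts, apex, wildcard_ips):
    """Names under apex whose every IP is a wildcard answer and whose every
    source is DNS-only. These need confirmation (MX record, certificate, HTTP
    banner) before being treated as real hosts."""
    suffix = "." + apex.lower()
    return sorted(
        name for name, rec in hosts.items()
        if name.endswith(suffix)
        and rec["ips"] <= set(wildcard_ips)
        and rec["sources"] <= DNS_ONLY_SOURCES
    )


if __name__ == "__main__":
    hosts, wildcards = parse_amass(SAMPLE_LINES)
    print("wildcard domains:", wildcards)
    print("outside own ranges:", off_range_hosts(hosts, OWN_RANGES))
    # Constructed: the IP a probe for a random, nonexistent label returned.
    print("wildcard-only names:",
          wildcard_only_hosts(hosts, "generalzero.org", {"163.172.132.11"}))
```

Note that `mail.generalzero.org` ends up in the wildcard-only list even though it is a plausible host: under a static wildcard, a forward lookup proves nothing on its own, so the name has to be confirmed by an MX record, a certificate or a service banner before it is added to an asset list.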

DIG commands

WHOIS lookup

whois domain-name-here.com

Perform a DNS A record (IP) lookup

dig a domain-name-here.com @nameserver

Perform MX Record Lookup

dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG

dig axfr domain-name-here.com @nameserver

Windows DNS zone transfer (interactive nslookup session)

nslookup
> set type=any
> ls -d blah.com
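Whether a zone transfer is permitted is something a zone owner should verify from the outside on a schedule, not learn from a report. The following is an added example, not from the original cheat sheet: a stdlib-only Python script that sends a single AXFR request over TCP and classifies the first response by RCODE and answer count, so it can run as a self-test against your own authoritative servers. The sample response messages, the default query ID and the `example.com` zone are constructed for illustration.

```python
"""Check whether a nameserver answers AXFR for a zone. Stdlib only, so it can
run as a scheduled self-test of one's own authoritative servers. Added example,
not from the original cheat sheet; sample messages below are constructed."""
import socket
import struct

QTYPE_AXFR = 252   # RFC 1035 / RFC 5936
QCLASS_IN = 1
DEFAULT_QID = 0x1234
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Domain name to wire format: length-prefixed labels ending in a 0 byte."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("invalid label in %r" % name)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_axfr_query(zone, qid=DEFAULT_QID):
    """12-byte header (flags 0: no recursion wanted for a transfer), one question."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def build_sample_response(zone, flags, ancount, qid=DEFAULT_QID):
    """Constructed response header plus echoed question, for offline testing only."""
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_axfr_response(msg, qid=DEFAULT_QID):
    """Return (verdict, rcode name) from the first AXFR response message.
    verdict: 'allowed' (records returned), 'refused' (REFUSED/NOTAUTH),
    'empty' (NOERROR but no records) or 'error'."""
    if len(msg) < 12:
        return ("error", "short message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        return ("error", "id mismatch")
    rcode = flags & 0x000F
    name = RCODE_NAMES.get(rcode, str(rcode))
    if rcode in (5, 9):
        return ("refused", name)
    if rcode != 0:
        return ("error", name)
    return ("allowed" if ancount > 0 else "empty", name)


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP DNS messages are length-prefixed."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before %d bytes" % n)
        buf += chunk
    return bytes(buf)


def check_zone_transfer(server, zone, timeout=5.0):
    """Send one AXFR over TCP (2-byte length prefix, RFC 5936) and classify the
    first response message; that is enough for an allowed/refused verdict."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return classify_axfr_response(recv_exact(sock, length))


if __name__ == "__main__":
    # Offline demonstration on constructed responses.
    refused = build_sample_response("example.com", 0x8185, 0)   # QR|RD|RA, RCODE 5
    allowed = build_sample_response("example.com", 0x8400, 3)   # QR|AA, RCODE 0, 3 records
    print("refused sample ->", classify_axfr_response(refused))
    print("allowed sample ->", classify_axfr_response(allowed))
    # Live check against a server you operate, e.g.:
    # print(check_zone_transfer("ns1.example.com", "example.com"))
```

An `allowed` verdict from any address outside the secondary servers' allow-list means the zone is readable by anyone; the fix is server-side (`allow-transfer` in BIND, or the equivalent ACL in the resolver in use), and the script then becomes the regression test.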

Brute Force DNS addresses

Sublist3r

This runs Sublist3r on a list of domains and outputs the results in separate files.

cat domains | xargs -n1 -I{} python sublist3r.py -d {} -o {}.txt

Aquatone

Aquatone One-liner

echo "aquatone-discover -d \$1 && aquatone-scan -d \$1 --ports huge && aquatone-takeover -d \$1 && aquatone-gather -d \$1" > aqua.sh && chmod +x aqua.sh && ./aqua.sh domain.com

DNSRecon

DNS Recon

python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt
dnsrecon -d generalzero.org -D /opt/Hacking/Enumeration/SecurityLists/Discovery/DNS/sorted_knock_dnsrecon_fierce_recon-ng.txt -t std --xml /opt/Hacking/Enumeration/dnsrecon.xml

Scripts for enumeration

Search for other domains using certificates.

Certspotter

curl -s 'https://certspotter.com/api/v0/certs?domain=example.com' | jq -r '.[].dns_names[]' | sed 's/^\*\.//' | sort -u
curl -s 'https://certspotter.com/api/v0/certs?domain=example.com' | jq -r '.[].dns_names[]' | sed 's/^\*\.//' | sort -u | dig +short -f - | sort -u | nmap -T5 -Pn -sS -iL - -p 80,443,21,22,8080,8081,8443 --open -n -oG -
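The jq/sed pipeline above strips wildcards and de-duplicates, but it keeps every name on every matching certificate, including names that merely contain the search string. The following is an added example, not from the original cheat sheet or from the certspotter project: it parses a JSON list in the shape of the v0 `certs` response (objects with a `dns_names` array), keeps only names that are the apex or lie under it, and then reports names that are missing from the organisation's own certificate inventory, which is the signal a Certificate Transparency monitor alerts on. The JSON and the inventory are constructed for illustration.

```python
"""Turn a Certificate Transparency search result into a de-duplicated, in-scope
host list and compare it with the hosts you know you issued certificates for.
Added example, not from the original cheat sheet or the certspotter project;
the JSON below is constructed in the shape of the v0 `certs` response
(a list of objects with a `dns_names` array) and is not a real API reply."""
import json

# Constructed sample: four certificates, including a wildcard, mixed case,
# a duplicate, and two names that merely contain the string "example.com".
SAMPLE_JSON = json.dumps([
    {"dns_names": ["www.example.com", "example.com"]},
    {"dns_names": ["*.dev.example.com", "DEV.example.com"]},
    {"dns_names": ["example.com.attacker.test", "notexample.com"]},
    {"dns_names": ["www.example.com"]},
])


def in_scope(name, apex):
    """True only for the apex itself or a name under it; a plain substring or
    suffix test would also accept notexample.com and example.com.attacker.test."""
    return name == apex or name.endswith("." + apex)


def normalise(name):
    """Lower-case, drop a trailing dot and a leading wildcard label, as the sed
    step in the pipeline above does."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def ct_hostnames(raw_json, apex):
    """Sorted unique in-scope hostnames from a certspotter-style JSON list."""
    apex = normalise(apex)
    names = set()
    for cert in json.loads(raw_json):
        for dns_name in cert.get("dns_names", []):
            n = normalise(dns_name)
            if in_scope(n, apex):
                names.add(n)
    return sorted(names)


def unexpected_hostnames(ct_names, known_hosts):
    """Names that appear in CT but not in your own certificate inventory:
    mis-issuance, forgotten services or shadow IT show up here first."""
    known = {normalise(h) for h in known_hosts}
    return sorted(n for n in ct_names if n not in known)


if __name__ == "__main__":
    found = ct_hostnames(SAMPLE_JSON, "example.com")
    print("in CT:", found)
    # Constructed inventory of hosts the organisation knows it certified.
    print("not in inventory:",
          unexpected_hostnames(found, ["example.com", "www.example.com"]))
```

Run against a live feed, the same two functions turn a one-off search into a monitor: fetch periodically, diff `ct_hostnames` against the inventory, and alert on anything `unexpected_hostnames` returns.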

Scans.io

Command to parse & extract sub-domains for a given domain:

curl -s https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep '\.icann\.org' | jq .

crt.sh database

psql -h crt.sh -p 5432 -U guest certwatch

Resolve domains

Use Certificate Transparency logs to find DNS names, then resolve them to IP addresses and add them to the list.

./ct.py icann.org | ./bin/massdns -r resolvers.txt -t A -q -a -o -w icann_resolvable_domains.txt -

Search for other domains using IPv4 scans.

curl -s https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep '\.icann\.org' | jq .


Internal DNS

Do DNS lookups for names such as intranet, sharepoint, wiki, nessus, cyberark and many others to start gathering intel on your target.

DNS Walking

Performs DNS zone dumps by walking DNSSEC NSEC(3) records.