
DNS Recon

All in one Discover Script

Amass

Get Whois Information from domain:

>>> amass intel -d owasp.org -whois
appseceu.com
owasp.com
appsecasiapac.com
appsecnorthamerica.com
appsecus.com
[...]
owasp.org
appsecapac.com
appsecla.org
[...]

Get ASN/WHOIS information for an organization:

>>> amass intel -org 'Example Ltd'
111111, MAIN_PRODUCT  Example Ltd
222222, SECONDARY_PRODUCT - Example Ltd
[...]

Passive subdomain enumeration from third-party sources (no direct queries to the target):

>>> amass enum -passive -d owasp.org -src
[...]
[ThreatCrowd]     update-wiki.owasp.org
[...]
[BufferOver]      my.owasp.org
[Crtsh]           www.lists.owasp.org
[Crtsh]           www.ocms.owasp.org
[...]
Querying VirusTotal for owasp.org subdomains
Querying Yahoo for owasp.org subdomains
[...]

Try a zone transfer (-active) together with the WHOIS lookup:

>>> amass intel -active -d owasp.org -whois
appseceu.com
owasp.com
appsecasiapac.com
appsecnorthamerica.com
appsecus.com
[...]
owasp.org
appsecapac.com
appsecla.org
[...]

Active DNS brute forcing (wordlist, config and output paths are local examples):

>>> amass enum -active -d owasp.org -public-dns -brute -w /root/dns_lists/deepmagic.com-top50kprefixes.txt -src -ip -dir amass4owasp -config /root/amass/config.ini -o amass_results_owasp.txt

>>> amass -src -ip -d generalzero.org
generalzero.org has a static DNS wildcard
[Forward DNS]     generalzero.org,163.172.132.11
[Forward DNS]     mail.generalzero.org,163.172.132.11
[CertSpotter]     travel.generalzero.org,163.172.132.11
[CertSpotter]     beta.generalzero.org,163.172.132.11
[CertSpotter]     totoro.generalzero.org,98.109.153.106
[CertSpotter]     cal.generalzero.org,163.172.132.11
[CertSpotter]     www.generalzero.org,163.172.132.11
[CertSpotter]     dev.generalzero.org,98.109.153.106
[CertSpotter]     test.generalzero.org,98.109.153.106
[Entrust]         my.generalzero.org,163.172.132.11
[CertSpotter]     zero.generalzero.org,98.109.153.106
[Entrust]         blog.generalzero.org,163.172.132.11
[Entrust]         note.generalzero.org,163.172.132.11
[Entrust]         bak.generalzero.org,163.172.132.11
[Entrust]         t1ns.generalzero.org,163.172.132.11
[Entrust]         chat.generalzero.org,163.172.132.11
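Amass flags generalzero.org above as having a static DNS wildcard, which means every guessed label "resolves" and most of the brute-force output is noise. The script below is an added example (not part of the original notes or of Amass) that triages that output offline: it counts hosts per address, lists the hosts that do not sit on the suspected wildcard address, and includes an uncalled live check that resolves a random label to confirm a wildcard. The sample file is the Amass output shown above; `dig` is assumed to be installed only for the live check.

```shell
# Added example, not from the original notes: triage amass "-src -ip" output
# when amass reports a static DNS wildcard (as for generalzero.org above).
# Under a wildcard every guessed label "resolves", so the real signal is which
# hosts point at an address other than the wildcard address.

# Constructed sample: the amass lines shown above, written to a temp file.
AMASS_OUT=$(mktemp)
cat > "$AMASS_OUT" <<'EOF'
generalzero.org has a static DNS wildcard
[Forward DNS]     generalzero.org,163.172.132.11
[Forward DNS]     mail.generalzero.org,163.172.132.11
[CertSpotter]     travel.generalzero.org,163.172.132.11
[CertSpotter]     beta.generalzero.org,163.172.132.11
[CertSpotter]     totoro.generalzero.org,98.109.153.106
[CertSpotter]     cal.generalzero.org,163.172.132.11
[CertSpotter]     www.generalzero.org,163.172.132.11
[CertSpotter]     dev.generalzero.org,98.109.153.106
[CertSpotter]     test.generalzero.org,98.109.153.106
[Entrust]         my.generalzero.org,163.172.132.11
[CertSpotter]     zero.generalzero.org,98.109.153.106
[Entrust]         blog.generalzero.org,163.172.132.11
[Entrust]         note.generalzero.org,163.172.132.11
[Entrust]         bak.generalzero.org,163.172.132.11
[Entrust]         t1ns.generalzero.org,163.172.132.11
[Entrust]         chat.generalzero.org,163.172.132.11
EOF

# Drop the "[Source]" column so only "host,ip" is left; lines without a
# comma (such as the wildcard notice) are ignored by the awk filters below.
strip_source() {
    sed -E 's/^\[[^]]*\][[:space:]]*//' "$1"
}

# Print "ip hostcount", busiest address first; with a static wildcard the top
# entry is normally the wildcard address.
amass_by_ip() {
    strip_source "$1" | awk -F, 'NF == 2 { c[$2]++ } END { for (ip in c) print ip, c[ip] }' \
        | sort -k2,2nr -k1,1
}

# Hosts whose address differs from the suspected wildcard IP ($2): these are
# the ones worth a closer look, since they are not wildcard noise.
amass_hosts_not_on() {
    strip_source "$1" | awk -F, -v w="$2" 'NF == 2 && $2 != w { print $1 }' | sort -u
}

# Live confirmation (needs network, not called below): resolve a random label
# under the domain; any answer confirms the wildcard and shows its address.
dns_wildcard_check() {
    label=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    dig +short "$label.$1" A
}

amass_by_ip "$AMASS_OUT"
echo "--- hosts not on 163.172.132.11 ---"
amass_hosts_not_on "$AMASS_OUT" 163.172.132.11
```

Run as-is it reports 163.172.132.11 with 12 hosts and 98.109.153.106 with 4, then lists dev, test, totoro and zero as the hosts off the wildcard address. Feed real Amass output into the same functions after saving it with `-o`.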

DIG commands

WHOIS lookup

whois domain-name-here.com

Perform DNS A record (IP) lookup

dig a domain-name-here.com @nameserver

Perform MX Record Lookup

dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG

dig axfr domain-name-here.com @nameserver

Windows DNS zone transfer

nslookup (interactive session) -> set type=any -> ls -d blah.com
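The two zone transfer commands above only show the request; the following added example (not part of the original notes) shows how to read dig's AXFR output in a script: a complete transfer begins and ends with the zone's SOA record, a refused one prints "; Transfer failed." and no records. It extracts the A records from a successful transfer and wraps the check into an audit you can run against your own authoritative servers. The zone data is constructed from documentation names and addresses; `dig` is assumed to be installed only for the live audit function.

```shell
# Added example, not from the original notes: decide from dig's own output
# whether an AXFR succeeded, pull the A records out of a successful transfer,
# and wrap that into an audit you can run against your own nameservers.

# Constructed sample of a successful transfer (documentation names and
# addresses, not a real zone).
AXFR_OK='; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600 IN NS  ns1.example.com.
example.com.            3600 IN A   192.0.2.10
www.example.com.        3600 IN A   192.0.2.10
intranet.example.com.   3600 IN A   198.51.100.5
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec'

# Constructed sample of a refused transfer.
AXFR_REFUSED='; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.'

# A complete AXFR starts and ends with the zone SOA, so two SOA records
# (outside dig'"'"'s ";"-prefixed comment lines) mean the server handed over
# the zone. Reads dig output on stdin, exit status 0 = transfer succeeded.
axfr_succeeded() {
    awk '$0 !~ /^;/ && $4 == "SOA" { n++ } END { exit !(n >= 2) }'
}

# "name address" for every A record in the transfer, trailing dot removed.
axfr_a_records() {
    awk '$0 !~ /^;/ && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# Audit helper (needs network, not called below): run against your own
# authoritative servers and alert when any of them still answers AXFR.
audit_axfr() {
    domain=$1; shift
    for ns in "$@"; do
        if dig +time=5 +tries=1 axfr "$domain" "@$ns" | axfr_succeeded; then
            echo "WARNING: $ns allows zone transfer of $domain"
        else
            echo "ok: $ns refuses zone transfer of $domain"
        fi
    done
}

printf '%s\n' "$AXFR_OK" | axfr_succeeded && echo "sample 1: transfer succeeded"
printf '%s\n' "$AXFR_REFUSED" | axfr_succeeded || echo "sample 2: transfer refused"
printf '%s\n' "$AXFR_OK" | axfr_a_records
```

Usage for the audit: `audit_axfr example.com ns1.example.com ns2.example.com` (hypothetical names). Checking the SOA count rather than grepping for "Transfer failed" also catches the partial case where a server starts streaming and then aborts.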

Brute Force DNS addresses

Sublist3r

This runs Sublist3r on a list of domains and outputs the results in separate files.

xargs -n1 -I{} python sublist3r.py -d {} -o {}.txt < domains

Aquatone

Aquatone One-liner

echo "aquatone-discover -d \$1 && aquatone-scan -d \$1 --ports huge && aquatone-takeover -d \$1 && aquatone-gather -d \$1" >> aqua.sh && chmod +x aqua.sh
./aqua.sh domain.com

DNSRecon

DNS Recon

python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt

dnsrecon -d generalzero.org -D /opt/Hacking/Enumeration/SecurityLists/Discovery/DNS/sorted_knock_dnsrecon_fierce_recon-ng.txt -t std --xml /opt/Hacking/Enumeration/dnsrecon.xml

Scripts for enumeration

Search for other domains using certificates.

Certspotter

curl -s 'https://certspotter.com/api/v0/certs?domain=example.com' | jq -r '.[].dns_names[]' | sed 's/^\*\.//' | sort -u

Resolve the names and hand the addresses to nmap (sort -u instead of uniq so non-adjacent duplicates are removed; nmap reads its target list from stdin with -iL -; -sS needs root):

curl -s 'https://certspotter.com/api/v0/certs?domain=example.com' | jq -r '.[].dns_names[]' | sed 's/^\*\.//' | sort -u | dig +short -f - | grep -E '^[0-9.]+$' | sort -u | nmap -T5 -Pn -sS -iL - -p 80,443,21,22,8080,8081,8443 --open -n -oG -
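The certspotter pipeline above keeps every SAN in every matching certificate, including names outside the domain being examined, and `uniq` only collapses adjacent duplicates. The function below is an added example (not from the original notes and not part of certspotter or jq): it takes the raw SAN list as `jq -r '.[].dns_names[]'` emits it, lowercases it, strips wildcard prefixes and stray quotes, keeps only the apex and names under it, and de-duplicates properly, so nothing outside the agreed scope ends up in the resolve/scan steps. The sample list is constructed.

```shell
# Added example, not from the original notes: normalise a certificate SAN list
# down to de-duplicated, in-scope hostnames for the target domain.

# Reads names on stdin, one per line; $1 is the domain that defines scope.
normalize_san_names() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' \
        | sed -e 's/^"//' -e 's/"$//' -e 's/^\*\.//' \
        | awk -v d="$domain" '
            # keep the apex itself or anything ending in ".<domain>"
            NF == 1 && ($1 == d || substr($1, length($1) - length(d)) == "." d) { print }' \
        | sort -u
}

# Constructed sample SAN list, as the jq step would emit it: mixed case, a
# wildcard, a quoted entry, a look-alike domain, an unrelated one, a repeat.
SANS='www.Example.com
*.example.com
"example.com"
mail.example.com
example.com.evil.test
notexample.com
mail.example.com'

printf '%s\n' "$SANS" | normalize_san_names example.com

# Live use (needs network), replacing the sed/uniq tail of the pipeline above:
# curl -s 'https://certspotter.com/api/v0/certs?domain=example.com' \
#   | jq -r '.[].dns_names[]' | normalize_san_names example.com
```

On the sample this prints example.com, mail.example.com and www.example.com; example.com.evil.test and notexample.com are dropped because the suffix test requires a literal ".example.com" ending or the apex itself.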

Scans.io

Command to parse & extract sub-domains for a given domain:

curl --silent https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep '\.icann\.org"' | jq -r '.name'

crt.sh database (public PostgreSQL interface to the Certificate Transparency data)

psql -h crt.sh -p 5432 -U guest certwatch

Resolve domains

Use Certificate Transparency logs to find DNS addresses. Then use them to resolve to IP addresses and add them to the list.

./ct.py icann.org | ./bin/massdns -r resolvers.txt -t A -q -a -o -w icann_resolvable_domains.txt -

Search for other domains using IPv4 scans.

curl --silent https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep '\.icann\.org"' | jq -r '.name'

Resolution (out-of-band DNS/HTTP request catchers)

  • http://dnsbin.zhack.ca (DNS)
  • http://pingb.in (DNS)
  • http://requestb.in (HTTP)
  • https://www.mockbin.org/ (HTTP)

Reconnaissance

  • https://dnsdumpster.com/
  • https://dnslytics.com/bgp/us
  • Reverse IP Lookup (Domainmonitor)
  • Security headers (Security Report, missing headers)
  • http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon)
  • https://mxtoolbox.com (wide range of DNS-related recon tools)
  • https://publicwww.com/ (Source Code Search Engine)
  • http://ipv4info.com/ (Find domains in the IP block owned by a Company/Organization)
  • HackerTarget Tools (DNS recon, site lookup, and scanning tools)
  • VirusTotal (WHOIS, DNS, and subdomain recon)
  • crt.sh (SSL certificate search)
  • Google CT (SSL certificate transparency search)
  • PenTest Tools (Google dorks)
  • Wayback Machine (Find stuff which was hosted on the domain in past)
  • FindSubdomains (Find subdomains using domain or keywords)
  • https://scans.io/

Internal DNS

Do DNS lookups for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start gathering intel on your target.