DNS 53,5353

The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com, while web browsers and other clients connect to Internet Protocol (IP) addresses; DNS translates between the two. From an attacker's point of view a DNS server is also an inventory of the network, which is why the enumeration steps below come before host fingerprinting.

PORT STATE SERVICE REASON

53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)

5353/udp open zeroconf udp-response

53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)

Protocol_Name: DNS #Protocol Abbreviation if there is one.

Port_Number: 53 #Comma separated if there is more than one.

Protocol_Description: Domain Name Service #Protocol Abbreviation Spelled out

  • Enum

To get the domain name, point nslookup at the target and reverse-resolve the target's own IP (the server usually answers with its own hostname and domain):

nslookup

server {IP}

{IP}

Then add the result to /etc/hosts --> {IP} {Domain}

dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name}

dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name}

dig @{IP} {Domain_Name} ns (name server)

dig @{IP} {Domain_Name} mx (mail servers)

wfuzz -c -t 200 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.example.com" http://example.com

If every candidate comes back "correct" (same status code) but most responses have the same character count, that is the default virtual host answering; hide that baseline size with --hh={ch_amount} so only vhosts that respond differently remain.

gobuster vhost -u http://example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 200
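The baseline-filtering idea behind wfuzz --hh (and gobuster vhost's --exclude-length) in plain shell, as an added example that is not part of the original page: vhost_probe sends one request per wordlist entry with a spoofed Host header, and vhost_filter drops every response whose size matches the most common one. The target URL, base domain and wordlist arguments are hypothetical; the probe output below is constructed so the filter can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): virtual-host brute force with
# baseline filtering, the logic behind wfuzz --hh and gobuster vhost's
# --exclude-length. vhost_probe is the network half; vhost_filter is the
# offline half and is what the constructed sample below exercises.

# Send one request per wordlist entry with a spoofed Host header and print
# "<fqdn> <status> <bytes>". Target URL, base domain and wordlist are
# hypothetical arguments; this needs network access and is not run here.
vhost_probe() {
    url=$1; domain=$2; wordlist=$3
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        resp=$(curl -s -o /dev/null --max-time 5 \
                    -w '%{http_code} %{size_download}' \
                    -H "Host: ${word}.${domain}" "$url")
        printf '%s.%s %s\n' "$word" "$domain" "$resp"
    done < "$wordlist"
}

# Read "<fqdn> <status> <bytes>" lines on stdin, take the most common byte
# count as the default-vhost baseline, and print only lines that differ
# from it (equivalent to wfuzz --hh=<baseline>).
vhost_filter() {
    awk 'NF >= 3 {
            line[NR] = $0; size[NR] = $3; count[$3]++
         }
         END {
            best = ""; max = 0
            for (s in count) if (count[s] > max) { max = count[s]; best = s }
            for (i = 1; i <= NR; i++) if ((i in size) && size[i] != best) print line[i]
         }'
}

# Constructed probe output: three candidates hit the default vhost (1234 bytes),
# two answer differently and are the ones worth a closer look.
SAMPLE_PROBE='www.example.com 200 1234
admin.example.com 200 1234
dev.example.com 200 5678
mail.example.com 200 1234
api.example.com 403 88'

# Against a live target: vhost_probe http://example.com example.com wordlist.txt | vhost_filter
printf '%s\n' "$SAMPLE_PROBE" | vhost_filter
```

Filtering on the modal size rather than on a fixed number means the baseline is learned from the run itself; if the default vhost returns a slightly variable page (timestamps, CSRF tokens) compare on a rounded size or on the status code plus a hash of the body instead.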

for name in $(cat dnsnames.txt); do host -W 2 "$name.sportsfoo.com" 172.16.5.10; done | grep 'has address'

To Reverse DNS Lookup to see what an IP Address name is:

dig @{IP} -x {IP} +nocookie

For this we can also use a shell script. Example:

First, create a file named iplist.txt containing the IP addresses 172.16.5.1 to 172.16.5.99:

seq -f "172.16.5.%g" 1 99 > iplist.txt

(crunch 11 11 -t 172.16.5.%% -o iplist.txt produces a fixed-width list, 172.16.5.00 to 172.16.5.99. The zero-padded octets such as 172.16.5.05 are not a valid dotted quad, so dig -x falls back to treating the string as a partial reverse name, queries 05.5.16.172.in-addr.arpa and silently misses hosts .1 to .9.)

Now create reverse-dnsscript.sh with the following content:

#!/bin/bash
# Reverse-resolve every address in iplist.txt against the target DNS server.
# +nocookie disables the EDNS client cookie, which some servers mishandle.
for ip in $(cat iplist.txt); do dig @172.16.5.10 -x "$ip" +nocookie; done

Then execute it and grep for the answers we are interested in (the PTR records). Before fingerprinting every single host, first determine which ones are alive (-sn is the current spelling of the deprecated -sP ping scan):

nmap -sn 172.16.5.* -oG - | awk '/Up/{print $2}' > alive.txt && cat alive.txt

Now we can do nmap fingerprinting:

sudo nmap -A -O -iL alive.txt --osscan-guess

(After finding new subdomains, add them to /etc/hosts so the machine resolves them when you ping or browse to that subdomain.)

An interactive nslookup session against the target server, reverse-resolving the loopback and target addresses and then looking up the domain name itself:

nslookup

SERVER {IP}

127.0.0.1

{IP}

{Domain_Name}

exit

  • Grab DNS Banner

dig @{IP} version.bind CHAOS TXT

  • Scan for Vulnerabilities with Nmap

nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP}

  • Zone Transfer

A zone transfer needs the zone name: dig axfr @{IP} with no domain asks for the root zone and returns nothing useful. If the server allows AXFR from arbitrary clients, the whole zone (every A, CNAME, MX, SRV and TXT record) comes back in one query.

dig axfr @{IP} {Domain_Name}

dig @{IP} -t AXFR {Domain_Name} +nocookie

host -t axfr {Domain_Name} {IP}

fierce -dns {Domain_Name} (old Perl fierce) or fierce --domain {Domain_Name} --dns-servers {IP} (Python fierce)
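Once a zone transfer works, the next step the page describes is feeding the discovered names into /etc/hosts. The function below, an added example that is not part of the original page, turns `dig axfr` output into hosts-file lines: A records are grouped per address and CNAME aliases are attached to the address of their target. The zone dump it runs on is constructed (hostnames and addresses are made up).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): convert `dig axfr` output into
# /etc/hosts lines. A records become "<ip> <name> [<name> ...]" (one line per
# address, names in zone order, duplicates dropped); CNAME aliases are attached
# to the address of their target, following chains up to 8 hops.
axfr_to_hosts() {
    awk '
        # dig prints one record per line: owner ttl class type rdata.
        # Skip comments (";"), short lines and anything that is not class IN.
        /^;/ || NF < 5 || $3 != "IN" { next }
        { owner = $1; sub(/\.$/, "", owner) }
        $4 == "A" {
            ip = $5
            if ((ip, owner) in seen) next
            seen[ip, owner] = 1
            if (!(owner in addr)) addr[owner] = ip
            if (ip in names) names[ip] = names[ip] " " owner
            else { ips[++n] = ip; names[ip] = owner }
        }
        $4 == "CNAME" { target = $5; sub(/\.$/, "", target); cname[owner] = target }
        END {
            for (alias in cname) {
                t = cname[alias]
                for (hop = 0; hop < 8 && !(t in addr) && (t in cname); hop++) t = cname[t]
                if ((t in addr) && !((addr[t], alias) in seen)) {
                    seen[addr[t], alias] = 1
                    names[addr[t]] = names[addr[t]] " " alias
                }
            }
            for (i = 1; i <= n; i++) print ips[i] " " names[ips[i]]
        }'
}

# Constructed zone dump in dig axfr format (hostnames and addresses are made up).
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr @10.10.10.5 corp.local
;; global options: +cmd
corp.local.             3600 IN SOA   dc01.corp.local. hostmaster.corp.local. 2024010101 900 600 86400 3600
corp.local.             3600 IN NS    dc01.corp.local.
corp.local.             3600 IN A     10.10.10.5
dc01.corp.local.        3600 IN A     10.10.10.5
www.corp.local.         3600 IN CNAME web01.corp.local.
web01.corp.local.       3600 IN A     10.10.10.20
intranet.corp.local.    3600 IN A     10.10.10.20
dc01.corp.local.        3600 IN A     10.10.10.5
corp.local.             3600 IN SOA   dc01.corp.local. hostmaster.corp.local. 2024010101 900 600 86400 3600
;; Query time: 12 msec'

# Against a live target: dig axfr @{IP} {Domain_Name} | axfr_to_hosts | sudo tee -a /etc/hosts
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts
```

Only A records (and aliases that resolve to one) are emitted; AAAA, MX and SRV targets that live outside the zone are not in the dump and need a separate lookup. Review the output before appending it to /etc/hosts, since a hostile zone can hand you names such as your own update or proxy hosts.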

  • Active Directory, enumerate a DC via DNS

Domain controllers register SRV records for their services under _tcp (and, for the DC locator, under dc._msdcs). Query them directly with -t SRV, or let nmap's dns-srv-enum script walk the common names:

dig @{IP} -t SRV _gc._tcp.{Domain_Name}

dig @{IP} -t SRV _ldap._tcp.{Domain_Name}

dig @{IP} -t SRV _ldap._tcp.dc._msdcs.{Domain_Name}

dig @{IP} -t SRV _kerberos._tcp.{Domain_Name}

dig @{IP} -t SRV _kpasswd._tcp.{Domain_Name}

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}" {IP}

  • Metasploit DNS modules, run without an interactive msfconsole session

Note: sourced from https://github.com/carlospolop/legion

msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit'

msfconsole -q -x 'use auxiliary/gather/enum_dns; set DOMAIN {Domain_Name}; set NS {IP}; run; exit'

dns_amp checks whether the server answers recursive queries with responses large enough to be abused for DNS amplification; enum_dns takes the domain and the target name server (DOMAIN and NS, not RHOSTS), pulls the common record types, attempts a zone transfer and brute-forces subdomains.
