DNS Enumeration

This document outlines the steps for conducting DNS enumeration as part of network pentesting, using tools such as nmap, dnsenum, and DNSRecon. It provides commands for checking IP addresses, scanning DNS records, and performing zone transfers for the domain witrapper.com. Additionally, it highlights the importance of using multiple tools to avoid reliance on a single source due to potential limitations.


Name: DNS Enumeration

URL: https://attackdefense.com/challengedetails?cid=2019

Type: Network Pentesting: DNS

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Check the IP address of the machine.

Command: ip a

The IP address of the target machine is "192.211.79.3".

Step 2: Scan the target machine with nmap.

Command: nmap 192.211.79.3


Port 53 is open on the target machine. By default, a DNS server listens for requests on port 53.

Step 3: Check the default nameserver of the host machine.

Command: cat /etc/resolv.conf

This is the default nameserver used to resolve a domain name.

Step 4: Use the dnsenum tool to enumerate information on a domain and to discover
non-contiguous IP blocks.

1. Use dnsenum to extract all the information for witrapper.com:

Command: dnsenum witrapper.com


The output above extracts a lot of information on the resource records of witrapper.com:

the IP blocks used by witrapper.com, the reverse-lookup mapping, and the NSEC3, A, MX, SRV, CAA,
LOC, AAAA, TXT, NS, SOA and other records. It also attempts a zone transfer on the domain.

dnsenum can also save its output to an XML file, which can later be imported into
MagicTree.

Command: dnsenum witrap.com -o out.xml


Checking the generated output:

Command: cat out.xml


Step 5: Use the dnsrecon tool to enumerate various DNS records for a target domain.

1. Use dnsrecon to extract all the information for witrapper.com:

Command: dnsrecon -d witrapper.com


Notice that DNSSEC is enabled for witrapper.com.

2. Perform an AXFR query with standard enumeration on witrap.com:

Command: dnsrecon -d witrap.com -a


Notice that the tool performed a zone transfer for witrap.com. It also determined the version
of the BIND server: 9.11.3-ubuntu1.12-Ubuntu.

Information: Berkeley Internet Name Domain (BIND) is the most popular Domain Name
System (DNS) server in use today. BIND can be used to run a caching DNS server or an
authoritative name server, and provides features like load balancing, notify, dynamic update,
split DNS, DNSSEC, IPv6, and more.

3. Perform an AXFR query with standard enumeration on promo.witrap.com and save the
output in JSON format:

Command: dnsrecon -d promo.witrap.com -a -j ~/out.json


Checking the generated output:

Command: cat out.json

Note: If the file name were given as out.json (without ~/), the output would be saved inside the
dnsrecon directory: /usr/share/dnsrecon/
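Reading the saved JSON by hand gets tedious on a real zone, so here is an added example (not part of the lab or of dnsrecon) that reduces such a file to the facts a reviewer wants: record counts, the hostnames learned, whether DNSSEC record types appear, and which names resolve to private addresses, which is the usual sign that a zone transfer or split-DNS setup is leaking internal hosts. The sample input is constructed, the key names it assumes (type/name/address/target/exchange/mname) are an assumption about dnsrecon's output, and the hostnames other than witrap.com and promo.witrap.com are made up.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample modelled on dnsrecon's -j output. Key names are an
# assumption; hostnames other than witrap.com / promo.witrap.com are invented.
SAMPLE_JSON = """[
  {"type": "SOA", "mname": "ns1.witrap.com", "address": "192.211.79.3"},
  {"type": "NS", "target": "ns1.witrap.com", "address": "192.211.79.3"},
  {"type": "MX", "exchange": "mail.witrap.com", "address": "192.211.79.3"},
  {"type": "TXT", "name": "witrap.com", "strings": "v=spf1 mx -all"},
  {"type": "A", "name": "promo.witrap.com", "address": "192.211.79.3"},
  {"type": "A", "name": "intranet.witrap.com", "address": "10.0.0.5"},
  {"type": "A", "name": "git.witrap.com", "address": "10.0.0.6"},
  {"type": "RRSIG", "name": "witrap.com"}
]"""

DNSSEC_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM", "DS"}
HOST_KEYS = ("name", "target", "exchange", "mname")


def load_records(text):
    """Parse dnsrecon-style JSON, ignoring any entry without a record type
    (some versions prepend a header object describing the scan)."""
    return [r for r in json.loads(text) if isinstance(r, dict) and "type" in r]


def summarize(records):
    """Reduce the record list to counts, hostnames, DNSSEC presence and
    hostnames whose address is in a private (RFC 1918 etc.) range."""
    counts = Counter(r["type"] for r in records)
    hosts, private = set(), set()
    for r in records:
        host = next((r[k].lower().rstrip(".") for k in HOST_KEYS if k in r), None)
        if host:
            hosts.add(host)
        addr = r.get("address")
        if host and addr and ipaddress.ip_address(addr).is_private:
            private.add(host)  # internal address visible from outside
    return {
        "counts": dict(counts),
        "hosts": sorted(hosts),
        "dnssec": bool(counts.keys() & DNSSEC_TYPES),
        "private_hosts": sorted(private),
    }


if __name__ == "__main__":
    for key, value in summarize(load_records(SAMPLE_JSON)).items():
        print(f"{key}: {value}")
```

Point it at the real file with `summarize(load_records(open("out.json").read()))`; a non-empty `private_hosts` list is the finding to take back to whoever runs the nameserver.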

Step 6: Use the DNS Record Scanner and Enumerator auxiliary module to scan the target
DNS server.

Auxiliary Module: auxiliary/gather/enum_dns

Scanning and enumerating DNS records for witrap.com:

Commands:
msfconsole -q
use auxiliary/gather/enum_dns
setg NS 192.211.79.3
set DOMAIN witrap.com
run

Various records (NS, MX, SOA, TXT, SRV) for witrap.com were retrieved from the target
DNS server.

Running the same module for witrapper.com:

Various records (NS, MX, SOA, TXT, SRV) for witrapper.com were retrieved from the target
DNS server.

In the TXT record, it is mentioned that witrapper.com is the parent company of witrap.

Note: Some warnings are shown while running the module; these appear where Metasploit does
not recognise some of the record types returned by the server. This is particularly noticeable on
witrapper.com, where it does not know about the DNSSEC records. This shows that it is good
not to rely on a single tool or, if you have to, to know its limitations.

Brute-forcing subdomains and hostnames with the supplied wordlist:

Commands:
show options
set ENUM_BRT true
set DOMAIN witrapper.com
run

Default wordlist file: /usr/share/metasploit-framework/data/wordlists/namelist.txt


Various subdomains for witrapper.com are retrieved by this module.

References:

1. dnsenum (https://github.com/fwaeytens/dnsenum)
2. DNSRecon (https://github.com/darkoperator/dnsrecon)
3. DNS Record Scanner and Enumerator
(https://www.rapid7.com/db/modules/auxiliary/gather/enum_dns)