DNS - 53

DIG

# NS records: list the name servers that are authoritative for the zone
dig @10.10.10.10 nothing.htb NS

# ANY: ask for every record type the server is willing to return.
# Servers that follow RFC 8482 answer ANY with a minimal response, so a
# short or empty answer does not prove the other record types are absent.
dig @10.10.10.10 nothing.htb ANY

# AXFR: request a full zone transfer of the internal zone.
# This succeeds only when the server permits transfers to arbitrary
# clients. On the server side, restrict transfers to known secondaries
# (for example BIND's allow-transfer, ideally with TSIG keys).
dig @10.10.10.10 internal.nothing.htb AXFR

# SOA: confirm the zone exists on this server by looking for its SOA record
dig @10.10.10.10 nothing.htb SOA

# Zone transfer using fierce (zonetransfer.me is a public practice zone)
# LINK : <https://github.com/mschwager/fierce>
fierce --domain zonetransfer.me

Nslookup

# Default lookup: address records for the name
nslookup facebook.com

# A records for a specific subdomain
# (-type= and -query= are synonyms in nslookup)
nslookup -type=A www.facebook.com

# PTR record: reverse lookup of an IP address
nslookup -type=PTR 31.13.92.36

# ANY: whatever record types the server chooses to return; many servers
# give only a minimal answer to ANY (RFC 8482), so query each type as well
nslookup -type=ANY google.com

# TXT records (often hold SPF/DKIM policy and domain-verification tokens)
nslookup -type=TXT facebook.com

# MX records: the mail exchangers for the domain
nslookup -type=MX facebook.com

Brute Forcing Subdomains

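# Subdomain brute forcing: resolve every wordlist entry as
# <entry>.nothing.htb against 10.10.10.10 and append the answer lines that
# mention the entry to subdomains.txt.
#
# Fixes relative to the one-liner this replaces:
#  - The filters were written with doubled backslashes (';\\|SOA' and
#    '/^\\s*$/d'), which match a literal backslash. dig's ';' comment lines
#    were therefore never removed, and every candidate, resolvable or not,
#    ended up in subdomains.txt. The patterns below are plain ERE.
#  - The wordlist is read line by line instead of through $(cat ...), so
#    entries are not word-split or glob-expanded by the shell.
#  - The entry is quoted and matched as a fixed string (grep -F --), so
#    dots or a leading '-' in a wordlist line are not treated as regex
#    syntax or as options.
#
# Detection note: on the queried server this appears as a long run of
# NXDOMAIN answers to one client; query logging and response rate limiting
# are the usual controls.
while IFS= read -r sub; do
  # Skip blank wordlist lines; they would query the zone apex itself.
  [ -n "$sub" ] || continue
  dig "${sub}.nothing.htb" @10.10.10.10 \
    | grep -Ev ';|SOA' \
    | sed -E '/^[[:space:]]*$/d' \
    | grep -F -- "$sub" \
    | tee -a subdomains.txt
done < /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt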

# DNSenum: wordlist-driven enumeration of nothing.htb through one resolver.
#   --dnsserver  name server that receives the queries
#   --enum       dnsenum's shortcut preset (threads, scraping, whois)
#   -p 0, -s 0   zero search-engine pages / scraped names, so the run is
#                limited to DNS queries (as described in dnsenum's help)
#   -o           output file; dnsenum writes XML here despite the .txt name
#   -f           wordlist used for the brute-force stage
dnsenum \
  --dnsserver 10.10.10.10 \
  --enum \
  -p 0 \
  -s 0 \
  -o subdomains.txt \
  -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
  nothing.htb

# Subfinder: passive subdomain discovery for the domain given with -d;
# -v prints verbose output.
# It gathers names from third-party data sources rather than querying the
# target's own name servers, so the target's DNS logs will not show the
# run. Hostnames that must stay private should be kept out of publicly
# logged data such as certificates.
# LINK : <https://github.com/projectdiscovery/subfinder>
./subfinder -d something.com -v

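# Subbrute: brute-force subdomains of something.com through a chosen
# resolver list.
#   -s  wordlist of candidate names
#   -r  file of resolvers to query (here a single name server)
#
# The steps are chained with && so that a failed clone or cd stops the
# sequence. Previously all clone output, errors included, went to
# /dev/null, and the later commands still ran in whatever directory the
# shell was in, writing resolvers.txt there.
# --quiet hides git's progress output but still reports errors.
#
# NOTE(review): this runs the current HEAD of a third-party repository
# unreviewed; check out a commit you have inspected before executing it.
git clone --quiet https://github.com/TheRook/subbrute.git \
  && cd subbrute \
  && printf '%s\n' "ns1.something.com" > ./resolvers.txt \
  && ./subbrute something.com -s ./names.txt -r ./resolvers.txt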
