Particle42
DNS

DNS enumeration is one of the most important recon moves for a pentester, as it can be used to map an entire network without snooping around too much. Before performing recon on a DNS server you need a good understanding of how the DNS ecosystem works, so that you can interpret the output of a DNS recon tool. I will try to explain some of the basics here, but you can find excellent articles elsewhere that explain most of this in detail.

Why do we need DNS?

It is impossible to remember the IP address of every website you visit every day, so instead every website is given a name (a domain name) such as www.google.com. This name is linked to the IP address of the website, which is what computers can understand.

Now when you type a domain name in your browser, your computer has to look up the IP address associated with that domain name. DNS takes care of this association.

What are the different types of DNS out there?

In order to keep the record keeping tidy, a large ecosystem with different parts is formed. To start with, the domain name is split into 3 parts: "www." "google" ".com". There is also a "." after the ".com" that denotes the top of the DNS tree. When your computer wants to get the IP address of a domain name, the query starts at the top, at the "Root DNS" server. This server points to the Top Level Domain (TLD) server, which is assigned the domain ".com". The chain continues until it reaches the server that holds the domain name; that server is called the "Name Server (NS)" of the domain, and it serves the IP address. There is one more server, called the Recursive Server, that takes care of the communication between your computer and the rest of the DNS ecosystem.

What are the different types of records stored?

There are plenty of different servers out on the Internet and these have to be categorised properly. DNS maintains records of the servers and domains along with an indicator of the record type. For example, the record type "A" is the simplest of all: it is simply an association of an IP address with a domain name. Another example, "MX", denotes the mail server associated with the IP address. An "NS" record is the IP address of the "Name Server" that contains the record of the domain that you are searching for.

What is a zone transfer?

Some DNS servers may be wrongly configured to allow you to dump all the records of a specific domain when you query them. There are plenty of tools, such as dig, dnsrecon, etc., that can be used to request a zone transfer from a DNS server for a given domain. You can find working examples in the next article.
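As an added example (not from the original page), here is a small Python encoder/decoder for the DNS wire format that ties together the three sections above: the domain name split into labels that end at the root ".", the numeric codes behind the A, NS and MX record types (plus AXFR, the query type a zone-transfer request uses), and how a resolver reads an answer back. The sample response, its transaction id and its address are constructed for the demo.

```python
import struct

# Wire-format numbers (RFC 1035 / RFC 5936) for the record types the page discusses.
QTYPE = {"A": 1, "NS": 2, "MX": 15, "AXFR": 252}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

def encode_name(name: str) -> bytes:
    """'www.google.com' -> length-prefixed labels, ending with the empty root label (the final '.')."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """One-question query; flags 0x0100 = recursion desired (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS 1 = IN

def decode_name(msg: bytes, off: int):
    """Read a name at off, following compression pointers; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n >= 0xC0:  # 0b11xxxxxx: pointer to an earlier copy of the name
            end, off = end or off + 2, ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_answers(msg: bytes):
    """Return [(name, type, ttl, rdata)] from the answer section of a response message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qdcount):            # skip the echoed question(s): name + QTYPE + QCLASS
        off = decode_name(msg, off)[1] + 4
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE["A"]:
            rdata = ".".join(str(b) for b in rdata)   # 4 bytes -> dotted IPv4
        answers.append((name, QTYPE_NAME.get(rtype, rtype), ttl, rdata))
    return answers
# Constructed sample: a response to build_query("www.google.com", "A") carrying one A answer whose
# owner name is a pointer (0xC00C) back to the question name at offset 12. The address is made up.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.google.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

`build_query("example.com", "AXFR")` produces exactly the question a zone-transfer request carries, which is why checking your own name servers for AXFR exposure is a matter of seeing whether they answer that question type for anyone.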


Last updated 1 year ago
