Leet Sheet
Domains

Get hostnames and info from DNS servers

Last updated 3 years ago

Dig

If you've identified a DNS nameserver, you can query that server directly with dig.

Fierce

Fierce is a DNS reconnaissance tool for locating non-contiguous IP space.

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily, you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.

DNSRecon

Use a dictionary attack to enumerate subdomains against a DNS server.

python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt

AltDNS

AltDNS is a useful tool for enumerating subdomains. You can use subdomains you already know about and then apply changes and permutations to them to try to discover new ones.

DNSDumpster

Autonomous System (AS) Numbers

Finding Autonomous System (AS) Numbers will help us identify netblocks belonging to an organization, which in turn may contain valid domains.

  1. Resolve the IP address of a given domain using dig or host

  2. There are tools to find the ASN for a given IP address: https://asn.cymru.com/cgi-bin/whois.cgi

  3. There are tools to find the ASN for a given domain name: http://bgp.he.net/

  4. Finding AS Number using IP address

  5. The AS numbers found can be used to find the netblocks of the domain. There are Nmap scripts to achieve that: https://nmap.org/nsedoc/scripts/targets-asn.htm

nmap --script targets-asn --script-args targets-asn.asn=17012

Zone Transfers

If zone transfers are enabled, you can pull all the DNS data from a nameserver:

dig +multi AXFR @ns1.insecuredns.com insecuredns.com

Zone Walking

If the zone is DNSSEC-signed with NSEC records (rather than NSEC3), you can try zone walking.

What it is: an NSEC record proves that a name does not exist by naming the next existing name in the zone's canonical order, so following that chain from one record to the next lists every name in the zone. NSEC3 links salted hashes of the names instead, so walking an NSEC3 zone yields hashes rather than hostnames.

Tool usage:

ldns-walk @ns1.insecuredns.com insecuredns.com
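To see exactly what an NSEC chain exposes on a zone you operate, and why NSEC3 does not leak the same thing, here is an added example (not from the original page or from ldns-walk): it builds the chain for a constructed toy zone, walks it the way a zone walker does, and repeats the walk over NSEC3 owner hashes computed per RFC 5155 with the salt and iteration count from that RFC's Appendix A.

```python
import base64
import hashlib

# Constructed toy zone (not from the page): names a small signed zone might hold.
ZONE = ["example.", "www.example.", "mail.example.", "Dev.example.", "vpn.example."]
# NSEC3 parameters as in RFC 5155 Appendix A: salt aabbccdd, 12 extra iterations.
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
# NSEC3 hashes are printed in base32hex (RFC 4648 s7); map from stdlib's base32 alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_key(name):
    # RFC 4034 s6.1 canonical order: labels compared right to left, case-insensitively.
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def name_to_wire(name):
    # Owner name in wire format: length-prefixed lowercase labels, then the root label.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    # RFC 5155 s5: SHA-1 over wire name + salt, then re-hash (digest + salt) `iterations` times.
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32_TO_B32HEX).lower()


def build_chain(owners):
    # Each owner points at the next one in canonical order; the last wraps to the first.
    ordered = sorted(owners, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def walk(chain, start):
    # What a zone walker does: fetch one record, follow its "next" field until back at start.
    found, cur = [start], chain[start]
    while cur != start:
        found.append(cur)
        cur = chain[cur]
    return found


def walk_nsec(zone):
    # NSEC links real names, so one walk from the apex recovers the whole zone.
    ordered = sorted(zone, key=canonical_key)
    return [n.lower() for n in walk(build_chain(ordered), ordered[0])]


def walk_nsec3(zone, salt=SALT, iterations=ITERATIONS):
    # NSEC3 links hashes, so the same walk yields 32-character hashes, not hostnames.
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in zone)
    return walk(build_chain(hashes), hashes[0])
```

Run walk_nsec(ZONE) and walk_nsec3(ZONE) side by side: the first returns every hostname, the second only opaque hashes that would still have to be cracked against a wordlist, which is the reason to prefer NSEC3 (or minimally covering NSEC) on zones you sign.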

ForwardDNS

There is a huge Forward DNS (FDNS) dataset compiled by Rapid7's Project Sonar. It can be fetched from scans.io (as in the command below) and is supposed to be pretty thorough.

curl -s https://scans.io/data/rapid7/sonar.fdns_v2/20170417-fdns.json.gz | pigz -dc | grep -F '.icann.org' | jq .

The database is 19GB compressed and 300GB uncompressed though. You'll have to download it and uncompress it, so make sure you have a good internet connection and lots of disk space.
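A grep for ".icann.org" also matches names that merely contain that string (such as a lookalike under a third-party domain) and misses the apex itself. The following added example (not from the page or from Rapid7) streams a gzipped FDNS-style dump and keeps only records that are the domain or a true subdomain of it, which is how a defender would inventory forgotten hosts under their own domain. The record layout (timestamp, name, type, value keys) is assumed from the sonar.fdns_v2 JSON-lines format, and the records themselves are constructed.

```python
import gzip
import io
import json
from collections import defaultdict

# Constructed FDNS-style records (not real Sonar data). Field names assume the
# sonar.fdns_v2 JSON-lines layout: timestamp, name, type, value.
SAMPLE_FDNS = "\n".join(json.dumps(r) for r in [
    {"timestamp": "1492413064", "name": "www.icann.org", "type": "a", "value": "192.0.2.10"},
    {"timestamp": "1492413064", "name": "old-vpn.icann.org", "type": "a", "value": "192.0.2.11"},
    {"timestamp": "1492413064", "name": "Staging.ICANN.org", "type": "cname", "value": "www.icann.org"},
    {"timestamp": "1492413064", "name": "icann.org", "type": "mx", "value": "mail.icann.org"},
    # Two names a naive substring grep would wrongly accept:
    {"timestamp": "1492413064", "name": "notsicann.org", "type": "a", "value": "198.51.100.5"},
    {"timestamp": "1492413064", "name": "www.icann.org.attacker.example", "type": "a",
     "value": "198.51.100.6"},
])


def in_domain(name, domain):
    # True if name is the domain itself or a subdomain of it; case and trailing dot ignored.
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def fdns_inventory(stream, domain):
    # Stream a gzipped JSON-lines dump without loading it into memory and collect
    # every (name, value) pair under `domain`, keyed by lowercase record type.
    inventory = defaultdict(set)
    with gzip.open(stream, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            rec = json.loads(line)
            if in_domain(rec.get("name", ""), domain):
                inventory[rec["type"].lower()].add((rec["name"].lower(), rec["value"]))
    return {rtype: sorted(pairs) for rtype, pairs in inventory.items()}


def sample_gz():
    # The constructed sample, gzip-compressed in memory the way the real dump is on disk.
    return io.BytesIO(gzip.compress(SAMPLE_FDNS.encode("utf-8")))


if __name__ == "__main__":
    for rtype, pairs in fdns_inventory(sample_gz(), "icann.org").items():
        print(rtype, pairs)
```

Point fdns_inventory at an open file handle for the real 20170417-fdns.json.gz to run it over the full dump; names such as old-vpn that nobody remembers are the ones worth checking against your asset register.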

Sublist3r

Sublist3r is a tool that queries a lot of different search engines and aggregates the results.

https://github.com/aboul3la/Sublist3r

DNSDumpster queries DNS servers and returns the subdomains it finds. Here is the explanation of how it works:

https://dnsdumpster.com/
https://dnsdumpster.com/footprinting-reconnaissance/

For background on NSEC zone walking, see:

http://info.menandmice.com/blog/bid/73645/Take-your-DNSSEC-with-a-grain-of-salt