-
Notifications
You must be signed in to change notification settings - Fork 0
/
dns.cheat
84 lines (59 loc) · 2.89 KB
/
dns.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
% DNS Enum
$ qtype: dig -h | grep 'q\-type' | tail -n1 | cut -d '(' -f 2 | cut -d '.' -f 1 | sed 's|,|\n|g' | grep .
# $ options_dig: locate \/dig.1.gz | xargs -I {} zcat {} | grep '\fB' | grep '\.B' | head -n-5 | tail -n+4 | sed 's/.B \\fB//g' | sed 's/\\fP//g' | sed 's/\\-/-/g'
# $ target: if [[ ! -z <target> ]]; then; echo <target>; fi
$ wordlist: fdfind . "$(pwd)" /usr/share/{seclists,wordlists} /usr/share/amass/ -Ltf | grep -i dns | sort -u
$ dns_server: echo -e '$(cat nameserver.out 2>/dev/null)\nns.<target>\nns1.<target>\nns2.<target>'
# whois on the target
whois <target>
# query the dns and export it
export dns_server=$(host -t ns $(echo '<target>' | rev | cut -d '.' -f 1,2 | rev) $(ping -c 1 <target> | head -n 1 | cut -d '(' -f 2 | cut -d ')' -f 1) | tail -n 1 | rev | awk '{print $1}' | rev | sed 's/\.$//g'); echo $dns_server
# get ns server from an hostname
host -t ns $(echo '<target>' | rev | cut -d '.' -f 1,2 | rev) $dns_server | tee nameserver.out
# list 'all' options with host
host -a <target>
# host with nameserver
host -l <target> $dns_server
# zonetransfer on nameserver with dnsrecon
dnsrecon -d <target> -t axfr -n $dns_server
# dnsenum the target
dnsenum <target>
# nslookup with server and ns to lookup
printf "server $dns_server\nset type=any\n<reverse-lookup-ip>\nexit\n" | nslookup
# gobuster basic
gobuster -t 15 dns --domain <domain> --wordlist <wordlist> --show-ips
# gobuster with resolver
gobuster -t 15 dns --resolver <resolver> --domain <domain> --wordlist <wordlist> --show-ips
# enum with msfconsole basic settings
msfconsole -q -x 'use auxiliary/gather/enum_dns;set DOMAIN <domain>; set WORDLIST <wordlist>;options; run' # ctrl c out of it if you want to do more settings
# dig on the target, default nameserver with default q-type (a) and nameserver defined in system
dig <target>
# zonetransfer on nameserver with dig
q-type axfr <target> @$dns_server
# dig on the target with nameserver
dig q-type <qtype> <target> @$dns_server
# To use a specific query type
dig q-type <qtype> <target>
# To do a DNS reverse look up
dig -x <ip_adress> +short
# To use a specific DNS server
dig @<specific_dns> <target>
# To do a bulk DNS query (where <file> has all the domains, one to a line)
dig -f <file>
# (hack the box cheats) Identify the A record for the target domain.
nslookup <target>
nslookup -query=A <target>
dig <target> @$dns_server
dig a <target> @$dns_server
# (hack the box cheats) Identify the PTR record for the target IP address.
nslookup -query=PTR <target>
dig -x <target> @$dns_server
# (hack the box cheats) Identify ANY records for the target domain.
nslookup -query=ANY <target>
dig any <target> @$dns_server
# (hack the box cheats) Identify the TXT records for the target domain.
nslookup -query=TXT <target>
dig txt <target> @$dns_server
# (hack the box cheats) Identify the MX records for the target domain.
nslookup -query=MX <target>
dig mx <target> @$dns_server