Port 53 - DNS

Nmap:

nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com

Dig:

dig any domain.name $IP

dig axfr domain.name $IP

nslookup

Forward Lookup Brute Force

for ip in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt); do host $ip.megacorpone.com; done | grep -v "not found"

Reverse Lookup Brute Force

(Useful if a range was found and it's possible there are hostnames within that range that are not on your wordlist from the forward lookup)

for ip in $(seq  50 240); do host 51.222.169.$ip; done | grep -v "not found"

DNS Zone Transfer:

(This makes a copy of the DNS file and should never be allowed, so it represents a severe misconfiguration)

host -l megacorpone.com ns2.megacorpone.com

Last updated 3 years ago