MODULE 4:- Information Gathering
- How to use dnsenum for dns enumeration – Kali
- How to use dig command in Kali Linux
- whois Kali Linux commands with example
- Enumerating DNS Records through dnsenum tool in Kali Linux
- Email Harvesting by theharvester tool in Kali Linux
- Google Hacking | Open Web Information Gathering
- dnsmap | DNS Domain name system brute force attacks
- Zone Transfer using dnswalk tool
- Website information Gathering through Nikto tool
- Search Senstive Data through Metagoofil Kali Linux 2.0
- 8 Steps to run Maltego Kali Linux – beginner guide
What is DNS Enumeration?
DNS identification is the procedure of finding all the DNS servers and their relating records for an organization. An organization may have both internal and external DNS servers that can yield data, for example, usernames, PC names, and IP addresses of potential target System. There are a lot of tools that can be used to gain information for performing DNS enumeration. The examples of tool that can be used for DNS enumeration are NSlookup, DNSstuff, dnsenum, firecie,host,dig and Whois. To enumerate DNS, you must have understanding about DNS and how it functions. You must have knowledge about DNS records. The list of DNS record provides an overview of types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:
- A (address)—Maps a host name to an IP address
- SOA (Start of Authority)—Identifies the DNS server responsible for the domain information
- CNAME (canonical name)—Provides additional names or aliases for the address record
- MX (mail exchange)—Identifies the mail server for the domain
- SRV (service)—Identifies services such as directory services
- PTR (pointer)—Maps IP addresses to host names
- NS (name server)—Identifies other name servers for the domain.
Definition of a Zone Transfer
A Zone Transfer is the term used to refer to the process by which the contents of a DNS Zone file are copied from a primary DNS server to a secondary DNS server.
A Zone transfer will occur during any of the following scenarios:
- When starting the DNS Service on the secondary DNS server.
- When the refresh time expires.
- When changes are saved to the Primary Zone file and there is a Notify List.
Zone Transfers are always initiated by the secondary DNS server. The primary DNS server simply answers the request for a Zone Transfer. If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.
More Detail : https://support.microsoft.com/en-us/kb/164017
Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks. This tool is inbuilt in kali Linux by default and following options are covered by this tool.
Operations by dnsenum
Following operation are performed by dnsenum:
- Get the host’s addresse (A record).
- Get the namservers (threaded).
- Get the MX record (threaded).
- Perform axfr queries on nameservers and get BIND VERSION (threaded).
- Get extra names and subdomains via google scraping.
(google query = “allinurl: -www site:domain”).
- Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).
- Calculate C class domain network ranges and perform whois queries on them (threaded).
- Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded).
- Write to domain_ips.txt file ip-blocks.
General Options with in dnsenum
Usage example of dnsenum
Don’t do a reverse lookup (–noreverse) and save the output to a file (-o result.xml) for the domain example.com: