DNS Enumeration - Foren-Ken/tech-journal GitHub Wiki

What is DNS Enumeration?

Discovering the DNS records associated with a domain or network. The method used on this page is reverse lookup: every IP address in a range is sent to a DNS server as a PTR query, and any address the server holds a record for comes back with its hostname. Pointing those queries at the target's own DNS server matters, because internal hostnames are usually only present there and the default resolver would miss them; the queries are also visible in that server's logs.


NMAP COMMANDS:

To discover DNS servers: nmap IPADDRESS/24 -Pn -p 53 --open -oG result.file This scans the network for hosts with TCP port 53 open and writes grepable output to result.file. -Pn skips host discovery so hosts that drop ping still get scanned, -p takes the port number (53) and the open-only filter is spelled --open. A DNS server that only listens on UDP will not show up in a TCP scan; add -sU (needs root) to scan UDP 53 as well.

With result.file, the bash command: grep "Host:" result.file | awk '{print $2}' | sort --unique lists each DNS server IP once. awk pulls the second field of every Host: line, and sort --unique collapses the separate Status: and Ports: lines nmap writes for the same host.

To discover host names: nmap -sL IPADDRESS/24 --dns-servers DNSSERVERIP This is a list scan: nmap sends no probes to the targets and only performs a reverse (PTR) lookup of every address in the range, asking the DNS server given with --dns-servers (the documented option name is plural) instead of the system resolver.

The output can be trimmed to just the hostname and IP address pairs, which makes it far more readable: nmap -sL 10.0.5.0/24 --dns-servers 10.0.5.22 | grep "Nmap scan" | grep "(" | awk '{print $5, $6}' The grep "(" keeps only the addresses that actually resolved, since nmap prints an unresolved address without parentheses; $5 is the hostname and $6 the address in parentheses.
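The whole sweep in one script, as an added example that is not the wiki's dns-resolver.sh or any other code from the lab: it carves the DNS server IPs out of the grepable result file, then reverse-resolves a /24 through one of them. The nmap -sL parser and the nslookup parser are kept as separate functions so they can be checked against saved output without touching the network. The function names, the script name reverse-sweep.sh and the addresses 10.0.5.22 / dc01.corp.local are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the wiki's dns-resolver.sh: find DNS servers from an
# `nmap -oG` result file, then reverse-resolve a /24 through one of them.
# Function names, reverse-sweep.sh and the sample addresses are assumptions.

# Step 1: carve the IPs that answered on port 53 out of grepable nmap output.
# A grepable file carries a "Host: <ip> () Ports: 53/open/tcp//domain///"
# line per host with an open port, so filter on "53/open" rather than
# trusting that --open suppressed every other host.
parse_grepable() {
    awk '/^Host:/ && /53\/open/ { print $2 }' | sort -u
}

# Step 2a: carve "ip hostname" pairs from `nmap -sL` output. Only lines with
# a parenthesised address resolved; unresolved hosts print the bare IP and
# are dropped here.
parse_nmap_sl() {
    awk '/^Nmap scan report for/ && /\(/ { gsub(/[()]/, "", $6); print $6, $5 }'
}

# Step 2b: the same lookup done with nslookup, as dns-resolver.sh does.
# BIND-style nslookup prints "<rev>.in-addr.arpa  name = host.example." on a
# hit; strip the trailing dot. An NXDOMAIN answer has no such line, so
# nothing is printed and the caller treats the address as unresolved.
parse_nslookup() {
    awk '/name = / { sub(/\.$/, "", $NF); print $NF }'
}

# reverse_sweep DNSSERVER PREFIX: ask DNSSERVER for the PTR record of
# PREFIX.1 through PREFIX.254 and print "ip hostname" for each hit.
# This is the only function that needs the network.
reverse_sweep() {
    server="$1"
    prefix="$2"
    i=1
    while [ "$i" -le 254 ]; do
        host=$(nslookup "$prefix.$i" "$server" 2>/dev/null | parse_nslookup | head -n 1)
        [ -n "$host" ] && printf '%s %s\n' "$prefix.$i" "$host"
        i=$((i + 1))
    done
    return 0
}

# Gluing step 1 to the nmap variant of step 2 (assumed file and range):
#   parse_grepable < result.file | while read -r srv; do
#       nmap -sL 10.0.5.0/24 --dns-servers "$srv" | parse_nmap_sl
#   done
# Usage of the nslookup variant: sh reverse-sweep.sh 10.0.5.22 10.0.5
if [ "$#" -ge 2 ]; then
    reverse_sweep "$1" "$2"
fi
```

Each hostname the sweep prints comes straight from the DNS server's answer, so treat it as data from the target: feed it to other tools through arguments, not through eval or an unquoted shell expansion. dig -x IP @server +short gives the same PTR answer with less output to parse if dig is available.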


CUSTOM TOOLS:

dns-resolver.sh does the same job as the nmap host name discovery command, but uses nslookup for each lookup. It is very simple and its design is based on the portscannerV2.sh written during the same lab. It accepts a DNS server and an IP/24 range and resolves every address in the range to its hostname. dns-resolver.sh

portscannerV2.sh is a small, easy-to-use script that scans a single IP or an IP range against a predefined list of ports. portscannerV2.sh