Activity 3.1 DNS Enumeration - JimKnee-Champ/Ethical-Hacking-Journal GitHub Wiki
"sudo nmap -Pn -p80 --open -oG scanoutput.txt 10.0.5.0/24" - Scans the 10.0.5.0/24 network for port 80, skipping host discovery (-Pn, so hosts that drop ping probes are still scanned), reports only addresses where port 80 is open (--open), and writes the result in grepable format (-oG) to scanoutput.txt.
"sudo nmap -sL 10.0.5.0/24 --dns-servers 10.0.5.22" - List scan: enumerates every address in the range and does a reverse DNS lookup on each through the specified DNS server (10.0.5.22), without sending any packets to the targets themselves. Addresses that resolve are printed as "name (ip)", so adding | grep "(" keeps only the hosts that have a reverse DNS name (plus some extraneous bits, such as the "Nmap done:" summary line, which also contains a parenthesis).
"dig axfr zonetransfer.me @(nameserver) > textfile"
"dig axfr zonetransfer.me @(nameserver2) >> textfile"
(The @ is required: without it dig treats the nameserver argument as another name to look up rather than the server to ask. The second command appends to the same file with >>.)
Requests a zone transfer (AXFR) from the specified nameserver and saves the returned records to the specified text file. Zone transfers exist so that secondary DNS servers can copy the complete zone from the primary: if one DNS server is lost, the crucial data it stored is not, and another server can quickly be made to replace its service. When a server answers AXFR requests from anyone instead of only its authorized secondaries, it also provides many vectors for attack, since a single query lists essentially every host the server knows about (names, addresses, mail servers, and so on).
cat zt.txt | awk '{print $1"\t\t\t"$5}' | grep -v ";" - With zt.txt being the file the dig axfr output was saved to, prints the first and fifth fields of each record line (the record name and its data, e.g. the IP address of an A record) and drops dig's comment lines, which start with ";". Note this prints every record type, not only web servers; it can be refined by filtering on the record type in the fourth field, e.g. awk '$4=="A" {print $1","$5}' zt.txt to get a comma-separated name,address list of A records only, or grep -E '[[:space:]](A|CNAME)[[:space:]]' zt.txt before the awk command.
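The two parsing steps above (picking resolved hosts out of nmap -sL output, and pulling records out of a saved dig axfr dump), as an added worked example that is not part of the original journal entry. Both tool outputs embedded in the script are constructed samples written in the real tools' output format, not captured from a live run; the nameserver ns1.example and the 10.0.5.x addresses are made up. The script is POSIX sh and runs offline.

```shell
#!/bin/sh
# Added example: offline parsing of the two outputs used in the journal entry.
# Both samples below are CONSTRUCTED in the real tools' output format; they
# are not captured from a live scan or zone transfer.

# What "dig axfr zonetransfer.me @ns1.example > zt.txt" leaves in zt.txt.
# Record lines are: name TTL class type rdata... and comment lines start with ";".
# (dig separates fields with tabs; awk's default splitting handles tabs or spaces.)
SAMPLE_AXFR='; <<>> DiG 9.18.0 <<>> axfr zonetransfer.me @ns1.example
;; global options: +cmd
zonetransfer.me.          7200  IN  SOA    ns1.example. hostmaster.zonetransfer.me. 2019100801 172800 900 1209600 3600
zonetransfer.me.          7200  IN  NS     ns1.example.
zonetransfer.me.          7200  IN  A      10.0.5.10
www.zonetransfer.me.      7200  IN  A      10.0.5.11
mail.zonetransfer.me.     7200  IN  A      10.0.5.12
intranet.zonetransfer.me. 7200  IN  CNAME  www.zonetransfer.me.
zonetransfer.me.          7200  IN  MX     0 mail.zonetransfer.me.
zonetransfer.me.          7200  IN  SOA    ns1.example. hostmaster.zonetransfer.me. 2019100801 172800 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 10.0.5.22#53(10.0.5.22) (TCP)
;; XFR size: 8 records (messages 1, bytes 312)'

# What "nmap -sL 10.0.5.0/24 --dns-servers 10.0.5.22" prints: only addresses
# with a reverse-DNS name get the "name (ip)" form. The banner and the
# "Nmap done" line also contain "(", which is why a bare grep "(" picks up
# extraneous bits.
SAMPLE_SL='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 10.0.5.1
Nmap scan report for ns1.zonetransfer.me (10.0.5.22)
Nmap scan report for www.zonetransfer.me (10.0.5.11)
Nmap scan report for 10.0.5.200
Nmap done: 256 IP addresses (0 hosts up) scanned in 0.05 seconds'

# Every resource record from an AXFR dump as "name,type,rdata", skipping dig's
# ";" comment lines. Rdata can span several fields (SOA, MX), so join field 5
# onward instead of printing $5 alone.
axfr_records() {
    grep -v '^;' | awk 'NF >= 5 {
        rdata = $5
        for (i = 6; i <= NF; i++) rdata = rdata " " $i
        print $1 "," $4 "," rdata
    }'
}

# Only the addresses of A records, deduplicated: a target list for nmap -iL.
axfr_a_hosts() {
    grep -v '^;' | awk '$4 == "A" { print $5 }' | sort -u
}

# Hosts from nmap -sL output that actually resolved, printed as "ip name",
# ignoring the other lines that merely happen to contain a parenthesis.
nmap_resolved() {
    grep '^Nmap scan report for ' | grep '(' \
        | sed -E 's/^Nmap scan report for (.*) \((.*)\)$/\2 \1/'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_AXFR" | axfr_records
printf '%s\n' "$SAMPLE_AXFR" | axfr_a_hosts
printf '%s\n' "$SAMPLE_SL"   | nmap_resolved
# Against a live target, chaining the journal's steps would look like:
#   dig axfr zonetransfer.me @ns1.example > zt.txt
#   axfr_a_hosts < zt.txt > targets.txt
#   sudo nmap -Pn -p80 --open -oG scanoutput.txt -iL targets.txt
```

Filtering on the record type in the fourth field (axfr_a_hosts) rather than on the presence of a ";" is what keeps MX priorities and SOA serials out of a host list, and anchoring on "Nmap scan report for" is what removes the extraneous parenthesis lines that a bare grep "(" lets through.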