Week03: DNS Enumeration - Paiet/SEC-335 GitHub Wiki
- Remade the port scanning script to accept a subnet and a port to scan for in that subnet. Code here
- Use `git clone` to clone a repo to the local machine.
- `git add` to add files, then `git commit -m "message"` to commit.
- Finally, `git push` to push the changes to GitHub.
- You can specify the DNS server when doing an nslookup by typing the target IP first, then the server IP:
  `nslookup x.x.x.x x.x.x.x`
- Made another bash script to execute an nslookup on an entire subnet using a specified server IP.
- Next I made a one-liner that finds machines with port 53 open using nmap. Their IP addresses are then written to a text file, one address per line:
  `sudo nmap 10.0.5.1-255 -p 53 -Pn --open -oG - | grep "/open" | awk '{ print $2 }' >> dns-servers.txt`
  - This command scans the 10.0.5.1-255 range on port 53. It uses -Pn to skip host discovery, --open to show only open ports, and -oG - to write grepable output to stdout. grep then keeps only the lines containing the string "/open", and awk prints the second field of each of those lines, which is the IP address. The result is appended to dns-servers.txt.
- I also made a one-liner to do a reverse nslookup on an entire subnet:
  `sudo nmap -sL 10.0.5.0/24 --dns-servers 10.0.5.22 | grep -E ".*\([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\)" | awk '{print $5,$6}'`
  - Because of the -sL flag this is a list scan: nmap only lists the targets in the 10.0.5.0/24 network and does a reverse lookup of each through the DNS server 10.0.5.22, without sending any probes to the hosts. grep then uses a regex to keep the lines containing an IP address in brackets, which are exactly the hosts that resolved to a name (unresolved hosts are printed without brackets and so are dropped). Finally awk prints the 5th and 6th fields of those lines, which are the DNS name and the IP address.
- Finally, we executed a DNS zone transfer. The DNS server sent over all of the records it had, which gave us a large list of DNS names along with their IP addresses. With some help from grep and awk we can trim this list down to just A records and display only the IP addresses and DNS names.
  - The zone transfer can be accomplished with the following command:
    `dig axfr @nsztm1.digi.ninja zonetransfer.me > zt.txt`
    `grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" zt.txt | awk '{print $1,$5}' | grep -v ";"`
  - This command uses grep to find the lines containing IPv4 addresses, then awk prints the first and fifth fields, which are the DNS name and the IP address, and grep is used again with -v to drop any line containing a semicolon (dig's comment and status lines).
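As an added example (not part of the original wiki page), the two parsing steps above, the reverse-lookup output of `nmap -sL` and the A records from a `dig axfr` transfer, written as small shell functions run over constructed sample output so they can be checked offline. The hostnames, addresses and DNS server in the samples are made up; the A-record filter keys on the record-type field instead of "any line containing an IPv4 address", so TXT or SOA lines that merely mention an address are not mistaken for hosts.

```shell
#!/usr/bin/env bash
# Constructed sample of `dig axfr` output (not a real transfer), used to exercise the parser.
SAMPLE_AXFR='; <<>> DiG 9.18 <<>> axfr @ns.example.test example.test
;; global options: +cmd
example.test.      7200 IN SOA  ns.example.test. hostmaster.example.test. 1 3600 900 604800 300
example.test.      7200 IN NS   ns.example.test.
example.test.      7200 IN TXT  "v=spf1 ip4:192.0.2.50 -all"
ns.example.test.   7200 IN A    192.0.2.10
www.example.test.  300  IN A    192.0.2.20
mail.example.test. 300  IN AAAA 2001:db8::25
;; Query time: 2 msec'

# Constructed sample of `nmap -sL` output (not a real scan): one host without a PTR record.
SAMPLE_SL='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.0.5.1
Nmap scan report for dc01.example.test (10.0.5.22)
Nmap scan report for web01.example.test (10.0.5.40)
Nmap done: 256 IP addresses (0 hosts up) scanned'

# Print "name ip" for A records only: skip dig comment lines (start with ";")
# and require the record-type field ($4) to be exactly "A".
extract_a_records() {
    awk '$1 !~ /^;/ && $4 == "A" { print $1, $5 }'
}

# Print "name ip" for hosts that actually resolved in the -sL output:
# a name precedes the bracketed IP, and the brackets are stripped.
extract_resolved_hosts() {
    awk '/^Nmap scan report for .* \(/ { gsub(/[()]/, "", $6); print $5, $6 }'
}

# Helpers returning the number of records each parser keeps on the samples.
count_a_records() { printf '%s\n' "$SAMPLE_AXFR" | extract_a_records | wc -l | tr -d ' '; }
count_resolved()  { printf '%s\n' "$SAMPLE_SL"   | extract_resolved_hosts | wc -l | tr -d ' '; }

# Run both parsers over the samples (A records: 2 lines, resolved hosts: 2 lines).
printf '%s\n' "$SAMPLE_AXFR" | extract_a_records
printf '%s\n' "$SAMPLE_SL"   | extract_resolved_hosts
```

To use it on real output, pipe `zt.txt` or the `nmap -sL` output into the matching function instead of the sample variables.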