Class Activity 3.1 - zacharylongo/Tech-Journals GitHub Wiki

Goal: Create DNS enumeration scripts

Deliverable Scripts of note:

Deliverable #1 Script

for i in {1..254}; do nmap -p 53 -Pn 10.0.5.$i; done

  • This is a hilariously inefficient way to do this: it launches a separate nmap process for each of the 254 addresses and prints every host's full report individually rather than as an easy-to-read list.

Deliverable #5 Script and output:

nmap -p 53 --open -Pn -oG - 10.0.5.0/24 | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort -u > dns-servers2.txt
  • nmap -p 53 --open -Pn -oG - 10.0.5.0/24: Scans TCP port 53 across 10.0.5.0/24, skipping host discovery (-Pn), keeping only hosts where the port is open (--open), and writing the results in grepable format to stdout ("-oG -").
  • grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b': Extracts every IPv4-looking token from the nmap output with a regular expression. Caveat: grepable output begins with a comment line that echoes the command, so this also captures the target network address 10.0.5.0 from "10.0.5.0/24" and writes it into dns-servers2.txt; it would likewise match an address on any line, not only on lines reporting 53/open/. Filtering on "Host:" lines that contain 53/open/ before taking the address field is safer.
  • sort -u: Sorts the addresses and removes duplicates.
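As an added example, not code from the wiki page, here is a shell function that takes the DNS servers out of grepable output by parsing the "Host:" records, alongside the page's regex approach for comparison. The -oG text it runs on is constructed to resemble nmap's grepable format; the scan, the addresses and the hostname ns2.example.com are made up.

```bash
#!/usr/bin/env bash
# Added example: pick DNS servers out of nmap -oG output by parsing the
# "Host:" records instead of grepping every IPv4-looking token.

# Constructed sample in nmap grepable format (not a real scan). The header
# comment echoes the command line, including the 10.0.5.0/24 target.
NMAP_GREPABLE='# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -p 53 --open -Pn -oG - 10.0.5.0/24
Host: 10.0.5.22 ()	Status: Up
Host: 10.0.5.22 ()	Ports: 53/open/tcp//domain///
Host: 10.0.5.23 ()	Ports: 53/filtered/tcp//domain///
Host: 10.0.5.51 (ns2.example.com)	Ports: 53/open/tcp//domain///
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (256 hosts up) scanned in 5.01 seconds'

# The page's approach: every dotted quad in the stream (-w is used here in
# place of \b for portability). It also returns 10.0.5.0 from the header and
# 10.0.5.23, whose port 53 is filtered, not open.
naive_extract() {
    grep -owE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Robust version: only "Host:" records whose port list contains 53/open/.
# On those lines $2 is the address and $3 the reverse name in parentheses
# (empty parentheses when nmap could not resolve one).
open_dns_hosts() {
    awk '/^Host:/ && /[[:space:]]53\/open\//{ print $2 }' | sort -u
}

# Same filter, keeping the reverse name when there is one: "ip<TAB>name".
open_dns_hosts_with_names() {
    awk '/^Host:/ && /[[:space:]]53\/open\//{
        name = $3; gsub(/[()]/, "", name)
        out = $2
        if (name != "") out = out "\t" name
        print out
    }' | sort -u
}

printf '%s\n' "$NMAP_GREPABLE" | open_dns_hosts_with_names
```

In practice the function replaces the grep and sort stages of the page's pipeline: nmap -p 53 --open -Pn -oG - 10.0.5.0/24 | open_dns_hosts > dns-servers2.txt.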


Deliverable #6 Script:

for i in {1..254}; do host 10.0.5.$i 10.0.5.22 | awk '{print $1, "("$NF")"}'; done

  • This one-liner iterates over 10.0.5.1 through 10.0.5.254, runs a reverse (PTR) lookup for each address with the host command against the DNS server at 10.0.5.22, and prints the first and last field of every line host emits. For an address with a PTR record that is the in-addr.arpa name followed by the pointed-to hostname in parentheses, e.g. "22.5.0.10.in-addr.arpa (ns1.example.com.)" (hostname made up), rather than "hostname (IP address)". Because host prints a "Using domain server:" preamble whenever a server is given on the command line, those preamble lines pass through awk as well, and an address with no PTR record comes out as "Host (3(NXDOMAIN))". Restricting awk to lines matching /domain name pointer/ removes that noise.
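An added example, not the page's own code, that turns the output of repeated host reverse lookups into the "hostname (IP)" lines the one-liner was aiming for, and accounts for addresses with no PTR record. The transcript it parses is constructed to match the format host prints when a server is given on the command line; the names and addresses are made up.

```bash
#!/usr/bin/env bash
# Added example: format `host <ip> <server>` reverse-lookup output as
# "hostname (IP)", one line per address that was looked up.

# Constructed transcript of three lookups against 10.0.5.22 (not real data).
# Each lookup prints a "Using domain server:" preamble; a missing PTR record
# shows up as a "not found" line.
HOST_OUTPUT='Using domain server:
Name: 10.0.5.22
Address: 10.0.5.22#53
Aliases: 

22.5.0.10.in-addr.arpa domain name pointer ns1.example.com.
Using domain server:
Name: 10.0.5.22
Address: 10.0.5.22#53
Aliases: 

Host 3.5.0.10.in-addr.arpa not found: 3(NXDOMAIN)
Using domain server:
Name: 10.0.5.22
Address: 10.0.5.22#53
Aliases: 

40.5.0.10.in-addr.arpa domain name pointer www.example.com.'

# Rebuild the forward address from the reverse name (22.5.0.10.in-addr.arpa
# -> 10.0.5.22) and print "name (ip)". Unresolved addresses are reported
# explicitly so the sweep still accounts for every host it touched; the
# preamble lines match neither pattern and are dropped.
ptr_table() {
    awk '
    function reverse_ip(arpa,   o) {
        split(arpa, o, ".")
        return o[4] "." o[3] "." o[2] "." o[1]
    }
    /domain name pointer/ {
        name = $NF; sub(/\.$/, "", name)   # drop the trailing root dot
        print name " (" reverse_ip($1) ")"
    }
    /^Host .* not found/ {
        print "<no PTR> (" reverse_ip($2) ")"
    }'
}

printf '%s\n' "$HOST_OUTPUT" | ptr_table
```

To use it with the sweep from the page, feed the whole loop through the function once instead of piping each lookup separately: for i in {1..254}; do host 10.0.5.$i 10.0.5.22; done | ptr_table.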

Deliverable #7 Script and Output:

awk '{
    # Field 5 is either an IPv4 address or a name; each kind goes into its own array
    if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ips[++ip_count] = $5;
    else domains[++domain_count] = $5;
  }
  END {
    # Print the two arrays side by side by index: the pairing is positional,
    # not an actual IP-to-name mapping, and the header line is sorted in
    # with the data by the sort that follows
    printf("IP\tDomain\n");
    for (i = 1; i <= (ip_count > domain_count ? ip_count : domain_count); i++) {
      printf("%s\t%s\n", ips[i], domains[i]);
    }
  }' zt.txt | sort


  • The results are not pretty, but you can make some sense of them.
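An added example, not the page's code, that builds the IP-to-name table directly from each record's own fields instead of pairing two independent arrays by index as the awk above does. It assumes zt.txt holds dig AXFR output, which the page does not state; the zone below is constructed and the names and addresses in it are made up.

```bash
#!/usr/bin/env bash
# Added example: an IP -> name table from a zone transfer dump. In dig AXFR
# output each record line is "name TTL IN TYPE RDATA", so the name ($1) and
# the address ($5) are already on the same line.

# Constructed zone in dig axfr format (assumption: this is what zt.txt holds).
ZONE='; <<>> DiG 9.18.1 <<>> axfr example.com @10.0.5.22
;; global options: +cmd
example.com.		3600	IN	SOA	ns1.example.com. admin.example.com. 2024010101 3600 900 604800 86400
example.com.		3600	IN	NS	ns1.example.com.
ns1.example.com.	3600	IN	A	10.0.5.22
www.example.com.	3600	IN	A	10.0.5.40
mail.example.com.	3600	IN	A	10.0.5.41
ftp.example.com.	3600	IN	CNAME	www.example.com.
example.com.		3600	IN	SOA	ns1.example.com. admin.example.com. 2024010101 3600 900 604800 86400
;; Query time: 2 msec
;; SERVER: 10.0.5.22#53(10.0.5.22) (TCP)
;; XFR size: 7 records (messages 1, bytes 230)'

# Emit "IP<TAB>name" for every address record. Comment (;) lines, blank lines
# and other record types are skipped on the record type in $4, not on what
# $5 happens to look like, so SOA/NS names never end up in the table.
axfr_hosts() {
    awk '$1 !~ /^;/ && NF >= 5 && $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
        name = $1; sub(/\.$/, "", name)   # strip the trailing root dot
        print $5 "\t" name
    }' | LC_ALL=C sort -u
}

# Aliases are worth listing too: a CNAME target is usually a host in the table.
axfr_aliases() {
    awk '$1 !~ /^;/ && NF >= 5 && $4 == "CNAME" {
        a = $1; t = $5; sub(/\.$/, "", a); sub(/\.$/, "", t)
        print a "\t-> " t
    }'
}

# Print the header after sorting the body, so it stays on top.
{ printf 'IP\tDomain\n'; printf '%s\n' "$ZONE" | axfr_hosts; }
printf '%s\n' "$ZONE" | axfr_aliases
```

With a real dump the call is simply axfr_hosts < zt.txt; the header is printed outside the sort so it is not shuffled into the data.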

Reflection:

  • Overall I believe I have a pretty good grasp of the scripting needed for this lab. In the future I'd like to spend more time working on formatting and continuing the trend of making one-liners as I have in class. Whilst PowerShell scripts that you can save definitely have their advantages, I think the ability for me to condense my work into one-liners is absolutely indispensable for rapid-fire scripting.