DNS ENUMERATION AND ZONE TRANSFER WITH NSLOOKUP, HOST, DNSRECON, DNSENUM, FIERCE AND NSE
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGcGyv4aT9NWFVPdKYubkXe85KksVSgsyMPZT6RW1UDPy5fx5kLJjOgaf-XG_G2XWG2K2OluvH_dzXxvkVVd8BueNqL8HjFGnQWMjNr9QbS2y-K6kyTLtpLdtoiTMpSxia4nEY_SAB4ICy/s1600/screenshot.39.jpg)
1 - Introduction
- DNS servers are some of the best sources for gathering information about a domain or an organization.
- An authoritative DNS server holds the name and mail records for its domain and decides what is returned when public queries arrive from the Internet.
- Because of the abundant and interesting information held by DNS servers, DNS enumeration is one of the most critical steps when gathering information about a target.
- DNS Zone Transfer, also known by the DNS query type that triggers it, AXFR, is a type of DNS transaction.
- DNS Zone Transfer is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
- A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.
- The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server.
- The portion of the database containing the list of all DNS names is the zone file.
- The data contained in a DNS zone may be sensitive from an operational security aspect.
- This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.
https://en.wikipedia.org/wiki/DNS_zone_transfer
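The introduction describes a zone transfer as a TCP DNS transaction triggered by the AXFR query type. The following Python example, added here and not part of the original post, shows what that request looks like on the wire and how a defender can recognise it in captured TCP payloads: it encodes a DNS question for the megacorpone.com domain used in this exercise, frames it with the two-byte length prefix DNS uses over TCP, and parses the first question back out so the record type (A, NS, MX, ANY, AXFR) can be labelled. The type numbers come from RFC 1035 and RFC 5936; the `build_tcp_query`, `parse_tcp_query` and `classify_query` names are this example's own.

```python
import struct

# Record types used in this exercise (values from RFC 1035 / RFC 5936).
QTYPES = {"A": 1, "NS": 2, "MX": 15, "AXFR": 252, "ANY": 255}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}
QCLASS_IN = 1


def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset `off`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer to a name seen earlier
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_tcp_query(name, qtype, txid=0x1234):
    """Build a DNS query as carried over TCP: 2-byte length prefix + message."""
    # Header: ID, flags (standard query), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def parse_tcp_query(payload):
    """Parse the first question of a TCP-framed DNS message; None if malformed."""
    if len(payload) < 2:
        return None
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) < 12:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        return None
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "is_response": bool(flags & 0x8000)}


def classify_query(payload):
    """Label the query type of a request; unknown types come back as TYPEnnn."""
    q = parse_tcp_query(payload)
    if q is None or q["is_response"]:
        return None
    return QTYPE_NAMES.get(q["qtype"], "TYPE%d" % q["qtype"])


def is_zone_transfer_request(payload):
    """True when the TCP payload is an AXFR request, the event worth alerting on."""
    return classify_query(payload) == "AXFR"


if __name__ == "__main__":
    axfr = build_tcp_query("megacorpone.com", QTYPES["AXFR"])
    print(axfr.hex())
    print(parse_tcp_query(axfr), classify_query(axfr))
```

On an authoritative server that only replicates to known secondaries, an AXFR request arriving over TCP from any other source is a clear signal in packet captures or query logs; the page's later sections show exactly that request being issued by host, dnsrecon, dnsenum, fierce and the NSE script.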
2 - nslookup
- nslookup is a popular tool that queries DNS for a domain's name servers and mail servers:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm0U953zOxAT4_h0jzBja7jU9FrIQfec3Ony8Nh7_nSSFNw6q6mFkEeI3ZSL8Jm_R1vPC4qlXGemHL48dOyPsQ_nWIHtYzZd2HDm-kTAqNq_VZ9HWP_FEIk4j0S2hYRWRaIfGNrOGhM-zZ/s400/screenshot.32.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX-2bm8Mmjqk2-bnSm5GZT75u8cQiqya2oPnpow0dclfl1yo3syGiRSGsQQ-y3GtYuE-PKHzEYIqXHsum6eQ9PwBfVQ2fRKT5x1-b73GXZjB64fj4Srr6yxD_ZN0_X7Eokyw-HxgwvAumT/s1600/screenshot.33.jpg)
- Applying the NS query option for name servers:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj892a6CX5nrTu_3NgKAXF3mAiOEKOhBPuEalzm4pShOJ32oSJJTNyH9SVqubH86q_xLPm7vFEF4bGB6Nx4FX7jS3CN2_0oRjlNgyO2IeI3nR1x4TCnqOH9jQw58sQ8A9eHZkGXnVTfu0EA/s1600/screenshot.30.jpg)
- Applying the MX query option for mail servers:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifja2kwIuZ2CAp1d79sd4PIaWJ5zr3Ts4cNgWezRRJa5OK8pGZieoHGJTNocPczeheWUZUNCwezmW7Pfsy6WlA5wF1UOutpkccAQFuHAo0ydroAgqGZ2cstg8-vTzFryRecRqLAreyOLSU/s1600/screenshot.31.jpg)
- Applying the ANY query option for both name and mail servers:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhziIpkJe3rCV1GsRQ8c8l2huRY5qXvDDyZqoXy7LcvQ1gi9KL-bZot4o6R8y8UXhE4Y0zRBNI70Fgb7rx-ID_5i27h3RtyRWYOv7-bqD1VjsvX0H-9UKCdXv_ymfKzvZzzLUk86PRYkNwk/s1600/screenshot.34.jpg)
3 - host
- host is a Linux command that performs powerful DNS lookups given a domain name:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBZDZfPfBVVqEVlBs4Y2D2UCB2JdLc4sM6Dq9RyDIZ3At6hFhWrFOsp4GzsOs5mfrHfjcwuJPND4Iku8zfwBTi7JEMkywGWD9z88WpIqWvDDsvhAnVEzIMlhNCXR6IIJubGSesHK4r9DlF/s400/screenshot.2.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK1ZotRzJOJU71kcnkQSJjmNwu0gY0mTz8lpOu66pMW254bSYpEw2RlNkxvgabHaEinN7VCyHNAATLBEBaKDXkBTNTJH_F7g8cWQcKZCPqjOWWV0n08vwgYraUZ6rP0nCAyDGG2N4xpOxH/s1600/screenshot.1.jpg)
- Run without any parameters, host prints its usage help:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyGC2DKSyuGrlneXIh6E1q1BSTJIdSQt3aYIW18DqDIyH2T1bqdXG7BmesQuPIZnUkfGyCWBpVaR_N5xFxXGtTqSP3QiOt2W6SP3uvtXhTMqxSOKlpMS_kv5zcBc8Lu77p7Y0uBGCSzQhJ/s1600/screenshot.3.jpg)
- Looking for name servers (-t type ns):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSR0fLFHDxkSoqAik3SZ8Lolo1ar1WXAtaOCBpqsOaUgZQ41ubXp_epoVV9GZ79GAFE9qSWMEL8hBpQn9eGQ8e3Sn019E72YkkX2NjeC6DfwdzEX5P1HMGatGAEfGtMdKb-n-ahpvRNlSc/s1600/screenshot.4.jpg)
- Looking for email servers (-t type mx):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyknUyN_5BKV_Ap0gyEdYCPVhnNgUA1-TCGLpUNrL6CgdQUE0db34SSnNhztJBBNVYlr8w6bV83Tc1Av5mSL6DG_u9HRt5_t3pijpnCWA4HIwVtoptzcXFOf_iFLUg36zw7ZWpDU5qOi7P/s1600/screenshot.5.jpg)
- Looking for web servers (-t type www):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZLIeR_1tyi6Ys2u4tw9KsO7v5OTk4VDd6oNHNAnVe3U_MiSCAdVNhzvJJpO0gvcED9cBOaW5GUU-YrPRYwGb11jSBU2LpC3VrsU9lZFiIxfz9BYqvIpnDpfNMHprz5P0SGBIDvhNMcfW0/s1600/screenshot.6.jpg)
4 - DNS Zone Transfer with host
- Now, let's use host for a slightly more complicated task: a DNS Zone Transfer.
- First, let's try with the previously enumerated ns1 name server. The zone transfer fails:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhic9FxzCNb8q5VojkVGKF5zLN1vIgwOht69MLNBpq2Ob0EEaaJrUVk5F6vxHFvzrxWP6_qxtJ3LY6a2Fm4gYzmfZbwu-_l2p4shu3Doo_3B8xDb7M-c1Y5bMAAVdEBwpAYeXW_IOIdAeKc/s1600/screenshot.7.jpg)
- However, the zone transfer with ns2 is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtZ95FZNau7IKGQIsNzgbDMP6G99CpiVJeefr9e0FaXUDwVi68mz5ns4z1ZAdt9o8VWnKzP2zevYd-3o1kx7lcuw4bb64xIL56Xp4wJBRoVARCuYXufaK5z1sYJJx33rAfoOqcHZMr2U7V/s1600/screenshot.8.jpg)
- Finally the zone transfer with ns3 also fails:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4IgzscihLuxKs2AxLKZa-tXk5ZB7yd-zoywGKMAKIbWlKd7Gfc-7Nw5Ljn3ycynBqpN79d-HN1i-JavtWTPenBze6Afj_ZBDcmpftxq2N9kwv7SdQS02m1-vorkEjs_SwdUZO2ixQi00w/s1600/screenshot.9.jpg)
- The result of the successful DNS Zone Transfer with ns2 is a full dump of the zone file for the whole domain, providing us a list of IPs and their corresponding DNS names.
- Let's try entering some of the IPs obtained from the DNS Zone Transfer into a browser:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI68kuCI2rWvYsRJmRQDbSGCoYCK3AomFyPGHwPRHC-F0KcvukihVf0_0kzqfZIaZ4B4sUzH40YP-9BLq4tUO2clOXClbH5OuZSqYmxcXITHqI8r0x0FjnI8Gm-4V3Ap3CUsfir1dkNC7U/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOOHnbYaFA2OFjEtS2WdK8g0NyNPMOJ_eld_8VyYpCTiiKe4dtCFv7yCD-gOvn24N8Be3LWpZkrGBde0sQsGqiclFgfN_FpJRyoemztXGNPd-PzEdgyVziCa3vd1tuYIztehwgqqwo3ix8/s1600/screenshot.10.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW6lZ5MEp6XBADcgAzqKSNUGJuh0Ug5wzN-JMFSyK8yZ2njqUWw7EZFmJOE4ozUq1-r_-Pwts8WQMofLXzIGslVb5lyAT9dP18UgZoXbI3ntDiuQbhOEhx7haGHme_xzIeRAjemYvlOg5S/s1600/screenshot.26.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqG2n0-FzS6JiyvdHmyNQRQ4NhBULFPOosjHqhcR2JDVjveyXXoZn1EVj0NRfCIS3877oq0WkUHGz5Ee7Ne0LOKSFCv7l4DIIxV94JogOALZeY3r5L_qA9lXgWL9PouCX7dztPzWdcdNB0/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyU-g099F9D_6CF8WnRm1JYngn-MG87w3rXtzcbcPHaTbcYSdo8WxctZZwC5HXV0GXVVz6tir6oMiEXUMYQgz51aQUL3qspqPvNkzOcyjHCgMDINldKabJr9fblTCjmCmFsBEnwjiWJBR_/s1600/screenshot.27.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsxqBGbzeg0Lu4TnYnOJhTXj8EOQYu7MD4LD1WcQ-soFyzIP2E32_0TdLcildQnaWt0SPt-ZXGfEtOXKD0HKdd4XRJp8oDF0OVNTxagNGEYHlZzTGnXktNzGsMfFtTDj2RS9MrP7j9eLTh/s1600/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1cY6RNhgaCzPH9mz6Kabv_TQOljAlBISppiA8Kq8rI4BrfyyrhsMam3MB5Lu5y6r-D4Vp2aO8mJFHPvf4SoO2h9ORgnq8IGgHYQ2cKPOOA6GiQGFlI_UrOVNFIYUp4o0ShiGPAufzLCoi/s1600/screenshot.28.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiMlAZHlGvfOG1HA0omvDvFMmgbuO5P5kgZT-nNhu9mUZ_zc1Oj6ObskRKRLHHucwxObfYdZEd-tTEnLGkcZ-7M5YfV021U4lpQXmqmIZ0mVKbMV7nIgJAzW_h1-4Xbaj_pkq8jF4lSRpy/s1600/screenshot.13.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW0saS4hiEiVBXsn2D6tu-PlSaQejBcCtr-ckAYhauyQFrJJifC5buGZuRN33sYyHIVZtkPB7e7DT493oVbvxopbd0LNGqYcvedutzAPTxT1aCmJe7ENVmWsQxDe-Tmm4QadIvIUmhpssq/s1600/screenshot.29.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFlgxsZeV_ma88Bl5aAt0g169TBsZhKDwy0jMMRjIZZYPTdnce-HxWu4fwrdfo8E-aXceW8glErvDtYxPsg1Rew9gaOQjRaF-fDCOpRacFfdDL1xADOvrbCDMhOOkVciYKghWbWlLCA6_Y/s1600/screenshot.14.jpg)
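The section above shows that one of three name servers (ns2) hands out the whole zone while the other two refuse. The Python example below, added here and not taken from the original post, turns that manual check into a self-audit an administrator can run against their own zone: it parses the text `host -l <domain> <nameserver>` prints, classifies each server as allowing or refusing the transfer, and reviews a successful dump for records that should never be in a public zone (RFC 1918 addresses pointing at internal hosts). The sample outputs, the domain example.test and every address in them are constructed for this example; the real runner shells out to the host utility and needs network access, while the test feeds the constructed samples through an injected runner.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `host -l` output when the server permits the transfer
# (names and addresses invented; not the exercise's real zone data).
SAMPLE_TRANSFER_OK = """\
Using domain server:
Name: ns2.example.test
Address: 203.0.113.2#53
Aliases:

example.test name server ns1.example.test.
example.test name server ns2.example.test.
example.test mail is handled by 10 mail.example.test.
www.example.test has address 203.0.113.10
mail.example.test has address 203.0.113.20
intranet.example.test has address 10.10.5.4
backup-db.example.test has address 192.168.40.9
ns2.example.test has address 203.0.113.2
"""

# Constructed sample of the refusal case; the "; Transfer failed." line is the
# message host prints when the server does not allow AXFR.
SAMPLE_TRANSFER_REFUSED = """\
Using domain server:
Name: ns1.example.test
Address: 203.0.113.1#53
Aliases:

; Transfer failed.
"""

RECORD_RE = re.compile(
    r"^(?P<name>\S+) (?:has address (?P<a>\S+)"
    r"|name server (?P<ns>\S+)"
    r"|mail is handled by (?P<pref>\d+) (?P<mx>\S+))$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_host_l(text):
    """Turn `host -l` output into (name, type, value) tuples; ignores chatter."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").rstrip(".")
        if m.group("a"):
            records.append((name, "A", m.group("a")))
        elif m.group("ns"):
            records.append((name, "NS", m.group("ns").rstrip(".")))
        else:
            records.append((name, "MX", m.group("mx").rstrip(".")))
    return records


def transfer_status(text):
    """'refused' on host's failure message, 'allowed' when records came back."""
    if "Transfer failed" in text:
        return "refused"
    return "allowed" if parse_host_l(text) else "unknown"


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def review_exposure(records):
    """Summarise what a leaked zone reveals; internal addresses are the red flag."""
    a_records = [(n, v) for n, t, v in records if t == "A"]
    return {
        "hosts": len(a_records),
        "internal": [(n, v) for n, v in a_records if is_rfc1918(v)],
        "name_servers": sorted(v for _, t, v in records if t == "NS"),
        "mail_servers": sorted(v for _, t, v in records if t == "MX"),
    }


def run_host_l(domain, nameserver):
    """Real runner: invoke the host utility (needs network and the host binary)."""
    proc = subprocess.run(["host", "-l", domain, nameserver],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def audit_zone_transfer(domain, nameservers, runner=run_host_l):
    """Check every authoritative server of your own zone; returns {ns: status}."""
    return {ns: transfer_status(runner(domain, ns)) for ns in nameservers}


if __name__ == "__main__":
    # Offline demonstration using the constructed samples above.
    fake = {"ns1.example.test": SAMPLE_TRANSFER_REFUSED,
            "ns2.example.test": SAMPLE_TRANSFER_OK}
    print(audit_zone_transfer("example.test", list(fake), runner=lambda d, ns: fake[ns]))
    print(review_exposure(parse_host_l(SAMPLE_TRANSFER_OK)))
```

Any server reported as "allowed" that is not a designated secondary should have transfers restricted in its configuration (in BIND, the allow-transfer option) so that only the replication partners can pull the zone; the exposure summary is the list of what an outsider already learned in the meantime.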
5 - dnsrecon
- dnsrecon is an automated tool, a Python script, that can be used for DNS enumeration.
https://tools.kali.org/information-gathering/dnsrecon
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5EPgx3j2x_A7KRcI_pyWv7jZWgAjUcePXbirELAE90pv61ZQiwFelO_vfN8iBbWr1BrJdWzNgyr4bBRjpmneAp4e6BN47zIRtMHmYT6IRhKVaQCarQsZKiABBAvuEbVW6s179G1_3h1jc/s400/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG3FSJ1l2OYoIRnL7k_jCaZ9zp_35eE_nMArc2u2LNRcNRoFgYvjsRGKURlAvBvil5r17-16gCfSYtShdF0eK9f5bu8KOQs8gTQ1rQ3DX_LEbmIprK3VZygWtirXzsGkBu045vWMHbM3Zr/s1600/screenshot.19.jpg)
- Let's check that the information provided by dnsrecon is the same as obtained before.
- First, dnsrecon detects the DNS servers ns1, ns2 and ns3:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPPZ80Ikbpz4VYi-bAxKyCvZ-oaF5HnOH_QRH2lhyphenhyphen89x4vDiLdT_Bf4QXHM5XPe0B8ePWkeTTdz2qCxD8fvDIpumA_sGFzvzpziJ2g5CKOsoTxTaD04O6Kh4HzB7MvcmpZ02-2DJ6de6ja/s1600/screenshot.15.jpg)
- Then, dnsrecon attempts a DNS zone transfer with ns2, which succeeds:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkMq9RDQOyugP88qgpP1AIoB27FZnV5isyRM2lBEE9TWyUeKM1rAQ8hysfB_UNtpyXXALxW1I14k8dXBZj-Ow9eK8II2mTVDwdOpW8emTe23dfN2Bs1s22rg9e3zEK8mKjE__tNLOGPkBw/s1600/screenshot.16.jpg)
- dnsrecon also tries a DNS zone transfer with ns1 and ns3, with no result:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB-tK2WSssHims2F29UhydxjbOQ_WquF-FjMRSyhvnzwzU7_wqhGCnrmiM1ImAni6XkledemTmab6fYYPHw426HTqv8jKAu-DkYkfVHm7u31Rt9nDqL09Zf8pqWPXPVZ0kkk2T9pedWQRF/s1600/screenshot.24.jpg)
6 - dnsenum
- dnsenum is a multithreaded Perl script to enumerate DNS information of a domain.
https://tools.kali.org/information-gathering/dnsenum
- The output obtained with dnsenum is the same as before:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvkLqMwPKo9039wWBBdBhPkCCENRfWmG69rFQFULMTf-TBOTiJhhPi6vTSmySe3ghRe0UMTDVGq-N0-nrDSCHgJYHANXKzgZLsPcbx5bR99ZXYoajaF01ghcpeKz9M_qINGcc74S3kI-sG/s1600/screenshot.21.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS3p2fDnTqfcRNiu9QdSERz7PCrO0xlIVAGW-grse6Gi0AcLqOUKdKQ8j33J4hyphenhyphenSA7Pftr-qoW1B1EusRDtFUFE6PyatD_91c0UqT4pWT3rmXcNJwxxK2rjF1VY6KZZspk9o_aax47j7Fa/s1600/screenshot.22.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsAuIGgvD-Qt0XOmQQLQspPo4vHSENMlokG-hepqBsTI62ap9eBSzdJFFSohehcB0NUU3z_HQOuYtNp5FtrCdUw6PSnpUFq8rxF5fz1m6UhCsJRWO5QUDpjcjdfuW9WS72VTDbUmoIvJ22/s1600/screenshot.23.jpg)
7 - fierce
- fierce is a Perl-based script for DNS enumeration. The results obtained with fierce are very similar to the previous ones:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyKIHOY2RvZXNKi8gXsdPFrd_FnyzmgFNbs-mVpfwokACqRSbImkQss_FZiqaOIbXN0uk_lGfiy6CwUg-3LCBrydRr9pUsRk9CZPriXSCpevBfZACwq10X5HL5HQCKn7rKMNrA5X6VaFHO/s1600/screenshot.35.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij_AUo9OrKGlq7UWF1Tu1LfSgMOmeRs64mD7bco6KVbzJ5GvQ2V8A2OE8uTouqggzMaKTX1nFKZEUA-ZDch8KaKW8h6oCBAaFFfch26JOPSNEvx76b3Sx_JxtcRcKoItSybD5-LA9zGOqv/s1600/screenshot.36.jpg)
8 - Nmap Scripting Engine (NSE)
- Nmap Scripting Engine (NSE) is an addition to Nmap which provides users with scripts to automate several tasks:
https://nmap.org/book/nse.html
- The NSE dns-zone-transfer script provides the same output as before:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh800QiZ8QRYxU88kwV8H2cExWNm2QdSDfwvuM1ucLynIxMkWlZl3r7uj6qgZnsFYSndBY8z6Ui8yt4e6mnRnCqVH8xepZM8gt0wMFL0N63gME2HHKlvRwA7Ck0iRx7nOC2bl5sITMnbcl/s1600/screenshot.1.jpg)
- The NSE dns-brute.nse script gives a more limited result, since it only finds a list of common subdomains:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSzYSRC72MXwMoI9ghX-KXNuYa4btTfkGRfqYsttYqMdcFDfzUHBR-65W9Z7wy9zInwlRPzhIqkwjh0iTKAd4eXRdInbPkK1PnFIINnD0jbCtNciphqqRYktGpX2reuw3Q08mSg28NR0YK/s1600/screenshot.2.jpg)
9 - whois
- whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
- Looking for the domain megacorpone.com:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_fHdPtrs_he1IFQC6Xz4Qlg6CQiRuX0KxUfmTiTT9Sg50Nqf4MsPTUX8qbSyUzix0c5q6SuksM_QP3rmptIlo71Ssipt2Jgp5w4TruItDFm28bAG04bYFrkLU2DDbqEUnfhvGmkahGOf1/s400/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhUQglWtBnwpt8-QjN4gw2U_nPnISA5xto1B6M52SP7g1IY-6W-a1bzNErRpw_o_DiP-_-fmBWBoleyXO9vSQzMJV53perKjJbtS1uEO3zOimJ-hodw0JOlI8wH84h0oZ7wgj4Z1ZZkg-/s1600/screenshot.7.jpg)