During the Information Gathering phase, DNS enumeration is one of the most critical steps. When we mention DNS enumeration, we are referenced to all the techniques we use to gather as much information as possible by querying the DNS server of a website or host. These steps will be analyzed in this article. We will use both automatic and manual techniques to achieve our goal, and we will see their differences. Essentially what we will see in this article is:
- Nslookup and dig tools
- Zone Transfer attack with dig
- Fierce, DNSenum and DNSrecon
- Finding subdomains by using Search Engines
As you can see from the contents, we are going to cover, a complete understanding of the DNS Protocol is required. Here are some useful links you can start with:
Nslookup, dig, host
Most commonly, the first attempt to gain DNS information is made by using one of these three tools. Personally, I use both Nslookup and Dig. Let’s see how to use them to perform DNS queries successfully. For the following lines, I will be using my website, http://nikosdano.com as the DNS enumeration “target.” Feel free to use it for your DNS enumeration tests but please, do not brute force for subdomains or try any other attacks as this may harm my personal website.
Let’s begin with nslookup, one of the oldest – yet awesome – DNS querying tools. One of the first commands we can run is: $nslookup nikosdano.com
TIP 1: Never run Kali or any other machine under root privileges if there is no reason to do so. During a penetration test, you may need to run tools such as Wireshark that are not recommended to run as root.
WARNING 1: I have seen many people querying for: www.website.com. This is not correct as you will query the www subdomain. For instance, if a website is hosted under 18.104.22.168 (like nikosdano.com), the mail or www subdomain might be hosted on a different server and thus, on a different IP.
As you can see, that was the default nslookup usage. As no extra parameters were given, nslookup will just resolve the domain name to an IP. During DNS enumeration, though, we want to find other records too such as Nameserver (NS), Mail Exchanger (MX), Start Of Authority(SOA), TXT and others.
The main way to query those records is by using the following syntax:
$ nslookup -query=<record type>
Where <record type> is the DNS Record you would like to query. Here are some examples:
Of course, we can also use the ANY record to get as much information as possible.
We can also use nslookup differently. What we can do is to enter the “nslookup” interactive shell by simply typing “nslookup.” From there, we can execute our queries by using the “set q” parameter followed by the domain we would like to query. Here are some examples:
Let’s now move to another DNS lookup tool, Dig. Dig, as nslookup, is one of the most commonly used tools during the Information Gathering phase. It is used to execute DNS queries. On its most basic syntax we can simply run the following command:
$ dig nikosdano.com
As you can see the default query record is “A.” Moreover, you can see several other information that may make the output more difficult to read. To simplify the output, we will be using those extra parameters on the following commands:
- +nocmd – Removes the +cmd options output
- +noall – Removes extra headers, flags, time information, message size, etc.
- +answer – Tells dig to return the answer section (the “juicy” part of the output).
To specify the record we would like to query, we just have to add the record type right after the domain specification. Here is a basic syntax we will use:
dig +nocmd nikosdano.com <record> +noall +answer
Here are some examples:
In case this photo is not clear enough, here is one with the full resolution: Photo
Zone Transfer attack with dig
Let’s now see how we can perform one of the most common DNS attacks occurred by misconfigured DNS servers. It is unlucky to see this bug nowadays, but it is worth to mention it. If you are not familiar with Zone Transfer attacks, please have a look at the following links before moving on:
For this example, we will use a – on purpose – misconfigured server. zonetransfer.me has been set up for this purpose. What we need first to know is the Name Server(s) of zonetrasfer.me. By running: $ dig zonetransfer.me NS we can see that there are two available Name Servers. The first is: nsztm1.digi.ninja and the second is: nsztm2.digi.ninja.
Here is the command syntax to attempt a Zone Transfer attack with dig: $ dig axfr @<nameserver> target
So, in our case that we have two Name Servers available, we will use these commands:
- dig +nocmd axfr @nsztm1.digi.ninja zonetransfer.me +noall +answer
- dig +nocmd axfr @nsztm2.digi.ninja zonetransfer.me +noall +answer
As you can see from the output, we are able to see all the information leaked.
Fierce, DNSenum and DNSrecon
Let’s now see how we can automate the previous enumeration techniques. The first tool we will explore is Fierce. Fierce combines several techniques to return as much information as possible. To view its help menu run: $ fierce -h . On its default scan, it will:
- Find out the available Name Servers,
- Try to perform a Zone Transfer attack and finally
- Find the subnets available
- Use a built-in or custom wordlist to brute force subdomains available.
To run the default scan against nikosdano.com run: $ fierce -dns nikosdano.com
Of course, we can specify the DNS server we would like to use for our reverse lookups. To do this, an extra parameter “-dnsserver” is required. So, if we choose to use dns2.registrar-servers.com we can run: $ fierce -dns nikosdano.com -dnsserver dns2.registrar-servers.com
Fierce uses a default wordlist for its tests. We can always specify our own wordlist by using the “-wordlist” parameter. Here is an example: fierce -dns nikosdano.com -wordlist wordlist.txt.
Dnsenum is one of the author’s favorite tool during the DNS Enumeration steps. With a single command, we are able to query several DNS Records (A, MX, NS and more) and also attempt a zone transfer attack, a subdomain enumeration and more. The default command syntax looks like this: $ dnsenum nikosdano.com
From the image, you can see that all the A, NS, and MX records were returned. Moreover, we are able to see the IP of each server returned.
Again, we are able to specify a default DNS server by using the “–dnsserver” option. Moreover, we can specify a wordlist with the “–file” parameter. A good wordlist you may find useful is the following: Subbrute – Names.txt. Keep in mind though that there are also other tools, explicitly designed for Subdomain enumeration like Subbrute and dnsmap.
DNSrecon is one of the most powerful tools you can use while performing DNS enumeration. It’s very simple usage, and the numerous tests it performs will result in a very detailed and informative output. With this tool, we are able to
- Query all the available DNS records
- Brute force for subdomains A
- ttempt Zone Transfer attacks against every NS record
- Check for Wildcard resolution and more.
The default command to run is: $ dnsrecon -d nikosdano.com
Ethical Hacking Training – Resources (InfoSec)
Again, we are able to specify a Domain Server with the “-n” option. A dictionary for subdomain enumeration can be imported with the “-D” parameter.
Finding subdomains by using Search Engines
Another very popular and accurate way to find subdomains is by using search engines like Google, Bing and more. For this example, I will be using Google to find subdomains. We will be mainly using the so-called Google Dorks to discover them.
Before moving on, it is important to understand what Google Dorks are and how they work. You can also have a look at the Google Hacking Database and Exploit-DB: GHDB to get an idea of some popular Google Dorks. We will focus on the simplest dorks, as we are only trying to find subdomains.
Let’s suppose now that our test domain is Google. Please note that I will only use Google to find subdomains at google.com. Do not run any automatic tool against websites you do not own.
So, my first Google Dork is inurl google.com.
Here we basically tell Google to return all the results that contain “google” in the URL. As you can see though other sites, other than Google.com, were returned (like rpmseek.com). This is normal as there are many websites that contain the string “google.com” in their URL. To avoid similar problems, we can just use the “site:” dork. Here is an example: “site: google.com.”
As you can see, Google returned several results for Google.com. Among them, we can also find subdomains other than www. Some of them are cloud, gsuite and sites (not included in the screenshot). We can now perform a new search and filter out those subdomains from the result. We can do this by adding a “–” symbol before each subdomain. My query looks like this: “site: google.com -www -gsuite -cloud -sites.”
From the results, we can also see other subdomains like support, play, and productforums. Of course, this is not the fastest way to enumerate subdomains passively. Other techniques, such as using Netcraft can be used, but I strongly suggest you use Google Dorks during your penetration tests as it may reveal critical information.
If you have any questions, you are more than welcome to comment and ask them freely. I hope you enjoyed this article as much as I did.