Hacking Tutorial

Performing DNS Zone Transfers & Viewing the Results w/ Aquatone

When you find that DNS is running on a box, you may want to check if it’s vulnerable to a DNS Zone Transfer. If it is, and you’re able to successfully perform the attack, it will return a list of all subdomains available on the server — making the enumeration process that much easier.

Table of Contents:

  • Background
  • Performing the DNS Zone Transfer Attack
  • Formatting the Results
  • Viewing the Results w/ Aquatone

In this guide, we will use the Hack The Box machine named FriendZone as an example. Note: This document is not intended to be a walkthrough of the box.


At this point, we have already found the following information about the target machine.

  • DNS is running on TCP Port 53.
  • Machine located at
  • We’ve found two domain names already; friendzoneportal.red & friendzone.red

Performing the DNS Zone Transfer Attack

Let’s start by attempting a zone transfer on our first domain name with a tool called dig.

sudo dig axfr @ friendzoneportal.red

Let’s check the other domain name too.

sudo dig axfr @ friendzone.red

Comparing the results of both, looks like each returns a different list of results. Let’s rerun each command, but add >> zonetransfer to the end of the commands so that we can create a new file called zonetransfer and append the results to it.

sudo dig axfr @ friendzone.red >> zonetransfer
sudo dig axfr @ friendzoneportal.red >> zonetransfer

Formatting the Results

Let’s do some magic to strip out everything we don’t care about and output the results to a file named hosts.

cat zonetransfer | grep friendzone | grep IN | awk '{print $1}' | sed 's/\.$//g' | sort -u > hosts

Nice! The goal is to place these domain names into our /etc/hosts file, which requires each host being separated by a space rather than a new line. Let’s use vi to perform a find & replace. Open the file by running vi hosts.

While in command mode, let’s run the following commands to find all new lines, replace them with a space. :%s/\n/ /g

Press Enter to run the above command. Confirm your file looks like the screenshot below, and then run the following command to write the results to a new file named tmp. :w tmp

Run :q! to exit the file and then we can cat the contents of tmp to ensure things worked correctly.

Viewing the Results w/ Aquatone

Go ahead and copy out the contents of tmp. With those domain names in your clipboard, let’s update our /etc/hosts file.

sudo vi /etc/hosts

Add a new line to the file to include the hostnames at the IP address

Now, we want to edit our list of hosts (not the /etc/hosts file) to append http:// at the beginning of each line. There’s many ways to do this, but we’ll use a vi macro to speed up the process for us. Go ahead and run the command vi hosts to open the file in command mode.

Press qa to start recording a macro. You should be able to see the footer change to recording @a.

We’ll still be in command mode, so we want to press i to enter insert mode.

Then, we can type http:// to the first line. Press the Down Arrow key, and then press the Home key. If you do this correctly, you’ll be taken to the 2nd line where you want the http:// text to show up.

We’re done recording our macro, so press the Esc key to exit insert mode and go back to command mode, and then press q to stop recording the macro. The footer showing recording @a should no longer be present.

With our macro recorded, let’s run it by pressing @a within command mode.

So that ran it once, but we have seven additional lines to run it on. Let’s type 7@a to run it seven times.

Nice! Now let’s run :wq to write our changes and quit, and then cat the file to review the results.

Now we have a list of all the websites we want to view! Luckily there is a tool that can go out to each of these websites for us, let us know if the page is active, and even take a screenshot of it so we don’t have to open each one manually. This tool is called Aquatone, and you can find the precompiled binary from GitHub.

One you have the binary download, extracted, and on your system, you may want to move it to /bin so that you can execute it from anywhere.

With Aquatone on our system, let’s make a new directory to store our loot, move our hosts file (containing our targets) into, change into it ourselves, and then run the tool.

mkdir aquatone
mv hosts aquatone/
cd aquatone/
cat hosts | aquatone

The output of the command shows us which domains return pages, and which ones don’t — but the real beauty of this tool is in the generated html file. Let’s open up the report and see what we can find.

firefox aquatone_report.html

Here we can easily see which pages are live and even get a sneak peak into what they’re running to know which ones we may be interested in.

One thought on “Performing DNS Zone Transfers & Viewing the Results w/ Aquatone

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s