Enumeration Cheatsheets

Enumerating DNS (Port 53)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses.

Enumerating Hostname of Server

Run the following commands to see if you can make the server leak its own hostname.

server <targetIP>


Using DNSRecon to enumerate hostnames within the subnet.

We can use dnsrecon to attempt a “brute-force” attack by querying IP addresses for associated reverse lookup records.

-n : Will be the nameserver to use.
-r : Will be the network “range” that you want to lookup records for.
--db : Will save the found records to a SQLite DB file.

dnsrecon -n <ipAddr> -r <subnet> --db target.db

If you are unsure of any information, or even what network(s) to perform the lookup for, you can create a bash script that contains multiple commands. For example, we could create enumdns.sh that contains the following:

dnsrecon -n -r --db target.db
dnsrecon -n -r --db target.db
dnsrecon -n -r --db target.db

Running this script will enumerate all possible internal IPs for associated hostname records.

Performing Zone Transfers.

Please see my guide on performing zone transfers.
Performing DNS Zone Transfers & Viewing the Results w/ Aquatone

Additional Enumeration Techniques

Update your /etc/resolv.conf file so that you use the target as a DNS server. See what hostnames you can enumerate.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s