Enumeration Cheatsheets

Enumerating DNS (Port 53)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses.

Enumerating Hostname of Server

Run the following commands to see if you can make the server leak its own hostname.

server <targetIP>


Note: It’s probably worth enumerating other live hosts on the network to confirm the domain name is the same.

Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also drop into nslookup with no parameters interactively.

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:

Performing DNS enumeration with Dig

To extract A records and Namerservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

Can attempt a DNS Zone transfer:
sudo dig @<targetDNSServer> <targetDomain> -t AXFR +nocookie

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/

Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNamserver>

We can also leverage a tool called DNSEnum to do something similar. It will look for the A records of the target domain, looks up the NS and MX records. Finally, it will attempt a zone transfer attack.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNamserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain>

DNSRecon is an ‘all-in-one’ tool that can do most everything.
dnsrecon -d <targetDomain>

Using DNSRecon to enumerate hostnames within local subnet.

We can use dnsrecon to attempt a “brute-force” attack by querying IP addresses for associated reverse lookup records.

-n : Will be the nameserver to use.
-r : Will be the network “range” that you want to lookup records for.
--db : Will save the found records to a SQLite DB file.

dnsrecon -n <ipAddr> -r <subnet> --db target.db

If you are unsure of any information, or even what network(s) to perform the lookup for, you can create a bash script that contains multiple commands. For example, we could create enumdns.sh that contains the following:

dnsrecon -n -r --db target.db
dnsrecon -n -r --db target.db
dnsrecon -n -r --db target.db

Running this script will enumerate all possible internal IPs for associated hostname records.

Additional Enumeration Techniques

Update your /etc/resolv.conf file so that you use the target as a DNS server. See what hostnames you can enumerate.

Hacking Tutorial

Performing DNS Zone Transfers & Viewing the Results w/ Aquatone

When you find that DNS is running on a box, you may want to check if it’s vulnerable to a DNS Zone Transfer. If it is, and you’re able to successfully perform the attack, it will return a list of all subdomains available on the server — making the enumeration process that much easier.

Table of Contents:

  • Background
  • Performing the DNS Zone Transfer Attack
  • Formatting the Results
  • Viewing the Results w/ Aquatone

In this guide, we will use the Hack The Box machine named FriendZone as an example. Note: This document is not intended to be a walkthrough of the box.


At this point, we have already found the following information about the target machine.

  • DNS is running on TCP Port 53.
  • Machine located at
  • We’ve found two domain names already; friendzoneportal.red & friendzone.red

Performing the DNS Zone Transfer Attack

Let’s start by attempting a zone transfer on our first domain name with a tool called dig.

sudo dig axfr @ friendzoneportal.red

Let’s check the other domain name too.

sudo dig axfr @ friendzone.red

Comparing the results of both, looks like each returns a different list of results. Let’s rerun each command, but add >> zonetransfer to the end of the commands so that we can create a new file called zonetransfer and append the results to it.

sudo dig axfr @ friendzone.red >> zonetransfer
sudo dig axfr @ friendzoneportal.red >> zonetransfer

Formatting the Results

Let’s do some magic to strip out everything we don’t care about and output the results to a file named hosts.

cat zonetransfer | grep friendzone | grep IN | awk '{print $1}' | sed 's/\.$//g' | sort -u > hosts

Nice! The goal is to place these domain names into our /etc/hosts file, which requires each host being separated by a space rather than a new line. Let’s use vi to perform a find & replace. Open the file by running vi hosts.

While in command mode, let’s run the following commands to find all new lines, replace them with a space. :%s/\n/ /g

Press Enter to run the above command. Confirm your file looks like the screenshot below, and then run the following command to write the results to a new file named tmp. :w tmp

Run :q! to exit the file and then we can cat the contents of tmp to ensure things worked correctly.

Viewing the Results w/ Aquatone

Go ahead and copy out the contents of tmp. With those domain names in your clipboard, let’s update our /etc/hosts file.

sudo vi /etc/hosts

Add a new line to the file to include the hostnames at the IP address

Now, we want to edit our list of hosts (not the /etc/hosts file) to append http:// at the beginning of each line. There’s many ways to do this, but we’ll use a vi macro to speed up the process for us. Go ahead and run the command vi hosts to open the file in command mode.

Press qa to start recording a macro. You should be able to see the footer change to recording @a.

We’ll still be in command mode, so we want to press i to enter insert mode.

Then, we can type http:// to the first line. Press the Down Arrow key, and then press the Home key. If you do this correctly, you’ll be taken to the 2nd line where you want the http:// text to show up.

We’re done recording our macro, so press the Esc key to exit insert mode and go back to command mode, and then press q to stop recording the macro. The footer showing recording @a should no longer be present.

With our macro recorded, let’s run it by pressing @a within command mode.

So that ran it once, but we have seven additional lines to run it on. Let’s type 7@a to run it seven times.

Nice! Now let’s run :wq to write our changes and quit, and then cat the file to review the results.

Now we have a list of all the websites we want to view! Luckily there is a tool that can go out to each of these websites for us, let us know if the page is active, and even take a screenshot of it so we don’t have to open each one manually. This tool is called Aquatone, and you can find the precompiled binary from GitHub.

One you have the binary download, extracted, and on your system, you may want to move it to /bin so that you can execute it from anywhere.

With Aquatone on our system, let’s make a new directory to store our loot, move our hosts file (containing our targets) into, change into it ourselves, and then run the tool.

mkdir aquatone
mv hosts aquatone/
cd aquatone/
cat hosts | aquatone

The output of the command shows us which domains return pages, and which ones don’t — but the real beauty of this tool is in the generated html file. Let’s open up the report and see what we can find.

firefox aquatone_report.html

Here we can easily see which pages are live and even get a sneak peak into what they’re running to know which ones we may be interested in.