DNSRecon
Download: DNSRecon on GitHub (https://github.com/darkoperator/dnsrecon)
This script provides the ability to perform the following:
Check all NS Records for Zone Transfers.
Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
Perform common SRV Record Enumeration.
Top Level Domain (TLD) Expansion.
Check for Wildcard Resolution.
Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
Perform a PTR Record lookup for a given IP Range or CIDR.
Check a DNS server's cache for A, AAAA and CNAME records, given a list of host names in a text file (cache snooping).
Example 1:
Port 53 is open on the target, so we need to perform recon on DNS. Let's use dnsrecon:
$ dnsrecon -r 127.0.0.0/24 -n 192.168.240.140 -d nodictionary
-r : the IP range (CIDR) to reverse-resolve. 127.0.0.0/24 is the loopback range: a server that answers for its own loopback addresses often carries PTR records for itself there, which is exactly what this scan looks for.
-n : the name server to query, here the target box because it is running DNS.
-d : the target domain, not a dictionary. The wordlist option is -D (capital D); older dnsrecon releases required -d for every scan type, which is why a placeholder value is passed here. Check dnsrecon -h for the version in use.

The output shows a PTR record for 127.0.0.1 naming the domain blackpearl.tcm. Add that hostname to /etc/hosts, pointing at the target's address (192.168.240.140), not at 127.0.0.1: the loopback address is the target's view of itself, and an entry for 127.0.0.1 would send the browser to our own machine.
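The steps above (reverse-resolve the range, read the PTR hit, add it to /etc/hosts) as an added shell example; this is not code from the original page or from the dnsrecon project. It assumes dnsrecon prints a PTR hit as a line containing the token PTR followed by the hostname and the address, the sample output it parses is constructed, and the function names ptr_to_hosts and add_hosts_entries are my own.

```shell
#!/bin/sh
# Added example (not from the original page or the dnsrecon project): turn the PTR
# hits printed by `dnsrecon -r <range> -n <server>` into /etc/hosts entries.
# Assumed output format: a hit line contains the literal token PTR followed by a
# hostname and an IP address (dnsrecon prints "[+]\t PTR <name> <ip>"); the parser
# accepts either order, so it also survives a change in field order.

# Constructed sample of reverse-lookup output, modelled on the Blackpearl hit above.
SAMPLE_OUTPUT='[*] Reverse Look-up of a 256 IP address range
[+]      PTR localhost 127.0.0.1
[+]      PTR blackpearl.tcm 127.0.0.1
[-] Could not resolve 127.0.0.2
[*] Found 2 PTR records'

# ptr_to_hosts [TARGET_IP]
# Reads dnsrecon output on stdin and prints "<ip> <hostname>" lines, deduplicated.
# When TARGET_IP is given, loopback PTRs (the target describing itself, as in the
# 127.0.0.0/24 scan above) are rewritten to point at the target instead of at us.
ptr_to_hosts() {
    awk -v target="${1:-}" '
        {
            ip = ""; host = ""; seen = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "PTR") { seen = 1; continue }
                if (!seen) continue
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $i ~ /:/) ip = $i; else host = $i
            }
            if (!seen || ip == "" || host == "") next
            # names every box uses for itself are never useful hosts entries
            if (host ~ /^(localhost|localhost\.localdomain|ip6-localhost|ip6-loopback)$/) next
            if (target != "" && (ip ~ /^127\./ || ip == "::1")) ip = target
            if (!dup[ip " " host]++) print ip, host
        }'
}

# add_hosts_entries [HOSTS_FILE]
# Appends each "<ip> <hostname>" line from stdin unless an identical entry exists.
# Defaults to /etc/hosts (root needed); pass another path to try it out safely.
add_hosts_entries() {
    hosts=${1:-/etc/hosts}
    while read -r ip host; do
        [ -n "$ip" ] && [ -n "$host" ] || continue
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
        if grep -qE "^[[:space:]]*${ip_re}[[:space:]]+${host_re}([[:space:]]|\$)" "$hosts" 2>/dev/null; then
            echo "skip:  $ip $host (already in $hosts)" >&2
        else
            printf '%s\t%s\n' "$ip" "$host" >> "$hosts"
            echo "added: $ip $host -> $hosts" >&2
        fi
    done
}

# Demonstration on a scratch file instead of /etc/hosts:
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_OUTPUT" | ptr_to_hosts 192.168.240.140 | add_hosts_entries "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
# Real use after the scan above (assumption: run as root, or replace the append with sudo tee -a):
#   dnsrecon -r 127.0.0.0/24 -n 192.168.240.140 | ptr_to_hosts 192.168.240.140 | add_hosts_entries
```

Running the scan output through ptr_to_hosts without a target address keeps the PTR addresses as they were; passing the target address is what turns the 127.0.0.1 hit into a hosts entry that actually reaches the box.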

Now we can try navigating to the domain in the web browser:

Standard Enumeration (the default, -t std):
This returns the zone's SOA, NS, MX, A, TXT and SRV records. It is not a subdomain brute force; for that use -t brt together with a wordlist (-D /path/to/wordlist).
$ dnsrecon -d microsoft.com
[*] std: Performing General Enumeration against: microsoft.com...
[-] DNSSEC is not configured for microsoft.com
[*] SOA ns1-39.azure-dns.com 150.171.10.39
[*] SOA ns1-39.azure-dns.com 2603:1061:0:10::27
[*] NS ns3-39.azure-dns.org 13.107.222.39
[*] NS ns3-39.azure-dns.org 2a01:111:4000:10::27
[*] NS ns4-39.azure-dns.info 13.107.206.39
[*] NS ns4-39.azure-dns.info 2620:1ec:bda:10::27
[*] NS ns2-39.azure-dns.net 150.171.16.39
[*] NS ns2-39.azure-dns.net 2620:1ec:8ec:10::27
[*] NS ns1-39.azure-dns.com 150.171.10.39
[*] NS ns1-39.azure-dns.com 2603:1061:0:10::27
[*] MX microsoft-com.mail.protection.outlook.com 40.93.207.1
[*] MX microsoft-com.mail.protection.outlook.com 104.47.53.36
[*] MX microsoft-com.mail.protection.outlook.com 40.93.207.5
[*] MX microsoft-com.mail.protection.outlook.com 52.101.40.29
[*] MX microsoft-com.mail.protection.outlook.com 104.47.54.36
[*] MX microsoft-com.mail.protection.outlook.com 40.93.207.7
[*] MX microsoft-com.mail.protection.outlook.com 40.93.212.0
[*] A microsoft.com 20.103.85.33
[*] A microsoft.com 20.112.52.29
[*] A microsoft.com 20.53.203.50
[*] A microsoft.com 20.81.111.85
[*] A microsoft.com 20.84.181.62
[*] TXT microsoft.com fg2t0gov9424p2tdcuo94goe9j
[*] TXT microsoft.com t7sebee51jrj7vm932k531hipa
[*] TXT microsoft.com google-site-verification=uFg3wr5PWsK8lV029RoXXBBUW0_E6qf1WEWVHhetkOY
[*] TXT microsoft.com d365mktkey=j2qHWq9BHdaa3ZXZH8x64daJZxEWsFa0dxDeilxDoYYx
[*] TXT microsoft.com d365mktkey=3uc1cf82cpv750lzk70v9bvf2
[*] TXT microsoft.com google-site-verification=GfDnTUdATPsK1230J0mXbfsYw-3A9BVMVaKSd4DcKgI
[*] TXT microsoft.com google-site-verification=pjPOauSPcrfXOZS9jnPPa5axowcHGCDAl1_86dCqFpk
[*] TXT microsoft.com d365mktkey=6358r1b7e13hox60tl1uagv14
[*] TXT microsoft.com d365mktkey=SxDf1EZxLvMwx6eEZUxzjFFgHoapF8DvtWEUjwq7ZTwx
[*] TXT microsoft.com d365mktkey=QDa792dLCZhvaAOOCe2Hz6WTzmTssOp1snABhxWibhMx
[*] TXT microsoft.com v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.msft.net include:spf-a.hotmail.com include:_spf1-meo.microsoft.com -all
[*] TXT microsoft.com 8RPDXjBzBS9tu7Pbysu7qCACrwXPoDV8ZtLfthTnC4y9VJFLd84it5sQlEITgSLJ4KOIA8pBZxmyvPujuUvhOg==
[*] TXT microsoft.com docusign=d5a3737c-c23c-4bd0-9095-d2ff621f2840
[*] TXT microsoft.com facebook-domain-verification=fwzwhbbzwmg5fzgotc2go51olc3566
[*] TXT microsoft.com hubspot-developer-verification=OTQ5NGIwYWEtODNmZi00YWE1LTkyNmQtNDhjMDMxY2JjNDAx
[*] TXT microsoft.com google-site-verification=M--CVfn_YwsV-2FGbCp_HFaEj23BmT0cTF4l8hXgpvM
[*] TXT _dmarc.microsoft.com v=DMARC1; p=reject; pct=100; rua=itex-rua@microsoft.com; ruf=itex-ruf@microsoft.com; fo=1
[*] Enumerating SRV Records
[+] SRV _xmpp-server._tcp.microsoft.com sipdog3.microsoft.com 131.107.1.47 5269
[+] SRV _sipfederationtls._tcp.microsoft.com sipfed.online.lync.com 52.113.101.30 5061
[+] SRV _sip._tls.microsoft.com sipdir.online.lync.com 52.113.67.75 443
[+] SRV _sip._tls.microsoft.com sipdir.online.lync.com 2603:1047:0:d::f 443
[+] 4 Records Found
What to take from this output: the TXT records name the third-party services tied to the domain (Google, Facebook, HubSpot and DocuSign verification tokens, d365mktkey for Dynamics 365 Marketing), the SPF record lists every include: domain that may send mail as microsoft.com, and the _dmarc record carries p=reject, so spoofed mail from this domain should be rejected by receivers that enforce DMARC. The SRV records expose the SIP and XMPP federation endpoints (sipfed.online.lync.com, sipdir.online.lync.com, sipdog3.microsoft.com), which are further targets for enumeration.
DNS Zone Transfer (-t axfr)
$ dnsrecon -d medium.com -t axfr
[*] Checking for Zone Transfer for medium.com name servers
[*] Resolving SOA Record
[+] SOA alina.ns.cloudflare.com 173.245.58.61
[+] SOA alina.ns.cloudflare.com 108.162.192.61
[+] SOA alina.ns.cloudflare.com 172.64.32.61
[+] SOA alina.ns.cloudflare.com 2606:4700:50::adf5:3a3d
[+] SOA alina.ns.cloudflare.com 2803:f800:50::6ca2:c03d
[+] SOA alina.ns.cloudflare.com 2a06:98c1:50::ac40:203d
[*] Resolving NS Records
[*] NS Servers found:
[+] NS alina.ns.cloudflare.com 172.64.32.61
[+] NS alina.ns.cloudflare.com 173.245.58.61
[+] NS alina.ns.cloudflare.com 108.162.192.61
[+] NS alina.ns.cloudflare.com 2803:f800:50::6ca2:c03d
[+] NS alina.ns.cloudflare.com 2a06:98c1:50::ac40:203d
[+] NS alina.ns.cloudflare.com 2606:4700:50::adf5:3a3d
[+] NS kip.ns.cloudflare.com 172.64.33.128
[+] NS kip.ns.cloudflare.com 173.245.59.128
[+] NS kip.ns.cloudflare.com 108.162.193.128
[+] NS kip.ns.cloudflare.com 2a06:98c1:50::ac40:2180
[+] NS kip.ns.cloudflare.com 2606:4700:58::adf5:3b80
[+] NS kip.ns.cloudflare.com 2803:f800:50::6ca2:c180
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 173.245.58.61
[+] 173.245.58.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: FORMERR)
[*]
[*] Trying NS server 108.162.192.61
[+] 108.162.192.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: FORMERR)
[*]
[*] Trying NS server 108.162.193.128
[+] 108.162.193.128 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: FORMERR)
[*]
[*] Trying NS server 172.64.32.61
[+] 172.64.32.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: FORMERR)
[*]
[*] Trying NS server 2606:4700:50::adf5:3a3d
[-] Zone Transfer Failed for 2606:4700:50::adf5:3a3d!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2803:f800:50::6ca2:c03d
[-] Zone Transfer Failed for 2803:f800:50::6ca2:c03d!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2a06:98c1:50::ac40:203d
[-] Zone Transfer Failed for 2a06:98c1:50::ac40:203d!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 173.245.59.128
[+] 173.245.59.128 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: FORMERR)
[*]
[*] Trying NS server 2803:f800:50::6ca2:c180
[-] Zone Transfer Failed for 2803:f800:50::6ca2:c180!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2606:4700:58::adf5:3b80
[-] Zone Transfer Failed for 2606:4700:58::adf5:3b80!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 172.64.33.128
[+] 172.64.33.128 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: FORMERR)
[*]
[*] Trying NS server 2a06:98c1:50::ac40:2180
[-] Zone Transfer Failed for 2a06:98c1:50::ac40:2180!
[-] Port 53 TCP is being filtered
Every name server here denies the transfer. An error code such as FORMERR or REFUSED means the server answered but will not serve AXFR to unauthorised clients, which is the expected result for a properly configured zone. "Port 53 TCP is being filtered" on the IPv6 addresses means the scanning host could not open a TCP connection at all, most likely because it has no IPv6 connectivity rather than because the server blocks it. A successful transfer dumps every record in the zone and is a serious misconfiguration. To cross-check a single server by hand:
$ dig @alina.ns.cloudflare.com medium.com axfr
Base Domain Enumeration
$ dnsrecon.py -d <domain>
Same as the standard enumeration shown above. dnsrecon.py is the script name when run from a Git checkout; the Kali package installs it as dnsrecon.

Zonewalk
$ dnsrecon.py -d <domain> -t zonewalk
Walks the zone's DNSSEC NSEC chain: each NSEC record names the next owner in the zone, so following the chain lists every name without a wordlist. This only works on zones signed with NSEC; zones using NSEC3 publish hashed owner names and cannot be walked this way.
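What -t zonewalk does under the hood, as an added shell example that is not the page's or dnsrecon's own code. The walk_nsec, nsec_next_dig and nsec_next_fake functions and the zone example.com. with its NSEC chain are constructed for illustration; the dig backend assumes dig is installed and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page or the dnsrecon project): the NSEC
# chain walk that `dnsrecon -t zonewalk` automates, written out so the mechanism
# is visible. In a zone signed with NSEC, the NSEC record at each owner name
# carries the next owner name in canonical order; asking for "the NSEC of the
# next name" over and over enumerates every name until the chain wraps to the apex.

# Live backend (assumption: dig is installed and SERVER is authoritative; not
# exercised offline). Prints the next-owner field of NAME's NSEC record.
nsec_next_dig() {
    dig +short NSEC "$1" @"$2" | awk 'NR == 1 { print $1 }'
}

# Constructed stand-in for the live backend: the NSEC chain of a hypothetical
# NSEC-signed zone example.com., answered from a table instead of the network.
nsec_next_fake() {
    case "$1" in
        example.com.)      echo "dev.example.com." ;;
        dev.example.com.)  echo "mail.example.com." ;;
        mail.example.com.) echo "vpn.example.com." ;;
        vpn.example.com.)  echo "example.com." ;;   # last name wraps to the apex
        *)                 echo "" ;;               # no NSEC: unsigned or NSEC3 zone
    esac
}

# walk_nsec APEX RESOLVER [SERVER]
# Prints every owner name in the zone, one per line. Returns 1 if the chain breaks
# (no NSEC answer) or exceeds MAX_STEPS, which guards against a looping chain.
walk_nsec() {
    apex=$1; resolver=$2; server=${3:-}
    max_steps=${MAX_STEPS:-10000}
    name=$apex; steps=0
    while [ "$steps" -lt "$max_steps" ]; do
        echo "$name"
        next=$("$resolver" "$name" "$server")
        if [ -z "$next" ]; then
            echo "walk stopped at $name: no NSEC record (zone unsigned, NSEC3, or wrong server)" >&2
            return 1
        fi
        [ "$next" = "$apex" ] && return 0
        name=$next
        steps=$((steps + 1))
    done
    echo "walk stopped: more than $max_steps names, chain may loop" >&2
    return 1
}

# Offline demonstration against the constructed chain:
walk_nsec example.com. nsec_next_fake
# Live form (assumption, not run here):
#   walk_nsec example.com. nsec_next_fake ns1.example.com.   # swap in nsec_next_dig for a real server
```

The resolver is passed in as a function name so the same walk runs against the constructed chain offline and against dig for a live zone; the step cap matters on real zones, where a misconfigured or deliberately looping chain would otherwise keep the walk running forever.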
