DNS
Find the nameservers for a zone (the zone name is required; @ selects which server to ask):
dig ns <domain> @<IP>
Sometimes it's possible to get the server version (a CHAOS-class TXT query for version.bind; BIND answers unless the administrator overrode the version string):
dig CH TXT version.bind @<IP>
Show all records the server is willing to return for a name. Many servers now refuse or minimise ANY queries (RFC 8482), so if this returns little, query record types individually (A, AAAA, MX, TXT, NS, SRV):
dig any <domain> @<IP>
Zone transfers (AXFR, RFC 5936)
They use TCP port 53, because a whole zone does not fit in a single UDP datagram.
dig axfr <domain> @<IP>
A successful transfer is bracketed by two SOA records (one at the start, one at the end); a refusal shows "Transfer failed."
If the administrator set the allow-transfer option to a whole subnet for testing purposes or as a workaround, or set it to any, everyone in that range, or everyone at all, can pull the entire zone file from the DNS server. Other zones hosted on the same server can be transferred the same way and may reveal internal IP addresses and hostnames. On BIND the fix is to limit allow-transfer to the secondaries' addresses (or a TSIG key) and set it to none everywhere else.
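As an added example (not part of the original notes), the functions below triage a saved zone transfer offline: they check that the dump is a complete AXFR (two SOA records), pull out the A records, and flag the hostnames that point at RFC 1918 addresses, which are the internal names the transfer should never have leaked. The dump format is what dig axfr prints (one resource record per line); the sample zone is constructed for the example and the inlanefreight.htb names and addresses in it are made up to match the notes.

```shell
#!/usr/bin/env bash
# Added example: offline triage of a `dig axfr <domain> @<IP> > axfr.txt` dump.
# The records below are constructed for the example, not captured from a real server.
# dig separates fields with tabs; awk's default whitespace splitting handles both.
AXFR_SAMPLE='inlanefreight.htb.      604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN  NS   ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN  A    10.129.18.15
internal.inlanefreight.htb.  604800  IN  A  10.129.1.6
mail1.inlanefreight.htb.  604800  IN  A  10.129.18.201
ns.inlanefreight.htb.   604800  IN  A    10.129.34.136
www.inlanefreight.htb.  604800  IN  A    203.0.113.10
inlanefreight.htb.      604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800'

# A complete AXFR is bracketed by two SOA records; anything else is a partial or refused transfer.
axfr_succeeded() {
    [ "$(awk '$4 == "SOA"' | awk 'END { print NR }')" -eq 2 ]
}

# Print "hostname address" for every A record in the dump (trailing dot stripped from the owner name).
axfr_a_records() {
    awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# Return 0 if the IPv4 address falls in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
    case "$1" in
        10.*)                                  return 0 ;;
        192.168.*)                             return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Hosts in the dump that resolve to private addresses: the internal names a transfer leaks.
internal_hosts() {
    axfr_a_records | while read -r host ip; do
        is_rfc1918 "$ip" && echo "$host $ip"
    done
}

# Count of leaked internal hosts, for scripting.
internal_host_count() {
    internal_hosts | awk 'END { print NR }'
}

# Usage against a live target: dig axfr inlanefreight.htb @10.129.14.128 | internal_hosts
# Here we run it on the constructed sample instead.
printf '%s\n' "$AXFR_SAMPLE" | internal_hosts
```

Pipe the output of a real `dig axfr` into internal_hosts, and run the same dump through axfr_succeeded first so a "Transfer failed." response is not mistaken for an empty zone.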
Manual bruteforcing (one query per wordlist entry; lines starting with ; are dig's comments and the SOA is the NXDOMAIN authority record, so only real answers containing the candidate label are kept):
while read -r sub; do dig "$sub.inlanefreight.htb" @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt; done < /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt