DNS

Find the nameservers of a domain (the domain must be given; on its own dig ns only queries the root zone):

dig ns <domain> @<IP>

Sometimes it's possible to get the server software version through a CHAOS-class query (BIND answers version.bind unless the administrator has hidden or overridden it in the options block):

dig CH TXT version.bind @<IP>

Show all records of a name (many modern servers refuse ANY or return a minimal answer, so an empty result does not mean there are no records):

dig any <domain> @<IP>

Zone transfers or Asynchronous Full Transfer Zone (AXFR)

Zone transfers use TCP port 53 (ordinary queries are normally sent over UDP 53).

dig axfr <domain> @<IP>

If the administrator set allow-transfer to a subnet for testing purposes or as a workaround, or set it to any, then anyone on that subnet (or anyone at all) can request the entire zone file from the DNS server. Other zones hosted on the same server can be requested the same way, and they may even expose internal IP addresses and hostnames.
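The interesting part of a successful transfer is usually the set of hosts that point at internal addresses. The script below is an added example, not code from the original page or from the HTB module it follows: it parses dig axfr output and flags every A record in an RFC 1918 range. The zone text is constructed for the example, and all hostnames and addresses in it are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pull A records out of `dig axfr` output and flag hosts that
# resolve to RFC 1918 addresses. The zone below is constructed for the example;
# hostnames and addresses are hypothetical.

SAMPLE_AXFR='
; <<>> DiG 9.18.1 <<>> axfr inlanefreight.htb @10.129.14.128
;; global options: +cmd
inlanefreight.htb.		604800	IN	SOA	ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.		604800	IN	NS	ns.inlanefreight.htb.
ns.inlanefreight.htb.		604800	IN	A	203.0.113.2
www.inlanefreight.htb.		604800	IN	A	203.0.113.10
mail.inlanefreight.htb.		604800	IN	CNAME	www.inlanefreight.htb.
internal.inlanefreight.htb.	604800	IN	A	10.129.1.6
dev.inlanefreight.htb.		604800	IN	A	172.16.5.20
printer.inlanefreight.htb.	604800	IN	A	192.168.1.50
inlanefreight.htb.		604800	IN	SOA	ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 4 msec
;; SERVER: 10.129.14.128#53(10.129.14.128) (TCP)
'

# Read dig axfr output on stdin and print "<name> <ip>" for every A record.
# Comment lines start with ';'; record lines are: name ttl class type rdata.
axfr_a_records() {
    awk '$0 !~ /^;/ && NF >= 5 && $3 == "IN" && $4 == "A" {
        sub(/\.$/, "", $1)   # strip the trailing dot from the FQDN
        print $1, $5
    }'
}

# Return 0 if the IPv4 address is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    a=${1%%.*}
    rest=${1#*.}
    b=${rest%%.*}
    case "$a" in
        10)  return 0 ;;
        192) [ "$b" = 168 ] && return 0 ;;
        172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Read dig axfr output on stdin and print only the hosts with private addresses.
flag_internal_hosts() {
    axfr_a_records | while read -r name ip; do
        if is_rfc1918 "$ip"; then
            printf '%s %s\n' "$name" "$ip"
        fi
    done
}

# Usage with the constructed zone; with a live target replace the sample with
#   dig axfr <domain> @<IP> | flag_internal_hosts
printf '%s\n' "$SAMPLE_AXFR" | flag_internal_hosts
```

The filter keys on the record type column rather than grepping for digits, so SOA, NS and CNAME lines are dropped cleanly; extend the awk pattern to AAAA if the zone carries IPv6 records.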

Manual bruteforcing (one query per wordlist entry; only names that actually resolve produce an answer section, so the loop appends just the hits):

while read -r sub; do dig +noall +answer "$sub.inlanefreight.htb" @10.129.14.128 | tee -a subdomains.txt; done < /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

Tool

DNSenum
