Information Gathering

DNS Enumeration

Passive Info Gathering

WHOIS (Extract IP, Servers, DNS, Registrar, Company, Emails, etc)

whois <target.com /  $IP>
https://whois.icann.org/en
http://who.is/
http://whois.domaintools.com/
https://whois.net/

Active Info Gathering

DNS Lookup (Extract DNS records like NS, MX, PTR, CNAME, SOA, AAAA.

host target.com
nslookup target.com
nslookup -type= <NS,MX,PTR,A,CNAME,SOA> target.com 
//Interactive Mode
nslookup
>set q=<ns,mx,ptr,a,cname,soa>
>target.com
dig target.com +short
dig target.com any
dig target.com <NS,MX,PTR,A,CNAME,SOA>
fierce -dns target.com
fierce -dns target.com --dnsserver <DNS Server>
dnsmap target.com
dnsrecon -d target.com
dmitry -iwnse target.com

Zone Transfers (Exploit misconfigurations by pretending to be slave to master DNS server which passes a copy of part of database and give out network info/topology, etc.)

nslookup
>server target.com
>ls -d target.com

dig axfr @$IP target.com
dig axfr @$IP target.com -t AXFR +nocookie
dnsenum target.com
dnsenum -f hosts.txt target.com 
host  -l target.com <dns_server>
host -t axfr target.com $IP      //-t: type
dnsrecon -d target.com -t axfr

Reverse Lookup (Find Netblocks, Owner, Organization)

http://viewdns.info/
whois -h target.com
host -l target.com
dnsrecon -r <range of IP's>

IPv6 Enumeration

dnsdict6 target.com

PreviousNetwork Pentesting NextScanning

Last updated 1 year ago