# DNS (53)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## DNS Hierarchy

<figure><img src="/files/1TtSGYOBpZzCubYaROJn" alt=""><figcaption></figcaption></figure>

## Nmap

/!\ The script does not work under Exegol; try it with Kali.

```shell-session
nmap -sSU -p 53 --script dns-nsid 10.129.11.180
```

```shell-session
nmap -sSU -p 53 --script=dns-service-discovery 10.129.11.180
```

```shell-session
nmap -p53 -Pn -sV -sC 10.10.110.213
```

## Host

```shell-session
host support.inlanefreight.com

support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com
```

## FQDN

```shell-session
$ export TARGET="facebook.com"
$ nslookup $TARGET
```

```shell-session
$ export TARGET=www.facebook.com
$ nslookup -query=A $TARGET
```

```shell-session
$ nslookup -query=PTR 31.13.92.36
```

```shell-session
nslookup -type=NS inlanefreight.htb 10.129.104.34
Server:		10.129.104.34
Address:	10.129.104.34#53

inlanefreight.htb	nameserver = ns.inlanefreight.htb.
```

```shell-session
dig facebook.com @1.1.1.1
```

```shell-session
dig a www.facebook.com @1.1.1.1
```

```shell-session
dig -x 31.13.92.36 @1.1.1.1
```

## DNS record

| **DNS Record** | **Description**                                                                                                                                                                                                                                   |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `A`            | Returns an IPv4 address of the requested domain as a result.                                                                                                                                                                                      |
| `AAAA`         | Returns an IPv6 address of the requested domain.                                                                                                                                                                                                  |
| `MX`           | Returns the responsible mail servers as a result.                                                                                                                                                                                                 |
| `NS`           | Returns the DNS servers (nameservers) of the domain.                                                                                                                                                                                              |
| `TXT`          | This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam. |
| `CNAME`        | This record serves as an alias for another domain name. If [www.hackthebox.eu](http://www.hackthebox.eu) should point to the same IP as its parent domain, we create an A record for one and a CNAME record for the other.                      |
| `PTR`          | The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.                                                                                                                                     |
| `SOA`          | Provides information about the corresponding DNS zone and email address of the administrative contact.                                                                                                                                            |

```shell-session
$ export TARGET="facebook.com"
$ nslookup -query=TXT $TARGET
```

```shell-session
dig txt facebook.com @1.1.1.1
```

```shell-session
$ dig CH TXT version.bind 10.129.120.85

; <<>> DiG 9.10.6 <<>> CH TXT version.bind
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47786
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
version.bind.       0       CH      TXT     "9.10.6-P1"

;; ADDITIONAL SECTION:
version.bind.       0       CH      TXT     "9.10.6-P1-Debian"

;; Query time: 2 msec
;; SERVER: 10.129.120.85#53(10.129.120.85)
;; WHEN: Wed Jan 05 20:23:14 UTC 2023
;; MSG SIZE  rcvd: 101
```

```shell-session
dig any inlanefreight.com
```

```shell-session
dig any google.com @8.8.8.8
```

```shell-session
$ export TARGET="google.com"
$ nslookup -query=ANY $TARGET
```

```shell-session
$ nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja
```

### **Zone transfer**

If we manage to perform a successful zone transfer for a domain, there is no need to continue enumerating this particular domain as this will extract all the available information.

`https://hackertarget.com/zone-transfer/`

```shell-session
$ dig axfr inlanefreight.htb @10.129.14.128

; <<>> DiG 9.16.1-Ubuntu <<>> axfr inlanefreight.htb @10.129.14.128
;; global options: +cmd
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      TXT     "MS=ms97310371"
inlanefreight.htb.      604800  IN      TXT     "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb.      604800  IN      TXT     "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.18.15
internal.inlanefreight.htb. 604800 IN   A       10.129.1.6
mail1.inlanefreight.htb. 604800 IN      A       10.129.18.201
ns.inlanefreight.htb.   604800  IN      A       10.129.34.136
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 4 msec
;; SERVER: 10.129.14.128#53(10.129.14.128)
;; WHEN: So Sep 19 18:51:19 CEST 2021
;; XFR size: 9 records (messages 1, bytes 520)
```

```shell-session
fierce --domain zonetransfer.me

NS: nsztm2.digi.ninja. nsztm1.digi.ninja.
SOA: nsztm1.digi.ninja. (81.4.108.41)
Zone: success
{<DNS name @>: '@ 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 '
               '172800 900 1209600 3600\n'
               '@ 300 IN HINFO "Casio fx-700G" "Windows XP"\n'
               '@ 301 IN TXT '
               '"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"\n'
               '@ 7200 IN MX 0 ASPMX.L.GOOGLE.COM.\n'
               '@ 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.\n'
               '@ 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.\n'
               '@ 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.\n'
               '@ 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.\n'
               '@ 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.\n'
               '@ 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.\n'
--SNIP--
```

**Internal zone transfer**

```shell-session
$ dig axfr internal.inlanefreight.htb @10.129.14.128

; <<>> DiG 9.16.1-Ubuntu <<>> axfr internal.inlanefreight.htb @10.129.14.128
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN   SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN   TXT     "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN   TXT     "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN   TXT     "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
internal.inlanefreight.htb. 604800 IN   NS      ns.inlanefreight.htb.
dc1.internal.inlanefreight.htb. 604800 IN A     10.129.34.16
dc2.internal.inlanefreight.htb. 604800 IN A     10.129.34.11
mail1.internal.inlanefreight.htb. 604800 IN A   10.129.18.200
ns.internal.inlanefreight.htb. 604800 IN A      10.129.34.136
vpn.internal.inlanefreight.htb. 604800 IN A     10.129.1.6
ws1.internal.inlanefreight.htb. 604800 IN A     10.129.1.34
ws2.internal.inlanefreight.htb. 604800 IN A     10.129.1.35
wsus.internal.inlanefreight.htb. 604800 IN A    10.129.18.2
internal.inlanefreight.htb. 604800 IN   SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 10.129.14.128#53(10.129.14.128)
;; WHEN: So Sep 19 18:53:11 CEST 2021
;; XFR size: 15 records (messages 1, bytes 664)
```
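As an added example (not code from the page or from dig), a small Python parser for dig's AXFR output that turns a transfer like the ones above into an inventory of what the zone hands over: hosts with their IPs, nameservers and the senders authorised by SPF. The sample text is constructed from trimmed lines of the transfer above.

```python
import re
from collections import defaultdict

# Constructed sample in dig's AXFR output format, built from (trimmed) lines of the transfer above.
AXFR_OUTPUT = """\
; <<>> DiG 9.16.1-Ubuntu <<>> axfr inlanefreight.htb @10.129.14.128
;; global options: +cmd
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      TXT     "v=spf1 include:mailgun.org include:_spf.google.com ip4:10.129.124.8 ~all"
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.18.15
internal.inlanefreight.htb. 604800 IN   A       10.129.1.6
ns.inlanefreight.htb.   604800  IN      A       10.129.34.136
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; XFR size: 9 records (messages 1, bytes 520)
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_axfr(text):
    """Yield (owner, ttl, type, rdata) per record line; dig's ';' comment lines are skipped."""
    seen_soa = False
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if not m or line.startswith(";"):
            continue
        owner, ttl, rtype, rdata = m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()
        if rtype == "SOA":
            if seen_soa:                 # the repeated SOA terminates the transfer
                break
            seen_soa = True
        yield owner, ttl, rtype, rdata

def zone_inventory(text):
    """What a successful transfer exposes: hosts with IPs, nameservers, and SPF-authorised senders."""
    inv = defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_axfr(text):
        if rtype == "A":
            inv["hosts"].append((owner.rstrip("."), rdata))
        elif rtype == "NS":
            inv["nameservers"].append(rdata.rstrip("."))
        elif rtype == "TXT" and rdata.startswith('"v=spf1'):
            inv["spf"].extend(t for t in rdata.strip('"').split() if t.startswith(("include:", "ip4:")))
    return dict(inv)
```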

### MX Records

```shell-session
$ export TARGET="facebook.com"
$ nslookup -query=MX $TARGET
```

```shell-session
dig mx facebook.com @1.1.1.1
```

## DNSSEC Exploitation

DNS zones that use DNSSEC must use NSEC or NSEC3 records as a means of authenticated denial of existence. NSEC allows for fully extracting DNS zones, akin to an AXFR zone transfer or a "zone dump". NSEC3 adds hashes to this process which must be cracked, but offline cracking is faster than online brute-forcing. NSEC(3) Walker automates this extraction process.

{% embed url="<https://github.com/Harrison-Mitchell/NSEC-3-Walker>" %}

## TLD Brute Force

```shell-session
$ wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt

$ domain="domain"   # base name to test, without the TLD
$ grep -v '^#' tlds-alpha-by-domain.txt | while read -r tld; do
    fqdn="${domain}.${tld,,}"      # the IANA list is upper case and starts with a '#' comment line
    if host "$fqdn" > /dev/null 2>&1; then
        echo "$fqdn exists"
    fi
done
```

## DNS Subdomain Enumeration

{% content-ref url="/pages/SCrO3Y5edNNTmZbcS19w" %}
[DNS Subdomain Enumeration](/0xss0rz/pentest/recon/dns-subdomain-enumeration.md)
{% endcontent-ref %}

## Whois

{% content-ref url="/pages/aCctqZSMA3lwSgj5SJLX" %}
[Whois](/0xss0rz/pentest/recon/whois.md)
{% endcontent-ref %}

## DNS Takeover

{% embed url="<https://punksecurity.co.uk/dnsreaper/>" %}

{% embed url="<https://www.hackerone.com/community/guide-subdomain-takeovers>" %}

{% embed url="<https://blog.projectdiscovery.io/guide-to-dns-takeovers/>" %}

{% embed url="<https://www.intigriti.com/researchers/blog/hacking-tools/hunting-down-subdomain-takeover-vulnerabilities>" %}

{% embed url="<https://github.com/indianajson/can-i-take-over-dns?ref=blog.projectdiscovery.io>" %}

### Detection - Nuclei Template

```yaml
id: servfail-refused-hosts

info:
  name: DNS Servfail Host Finder
  author: pdteam
  severity: info
  description: A DNS ServFail error occurred. ServFail errors occur when there is an error communicating with a DNS server. This could have a number of causes, including an error on the DNS server itself, or a temporary
    networking issue.
  classification:
    cwe-id: CWE-200
  tags: dns,takeover

dns:
  - name: "{{FQDN}}"
    type: A

    matchers:
      - type: word
        words:
          - "SERVFAIL"
          - "REFUSED"
```
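As an added example (not from the page, Nuclei or any tool linked above), a stdlib-only Python decoder for the DNS wire format behind the `dig`/`nslookup` output earlier on this page, returning the rcode names the template above matches on (SERVFAIL, REFUSED, NXDOMAIN) plus the answer records, and a check for the dangling-CNAME pattern behind subdomain takeovers: a CNAME answer that ends in NXDOMAIN. The byte string, `shop.example.com` and the bucket name are constructed, not captured.

```python
import struct
RTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def read_name(msg, off, end=None):            # -> (dotted name, offset just after it)
    labels = []
    for _ in range(128):                       # bound: a pointer loop must not hang us
        n = msg[off]
        if n >= 0xC0:                          # 11xxxxxx: compression pointer into an earlier name
            end, off = end or off + 2, ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("pointer loop or oversized name")

def parse_rdata(msg, rtype, start, rdlen):
    data = msg[start:start + rdlen]
    if rtype == 1:                             # A: four raw octets
        return ".".join(map(str, data))
    if rtype in (2, 5, 12):                    # NS, CNAME, PTR carry a (compressible) name
        return read_name(msg, start)[0]
    if rtype == 16:                            # TXT: one or more <len><chars> strings
        parts, i = [], 0
        while i < len(data):
            parts.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
            i += 1 + data[i]
        return " ".join(parts)
    return data.hex()                          # other types are left raw

def parse_response(msg):                       # -> (rcode name, [(owner, type, ttl, rdata), ...])
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    answers, off = [], 12
    for _ in range(qd):                        # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((owner, RTYPES.get(rtype, str(rtype)), ttl, parse_rdata(msg, rtype, off + 10, rdlen)))
        off += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), answers

def dangling_cname(msg):                       # takeover candidate: CNAME whose target is NXDOMAIN
    rcode, answers = parse_response(msg)
    targets = [r[3] for r in answers if r[1] == "CNAME"]
    return targets[-1] if rcode == "NXDOMAIN" and targets else None
# Constructed reply (not captured): shop.example.com A? -> CNAME bucket.s3.amazonaws.com, rcode NXDOMAIN
SAMPLE_NXDOMAIN = (b"\x12\x34\x81\x83\x00\x01\x00\x01\x00\x00\x00\x00\x04shop\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x16\x06bucket\x02s3\x09amazonaws\xc0\x19")
```

A live check feeds the bytes returned by a UDP query to port 53 into `dangling_cname`; a non-None result is the same signal the takeover tools above look for and is worth an alert on your own zones.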

## Subdomain takeover

{% embed url="<https://github.com/EdOverflow/can-i-take-over-xyz>" %}

{% embed url="<https://www.hackerone.com/community/guide-subdomain-takeovers>" %}

{% embed url="<https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover>" %}

### AWS NS Takeover

{% embed url="<https://github.com/shivsahni/NSBrute>" %}

### Tools

{% embed url="<https://github.com/PentestPad/subzy>" %}

```shell-session
subzy --targets subdomains.txt
```

{% embed url="<https://github.com/haccer/subjack>" %}

```
subjack -w ./targets -v
subjack -w subdomains.txt -t 50 -o results.txt
```

{% embed url="<https://github.com/M1S0-0/CNAME-Sniffer>" %}

{% embed url="<https://github.com/ifconfig-me/subowner>" %}

{% embed url="<https://github.com/r3curs1v3-pr0xy/sub404>" %}

{% embed url="<https://github.com/JordyZomer/autoSubTakeover>" %}

{% embed url="<https://github.com/HacktivistRO/HostileSubBruteForcer>" %}

#### Nuclei

```
subfinder -d domain | httpx -silent > subdomains.txt ; nuclei -t /root/nuclei-templates/http/takeovers -l subdomains.txt
```

### CDN or Bucket takeover (S3/Azure)

Always investigate if the main application loads any resources from that subdomain, such as scripts and images.

Check the Network tab in your web console and filter by your subdomain to confirm!

<figure><img src="/files/CVJRePgXxXaQ5aQLhfEq" alt=""><figcaption></figcaption></figure>

## DNS Spoofing

### **Local DNS Cache Poisoning**

From a local network perspective, an attacker can also perform DNS Cache Poisoning using MITM tools like [Ettercap](https://www.ettercap-project.org/) or [Bettercap](https://www.bettercap.org/).

The `/etc/ettercap/etter.dns` file maps the target domain name (e.g., `inlanefreight.com`) that they want to spoof to the attacker's IP address (e.g., `192.168.225.110`) that they want to redirect a user to:

```shell-session
cat /etc/ettercap/etter.dns

inlanefreight.com      A   192.168.225.110
*.inlanefreight.com    A   192.168.225.110
```

Next, start the `Ettercap` tool and scan for live hosts within the network by navigating to `Hosts > Scan for Hosts`. Once completed, add the target IP address (e.g., `192.168.152.129`) to Target1 and add a default gateway IP (e.g., `192.168.152.2`) to Target2.

<figure><img src="/files/utEqMrEO98vaLmiOXrnU" alt=""><figcaption></figcaption></figure>

Activate the `dns_spoof` attack by navigating to `Plugins > Manage Plugins`. This sends the target machine fake DNS responses that resolve `inlanefreight.com` to the IP address `192.168.225.110`:

<figure><img src="/files/JYe2gnok5Wjzz3MokGZD" alt=""><figcaption></figcaption></figure>


## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Nmap Network Scanning**](https://www.amazon.fr/dp/0979958717?tag=0xss0rz-21)\
  The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
* [**The Art of Network Penetration Testing**](https://www.amazon.fr/dp/1617296821)\
  A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
* [**Network Basics for Hackers**](https://www.amazon.fr/dp/B0BS3GZ1R9)\
  The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
