DNS (53)

ko-fi

DNS Hierarchy

Nmap

/!\ Script fonctionne pas sous exegol, essayer avec Kali

Host

FQDN

DNS record

DNS Record

Description

A

Returns an IPv4 address of the requested domain as a result.

AAAA

Returns an IPv6 address of the requested domain.

MX

Returns the responsible mail servers as a result.

NS

Returns the DNS servers (nameservers) of the domain.

TXT

This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam.

CNAME

This record serves as an alias. If the domain www.hackthebox.eu should point to the same IP, and we create an A record for one and a CNAME record for the other.

PTR

The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.

SOA

Provides information about the corresponding DNS zone and email address of the administrative contact.

Zone transfer

If we manage to perform a successful zone transfer for a domain, there is no need to continue enumerating this particular domain as this will extract all the available information.

https://hackertarget.com/zone-transfer/

Internal zone transfer

MX Records

DNSSEC Exploitation

DNS zones that use DNSSEC must use NSEC or NSEC3 records as a means of authenticated denial-of-existence. NSEC allows for fully extracting DNS zones akin to an AXFR zone transfer or a "zone dump". NSEC3 adds hashes to this process which must be cracked, but offline cracking is faster than online brute-forcing. NSEC(3) Walker automates this extraction process

LogoGitHub - Harrison-Mitchell/NSEC-3-Walker: Performs DNS zone dumps by walking DNSSEC NSEC(3) records.GitHub

TLD Brute Force

DNS Subdomain Enumeration

DNS Subdomain Enumeration

Whois

Whois

DNS Takeover

Logodnsreaper - test a domain for subdomain hijackingpunksecurity.co.uk
LogoA Guide To Subdomain Takeovers 2.0 | HackerOneHackerOne
LogoA Guide to DNS Takeovers: The Misunderstood Cousin of Subdomain Takeovers — ProjectDiscovery BlogProjectDiscovery
LogoHunting down subdomain takeover vulnerabilitiesIntigriti
LogoGitHub - indianajson/can-i-take-over-dns at blog.projectdiscovery.ioGitHub

Detection - Nuclei Template

Subdomain takeover

LogoGitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub
LogoA Guide To Subdomain Takeovers 2.0 | HackerOneHackerOne
LogoDomain/Subdomain takeover - HackTricksbook.hacktricks.xyz

AWS NS Takeover

LogoGitHub - shivsahni/NSBrute: Python utility to takeover domains vulnerable to AWS NS TakeoverGitHub

Tools

LogoGitHub - PentestPad/subzy: Subdomain takeover vulnerability checkerGitHub
LogoGitHub - haccer/subjack: Subdomain Takeover tool written in GoGitHub
LogoGitHub - M1S0-0/CNAME-Sniffer: CNAME Sniffer is a subdomain takeover tool designed to help identify subdomains with vulnerable CNAME records that can be exploited for takeover purposes.GitHub
LogoGitHub - ifconfig-me/subowner: SubOwner - A Simple tool check for subdomain takeovers.GitHub
LogoGitHub - r3curs1v3-pr0xy/sub404: A python tool to check subdomain takeover vulnerabilityGitHub
LogoGitHub - JordyZomer/autoSubTakeover: A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.GitHub
LogoGitHub - HacktivistRO/HostileSubBruteForcer: Bruteforce subdomains for subdomains takeover and enumerate the service pointing toGitHub

Nuclei

CDN or Bucket takeover (S3/Azure)

Always investigate if the main application loads any resources from that subdomain, such as scripts and images.

Check the Network tab in your web console and filter by your subdomain to confirm!

DNS Spoofing

Local DNS Cache Poisoning

From a local network perspective, an attacker can also perform DNS Cache Poisoning using MITM tools like Ettercap or Bettercap.

map the target domain name (e.g., inlanefreight.com) that they want to spoof and the attacker's IP address (e.g., 192.168.225.110) that they want to redirect a user to:

Next, start the Ettercap tool and scan for live hosts within the network by navigating to Hosts > Scan for Hosts. Once completed, add the target IP address (e.g., 192.168.152.129) to Target1 and add a default gateway IP (e.g., 192.168.152.2) to Target2.

Activate dns_spoof attack by navigating to Plugins > Manage Plugins. This sends the target machine with fake DNS responses that will resolve inlanefreight.com to IP address 192.168.225.110:

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

  • Nmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.

  • The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.

  • Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fi

buymeacoffee

PreviousMindMapNextFTP (21)

Last updated