DNS (53)
Zone transfer
If you know the domain — Reveals all subdomains/hosts
dig axfr @$IP <domain>
host -l <domain> $IP
Example Output
dig axfr @10.10.10.5 domain.htb
domain.htb. IN SOA ns1.domain.htb.
admin.domain.htb. IN A 10.10.10.10
dev.domain.htb. IN A 10.10.10.11
staging.domain.htb. IN A 10.10.10.12
Reverse lookup
Find domain name — Need domain for web enum
dig -x $IP @$IP
Example Output
dig -x 10.10.10.5 @10.10.10.5
;; ANSWER SECTION:
5.10.10.10.in-addr.arpa. IN PTR target.corp.local.
(Found hostname: target.corp.local)
Subdomain brute force
Find hidden subdomains — Virtual hosts, dev sites
gobuster dns -d <domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -r $IP:53
Example Output
gobuster dns -d corp.local -w subdomains.txt -r 10.10.10.5:53
Found: dev.corp.local
Found: mail.corp.local
Found: vpn.corp.local
Any records
All DNS records — TXT records may have info
dig any @$IP <domain>
Example Output
dig any @10.10.10.5 corp.local
corp.local. IN A 10.10.10.5
corp.local. IN MX mail.corp.local
corp.local. IN TXT "v=spf1 include:_spf.google.com"
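All three query patterns above (an AXFR zone transfer, a wordlist of subdomain lookups, and an ANY query) land in the authoritative server's query log, so they are also where a defender can see them. The following is an added example for the defending side, not part of the original cheat sheet: a small Python detector run over constructed lines in the shape of BIND's querylog output. The authorised-secondary list, the server address 10.10.10.5, the client addresses, the `@0x...` handle and the burst thresholds are all assumptions made up for the example. The corresponding mitigations are to restrict transfers to known secondaries (BIND's `allow-transfer`) and to answer ANY minimally (RFC 8482).

```python
"""Flag the DNS enumeration patterns from the cheat sheet in BIND-style query logs.

Added example; log lines, addresses and thresholds are constructed, not real data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumptions for the example: which hosts are allowed to pull the zone, and
# how many distinct names from one client within one window count as a burst.
AUTHORIZED_SECONDARIES = {"10.10.10.6"}
BURST_THRESHOLD = 20
BURST_WINDOW_S = 60
SERVER = "10.10.10.5"  # constructed authoritative server address

# One BIND querylog line looks like:
#   <date> <time> client [@0x<handle>] <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return the timestamp, client, normalised qname and qtype, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "client": m["client"],
        "qname": m["qname"].rstrip(".").lower(),
        "qtype": m["qtype"].upper(),
    }


def analyze(log_text, zone, secondaries=AUTHORIZED_SECONDARIES,
            threshold=BURST_THRESHOLD, window_s=BURST_WINDOW_S):
    """Return (kind, client, detail) alerts for transfers, ANY queries and name bursts."""
    alerts = []
    per_client = defaultdict(list)  # client -> [(ts, qname)] for names under the zone
    zone = zone.rstrip(".").lower()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["qtype"] in ("AXFR", "IXFR") and ev["client"] not in secondaries:
            alerts.append(("unauthorized-zone-transfer", ev["client"], ev["qname"]))
        elif ev["qtype"] == "ANY":
            alerts.append(("any-query", ev["client"], ev["qname"]))
        if ev["qname"].endswith("." + zone):
            per_client[ev["client"]].append((ev["ts"], ev["qname"]))
    # Sliding window: many distinct names under the zone from one client in a
    # short time is the signature of a wordlist run, whatever the answers were.
    for client, events in per_client.items():
        events.sort()
        window, start = Counter(), 0
        for ts, name in events:
            window[name] += 1
            while (ts - events[start][0]).total_seconds() > window_s:
                old = events[start][1]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                start += 1
            if len(window) >= threshold:
                alerts.append(("subdomain-burst", client,
                               f"{len(window)} distinct names under {zone} within {window_s}s"))
                break
    return alerts


def _line(ts, client, qname, qtype, port=40000):
    """Build one constructed querylog line; the @0x handle is a placeholder."""
    return (f"{ts} client @0x7f3a1c0 {client}#{port} ({qname}): "
            f"query: {qname} IN {qtype} +E(0)K ({SERVER})")


def build_sample_log():
    """Constructed sample: one legitimate transfer, one rogue client, one ordinary lookup."""
    lines = [
        _line("17-Apr-2024 10:15:20.001", "10.10.10.6", "corp.local", "AXFR"),   # known secondary
        _line("17-Apr-2024 10:15:22.114", "10.10.14.5", "corp.local", "AXFR"),   # not a secondary
        _line("17-Apr-2024 10:15:25.300", "10.10.14.5", "corp.local", "ANY"),
        _line("17-Apr-2024 10:15:30.000", "10.10.10.50", "www.corp.local", "A"),  # ordinary client
    ]
    for i in range(25):  # 25 distinct names inside ten seconds from the rogue client
        ts = f"17-Apr-2024 10:16:{i % 10:02d}.{i * 37 % 1000:03d}"
        lines.append(_line(ts, "10.10.14.5", f"host{i}.corp.local", "A"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for kind, client, detail in analyze(build_sample_log(), "corp.local"):
        print(f"{kind:28} {client:14} {detail}")
```

The transfer from 10.10.10.6 is silent because it is in the allow-list; everything from 10.10.14.5 is flagged. Counting distinct names rather than NXDOMAIN responses keeps the check usable on servers that log queries but not responses, which is BIND's default querylog behaviour.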
Add to /etc/hosts
Required for web virtual hosts — Web apps may need hostname
echo "$IP <domain>" >> /etc/hosts
Example Output
echo '10.10.10.5 target.htb dev.target.htb' >> /etc/hosts
Now: http://target.htb shows different content than http://10.10.10.5
(Virtual hosting = different sites on same IP)