DNS & Subdomains

WHOIS

eldeim@htb[/htb]$ whois inlanefreight.com

[...]
Domain Name: inlanefreight.com
Registry Domain ID: 2420436757_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.amazon
Registrar URL: https://registrar.amazon.com
Updated Date: 2023-07-03T01:11:15Z
Creation Date: 2019-08-05T22:43:09Z
[...]

Each WHOIS record typically contains the following information:

  • Domain Name: The domain name itself (e.g., example.com)

  • Registrar: The company where the domain was registered (e.g., GoDaddy, Namecheap)

  • Registrant Contact: The person or organization that registered the domain.

  • Administrative Contact: The person responsible for managing the domain.

  • Technical Contact: The person handling technical issues related to the domain.

  • Creation and Expiration Dates: When the domain was registered and when it's set to expire.

  • Name Servers: Servers that translate the domain name into an IP address.

DNS

Record Type
Full Name
Description
Zone File Example

A

Address Record

Maps a hostname to its IPv4 address.

www.example.com. IN A 192.0.2.1

AAAA

IPv6 Address Record

Maps a hostname to its IPv6 address.

www.example.com. IN AAAA 2001:db8:85a3::8a2e:370:7334

CNAME

Canonical Name Record

Creates an alias for a hostname, pointing it to another hostname.

blog.example.com. IN CNAME webserver.example.net.

MX

Mail Exchange Record

Specifies the mail server(s) responsible for handling email for the domain.

example.com. IN MX 10 mail.example.com.

NS

Name Server Record

Delegates a DNS zone to a specific authoritative name server.

example.com. IN NS ns1.example.com.

TXT

Text Record

Stores arbitrary text information, often used for domain verification or security policies.

example.com. IN TXT "v=spf1 mx -all" (SPF record)

SOA

Start of Authority Record

Specifies administrative information about a DNS zone, including the primary name server, responsible person's email, and other parameters.

example.com. IN SOA ns1.example.com. admin.example.com. 2024060301 10800 3600 604800 86400

SRV

Service Record

Defines the hostname and port number for specific services.

_sip._udp.example.com. IN SRV 10 5 5060 sipserver.example.com.

PTR

Pointer Record

Used for reverse DNS lookups, mapping an IP address to a hostname.

1.2.0.192.in-addr.arpa. IN PTR www.example.com.

Digging DNS

Command
Description

dig domain.com

Performs a default A record lookup for the domain.

dig domain.com A

Retrieves the IPv4 address (A record) associated with the domain.

dig domain.com AAAA

Retrieves the IPv6 address (AAAA record) associated with the domain.

dig domain.com MX

Finds the mail servers (MX records) responsible for the domain.

dig domain.com NS

Identifies the authoritative name servers for the domain.

dig domain.com TXT

Retrieves any TXT records associated with the domain.

dig domain.com CNAME

Retrieves the canonical name (CNAME) record for the domain.

dig domain.com SOA

Retrieves the start of authority (SOA) record for the domain.

dig @1.1.1.1 domain.com

Specifies a specific name server to query; in this case 1.1.1.1

dig +trace domain.com

Shows the full path of DNS resolution.

dig -x 192.168.1.1

Performs a reverse lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server.

dig +short domain.com

Provides a short, concise answer to the query.

dig +noall +answer domain.com

Displays only the answer sec

Subdomain Bruteforcing

DNSEnum

Let's see dnsenum in action by demonstrating how to enumerate subdomains for our target, inlanefreight.com. In this demonstration, we'll use the subdomains-top1million-5000.txt wordlist from SecLists, which contains the top 5000 most common subdomains.

-r: This option enables recursive subdomain brute-forcing, meaning that if dnsenum finds a subdomain, it will then try to enumerate subdomains of that subdomain

Exploiting Zone Transfers

You can use the dig command to request a zone transfer:

This command instructs dig to request a full zone transfer (axfr) from the DNS server responsible for zonetransfer.me. If the server is misconfigured and allows the transfer, you'll receive a complete list of DNS records for the domain, including all subdomains.

zonetransfer.me is a service specifically setup to demonstrate the risks of zone transfers so that the dig command will return the full zone record.

Virtual Hosting

The --append-domain flag appends the base domain to each word in the wordlist.

Crt.sh lookup

While crt.sh offers a convenient web interface, you can also leverage its API for automated searches directly from your terminal. Let's see how to find all 'dev' subdomains on facebook.com using curl and jq:

ReconSpider

Google Dorking

Here are some common examples of Google Dorks, for more examples, refer to the Google Hacking Database:

  • Finding Login Pages:

    • site:example.com inurl:login

    • site:example.com (inurl:login OR inurl:admin)

  • Identifying Exposed Files:

    • site:example.com filetype:pdf

    • site:example.com (filetype:xls OR filetype:docx)

  • Uncovering Configuration Files:

    • site:example.com inurl:config.php

    • site:example.com (ext:conf OR ext:cnf) (searches for extensions commonly used for configuration files)

  • Locating Database Backups:

    • site:example.com inurl:backup

    • site:example.com filetype:sql

PreviousInformation Gathering - Web EditionNextAttacking Web Applications with Ffuf

Last updated