DNS & Subdomains
WHOIS
eldeim@htb[/htb]$ whois inlanefreight.com
[...]
Domain Name: inlanefreight.com
Registry Domain ID: 2420436757_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.amazon
Registrar URL: https://registrar.amazon.com
Updated Date: 2023-07-03T01:11:15Z
Creation Date: 2019-08-05T22:43:09Z
[...]
Each WHOIS record typically contains the following information:
Domain Name
: The domain name itself (e.g., example.com)Registrar
: The company where the domain was registered (e.g., GoDaddy, Namecheap)Registrant Contact
: The person or organization that registered the domain.Administrative Contact
: The person responsible for managing the domain.Technical Contact
: The person handling technical issues related to the domain.Creation and Expiration Dates
: When the domain was registered and when it's set to expire.Name Servers
: Servers that translate the domain name into an IP address.
DNS
A
Address Record
Maps a hostname to its IPv4 address.
www.example.com.
IN A 192.0.2.1
AAAA
IPv6 Address Record
Maps a hostname to its IPv6 address.
www.example.com.
IN AAAA 2001:db8:85a3::8a2e:370:7334
CNAME
Canonical Name Record
Creates an alias for a hostname, pointing it to another hostname.
blog.example.com.
IN CNAME webserver.example.net.
MX
Mail Exchange Record
Specifies the mail server(s) responsible for handling email for the domain.
example.com.
IN MX 10 mail.example.com.
NS
Name Server Record
Delegates a DNS zone to a specific authoritative name server.
example.com.
IN NS ns1.example.com.
TXT
Text Record
Stores arbitrary text information, often used for domain verification or security policies.
example.com.
IN TXT "v=spf1 mx -all"
(SPF record)
SOA
Start of Authority Record
Specifies administrative information about a DNS zone, including the primary name server, responsible person's email, and other parameters.
example.com.
IN SOA ns1.example.com. admin.example.com. 2024060301 10800 3600 604800 86400
SRV
Service Record
Defines the hostname and port number for specific services.
_sip._udp.example.com.
IN SRV 10 5 5060 sipserver.example.com.
PTR
Pointer Record
Used for reverse DNS lookups, mapping an IP address to a hostname.
1.2.0.192.in-addr.arpa.
IN PTR www.example.com.
Digging DNS
dig domain.com
Performs a default A record lookup for the domain.
dig domain.com A
Retrieves the IPv4 address (A record) associated with the domain.
dig domain.com AAAA
Retrieves the IPv6 address (AAAA record) associated with the domain.
dig domain.com MX
Finds the mail servers (MX records) responsible for the domain.
dig domain.com NS
Identifies the authoritative name servers for the domain.
dig domain.com TXT
Retrieves any TXT records associated with the domain.
dig domain.com CNAME
Retrieves the canonical name (CNAME) record for the domain.
dig domain.com SOA
Retrieves the start of authority (SOA) record for the domain.
dig @1.1.1.1 domain.com
Specifies a specific name server to query; in this case 1.1.1.1
dig +trace domain.com
Shows the full path of DNS resolution.
dig -x 192.168.1.1
Performs a reverse lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server.
dig +short domain.com
Provides a short, concise answer to the query.
dig +noall +answer domain.com
Displays only the answer sec
Subdomain Bruteforcing
DNSEnum
Let's see dnsenum
in action by demonstrating how to enumerate subdomains for our target, inlanefreight.com
. In this demonstration, we'll use the subdomains-top1million-5000.txt
wordlist from SecLists, which contains the top 5000 most common subdomains.
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r
-r
: This option enables recursive subdomain brute-forcing, meaning that ifdnsenum
finds a subdomain, it will then try to enumerate subdomains of that subdomain
eldeim@htb[/htb]$ dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
dnsenum VERSION:1.2.6
----- inlanefreight.com -----
Host's addresses:
__________________
inlanefreight.com. 300 IN A 134.209.24.248
[...]
Brute forcing with /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt:
_______________________________________________________________________________________
www.inlanefreight.com. 300 IN A 134.209.24.248
support.inlanefreight.com. 300 IN A 134.209.24.248
[...]
done.
Exploiting Zone Transfers
You can use the dig
command to request a zone transfer:
eldeim@htb[/htb]$ dig axfr @nsztm1.digi.ninja zonetransfer.me
This command instructs dig
to request a full zone transfer (axfr
) from the DNS server responsible for zonetransfer.me
. If the server is misconfigured and allows the transfer, you'll receive a complete list of DNS records for the domain, including all subdomains.
eldeim@htb[/htb]$ dig axfr @nsztm1.digi.ninja zonetransfer.me
; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
...
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
...
;; Query time: 10 msec
;; SERVER: 81.4.108.41#53(nsztm1.digi.ninja) (TCP)
;; WHEN: Mon May 27 18:31:35 BST 2024
;; XFR size: 50 records (messages 1, bytes 2085)
zonetransfer.me
is a service specifically setup to demonstrate the risks of zone transfers so that the dig
command will return the full zone record.
Virtual Hosting
sudo nano /etc/hosts
## Add
94.237.52.18 inlanefreight.htb
## Run
gobuster vhost -u http://inlanefreight.htb:39472 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
The
--append-domain
flag appends the base domain to each word in the wordlist.
Crt.sh lookup
While crt.sh
offers a convenient web interface, you can also leverage its API for automated searches directly from your terminal. Let's see how to find all 'dev' subdomains on facebook.com
using curl
and jq
:
eldeim@htb[/htb]$ curl -s "https://crt.sh/?q=facebook.com&output=json" | jq -r '.[]
| select(.name_value | contains("dev")) | .name_value' | sort -u
*.dev.facebook.com
*.newdev.facebook.com
*.secure.dev.facebook.com
dev.facebook.com
devvm1958.ftw3.facebook.com
facebook-amex-dev.facebook.com
facebook-amex-sign-enc-dev.facebook.com
newdev.facebook.com
secure.dev.facebook.com
ReconSpider
## Download
eldeim@htb[/htb]$ pip3 install scrapy
eldeim@htb[/htb]$ wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
eldeim@htb[/htb]$ unzip ReconSpider.zip
## Use
eldeim@htb[/htb]$ python3 ReconSpider.py http://inlanefreight.com
Google Dorking
Here are some common examples of Google Dorks, for more examples, refer to the Google Hacking Database:
Finding Login Pages:
site:example.com inurl:login
site:example.com (inurl:login OR inurl:admin)
Identifying Exposed Files:
site:example.com filetype:pdf
site:example.com (filetype:xls OR filetype:docx)
Uncovering Configuration Files:
site:example.com inurl:config.php
site:example.com (ext:conf OR ext:cnf)
(searches for extensions commonly used for configuration files)
Locating Database Backups:
site:example.com inurl:backup
site:example.com filetype:sql
Last updated