dns/subdomain
DNS dumpster: https://www.dnsdumpster.com
Seclists (DNS wordlists): https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
dig
dig piratemoo.com
dig -x <ip-address> // Reverse DNS lookup (-x takes an IP address, not a hostname)
dig piratemoo.com -t mx +short // Grab mail info
dig piratemoo.com -t ns +short // Grab NS info
dig piratemoo.com -t cname // Grab CNAME info
dig axfr piratemoo.com @ns08.domaincontrol.com // Check whether the nameserver allows zone transfers (note the @ before the server)
host
host piratemoo.com // find the address of said host
host -t mx piratemoo.com // Check mail info
-t specifies the record type to query (ns/mx/cname/axfr)
host -t axfr piratemoo.com ns08.domaincontrol.com // Check DNS zone transfers (second argument is the authoritative nameserver)
Sanity check against a zone that intentionally permits transfers: host -l zonetransfer.me <nameserver-of-zonetransfer.me>
dnsmap
dnsmap piratemoo.com -w /usr/share/wordlists/seclists/Discovery/DNS/tab
-w wordlist
-r regular-results file
-c csv-results file
-d delay between requests (ms)
-i IPs to ignore (filter out false positives)
DNSEnum
dnsenum --noreverse -o file.txt piratemoo.com // Basic enumeration, skipping reverse lookups; results to file.txt
dnsenum --dnsserver ns08.domaincontrol.com -p 10 -s 50 piratemoo.com // Query a specific nameserver and scrape Google for subdomains
-o output file
-p pages value // specifies # of pages searched on google
-s scrape value // defines max # of subdomains taken from google
-w // perform whois queries on the C-class ranges found
--dnsserver <server> // use this DNS server for A/NS/MX queries
--noreverse // skip reverse lookups
--enum // shortcut for --threads 5 -s 15 -w
NMAP
nmap -sSU -p 53 --script dns-nsid piratemoo.com // Retrieves info through nameserver ID
nmap -T4 -p 53 --script dns-brute piratemoo.com // Enumerate hostnames by brute forcing common subdomains
NSE Script List:
ls -al /usr/share/nmap/scripts | grep dns
broadcast-dns-service-discovery.nse
dns-blacklist.nse
dns-cache-snoop.nse
dns-check-zone.nse
dns-client-subnet-scan.nse
dns-fuzz.nse
dns-ip6-arpa-scan.nse
dns-nsec-enum.nse
dns-nsec3-enum.nse
dns-random-srcport.nse
dns-random-txid.nse
dns-recursion.nse
dns-service-discovery.nse
dns-srv-enum.nse
dns-update.nse
dns-zeustracker.nse
dns-zone-transfer.nse
fcrdns.nse
fierce
fierce --domain piratemoo.com // Basic subdomain scan (fierce 1.x syntax)
Google dorks:
site:*.piratemoo.com -www -us
DNS dumpster: https://www.dnsdumpster.com
CRT.SH: https://crt.sh/
testssl.sh: https://www.testssl.sh
Sublist3r
sublist3r -d piratemoo.com
amass
amass enum -passive -d piratemoo.com -o results.txt
amass enum -brute -w subdomains.txt -d piratemoo.com -o results.txt
-brute: brute force after searches
-w: path to wordlist
-d: domain name
-o: path to output text file
gobuster
gobuster dns -t 30 -w subdomains.txt -d piratemoo.com
-t # of concurrent threads (default 10)
-w wordlist
-d domain
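As an added example (not part of these notes), a small Python script that merges what dig axfr, gobuster dns and amass print into one de-duplicated, in-scope list and tells you whether the AXFR attempt actually succeeded. The tool outputs embedded below are constructed samples in each tool's output format; the regex-based host extraction is my own, not any of these tools' code.

```python
"""Merge subdomain results from dig axfr, gobuster dns and amass (added example)."""
import re

TARGET = "piratemoo.com"

# Constructed sample: a permitted zone transfer, and a refused one.
DIG_AXFR_OK = """\
; <<>> DiG 9.18.1 <<>> axfr piratemoo.com @ns08.domaincontrol.com
piratemoo.com.      3600 IN SOA ns07.domaincontrol.com. dns.jomax.net. 2 28800 7200 604800 600
mail.piratemoo.com. 3600 IN A   203.0.113.25
www.piratemoo.com.  3600 IN A   203.0.113.10
"""
DIG_AXFR_REFUSED = "; <<>> DiG 9.18.1 <<>> axfr piratemoo.com @ns08.domaincontrol.com\n; Transfer failed.\n"
# Constructed samples: gobuster dns prints "Found: <host>"; amass -o writes one host per line.
GOBUSTER = "Found: dev.piratemoo.com\nFound: www.piratemoo.com\nFound: cdn.notpiratemoo.com\n"
AMASS = "api.piratemoo.com\nstaging.PirateMoo.com\n"

# A dotted name ending in an alphabetic TLD; the optional trailing dot covers zone-file FQDNs.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\.?", re.I)

def in_scope(host, target=TARGET):
    """Keep the apex and true subdomains only; 'notpiratemoo.com' must not pass."""
    host = host.lower().rstrip(".")
    return host == target or host.endswith("." + target)

def axfr_succeeded(dig_output):
    """dig prints '; Transfer failed.' when the server refuses AXFR; records carry ' IN '."""
    return "Transfer failed" not in dig_output and " IN " in dig_output

def extract_hosts(text, target=TARGET):
    """Pull every in-scope hostname out of a tool's raw output (lowercased, unique, sorted)."""
    names = set()
    for line in text.splitlines():
        if line.startswith(";"):        # dig comment/header lines carry no records
            continue
        for match in HOST_RE.finditer(line):
            host = match.group(1).lower()
            if in_scope(host, target):
                names.add(host)
    return sorted(names)

def consolidate(*outputs, target=TARGET):
    """Union of in-scope hosts across several tools' outputs."""
    merged = set()
    for out in outputs:
        merged.update(extract_hosts(out, target))
    return sorted(merged)

if __name__ == "__main__":
    print("AXFR allowed:", axfr_succeeded(DIG_AXFR_OK))       # True
    print("AXFR allowed:", axfr_succeeded(DIG_AXFR_REFUSED))  # False
    for host in consolidate(DIG_AXFR_OK, GOBUSTER, AMASS):
        print(host)
```

Feed it the real files (dig output, gobuster's stdout, amass -o) instead of the constructed strings and the scope filter drops nameserver and third-party hosts that would otherwise end up in your target list.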