dns/subdomain

Last updated 1 year ago

DNS dumpster: https://www.dnsdumpster.com
Seclists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS

dig

dig piratemoo.com
dig -x <ip> // Reverse DNS lookup (takes an IP address, not a hostname)
dig piratemoo.com -t mx +short // Grab mail info
dig piratemoo.com -t ns +short // Grab NS info
dig piratemoo.com -t cname // Grab CNAME info
dig axfr piratemoo.com @ns08.domaincontrol.com // Check DNS zone xfers (the server to ask goes after @)

host

host piratemoo.com // find the address of said host
host -t mx piratemoo.com // Check mail info
// -t is used to specify the record type to query (ns/mx/cname)
host -t axfr piratemoo.com ns08.domaincontrol.com // Check DNS zone xfers against that nameserver
host -l piratemoo.com ns08.domaincontrol.com // -l (list zone) does the same thing
Success? Test it against zonetransfer.me, a domain set up to allow transfers: host -l zonetransfer.me <nameserver of zonetransfer.me>
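Added example (not from the original page or its author): a small POSIX sh audit that wraps the dig axfr / host -l checks above so you can test the zones you are authoritative for. It resolves the domain's NS records and flags any nameserver that still hands out the whole zone; dig is assumed to be installed, and the sample output at the bottom is constructed.

```shell
#!/bin/sh
# Added example: audit a domain you control for open zone transfers.
# Assumes `dig` is installed; the sample output below is constructed.

# Classify dig AXFR output. Returns 0 when the server handed out the zone
# (dig ends a successful transfer with an ";; XFR size:" summary line),
# 1 when it refused ("; Transfer failed.") or the output is unrecognised.
axfr_allowed() {
  case "$1" in
    *"Transfer failed"*) return 1 ;;
    *"XFR size:"*)       return 0 ;;
    *)                   return 1 ;;
  esac
}

# Count resource records in a transfer: every non-empty line that is not
# a ";" comment line. A refused transfer yields 0.
axfr_record_count() {
  printf '%s\n' "$1" | grep -v '^;' | grep -c '[^[:space:]]'
}

# Try AXFR against every authoritative nameserver of the domain and
# report which ones allow it. Run this against your own zones.
audit_domain() {
  domain="$1"
  for ns in $(dig +short NS "$domain"); do
    out=$(dig axfr "$domain" "@$ns" +time=5 +tries=1 2>&1)
    if axfr_allowed "$out"; then
      echo "OPEN  $ns serves the full zone for $domain ($(axfr_record_count "$out") records)"
    else
      echo "ok    $ns refuses AXFR for $domain"
    fi
  done
}

# Constructed sample of what dig prints when a server refuses AXFR.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.'

if [ -n "${1:-}" ]; then
  audit_domain "$1"   # usage: sh axfr-audit.sh example.com
fi
```

Any line starting with OPEN is a nameserver that should have an allow-transfer ACL (or TSIG) added.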

dnsmap

dnsmap piratemoo.com -w /usr/share/wordlists/seclists/Discovery/DNS/tab
 -w wordlist
 -r regular-results
 -c csv-results
 -d delay-ms
 -i ips-to-ignore

DNSEnum

dnsenum --noreverse -o file.txt piratemoo.com // Google scrape to get subdomains
dnsenum --dnsserver ns08.domaincontrol.com -p 10 -s 50 piratemoo.com // query a specific nameserver; the target domain goes last
 -o output file
 -p pages value // specifies # of pages searched on google
 -s scrap value // defines max # of subdomains taken from google
 -w whois
 --dnsserver // uses that dns server for A/NS/MX queries
 --noreverse // skip reverse lookup
 --enum // shortcut to --threads 5 -s 15 -w

NMAP

nmap -sSU -p 53 --script dns-nsid piratemoo.com // Retrieves info through nameserver ID 
nmap -T4 -p 53 --script dns-brute piratemoo.com // Enumerate hostnames by brute forcing common subdomains

NSE Script List:

ls -al /usr/share/nmap/scripts | grep dns 

broadcast-dns-service-discovery.nse
dns-blacklist.nse
dns-cache-snoop.nse
dns-check-zone.nse
dns-client-subnet-scan.nse
dns-fuzz.nse
dns-ip6-arpa-scan.nse
dns-nsec-enum.nse
dns-nsec3-enum.nse
dns-random-srcport.nse
dns-random-txid.nse
dns-recursion.nse
dns-service-discovery.nse
dns-srv-enum.nse
dns-update.nse
dns-zeustracker.nse
dns-zone-transfer.nse
fcrdns.nse

fierce

fierce --domain piratemoo.com // Bruteforce subdomains (fierce 1.x syntax)

Google dorks:

site:*.piratemoo.com -www -us

Sublist3r

sublist3r -d piratemoo.com

amass

amass enum -passive -d piratemoo.com -o results.txt
amass enum -brute -w subdomains.txt -d piratemoo.com -o results.txt
  -brute: brute force after searches
  -w: path to wordlist
  -d: domain name
  -o: path to output text file

gobuster

gobuster dns -t 30 -w subdomains.txt -d piratemoo.com
  -t # of concurrent threads (default 10)
  -w wordlist
  -d domain

DNS dumpster: https://www.dnsdumpster.com
Seclists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
CRT.SH: https://crt.sh/
testssl.sh: https://www.testssl.sh