My OSCP Journey: Tips, Tricks, and Cheat Sheets

53 - DNS


Last updated 2 years ago


TCP and UDP

By default, DNS serves requests over UDP on port 53. When a request or response exceeds the 512-byte single-packet limit, the query is re-sent over TCP. Multiple-record responses, IPv6 responses, large TXT records, DNSSEC responses, and zone transfers are examples of such requests.

Note: When DNS is running on TCP, it is worth checking whether zone transfer is enabled.

Banner Grabbing

DNS does not provide an information banner per se, but BIND exposes its version string by default.

Note: The version.bind directive is stored under the options section in the /etc/named.conf configuration file.

dig

dig version.bind CHAOS TXT @10.0.0.3

NSE Script

nmap -sV --script dns-nsid -p53 -Pn 10.0.0.3
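To make the two points above concrete (what the version.bind CHAOS TXT query that dig sends looks like on the wire, and how the TC bit in a reply signals the 512-byte UDP limit that forces the retry over TCP), here is an added example that is not part of the original page. It builds the query, parses a TXT reply, and includes a constructed reply builder so it runs offline; the version string "9.16.1-Ubuntu" is a made-up sample value.

```python
import struct

QTYPE_TXT, QCLASS_CHAOS = 16, 3   # TXT record, CHAOS class: what `dig version.bind CHAOS TXT` asks for

def encode_name(name):
    # Wire form of a dotted name: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype, qclass, txid=0x1337):
    # Header: id, flags (RD=1), QDCOUNT=1, AN/NS/AR=0; then a single question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, qclass)

def build_txt_response(query, txt, truncated=False):
    # Constructed reply (test data only): echo the question, then one TXT answer whose
    # owner name is a compression pointer (0xC00C) back to the question name at offset 12
    flags = 0x8180 | (0x0200 if truncated else 0)          # QR, RD, RA (+TC when truncated)
    rdata = bytes([len(txt)]) + txt.encode()                # TXT rdata = <len><chars> runs
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0) + query[12:] + answer

def read_name(msg, off):
    # Decode a possibly-compressed name; returns (name, offset just after it)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                               # pointer: follow it, then stop
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_txt_answers(msg):
    # Returns (TXT strings, tc_bit). TC set means the reply hit the 512-byte UDP limit
    # and the same query should be re-sent over TCP (with a 2-byte length prefix)
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, []
    for _ in range(qd):                                     # skip the question section
        off = read_name(msg, off)[1] + 4                    # name + qtype + qclass
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_TXT:
            i, parts = 0, []
            while i < rdlen:                                # concatenate <len><chars> runs
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
            out.append("".join(parts))
    return out, bool(flags & 0x0200)
```

Sending build_query("version.bind", QTYPE_TXT, QCLASS_CHAOS) over a UDP socket to port 53 and feeding the reply to parse_txt_answers reproduces what the dig command above prints; a server hardened with a custom version string in named.conf returns that string instead.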

DNS Enumeration

whois <RHOST>
host <RHOST> <RHOST>
host -l <RHOST> <RHOST>
dig @<RHOST> -x <RHOST>
dig {a|txt|ns|mx} <RHOST>
dig {a|txt|ns|mx} <RHOST> @ns1.<RHOST>
dig axfr @<RHOST> <RHOST>    # zone transfer

ffuf

ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185

gobuster

gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

wfuzz

wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<RHOST>" --hc 200 --hw 356 -t 100 <RHOST>
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ.<RHOST>" --filter "r.headers.response~'Access-Control-Allow-Origin'" http://<RHOST>/
wfuzz -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -t 100
wfuzz -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> --hw <value> -t 100

Zone Transfer

DNS reconnaissance is extremely useful during the information gathering stage, as it provides valuable insight into a domain and its infrastructure. It can also uncover new attack vectors, such as when Virtual Routing is enabled.

One method of DNS reconnaissance is a zone transfer, in which a Master DNS server copies a zone to another DNS server, typically a Slave server. Although such transfers should be restricted to specific IPs, misconfigured servers sometimes allow anyone to request them.

dig

dig axfr @10.0.0.3 domain
Parameters
  • axfr: initiate an AXFR zone transfer query.

  • @10.0.0.3: name or IP of the server to query.

  • domain: name of the zone (resource record) to be looked up.

Note: It is worth trying to initiate a zone transfer without a domain.

Configuration files

Examine configuration files:

host.conf
resolv.conf
named.conf
zone transfer
dns-nsid