DNS Enumeration
dig
Find the nameservers of a domain
dig ns zonetransfer.me
Now try a zone transfer of the domain from each of its name servers (primary and secondary)
dig axfr zonetransfer.me @nsztm2.digi.ninja
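Added example, not part of the original notes: a small shell script that automates the two dig steps above for a zone you operate, looking up every NS record and reporting which nameservers answer an AXFR (an open transfer hands out the whole zone, so this is the check a zone owner should run against their own servers). The domain and server names used in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Audit a domain's own nameservers for open zone transfers (AXFR).
# Requires dig (bind-utils / dnsutils). Example, not from the original notes.

# Return 0 when captured dig AXFR output shows the zone was transferred.
# dig prints "; Transfer failed." when a server refuses; a successful
# transfer contains the zone's SOA record (it opens and closes the answer).
axfr_succeeded() {
    printf '%s\n' "$1" | grep -q 'Transfer failed' && return 1
    printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'
}

# Count resource records in a transfer: skip dig's ";" comment lines and
# blank lines, and drop one entry for the repeated closing SOA.
axfr_record_count() {
    printf '%s\n' "$1" | awk '!/^(;|$)/ {n++} END {print (n > 0 ? n - 1 : 0)}'
}

# For each NS of the domain, attempt an AXFR and report the outcome.
# Usage: audit_axfr example.test   (placeholder domain)
audit_axfr() {
    local domain="$1" ns out
    for ns in $(dig +short ns "$domain"); do
        ns="${ns%.}"                       # strip trailing dot from the NS name
        out="$(dig +time=5 +tries=1 axfr "$domain" "@$ns" 2>&1)"
        if axfr_succeeded "$out"; then
            printf 'OPEN     %s (%s records leaked)\n' "$ns" "$(axfr_record_count "$out")"
        else
            printf 'REFUSED  %s\n' "$ns"   # refused, timed out, or unreachable
        fi
    done
}
```

Run `audit_axfr yourdomain.example` from a shell where dig is installed; any line marked OPEN is a server whose allow-transfer ACL needs tightening.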
Host
Host provides a simple way to perform DNS lookups and retrieve DNS records.
zone transfer
host -t ns zonetransfer.me
host -l zonetransfer.me nsztm2.digi.ninja
nslookup
Fire up the tool on Windows
nslookup
set querytype=ns
zonetransfer.me
server nsztm2.digi.ninja
Now execute the zone transfer (ls -d takes the zone name; the server was already selected above)
ls -d zonetransfer.me
DNSSEC zone walk with dnsrecon (enumerates the zone by walking NSEC records, no AXFR needed)
./dnsrecon.py -d zonetransfer.me -z
-d target domain
-z DNSSEC Zone walk
Zone transfer
dnsrecon -d zonetransfer.me -t axfr
Other tools
DNSenum (automated tool, very good)
dnsenum zonetransfer.me
Fierce (supports bruteforcing)
fierce zonetransfer.me
fierce --domain zonetransfer.me --subdomain-file /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
DNSMAP (DNS brute forcing): too slow, not recommended
dnsmap zonetransfer.me -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
DNS Enumeration using nmap
nmap --script=broadcast-dns-service-discovery zonetransfer.me
DNS brute forcing
nmap -T5 -p 53 --script dns-brute zonetransfer.me
Common service records (SRV)
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='zonetransfer.me'"