DNS Enumeration
Enumerating Domain Name System or DNS can help reveal a larger scope for potential attacks.
dig cyberbotic.io +short
follow up with:
whois <dns.io>
nslookup
SERVER victim-ip
127.0.0.1
victim-ip again
dig axfr cronos.htb @10.10.10.13
We then add those subdomains to our /etc/hosts file.
Little Cheatsheet
Command
Description
nslookup $TARGET
Identify the A record for the target domain.
nslookup -query=A $TARGET
Identify the A record for the target domain.
dig $TARGET @<nameserver/IP>
Identify the A record for the target domain.
dig a $TARGET @<nameserver/IP>
Identify the A record for the target domain.
nslookup -query=PTR <IP>
Identify the PTR record for the target IP address.
dig -x <IP> @<nameserver/IP>
Identify the PTR record for the target IP address.
nslookup -query=ANY $TARGET
Identify ANY records for the target domain.
dig any $TARGET @<nameserver/IP>
Identify ANY records for the target domain.
nslookup -query=TXT $TARGET
Identify the TXT records for the target domain.
dig txt $TARGET @<nameserver/IP>
Identify the TXT records for the target domain.
nslookup -query=MX $TARGET
Identify the MX records for the target domain.
dig mx $TARGET @<nameserver/IP>
Identify the MX records for the target domain.
Subdomain Enumeration
https://nuclei.projectdiscovery.io/nuclei/get-started/
Spoofcheck
Weak email security (SPF, DMARC and DKIM) may allow us to spoof emails to appear as though theyβre coming from their own domain. Spoofcheck is a Python tool that can verify the email security of a given domain.
$ ./spoofcheck.py cyberbotic.io
[+] cyberbotic.io has no SPF record!
[*] No DMARC record found. Looking for organizational record
[+] No organizational DMARC record
[+] Spoofing possible for cyberbotic.io!Last updated