Checking at host
$ grep "nameserver" /etc/resolv.conf
nameserver 109.78.164.20
3. In newer Linux distributions that use systemd, you can use the systemd-resolve command to check the DNS server.
$ systemd-resolve --status | grep "DNS Servers"
4. If you're using NetworkManager, you can use the nmcli command to get the DNS server information.
$ nmcli device show enp0s31f6 | grep IP4.DNS
https://academy.hackthebox.com/module/144/section/1251
DNS
Command | Description |
dig ns <domain.tld> @<nameserver> | NS request to the specific nameserver. |
dig any <domain.tld> @<nameserver> | ANY request to the specific nameserver. |
dig axfr <domain.tld> @<nameserver> | AXFR request to the specific nameserver. |
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> | Subdomain brute forcing. |
A Records
export TARGET="facebook.com"
nslookup $TARGET
dig facebook.com @1.1.1.1
A record of a subdomain
dig a www.facebook.com @1.1.1.1
nslookup -query=A $TARGET
PTR Record query
nslookup -query=PTR 31.13.92.36
dig -x 31.13.92.36 @1.1.1.1
Querying: ANY Existing Records
export TARGET="google.com"
nslookup -query=ANY $TARGET
dig any google.com @8.8.8.8
Querying: TXT Records
export TARGET="facebook.com"
nslookup -query=TXT $TARGET
dig txt facebook.com @1.1.1.1
Querying: MX Records
export TARGET="facebook.com"
nslookup -query=MX $TARGET
dig mx facebook.com @1.1.1.1
Passive subdomain enumeration
https://www.virustotal.com/
https://censys.io/
https://crt.sh/
export TARGET="facebook.com"
curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u > "${TARGET}_crt.sh.txt"
export TARGET="facebook.com"
export PORT="443"
openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "${TARGET}:${PORT}" | openssl x509 -noout -text -in - | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\*.*||g' | tr -d ',' | sort -u
Source | Description |
Baidu | Baidu search engine. |
Bufferoverun | Uses data from Rapid7's Project Sonar – www.rapid7.com/research/project-sonar/ |
Crtsh | Comodo Certificate search. |
Hackertarget | Online vulnerability scanners and network intelligence to help organizations. |
Otx | AlienVault Open Threat Exchange – https://otx.alienvault.com |
Rapiddns | DNS query tool, which makes querying subdomains or sites using the same IP easy. |
Sublist3r | Fast subdomains enumeration tool for penetration testers. |
Threatcrowd | Open source threat intelligence. |
Threatminer | Data mining for threat intelligence. |
Trello | Search Trello boards (uses Google search). |
Urlscan | A sandbox for the web that is a URL and website scanner. |
Vhost | Bing virtual hosts search. |
Virustotal | Domain search. |
Zoomeye | A Chinese version of Shodan. |
cat sources.txt
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
export TARGET="facebook.com"
cat sources.txt | while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}_${TARGET}";done
cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"
cat facebook.com_*.txt | sort -u > facebook.com_subdomains_passive.txt
cat facebook.com_subdomains_passive.txt | wc -l
Also: https://sitereport.netcraft.com
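The final `cat facebook.com_*.txt | sort -u` merge above counts every formatting variant as a separate host: crt.sh returns wildcard names (`*.dev.example.com`), theHarvester's `.hosts[]` entries carry a `:ip` suffix, and sources mix case, trailing dots and names outside the target domain. The following is an added example (not from the HTB module or these notes) that normalises the per-source lists before merging; the `example.com` target and the sample host list are constructed values.

```shell
#!/bin/sh
# Added example (not from the HTB module or these notes): normalise raw subdomain
# lists from the crt.sh / openssl / theHarvester pipelines before the final merge.
# Target domain and sample hosts below are constructed values.

# Usage: normalize_subdomains <target-domain> < raw-list
# Prints unique, lowercase hostnames that are the target or end in ".<target>".
normalize_subdomains() {
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # sed: strip whitespace/CRs, drop empty lines, drop ":ip" from theHarvester
    # hosts[] entries, drop a leading wildcard label, drop a trailing dot (FQDN form)
    sed -e 's/[[:space:]]//g' -e '/^$/d' -e 's/:.*$//' -e 's/^\*\.//' -e 's/\.$//' \
      | tr 'A-Z' 'a-z' \
      | awk -v t="$target" '$0 == t || (length($0) > length(t) + 1 && substr($0, length($0) - length(t)) == "." t)' \
      | LC_ALL=C sort -u
}

# Constructed sample lines in the shapes the passive pipelines above produce
sample_input() {
    cat <<'EOF'
*.dev.example.com
WWW.Example.com
mail.example.com:203.0.113.10
api.example.com.
example.com
cdn.example-static.net
notexample.com
www.example.com
EOF
}

# Demo; in practice: cat facebook.com_*.txt | normalize_subdomains facebook.com
sample_input | normalize_subdomains example.com
```

Out-of-scope names such as `notexample.com` are dropped rather than counted, so `wc -l` on the result reflects distinct in-scope hosts.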
nslookup -type=NS zonetransfer.me
nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja
Command | Description |
nslookup $TARGET | Identify the A record for the target domain. |
nslookup -query=A $TARGET | Identify the A record for the target domain. |
dig $TARGET @<nameserver/IP> | Identify the A record for the target domain. |
dig a $TARGET @<nameserver/IP> | Identify the A record for the target domain. |
nslookup -query=PTR <IP> | Identify the PTR record for the target IP address. |
dig -x <IP> @<nameserver/IP> | Identify the PTR record for the target IP address. |
nslookup -query=ANY $TARGET | Identify ANY records for the target domain. |
dig any $TARGET @<nameserver/IP> | Identify ANY records for the target domain. |
nslookup -query=TXT $TARGET | Identify the TXT records for the target domain. |
dig txt $TARGET @<nameserver/IP> | Identify the TXT records for the target domain. |
nslookup -query=MX $TARGET | Identify the MX records for the target domain. |
dig mx $TARGET @<nameserver/IP> | Identify the MX records for the target domain. |