MITRE ATT&CK™ Gather Victim Network Information: DNS - T1590.002
Theory
Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.
Each domain can use different types of DNS records. Some of the most common types of DNS records include:
NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
A: Also known as a host record, the "a record" contains the IPv4 address of a hostname (such as www.megacorpone.com).
AAAA: Also known as a quad A host record, the "aaaa record" contains the IPv6 address of a hostname (such as www.megacorpone.com).
MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
PTR: Pointer Records live in reverse lookup zones and map an IP address back to a hostname, which is what reverse DNS lookups rely on.
CNAME: Canonical Name Records are used to create aliases for other host records.
TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.
Practice
The dig (domain information groper) command is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the queried name server(s).
```bash
# Simple DNS resolution
dig domain.com

# Enumerate specific record types
dig MX domain.com
dig NS domain.com
dig A domain.com
dig TXT domain.com
dig AAAA domain.com

# If supported by the DNS server, the ANY query dumps all records at once
dig ANY domain.com

# Zone transfer (only succeeds if the authoritative server allows AXFR from us)
dig AXFR domain.com @ns.domain.com
```
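The Theory section notes that MX, TXT, SPF and CNAME data often reveal which third-party cloud and SaaS providers a target uses. The following script is an added example (not part of the original page or of dig): it parses dig-style ANSWER SECTION lines into records, maps MX targets, SPF includes, CNAME targets and TXT verification tokens to the provider they belong to, and flags an SPF policy that does not end in `-all` or `~all`. The sample answers for `domain.com`, the `SIGNATURES` table and all function names are assumptions constructed for illustration.

```python
"""Fingerprint third-party providers from DNS answers (added example).

parse_dig_answers() turns dig-style ANSWER SECTION lines into records,
fingerprint() maps MX targets, SPF includes, CNAME targets and TXT
verification tokens to the SaaS provider they belong to, and
spf_permissive() flags an SPF policy that does not end in -all / ~all.
The sample answers below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample resembling dig's ANSWER SECTION for a hypothetical
# domain.com; not captured from any real domain.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
domain.com.         3600 IN MX    0 domain-com.mail.protection.outlook.com.
domain.com.         3600 IN TXT   "v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:mail.zendesk.com -all"
domain.com.         3600 IN TXT   "MS=ms12345678"
domain.com.         3600 IN TXT   "google-site-verification=abc123"
support.domain.com. 300  IN CNAME domain.zendesk.com.
"""

# (context, substring, provider): context is the record kind the substring
# is meaningful in, so an SPF include never masquerades as a CNAME hit.
SIGNATURES = [
    ("MX",    "mail.protection.outlook.com", "Microsoft 365"),
    ("SPF",   "spf.protection.outlook.com",  "Microsoft 365"),
    ("TXT",   "ms=ms",                       "Microsoft 365"),
    ("MX",    "aspmx.l.google.com",          "Google Workspace"),
    ("SPF",   "_spf.google.com",             "Google Workspace"),
    ("TXT",   "google-site-verification=",   "Google (site verification)"),
    ("SPF",   "_spf.salesforce.com",         "Salesforce"),
    ("SPF",   "mail.zendesk.com",            "Zendesk"),
    ("CNAME", ".zendesk.com",                "Zendesk"),
]

# owner TTL IN TYPE rdata  (dig prints the class IN between TTL and type)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_dig_answers(text):
    """Return (owner, type, rdata) tuples; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        records.append((owner.rstrip("."), rtype, rdata.strip().strip('"')))
    return records


def spf_policy(records):
    """Return (include_targets, final_mechanism) from the v=spf1 TXT record."""
    for _owner, rtype, rdata in records:
        if rtype == "TXT" and rdata.lower().startswith("v=spf1"):
            terms = rdata.split()[1:]
            includes = [t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")]
            return includes, (terms[-1].lower() if terms else "")
    return [], ""


def spf_permissive(records):
    """True when SPF is absent or does not end in -all / ~all (e.g. +all)."""
    return spf_policy(records)[1] not in ("-all", "~all")


def fingerprint(records):
    """Map records to providers: {provider: [evidence line, ...]}."""
    hits = defaultdict(list)
    for owner, rtype, rdata in records:
        # Build (context, candidate string) pairs for this record
        if rtype == "MX":
            pairs = [("MX", rdata.split()[-1].rstrip("."))]   # drop the preference value
        elif rtype == "CNAME":
            pairs = [("CNAME", rdata.rstrip("."))]
        elif rtype == "TXT" and rdata.lower().startswith("v=spf1"):
            pairs = [("SPF", t.split(":", 1)[1]) for t in rdata.split()
                     if t.lower().startswith("include:")]
        elif rtype == "TXT":
            pairs = [("TXT", rdata)]
        else:
            continue
        for ctx, cand in pairs:
            for sig_ctx, sig, provider in SIGNATURES:
                if ctx == sig_ctx and sig in cand.lower():
                    hits[provider].append(f"{ctx} {owner} -> {cand}")
    return dict(hits)


if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_DIG_OUTPUT)
    for provider, evidence in sorted(fingerprint(recs).items()):
        print(provider)
        for line in evidence:
            print("   ", line)
    print("SPF includes, final mechanism:", spf_policy(recs))
    print("SPF permissive:", spf_permissive(recs))
```

To use it on a real target, pipe the output of `dig MX domain.com`, `dig TXT domain.com` and the CNAME lookups you care about into `parse_dig_answers()`; the signature table is deliberately small and should be extended with the providers you meet in practice.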
Using the host command, we may perform DNS and reverse DNS enumeration.
```bash
# Simple DNS resolution
host domain.com

# Enumerate specific record types
host -t MX domain.com
host -t NS domain.com
host -t A domain.com
host -t TXT domain.com
host -t AAAA domain.com

# Reverse DNS
# Works only if a PTR record exists for the address
host 149.56.244.87

# Bash loop: reverse DNS lookup over an IP address range
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"
```
nslookup is available natively on both Windows and Linux, which makes it a living-off-the-land (LOLBAS-style) option for DNS enumeration when no tooling can be dropped on the host.
```bash
# Simple DNS resolution
nslookup domain.com

# Enumerate records interactively (use "set type=any" to request every type)
nslookup
> set type=ns
> domain.com

# Query a specific DNS server
nslookup
> server 10.10.10.8
> domain.com

# One-liner: request TXT records for info.domain.com from the 10.10.10.8 DNS server
nslookup -type=TXT info.domain.com 10.10.10.8

# Reverse DNS
# Works only if a PTR record exists for the address
nslookup 149.56.244.87
```
DNSRecon is a Python script that provides the ability to perform DNS enumeration.
```bash
# Basic enumeration
dnsrecon -d domain.com

# -t std for a standard scan
dnsrecon -d domain.com -t std

# Brute force subdomains and hosts with a wordlist
dnsrecon -t brt -d domain.com -D /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

# Bing (-b) and Yandex (-y) search engine enumeration
dnsrecon -b -y -d domain.com

# Zone transfer
dnsrecon -a -d domain.com

# DNSSEC zone walk
dnsrecon -z -d domain.com
```
DNSMap scans a domain for common subdomains using a built-in wordlist or an external one (specified with the -w option). The internal wordlist has around 1000 words.
```bash
# Brute force subdomains and hosts with an external wordlist
dnsmap domain.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
```
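Both dnsrecon -t brt and dnsmap share one failure mode: if the zone has a wildcard record, every word in the list "resolves" and the output is useless. The script below is an added example (not part of the original page, dnsrecon or dnsmap) of the same brute-force idea with that caveat handled: a random label is resolved first, and candidates whose addresses are only the wildcard answer are discarded. The resolver is a pluggable callable so the code can be exercised offline; `example.test`, the `FAKE_ZONE` table and the word list are constructed assumptions, and `socket_resolver` is what you would pass for a real target.

```python
"""Subdomain brute force with wildcard detection (added example).

brute_force() resolves <word>.<domain> for every word in a list, after
first resolving a random label to learn whether the zone has a wildcard.
Hosts whose answer is nothing but the wildcard address are dropped.
The resolver is injected so the fake zone below lets the script run
offline; pass socket_resolver to query real DNS.
"""
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor

# Constructed fake zone for offline demonstration; not a real domain.
# Anything else under example.test answers with the wildcard address.
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
}
FAKE_WILDCARD_IP = "203.0.113.99"


def fake_resolver(name):
    """Dict-backed resolver standing in for DNS in this example."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return [FAKE_WILDCARD_IP]          # wildcard behaviour
    return []                              # NXDOMAIN


def socket_resolver(name):
    """Resolve name to a sorted list of IPv4 strings; [] on NXDOMAIN."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def detect_wildcard(domain, resolve, probes=2):
    """Return the set of addresses random labels resolve to (empty = no wildcard)."""
    answers = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        answers.update(resolve(f"{label}.{domain}"))
    return answers


def brute_force(domain, words, resolve=socket_resolver, workers=16):
    """Return ({fqdn: [ips]}, wildcard_ips) for words that resolve to non-wildcard addresses."""
    wildcard = detect_wildcard(domain, resolve)
    names = [f"{w.strip()}.{domain}" for w in words if w.strip()]
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # pool.map keeps input order, so names and answers line up
        for name, ips in zip(names, pool.map(resolve, names)):
            if ips and not set(ips) <= wildcard:
                found[name] = ips
    return found, wildcard


if __name__ == "__main__":
    wordlist = ["www", "mail", "dev", "vpn"]         # constructed word list
    found, wildcard = brute_force("example.test", wordlist, resolve=fake_resolver, workers=4)
    print("wildcard answers:", wildcard or "none")
    for name, ips in found.items():
        print(name, ", ".join(ips))
```

For a real run, read the word list from a file such as the SecLists path used above and call `brute_force("domain.com", words)` with the default `socket_resolver`; keep `workers` modest against authoritative servers you do not own, since a burst of NXDOMAIN queries is an easy detection signal.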
DNSEnum is a multithreaded Perl script that enumerates DNS information for a domain and discovers non-contiguous IP blocks. Its main purpose is to gather as much information as possible about a domain.
```bash
dnsenum domain.com
```
DNSDumpster (dnsdumpster.com) is a useful website for passive DNS enumeration without sending queries to the target's own name servers.