OSCP Notes
DNS

Nmap command

nmap -sC -sV -p53 $ip/24

Find the IP and authoritative servers.

nslookup $ip

Dig: request a zone transfer (AXFR) from a name server

dig axfr cronos.htb @10.10.10.13

Find name servers

host -t ns $ip

Find TXT records

host -t txt $ip

Fierce – Domain DNS scanner

fierce -dns $domain

Find mail servers (MX records)

host -t mx $ip

Subdomain brute-forcing using a list of common hostnames

for sub in $(cat list.txt); do host $sub.website.com; done

Reverse DNS lookup brute-forcing

for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
The IP range comes from the subdomain brute-forcing results.

Zone transfer request

host -l $ip ns1.$ip
host -l $ip ns2.$ip
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if an argument was given; if not, print usage
if [ -z "$1" ]; then
  echo "[*] Simple Zone transfer script"
  echo "[*] Usage : $0 <domain name> "
  exit 0
fi
# If an argument was given, identify the DNS servers for the domain
# ("host -t ns" prints "<domain> name server <ns>.", so field 4 is the name server)
for server in $(host -t ns "$1" | cut -d " " -f4); do
  # For each of these servers, attempt a zone transfer and keep only the A records
  host -l "$1" "$server" | grep "has address"
done
Bash script for zone transfer
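The zone transfer requests above only succeed when the authoritative server accepts AXFR from any client. As an added defender-side illustration (not part of the original notes), the BIND named.conf fragments below show the weak setting next to the restricted one; the zone name example.com, the secondary address 10.0.0.2, the key name xfer-key and the secret value are placeholders.

```conf
# WEAK: any client on the Internet can pull the whole zone with AXFR,
# which is exactly what "host -l" / "dig axfr" / dnsrecon -t axfr test for.
options {
    allow-transfer { any; };
};

# RESTRICTED: deny transfers globally, then allow them per zone only to the
# authorised secondary, and only when the request is TSIG-signed.
# (10.0.0.2 and xfer-key are placeholders; generate the secret with tsig-keygen)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { key xfer-key; 10.0.0.2; };
    also-notify { 10.0.0.2; };
};
```

After reloading, re-run the same check from an unauthorised host (for example dig axfr example.com @ns1.example.com): a correctly restricted server answers with "Transfer failed." instead of listing the records, while the secondary on 10.0.0.2 with the shared key still receives updates.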

dnsrecon: attempt a zone transfer

dnsrecon -d $ip -t axfr

dnsrecon: brute-force subdomains using a wordlist

dnsrecon -d $ip -D ~/list.txt -t brt

Find the name servers for a given domain

host -t ns $ip | cut -d " " -f 4
dnsenum $ip

Nmap zone transfer scan

nmap $ip --script=dns-zone-transfer -p 53

Whois lookup: registration details and name servers for a domain or IP.

whois $ip

Finds misconfigured DNS entries.

host -t ns $ip

theHarvester finds subdomains via Google, Bing and other sources

python theHarvester.py -l 500 -b all -d $ip

Find DNS (A) records by trying a list of common sub-domains from a wordlist.

nmap -p 80 --script dns-brute.nse domain.com
python dnscan.py -d domain.com -w ./subdomains-10000.txt

Exploitation

  • Gather version numbers
  • Searchsploit
  • Default Creds
  • Creds previously gathered
  • Download the software