Red Team Notes
1.0.0
1.0.0
  • Introduction
  • PowerShell
    • find_files_by_name
    • powershell_web_access
    • enable_psremoting
    • powershell_sans_cheat
    • powerup_-_privilege_escalation
    • user_enumeration
    • powershell_-_quickies
    • constrained_language_breakout
    • powershell_-_get-system
    • domain_enumeration
    • powershell
    • random_powershell
  • mainframe
    • tso_commands
    • nmap_stuff_-_recon
  • Links and Random
    • Commands--mount-shares
    • Commands--responder
    • Commands--nac_testing
    • trash
    • Commands--nessus-openvas
    • Commands--named_pipes
    • ptx
    • Commands--mortar-shells
    • Redis-Cheatsheet
    • wifi_driver_stuff
    • bypassing_applocker_living_off_land
    • Commands--remote_and_local_file_inclusion
    • Commands--netcat-ftp
    • mimikatz
  • wifi-hacking
    • eaphammer
    • aircrack-ng_and_jtr_attack
    • new_page
    • cracking_wpa_attack
    • aircrack-ng
    • wifite
    • basics
    • hostapd
    • cowpatty_attack
    • rogue_access_point
    • cracking_wep_via_a_client_attack
    • handshake-via-pcap
    • clientless_wep_attack
    • fluxion
    • reaver
    • crack_wep
    • pyrit_attack
    • wep_shared_key_authentication_attack
  • mobile
    • qark
    • dex2jar
    • jd-gui
    • mobile
    • baby_steps
    • apktool
    • smali_and_baksmali
  • Cobalt-Strike
    • apache_rewrite_.htaccess
    • playbook
      • mail_and_smtp_enumeration-manipulation
      • lateral_movement
      • overpass_the_hash_with_rubeus-beacon_-_h
      • persistence
      • privilege_escalation
      • after_initial_access
    • situational_awareness_-_harmj0y
    • malleable
    • sid_hopping
    • generating_certificates
    • safety
    • random_commands
    • golden_ticket
    • go_daddy_domain
    • github_repos
    • malware_av_evasion
    • malware_av_evasion--main.go
    • c2_infrastructure
    • cobalt_strike_certificates
    • cpl_resource_runner_payload
  • Metasploit
    • nessus
    • network
    • meterpreter
  • Information Gathering Enumeration
    • 35 Searchsploit
    • 30 Find
    • 21 WinRM
    • 50 Gobuster
    • Enumeration by Port Number
    • 40 Active Directory
    • Linux Prevesc
    • pivoting
    • 20 Reconnoitre
    • Kerberos cheatsheet
    • 11 SMB Part 1
    • 00 ENUMERATION
    • 10 Nmap
    • 12-check-for-anonymous-smb
    • bruteforcing
    • 60 DNS Enumeration
    • 15 Firefox
  • Commands
    • rbash
    • tools-sources
    • tar
    • network-change-ip
    • sed_and_changing_files_for_malware_evasi
    • web_discovery
    • xxd
    • droopescan
    • c#
    • proxychains-admin-network
    • de-duplicate
    • privilege-escalation-windows_-_and_empir
    • ping_sweep
    • wget
    • snmp
    • custom-payloads
    • python
    • curl-wget
    • proxychains
    • goddi_-_domain_enumeration
    • nginx-bypass
    • outlook_and_owa
    • physical_hacking--rasperry_pi
    • have_a_shell
    • xml-xxe-xpath
    • xss-iframe
    • port-forward
    • physical_hacking
    • pack
    • client-side-iframe-attack
    • waf
    • laps
    • images-with-files-in-them
    • fresh-install
    • privilege-escalation-linux
    • masscan
    • arp-spoof
    • shellshock-squid
    • merlin
    • redis
    • get-browserdata
    • lateral_movement
    • smb-netbios-rpc
    • password-cracking
    • virtual-box_guest_additions
    • host_discovery-dns
    • certificate_tls_and_ssl
    • postgresql
    • physical_hacking--bash_bunny
    • powerview--new_page
    • mail_sniper
    • searchsploit
    • crackmapexec
    • user_agent
    • lolbins
    • files-inside-of-pictures
    • random_shellcode_-_scratch-pad
    • linux
    • ports
    • block-ip-iptables
    • httpscreenshot
    • dnscat
    • wp-scan
    • gather-gpp-creds
    • group-policy-decrypt-passwords
    • buffer-overflow
    • mac_address_change
    • sql
    • compiling-code
    • shell-for-buffer-overflow
    • hex_encode_command_line
    • spawn_a_better_shell_-_break_out_of_shit
    • nikto-proxy
    • osint
    • assembly
    • sshuttle
    • nmap_and_scanning
    • root_user_add
    • pass_the_hash
    • test-for-xxe
    • payloads
    • webdav
    • cut_commands
    • unicorn_scan
    • rdesktop_and_screen_for_linux
    • spooler_exploit
    • dns-zone-transfer
    • ssh
    • password-grep
  • reverse-shell-one-liners
    • ruby
    • c-language-reverse-shell
    • reverse_shell_one_liners
    • perl-reverse-shell-cgi-format
    • java_reverse_shell
    • python_reverse_shell
  • Bypass-Applocker
    • vbs_macro
    • pubprn.vbs
    • demiguise
    • mshta
    • regsvcs
    • regasm_2
    • bypass-uac
    • installutil
  • windows
    • uninstall_patches
    • passwords
    • powerview_3.0,_harmj0y
    • port_forward
    • powerview_acl_enum-abuse
    • powerview,_enumerate_groups-ac
    • search_4_loot
    • firewall
    • laps_abuse
    • enumeration
    • Windows
    • Windows_service_abuse
    • Windows Enumeration
  • mimikatz
    • mimikatz_list_modules
    • list_commands_in_module
    • mimikatz
    • remote_control_rpc
    • applocker_bypass_and_other_sn
    • mimikatz_-_start_and_stop_processes
    • base64_all_the_things
    • rdp
    • avoid_new_events
    • mimikatz_-_tokens
  • red-team
    • privilege_escalation_across_trusts
    • file_servers_and_files
    • lateral_movement
    • Commands--red_team
    • forest_enumeration
    • persistence_techniques
    • privilege_escalation
  • Start Procedure
    • Start-Procedure
  • Tools to add to Kali Linux
  • AD-notes
    • more-ad-notes
    • bloodhound
    • ad-notes-chirag
    • enumeration
    • pam_abuse
    • laps_abuse
    • domain_privilege_escalation
    • active_directory_one_liners
  • Setting up Kali Linux
    • Tools to add to Kali Linux
    • Items to Install in Kali
      • tmux
        • tmux_config
        • Setup_-_TMUX
        • tmux_cheat_sheet
      • crontab
      • rclone
      • Items_to_install_in_Kali
    • Tools to install
  • SQL
    • abusing_sql_server_trusts--privilege_escalation
    • abusing_sql_server_trusts
    • abusing_sql_server_trusts--post_exploitation_enumeration
    • 31 SQL
  • tools to install
  • command line
  • simple note
  • Enumeration
  • Tools to install on Windows
  • temp-readme
Powered by GitBook
On this page
  • nslookup
  • dnsrecon
  • Dig - DNS Zone Transfer
  • dnsenum

Was this helpful?

  1. Information Gathering Enumeration

60 DNS Enumeration

nslookup

SERVER 127.0.0.1

root@kali:/assessments/htb/cronos# nslookup

server 10.10.10.13 Default server: 10.10.10.13 Address: 10.10.10.13#53 10.10.10.13 13.10.10.10.in-addr.arpa name = ns1.cronos.htb. cronos.htb Server: 10.10.10.13 Address: 10.10.10.13#53

Name: cronos.htb Address: 10.10.10.13

dnsrecon

dnsrecon -r 127.0.0.0/24 -n dnsrecon -r 127.0.1.0/24 -n A lot of DNS servers also use 127.0.1.x addresses Dnsrecon -r 10.10.10.0/24 -n Also try the name server's subnet; 10.10.10.x in this case

---DNS Zone Transfers--- dnsrecon -d -t axfr e.g. dnsrecon -d megacorpone.com -t axfr

Dig - DNS Zone Transfer

Zone transfers can give you information on additional sub domains that you can then enumerate. After a successful zone transfer, add the name server to your /etc/resolv.conf file

dig axfr @ Zone transfer on the root zone dig axfr bank.htb @10.10.10.29 Zone transfer on a specific zone; bank.htb in this case dig axfr foocampus.com @10.50.96.5 +nocookie If the previous xfers don't work, try running with the +nocookie option

host host - DNS lookup utility

host -t ns megacorpone.com megacorpone.com name server ns1.megacorpone.com. megacorpone.com name server ns3.megacorpone.com. megacorpone.com name server ns2.megacorpone.com.

types: CNAME, NS, SOA, TXT, DNSKEY, AXFR, MX, etc.

By default, every configured domain should provide at least the DNS and mail servers responsible for the domain.

Does it have a corresponding webserver? host www.megacorpone.com

---Forward Lookup Brute Force--- create a wordlist of common subdomains that you can prepend to megacorpone.com e.g. www, ftp, mail, owa, proxy, router, etc. for ip in $(<wordlist.txt); do host $ip.megacorpone.com; done |grep -v "not found"

---Reverse Lookup Brute Force--- e.g. for ip in $(seq 155 190); do host 50.7.67.$ip; done |grep -v "not found"

---DNS Zone Transfers--- host -l e.g. host -l megacorpone.com ns1.megacorpone.com

Unsuccessful zone xfr ; <<>> DiG 9.11.3-1-Debian <<>> axfr @10.10.10.29 │+ Target IP: 10.10.10.29 ; (1 server found) │+ Target Hostname: 10.10.10.29 ;; global options: +cmd │+ Target Port: 80 ;; Query time: 60 msec │+ Start Time: 2018-08-21 08:00:07 (GMT-5) ;; SERVER: 10.10.10.29#53(10.10.10.29) │--------------------------------------------------------------------------- ;; WHEN: Tue Aug 21 08:14:58 CDT 2018 │+ Server: Apache/2.4.7 (Ubuntu) ;; MSG SIZE rcvd: 28

Successful zone xfr ; <<>> DiG 9.11.3-1-Debian <<>> axfr bank.htb @10.10.10.29 │+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content ;; global options: +cmd │of the site in a different fashion to the MIME type bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800 │+ No CGI Directories found (use '-C all' to force check all possible dirs) bank.htb. 604800 IN NS ns.bank.htb. │+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final releas bank.htb. 604800 IN A 10.10.10.29 │e) and 2.2.29 are also current. ns.bank.htb. 604800 IN A 10.10.10.29 │+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS www.bank.htb. 604800 IN CNAME bank.htb. │+ OSVDB-3233: /icons/README: Apache default file found. bank.htb. 604800 IN SOA bank.htb. chris.bank.htb. 2 604800 86400 2419200 604800 │+ 7499 requests: 0 error(s) and 7 item(s) reported on remote host ;; Query time: 59 msec │+ End Time: 2018-08-21 08:08:24 (GMT-5) (497 seconds) ;; SERVER: 10.10.10.29#53(10.10.10.29) │--------------------------------------------------------------------------- ;; WHEN: Tue Aug 21 08:15:07 CDT 2018 │+ 1 host(s) tested ;; XFR size: 6 records (messages 1, bytes 171)

dnsenum

---DNS Zone Transfers--- dnsenum e.g. dnsenum megacorpone.com

PreviousbruteforcingNext15 Firefox

Last updated 3 years ago

Was this helpful?