
Port 53 - DNS

DNS (Domain Name System) is the protocol that maps domain names to IP addresses. It exists because people find it hard to remember the IP address of every server, and because the end user should not need to notice when a server's IP address changes: a DNS server is the component responsible for storing and updating those mappings.

DNS Queries

# BIND version => implementation of the DNS protocol (the server only answers this if its config allows it).
dig version.bind CHAOS TXT @DNS-IP

dig @DNS-IP <DOMAIN-NAME> axfr   # Zone transfer (AXFR); only succeeds if the server allows transfers to your address

dig ANY @DNS-IP <DOMAIN-NAME>    # Any information (many servers answer ANY with a minimal response)
dig A @DNS-IP <DOMAIN-NAME>      # Query a hostname and its corresponding IPv4 address.
dig AAAA @DNS-IP <DOMAIN-NAME>   # Query a hostname and its corresponding IPv6 address.
dig CNAME @DNS-IP <DOMAIN-NAME>  # Canonical Name: record that aliases a hostname to another hostname.
dig MX @DNS-IP <DOMAIN-NAME>     # Mail exchanger: record that specifies the SMTP server(s) that receive mail for the domain.
dig TXT @DNS-IP <DOMAIN-NAME>    # Text record: typically carries machine-readable data such as opportunistic encryption, Sender Policy Framework (SPF), DKIM, DMARC, etc.
dig SRV @DNS-IP <DOMAIN-NAME>    # Service Location: a service location record, like MX but for other communication protocols.
dig SOA @DNS-IP <DOMAIN-NAME>    # Start of Authority: indicates the authoritative name server for the DNS zone, contact details for the domain administrator, the zone serial number, and how frequently DNS information for this zone should be refreshed.

Active Directory servers

# -t takes the record type; the server goes after @ (these service names are SRV records)
dig -t SRV _gc._tcp.lab.domain.com @<IP>
dig -t SRV _ldap._tcp.lab.domain.com @<IP>
dig -t SRV _kerberos._tcp.lab.domain.com @<IP>
dig -t SRV _kpasswd._tcp.lab.domain.com @<IP>

nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN> <IP>
nslookup -type=srv _kerberos._tcp.domain.com <IP>

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'" <IP>
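To make clear what the SRV lookups above actually ask for on the wire, here is an added example (not code from the original notes) in stdlib-only Python: it builds the same SRV/IN question that `dig -t SRV` sends, and parses an answer section including DNS name compression. The reply it parses is constructed inline for the hypothetical name _kerberos._tcp.lab.domain.com and a made-up domain controller dc1; none of it is a real capture.

```python
import struct

SRV = 33  # DNS type number for SRV records (RFC 2782), what `dig -t SRV` asks for

def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_srv_query(name, txid=0x1234):
    """12-byte header (RD set, one question) + question section asking for SRV/IN."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", SRV, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past it on the wire)."""
    labels, end = [], None
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4): follow it, remember where we were
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        elif l == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + l].decode())
            off += 1 + l

def parse_srv_answers(msg):
    """(owner, priority, weight, port, target) for every SRV RR in the answer section."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, out = 12, []
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            out.append((owner, prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return out

def sample_response():
    """Constructed reply for _kerberos._tcp.lab.domain.com (built here, not a real capture)."""
    q = encode_name("_kerberos._tcp.lab.domain.com") + struct.pack(">HH", SRV, 1)
    # owner = pointer to offset 12 (the question name); target = "dc1" + pointer to offset 27 ("lab.domain.com")
    rdata = struct.pack(">HHH", 0, 100, 88) + b"\x03dc1" + b"\xC0\x1B"
    ans = b"\xC0\x0C" + struct.pack(">HHIH", SRV, 1, 600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + ans
```

Sending the bytes from build_srv_query() to a resolver on UDP port 53 and passing the reply to parse_srv_answers() yields the same priority/weight/port/target fields that the dig and nslookup lines print.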

Subdomains Enumeration

Active

dnsenum --dnsserver <IP-TARGET> -f <PATH-WORDLIST> [--threads <n>] <DOMAIN>
dnsenum --threads 10 -f /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --dnsserver 10.10.10.161 htb.local

gobuster vhost --url <url> -w <wordlist-path> [-t <n threads>] --append-domain

wfuzz -c [-t <nthreads> --hc=<statuscode>] -w <wordslist-path> -H "Host: FUZZ.domain.com" http://domain.com

Passive

Via Web

https://dnsdumpster.com/
https://intelx.io/

Via command line

# ctfr: abuses Certificate Transparency logs to find the subdomains of HTTPS sites (https://github.com/UnaPibaGeek/ctfr)
# Installation
$ git clone https://github.com/UnaPibaGeek/ctfr.git
$ cd ctfr
$ pip3 install -r requirements.txt

# Usage
$ python3 ctfr.py -d yahoo.net 

          ____ _____ _____ ____  
         / ___|_   _|  ___|  _ \ 
        | |     | | | |_  | |_) |
        | |___  | | |  _| |  _ < 
         \____| |_| |_|   |_| \_\

     Version 1.2 - Hey don't miss AXFR!
    Made by Sheila A. Berta (UnaPibaGeek)


[!] ---- TARGET: yahoo.net ---- [!] 

[-]  *.autocosmos.yahoo.net
*.especiales.autocosmos.yahoo.net
*.galerias.autocosmos.yahoo.net
*.m.e.autocosmos.yahoo.net
*.noticias.autocosmos.yahoo.net

# Sublist3r: fast subdomain enumeration tool for penetration testers (https://github.com/aboul3la/Sublist3r)
# Installation
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
python3 setup.py install
pip3 install -r requirements.txt

# Usage

