Target.Recon.DNS.txt
`` DNS
`` CNAME hijacking
@ bin/dns_cnames.sh
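`` Zone transfer
-- A transfer that succeeds for an arbitrary client means the name server does not restrict AXFR to its secondaries; record it as a finding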
~$ dig @ns.VAR_TARGET_DOMAIN VAR_TARGET_DOMAIN -t axfr
~$ host -t axfr -l VAR_TARGET_DOMAIN ns.VAR_TARGET_DOMAIN
~$ dnsrecon -d VAR_TARGET_DOMAIN -t axfr
@ bin/dns_transfer.sh
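`` Lookup
-- Many servers answer ANY queries minimally or refuse them (RFC 8482); if the output looks incomplete, query specific record types instead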
~$ whois VAR_TARGET_DOMAIN
~$ dig +nocomments +noauthority +noadditional +nostats VAR_TARGET_DOMAIN -t any
~$ dig +noall +answer VAR_TARGET_DOMAIN -t any
~$ nslookup -type=any VAR_TARGET_DOMAIN
`` Enumeration
`` Active (wordlist based)
~$ dnsrecon -d VAR_TARGET_DOMAIN -D VAR_WORDLIST -t brt --threads 8
~$ fierce -dns VAR_TARGET_DOMAIN -wordlist VAR_WORDLIST
-- Using list of root domain names
~$ amass enum -brute -df VAR_FILE -w ~/lib/brutas/brutas-subdomains-1-small.txt
`` Active
~$ dnsrecon -d VAR_TARGET_DOMAIN -t std,rvl
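-- -range takes the address range to reverse-resolve; check that VAR_ATTACKER_HOST is the intended placeholder here and not the target's range
~$ fierce -range VAR_ATTACKER_HOST-100 -dnsserver ns.VAR_TARGET_DOMAIN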
`` Active with passive sources
~$ amass enum -brute -d VAR_TARGET_DOMAIN -w VAR_WORDLIST
~$ sublist3r -d VAR_TARGET_DOMAIN -b -t 50
`` Completely passive
~$ subfinder -d VAR_TARGET_DOMAIN
`` With zone transfer
~$ dnsenum VAR_TARGET_DOMAIN --enum -f VAR_WORDLIST
~$ amass enum -src -brute -ip -min-for-recursive 2 -active -d VAR_TARGET_DOMAIN