DNS enumeration is discovering all the DNS (Domain Name System) records for a particular domain name. We can use DNS enumeration to gather information about a target network. This can allow us to expand the attack surface.
The DNS system is responsible for resolving domain names to IP addresses. When a user types a domain name in their browser, the DNS system translates that domain name into an IP address, which is used to locate the web server hosting the website. DNS enumeration is querying the DNS system for information about a particular domain.
Several types of DNS records can be queried during DNS enumeration, including A, MX, NS, and SOA records.
A records are used to map domain names to IP addresses, while
MX records are used for email routing.
NS records specify the authoritative name servers for the domain, while
SOA records provide information about the start of authority for the domain.
DNS Enumeration with NMAP
Nmap allows us to perform a DNS Enumeration using its built-in NMAP Scripting Engine, or NSE.
The Nmap Scripting Engine (NSE) is a powerful feature of Nmap that allows users to automate various tasks, including network discovery, vulnerability scanning, and exploitation. The NSE consists of a collection of scripts that can be run on top of Nmap to perform various tasks.
The NSE scripts are written in Lua, a lightweight scripting language that is easy to learn and use. The scripts are designed to be modular and can be easily modified or customized to fit specific needs. NSE scripts can be used for various purposes, such as fingerprinting operating systems, identifying services and applications, detecting vulnerabilities, and exploiting security weaknesses.
We can use the
--script option to define what script we wish to use.
Nmap DNS Enumeration Using Broadcast DNS Discovery.
In Nmap, we can use the
broadcast-dns-service-discovery script to perform a DNS Enumeration on a target host.
This script attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.
The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a follow-up query for each one to get more information.
The command syntax is as shown below:
sudo nmap --script=broadcast-dns-service-discovery <target>
target refers to the target host.
An example command is as shown below:
sudo nmap --script=broadcast-dns-service-discovery geekbits.io
An example output is as shown:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 19:00 EST Nmap scan report for geekbits.io (220.127.116.11) Host is up (0.019s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 99.81 seconds
Nmap DNS Enumeration Using DNS-BRUTE
We can also use the
dns-brute script to perform a DNS Enumeration using Nmap. This script attempts to enumerate DNS hostnames by brute force guessing common subdomains. With the
dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.
Wildcard records are listed as "*A" and "*AAAA" for IPv4 and IPv6, respectively.
The command syntax is as shown:
nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>
sudo nmap -T4 -p 53 --script dns-brute www.geekbits.io
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 19:13 EST Nmap scan report for www.geekbits.io (18.104.22.168) Host is up (0.082s latency). Other addresses for www.geekbits.io (not scanned): 22.214.171.124 126.96.36.199 188.8.131.52 2a04:4e42::775 2a04:4e42:200::775 2a04:4e42:400::775 2a04:4e42:600::775 PORT STATE SERVICE 53/tcp filtered domain Host script results: | dns-brute: | DNS Brute-force hostnames: | www.geekbits.io - 184.108.40.206 | www.geekbits.io - 220.127.116.11 | www.geekbits.io - 18.104.22.168 | www.geekbits.io - 22.214.171.124 | www.geekbits.io - 2a04:4e42:200::775 | www.geekbits.io - 2a04:4e42:400::775 | www.geekbits.io - 2a04:4e42:600::775 |_ www.geekbits.io - 2a04:4e42::775 Nmap done: 1 IP address (1 host up) scanned in 18.91 seconds
Nmap DNS Enumeration Using DNS Recursion Script
Another script you can use is the
dns-recursion script. This script assumes that DNS recursion is enabled on the name servers:
It works by Checking if a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your internal nameservers.
The command syntax is as shown:
nmap -sU -p 53 --script=dns-recursion <target>
Nmap DNS Enumeration All in One
If you are not sure which DNS script to use to perform the enumeration, you can use a wildcard character as shown in the example syntax below:
nmap -sS --script=dns-* <target_domain>
sudo nmap -sS --script=dns-* www.example.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 19:20 EST Nmap scan report for www.example.com (126.96.36.199) Host is up (0.00025s latency). Other addresses for www.example.com (not scanned): 188.8.131.52 All 1000 scanned ports on www.example.com (184.108.40.206) are in ignored states. Not shown: 1000 filtered tcp ports (no-response) Host script results: | dns-blacklist: | SPAM | l2.apews.org - FAIL |_ all.spamrats.com - FAIL | dns-brute: | DNS Brute-force hostnames: | www.example.com - 220.127.116.11 |_ www.example.com - 2606:2800:220:1:248:1893:25c8:1946 Nmap done: 1 IP address (1 host up) scanned in 66.66 seconds
In conclusion, DNS enumeration is crucial for identifying potential vulnerabilities in a target network. Nmap scripts can be a powerful tool for automating this process and saving time.
Using various Nmap scripts, we can perform different types of DNS enumeration and gather valuable information about the target network. However, using these scripts responsibly and with proper authorization is essential, as they can also be used for malicious purposes. Learning how to perform DNS enumeration using Nmap scripts is a valuable skill for you.