15. Nmap DNS Enumeration

1. DNS Zone Transfer

Command:

nmap --script dns-zone-transfer --script-args dns-zone-transfer.server=<server>,dns-zone-transfer.port=<port>,dns-zone-transfer.domain=<domain>

Explanation:

  • --script dns-zone-transfer: Runs the dns-zone-transfer NSE script, which attempts to perform a DNS zone transfer.
  • dns-zone-transfer.server=<server>: Specifies the DNS server to query.
  • dns-zone-transfer.port=<port>: Specifies the port (default is 53 for DNS).
  • dns-zone-transfer.domain=<domain>: Specifies the domain name for which the zone transfer is attempted.

Purpose:

  • A DNS zone transfer retrieves a copy of all the DNS records in a domain’s zone file.
  • Zone transfers are often misconfigured to answer any client, which gives unauthorized parties access to sensitive information like subdomains, mail servers, and IP addresses.

Example:

nmap --script dns-zone-transfer --script-args dns-zone-transfer.server=192.168.1.1,dns-zone-transfer.domain=example.com

Example Output:

Host script results:
| dns-zone-transfer:
|   example.com. 3600 IN SOA ns1.example.com admin.example.com 2024010101 7200 3600 1209600 3600
|   example.com. 3600 IN NS ns1.example.com
|   example.com. 3600 IN NS ns2.example.com
|   www.example.com. 3600 IN A 192.168.1.10
|_  mail.example.com. 3600 IN MX 10 mail.example.com

Interpretation:

  • The output lists DNS records such as:
    • SOA: Start of Authority record.
    • NS: Name Server records.
    • A: IPv4 addresses for hosts.
    • MX: Mail server records.

Use Case:

  • Useful in penetration testing to identify subdomains, hosts, and mail servers if zone transfer is misconfigured.
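As an added example (not part of the original page and not Nmap's own code), a small Python parser for the dns-zone-transfer block shown above: it pulls the records out of the NSE output, splits the SOA into its named fields and summarises what the transfer handed out, which is the inventory a defender would use to audit a nameserver that answers AXFR to arbitrary clients. The sample output is constructed from the example block above.

```python
import re
from collections import defaultdict

# Constructed sample: the dns-zone-transfer host-script block exactly as shown above.
SAMPLE_OUTPUT = """Host script results:
| dns-zone-transfer:
|   example.com. 3600 IN SOA ns1.example.com admin.example.com 2024010101 7200 3600 1209600 3600
|   example.com. 3600 IN NS ns1.example.com
|   example.com. 3600 IN NS ns2.example.com
|   www.example.com. 3600 IN A 192.168.1.10
|_  mail.example.com. 3600 IN MX 10 mail.example.com
"""

# One NSE record line: "|" or "|_" prefix, owner name, TTL, class IN, type, rdata.
RECORD_RE = re.compile(r"^\|_?\s+(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_zone_transfer(text):
    """Map record type -> list of (owner, ttl, rdata) from a dns-zone-transfer block."""
    records = defaultdict(list)
    in_block = False
    for line in text.splitlines():
        if line.startswith("| dns-zone-transfer:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records[rtype].append((owner.rstrip("."), int(ttl), rdata.strip()))
        if line.startswith("|_"):  # "|_" marks the last line of the script block
            break
    return dict(records)

def soa_fields(rdata):
    """Split SOA rdata into its named fields (RFC 1035 order)."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}

def exposure_summary(records):
    """What a successful AXFR handed out: every owner name, IPv4 address and mail exchanger."""
    hostnames = {owner for rrs in records.values() for owner, _, _ in rrs}
    ipv4 = {rdata for _, _, rdata in records.get("A", [])}
    mail = {rdata.split()[1].rstrip(".") for _, _, rdata in records.get("MX", [])}
    return {"hostnames": sorted(hostnames), "ipv4": sorted(ipv4),
            "mail_exchangers": sorted(mail),
            "record_count": sum(len(rrs) for rrs in records.values())}
```

Run `exposure_summary(parse_zone_transfer(SAMPLE_OUTPUT))` to see the leaked inventory; any non-empty result against a server that should only serve AXFR to its secondaries is the finding.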

2. DNS Brute Force

Command:

nmap -Pn --script dns-brute --script-args dns-brute.threads=5,dns-brute.hostlist=/path/to/wordlist <Domainname>

Explanation:

  • -Pn: Skips host discovery and treats the target as up, so the script still runs when the host does not answer ping probes.
  • --script dns-brute: Runs the dns-brute NSE script to brute-force subdomain names.
  • dns-brute.threads=5: Specifies the number of threads for the brute force operation.
  • dns-brute.hostlist=/path/to/wordlist: Provides a custom wordlist for subdomain brute forcing.
  • <Domainname>: Specifies the target domain or IP address.

Purpose:

  • Enumerates subdomains of a target domain by brute-forcing commonly used names (e.g., www, mail, ftp).
  • Identifies potentially hidden subdomains.

Example:

nmap -Pn --script dns-brute --script-args dns-brute.threads=5,dns-brute.hostlist=/usr/share/wordlists/dns.txt example.com

Example Output:

Host script results:
| dns-brute:
|   www.example.com
|   mail.example.com
|   ftp.example.com
|_  admin.example.com

Interpretation:

  • The output lists discovered subdomains such as www, mail, ftp, and admin.

Summary of Commands

Command            Purpose                                                     Key Findings
-----------------  ----------------------------------------------------------  -------------------------------------------------------
dns-zone-transfer  Attempts a DNS zone transfer to retrieve all records in     Subdomains, host records, mail servers, and more.
                   the zone.
dns-brute          Brute forces subdomain names to find hidden entries.        Uncovered subdomains that might not be publicly listed.

Usage Notes

  1. Zone Transfer:

    • Ensure you have authorization before attempting a DNS zone transfer.
    • Misconfigured zone transfers can leak sensitive information.

  2. Brute Forcing:

    • Use a good wordlist for better results (e.g., /usr/share/wordlists in Kali).
    • Be mindful of rate limits and anti-brute force measures on DNS servers.

These commands are powerful tools in DNS enumeration and reconnaissance tasks during penetration testing.