Cheatography

WHOIS and DNS Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

WHOIS Protocol

whois.afrinic.net
Africa
whois.apnic.net
Asia Pacific, including India, China and Australia
whois.arin.net
US and Canada
whois.lacnic.net
Mexico, Latin America and the Caribbean
whois.ripe.net
Europe, Greenland, Russia and the Middle East
Provides client/server access to information about Internet domains and IPv4 and IPv6 netblocks over TCP/43. Described by RFC 3912. Above are the five regional Internet registries (RIRs), which allocate address space; domain names are served by the registrar's or registry's own whois server instead. The whois client will choose a server automatically, but one can be selected manually with the -h flag, which is useful when the automatic referral lands on the wrong registry.

whois Client Output

Returns the registrant's and contacts' name(s) and phone number(s), a physical address and the domain's DNS servers, each of which can be interrogated further (the listed name servers, for example, can be queried directly for zone transfers).

DNS

Global hierarchical database of domain names. Queries normally travel over UDP/53 for messages of up to 512 bytes and fall back to TCP/53 for larger ones (EDNS0 raises the UDP limit, but AXFR is always carried over TCP). A DNS zone transfer downloads the entire zone from an authoritative server: AXFR is a full transfer and IXFR an incremental transfer. A server that allows AXFR from arbitrary clients hands over the complete host inventory, so it is one of the first things to test.
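As an added example (not part of the original cheat sheet), the script below builds the raw request that dig -t axfr sends: a 12-byte DNS header, one question of type AXFR (252), and the two-byte length prefix that every DNS message carried over TCP must have. It then reads the first reply message and classifies it by RCODE, so a REFUSED (transfer denied) can be told apart from a NOERROR with answer records (transfer allowed). Zone and server are command-line arguments; no real zone is assumed.

```python
"""Hand-built AXFR request over TCP/53 (added example; RFC 1035 framing, RFC 5936 AXFR)."""
import socket
import struct
import sys

QTYPE_AXFR = 252   # full zone transfer
QCLASS_IN = 1      # Internet class
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: one length byte per label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header + one question (zone, AXFR, IN), prefixed with the 2-byte length TCP uses."""
    # id, flags=0 (no RD: AXFR is asked of an authoritative server), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    message = header + question
    return struct.pack("!H", len(message)) + message


def parse_header(message: bytes) -> dict:
    """Decode the header of a DNS message (length prefix already stripped)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0xF
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": rcode,
            "rcode_name": RCODES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """TCP is a byte stream: keep reading until exactly n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def read_tcp_message(sock: socket.socket) -> bytes:
    """Read one length-prefixed DNS message from the stream."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def attempt_axfr(zone: str, server: str, port: int = 53, timeout: float = 5.0) -> dict:
    """Send the AXFR request and return the parsed header of the first reply message."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        return parse_header(read_tcp_message(sock))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <zone> <nameserver>")
    hdr = attempt_axfr(sys.argv[1], sys.argv[2])
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        print(f"AXFR allowed: first message carries {hdr['ancount']} records")
    else:
        print(f"AXFR not allowed: {hdr['rcode_name']}")
```

A permitted transfer may span several TCP messages, each with its own length prefix, ending with a repeat of the zone's SOA record; this example only reads the first message to make the allowed/refused decision, which is all a recon check needs.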

Reverse DNS Scan

IP address ==>
Name
Perform a whois lookup to find the IP ranges owned by the target organization, then perform a reverse DNS (PTR) lookup for every IP in those ranges.

DNS Brute Force Scan

Supply a dictionary of potential host names
Read each entry
Attempt to resolve $entry.example.com
DNSRecon comes with a number of dictionaries. This technique is useful for virtual host discovery. Check for wildcard DNS first (resolve a random label under the domain): if that answers, every dictionary entry will appear to exist and the wildcard's addresses must be filtered out.
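The procedure above as a working script, added here as an example rather than taken from the cheat sheet or from DNSRecon. It resolves each dictionary entry under the target domain in parallel and first probes random labels so that a wildcard record does not turn every entry into a false positive. The resolver is injectable: by default it is the system stub resolver, and a table-backed fake is used in the test so the logic runs offline.

```python
"""Dictionary DNS brute force with wildcard filtering (added example, not from the cheat sheet)."""
from __future__ import annotations

import random
import socket
import string
import sys
from concurrent.futures import ThreadPoolExecutor


def system_resolve(name: str) -> list[str]:
    """Resolve a name with the host's stub resolver; an empty list means NXDOMAIN or no address."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_addresses(domain: str, resolve, probes: int = 3) -> set[str]:
    """Resolve random labels under the domain. Anything that answers is a wildcard (*.domain)
    record, and its addresses must be ignored or every dictionary entry will look like a hit."""
    found: set[str] = set()
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=16))
        found.update(resolve(f"{label}.{domain}"))
    return found


def brute_force(domain: str, wordlist, resolve=system_resolve, workers: int = 20) -> dict[str, list[str]]:
    """Return {fqdn: addresses} for each wordlist entry that resolves to a non-wildcard address."""
    wildcard = wildcard_addresses(domain, resolve)
    candidates = []
    for word in wordlist:
        word = word.strip()
        if word and not word.startswith("#"):      # skip blank lines and comments
            candidates.append(f"{word}.{domain}")
    results: dict[str, list[str]] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for fqdn, addrs in zip(candidates, pool.map(resolve, candidates)):
            real = [a for a in addrs if a not in wildcard]
            if real:
                results[fqdn] = real
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <domain> <wordlist.txt>")
    with open(sys.argv[2]) as fh:
        for host, addrs in sorted(brute_force(sys.argv[1], fh).items()):
            print(host, ", ".join(addrs))
```

One limitation to keep in mind: a real host that happens to share the wildcard's address is filtered out too, so when a wildcard is detected it is worth re-checking hits by other record types (CNAME, MX) or by the HTTP Host header.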

DNS Reconnaissance Tools

nslookup
Universally available, though long marked deprecated in favour of dig
dig
Fully featured DNS client
Nmap DNS NSE Scripts
Replicate the functionality of dig from within a scan, e.g. dns-zone-transfer
DNSRecon
Includes wordlists for DNS brute force; advanced features include DNSSEC and mDNS support.
Metasploit
DNS functionality found in information-gathering auxiliary modules, including reverse brute force.

dig Syntax and Options

-t any
Look up all record types for the name (many servers now return a minimal answer to ANY instead, per RFC 8482)
-t mx
Look up MX records only
-t axfr
Attempt a zone transfer (dig switches to TCP automatically; point it at an authoritative server with @<nameserver>)
-x <IP address>
Simplified PTR (reverse) lookup; dig builds the in-addr.arpa or ip6.arpa name for you
<reversed IP>.in-addr.arpa PTR
The explicit form of a reverse lookup: IPv4 octets written in reverse order under in-addr.arpa (nibbles under ip6.arpa for IPv6)
dig @192.168.1.8 version.bind chaos txt
Query the name server's BIND version string (CHAOS class); many administrators hide or fake it with the version option in named.conf
Basic usage: $ dig @<nameserver> example.com <type> [options]
Uses the host's default resolver (/etc/resolv.conf on Unix-like systems) if no server is specified.
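The reverse DNS scan described earlier and the in-addr.arpa form of a PTR query from the table above, as one added Python example (not from the cheat sheet or any of the listed tools). ptr_name() spells out the reversed-octet and reversed-nibble names that dig -x builds for you, and reverse_scan() sweeps a CIDR block in parallel. The lookup function is injectable: the default asks the system resolver, and the test uses a constructed table so it runs offline.

```python
"""Reverse (PTR) sweep of a netblock, with the in-addr.arpa / ip6.arpa name spelled out
(added example, not from the cheat sheet)."""
from __future__ import annotations

import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def ptr_name(ip: str) -> str:
    """Owner name a PTR query asks for: IPv4 octets reversed under in-addr.arpa,
    IPv6 nibbles (all 32 of the expanded address) reversed under ip6.arpa.
    This is what dig -x builds; ipaddress.ip_address(ip).reverse_pointer gives the same string."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def system_ptr(ip: str) -> str | None:
    """Ask the host's resolver for the PTR record; None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_scan(cidr: str, lookup=system_ptr, workers: int = 32) -> dict[str, str]:
    """Map every address in the block that has a PTR record to its name.
    lookup(ip) -> name or None is injectable so the scan can be tested offline."""
    net = ipaddress.ip_network(cidr, strict=False)
    # hosts() drops network/broadcast; for a /31 or /32 fall back to every address
    hosts = [str(h) for h in net.hosts()] or [str(a) for a in net]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {ip: name for ip, name in zip(hosts, pool.map(lookup, hosts)) if name}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <cidr>")
    for ip, name in reverse_scan(sys.argv[1]).items():
        print(f"{ip:<40} {ptr_name(ip)} -> {name}")
```

Sweeping is practical for the IPv4 ranges whois returns (a /16 is 65,534 lookups); an IPv6 /64 cannot be enumerated this way, so for IPv6 the candidate addresses have to come from other sources first.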

Nmap

dns-zone-transfer
DNS zone transfer
dns-brute
DNS brute force, useful for CNAME discovery
-sL <IP range> | grep \)
Reverse DNS scan: a list scan resolves each target's PTR record without sending any probes, and grepping for the closing parenthesis keeps only the lines where a name came back, since nmap prints "Nmap scan report for <name> (<IP>)" for those
To use a custom word list: nmap --script=dns-brute <domain> --script-args=dns-brute.hostlist=<path to file.txt> (the --script-args part is optional; without it the script's built-in list is used)

DNSRecon

-h, --help
Show this help message and exit
-d, --domain <domain>
Domain to target for enumeration
-r, --range <IP range>
IP range for reverse lookup brute force
-n, --name_server <name>
Name server to use instead of the system resolver
-D, --dictionary <file>
Dictionary file to use for brute force
-t, --type <types>
Specify the type(s) of enumeration to perform
-a
Perform AXFR with standard enumeration
-s
Reverse look-up of IPv4 ranges found in SPF records
-g
Perform Google enumeration
-w
Do deep whois analysis and reverse look-up
-z
Perform a DNSSEC zone walk
Usage: dnsrecon.py <options> (packaged as the dnsrecon command on Kali)

Metasploit

auxiliary/gather/dns_bruteforce
Performs a brute force dictionary DNS scan
auxiliary/gather/dns_cache_scraper
Queries a resolver's cache with non-recursive queries for names it has previously resolved (cache snooping)
auxiliary/gather/dns_info
Gathers general DNS information
auxiliary/gather/dns_reverse_lookup
Performs a reverse DNS (PTR) scan of a netblock, replicating DNSRecon's reverse brute force
auxiliary/gather/dns_srv_enum
Enumerates SRV (service) records
Current Metasploit releases consolidate most of this functionality into auxiliary/gather/enum_dns.