Enumeration

  1. DNS
    1. host command
    2. dig command
    3. DNS Zone Transfers
    4. DNS Recon
    5. DNS Enum
  2. SNMP
    1. OneSixtyOne
    2. snmpwalk
    3. snmpcheck

DNS

Nmap DNS Hostname Lookup - scan a range and resolve every host through a chosen (e.g. internal) DNS server

nmap -F --dns-server <dns server ip> <target ip range>

-F scans the 100 most common ports; --dns-server makes nmap use that server for its reverse lookups instead of the system resolver, which matters when only the target's own DNS knows the internal hostnames.

Using Host

Host Lookup

host -t ns example.com

Host - Finding NS / MX / AAAA / A / SOA records

host <domain> <optional_name_server>   -- Query, optionally against a specific name server
host -t ns <domain>           -- Name Servers
host -t a <domain>            -- A record (IPv4 address)
host -t aaaa <domain>         -- AAAA record (IPv6 address)
host -t mx <domain>           -- Mail Servers
host -t soa <domain>          -- Start of Authority (primary name server, admin mailbox, zone serial)
host <IP>                     -- Reverse Lookup (PTR record)

Reverse Lookup Brute Force - find hostnames (PTR records) for every address in the same range

for ip in $(seq 1 255); do host 10.0.0.$ip; done | grep -v "not found"

Addresses without a PTR record are filtered out by the grep; lines reading ";; connection timed out" mean the resolver did not answer at all and still pass the filter, so check for them separately.

Using DIG

Perform DNS IP Lookup

dig a example.com @nameserver

Perform MX Record Lookup

dig mx example.com @nameserver

Perform Zone Transfer with DIG

dig axfr example.com @nameserver

DNS Zone Transfers

Windows DNS zone transfer (interactive nslookup; ls -d requests the full zone from the server currently selected)

nslookup
> set type=any
> ls -d example.com

Linux DNS zone transfer

dig axfr example.com @ns1.example.com
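A server that allows the transfer answers the dig axfr commands above with every record in the zone; one that refuses prints only "; Transfer failed.". The script below is an added example written for these notes, not part of the original page or of dig: it parses dig's AXFR output into records, checks that the transfer is complete (a full AXFR is bracketed by the zone's SOA record, sent first and last, so a missing closing SOA means a truncated answer), reads the zone serial, and extracts the A/AAAA hosts to feed into port scanning. The sample output, names, addresses and serial are constructed for the example, and the function names are this example's own.

```python
import json
import sys

# Constructed sample of what `dig axfr example.com @ns1.example.com` prints when the
# server allows the transfer. Names, addresses and serial are made up for this example.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
mail.example.com.\t3600\tIN\tA\t10.0.0.25
www.example.com.\t3600\tIN\tA\t10.0.0.80
dev.example.com.\t3600\tIN\tA\t10.0.0.81
vpn.example.com.\t3600\tIN\tAAAA\t2001:db8::1
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; SERVER: 10.0.0.53#53(10.0.0.53)
;; XFR size: 8 records (messages 1, bytes 306)
"""

# Constructed sample of a refused transfer (the server's allow-transfer list does not include us).
SAMPLE_REFUSED = """\
; <<>> DiG 9.16.1 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.
"""


def transfer_refused(text):
    """dig prints this single comment line when the server answers REFUSED."""
    return "; Transfer failed." in text


def parse_dig_axfr(text):
    """Turn dig's AXFR output into (name, ttl, class, type, rdata) tuples.

    dig prints one record per line, tab-separated, and prefixes everything
    else (banner, timing, XFR size) with ';', so those lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # name ttl class type rdata (rdata keeps its spaces)
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        name, ttl, rclass, rtype, rdata = fields
        records.append((name.lower(), int(ttl), rclass, rtype, rdata))
    return records


def transfer_complete(records):
    """A full AXFR is bracketed by the zone's SOA: the same SOA record is sent
    first and last. Anything else is a partial transfer or not an AXFR at all."""
    if len(records) < 2:
        return False
    first, last = records[0], records[-1]
    return first[3] == "SOA" and last[3] == "SOA" and first[4] == last[4]


def soa_serial(records):
    """Zone serial from the opening SOA (third rdata field), or None if there is no SOA."""
    for _name, _ttl, _cls, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    return None


def hosts_from_zone(records):
    """Map each A/AAAA owner name to its addresses: the host list you scan next."""
    hosts = {}
    for name, _ttl, _cls, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts.setdefault(name.rstrip("."), []).append(rdata)
    return hosts


if __name__ == "__main__":
    # Usage: dig axfr example.com @ns1.example.com | python3 axfr_hosts.py
    output = sys.stdin.read()
    if transfer_refused(output):
        sys.exit("zone transfer refused")
    recs = parse_dig_axfr(output)
    if not transfer_complete(recs):
        sys.exit("transfer incomplete: missing SOA bookends")
    print(json.dumps({"serial": soa_serial(recs), "hosts": hosts_from_zone(recs)}, indent=2))
```

Pipe the real dig output into the script on stdin; the SOA check is what tells a clean full transfer apart from a server that started sending and then cut the connection.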

nslookup (interactive mode)

nslookup - <optional_name_server>    -- start interactively, optionally against a specific name server
> set type=mx                        -- then enter the domain to list its mail servers
> set type=ns                        -- then enter the domain to list its name servers

DNSRecon

Dnsrecon DNS Brute Force (-t brt brute-forces subdomains from the -D wordlist; -t std is the standard enumeration of SOA/NS/MX/A records without the wordlist)

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t brt --xml output.xml

Dnsrecon zone transfer (tries AXFR against every name server of the domain)

dnsrecon -d example.com -t axfr

DNSEnum

dnsenum example.com           -- name servers, MX records, zone transfer attempts against each name server, then subdomain brute force with its default dns.txt wordlist

SNMP

NOTE: SNMP agents listen on UDP 161, so the target must have that port reachable before any of the tools below get an answer (a UDP scan of port 161 confirms it; traps go out on UDP 162 and are not needed for enumeration). A wrong community string gets no reply at all, so silence can mean either a filtered port or a bad community.

OneSixtyOne

onesixtyone is the tool to use when you don't know the community string: it brute-forces community names from a wordlist by sending one SNMP GetRequest per name to each host and reporting the hosts that answer.

onesixtyone -c communityDict.txt -i hosts.txt -o result.log -w 150

-c           -- File with community names to try
-i           -- File with target hosts
-o           -- Output log
-w           -- Wait n milliseconds (1/1000 of a second) between sending packets (default 10); 150 is slower but drops fewer responses on lossy links
-d           -- Debug mode, use twice for more information
-q           -- Quiet mode, do not print log to stdout, use with -o
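What onesixtyone does on the wire is small: one SNMPv1 GetRequest for sysDescr.0 per community string, and any host that answers has accepted that string. The Python below is an added example written for these notes, not onesixtyone's own code: it builds that request by hand (BER encoding, no SNMP library), parses the agent's GetResponse, and probe() sends one request and returns sysDescr when the community is accepted. The helper names (build_message, read_tlv, probe), the 1-second timeout and the constructed response used to exercise the parser are this example's own assumptions.

```python
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, the object every SNMP scanner asks for first

def ber_len(n):
    # Short form below 128, otherwise 0x80|byte-count followed by the big-endian length.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    # Non-negative INTEGER in minimal form, with a leading 0x00 when the high bit would be set (128 -> 00 80).
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def ber_oid(dotted):
    # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits.
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, oid, value_tlv, request_id=1):
    # SNMPv1 message = version 0, community string, PDU(request-id, error-status, error-index, varbinds).
    # pdu_tag 0xA0 with a NULL value (tlv(0x05, b"")) is a GetRequest; 0xA2 is the agent's GetResponse.
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value_tlv))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    # Return (tag, contents, position after this element); handles short and long length forms.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):
    if tag == 0x04:                        # OCTET STRING
        return raw.decode(errors="replace")
    if tag in (0x02, 0x41, 0x42, 0x43):    # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    return decode_oid(raw) if tag == 0x06 else raw   # OID; NULL/noSuchObject stay raw

def parse_response(packet):
    # Returns (community, request_id, error_status, [(oid, value), ...]) from a GetResponse.
    tag, msg, _ = read_tlv(packet)
    _, _version, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0x30 or pdu_tag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse")
    _, req_id, pos = read_tlv(pdu)
    _, err_status, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    results, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_raw, vpos = read_tlv(vb)
        vtag, value, _ = read_tlv(vb, vpos)
        results.append((decode_oid(oid_raw), decode_value(vtag, value)))
    return (community.decode(errors="replace"), int.from_bytes(req_id, "big", signed=True),
            int.from_bytes(err_status, "big", signed=True), results)

def probe(host, community, timeout=1.0, port=161):
    # One GetRequest per community string. An SNMPv1 agent that rejects the string just drops the
    # packet, so a timeout looks like a filtered port: confirm UDP/161 is reachable before reading
    # silence as "wrong community". A parseable GetResponse means the community is accepted.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_message(0xA0, community, SYS_DESCR_OID, tlv(0x05, b""), 1), (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    _, req_id, err, varbinds = parse_response(data)
    return varbinds[0][1] if req_id == 1 and err == 0 and varbinds else None
```

Looping probe(target, word) over a wordlist reproduces onesixtyone's behaviour; the request-id check in probe() discards stray or replayed datagrams that do not match the one just sent. build_message(0xA2, ...) produces the same GetResponse an agent would return, which is how the parser can be exercised without a live target.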

SNMPWalk

snmpwalk -c public -v1 <IP Address>          -- Enumerates the entire MIB tree
snmpwalk -c public -v1 <IP Address> <OID>    -- Enumerates one subtree, given as a numeric OID (e.g. 1.3.6.1.2.1.25.4.2.1.2 for running process names)

-v 1|2c|3           -- Specifies SNMP version to use (try -v2c if v1 gets no answer)
-c COMMUNITY        -- Set the community string

SNMPCheck

snmpcheck -t <IP>

-c           -- SNMP community; default is public
-v           -- SNMP version (1,2); default is 1
-w           -- Detect write access (a separate action from enumeration); a writable community lets you change the device configuration, not just read it

Kali ships the rewrite as snmp-check, which takes the target as a positional argument instead of -t and prints system, network, process, share and user information in one run.
