# Activity 3.1: DNS Enumeration

### Summary

### Deliverable 1. Provide a screenshot of your /24 port scan against 10.0.5.0/24 similar to the one below.

Code:

```bash
#!/bin/bash
# Usage: ./scan.sh <first three octets> <port>, e.g. ./scan.sh 10.0.5 53
# Walks a /24 and prints every host that accepts a TCP connection on the port.
# Bash's /dev/tcp pseudo-device does the connect, so no extra tools are needed.

network=$1
port=$2

echo "host,port"
for ((ip=1; ip<=254; ip++)); do
    ipaddr="$network.$ip"
    # 0.1 s connect timeout; only a successful connect prints the host,port line
    timeout .1 bash -c "echo >/dev/tcp/$ipaddr/$port" 2>/dev/null && echo "$ipaddr,$port"
done
```

Output:

<figure><img src="https://lh6.googleusercontent.com/dVEe0WmJ2l3Wn9IeYyygIiz9tif_g1h4x_YeUlwXTPQpzSk-8Nq2TyuFFQdjIvY-CCIFynLkwKQGaBbX7NUMLlRTr6tB3PSfHvQ-BEYkh5b7WUpa49w4Wk65MPmrh8pOjAlMCOZiizdzYtRArLjeWqM" alt=""><figcaption><p>Output</p></figcaption></figure>

### Deliverable 3. Write a script that takes a network prefix and a specific dns server in which to perform a lookup. Assume a /24 network. Provide a screenshot similar to the one below showing the program run.

Code:

```bash
#!/bin/bash
# Usage: ./dns.sh <first three octets> <dns server>, e.g. ./dns.sh 10.0.5 10.0.5.22
# Reverse-resolves every address in a /24 against the given name server and
# keeps only the PTR answers ("... name = host.example"); NXDOMAIN lines drop out.

network=$1
name_serv=$2

echo "dns resolution for $network"
for ((ip=1; ip<=254; ip++)); do
    ipaddr="$network.$ip"
    nslookup "$ipaddr" "$name_serv" | grep name
done
```

Output:

<figure><img src="https://lh3.googleusercontent.com/BUbRgTyqREncezCIpTe4E-ioR0jbfMtLWdrZBD1E46i-RwRioAVdwcqm5YQw2jdPr3OIiU5QIw3aiO44gPtcqQLy8noa94ekYwsA_dTY4NP5VZce9coyfxwYUPFFX3jPUAF8YWq5ZTVloxKQXZH9lW4" alt=""><figcaption></figcaption></figure>

### Deliverable 5. Use nmap to find your DNS servers. Figure out how to: skip host discovery, use a grepable output to send results to dns-servers2.txt, only scan for a single tcp port across 10.0.5.0/24, only report "open" ports, see if you can use a bash 1 or 2 liner to list the unique IP addresses that respond to DNS lookups.

nmap:

```bash
# -Pn skips host discovery, --open reports only open ports, -p T:53 limits the
# scan to TCP/53, -oG writes grepable output for the one-liner below
sudo nmap -Pn --open 10.0.5.0/24 -p T:53 -oG dns-server2.txt
```

Output (parsing the grepable file for the unique IPs that answered on TCP/53):

```bash
# drop the "# Nmap ..." header/footer and the "Ports:" lines (they contain "/");
# the remaining "Host: <ip> () Status: Up" lines carry the address in field 2
grep -v Nmap dns-server2.txt | grep -v / | awk '{print $2}' | sort -u
```

<figure><img src="https://lh6.googleusercontent.com/lIm6gz0wYNadMxqUy5vu-VmQLOddL2_iRR1kvuPV1mOOB4TX5j5bquHWMG1rZfTDMwrEXuExU5ekdr2tERrVrFYHvdebVcuBIpFvpmZVALH5TgU299kZN-bR9sK-GAIkvH16Tek9pDotzgMhNffE7X8" alt=""><figcaption><p>Output</p></figcaption></figure>
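As an added example that is not part of the original activity, the shell function below parses the `-oG` file by its `Ports:` field instead of by line shape, so only hosts whose requested TCP port is actually in state `open` are listed, once each, even when nmap also reports filtered ports or appends an "Ignored State" summary. The grepable sample is constructed, not real output from the lab range.

```bash
# Constructed sample of nmap -oG output (not a real scan of 10.0.5.0/24)
SAMPLE_GNMAP=$(cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn --open -p T:53 -oG dns-server2.txt 10.0.5.0/24
Host: 10.0.5.22 ()  Status: Up
Host: 10.0.5.22 ()  Ports: 53/open/tcp//domain///
Host: 10.0.5.25 ()  Status: Up
Host: 10.0.5.25 ()  Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///  Ignored State: closed (998)
Host: 10.0.5.30 ()  Status: Up
Host: 10.0.5.30 ()  Ports: 53/filtered/tcp//domain///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds
EOF
)

# open_hosts_from_gnmap PORT: reads -oG text on stdin and prints, sorted and
# de-duplicated, every host whose "Ports:" field lists PORT in state "open".
open_hosts_from_gnmap() {
    awk -v want="$1" '
        /^#/ || !/Ports:/ { next }                 # skip header/footer and Status lines
        {
            ip = $2
            sub(/^.*Ports: /, "")                  # keep only the port list
            sub(/[ \t]+Ignored State:.*$/, "")     # drop the trailing summary
            n = split($0, recs, /, /)              # one record per port
            for (i = 1; i <= n; i++) {
                split(recs[i], f, "/")             # f[1]=port f[2]=state f[3]=proto
                if (f[1] == want && f[2] == "open") { seen[ip] = 1; break }
            }
        }
        END { for (ip in seen) print ip }' | sort -u
}

printf '%s\n' "$SAMPLE_GNMAP" | open_hosts_from_gnmap 53
```

Run as-is it prints 10.0.5.22 and 10.0.5.25; 10.0.5.30 is excluded because its port 53 is filtered, not open.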

### Deliverable 6. The following nmap command will use -sL (list targets) while specifying a dns server. See if you can do some magic with grep and cut or awk to produce output similar to the one below. Provide a screenshot showing your modified nmap run. Note, you may have different hosts listed as our target environment changes and grows over time.

nmap:

```bash
# -sL lists targets without scanning them, -R forces reverse DNS for every address,
# --dns-servers sends the lookups to the lab resolver. awk keeps "hostname (ip)"
# from the "Nmap scan report for hostname (ip)" lines; unresolved hosts (no
# parenthesised IP) and the "... IP addresses ..." summary line drop out.
sudo nmap -sL -R 10.0.5.1-124 --dns-servers 10.0.5.22 | awk '{print $5 $6}' | grep "(" | grep -v addresses
```

Output:

<figure><img src="https://lh3.googleusercontent.com/88vK434BVqLEytdZf0ugJdR5hIii4zte66b6XadwixkI9kMydLPrKAGaqmK40FWVjK5kh7-vC4n7suKe1bW0-UhUkQSOvHzRaLCdDreqnAO5jRBc7QwI0Yco6XcSpCLAYlv4vfSJeIrtNU6C44RFC-s" alt=""><figcaption></figcaption></figure>

### Deliverable 7. zt.txt should have some useful information, see what you can do to parse it in a manner that we have a hostname and associated ip address. Provide a screenshot similar to the one below. Note, the screenshot below is not quite perfect as not every host has an IP address.

Zone Transfer:

<figure><img src="https://lh5.googleusercontent.com/zWDIP-dyLd6iYx_OlZ2VYs-8-i9h16V6TIapazui8vtoiz-MG59KOqdivcUMlQ3FV7zscaePlY6s02IlUyRnwiYdcipIMvcKyyner3rVEnUKL7n3Jk2-S3DjIIneUMYzM1DmlyKAeqfb7X_xJ--VYg" alt=""><figcaption><p>Find Name Servers</p></figcaption></figure>

<figure><img src="https://lh5.googleusercontent.com/QSa_bka58sZUYyZTU7P-j6PBoxjMOq04xGJSsa0SSlqz1iJz0GOve2lE5VwPAOv4FUY0GCtS7WK3LHfQfSPNyCfcHtTFR6EKqWJ29ijSrUytxtZ1ROYQ4oAX6azqanPPN1VWCRK8gzuevIax5gjJHA" alt=""><figcaption><p>Attempt the Zone Transfer</p></figcaption></figure>

Note: documentation for zonetransfer.me: <https://digi.ninja/projects/zonetransferme.php>

Output:

```bash
# dig's AXFR lines are "name TTL IN TYPE RDATA"; ';' lines are dig comments.
# Keeping only A/AAAA records guarantees that field 5 is an address, so every
# printed line is a hostname with its IP (NS/MX/TXT owners are skipped).
grep -v ';' zt.txt | awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") {print $1 "," $5}'
```

<figure><img src="https://lh6.googleusercontent.com/sZxcEA1a0bo7q_5JjEBxK-yVZ-FUwDy7MytwRdMkKAdRM3r6l07WlJe3tUWFFP0STCLArTylKqANGU-MzgmuZBVHOpbh7uhNDtcF8vYOITc7CrTaUpvfboO8zAREM_94CP_qKnVQyXysIhFSGykUG7M" alt=""><figcaption></figcaption></figure>
