HomeTech JournalsPersonal ProjectsSysadmin Wiki

Activity 3.1: DNS Enumeration

Summary

Deliverable 1. Provide a screenshot of your /24 port scan against 10.0.5.0/24 similar to the one below.

Code:

#!/bin/bash

network=$1
port=$2

echo "host,port"
for ((ip=1; ip<=254; ip++)); do
   ipaddr="$1.$ip"
   timeout .1 bash -c "echo >/dev/tcp/$ipaddr/$port" 2>/dev/null && echo "$ipaddr,$port"
done

Output:

Output

Deliverable 3. Write a script that takes a network prefix and a specific dns server in which to perform a lookup. Assume a /24 network. Provide a screenshot similar to the one below showing the program run.

Code:

#!/bin/bash

network=$1
name_serv=$2

echo "dns resolution for $network"
for ((ip=1; ip<=254; ip++)); do
   ipaddr="$1.$ip"
   nslookup $ipaddr $name_serv | grep name
done

Output:

Deliverable 5. Use nmap to find your DNS servers. Figure out how to: skip host discovery, use a grepable output to send results to dns-servers2.txt, only scan for a single tcp port across 10.0.5.0/24, only report "open" ports, see if you can use a bash 1 or 2 liner to list the unique IP addresses that respond to DNS lookups.

nmap:

sudo nmap -Pn --open 10.0.5.0/24 -p T:53 -oG dns-server2.txt

ouput:

cat dns-server2.txt | grep -v Nmap | grep -v / | awk '{print  $2}'
Output

Deliverable 6. The following nmap command will use -sL (list targets) while specifying a dns server. See if you can do some magic with grep and cut or awk to produce output similar to the one below. Provide a screenshot showing your modified nmap run. Note, you may have different hosts listed as our target environment changes and grows over time.

nmap:

sudo nmap -sL -R 10.0.5.1-124 --dns-server 10.0.5.22 | awk '{print $5 $6}' | grep "(" | grep -v addresses

Ouput:

Deliverable 7. zt.txt should have some useful information, see what you can do to parse it in a manner that we have a hostname and associated ip address. Provide a screenshot similar to the one below. Note, the screenshot below is not quite perfect as not every host has an IP address.

Zone Transfer:

Find Name Servers
Attempt the Zone Transfer

Note:

documentation: https://digi.ninja/projects/zonetransferme.php

Output:

cat zt.txt | grep -E ",*." | awk {'print $1","$5'} | grep -v ";"
PreviousActivity 2.1: Host DiscoveryNextActivity 4.1: Exploiting Cupcake

Last updated