[[sec/OSCP Notes/01 Information Gathering/overview]] [[DNS 53]]

```bash
host www.example.com        # A records
host -t mx example.com      # MX records
host -t txt example.com     # TXT records
```

- `host` looks up A records by default

### Brute force DNS name lookups

```bash
cat list.txt
www
ftp
mail
owa
proxy
router
```

```bash
for ip in $(cat list.txt); do host $ip.example.com; done
www.example.com has address 149.56.244.87
Host ftp.example.com not found: 3(NXDOMAIN)
mail.example.com has address 51.222.169.212
Host owa.example.com not found: 3(NXDOMAIN)
Host proxy.example.com not found: 3(NXDOMAIN)
router.example.com has address 51.222.169.214
```

### Reverse lookups

- If the DNS administrator of the domain configured *PTR records* for the domain, we can scan the approximate range with *reverse lookups* to request the hostname for each IP.

```bash
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"
208.169.222.51.in-addr.arpa domain name pointer admin.example.com.
209.169.222.51.in-addr.arpa domain name pointer beta.example.com.
210.169.222.51.in-addr.arpa domain name pointer fs1.example.com.
211.169.222.51.in-addr.arpa domain name pointer intranet.example.com.
212.169.222.51.in-addr.arpa domain name pointer mail.example.com.
213.169.222.51.in-addr.arpa domain name pointer mail2.example.com.
```
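The two loops above produce raw `host` output that has to be read by eye. The script below is an added example (not from the OSCP course material or from this note's author) that parses both the forward brute-force output and the reverse-lookup output into an IP-to-hostname inventory, and reports which names were only discoverable through PTR records (the wordlist never asked for `admin` or `intranet`). The sample text is constructed to match the shape of the output shown above; the reversed-octet handling for `in-addr.arpa` is the part that is easy to get wrong by hand. For a zone owner the same parser is a quick check of what the zone's own PTR records disclose.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample output, shaped like the `host` runs in the notes above.
SAMPLE_FORWARD = """\
www.example.com has address 149.56.244.87
Host ftp.example.com not found: 3(NXDOMAIN)
mail.example.com has address 51.222.169.212
Host owa.example.com not found: 3(NXDOMAIN)
Host proxy.example.com not found: 3(NXDOMAIN)
router.example.com has address 51.222.169.214
"""

SAMPLE_REVERSE = """\
208.169.222.51.in-addr.arpa domain name pointer admin.example.com.
209.169.222.51.in-addr.arpa domain name pointer beta.example.com.
210.169.222.51.in-addr.arpa domain name pointer fs1.example.com.
211.169.222.51.in-addr.arpa domain name pointer intranet.example.com.
212.169.222.51.in-addr.arpa domain name pointer mail.example.com.
213.169.222.51.in-addr.arpa domain name pointer mail2.example.com.
"""

# One regex per line shape that `host` emits for A, NXDOMAIN and PTR answers.
A_RE = re.compile(r"^(?P<name>\S+) has address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
NX_RE = re.compile(r"^Host (?P<name>\S+) not found: 3\(NXDOMAIN\)$")
PTR_RE = re.compile(
    r"^(?P<rev>(?:\d{1,3}\.){4})in-addr\.arpa domain name pointer (?P<name>\S+)$"
)


def arpa_to_ip(rev: str) -> str:
    """'208.169.222.51.' -> '51.222.169.208'; in-addr.arpa stores octets reversed."""
    octets = rev.rstrip(".").split(".")
    return ".".join(reversed(octets))


def parse_forward(text: str) -> Dict[str, Optional[str]]:
    """Map hostname -> IPv4 address, or None when host reported NXDOMAIN.
    Lines that match neither shape are skipped rather than guessed at."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        m = A_RE.match(line)
        if m:
            result[m["name"]] = m["ip"]
            continue
        m = NX_RE.match(line)
        if m:
            result[m["name"]] = None
    return result


def parse_reverse(text: str) -> Dict[str, str]:
    """Map IPv4 address -> hostname from `host <ip>` PTR output (trailing dot removed)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = PTR_RE.match(line.strip())
        if m:
            result[arpa_to_ip(m["rev"])] = m["name"].rstrip(".")
    return result


def merge_inventory(forward: Dict[str, Optional[str]],
                    reverse: Dict[str, str]) -> Dict[str, List[str]]:
    """IP -> sorted hostnames seen from either direction."""
    inv: Dict[str, Set[str]] = {}
    for name, ip in forward.items():
        if ip is not None:
            inv.setdefault(ip, set()).add(name)
    for ip, name in reverse.items():
        inv.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in inv.items()}


def ptr_only_names(forward: Dict[str, Optional[str]],
                   reverse: Dict[str, str]) -> List[str]:
    """Hostnames that only PTR records revealed, i.e. names the wordlist never tried."""
    return sorted(name for name in reverse.values() if name not in forward)


if __name__ == "__main__":
    fwd = parse_forward(SAMPLE_FORWARD)
    rev = parse_reverse(SAMPLE_REVERSE)
    for ip, names in sorted(merge_inventory(fwd, rev).items()):
        print(ip, ", ".join(names))
    print("PTR-only:", ", ".join(ptr_only_names(fwd, rev)))
```

Feed real runs in with `host ... | python3 parse_host.py` style plumbing if you like; the parser deliberately ignores any line it does not recognise, so IPv6 (`has IPv6 address`) or alias lines will need their own regex rather than silently producing wrong entries.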