# DIG Query

# Enumeration

#### dig - Banner Grabbing

Check the version of the DNS server software (e.g., BIND) to find out whether it has known vulnerabilities.

```bash
dig version.bind chaos txt @$IP
```

#### dig - NS query

Query the DNS server for the NS records of a specific domain.

```bash
dig ns <domain> @<DNS server IP>
dig ns wook.com @10.10.10.6
```

#### dig - ANY query

View all available records.

```bash
dig any <domain> @<DNS Server IP>
dig any wook @10.10.10.6
```

#### dig - version query

Query a DNS server's version using a class CHAOS query and type TXT.

```bash
# The server must be prefixed with @; otherwise dig treats it as another name to look up.
dig CH TXT version.bind @<DNS server IP>
```

#### dig - AXFR Zone Transfer

`Zone Transfer` refers to the transfer of zones to another server in DNS.

- Since a DNS failure has severe consequences for a company, the zone file is almost invariably kept identical on several name servers.
- When changes are made, it must be ensured that all servers have the same data.

```bash
dig axfr <domain> @<DNS server IP>
```

#### AXFR Zone Transfer Example

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ dig axfr inlanefreight.htb @$IP

; <<>> DiG 9.20.9-1-Debian <<>> axfr inlanefreight.htb @10.129.80.154
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 48 msec
;; SERVER: 10.129.80.154#53(10.129.80.154) (TCP)
;; WHEN: Sat Jan 03 23:02:19 UTC 2026
;; XFR size: 11 records (messages 1, bytes 560)
```

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ dig axfr internal.inlanefreight.htb @$IP

; <<>> DiG 9.20.9-1-Debian <<>> axfr internal.inlanefreight.htb @10.129.80.154
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN TXT "HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}"
internal.inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
internal.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
dc1.internal.inlanefreight.htb. 604800 IN A 10.129.34.16
dc2.internal.inlanefreight.htb. 604800 IN A 10.129.34.11
mail1.internal.inlanefreight.htb. 604800 IN A 10.129.18.200
ns.internal.inlanefreight.htb. 604800 IN A 127.0.0.1
vpn.internal.inlanefreight.htb. 604800 IN A 10.129.1.6
ws1.internal.inlanefreight.htb. 604800 IN A 10.129.1.34
ws2.internal.inlanefreight.htb. 604800 IN A 10.129.1.35
wsus.internal.inlanefreight.htb. 604800 IN A 10.129.18.2
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 43 msec
;; SERVER: 10.129.80.154#53(10.129.80.154) (TCP)
;; WHEN: Sat Jan 03 23:03:41 UTC 2026
;; XFR size: 15 records (messages 1, bytes 677)
```

### Subdomain Brute Forcing - script

```bash
# For each candidate name: query it, drop dig comment lines, SOA lines and blank lines,
# and keep only the lines that mention the candidate.
for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt); do
  dig "$sub".<domain> @<DNS server IP> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt
done
```

### Subdomain Brute Forcing - dnsenum

```bash
dnsenum --dnsserver <DNS server IP> --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt <domain>
```
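
For reviewing what a zone transfer like the ones above discloses about your own zones, the following added example (not part of the original page) summarises saved `dig axfr` output: whether the transfer completed, how many records of each type it returned, and which A records point at loopback or RFC 1918 addresses. The function names and the `example.test` sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarise saved `dig axfr` output for a zone-exposure review.

axfr_report() {
  # Reads dig AXFR output on stdin; prints transfer status, per-type record
  # counts, and A records that point at loopback or RFC 1918 space.
  awk '
    /^; Transfer failed/ { failed = 1 }
    /^;; XFR size:/      { xfr_ok = 1 }
    /^;/ || NF < 5       { next }        # skip dig comments and blank lines
    $3 == "IN" {
      count[$4]++
      if ($4 == "SOA") soa++
      if ($4 == "A" && $5 ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
        internal[++n] = $1 " " $5
    }
    END {
      # A complete AXFR begins and ends with the zone SOA record (RFC 5936).
      if (xfr_ok && soa >= 2) status = "open"
      else if (failed)        status = "refused"
      else                    status = "incomplete"
      print "status=" status
      for (t in count) print "type " t "=" count[t]
      for (i = 1; i <= n; i++) print "internal " internal[i]
    }'
}

sample_axfr() {
  # Constructed dig output for a made-up zone (not taken from the page).
  cat <<'EOF'
; <<>> DiG 9.x <<>> axfr example.test @192.0.2.53
;; global options: +cmd
example.test. 3600 IN SOA ns.example.test. root.example.test. 2 3600 600 86400 3600
example.test. 3600 IN NS ns.example.test.
www.example.test. 3600 IN A 198.51.100.10
dc1.example.test. 3600 IN A 10.0.5.16
vpn.example.test. 3600 IN A 172.20.1.6
ns.example.test. 3600 IN A 127.0.0.1
example.test. 3600 IN SOA ns.example.test. root.example.test. 2 3600 600 86400 3600
;; XFR size: 7 records (messages 1, bytes 300)
EOF
}

sample_axfr | axfr_report
```

A `status=open` result for a server that is not supposed to serve transfers to the querying host means its transfer ACL needs tightening.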