  1. site:microsoft.com -> restricts the results to pages on the target domain only.
  2. To find pages on the target domain that contain a keyword, use the keyword site:domain.com syntax.
  3. To require two keywords in every result, use the keyword1 AND keyword2 site:domain.com syntax.
  4. The OR syntax works the same way: keyword1 OR keyword2 site:domain.com returns pages that contain either keyword.
  5. To show only a specific file type from the target domain, use the site:domain.com filetype:pdf syntax (replace pdf with the extension you are after, for example xlsx, docx or txt).
  6. To find pages whose title contains a keyword, use the site:domain.com intitle:keyword syntax.
  7. To exclude results that contain a specific keyword, use the site:domain.com -keyword syntax (a plain hyphen directly in front of the keyword, with no space).
Tip

You can use the intext: syntax with a keyword to find pages that contain the keyword within their text/body. Using inurl: with a keyword filters for URLs that contain the keyword within the URL itself, which may lead you to a potentially sensitive directory on a company's domain (for example inurl:admin or inurl:backup).

  1. You can also use Google's advanced search form: go to google.com, click Settings in the lower-right corner, then Advanced search. Fill in the fields you need (all these words, this exact phrase, none of these words, site or domain, file type) and click the Advanced Search button; Google builds and runs the operator query for you.
  2. There are so many possible Google search operators that it can be overwhelming. The Google Hacking Database (GHDB), maintained by Offensive Security (https://www.offensive-security.com), the creators of Kali Linux, can be found at https://www.exploit-db.com/google-hacking-database. It contains a categorized list of Google dorks (ready-made operator queries) that are used to find very sensitive information on the internet using Google Search.
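Each operator above is easy to type once, but on an engagement you usually want the same set of dorks run against several target domains. The following Python script is an added example (not code from the original notes): it builds operator queries from structured input, quotes multi-word phrases, groups OR terms, and URL-encodes the result into a search link. The function names, the template list and the domains example.com and example.org are this example's own assumptions.

```python
"""Build Google search-operator queries ("dorks") from structured input.

Added example; it is not code from the original notes. The operator
syntax it emits (site:, filetype:, intitle:, inurl:, intext:, AND, OR,
-term and "quoted phrases") is Google's documented syntax; the function
names, the template list and the domains are this example's own
(example.com and example.org are assumed placeholder targets).
"""
from urllib.parse import quote_plus


def _term(value: str) -> str:
    """Wrap a multi-word term in double quotes so Google treats it as one phrase."""
    value = value.strip()
    return f'"{value}"' if any(ch.isspace() for ch in value) else value


def build_dork(site, *, all_terms=(), any_terms=(), exclude=(),
               filetype=None, intitle=None, inurl=None, intext=None):
    """Return one query string restricted to `site`.

    all_terms -> joined with AND (every term must appear)
    any_terms -> joined with OR inside parentheses (at least one must appear)
    exclude   -> each term prefixed with '-' (must not appear)
    """
    parts = [f"site:{site}"]
    if filetype:
        parts.append(f"filetype:{filetype}")
    if intitle:
        parts.append(f"intitle:{_term(intitle)}")
    if inurl:
        parts.append(f"inurl:{_term(inurl)}")
    if intext:
        parts.append(f"intext:{_term(intext)}")
    if all_terms:
        parts.append(" AND ".join(_term(t) for t in all_terms))
    if any_terms:
        joined = " OR ".join(_term(t) for t in any_terms)
        parts.append(f"({joined})" if len(any_terms) > 1 else joined)
    parts.extend(f"-{_term(t)}" for t in exclude)
    return " ".join(parts)


def search_url(dork: str) -> str:
    """URL-encode a dork into a Google search link (spaces become '+', ':' becomes %3A)."""
    return "https://www.google.com/search?q=" + quote_plus(dork)


# Constructed, GHDB-style templates for this example; {domain} is substituted per target.
TEMPLATES = [
    "site:{domain} filetype:pdf intitle:confidential",
    "site:{domain} inurl:admin",
    'site:{domain} intext:"index of" (backup OR sql)',
]


def expand_templates(domains, templates=TEMPLATES):
    """Return every (domain, query) pair for a list of target domains."""
    return [(d, t.format(domain=d)) for d in domains for t in templates]


if __name__ == "__main__":
    print(build_dork("example.com", filetype="pdf", intitle="internal use only"))
    print(build_dork("example.com", any_terms=("password", "passwd"), exclude=("reset",)))
    for domain, query in expand_templates(["example.com", "example.org"]):
        print(domain, "->", search_url(query))
```

Keep the generated links for your report: the query string documents exactly what was searched, which matters when a finding has to be reproduced later.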

DNS reconnaissance:

A DNS server works like a traditional telephone directory, which lists people and their telephone numbers. A DNS server holds records that map hostnames (the names) to their IP addresses (the telephone numbers), and records for the reverse direction as well.

There are many public DNS servers on the internet; some are operated by threat actors with malicious intent, for example to redirect unaware users to malicious websites. I therefore recommend configuring a trusted DNS provider on all of your networking devices and computers. Popular public DNS servers include:

• Cloudflare DNS: https://1.1.1.1/
• Quad9 DNS: https://www.quad9.net/
• Cisco OpenDNS: https://www.opendns.com/
• Google Public DNS: https://developers.google.com/speed/public-dns

DNS record types:

A: Resolves a hostname to an IPv4 address.

AAAA: Resolves a hostname to an IPv6 address.

NS: Lists the authoritative name servers for the domain.

MX: Lists the mail exchange (email) servers for the domain, each with a priority value.

PTR: Resolves an IP address to a hostname (reverse lookup).

CNAME: Maps an alias to its canonical hostname.

RP: Specifies the person responsible for the domain (an informational record that is rarely populated).

SOA: Start of authority; names the primary name server and the administrator's email address for the zone, and carries the zone serial number and the refresh, retry and expire timers that secondary servers use.

SRV: Locates a specific service for the domain; its data holds a priority, a weight, the port number and the hostname that provides the service.

As an aspiring penetration tester, you should know that DNS enumeration is the technique of querying DNS servers for the records of a specific organization's domain. In other words, you ask a DNS server for the hostnames and IP addresses that belong to the target, which lets you map its public servers, such as its email servers. You can also attempt a DNS zone transfer (AXFR) against the target's name servers: a server that is misconfigured to allow transfers to anyone hands over a copy of the entire zone, which frequently leaks internal hostnames and addresses.


DNS enumeration:

dnsrecon

  1. dnsrecon -d microsoft.com : the -d option takes the target domain name. With no other options, dnsrecon performs its standard enumeration of the domain's records.

DNS zone transfer misconfigurations

  1. Practise against zonetransfer.me, a domain that is deliberately configured to allow zone transfers to anyone, so you can see exactly what a misconfigured name server hands out.

Dnsenum:

dnsenum is an alternative enumeration tool that gathers the domain's host addresses, name servers and mail servers, and attempts a zone transfer against each name server it finds.
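Whichever tool you use (dig axfr zonetransfer.me @nsztm1.digi.ninja, dnsrecon -d zonetransfer.me -t axfr, or dnsenum zonetransfer.me), a successful transfer ends with a long list of records that you still have to read. The following Python script is an added example, not code from the original notes and not part of dnsrecon or dnsenum: it parses the resource-record lines that dig axfr prints, counts the record types listed in the table above, extracts every hostname the zone reveals, and flags A/AAAA records that point into RFC 1918, ULA or loopback address space, which is the finding you most often get from a transferable zone. The zone in SAMPLE_AXFR is constructed sample data for the placeholder domain example.com, not a real transfer.

```python
"""Triage the output of a DNS zone transfer (AXFR).

Added example; it is not code from the original notes and not part of
dnsrecon or dnsenum. It parses the resource-record lines printed by
`dig axfr <zone> @<nameserver>` (owner, TTL, class, type, rdata) and
reports what a pentester checks first: the hostnames the zone reveals,
how many records of each type it holds, and A/AAAA records that leak
internal (RFC 1918, ULA or loopback) addresses. SAMPLE_AXFR is
constructed sample data for the placeholder domain example.com; it is
not a real transfer.
"""
import ipaddress
from collections import Counter

SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.            3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600  IN  NS     ns1.example.com.
example.com.            3600  IN  NS     ns2.example.com.
example.com.            3600  IN  MX     10 mail.example.com.
example.com.            3600  IN  A      203.0.113.10
www.example.com.        300   IN  CNAME  example.com.
mail.example.com.       3600  IN  A      203.0.113.25
ns1.example.com.        3600  IN  A      203.0.113.53
ns2.example.com.        3600  IN  A      203.0.113.54
intranet.example.com.   3600  IN  A      10.20.30.40
vpn.example.com.        3600  IN  AAAA   2001:db8::1
_sip._tcp.example.com.  3600  IN  SRV    0 5 5060 sip.example.com.
sip.example.com.        3600  IN  A      192.168.1.20
example.com.            3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 14 records (messages 1, bytes 412)
"""

# Address ranges that should never appear in a public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "fc00::/7",                                        # IPv6 ULA
)]


def parse_axfr(text):
    """Return (owner, ttl, type, rdata) tuples from dig axfr output.

    Comment lines (';') are skipped, and the SOA that dig prints at both the
    start and the end of the transfer is kept only once so counts are accurate.
    """
    records, seen = [], set()
    for line in text.splitlines():
        fields = line.strip().split(None, 4)
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = fields
        rdata = " ".join(rdata.split())  # normalise inner whitespace
        key = (owner, rtype, rdata)
        if key not in seen:
            seen.add(key)
            records.append((owner.rstrip("."), int(ttl), rtype, rdata))
    return records


def type_counts(records):
    """How many records of each type the zone holds."""
    return Counter(rtype for _o, _t, rtype, _r in records)


def hostnames(records):
    """Distinct hostnames: every owner name plus the targets of NS/CNAME/MX/SRV."""
    names = set()
    for owner, _ttl, rtype, rdata in records:
        names.add(owner)
        if rtype in ("NS", "CNAME", "MX", "SRV"):
            names.add(rdata.split()[-1].rstrip("."))  # target is the last field
    return sorted(names)


def internal_address_leaks(records):
    """A/AAAA records pointing at internal address space, as (owner, address)."""
    leaks = []
    for owner, _ttl, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            leaks.append((owner, rdata))
    return leaks


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("records:", dict(type_counts(recs)))
    print("hostnames:", ", ".join(hostnames(recs)))
    for owner, addr in internal_address_leaks(recs):
        print(f"LEAK: {owner} -> {addr}")
```

The explicit INTERNAL_NETS list is deliberate: Python's ipaddress.is_private also returns True for documentation ranges such as 203.0.113.0/24 and 2001:db8::/32, which would produce false positives on sample zones like this one.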


OSINT automation:

Spiderfoot is a very popular OSINT tool that helps penetration testers automate the process of gathering intelligence about their targets. It presents all the data it has gathered as graphs and tables, which makes the collected data easy to read and interpret.

Using spiderfoot:

  1. Identify your IP address.
  2. Run sudo spiderfoot -l your_ip:80 . The -l option sets the address and port the web interface listens on; if another service is already using port 80 on your system, choose a different port. Then open http://your_ip:80 (or the port you chose) in a browser.
  3. Click the Settings button. Spiderfoot can gather information from a wide range of online sources, but some of them require an Application Programming Interface (API) key before Spiderfoot can query them; those sources are marked with a lock icon next to their names. Spiderfoot works much better when the API keys have been configured in its Settings menu, and many of these sources issue a key for a free account, so take the time to register with a few of them and paste each key into the matching field.
  4. To start a scan, select New Scan, give the scan a name and a target, choose the Footprint use case, then click Run Scan Now.
  5. While the scan is running, click Graph to see all the connections between the discovered entities.
  6. To view the collected data grouped by category, click Browse.
  7. Click any data type to drill into the individual results.
  8. Raw DNS records: Browse -> Raw DNS Records.