
How to Use Nmap to Perform DNS Enumeration

Captain Salem 4 min read


DNS enumeration is discovering all the DNS (Domain Name System) records for a particular domain name. We can use DNS enumeration to gather information about a target network. This can allow us to expand the attack surface.

The DNS system is responsible for resolving domain names to IP addresses. When a user types a domain name in their browser, the DNS system translates that domain name into an IP address, which is used to locate the web server hosting the website. DNS enumeration is querying the DNS system for information about a particular domain.

Several types of DNS records can be queried during DNS enumeration, including A, MX, NS, and SOA records. A records map domain names to IPv4 addresses (AAAA records do the same for IPv6), while MX records are used for email routing. NS records specify the authoritative name servers for the domain, while the SOA record provides the start-of-authority information for the zone: the primary name server, the administrator contact, and the zone serial and timers.

Nmap is one of the most popular tools for network scanning, so in this post we explore how to perform DNS enumeration with it.

DNS Enumeration with NMAP

Nmap allows us to perform a DNS Enumeration using its built-in NMAP Scripting Engine, or NSE.

The Nmap Scripting Engine (NSE) is a powerful feature of Nmap that allows users to automate various tasks, including network discovery, vulnerability scanning, and exploitation. The NSE consists of a collection of scripts that can be run on top of Nmap to perform various tasks.

The NSE scripts are written in Lua, a lightweight scripting language that is easy to learn and use. The scripts are designed to be modular and can be easily modified or customized to fit specific needs. NSE scripts can be used for various purposes, such as fingerprinting operating systems, identifying services and applications, detecting vulnerabilities, and exploiting security weaknesses.

We can use the --script option which allows us to define what script we wish to use.

Nmap DNS Enumeration Using Broadcast DNS Discovery

In Nmap, we can use the broadcast-dns-service-discovery script to perform a DNS Enumeration on a target host.

https://nmap.org/nsedoc/scripts/broadcast-dns-service-discovery.html

This script attempts to discover hosts’ services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a follow-up query for each one to get more information.

The command syntax is as shown below:

sudo nmap --script=broadcast-dns-service-discovery <target>

Here target is the host that Nmap scans. The DNS-SD query itself is multicast on the local network segment, so the script only finds services advertised on the network you run it from; the target mainly determines what else Nmap scans in the same run.

An example command is as shown below:

sudo nmap --script=broadcast-dns-service-discovery geekbits.io

An example output is as shown:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 19:00 EST
Nmap scan report for geekbits.io (178.128.137.126)
Host is up (0.019s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 99.81 seconds

Nmap DNS Enumeration Using DNS-BRUTE

We can also use the dns-brute script to perform DNS enumeration with Nmap. This script attempts to enumerate DNS hostnames by brute-force guessing common subdomains from a built-in word list. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

Wildcard records are listed as “A” and ”AAAA” for IPv4 and IPv6, respectively.

The command syntax is as shown (dns-brute.domain sets the domain to enumerate when the target itself is not the domain name; add dns-brute.srv to include SRV records):

nmap -p 53 --script dns-brute --script-args dns-brute.domain=example.com <target>

For example:

sudo nmap -T4 -p 53 --script dns-brute www.geekbits.io

Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 19:13 EST
Nmap scan report for www.geekbits.io (151.101.3.7)
Host is up (0.082s latency).
Other addresses for www.geekbits.io (not scanned): 151.101.67.7 151.101.131.7 151.101.195.7 2a04:4e42::775 2a04:4e42:200::775 2a04:4e42:400::775 2a04:4e42:600::775

PORT   STATE    SERVICE
53/tcp filtered domain

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     www.geekbits.io - 151.101.131.7
|     www.geekbits.io - 151.101.195.7
|     www.geekbits.io - 151.101.3.7
|     www.geekbits.io - 151.101.67.7
|     www.geekbits.io - 2a04:4e42:200::775
|     www.geekbits.io - 2a04:4e42:400::775
|     www.geekbits.io - 2a04:4e42:600::775
|_    www.geekbits.io - 2a04:4e42::775

Nmap done: 1 IP address (1 host up) scanned in 18.91 seconds
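As an added example (not code from the original post or from Nmap), the POSIX shell functions below pull the hostname and address pairs out of a dns-brute block in Nmap's normal output and compare them against an inventory of names you expect to resolve, so that forgotten or unexpected records stand out. The sample Nmap output is constructed in the format shown above with made-up hosts, and the inventory list is an assumption.

```shell
#!/bin/sh
# Added example: parse dns-brute results from Nmap normal output and flag
# hostnames missing from a known inventory. The sample below is constructed
# in the format of the run shown above; the hosts and addresses are made up.
SAMPLE_DNS_BRUTE='Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     www.example.com - 93.184.216.34
|     mail.example.com - 93.184.216.35
|     dev.example.com - 10.0.0.12
|_    www.example.com - 2606:2800:220:1:248:1893:25c8:1946

Nmap done: 1 IP address (1 host up) scanned in 66.66 seconds'

# Read Nmap output on stdin; print "hostname address" for each dns-brute hit.
dns_brute_pairs() {
  awk '
    /^[|] dns-brute:/ { in_block = 1; next }      # start of the script block
    in_block && /^$/  { in_block = 0; next }      # a blank line ends it
    in_block && / - / {
      sub(/^[|]_? +/, "")                         # strip the "|" or "|_" prefix
      split($0, f, " - ")
      print f[1], f[2]
    }
  '
}

# Print each discovered hostname (once) that is absent from a comma-separated
# inventory of expected names; anything printed is a record to review.
unexpected_hosts() {
  dns_brute_pairs | awk -v inv="$1" '
    BEGIN { n = split(inv, a, ","); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    !($1 in known) && !seen[$1]++ { print $1 }
  '
}

# Live use: pipe a real scan into the parser, e.g.
#   sudo nmap -p 53 --script dns-brute --script-args dns-brute.domain=example.com ns1.example.com \
#     | unexpected_hosts "www.example.com,mail.example.com"
printf '%s\n' "$SAMPLE_DNS_BRUTE" | unexpected_hosts "www.example.com,mail.example.com"
```

Running the same parse on a scheduled scan of your own domain and diffing against the inventory each time turns dns-brute from a reconnaissance tool into a cheap check for stale or unapproved DNS records.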

Nmap DNS Enumeration Using DNS Recursion Script

Another script you can use is dns-recursion. It checks whether a DNS server answers recursive queries for third-party names, that is, names it is not authoritative for.

Recursion is expected on your internal name servers. A server that answers recursive queries for anyone on the internet is an open resolver and should be restricted to the clients it is meant to serve.

The command syntax is as shown:

nmap -sU -p 53 --script=dns-recursion <target>
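As an added example (not part of the original post or of Nmap itself), the POSIX shell functions below parse the normal output of a dns-recursion scan, list every host on which the script reported recursion, and then keep only the hosts outside private address space, since those are the candidates for open resolvers. The Nmap output is constructed for this example and the hostnames are made up; the "Recursion appears to be enabled" line is the wording the script prints when recursion is allowed.

```shell
#!/bin/sh
# Added example: triage dns-recursion results from Nmap normal output.
# SAMPLE_RECURSION_SCAN is a constructed scan of three made-up hosts, in the
# format Nmap prints for: nmap -sU -p 53 --script=dns-recursion <targets>
SAMPLE_RECURSION_SCAN='Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 19:30 EST
Nmap scan report for ns1.internal.example (10.0.0.53)
Host is up (0.0010s latency).

PORT   STATE SERVICE
53/udp open  domain
|_dns-recursion: Recursion appears to be enabled

Nmap scan report for ns-ext.example.com (203.0.113.53)
Host is up (0.012s latency).

PORT   STATE SERVICE
53/udp open  domain
|_dns-recursion: Recursion appears to be enabled

Nmap scan report for auth.example.com (203.0.113.54)
Host is up (0.011s latency).

PORT   STATE SERVICE
53/udp open  domain

Nmap done: 3 IP addresses (3 hosts up) scanned in 2.10 seconds'

# Read Nmap output on stdin; print "hostname address" for each host whose
# dns-recursion result says recursion is enabled.
recursive_resolvers() {
  awk '
    /^Nmap scan report for / {
      host = $5
      # "Nmap scan report for name (ip)" or, without a reverse name, "... for ip"
      if (NF >= 6) { ip = $6; gsub(/[()]/, "", ip) } else { ip = host }
    }
    /dns-recursion: Recursion appears to be enabled/ { print host, ip }
  '
}

# Drop resolvers in RFC 1918 space; what remains answers recursive queries on a
# public address and should be restricted to its intended clients or closed.
public_open_resolvers() {
  recursive_resolvers | awk '
    $2 ~ /^10\./                          { next }
    $2 ~ /^192\.168\./                    { next }
    $2 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./  { next }
    { print }
  '
}

# Live use: sudo nmap -sU -p 53 --script=dns-recursion <targets> | public_open_resolvers
printf '%s\n' "$SAMPLE_RECURSION_SCAN" | public_open_resolvers
```

The hostname filter is deliberately coarse: it treats every non-RFC 1918 address as internet-facing, so adjust the exclusions to your own address plan before relying on the list.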

Nmap DNS Enumeration All in One

If you are not sure which DNS script to use, you can select every script whose name starts with dns- using a wildcard, as in the syntax below. Quote the pattern so that the shell does not expand it before Nmap sees it:

nmap -sS --script "dns-*" <target_domain>

Example:

sudo nmap -sS --script "dns-*" www.example.com

Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 19:20 EST
Nmap scan report for www.example.com (93.184.216.34)
Host is up (0.00025s latency).
Other addresses for www.example.com (not scanned): 93.184.216.34
All 1000 scanned ports on www.example.com (93.184.216.34) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Host script results:
| dns-blacklist: 
|   SPAM
|     l2.apews.org - FAIL
|_    all.spamrats.com - FAIL
| dns-brute: 
|   DNS Brute-force hostnames: 
|     www.example.com - 93.184.216.34
|_    www.example.com - 2606:2800:220:1:248:1893:25c8:1946

Nmap done: 1 IP address (1 host up) scanned in 66.66 seconds

Conclusion

In conclusion, DNS enumeration is crucial for identifying potential vulnerabilities in a target network. Nmap scripts can be a powerful tool for automating this process and saving time.

Using various Nmap scripts, we can perform different types of DNS enumeration and gather valuable information about the target network. However, using these scripts responsibly and with proper authorization is essential, as they can also be used for malicious purposes. Learning how to perform DNS enumeration using Nmap scripts is a valuable skill for you.
