The host command is a simple DNS lookup utility. It is normally used to convert hostnames to IP addresses and vice versa.
When no arguments or options are given, host prints a short summary of its command-line arguments and options.
host google.com
google.com has address 142.250.183.14
google.com has IPv6 address 2404:6800:4009:820::200e
google.com mail is handled by 10 smtp.google.com.
Using whois
WHOIS is a request and response protocol with a published specification; a WHOIS server listens on TCP port 43 for incoming requests.
The domain registrar is responsible for maintaining the WHOIS records for the domain names it leases. The whois client queries the WHOIS server and returns all stored records for the domain.
whois thmredteam.com
After a whois lookup, we might get lucky and find names, email addresses, postal addresses, and phone numbers, in addition to other technical information.
At the end of the whois query, we find the authoritative name servers for the domain in question.
Using dig command
The dig command (domain information groper) can be used to dig into the DNS records of a domain.
Basic enumeration with authoritative answers, or finding the IPs to which a domain resolves
An authoritative answer is a response we get directly from the primary DNS server holding the master copy of the zone file, rather than from a caching resolver. To find the authoritative answer for google.com, we run an nslookup query naming the primary name server, ns1.google.com.
nslookup ns1.google.com
Upon executing the command, we get the following response, which gives us the addresses of the authoritative name server for the specified domain.
nslookup
> server 169.16.207.20
> set type=any
> ls -d Yourorg.com
Here server selects the name server to query, set type=any asks for every record type, and ls -d requests a listing of the whole zone (a zone transfer), which only succeeds if that server allows transfers to arbitrary clients. Note that ls is only available in the Windows version of nslookup.
Using fierce for Zone transfer
fierce will try to perform a zone transfer against every authoritative name server and, if that does not work, will fall back to a dictionary attack against the domain.
fierce --domain <DOMAIN> --dns-servers <DNS_IP>
Using DNS recon
To attempt a zone transfer (AXFR):
dnsrecon -t axfr -d <target domain>
dnsrecon -a -d tesla.com
Reverse DNS Brute Force
dnsrecon -r 127.0.0.0/24 -n <IP_DNS> #DNS reverse of all of the addresses
dnsrecon -r 127.0.1.0/24 -n <IP_DNS> #DNS reverse of all of the addresses
dnsrecon -r <IP_DNS>/24 -n <IP_DNS> #DNS reverse of all of the addresses
DNSSEC Zone Walking
Domain Name System Security Extensions (DNSSEC) zone walking is a DNS enumeration technique in which an attacker obtains the records of a zone that is not properly configured by following its NSEC chain. The enumerated zone information can assist the attacker in building a map of the hosts on the network.
dnsrecon -d <target domain> -z
An example is as follows:
dnsrecon -d www.certifiedhacker.com -z
[*] std: Performing General Enumeration against: www.certifiedhacker.com...
[-] DNSSEC is not configured for www.certifiedhacker.com
[*] SOA ns1.bluehost.com 162.159.24.80
[*] NS ns2.bluehost.com 162.159.25.175
[*] Bind Version for 162.159.25.175 "2023.9.0"
[*] NS ns1.bluehost.com 162.159.24.80
[*] Bind Version for 162.159.24.80 "2023.9.0"
[*] MX mail.certifiedhacker.com 162.241.216.11
[*] CNAME www.certifiedhacker.com certifiedhacker.com
[*] A certifiedhacker.com 162.241.216.11
[*] TXT www.certifiedhacker.com v=spf1 a mx ptr include:bluehost.com ?all
[*] Enumerating SRV Records
[-] No SRV Records Found for www.certifiedhacker.com
[*] Performing NSEC Zone Walk for www.certifiedhacker.com
[*] Getting SOA record for www.certifiedhacker.com
[*] Name Server 162.159.24.80 will be used
[*] CNAME www.certifiedhacker.com certifiedhacker.com
[*] A certifiedhacker.com 162.241.216.11
[+] 2 records found
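As an added example (not code from this page or from dnsrecon) of what the NSEC zone walk shown above actually does: an offline Python model of an NSEC-signed zone, with a walker that recovers every name in it from NXDOMAIN proofs alone. The zone example.test. and its names are constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# Constructed zone (not a real domain): the NSEC chain in DNSSEC canonical order.
# Each NSEC record is "owner -> next existing owner"; the last one wraps to the apex.
# RRSIG signatures over the records are omitted from this model.
NSEC_CHAIN: Dict[str, str] = {
    "example.test.": "dev.example.test.",
    "dev.example.test.": "mail.example.test.",
    "mail.example.test.": "vpn-old.example.test.",
    "vpn-old.example.test.": "www.example.test.",
    "www.example.test.": "example.test.",
}


def canonical_key(name: str) -> List[bytes]:
    """Sort key for DNSSEC canonical name order: labels compared right to left,
    case-insensitively, with a shorter (parent) name sorting before its children."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode() for label in reversed(labels)]


def fake_authoritative_query(name: str) -> Tuple[str, str]:
    """Model of an NSEC-signed authoritative server for names inside the zone.
    Returns the NSEC record (owner, next) whose owner is the greatest name not
    sorting after `name`. For a non-existent name that record is the NXDOMAIN
    proof, and its `next` field reveals a real name the querier never asked for."""
    key = canonical_key(name)
    covering = max((o for o in NSEC_CHAIN if canonical_key(o) <= key), key=canonical_key)
    return covering, NSEC_CHAIN[covering]


def walk_zone(apex: str) -> List[str]:
    """Enumerate every name in the zone by hopping along NSEC `next` pointers.
    This is what dnsrecon's NSEC zone walk does against a live server."""
    found = [apex]
    current = apex
    while True:
        # Ask for a name that sorts immediately after `current` (a leading zero-byte
        # label). It does not exist, so the server proves that with `current`'s NSEC.
        _owner, nxt = fake_authoritative_query("\x00." + current)
        if nxt == apex:  # chain wrapped around to the apex: the whole zone is listed
            return found
        found.append(nxt)
        current = nxt


if __name__ == "__main__":
    for name in walk_zone("example.test."):
        print(name)
```

Signing the zone with NSEC3 instead replaces the owner names in the chain with hashes, so the same walk yields only hashes that still have to be brute-forced offline.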
DNS spoofing, or DNS cache poisoning, involves using altered DNS records to redirect online traffic to a fraudulent site that impersonates the intended destination. Once users reach the fraudulent destination, they are prompted to log in to their account.
Subdomain takeovers
What is a Subdomain takeover?
If the process of provisioning or deprovisioning (removing) a virtual host is not handled properly, there can be an opportunity for an attacker to take over a subdomain.
This can happen because either a virtual host hasn't been published yet or a virtual host has been removed.
An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.
How do they happen?
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) record in the Domain Name System (DNS), but no host is providing content for it.