Day 5/60. DNS enumeration is the first thing I do on every penetration test.
Quick Wins with Record Analysis
Before running any tools, query specific record types:
# SRV records reveal services like LDAP/Kerberos
dig _ldap._tcp.target.com SRV +short
dig _kerberos._tcp.target.com SRV +short
# AAAA records -- often less firewalled than IPv4
dig target.com AAAA +short
SRV records confirm Active Directory environments and reveal domain controller hostnames. AAAA records expose IPv6 services that may lack the firewall rules applied to IPv4.
Amass for Full Enumeration
# Passive -- zero contact with target
amass enum -passive -d target.com -o results.txt
# Find related domains by organization name
amass intel -org "Target Corp"
The intel module discovers domains via WHOIS and ASN data. On one engagement it found three domains the client forgot to include in scope.
Pro Tips
- Test for wildcard DNS before brute forcing (query a random subdomain)
- NSEC zone walking works on DNSSEC-signed zones that use NSEC rather than NSEC3
- CT (Certificate Transparency) logs reveal wildcard certificates that confirm an environment exists
- Always try IXFR if AXFR fails -- some servers block one but not the other
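The wildcard check from the first tip, as an added example that is not from the post: the resolver is injectable, so the constructed `example.test` zone (made-up names and TEST-NET-1 addresses) runs offline, and on a zone you administer or are authorized to test you pass `system_resolve` instead.

```python
import secrets
import socket
import string
from typing import Callable, Dict, Iterable, Set

Resolver = Callable[[str], Set[str]]  # hostname -> set of addresses (empty = no answer)


def system_resolve(name: str) -> Set[str]:
    """Resolve with the OS resolver; empty set on NXDOMAIN or any lookup failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def random_label(length: int = 12) -> str:
    """Random label that no real zone should contain, e.g. 'k3f9x0q2m7ab'."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver = system_resolve, probes: int = 3) -> Set[str]:
    """Query several random subdomains. If every probe gets an answer the zone has a
    wildcard; return the union of those answers (covers round-robin wildcards), else set()."""
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    return set().union(*answers) if all(answers) else set()


def filter_wildcard_hits(domain: str, labels: Iterable[str],
                         resolve: Resolver = system_resolve) -> Dict[str, Set[str]]:
    """Resolve candidate labels, dropping names whose only answer is the wildcard's."""
    wildcard = detect_wildcard(domain, resolve)
    real: Dict[str, Set[str]] = {}
    for label in labels:
        name = f"{label}.{domain}"
        addrs = resolve(name)
        if addrs and not addrs <= wildcard:
            real[name] = addrs
    return real


# Constructed stand-in for a zone with a catch-all wildcard; example.test and the
# 192.0.2.0/24 (TEST-NET-1) addresses are made up, so this runs with no network.
_TABLE = {"www.example.test": {"192.0.2.10"}, "mail.example.test": {"192.0.2.20"}}


def constructed_resolver(name: str) -> Set[str]:
    if name in _TABLE:
        return _TABLE[name]
    return {"192.0.2.99"} if name.endswith(".example.test") else set()
```

With the constructed zone, `filter_wildcard_hits("example.test", ["www", "mail", "nothere"], constructed_resolver)` keeps only `www` and `mail`; `nothere` resolves, but only to the wildcard address, so it is dropped.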