
Domains & DNS

Google Dorks

Search Operators

site:website1.com                 # Search only within website1.com  
intitle:website1                  # Find pages with "website1" in the title  
inurl:website1                    # Find pages with "website1" in the URL  
intext:website1                   # Find pages containing "website1" in the body text  
filetype:pdf site:website1.com     # Find PDFs on website1.com  
site:website1.com -www -support    # Exclude "www" and "support" subdomains  
site:website1.com filetype:pdf 2020..2022  # Find PDFs from 2020-2022  

Social Media OSINT

LinkedIn & Employee Discovery

Find employees on LinkedIn

Apple's LinkedIn Page

Automate LinkedIn Scraping

Download: LinkedInt - GitHub

Email Address Discovery

Find corporate email formats

Website: Hunter.io

  • Example format: {f}{last}@website1.com, giving b.builder@website1.com
  • Automate email generation using scraped LinkedIn names.

DNS Attacks

Virtual Host Enumeration

Identify Invalid Vhost Response Size

curl -s -I http://<target> -H "HOST: invalid.<domain>" | grep "Content-Length:"

Brute-force Vhosts with FFUF

ffuf -w <wordlist>:FUZZ -u http://<target>/ -H 'Host: FUZZ.<domain>' -fs <invalid_response_size>

Add Discovered Hosts to /etc/hosts

sudo tee -a /etc/hosts > /dev/null <<EOT
## domain1 hosts
10.10.10.10 domain1.com blog.domain1.com
EOT
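The three steps above (measure the "unknown host" answer, fuzz candidate names against it, record the hits) can be done in a few lines of Python when ffuf is not at hand, and doing it by hand makes one caveat visible: if the server's answer for an unknown Host header is not constant (for example because the Host value is echoed into the body), a single baseline size gives a screen full of false positives. The example below is added here and is not from the original page; it samples several random names for the baseline and reports whether that baseline is stable. `FAKE_RESPONSES`, `UNKNOWN_HOST` and `fake_probe` are constructed stand-ins so the block runs offline; `http_probe` is the real request function.

```python
import http.client
import random
import string

# Constructed responses for the offline run: (status, body length) per Host header value.
# Anything not listed gets the server's "unknown host" answer.
FAKE_RESPONSES = {
    "blog.domain1.com": (200, 5120),
    "admin.domain1.com": (401, 180),
}
UNKNOWN_HOST = (200, 1024)


def fake_probe(host):
    return FAKE_RESPONSES.get(host, UNKNOWN_HOST)


def http_probe(target, host, timeout=5):
    """Real probe: GET / on target with the given Host header; returns (status, body length)."""
    conn = http.client.HTTPConnection(target, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def random_label():
    # Varying length, so a baseline that depends on the Host value shows up as unstable.
    n = random.randint(6, 16)
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def find_vhosts(domain, candidates, probe, baseline_samples=3):
    """Same idea as the curl + ffuf -fs steps: learn what the server returns for a name it
    does not know, then report candidates that get a different answer.
    probe(host) -> (status, size).  Several random names are sampled so that a jittering
    baseline is detected instead of silently producing false positives."""
    baseline = {probe(f"{random_label()}.{domain}") for _ in range(baseline_samples)}
    found = []
    for sub in candidates:
        host = f"{sub}.{domain}"
        status, size = probe(host)
        if (status, size) not in baseline:
            found.append((host, status, size))
    return {"baseline": sorted(baseline), "stable": len(baseline) == 1, "found": found}


if __name__ == "__main__":
    # Offline demonstration with the constructed responses.  Against a real target:
    #   find_vhosts("domain1.com", words, lambda h: http_probe("10.10.10.10", h))
    result = find_vhosts("domain1.com", ["www", "blog", "admin", "mail"], fake_probe)
    if not result["stable"]:
        print("warning: unknown-host response varies; size filtering alone is unreliable")
    for host, status, size in result["found"]:
        print(f"{host}: status={status} size={size}")
```

When `stable` comes back False, filter on status code or a body fingerprint instead of size, which is the same adjustment you would make by swapping ffuf's `-fs` for `-fc` or `-fr`.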

Zone Transfer

A zone transfer (AXFR) replicates the whole zone from the primary (master) server to its secondaries (slaves). A server that answers AXFR requests from arbitrary clients hands out every record in the zone, so the query below is both an enumeration step and a misconfiguration check.

dig axfr <domain> @<DNS server>
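What an open transfer actually discloses is easier to judge from an inventory than from raw dig output. The parser below is an added example, not part of the original page: it reads `dig axfr` output, skips the `;`-prefixed header and status lines, and summarises the hostnames, the RFC 1918 addresses (internal infrastructure leaked to the outside) and the CNAMEs pointing outside the zone. `SAMPLE_AXFR` is a constructed transcript for the made-up zone `domain1.com`, not captured from any real server.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `dig axfr` output for a made-up zone; not captured from any real server.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr domain1.com @10.10.10.10
;; global options: +cmd
domain1.com.\t\t86400\tIN\tSOA\tns1.domain1.com. admin.domain1.com. 2024010101 3600 900 604800 86400
domain1.com.\t\t86400\tIN\tNS\tns1.domain1.com.
ns1.domain1.com.\t86400\tIN\tA\t10.10.10.10
www.domain1.com.\t3600\tIN\tA\t203.0.113.20
blog.domain1.com.\t3600\tIN\tCNAME\twww.domain1.com.
vpn.domain1.com.\t3600\tIN\tA\t10.10.20.5
shop.domain1.com.\t3600\tIN\tCNAME\tshop-acme.example-cdn.net.
domain1.com.\t\t86400\tIN\tSOA\tns1.domain1.com. admin.domain1.com. 2024010101 3600 900 604800 86400
;; Query time: 3 msec
;; XFR size: 8 records (messages 1, bytes 240)
"""

# name  ttl  IN  type  rdata  (dig separates the fields with tabs)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True for RFC 1918 IPv4 addresses; non-addresses and IPv6 are not flagged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_axfr(text):
    """Return (name, ttl, rtype, rdata) for every resource record in dig axfr output.
    Comment and status lines start with ';' and are skipped; dig repeats the SOA at the end."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        records.append((name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def summarize_exposure(records):
    """Describe what the transfer disclosed: hostnames, internal addresses, and CNAMEs that
    point outside the zone (the input for a dangling-CNAME / takeover check)."""
    zone = next(name for name, _, rtype, _ in records if rtype == "SOA")

    def in_zone(host):
        return host == zone or host.endswith("." + zone)

    hosts = sorted({name for name, _, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})
    private_ips, external_cnames = [], []
    for name, _, rtype, rdata in records:
        if rtype in ("A", "AAAA") and is_internal(rdata):
            private_ips.append((name, rdata))
        elif rtype == "CNAME":
            target = rdata.rstrip(".").lower()
            if not in_zone(target):
                external_cnames.append((name, target))
    return {
        "zone": zone,
        "by_type": dict(Counter(rtype for _, _, rtype, _ in records)),
        "hosts": hosts,
        "private_ips": private_ips,
        "external_cnames": external_cnames,
    }


if __name__ == "__main__":
    # Pipe real output in with:  dig axfr <domain> @<DNS server> | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR
    for key, value in summarize_exposure(parse_axfr(text)).items():
        print(f"{key}: {value}")
```

On the constructed sample the summary shows two hosts on 10.x addresses and one CNAME into a third-party CDN; on a real zone those are the lines to act on (restrict AXFR to the secondaries' addresses, then review what the leaked names reveal).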

DNS Tools

Nmap

A network scanner that detects open DNS services and performs enumeration.
Download: Nmap - Official Site

nmap --open -p 53 --script=dns-nsid,dns-version <target>

Dig

A DNS lookup tool for querying domain records and testing DNS servers.
Download: Dig (part of BIND) - ISC Official Site

dig soa <domain>                   # SOA record  
dig any <domain>                   # Fetch all records  
dig ns <domain> @<DNS server>       # Query nameservers  
dig axfr <domain> @<DNS server>     # Attempt zone transfer  
dig CH TXT version.bind @<DNS server> # Fetch DNS server version  

Subdomain Brute Force

# +noall +answer prints only answer records, so names that do not exist produce no line
for sub in $(cat <wordlist>); do
  dig +noall +answer "$sub.<domain>" @<DNS server> | tee -a subdomains.txt
done

Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

DNSEnum

Automates enumeration of DNS records and subdomains.
Download: DNSEnum - Kali Linux Tools

dnsenum --dnsserver <DNS server> --enum -p 0 -s 0 -o <output file> -f <wordlist> <domain>

Fierce

Performs DNS reconnaissance to enumerate hosts and detect zone transfers.
Download: Fierce - GitHub Repository

fierce --domain <domain>

DNSDumpster

An online passive DNS reconnaissance tool for subdomain discovery.
Website: DNSDumpster - Online Lookup

Sublist3r

Finds subdomains using multiple public sources and brute force.
Download: Sublist3r - GitHub Repository

python3 sublist3r.py -d <target_domain>

Subfinder

A fast subdomain enumeration tool leveraging passive sources.
Download: Subfinder - GitHub Repository

./subfinder -d <target_domain> -v

Subbrute

Performs recursive subdomain brute-force attacks.
Download: Subbrute - GitHub Repository

echo "<DNS server>" > ./resolvers.txt     # resolvers.txt holds resolver IPs, not the target
./subbrute <target_domain> -s ./names.txt -r ./resolvers.txt

Host

A simple command-line DNS lookup utility for retrieving CNAME and other records.
Download: Host (part of BIND) - ISC Official Site

host <subdomain>

Can-I-Take-Over-XYZ

Detects subdomain takeover vulnerabilities by analyzing CNAME records.
Download: Can-I-Take-Over-XYZ - GitHub Repository

./can-i-take-over-xyz -d <target_domain>
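The precondition for a subdomain takeover is a CNAME whose target nobody controls any more, so the defender-side routine is to audit every CNAME in your zones and resolve its target. The example below is added here and is not from the original page or the tool above: it takes (name, target) pairs such as a zone listing yields, classifies each as dangling (target does not resolve), external but live (third-party target still worth reviewing) or in-zone and fine. `SAMPLE_CNAMES`, `FAKE_DNS` and `fake_resolve` are constructed so the block runs offline; `live_resolve` uses the system resolver.

```python
import socket

# Constructed (name, CNAME target) pairs such as a zone listing yields; not real records.
SAMPLE_CNAMES = [
    ("blog.domain1.com", "www.domain1.com"),
    ("shop.domain1.com", "shop-acme.example-cdn.net"),
    ("old-app.domain1.com", "retired-tenant.example-paas.net"),
]

# Constructed resolver view for the offline run: names missing here are treated as NXDOMAIN.
FAKE_DNS = {
    "www.domain1.com": "203.0.113.20",
    "shop-acme.example-cdn.net": "198.51.100.7",
}


def fake_resolve(host):
    return FAKE_DNS.get(host)


def live_resolve(host):
    """Real lookup via the system resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def audit_cnames(cnames, zone, resolve=live_resolve):
    """Sort CNAME records into:
      dangling      - target no longer resolves: the record points at something nobody
                      owns, which is the classic takeover precondition
      external_live - target is outside the zone and resolves; still worth a review,
                      because the tenant behind a shared service may be deprovisioned
                      while the service hostname itself keeps resolving
    In-zone targets that resolve are fine and are not reported."""
    zone = zone.rstrip(".").lower()
    dangling, external_live = [], []
    for name, target in cnames:
        target = target.rstrip(".").lower()
        in_zone = target == zone or target.endswith("." + zone)
        if resolve(target) is None:
            dangling.append((name, target))
        elif not in_zone:
            external_live.append((name, target))
    return {"dangling": dangling, "external_live": external_live}


if __name__ == "__main__":
    # Offline demonstration; drop resolve= to query the real resolver.
    for status, items in audit_cnames(SAMPLE_CNAMES, "domain1.com", resolve=fake_resolve).items():
        for name, target in items:
            print(f"{status:14} {name} -> {target}")
```

Resolution failure is only the cheapest signal: a target on a shared platform usually keeps resolving after the tenant is gone and answers with the platform's "no such site" page instead, which is what the service fingerprint lists in the repository above are for. The fix in either case is the same, remove or repoint the record before anyone else claims the name.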

Post-Takeover Attack Vectors

  • Phishing: Host fake login pages.
  • Cookie Theft: Capture session tokens.
  • CSRF Exploitation: Perform unauthorized actions.
  • Abusing CORS: Access restricted data.
  • Defeating CSP: Inject malicious scripts.