LabEx
Log InJoin Free

Enumerate DNS Records in Nmap

NmapBeginner
Practice Now

Introduction

In this lab, you will learn how to enumerate DNS records using Nmap's dns-brute script. The goal is to discover valid hostnames and subdomains associated with a target IP address, revealing valuable information about the target network's infrastructure.

You will execute the dns-brute script against a target IP, scan the DNS port, add verbosity for detailed output, save the results to a file, review the DNS records in the Xfce terminal, and compare the results with a UDP scan. This hands-on experience will provide you with practical skills in DNS enumeration using Nmap.

Run DNS enum with nmap --script dns-brute 192.168.1.1

In this step, we will use Nmap's dns-brute script to perform DNS enumeration against a target IP address. DNS enumeration is the process of discovering valid hostnames and subdomains for a given domain by querying DNS servers. This can reveal valuable information about the target network's infrastructure.

The dns-brute script works by attempting to resolve a large list of common subdomain names against the target's DNS server. If a subdomain exists, the DNS server will return an IP address, indicating that the subdomain is valid.

First, let's understand the command we'll be using:

  • nmap: This is the network mapper tool we're using.
  • --script dns-brute: This tells Nmap to use the dns-brute script.
  • 192.168.1.1: This is the target IP address. Replace this with the actual IP address you want to scan.

Now, let's execute the command. Open your Xfce terminal and type the following command:

nmap --script dns-brute 192.168.1.1

Note: Replace 192.168.1.1 with the actual IP address of the target you want to scan. If you don't have a specific target, you can use a local IP address like 127.0.0.1 (localhost), but you might not get any interesting results.

The output will show Nmap attempting to resolve various subdomain names. If any subdomains are found, they will be displayed along with their corresponding IP addresses.

Example output (the output you see will depend on the target):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
NSE: Starting dns-brute scan
NSE: DNS Brute-force hostnames: 216.58.216.142
google.com A 216.58.216.142
www.google.com A 216.58.216.142
mail.google.com A 216.58.216.142
NSE: Finished dns-brute scan
Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds

This output shows that the dns-brute script found the subdomains google.com, www.google.com, and mail.google.com associated with the IP address 216.58.216.142.

Scan DNS port with nmap --script dns-brute -p 53 127.0.0.1

In this step, we will focus on scanning the DNS port (port 53) using Nmap and the dns-brute script. By specifying the port, we can target our DNS enumeration efforts to the standard DNS port, which is often more efficient.

Let's break down the command:

  • nmap: The network scanning tool.
  • --script dns-brute: Specifies the dns-brute script for DNS enumeration.
  • -p 53: This option tells Nmap to only scan port 53, which is the standard port for DNS.
  • 127.0.0.1: This is the target IP address. In this case, we're using 127.0.0.1, which refers to the local machine (localhost).

Now, open your Xfce terminal and execute the following command:

nmap --script dns-brute -p 53 127.0.0.1

This command will run the dns-brute script specifically against port 53 on the localhost. Since 127.0.0.1 typically doesn't host a DNS server with many records, the results might be limited. However, this demonstrates how to target a specific port for DNS enumeration.

Example output (the output you see may vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).

PORT   STATE SERVICE
53/tcp open  domain
| dns-brute:
|_  records-from-AXFR: No zone transfer allowed.

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

In this example, Nmap shows that port 53 is open and running the domain service (DNS). The dns-brute script attempts a zone transfer (AXFR) but is denied. This is a common security measure to prevent unauthorized access to DNS records.

Add verbosity with nmap -v --script dns-brute 192.168.1.1

In this step, we will add verbosity to our Nmap command. Verbosity increases the amount of information Nmap displays during the scan, which can be helpful for understanding what Nmap is doing and for troubleshooting any issues.

The -v option in Nmap enables verbose mode. Using -v once increases the verbosity level. You can use -vv for even more detailed output.

Let's look at the command we'll be using:

  • nmap: The network scanning tool.
  • -v: Enables verbose mode, providing more detailed output.
  • --script dns-brute: Specifies the dns-brute script for DNS enumeration.
  • 192.168.1.1: The target IP address. Remember to replace this with the actual IP address you want to scan.

Now, open your Xfce terminal and type the following command:

nmap -v --script dns-brute 192.168.1.1

Note: Replace 192.168.1.1 with the actual IP address of the target you want to scan.

The output will be more detailed than in the previous steps. You'll see information about the scan progress, the scripts being run, and any errors or warnings that occur.

Example output (the output you see will depend on the target and network conditions):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Starting dns-brute scan
NSE: Loaded 1795 records from /usr/share/nmap/nselib/data/dns-brute.lst
massdns: warning: id 4255 (inbound): query timed out
massdns: warning: id 4256 (inbound): query timed out
massdns: warning: id 4257 (inbound): query timed out
massdns: warning: id 4258 (inbound): query timed out
massdns: warning: id 4259 (inbound): query timed out
NSE: DNS Brute-force hostnames: 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

NSE: Finished dns-brute scan
Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds

The verbose output shows more details about the dns-brute script's operation, including the number of records loaded and any warnings encountered during the scan. This can be helpful for diagnosing issues or understanding the script's behavior.

Save DNS results with nmap --script dns-brute -oN dns.txt 127.0.0.1

In this step, we will learn how to save the results of our Nmap scan to a file. This is useful for later analysis or for reporting purposes. Nmap provides several options for saving output in different formats. Here, we'll use the normal output format (-oN).

Let's break down the command:

  • nmap: The network scanning tool.
  • --script dns-brute: Specifies the dns-brute script for DNS enumeration.
  • -oN dns.txt: This option tells Nmap to save the output in normal format to a file named dns.txt. The file will be saved in your current directory (~/project).
  • 127.0.0.1: The target IP address. In this case, we're using 127.0.0.1, which refers to the local machine (localhost).

Now, open your Xfce terminal and execute the following command:

nmap --script dns-brute -oN dns.txt 127.0.0.1

After the scan completes, a file named dns.txt will be created in your ~/project directory. This file will contain the Nmap output in a human-readable format.

To verify that the file was created and contains the scan results, you can use the cat command to display the contents of the file:

cat dns.txt

Example output (the output you see may vary):

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
PORT   STATE SERVICE
53/tcp open  domain
| dns-brute:
|_  records-from-AXFR: No zone transfer allowed.

## Nmap done at Fri Oct 27 10:15:02 2023 -- 1 IP address (1 host up) scanned in 2.50 seconds

This output shows the contents of the dns.txt file, which includes the Nmap scan report for localhost.

Review DNS records in Xfce terminal

In this step, we will review the DNS records that were identified in the previous steps. We'll use the cat command to view the contents of the dns.txt file we created earlier. This will allow us to examine the output of the dns-brute script and understand what information was discovered.

Open your Xfce terminal and type the following command:

cat dns.txt

This command will display the contents of the dns.txt file in your terminal.

The output will look similar to this (the exact output will depend on the target and the results of the DNS enumeration):

## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
PORT   STATE SERVICE
53/tcp open  domain
| dns-brute:
|_  records-from-AXFR: No zone transfer allowed.

## Nmap done at Fri Oct 27 10:20:02 2023 -- 1 IP address (1 host up) scanned in 2.50 seconds

Let's analyze the output:

  • Nmap scan report for localhost (127.0.0.1): This indicates that the scan was performed on the local machine.
  • PORT STATE SERVICE: This section shows the open ports on the target.
  • 53/tcp open domain: This indicates that port 53 (the standard DNS port) is open and running the domain service.
  • dns-brute: This section shows the results of the dns-brute script.
  • records-from-AXFR: No zone transfer allowed.: This indicates that the target does not allow zone transfers, which is a security measure to prevent unauthorized access to DNS information.

In this example, the dns-brute script didn't find any specific DNS records because zone transfers are not allowed. However, if the target allowed zone transfers or if the dns-brute script found any other DNS records, they would be listed in this section.

By reviewing the output of the dns-brute script, you can gain valuable information about the target's DNS configuration and identify potential vulnerabilities.

Compare with UDP scan in Xfce terminal

In this step, we will perform a UDP scan on the DNS port (53) and compare the results with the TCP scan we performed earlier. Understanding the differences between TCP and UDP scans is crucial for comprehensive network reconnaissance.

DNS typically uses both TCP and UDP protocols. UDP is generally used for standard DNS queries, while TCP is used for zone transfers or when the response size exceeds the UDP limit.

To perform a UDP scan on port 53, use the following Nmap command in your Xfce terminal:

nmap -sU -p 53 127.0.0.1

Let's break down the command:

  • nmap: The network scanning tool.
  • -sU: Specifies a UDP scan.
  • -p 53: Specifies port 53 (DNS).
  • 127.0.0.1: The target IP address (localhost).

Execute the command and observe the output. It might look something like this:

Starting Nmap 7.80 ( https://nmap.org ) at Fri Oct 27 10:25:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).

PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 3.50 seconds

Now, let's compare this output with the TCP scan we performed earlier (using --script dns-brute -p 53 127.0.0.1). You can either refer to the output you saw in step 2 or re-run the TCP scan:

nmap -sT -p 53 127.0.0.1

(Note: -sT specifies a TCP connect scan, which is the default if no scan type is specified.)

The output of the TCP scan might look like this:

Starting Nmap 7.80 ( https://nmap.org ) at Fri Oct 27 10:26:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).

PORT   STATE SERVICE
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

Key differences to observe:

  • STATE: The UDP scan might show open|filtered while the TCP scan shows open. open|filtered means that Nmap cannot determine for certain if the port is open or filtered due to the nature of UDP. UDP is connectionless, so Nmap doesn't receive a definitive "connection refused" like it does with TCP.
  • Reliability: TCP scans are generally more reliable for determining if a port is open because of the three-way handshake. UDP scans can be less reliable due to packet loss and the lack of a connection-oriented protocol.

In summary, comparing TCP and UDP scans provides a more complete picture of the target's network services. While TCP is often preferred for its reliability, UDP scans can reveal services that might not be apparent with TCP alone.

Summary

In this lab, we explored DNS enumeration using Nmap's dns-brute script. We learned how to discover valid hostnames and subdomains for a given domain by querying DNS servers. The lab demonstrated how to execute the nmap --script dns-brute <target_ip> command to identify subdomains associated with a target IP address.

Furthermore, the lab highlighted the importance of specifying the target IP address correctly and interpreting the output to identify discovered subdomains and their corresponding IP addresses. We also touched upon using verbosity and saving the output to a file for later review.

Related Nmap Courses
Nmap for Beginners

Nmap for Beginners

cybersecuritynmaplinux
Hands-On Network Scanning with Nmap on Linux

Hands-On Network Scanning with Nmap on Linux

cybersecuritynmaplinux
Nmap Scanning and Telnet Access

Nmap Scanning and Telnet Access

cybersecuritynmaplinux