
finding

DNS zone transfer

Dig

dig axfr @<dns_server_ip> <domain>

Fierce

fierce --domain zonetransfer.me

Domain takeover

Subdomain enumeration

  • Subfinder

  • DNSdumpster

  • Gobuster (subdomain brute force)

gobuster dns -d "$domain" --resolver 10.129.201.127 -w tools/subbrute/names.txt -t 320

  • Sublist3r

  • Amass

  • Subbrute (DNS brute-forcing)

  • Puredns, altdns (DNS brute-forcing)

Enumerate CNAME records (a CNAME pointing at a decommissioned external service is the usual takeover candidate)
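Added example, not part of the original notes: a defender-side audit of what a permitted zone transfer hands out. It parses `dig axfr` output (the constructed sample below stands in for a real dump), lists every hostname the zone exposes, flags A/AAAA records that leak RFC1918 addresses, and classifies each CNAME as resolving inside the zone, dangling inside the zone, or pointing at an external host that needs a takeover review. The zone name, record names and IPs in the sample are all made up.

```python
import ipaddress

# Constructed sample of `dig axfr` output; example.test and its hosts are not real.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.		3600	IN	SOA	ns1.example.test. hostmaster.example.test. 2024010101 3600 600 86400 300
example.test.		3600	IN	NS	ns1.example.test.
ns1.example.test.	3600	IN	A	192.0.2.10
www.example.test.	300	IN	A	192.0.2.20
dev.example.test.	300	IN	CNAME	dev-app.cloudhost.invalid.
old.example.test.	300	IN	CNAME	www.example.test.
mail.example.test.	300	IN	A	192.0.2.30
vpn.example.test.	300	IN	A	10.0.5.4
example.test.		3600	IN	SOA	ns1.example.test. hostmaster.example.test. 2024010101 3600 600 86400 300
;; Query time: 3 msec
"""

# RFC1918 and IPv6 ULA ranges; ipaddress.is_private would also match TEST-NET
# documentation ranges, so the check is explicit here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_axfr(text):
    """Turn dig axfr output into a list of {name, ttl, type, rdata} records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip dig's comment/status lines
            continue
        parts = line.split(None, 4)               # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name.lower(), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata})
    return records


def classify_cnames(records, zone):
    """Map each CNAME owner to resolves-in-zone / dangling-in-zone / external."""
    zone = zone.lower().rstrip(".") + "."
    has_address = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    result = {}
    for r in records:
        if r["type"] != "CNAME":
            continue
        target = r["rdata"].lower()
        if target in has_address:
            result[r["name"]] = "resolves-in-zone"
        elif target == zone or target.endswith("." + zone):
            result[r["name"]] = "dangling-in-zone"   # target has no address record in the dump
        else:
            result[r["name"]] = "external"           # review: is the external resource still claimed?
    return result


def private_hosts(records):
    """Names whose A/AAAA record discloses an internal (RFC1918/ULA) address."""
    out = []
    for r in records:
        if r["type"] not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(r["rdata"])
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            out.append(r["name"])
    return out


def audit(text, zone):
    """Summarise what an unauthenticated AXFR exposes for the given zone."""
    records = parse_axfr(text)
    return {
        "record_count": len(records),
        "hostnames": sorted({r["name"] for r in records
                             if r["type"] in ("A", "AAAA", "CNAME")}),
        "cnames": classify_cnames(records, zone),
        "private_hosts": private_hosts(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_AXFR, "example.test"), indent=2))
```

Feed it the saved output of the `dig axfr` command above (`python3 axfr_audit.py < zone.txt` after swapping `SAMPLE_AXFR` for `sys.stdin.read()`) and the report is what a finding should contain: the fix is to restrict AXFR to secondary nameservers, and every "external" CNAME gets checked against whether the organisation still controls the target.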

DNS spoofing/cache poisoning (MITM attack)

Local DNS cache poisoning

Ettercap

  • Open /etc/ettercap/etter.dns (cat /etc/ettercap/etter.dns) and add the DNS entry: inlanefreight.com A <IP>

  • Next, start the Ettercap tool and scan for live hosts within the network by navigating to Hosts > Scan for Hosts. Once completed, add the target IP address (e.g., 192.168.152.129) to Target1 and the default gateway IP (e.g., 192.168.152.2) to Target2.

  • Activate the dns_spoof plugin by navigating to Plugins > Manage Plugins. This sends the target machine fake DNS responses that resolve inlanefreight.com to the IP address 192.168.225.110.
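Added example from the detection side, not from the original notes: in the scenario above the victim typically receives both the forged reply and the real one for the same transaction ID, and forged replies may arrive from a host that is not the configured resolver. This Python script runs those two heuristics over a constructed log of DNS responses seen on the victim (fields: time, source IP, destination IP, transaction ID, queried name, answer). The trusted-resolver set, the log format and every line in it are assumptions for the example.

```python
from collections import defaultdict

# Assumed: the resolver/gateway the host is configured to use.
TRUSTED_RESOLVERS = {"192.168.152.2"}

# Constructed DNS-response log: ts src dst txid qname answer. Not real traffic.
SAMPLE_RESPONSES = """\
10:00:01 192.168.152.2 192.168.152.129 0x1a2b inlanefreight.com 192.168.225.110
10:00:01 192.168.152.2 192.168.152.129 0x1a2b inlanefreight.com 203.0.113.45
10:00:05 192.168.152.2 192.168.152.129 0x3c4d www.example.test 192.0.2.20
10:00:09 192.168.152.50 192.168.152.129 0x5e6f portal.example.test 192.168.225.110
"""


def parse_responses(text):
    """Parse the six-field log into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, txid, qname, answer = parts
        rows.append({"ts": ts, "src": src, "dst": dst, "txid": txid.lower(),
                     "qname": qname.lower().rstrip("."), "answer": answer})
    return rows


def find_spoof_indicators(rows, trusted=TRUSTED_RESOLVERS):
    """Return alerts for untrusted response sources and conflicting answers."""
    alerts = []
    by_query = defaultdict(list)
    for r in rows:
        # Heuristic 1: a response from anything but the configured resolver.
        if r["src"] not in trusted:
            alerts.append({"reason": "response-from-untrusted-source",
                           "qname": r["qname"], "src": r["src"]})
        by_query[(r["dst"], r["txid"], r["qname"])].append(r)
    # Heuristic 2: two answers for one transaction that disagree; the forged
    # reply and the legitimate one race each other and both reach the client.
    for (_dst, txid, qname), group in by_query.items():
        answers = {r["answer"] for r in group}
        if len(answers) > 1:
            alerts.append({"reason": "conflicting-answers-same-txid",
                           "qname": qname, "txid": txid,
                           "answers": sorted(answers)})
    return alerts


if __name__ == "__main__":
    for alert in find_spoof_indicators(parse_responses(SAMPLE_RESPONSES)):
        print(alert)
```

Either alert is a reason to check the ARP table of the affected host (the gateway's MAC changing is the companion symptom of the setup above) and to compare the answer against a query sent directly to the authoritative server; neither heuristic fires on normal traffic where one transaction gets one answer from one resolver.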
