Simple DNS Plus Enumeration

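#!/bin/bash
# Target domain is the first argument; abort with a usage message if it is missing
TARGET="${1:?usage: $0 <domain>}"

echo "[+] Starting Simple DNS Plus Enum on $TARGET"

# Attempt a zone transfer (AXFR) for the domain
dnsrecon -d "$TARGET" -t axfr > axfr.txt

# Brute-force subdomains using the wordlist subdomains.txt
dnsrecon -d "$TARGET" -t brt -D subdomains.txt > brute.txt

# Collect names from certificate transparency logs via crt.sh
curl -s "https://crt.sh/?q=%25.$TARGET&output=json" | jq -r '.[].name_value' > crt.txt

# Merge and de-duplicate the collected results, then pass them to dnsrecon
cat brute.txt crt.txt | sort -u | dnsrecon -f - -t std > final_ips.txt

echo "[+] Enumeration complete. Check final_ips.txt"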

nsec3map -d example.com

A lightweight Perl script specifically designed to find non-contiguous IP space and hostnames.

fierce --domain target.com

5. Summary Checklist

1. Get IP, NS, and MX records. Tool: dig / nslookup
2. Vulnerability Check: Attempt Zone Transfer (AXFR). Tool: dig axfr
3. Brute Force: Guess subdomains using a wordlist. Tool: dnsrecon / dnsenum
4. Reverse Lookup: Find names for a range of IP addresses. Tool: dnsrecon -r

Quick Tip for Success

Always start with passive enumeration (like using VirusTotal or SecurityTrails) before using "active" tools like dnsenum. Passive methods leave no trace on the target's logs!

This is the "holy grail" of DNS enumeration. If a server is misconfigured, it may allow an attacker to request a full copy of the zone file, revealing every record and subdomain. Professionals use the dig axfr @

Brute Forcing Subdomains: Tools like use wordlists to guess common subdomains (e.g., dev.example.com, vpn.example.com).

Used for reverse lookups, mapping an IP address back to a hostname.

Primary Enumeration Techniques

Zone Transfers (AXFR):

If this returns "Microsoft DNS 6.0," you know you are dealing with legacy Windows Server 2003.
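
Added example (not from the original page): the server-side counterpart to the zone-transfer misconfiguration described above, flagging AXFR requests that come from hosts outside the list of known secondaries. The log lines are constructed in the style of BIND 9 logging (an assumed format), and the function name and allowlist are hypothetical.

```python
import ipaddress
import re

# Constructed sample lines in the style of BIND 9 logs (assumed format).
SAMPLE_LOG = """\
27-Mar-2024 10:15:01.123 xfer-out: info: client @0x7f2a1c 192.0.2.53#41234 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024032701)
27-Mar-2024 10:16:02.456 security: error: client @0x7f2a2d 198.51.100.7#53022 (example.com): zone transfer 'example.com/AXFR/IN' denied
27-Mar-2024 10:17:44.010 xfer-out: info: client @0x7f2a3e 203.0.113.45#40111 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024032701)
27-Mar-2024 10:18:00.000 queries: info: client @0x7f2a4f 203.0.113.45#40112 (www.example.com): query: www.example.com IN A +
""".splitlines()

# Client address, with the optional "@0x..." object id some versions log.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
STARTED = re.compile(CLIENT + r".*transfer of '(?P<zone>[^/']+)/IN': AXFR started")
DENIED = re.compile(CLIENT + r".*zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied")


def audit_transfers(lines, allowed_secondaries):
    """Return (ip, zone, finding) tuples for AXFR events worth an alert."""
    allowed = [ipaddress.ip_network(n) for n in allowed_secondaries]
    findings = []
    for line in lines:
        for pattern, outcome in ((STARTED, "served"), (DENIED, "denied")):
            m = pattern.search(line)
            if not m:
                continue
            ip = ipaddress.ip_address(m["ip"])
            if any(ip in net for net in allowed):
                continue  # known secondary: skip
            # "served" to an unknown host means the zone is exposed;
            # "denied" means the ACL held but the request is worth noting.
            finding = "ZONE_EXPOSED" if outcome == "served" else "PROBE_BLOCKED"
            findings.append((str(ip), m["zone"], finding))
    return findings


if __name__ == "__main__":
    for ip, zone, finding in audit_transfers(SAMPLE_LOG, ["192.0.2.53/32"]):
        print(f"{finding:14} zone={zone} client={ip}")
```

A ZONE_EXPOSED finding means the transfer ACL needs tightening to the listed secondaries; PROBE_BLOCKED shows the restriction working.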