53 - DNS
Zone Transfer
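# Check whether the DNS server on port 53 allows a zone transfer (AXFR).
# The NSE script is named dns-zone-transfer ("dns-transfer-zone" does not exist
# and makes nmap abort). It presumably takes the zone from the target hostname
# unless --script-args dns-zone-transfer.domain=<zone> is given; confirm against
# the script documentation.
nmap --script=dns-zone-transfer -p 53 domain
# Same check with dig: IP is the name server, guess_domain_name is the zone to request.
dig axfr @IP guess_domain_name
# A successful transfer returns every record in the zone. Authoritative servers
# should allow AXFR only to their known secondaries (e.g. BIND allow-transfer,
# ideally with TSIG). AXFR requests from any other source are worth alerting on.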
Active Directory DNS
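# Find AD DS services through DNS SRV lookups with dig (no zone transfer involved).
# Domain members need these records to locate domain controllers, so any client
# that can query the AD zone can read them. Keep the AD zone off externally
# reachable resolvers.
# Global Catalog
dig -t SRV _gc._tcp.lab.ropnop.com
# LDAP servers
dig -t SRV _ldap._tcp.lab.ropnop.com
# Kerberos KDC
dig -t SRV _kerberos._tcp.lab.ropnop.com
# Kerberos password change server
dig -t SRV _kpasswd._tcp.lab.ropnop.com
# Same SRV enumeration with nmap's dns-srv-enum script. The script argument must
# be wrapped in plain ASCII quotes: typographic quotes are passed through as
# literal characters and the argument is not parsed as intended.
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='lab.ropnop.com'"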