53 - DNS

Zone Transfer

# Port scan and trying zone transfer
nmap --script=dns-transfer-zone -p 53 domain

# DNS Zone Transfer using dig
dig axfr @IP guess_domain_name


Active Directory DNS

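# Find AD DS servers through the domain's SRV records - no zone transfer is
# required, any resolver that knows the AD zone will answer. If your default
# resolver does not, append @<dc_ip> to each query to ask the DC directly.
# The _msdcs records are AD-specific and distinguish DCs from plain LDAP hosts.

# Domain controllers
dig -t SRV _ldap._tcp.dc._msdcs.lab.ropnop.com

# PDC emulator
dig -t SRV _ldap._tcp.pdc._msdcs.lab.ropnop.com

# Global Catalog
dig -t SRV _gc._tcp.lab.ropnop.com

# LDAP servers
dig -t SRV _ldap._tcp.lab.ropnop.com

# Kerberos KDC (AD publishes both TCP and UDP records)
dig -t SRV _kerberos._tcp.lab.ropnop.com
dig -t SRV _kerberos._udp.lab.ropnop.com

# Kerberos password change server
dig -t SRV _kpasswd._tcp.lab.ropnop.com
dig -t SRV _kpasswd._udp.lab.ropnop.com

# Same SRV enumeration via nmap. dns-srv-enum is a prerule script, so no
# target host is given. Use straight double quotes around the whole
# --script-args value and close them - a curly quote or an unterminated
# string leaves the argument name mangled and the script queries nothing.
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='lab.ropnop.com'"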