host:
- host -t ns hackxpert.com
-t: record type (ns, mx, txt, ...)
- host hackxpert.com
dig:
- dig hackxpert.com
echo www > list.txt
echo ftp >> list.txt
echo mail >> list.txt
echo owa >> list.txt
echo proxy >> list.txt
echo router >> list.txt
echo api >> list.txt
for ip in $(cat list.txt);do host $ip.megacorpone.com;done
This creates a list with www, ftp, ... on it, one entry per line. The loop then resolves every entry as a subdomain and shows which names actually exist in DNS.
Replacing host $ip.megacorpone.com with host 50.7.67.$ip turns the same loop into a reverse (PTR) lookup sweep over an IP range; grep -v "not found" hides the addresses without a PTR record.
for ip in $(seq 155 190);do host 50.7.67.$ip;done | grep -v "not found"
host -l megacorpone.com ns2.megacorpone.com
This asks ns2 for a full zone transfer (AXFR) of megacorpone.com, and ns2 allows it, which hands over every record in the zone.
host -l megacorpone.com ns1.megacorpone.com
ns1 returns an error and refuses the transfer. Since each nameserver enforces this separately, we can try them all (host -t ns megacorpone.com lists the real ones; the loop below simply guesses ns1 through ns10).
for ns in $(seq 1 10);do host -l megacorpone.com ns$ns.megacorpone.com;done
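The two loops above (subdomain/PTR sweeps and AXFR attempts against each nameserver) leave a distinctive trace on the server side. The following is an added example, not part of the original notes, showing how a defender would spot both from nameserver logs: it flags a client that queries many distinct names under one zone, and reports which zone transfers were allowed or denied. The log lines are constructed here in the style of BIND's query and transfer logging (the exact field layout is an assumption; adjust the regexes to your server's format), and the IP addresses and example.com zone are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log lines, approximating BIND's query/transfer log style.
# The "@0x..." client handle that newer BIND versions print is optional here.
SAMPLE_LOG = """\
client 203.0.113.7#41000 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.53)
client 203.0.113.7#41001 (ftp.example.com): query: ftp.example.com IN A -E(0) (192.0.2.53)
client 203.0.113.7#41002 (mail.example.com): query: mail.example.com IN A -E(0) (192.0.2.53)
client 203.0.113.7#41003 (owa.example.com): query: owa.example.com IN A -E(0) (192.0.2.53)
client 203.0.113.7#41004 (proxy.example.com): query: proxy.example.com IN A -E(0) (192.0.2.53)
client 203.0.113.7#41005 (router.example.com): query: router.example.com IN A -E(0) (192.0.2.53)
client 203.0.113.7#41006 (api.example.com): query: api.example.com IN A -E(0) (192.0.2.53)
client 198.51.100.9#53011 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.53)
client 198.51.100.9#53012 (www.example.com): query: www.example.com IN AAAA -E(0) (192.0.2.53)
client 203.0.113.7#41007 (example.com): transfer of 'example.com/IN': AXFR started
client 203.0.113.7#41007 (example.com): transfer of 'example.com/IN': AXFR ended
client 203.0.113.7#41008 (example.com): zone transfer 'example.com/AXFR/IN' denied
"""

# Normal query line: client IP, then the queried name in parentheses.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query: "
)
# Zone transfer lines: either an AXFR that started (allowed) or one that was denied.
AXFR_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+.*?"
    r"(?:transfer of '(?P<zone>[^/']+)/IN': AXFR started"
    r"|zone transfer '(?P<denied_zone>[^/']+)/AXFR/IN' denied)"
)


def parse_log(text):
    """Return (queries, transfers): distinct names asked per client, and AXFR events."""
    queries = defaultdict(set)   # client ip -> set of distinct lowercase qnames
    transfers = []               # (client ip, zone, "allowed" | "denied")
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries[m["ip"]].add(m["qname"].lower())
            continue
        m = AXFR_RE.search(line)
        if m:
            if m["zone"]:
                transfers.append((m["ip"], m["zone"], "allowed"))
            else:
                transfers.append((m["ip"], m["denied_zone"], "denied"))
    return queries, transfers


def enumeration_suspects(queries, zone, threshold=5):
    """Clients that queried at least `threshold` distinct names directly under `zone`.

    Works for forward sweeps (zone="example.com") and for reverse sweeps
    (zone="67.7.50.in-addr.arpa"), since PTR lookups are just queries too.
    """
    suffix = "." + zone.lower()
    suspects = {}
    for ip, names in queries.items():
        distinct = sum(1 for q in names if q.endswith(suffix))
        if distinct >= threshold:
            suspects[ip] = distinct
    return suspects


def transfer_report(transfers):
    """Split AXFR events into those the server allowed and those it denied."""
    return {
        "allowed": [(ip, zone) for ip, zone, outcome in transfers if outcome == "allowed"],
        "denied": [(ip, zone) for ip, zone, outcome in transfers if outcome == "denied"],
    }


if __name__ == "__main__":
    q, t = parse_log(SAMPLE_LOG)
    print("enumeration suspects:", enumeration_suspects(q, "example.com"))
    print("zone transfers:", transfer_report(t))
```

On the sample, 203.0.113.7 is flagged for seven distinct names under example.com, while 198.51.100.9 is not (two record types for the same name count once). Any entry under "allowed" that is not one of your own secondaries means the zone's transfer ACL is too open; in BIND that is the allow-transfer setting, which should list only the secondary servers (ideally with TSIG keys) rather than any host.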