Decoding the Web: DNS Analysis Techniques with dnsdict6

RED TEAM | Malforge Group
Jan 9, 2024

Hello everyone,

In today’s article I’m going to show you how to get the most out of the “dnsdict6” tool by using a few techniques.

Introduction

This tool is used for enumerating a domain for DNS entries and can be useful in various cybersecurity contexts, including penetration testing and security assessments. Here are some key purposes and use cases for this tool:

  1. DNS Enumeration
  2. Dictionary-Based Attack
  3. Information Gathering
  4. IPv6 Analysis
  5. IPv4 Analysis
  6. Service Name Guessing
  7. Threaded Operation

Official GitHub Repository of dnsdict6:

Let’s start.

That’s all you will see when you execute it.

Below is an explanation of the options provided by this tool:

  1. -4: This option instructs the tool to also dump IPv4 addresses along with IPv6 addresses.
  2. -t NO: Specifies the number of threads to use. The default is 8, and the maximum allowed is 32.
  3. -D: If this option is used, the tool will dump the selected built-in wordlist without performing any scanning.
  4. -d: Enables the display of IPv6 information on NS (Name Server) and MX (Mail Exchange) DNS domain information.
  5. -e: Ignores “no NS for domain” errors, allowing the tool to proceed even if there are no Name Servers for the specified domain.
  6. -S: Performs SRV (Service) name guessing. SRV records are used to specify the location of services such as LDAP or SIP.
  7. -[smlxu]: These options allow you to choose the dictionary size. The available options are:
  • -s (small=100)
  • -m (medium=1419) - DEFAULT
  • -l (large=2601)
  • -x (extreme=5886)
  • -u (uber=16724)

Depending on your requirements and the size of the dictionary, you can choose the appropriate option.
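What the options above look like from the defending side, as an added example that is not part of the original article or of the dnsdict6 project: a wordlist walk with several threads shows up in resolver logs as one client asking for many distinct names under one zone in a short time, most of them answered NXDOMAIN. The log format, the addresses and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; "<ISO time> <client> <qname> <qtype> <rcode>" is a hypothetical log layout.
WORDS = ["admin", "api", "backup", "dev", "ftp", "git", "intranet", "mail",
         "ns1", "ns2", "portal", "smtp", "test", "vpn", "www", "staging"]

def build_sample_log():
    t0, lines = datetime(2024, 1, 9, 10, 0, 0), []
    for i, w in enumerate(WORDS):  # wordlist walk: one guess every 50 ms
        rcode = "NOERROR" if w in {"www", "mail", "api"} else "NXDOMAIN"
        ts = (t0 + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{ts} 2001:db8::66 {w}.example.com. AAAA {rcode}")
    for i in range(12):  # ordinary client: two real names, repeated slowly
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 2001:db8::10 {('www', 'mail')[i % 2]}.example.com. AAAA NOERROR")
    lines.append("truncated line")  # malformed input must not break parsing
    return lines

def detect_enumeration(lines, zone, window=timedelta(seconds=10),
                       min_names=10, min_nx_ratio=0.6):
    """Map client -> (distinct names, NXDOMAIN count) for the window with the
    most distinct names in which its queries under `zone` look like a dictionary walk."""
    suffix = "." + zone.strip(".").lower() + "."
    per_client = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, _qtype, rcode = parts
        if qname.lower().endswith(suffix):
            per_client[client].append((datetime.fromisoformat(ts), qname.lower(), rcode))
    findings = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            names = {q for _, q, _ in win}
            nx = sum(1 for _, _, r in win if r == "NXDOMAIN")
            if (len(names) >= min_names and nx / len(win) >= min_nx_ratio
                    and len(names) > findings.get(client, (0, 0))[0]):
                findings[client] = (len(names), nx)
    return findings

if __name__ == "__main__":
    print(detect_enumeration(build_sample_log(), "example.com"))
```

Real thresholds depend on the zone's normal traffic; the built-in dictionaries listed above range from 100 to 16724 words, so even the smallest one exceeds the `min_names` value used here.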

Basic to Most Advanced Commands of dnsdict6

Note: Replace “example.com” with your actual domain, and do not prefix it with “http”, “https” or “www”; otherwise you may get an error.

1. Basic DNS Enumeration

atk6-dnsdict6 example.com

example = atk6-dnsdict6 bankofmaldives.com.mv

2. DNS Enumeration with IPv4 Address Dumping

atk6-dnsdict6 -4 example.com

3. DNS Enumeration with Larger Dictionary

atk6-dnsdict6 -l example.com

4. DNS Enumeration with SRV Service Name Guessing

atk6-dnsdict6 -S example.com

5. DNS Enumeration with Custom Threads

atk6-dnsdict6 -t 12 example.com

The maximum number of threads you can specify is 32.

6. DNS Enumeration with IPv6 Information Display

atk6-dnsdict6 -d example.com

7. DNS Enumeration with a Custom Dictionary File

atk6-dnsdict6 example.com custom_dictionary.txt

Intermediate Level

Note: Replace “example.com” with your actual domain, and do not prefix it with “http”, “https” or “www”; otherwise you may get an error.

1. DNS Enumeration with IPv4 and IPv6 Address Dumping

atk6-dnsdict6 -4 -d example.com

2. DNS Enumeration with Larger Dictionary, SRV Service Name Guessing, and IPv4 Address Dumping

atk6-dnsdict6 -l -S -4 example.com

3. DNS Enumeration with Extreme Dictionary, Custom Threads, and IPv6 Information Display

atk6-dnsdict6 -x -t 16 -d example.com

4. DNS Enumeration with Extreme Dictionary, SRV Service Name Guessing, IPv4 and IPv6 Address Dumping

atk6-dnsdict6 -x -S -4 -d example.com

5. DNS Enumeration with Large Dictionary, SRV Service Name Guessing, Custom Threads, and IPv6 Information Display

atk6-dnsdict6 -l -S -t 24 -d example.com

Most Advanced Commands

Note: Replace “example.com” with your actual domain and avoid using “http,” “https,” or “www” with it; otherwise, you may face errors. You may also have to install additional tools, such as amass and Sublist3r, for the commands below.

1. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and HTTP Analysis

atk6-dnsdict6 -m example.com && amass enum -d example.com | httprobe -c 50

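This command combines atk6-dnsdict6 for DNS enumeration with amass for subdomain discovery and httprobe to identify live HTTP hosts. The two parts are joined with &&, so the amass pipeline starts only after atk6-dnsdict6 exits successfully, and the atk6-dnsdict6 output is printed to the terminal rather than passed to httprobe.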

2. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Nmap Scan

atk6-dnsdict6 -m example.com && amass enum -d example.com | nmap -p 80,443 -iL -

This command integrates atk6-dnsdict6 with amass for subdomain discovery and uses nmap to perform a quick scan on identified hosts.

3. DNS Enumeration with atk6-dnsdict6 and Network Scanning with Masscan

atk6-dnsdict6 -m example.com && masscan -p1-65535 $(dig +short example.com) --rate=10000

This command uses atk6-dnsdict6 for DNS enumeration and masscan for fast network scanning on identified hosts.

4. DNS Enumeration with atk6-dnsdict6 and Subdomain Brute-Force with Sublist3r

atk6-dnsdict6 -m example.com && sublist3r -d example.com

This command combines atk6-dnsdict6 for DNS enumeration with sublist3r for subdomain brute-forcing.

5. DNS Enumeration with atk6-dnsdict6 and SSL Certificate Enumeration

atk6-dnsdict6 -m example.com && certspotter -d example.com

6. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, HTTP Analysis, and Nikto Scanning

atk6-dnsdict6 -x -t 32 -d example.com && amass enum -d example.com | httprobe -c 50 | nikto -h -

This command utilizes atk6-dnsdict6 for DNS enumeration with an extreme dictionary, incorporates amass for subdomain discovery, httprobe to identify live HTTP hosts, and then runs nikto to scan the identified hosts for vulnerabilities.

7. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Network Scanning with Nmap

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | nmap -p 1-65535 -iL -

This command combines atk6-dnsdict6 for DNS enumeration with an extreme dictionary, integrates amass for subdomain discovery, and uses nmap for a comprehensive port scan on identified hosts.

8. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, SSL Certificate Enumeration, and EyeWitness for Screenshots

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | certspotter -d example.com | eyewitness -f -

This command uses atk6-dnsdict6 for DNS enumeration with an extreme dictionary, combines amass for subdomain discovery, certspotter for SSL certificate information, and eyewitness for taking screenshots of identified web applications.

9. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Vulnerability Scanning with OpenVAS

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | openvas-scapdata-sync && openvas --version && openvasmd --rebuild

This command integrates atk6-dnsdict6 for DNS enumeration with an extreme dictionary, includes amass for subdomain discovery, and performs vulnerability scanning using OpenVAS. Note that OpenVAS setup and synchronization steps are included.

10. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Directory Brute-Forcing with Dirb

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | dirb https://www.example.com/ /usr/share/dirb/wordlists/big.txt

This command utilizes atk6-dnsdict6 for DNS enumeration with an extreme dictionary, incorporates amass for subdomain discovery, and performs directory brute-forcing using dirb on identified web applications.

11. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and CVE Scanning with Nmap

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | nmap -p 80,443 --script vulners --script-args mincvss=7.0

This command combines atk6-dnsdict6 for DNS enumeration with an extreme dictionary, uses amass for subdomain discovery, and performs CVE scanning using Nmap's vulners script on identified web applications.

Complex Most Advanced Commands

Note: Replace “example.com” with your actual domain and avoid using “http,” “https,” or “www” with your actual domain; otherwise, you may face errors, and you may have to install additional tools for the below commands.

1. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Automated Vulnerability Scanning with Nessus

Here are the steps to set up and configure Nessus:

1. Install Nessus:

Download the Nessus installation package from the official website: Tenable Nessus Downloads.

Follow the installation instructions for your operating system.

2. Activation:

After installation, open a web browser and go to https://localhost:8834.

  • Follow the on-screen instructions to complete the activation process.
  • You will need to create a Nessus account or log in with an existing one.

3. Configuration:

  • Log in to the Nessus web interface.
  • Configure the necessary settings, including any network settings and scanner configurations.
  • Set up the scan policies based on your testing requirements.

4. Obtain API Key:

In Nessus, go to Settings > My Account > API Keys.

Generate an API key that will be used for command-line interaction.

5. Update Plugins:

Regularly update Nessus plugins to ensure the latest vulnerability checks are available.

6. Configure Access Controls (Optional)

  • Depending on your environment, configure access controls, users, and groups to manage permissions.

Now, with Nessus set up and configured, you can use it in your command:

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | nessus -iL - -T nessus_scan_name

Replace nessus_scan_name with an appropriate name for your Nessus scan.

2. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Exploitation with Metasploit:

Here are the steps to set up and configure Metasploit:

1. Install Metasploit

  • You can install it by following the instructions on the official Metasploit website.

2. Start Metasploit Framework

  • Once installed, start the Metasploit Framework by running:
msfconsole

3. Update Metasploit

  • It’s essential to keep Metasploit up-to-date. Run the following commands within the Metasploit console:
msfupdate

4. Configure Database (Optional but recommended)

  • Metasploit uses a database to store scan results, loot, and other data. Configure the database by running:
db_rebuild_cache

5. Explore and Test Modules

  • Familiarize yourself with Metasploit modules using the show command. For example:
msfconsole -x "show auxiliary/scanner/http/dir_scanner"

6. Configure Additional Settings (Optional)

  • Depending on your testing environment, you may need to configure additional settings such as auxiliary module options, payloads, etc.

Now, with Metasploit set up and configured, you can use it in your command:

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | msfconsole -x "use auxiliary/scanner/http/dir_scanner; set RHOSTS %TARGET%"

Replace %TARGET% with the appropriate Metasploit variable for the target. Customize the Metasploit module and options based on your objectives.

3. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Web Application Vulnerability Scanning with OWASP ZAP

1. Install OWASP ZAP

  • Download the OWASP ZAP installation package from the official website: OWASP ZAP Downloads.

2. Start OWASP ZAP

  • Once installed, start OWASP ZAP. The exact command may vary based on your operating system, but it is generally launched with a command like:
zap.sh -daemon -config api.disablekey=true

or

zap.bat -daemon -config api.disablekey=true

This starts ZAP in daemon mode, allowing command-line interactions.

3. Configure ZAP Proxy Settings (Optional)

  • If your environment requires proxy settings, configure them through the OWASP ZAP UI.

4. Explore and Test Features

Now, with OWASP ZAP set up and configured, you can use it in your command:

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | zap-full-scan -t https://www.example.com

Replace https://www.example.com with the actual target URL. Customize ZAP options based on your objectives.

4. DNS Enumeration with atk6-dnsdict6, Subdomain Enumeration, and Exploitation with ExploitDB:

1. Install Exploit Database (exploitdb)

  • On many Linux distributions, you can install exploitdb using package managers such as apt or yum. For example, on Debian-based systems:
sudo apt-get update
sudo apt-get install exploitdb

2. Update Exploit Database

  • Regularly update the Exploit Database to ensure you have the latest exploits:
searchsploit -u

3. Configure searchsploit

  • searchsploit doesn't require additional configuration. However, you may customize its behavior using the -w option to open exploits directly in your preferred text editor.

4. Execute the Command

Now, you can use the command:

atk6-dnsdict6 -x -t 32 example.com && amass enum -d example.com | searchsploit --color -t php --exclude="/dos/" | xargs -I % exploitdb -x % -p

This command combines atk6-dnsdict6 for DNS enumeration with an extreme dictionary, integrates amass for subdomain discovery, and searches for PHP-related exploits using searchsploit. The exploits are then executed using exploitdb.

Make sure to replace “example.com” with the actual target domain and customize the command based on your objectives.

I hope you like this : )

RED TEAM-001
