Digging record types

dig can be used to query for and map out a domain's record types (A, MX, NS, SOA, TXT and so on) quickly and easily. The default is the A record, which holds the domain's IPv4 addresses, but you may only want the name servers (NS records), for instance as targets for DNS-based man-in-the-middle attacks. MX records, which point to the domain's mail servers, are useful when crafting phishing campaigns against its users. To ask for every record type associated with a domain in one query, use the ANY keyword. Be aware that many servers now answer ANY with a deliberately minimal response (RFC 8482), so if it returns little, query the individual types instead:

dig packtpub.com ANY
Basic dig output - useful, but could be more succinct.

To find the mail servers associated with Packt Publishing, we would simply replace ANY with the MX keyword so that only those records are returned.

Each of the subsections in the basic dig output can be switched off individually by naming it, for example +nocomments, +noquestion, +noauthority, +noadditional, or +nostats. To turn all of them off at once, use the +noall shortcut and then re-enable just the section you want (for example, +answer) at the end of the query, as follows:

dig packtpub.com ANY +noall +answer
The dig output shortened to focus only on records of interest to us

The +short modifier goes further still, printing only the answer data (one record per line) and none of the surrounding sections, and it is well worth appending to your standard queries to keep output compact and easy to pipe into other tools.

dig can also request a zone transfer (AXFR), which, if the target name server is not restricted to its legitimate secondaries, lets an attacker pull down the entire zone: every hostname and record the authoritative server holds. A zone transfer is only supposed to happen between a domain's own name servers, so a successful one is a windfall for the attacker and is something we should always test for. To demonstrate a zone transfer, we'll use the training domain zonetransfer.me, run by Digi Ninja (https://digi.ninja/projects/zonetransferme.php), and type this:

dig axfr @nsztm1.digi.ninja zonetransfer.me
Conducting a zone transfer is quite a coup, when it works.
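To tie the record queries and the zone transfer test together, here is an added shell script that is not part of the book's text or of dig itself. It wraps dig with the +noall +answer filtering used above, parses MX and NS answers, and decides whether an AXFR actually completed (a full transfer starts and ends with the zone's SOA record, so exactly two SOA lines means the whole zone came back). The sample answers embedded in it are constructed so the parsers can be exercised offline; pass `live <domain>` to query real servers, for example `live zonetransfer.me`.

```shell
#!/usr/bin/env bash
# Added example: wrap dig for the record-type queries and the AXFR check
# discussed above. Sample answers below are constructed, not captured output.

# Query one record type and return only the answer section.
dig_answer() {            # usage: dig_answer <domain> <type> [server]
    local domain=$1 type=$2 server=${3:-}
    if [ -n "$server" ]; then
        dig @"$server" "$domain" "$type" +noall +answer
    else
        dig "$domain" "$type" +noall +answer
    fi
}

# Turn MX answer lines ("name ttl IN MX pref host") into "pref host",
# lowest preference first, so the primary mail server is printed first.
parse_mx() {              # reads dig +noall +answer output on stdin
    awk '$4 == "MX" { sub(/\.$/, "", $6); print $5, $6 }' | sort -n
}

# Extract name server hostnames from NS answer lines (trailing dot removed).
parse_ns() {              # reads dig +noall +answer output on stdin
    awk '$4 == "NS" { sub(/\.$/, "", $5); print $5 }' | sort
}

# Return 0 only if the AXFR output is a completed transfer: exactly two SOA
# records (one opening, one closing the zone). A refusal prints
# "; Transfer failed." and no records at all.
axfr_succeeded() {        # reads dig axfr output on stdin
    local soa
    soa=$(awk '$4 == "SOA" { n++ } END { print n + 0 }')
    [ "$soa" -eq 2 ]
}

# Try AXFR against every authoritative server, since admins often lock
# down the primary but forget a secondary.
test_axfr_all() {         # usage: test_axfr_all <domain>
    local domain=$1 ns
    for ns in $(dig_answer "$domain" NS | parse_ns); do
        if dig @"$ns" "$domain" AXFR | axfr_succeeded; then
            echo "$ns: zone transfer ALLOWED"
        else
            echo "$ns: zone transfer refused"
        fi
    done
}

# Constructed sample answers (hypothetical example.com data) in the field
# layout dig +noall +answer prints, so the parsers run without network.
SAMPLE_MX='example.com.  300 IN MX 20 mx2.example.com.
example.com.  300 IN MX 10 mx1.example.com.'

SAMPLE_AXFR_OK='example.com.  300 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
example.com.  300 IN NS  ns1.example.com.
www.example.com.  300 IN A  192.0.2.10
example.com.  300 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300'

SAMPLE_AXFR_REFUSED='; Transfer failed.'

# Live run (needs network): ./dig_recon.sh live zonetransfer.me
if [ "${1:-}" = "live" ]; then
    domain=${2:-zonetransfer.me}
    echo "== MX for $domain =="
    dig_answer "$domain" MX | parse_mx
    echo "== AXFR attempts against each NS =="
    test_axfr_all "$domain"
fi
```

Counting SOA records is more reliable than grepping for "Transfer failed." because some servers return a REFUSED or NOTAUTH status, or an empty answer, rather than that exact message.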

dig offers a clean and easy toolset, but often the target environment is larger than dig can present well, or we are looking for more in-depth results. This is where dnsrecon comes in. I would recommend repeating the same exercises with dnsrecon to see how it compares with dig and to help you decide which tool will be your primary one.