Using Bash for DNS enumeration
As a pentester, you will typically be provided with a defined scope. The scope is what you’re allowed to test. It will usually be provided as a list of IP addresses, network addresses, domain names, URLs, or a combination of these. On the other hand, you may also be tasked with discovering assets owned by the company.
In my earlier years as a pentester before I got into consulting, I spent a lot of time enumerating DNS to discover new assets for a company that was global and acquired a lot of smaller companies. I spent months discovering IP addresses, applications, and domain names owned by our acquisitions.
First, it’s essential to make sure we’re on the same page regarding terminology for domain names. We need to quickly cover the difference between top-level domains, root domains, and subdomains. I’ll use www.example.com for this example:
com: This is the top-level domain (TLD)
example: This is the root...
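To make the three terms concrete in the tool this chapter is about, here is an added Bash example (it is not code from the book): a function that splits a hostname into its TLD, root domain and subdomain labels using only parameter expansion, plus a small wrapper that returns just the root domain so a list of discovered subdomains can be collapsed to the domains they belong to. The hard-coded list of two-label public suffixes (co.uk and friends) is an assumption made for the example; real enumeration should consult the Public Suffix List, because "co.uk" is a suffix and "example" is still the root label in example.co.uk.

```bash
#!/usr/bin/env bash
# Added example, not from the original text: split a hostname into the
# labels defined above (TLD, root domain, subdomain). Pure parameter
# expansion, so it runs cheaply inside an enumeration loop.
#
# Assumption (not in the original): only the few multi-label public
# suffixes listed here are recognised. Use the Public Suffix List for
# real work.
MULTI_LABEL_SUFFIXES="co.uk org.uk ac.uk com.au co.jp"

# split_hostname NAME -> prints "TLD ROOT_DOMAIN SUBDOMAIN" on one line.
# SUBDOMAIN is "-" when NAME is a bare root domain. Returns 1 on a
# single-label name, which is not a domain name we can split.
split_hostname() {
    local host tld rest cand root sub s
    host=${1%.}                                   # drop an FQDN's trailing dot
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')  # DNS is case-insensitive
    case $host in
        *.*) ;;
        *) printf 'not a domain name: %s\n' "$host" >&2; return 1 ;;
    esac
    tld=${host##*.}          # last label
    rest=${host%.*}          # everything before the last label
    # Promote a two-label public suffix: example.co.uk -> tld "co.uk"
    case $rest in
        *.*)
            cand=${rest##*.}.$tld
            for s in $MULTI_LABEL_SUFFIXES; do
                if [ "$cand" = "$s" ]; then
                    tld=$cand
                    rest=${rest%.*}
                    break
                fi
            done ;;
    esac
    # Whatever is left: the last label is the root, anything before it is the subdomain
    case $rest in
        *.*) root=${rest##*.}; sub=${rest%.*} ;;
        *)   root=$rest;       sub=- ;;
    esac
    printf '%s %s %s\n' "$tld" "$root.$tld" "$sub"
}

# root_domain_of NAME -> only the root domain (e.g. for sort -u over a
# list of discovered hosts to see which registered domains they map to).
root_domain_of() {
    split_hostname "$1" | cut -d' ' -f2
}

# Demo on constructed names when the script is run directly.
if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    for n in www.example.com example.com mail.corp.example.co.uk; do
        split_hostname "$n"
    done
fi
```

Source the file and pipe a list of hostnames through `root_domain_of` with `sort -u` to turn a pile of enumerated subdomains into the short list of root domains worth adding to scope.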