Subdomain Enumeration
Zone Transfers
A zone transfer is how a secondary DNS server receives zone information from the primary DNS server and keeps its own copy up to date. DNS servers within a domain are organized in a master-slave arrangement, in which the slaves receive updated DNS information from the master. The master DNS server should be configured to allow zone transfers only from its secondary (slave) DNS servers, but this is sometimes misconfigured.
Manual approach
Identifying Nameservers
neutron@kali[/kali]$ nslookup -type=NS zonetransfer.me
Server: 10.100.0.1
Address: 10.100.0.1#53
Non-authoritative answer:
zonetransfer.me nameserver = nsztm2.digi.ninja.
zonetransfer.me nameserver = nsztm1.digi.ninja.
Testing for ANY and AXFR Zone Transfer
neutron@kali[/kali]$ nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja
Server: nsztm1.digi.ninja
Address: 81.4.108.41#53
zonetransfer.me
origin = nsztm1.digi.ninja
mail addr = robin.digi.ninja
serial = 2019100801
refresh = 172800
retry = 900
expire = 1209600
minimum = 3600
zonetransfer.me hinfo = "Casio fx-700G" "Windows XP"
zonetransfer.me text = "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me mail exchanger = 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me mail exchanger = 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me mail exchanger = 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me mail exchanger = 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me mail exchanger = 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me mail exchanger = 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me mail exchanger = 20 ASPMX5.GOOGLEMAIL.COM.
<SNIP>
Name: alltcpportsopen.firewall.test.zonetransfer.me
Address: 127.0.0.1
testing.zonetransfer.me canonical name = www.zonetransfer.me.
Name: vpn.zonetransfer.me
Address: 174.36.59.154
Name: www.zonetransfer.me
Address: 5.196.105.14
xss.zonetransfer.me text = "'><script>alert('Boo')</script>"
zonetransfer.me
origin = nsztm1.digi.ninja
mail addr = robin.digi.ninja
serial = 2019100801
refresh = 172800
retry = 900
expire = 1209600
minimum = 3600
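To judge what an open transfer actually discloses, the nslookup output above can be turned into an inventory. The following is an added example, not part of the original notes: the function names are hypothetical, and the sample input is built from lines of the output shown above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines taken from the nslookup output on this page.
SAMPLE = """\
Server: nsztm1.digi.ninja
Address: 81.4.108.41#53
zonetransfer.me
origin = nsztm1.digi.ninja
zonetransfer.me mail exchanger = 0 ASPMX.L.GOOGLE.COM.
Name: alltcpportsopen.firewall.test.zonetransfer.me
Address: 127.0.0.1
testing.zonetransfer.me canonical name = www.zonetransfer.me.
Name: vpn.zonetransfer.me
Address: 174.36.59.154
Name: www.zonetransfer.me
Address: 5.196.105.14
xss.zonetransfer.me text = "'><script>alert('Boo')</script>"
"""

# "<owner> <label> = <value>"; SOA fields such as "origin = ..." have no owner.
RECORD = re.compile(
    r"^(\S+)\s+(nameserver|hinfo|text|mail exchanger|canonical name)\s+=\s+(.*)$")

def parse_nslookup_axfr(output, zone):
    """Return {owner: [(label, value), ...]} for owners at or below `zone`."""
    zone = zone.rstrip(".").lower()
    records, pending = defaultdict(list), None
    for line in map(str.strip, output.splitlines()):
        match = RECORD.match(line)
        if line.startswith("Name:"):  # owner of the "Address:" line that follows
            pending = line.split(":", 1)[1].strip().rstrip(".").lower()
            continue
        if line.startswith("Address:") and pending:
            records[pending].append(("address", line.split(":", 1)[1].strip()))
        elif match:
            owner = match.group(1).rstrip(".").lower()
            records[owner].append((match.group(2), match.group(3)))
        pending = None  # the resolver's own "Address:" header has no owner
    return {n: r for n, r in records.items() if n == zone or n.endswith("." + zone)}

def exposed_subdomains(records, zone):
    """Every name below the zone apex that the transfer revealed."""
    return sorted(n for n in records if n != zone.rstrip(".").lower())

def non_public_hosts(records):
    """Names pointing at loopback/private/reserved space (internal detail leaked)."""
    return {name: value for name, recs in records.items() for label, value in recs
            if label == "address" and not ipaddress.ip_address(value).is_global}
```

Run against a transfer of your own zone, the second function lists the names an outsider would learn and the third highlights records that point at internal address space.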