Quick DNS Brute Force Bash Script

I was working on an internal penetration test this week and I was not able to pull DNS records using any of the standard tools (dnsenum, dnsscan, etc.), but direct DNS queries for specific A records seemed to work. So I whipped up a quick basic Bash script to read a txt file line by line for names to attempt and pipe that into bash. Here is what I came up with for anyone who ever finds themselves in need.


cat dns-brute.sh

#!/bin/bash
# Usage: ./dns-brute.sh names.txt
# Read one candidate hostname per line; the "|| [[ -n "$line" ]]" clause
# keeps the last line even if the file has no trailing newline.
while IFS= read -r line || [[ -n "$line" ]]; do
    dig "$line.DOMAIN.LOCAL" +nocomments +noquestion +noauthority +noadditional +nostats @LOCALDNSSERVER.LOCAL
    sleep 2
done < "$1"


root@Rebel:/root/# ./dns-brute.sh dns1.txt | grep "IN"


dig is used for the query.
dns1.txt is a text file with names to check, one per line. The sleep statement just slows it up a bit, to stay under cover.
The grep lets us see just the successful ones, since only answered queries print an "IN" record line.
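The flip side of "stay under cover" is what this looks like from the DNS server. Even with the two-second sleep, one client asking for a long run of distinct names under the same zone is the tell; the delay only spreads it out. Below is an added defender-side example (not part of the original post) that reads BIND-style query log lines and flags clients that queried more than a threshold of distinct names. The log lines are constructed for this example, the IPs and names are made up, and the field positions assume the classic `client IP#PORT: query: NAME IN A ...` layout; adjust the awk field numbers if your server logs a different format.

```shell
#!/bin/sh
# Constructed BIND-style query log sample (not real data): one quiet client,
# one client walking a wordlist under domain.local, one unrelated lookup.
SAMPLE_LOG='16-Jul-2018 19:07:01.001 client 10.0.0.5#51234: query: mail.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:03.120 client 10.0.0.5#51240: query: mail.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:05.004 client 10.0.0.77#40001: query: www.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:07.010 client 10.0.0.77#40002: query: mail.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:09.017 client 10.0.0.77#40003: query: vpn.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:11.023 client 10.0.0.77#40004: query: ftp.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:13.030 client 10.0.0.77#40005: query: dev.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:15.036 client 10.0.0.77#40006: query: intranet.domain.local IN A + (10.0.0.2)
16-Jul-2018 19:07:16.100 client 10.0.0.9#33000: query: fileserver.domain.local IN A + (10.0.0.2)'

# distinct_names_per_client: stdin = query log lines,
# stdout = "<client-ip> <distinct-name-count>", busiest client first.
# Field layout assumed: $3="client" $4="IP#PORT:" $5="query:" $6=queried name
distinct_names_per_client() {
    awk '$5 == "query:" {
            split($4, a, "#")            # strip the source port from "IP#PORT:"
            key = a[1] SUBSEP $6         # one (client, name) pair counts once
            if (!(key in seen)) { seen[key] = 1; n[a[1]]++ }
         }
         END { for (c in n) print c, n[c] }' | sort -k2,2nr -k1,1
}

# flag_enumerators THRESHOLD: stdin = query log lines,
# stdout = client IPs that queried more than THRESHOLD distinct names.
flag_enumerators() {
    distinct_names_per_client | awk -v t="$1" '$2 > t { print $1 }'
}

# Stand-alone usage: show the per-client table, then the flagged clients.
printf '%s\n' "$SAMPLE_LOG" | distinct_names_per_client
printf '%s\n' "$SAMPLE_LOG" | flag_enumerators 3
```

In production you would feed this a real query log (`tail -n 1000 /var/log/named/query.log | ./dns-enum-detect.sh`, for example) and tune the threshold per window; legitimate hosts rarely ask for more than a handful of distinct names under one internal zone in a couple of minutes, while a wordlist run produces dozens.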

Posted on July 16, 2018, 7:07 pm By
Categories: How To, Main