| Title | Author | Created | Published | Tags |
| --- | --- | --- | --- | --- |
| Module 4 - SE Pentesting Toolkit | Jon Marien | May 25, 2025 | May 25, 2025 | [[#skillsontario\|#skillsontario]], [[#competitions\|#competitions]], [[#certifications\|#certifications]], [[#classes\|#classes]] |

# Exercise 1: Conducting a Phishing Campaign Using Social Engineering Toolkit

## Scenario

Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available in underground hacking communities, a social engineering toolkit is a boon for attackers, as it is freely available and can be used to perform spear-phishing attacks, website attacks, etc. Attackers can draft email messages, attach malicious files, and send them to many people using the spear-phishing attack method. The multi-attack method also allows the Java applet, Metasploit browser, Credential Harvester/Tabnabbing, etc. to be used all at once.

Though numerous sorts of attacks can be performed using this toolkit, it is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily within the security community.

As an Information Security Auditor, penetration tester, or security administrator, you should be well versed in the Social Engineering Toolkit to perform phishing attacks, and then identify the employees in your organization who fall prey to such attacks.

---

# **(A) Platform CyberQ Module 4 Lab**

1) Complete the following exercise(s):
   - Exercise 1: Conducting a Phishing Campaign Using Social Engineering Toolkit. For steps 11 to 19, use your discretion.
2) Output/Report: Screenshots of the following steps from the CyberQ Lab Instructions document.
   - Exercise 1: Steps: 10, 21, 22, 23, 25
   - Quiz answers in all exercises

---

# Part A

![[image-319.png]]

![[image-320.png]]

![[image-321.png]]

![[image-322.png]]

![[image-326.png]]

![[image-324.png]]

![[image-325.png]]

![[image-327.png]]

![[image-328.png]]

![[image-329.png]]

After login, redirected to the legitimate site:

![[image-330.png]]

![[image-331.png]]

![[image-333.png]]

> [!answer]-
> ![[image-332.png]]

---

![[image-318.png]]

---

# Lab Setup

I have a Kali installation on my home desktop, but it is through WSL2. If I need a desktop, I can start a VNC Viewer and log in. For now, I have just kept this with the command line. Here is proof:

![[image-334.png]]

I put this within my school folder, and created a new subdirectory for this class and lab.

![[Directory-Making.png|700x385]]

![[image-336.png]]

I used **Perplexity AI** with the model **Claude Sonnet 4**.

---

## Part B.1

### (B.1) Script: WHOIS via Nmap & DNS Records via dnsrecon

#### **Tree of Thoughts:**

- Prompt user for target domain.
- Create output directory.
- Run Nmap WHOIS script on the domain's IP.
- Run `dnsrecon` for DNS records.
- Save outputs in separate files.

```bash
#!/bin/bash

# DNS Interrogation Script - Part B.1
# Performs WHOIS lookup using Nmap and DNS enumeration using dnsrecon

echo "=== DNS Interrogation Tool ==="
echo "This script performs WHOIS lookup and DNS enumeration"
echo

# Check if target domain is provided as argument
if [ $# -eq 0 ]; then
    read -r -p "Enter the target domain (e.g., example.com): " TARGET_DOMAIN
else
    TARGET_DOMAIN="$1"
fi

# Validate domain input
if [ -z "$TARGET_DOMAIN" ]; then
    echo "Error: No domain specified"
    exit 1
fi

echo "Target domain: $TARGET_DOMAIN"
echo

# Create results directory
RESULTS_DIR="DNS_Interrogation_Results"
mkdir -p "$RESULTS_DIR"

echo "Creating directory: $RESULTS_DIR"
echo "Starting reconnaissance..."
echo

# Perform WHOIS lookup using Nmap
echo "=== Performing WHOIS lookup using Nmap ==="
WHOIS_FILE="$RESULTS_DIR/whois_${TARGET_DOMAIN}.txt"
echo "Saving WHOIS results to: $WHOIS_FILE"

# The target is quoted so it is always passed as a single argument
nmap --script whois-ip "$TARGET_DOMAIN" > "$WHOIS_FILE" 2>&1

if [ $? -eq 0 ]; then
    echo "✓ WHOIS lookup completed successfully"
    echo "Preview of WHOIS results:"
    head -20 "$WHOIS_FILE"
else
    echo "✗ WHOIS lookup failed or incomplete"
fi
echo

# Perform DNS enumeration using dnsrecon
echo "=== Performing DNS enumeration using dnsrecon ==="
DNS_FILE="$RESULTS_DIR/dns_records_${TARGET_DOMAIN}.txt"
echo "Saving DNS enumeration results to: $DNS_FILE"

dnsrecon -d "$TARGET_DOMAIN" > "$DNS_FILE" 2>&1

if [ $? -eq 0 ]; then
    echo "✓ DNS enumeration completed successfully"
    echo "Preview of DNS results:"
    head -20 "$DNS_FILE"
else
    echo "✗ DNS enumeration failed or incomplete"
fi
echo

# Additional DNS record collection using dnsrecon with different options
echo "=== Performing comprehensive DNS record collection ==="
COMPREHENSIVE_DNS_FILE="$RESULTS_DIR/comprehensive_dns_${TARGET_DOMAIN}.txt"
echo "Saving comprehensive DNS results to: $COMPREHENSIVE_DNS_FILE"

# Standard enumeration + zone transfer attempt
# (-a and -t axfr both request a zone transfer; no brute force is performed)
dnsrecon -d "$TARGET_DOMAIN" -a -t std,axfr > "$COMPREHENSIVE_DNS_FILE" 2>&1

echo "✓ Comprehensive DNS enumeration completed"
echo

# Summary
echo "=== Summary ==="
echo "Results saved in directory: $RESULTS_DIR"
echo "Files created:"
echo "  - $WHOIS_FILE"
echo "  - $DNS_FILE"
echo "  - $COMPREHENSIVE_DNS_FILE"
echo
echo "Reconnaissance completed for domain: $TARGET_DOMAIN"
```

##### **Explanation:**

- The script asks for a domain (or takes it as the first argument), runs Nmap's `whois-ip` NSE script against it (Nmap resolves the name to an IP itself), and collects DNS info with dnsrecon, saving each output to a separate file in `DNS_Interrogation_Results`. Nmap also runs its default port scan as part of this command, which is why port results appear alongside the WHOIS record.
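The script above reuses whatever is typed at the prompt in command lines and in an output file name, so that value deserves a check before any tool runs. The following is an added example, not part of the original lab or its scripts: `normalize_domain`, `safe_report_path`, the `argc_*` helpers and every sample input are constructed for illustration.

```bash
#!/bin/bash
# Added example: validating the target before it is used in argv and file names.
# All function names and sample inputs here are constructed for illustration.

# Report how many separate arguments a command would receive.
count_args() { echo "$#"; }

# Unquoted expansion (the form `tool $TARGET_DOMAIN`): the value is split on
# whitespace, so extra words in the input become extra arguments to the tool.
# shellcheck disable=SC2086
argc_unquoted() { count_args $1; }

# Quoted expansion: the value is always passed as exactly one argument.
argc_quoted() { count_args "$1"; }

# Print the normalised name (lowercase, no trailing dot) and return 0 when the
# input is a syntactically valid multi-label DNS name; otherwise return 1.
# The body runs in a subshell so the IFS and locale changes do not leak out.
normalize_domain() (
    export LC_ALL=C
    d="${1%.}"                                   # accept one trailing dot
    d="$(printf '%s' "$d" | tr '[:upper:]' '[:lower:]')"
    [ "${#d}" -ge 1 ] && [ "${#d}" -le 253 ] || return 1
    case "$d" in
        *[!a-z0-9.-]*) return 1 ;;   # rejects '/', spaces, quotes, ';', '$', ...
        .*|*.|*..*)    return 1 ;;   # empty labels
        *.*)           ;;            # at least two labels
        *)             return 1 ;;
    esac
    IFS=.
    for label in $d; do
        [ "${#label}" -le 63 ] || return 1
        # No label may start or end with '-'; this also refuses option-like input
        case "$label" in -*|*-) return 1 ;; esac
    done
    printf '%s\n' "$d"
)

# Build an output path from a validated name only, so the file always lands
# inside the results directory (the directory is trusted, the domain is not).
safe_report_path() (
    name="$(normalize_domain "$2")" || return 1
    printf '%s/whois_%s.txt\n' "$1" "$name"
)

# Constructed inputs: one valid name and three that must be refused.
for candidate in 'Example.COM.' 'example.com --extra-flag value' \
                 '../../tmp/report' '-example.com'; do
    if clean="$(normalize_domain "$candidate")"; then
        printf 'accept  %-32s -> %s\n' "$candidate" "$clean"
    else
        printf 'reject  %-32s (unquoted: %s argument(s))\n' \
            "$candidate" "$(argc_unquoted "$candidate")"
    fi
done
```

In a wrapper like the one above, the check would run right after the prompt, and the normalised name would be used for both the tool arguments and the file names.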
#### Script Output:

```output
=== DNS Interrogation Tool ===
This script performs WHOIS lookup and DNS enumeration

Enter the target domain (e.g., example.com): sheridancollege.ca
Target domain: sheridancollege.ca

Creating directory: DNS_Interrogation_Results
Starting reconnaissance...

=== Performing WHOIS lookup using Nmap ===
Saving WHOIS results to: DNS_Interrogation_Results/whois_sheridancollege.ca.txt
✓ WHOIS lookup completed successfully
Preview of WHOIS results:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 22:30 EDT
Nmap scan report for sheridancollege.ca (142.55.7.49)
Host is up (0.0051s latency).
rDNS record for 142.55.7.49: sso-url-traf-prod.sheridanc.on.ca
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| whois-ip: Record found at whois.arin.net
| netrange: 142.55.0.0 - 142.55.255.255
| netname: SHERIDANNET
| orgname: The Sheridan College Institute of Technology and Advanced Learning
| orgid: SHERID-8-Z
| country: CA stateprov: ON
| orgtechname: Sheridan College Information Technology
|_orgtechemail: [email protected]

Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds

=== Performing DNS enumeration using dnsrecon ===
Saving DNS enumeration results to: DNS_Interrogation_Results/dns_records_sheridancollege.ca.txt
✓ DNS enumeration completed successfully
Preview of DNS results:
[*] std: Performing General Enumeration against: sheridancollege.ca...
[-] DNSSEC is not configured for sheridancollege.ca
[*] SOA ns.sheridanc.on.ca 142.55.15.46
[*] NS ns3.sheridanc.on.ca 142.55.35.60
[*] Bind Version for 142.55.35.60 "nameserver"
[*] NS ns1.sheridanc.on.ca 142.55.2.60
[*] Bind Version for 142.55.2.60 "nameserver"
[*] NS ns2.sheridanc.on.ca 142.55.2.61
[*] Bind Version for 142.55.2.61 "nameserver"
[*] NS ns4.sheridanc.on.ca 142.55.35.61
[*] Bind Version for 142.55.35.61 "nameserver"
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.192.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.1
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.2
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::1
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::3
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c944::
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c944::1
[*] A sheridancollege.ca 142.55.7.49

=== Performing comprehensive DNS record collection ===
Saving comprehensive DNS results to: DNS_Interrogation_Results/comprehensive_dns_sheridancollege.ca.txt
✓ Comprehensive DNS enumeration completed

=== Summary ===
Results saved in directory: DNS_Interrogation_Results
Files created:
  - DNS_Interrogation_Results/whois_sheridancollege.ca.txt
  - DNS_Interrogation_Results/dns_records_sheridancollege.ca.txt
  - DNS_Interrogation_Results/comprehensive_dns_sheridancollege.ca.txt

Reconnaissance completed for domain: sheridancollege.ca
```

##### Script File Outputs:

![[image-335.png]]

```output
> cat whois_sheridancollege.ca.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 22:30 EDT
Nmap scan report for sheridancollege.ca (142.55.7.49)
Host is up (0.0051s latency).
rDNS record for 142.55.7.49: sso-url-traf-prod.sheridanc.on.ca
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| whois-ip: Record found at whois.arin.net
| netrange: 142.55.0.0 - 142.55.255.255
| netname: SHERIDANNET
| orgname: The Sheridan College Institute of Technology and Advanced Learning
| orgid: SHERID-8-Z
| country: CA stateprov: ON
| orgtechname: Sheridan College Information Technology
|_orgtechemail: [email protected]

Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds
```

```output
> cat dns_records_sheridancollege.ca.txt
[*] std: Performing General Enumeration against: sheridancollege.ca...
[-] DNSSEC is not configured for sheridancollege.ca
[*] SOA ns.sheridanc.on.ca 142.55.15.46
[*] NS ns3.sheridanc.on.ca 142.55.35.60
[*] Bind Version for 142.55.35.60 "nameserver"
[*] NS ns1.sheridanc.on.ca 142.55.2.60
[*] Bind Version for 142.55.2.60 "nameserver"
[*] NS ns2.sheridanc.on.ca 142.55.2.61
[*] Bind Version for 142.55.2.61 "nameserver"
[*] NS ns4.sheridanc.on.ca 142.55.35.61
[*] Bind Version for 142.55.35.61 "nameserver"
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.192.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.1
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.2
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::1
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::3
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c944::
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c944::1
[*] A sheridancollege.ca 142.55.7.49
[*] TXT sheridancollege.ca e2ma-verification=fywbb
[*] TXT sheridancollege.ca e2ma-verification=jzzcb
[*] TXT sheridancollege.ca v=spf1 ip4:142.55.2.0/24 ip4:142.55.5.0/24 ip4:142.55.45.0/24 ip4:149.72.146.149 ip4:67.210.216.7 ip4:65.39.192.50 ip4:139.60.0.0/24 ip4:139.60.1.0/24 ip4:139.60.2.0/24 ip4:139.60.3.0/24 ip4:176.31.145.254 ip4:72.0.210.56 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 ip4:3.93.92.113 ip4:3.95.92.33 include:spf1.sheridancollege.ca ~all
[*] TXT sheridancollege.ca ecostruxure-it-verification=8a7c3ebd-07d2-47ce-8eb7-166e475095e4
[*] TXT sheridancollege.ca e2ma-verification=axwcb
[*] TXT sheridancollege.ca apple-domain-verification=45CvQSshYcjK4uc0
[*] TXT sheridancollege.ca identrust_validation=zHyyPUcte4m3nVYeMavXEKQ3LKR4D1O7U+41N/F+7y7Q
[*] TXT sheridancollege.ca facebook-domain-verification=exj1tu0vn6xyxfoek9cddx52zd5mcu
[*] TXT sheridancollege.ca e2ma-verification=4qobb
[*] TXT sheridancollege.ca google-site-verification=j2geEyCJ5f6mU7N8B5OPV0K1Ghp0rQLwmAC3qRx74Z4
[*] TXT sheridancollege.ca adobe-idp-site-verification=40cadffa-cefa-46cd-be47-a0b942ced03d
[*] TXT sheridancollege.ca e2ma-verification=95lgb
[*] TXT sheridancollege.ca sUgpyCqIjQ3eVG8P4M68Cwe1hbj9cOEHAuzRqnIZkZMuiX7WM4nA4kPFAwK7ToCXE0mIYOM37Dk9XTpeZ6bHNA==
[*] TXT sheridancollege.ca e2ma-verification=euobb
[*] TXT sheridancollege.ca e2ma-verification=pmybb
[*] TXT sheridancollege.ca e2ma-verification=enybb
[*] TXT sheridancollege.ca facebook-domain-verification=vfmoajv8i8gnytv56kfp20jncepzdo
[*] TXT sheridancollege.ca e2ma-verification=1n2eb
[*] TXT sheridancollege.ca google-site-verification=MP_q3Squ81wIteMQLC0ji0kuJNJ-2DG2y3FDwb4Xoak
[*] TXT sheridancollege.ca e2ma-verification=qawbb
[*] TXT sheridancollege.ca e2ma-verification=f2ifb
[*] TXT sheridancollege.ca ZOOM_verify_y327IoFTGfExkcYkHQiTCb
[*] TXT sheridancollege.ca e2ma-verification=6yogb
[*] TXT sheridancollege.ca identrust_validate=QQg0M1pJ7U6KAv+w+uCNOcp0gPIknvX+gCvjhpqcfXk5
[*] TXT sheridancollege.ca e2ma-verification=04veb
[*] TXT sheridancollege.ca e2ma-verification=2z2cb
[*] TXT sheridancollege.ca e2ma-verification=6vubb
[*] TXT sheridancollege.ca e2ma-verification=9wwcb
[*] TXT sheridancollege.ca e2ma-verification=guobb
[*] TXT sheridancollege.ca e2ma-verification=kurcb
[*] TXT _dmarc.sheridancollege.ca v=DMARC1; p=quarantine; pct=1; rua=mailto:[email protected]; ruf=mailto:[email protected];
[*] Enumerating SRV Records
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.164.184 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.79.248 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.170.72 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.79.136 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:83d::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:284c::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:2858::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:340a::8 443
[+] 8 Records Found
```

```output
> cat comprehensive_dns_sheridancollege.ca.txt
[*] std: Performing General Enumeration against: sheridancollege.ca...
[*] Checking for Zone Transfer for sheridancollege.ca name servers
[*] Resolving SOA Record
[+] SOA ns.sheridanc.on.ca 142.55.15.46
[*] Resolving NS Records
[*] NS Servers found:
[+] NS ns3.sheridanc.on.ca 142.55.35.60
[+] NS ns1.sheridanc.on.ca 142.55.2.60
[+] NS ns2.sheridanc.on.ca 142.55.2.61
[+] NS ns4.sheridanc.on.ca 142.55.35.61
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 142.55.35.60
[+] 142.55.35.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.15.46
[-] Zone Transfer Failed for 142.55.15.46!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 142.55.2.61
[+] 142.55.2.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.35.61
[+] 142.55.35.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.2.60
[+] 142.55.2.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*] Checking for Zone Transfer for sheridancollege.ca name servers
[*] Resolving SOA Record
[+] SOA ns.sheridanc.on.ca 142.55.15.46
[*] Resolving NS Records
[*] NS Servers found:
[+] NS ns3.sheridanc.on.ca 142.55.35.60
[+] NS ns1.sheridanc.on.ca 142.55.2.60
[+] NS ns2.sheridanc.on.ca 142.55.2.61
[+] NS ns4.sheridanc.on.ca 142.55.35.61
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 142.55.35.60
[+] 142.55.35.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.15.46
[-] Zone Transfer Failed for 142.55.15.46!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 142.55.2.61
[+] 142.55.2.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.35.61
[+] 142.55.35.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.2.60
[+] 142.55.2.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[-] DNSSEC is not configured for sheridancollege.ca
[*] SOA ns.sheridanc.on.ca 142.55.15.46
[*] NS ns3.sheridanc.on.ca 142.55.35.60
[*] Bind Version for 142.55.35.60 "nameserver"
[*] NS ns1.sheridanc.on.ca 142.55.2.60
[*] Bind Version for 142.55.2.60 "nameserver"
[*] NS ns2.sheridanc.on.ca 142.55.2.61
[*] Bind Version for 142.55.2.61 "nameserver"
[*] NS ns4.sheridanc.on.ca 142.55.35.61
[*] Bind Version for 142.55.35.61 "nameserver"
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.192.1
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.3
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.192.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::3
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c944::1
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::1
[*] A sheridancollege.ca 142.55.7.49
[*] TXT sheridancollege.ca e2ma-verification=euobb
[*] TXT sheridancollege.ca e2ma-verification=4qobb
[*] TXT sheridancollege.ca e2ma-verification=jzzcb
[*] TXT sheridancollege.ca facebook-domain-verification=vfmoajv8i8gnytv56kfp20jncepzdo
[*] TXT sheridancollege.ca e2ma-verification=04veb
[*] TXT sheridancollege.ca facebook-domain-verification=exj1tu0vn6xyxfoek9cddx52zd5mcu
[*] TXT sheridancollege.ca e2ma-verification=9wwcb
[*] TXT sheridancollege.ca ecostruxure-it-verification=8a7c3ebd-07d2-47ce-8eb7-166e475095e4
[*] TXT sheridancollege.ca google-site-verification=MP_q3Squ81wIteMQLC0ji0kuJNJ-2DG2y3FDwb4Xoak
[*] TXT sheridancollege.ca e2ma-verification=1n2eb
[*] TXT sheridancollege.ca e2ma-verification=fywbb
[*] TXT sheridancollege.ca ZOOM_verify_y327IoFTGfExkcYkHQiTCb
[*] TXT sheridancollege.ca e2ma-verification=6vubb
[*] TXT sheridancollege.ca e2ma-verification=6yogb
[*] TXT sheridancollege.ca e2ma-verification=enybb
[*] TXT sheridancollege.ca google-site-verification=j2geEyCJ5f6mU7N8B5OPV0K1Ghp0rQLwmAC3qRx74Z4
[*] TXT sheridancollege.ca e2ma-verification=guobb
[*] TXT sheridancollege.ca e2ma-verification=axwcb
[*] TXT sheridancollege.ca e2ma-verification=2z2cb
[*] TXT sheridancollege.ca e2ma-verification=kurcb
[*] TXT sheridancollege.ca identrust_validate=QQg0M1pJ7U6KAv+w+uCNOcp0gPIknvX+gCvjhpqcfXk5
[*] TXT sheridancollege.ca e2ma-verification=pmybb
[*] TXT sheridancollege.ca adobe-idp-site-verification=40cadffa-cefa-46cd-be47-a0b942ced03d
[*] TXT sheridancollege.ca apple-domain-verification=45CvQSshYcjK4uc0
[*] TXT sheridancollege.ca identrust_validation=zHyyPUcte4m3nVYeMavXEKQ3LKR4D1O7U+41N/F+7y7Q
[*] TXT sheridancollege.ca e2ma-verification=f2ifb
[*] TXT sheridancollege.ca sUgpyCqIjQ3eVG8P4M68Cwe1hbj9cOEHAuzRqnIZkZMuiX7WM4nA4kPFAwK7ToCXE0mIYOM37Dk9XTpeZ6bHNA==
[*] TXT sheridancollege.ca v=spf1 ip4:142.55.2.0/24 ip4:142.55.5.0/24 ip4:142.55.45.0/24 ip4:149.72.146.149 ip4:67.210.216.7 ip4:65.39.192.50 ip4:139.60.0.0/24 ip4:139.60.1.0/24 ip4:139.60.2.0/24 ip4:139.60.3.0/24 ip4:176.31.145.254 ip4:72.0.210.56 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 ip4:3.93.92.113 ip4:3.95.92.33 include:spf1.sheridancollege.ca ~all
[*] TXT sheridancollege.ca e2ma-verification=95lgb
[*] TXT sheridancollege.ca e2ma-verification=qawbb
[*] TXT _dmarc.sheridancollege.ca v=DMARC1; p=quarantine; pct=1; rua=mailto:[email protected]; ruf=mailto:[email protected];
[*] Enumerating SRV Records
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.157.72 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.79.152 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.79.104 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.157.56 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:805::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:2852::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:340a::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:2855::8 443
[+] 8 Records Found
[*] Checking for Zone Transfer for sheridancollege.ca name servers
[*] Resolving SOA Record
[+] SOA ns.sheridanc.on.ca 142.55.15.46
[*] Resolving NS Records
[*] NS Servers found:
[+] NS ns3.sheridanc.on.ca 142.55.35.60
[+] NS ns4.sheridanc.on.ca 142.55.35.61
[+] NS ns1.sheridanc.on.ca 142.55.2.60
[+] NS ns2.sheridanc.on.ca 142.55.2.61
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 142.55.35.60
[+] 142.55.35.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.15.46
[-] Zone Transfer Failed for 142.55.15.46!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 142.55.2.61
[+] 142.55.2.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.35.61
[+] 142.55.35.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.2.60
[+] 142.55.2.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
```

---

## Part B.2

### (B.2) Script: Full DNS/WHOIS/Enumeration Recon

#### **Tree of Thoughts:**

- Prompt for target domain.
- Run `dnsmap` for subdomains.
- Run `urlcrazy` for parallel domains.
- Run `whois` for WHOIS data.
- Run `dnsrecon` for DNS records.
- Use `dig` for NS servers and zone transfer attempts.
- Use Cloudflare DNS where required.
- Output all results into a single, clearly labeled file.

```bash
#!/bin/bash

# Comprehensive Domain Enumeration Script - Part B.2
# Performs multiple types of enumeration using various tools

echo "=== Comprehensive Domain Enumeration Tool ==="
echo "This script performs extensive domain reconnaissance"
echo

# Get target domain
read -r -p "Enter the target domain (e.g., example.com): " TARGET_DOMAIN

if [ -z "$TARGET_DOMAIN" ]; then
    echo "Error: No domain specified"
    exit 1
fi

echo "Target domain: $TARGET_DOMAIN"
echo

# Output file
OUTPUT_FILE="comprehensive_enumeration_${TARGET_DOMAIN}.txt"
CLOUDFLARE_DNS="1.1.1.1"

# Name servers found in step 5; stays empty if dig is unavailable
NS_SERVERS=""

# Initialize output file
cat > "$OUTPUT_FILE" << EOF
=================================================================
COMPREHENSIVE DOMAIN ENUMERATION REPORT
=================================================================
Target Domain: $TARGET_DOMAIN
Date: $(date)
=================================================================

EOF

echo "Starting comprehensive enumeration..."
echo "Results will be saved to: $OUTPUT_FILE"
echo

# Function to add section header
add_section() {
    echo "" >> "$OUTPUT_FILE"
    echo "========================================" >> "$OUTPUT_FILE"
    echo "$1" >> "$OUTPUT_FILE"
    echo "========================================" >> "$OUTPUT_FILE"
    echo "" >> "$OUTPUT_FILE"
}

# 1. Subdomain enumeration using dnsmap
echo "=== 1. Subdomain Enumeration (dnsmap) ==="
add_section "1. SUBDOMAIN ENUMERATION (DNSMAP)"
echo "Running dnsmap for subdomain discovery..."

if command -v dnsmap &> /dev/null; then
    dnsmap "$TARGET_DOMAIN" >> "$OUTPUT_FILE" 2>&1
    echo "✓ Subdomain enumeration completed"
else
    echo "dnsmap not found, skipping..." >> "$OUTPUT_FILE"
    echo "✗ dnsmap not available"
fi
echo

# 2. Parallel domains using urlcrazy
echo "=== 2. Parallel Domain Discovery (urlcrazy) ==="
add_section "2. PARALLEL DOMAIN DISCOVERY (URLCRAZY)"
echo "Running urlcrazy for typosquatting domains..."

if command -v urlcrazy &> /dev/null; then
    urlcrazy -p "$TARGET_DOMAIN" >> "$OUTPUT_FILE" 2>&1
    echo "✓ Parallel domain discovery completed"
else
    echo "urlcrazy not found, skipping..." >> "$OUTPUT_FILE"
    echo "✗ urlcrazy not available"
fi
echo

# 3. WHOIS lookup
echo "=== 3. WHOIS Lookup ==="
add_section "3. WHOIS LOOKUP DATA"
echo "Performing WHOIS lookup..."

if command -v whois &> /dev/null; then
    whois "$TARGET_DOMAIN" >> "$OUTPUT_FILE" 2>&1
    echo "✓ WHOIS lookup completed"
else
    echo "whois not found, skipping..." >> "$OUTPUT_FILE"
    echo "✗ whois not available"
fi
echo

# 4. DNS records using dnsrecon
echo "=== 4. DNS Records Enumeration (dnsrecon) ==="
add_section "4. DNS RECORDS ENUMERATION (DNSRECON)"
echo "Running dnsrecon for comprehensive DNS enumeration..."

if command -v dnsrecon &> /dev/null; then
    dnsrecon -d "$TARGET_DOMAIN" -t std,axfr,bing,yand >> "$OUTPUT_FILE" 2>&1
    echo "✓ DNS records enumeration completed"
else
    echo "dnsrecon not found, skipping..." >> "$OUTPUT_FILE"
    echo "✗ dnsrecon not available"
fi
echo

# 5. NS servers using dig
echo "=== 5. Name Server Discovery (dig) ==="
add_section "5. NAME SERVER DISCOVERY (DIG)"
echo "Discovering name servers..."

if command -v dig &> /dev/null; then
    echo "NS Records:" >> "$OUTPUT_FILE"
    dig "@$CLOUDFLARE_DNS" "$TARGET_DOMAIN" NS +short >> "$OUTPUT_FILE" 2>&1
    echo "" >> "$OUTPUT_FILE"

    echo "Detailed NS Records:" >> "$OUTPUT_FILE"
    dig "@$CLOUDFLARE_DNS" "$TARGET_DOMAIN" NS >> "$OUTPUT_FILE" 2>&1

    # Store NS servers for zone transfer test
    NS_SERVERS=$(dig "@$CLOUDFLARE_DNS" "$TARGET_DOMAIN" NS +short)
    echo "✓ Name server discovery completed"
else
    echo "dig not found, skipping..." >> "$OUTPUT_FILE"
    echo "✗ dig not available"
fi
echo

# 6. Zone transfer attempts
echo "=== 6. Zone Transfer Attempts ==="
add_section "6. ZONE TRANSFER ATTEMPTS"
echo "Attempting zone transfers..."

if command -v dig &> /dev/null && [ -n "$NS_SERVERS" ]; then
    # NS_SERVERS is a whitespace-separated list, so it is left unquoted here
    for ns in $NS_SERVERS; do
        echo "Attempting zone transfer from: $ns" >> "$OUTPUT_FILE"
        echo "----------------------------------------" >> "$OUTPUT_FILE"
        dig "@$ns" "$TARGET_DOMAIN" AXFR >> "$OUTPUT_FILE" 2>&1
        echo "" >> "$OUTPUT_FILE"
    done
    echo "✓ Zone transfer attempts completed"
else
    echo "Cannot perform zone transfers - dig unavailable or no NS servers found" >> "$OUTPUT_FILE"
    echo "✗ Zone transfer attempts skipped"
fi
echo

# Add completion timestamp
echo "" >> "$OUTPUT_FILE"
echo "========================================" >> "$OUTPUT_FILE"
echo "ENUMERATION COMPLETED: $(date)" >> "$OUTPUT_FILE"
echo "========================================" >> "$OUTPUT_FILE"

echo "=== Enumeration Complete ==="
echo "All results saved to: $OUTPUT_FILE"
echo "Summary of sections:"
echo "  1. Subdomain Enumeration (dnsmap)"
echo "  2. Parallel Domain Discovery (urlcrazy)"
echo "  3. WHOIS Lookup Data"
echo "  4. DNS Records Enumeration (dnsrecon)"
echo "  5. Name Server Discovery (dig)"
echo "  6. Zone Transfer Attempts"
echo
echo "Review the output file for detailed results."
```

##### **Explanation:**

- Each section is labeled, tools are run sequentially, and results are appended to a single file. NS servers are extracted and used for AXFR (zone transfer) attempts.
- The ✓ messages only show that a tool was found and launched. The script does not check exit codes, so a tool that fails (as urlcrazy does in the report file below) is still reported as completed.

#### Script Output:

```output
=== Comprehensive Domain Enumeration Tool ===
This script performs extensive domain reconnaissance

Enter the target domain (e.g., example.com): sheridancollege.ca
Target domain: sheridancollege.ca

Starting comprehensive enumeration...
Results will be saved to: comprehensive_enumeration_sheridancollege.ca.txt

=== 1. Subdomain Enumeration (dnsmap) ===
Running dnsmap for subdomain discovery...
✓ Subdomain enumeration completed

=== 2. Parallel Domain Discovery (urlcrazy) ===
Running urlcrazy for typosquatting domains...
✓ Parallel domain discovery completed

=== 3. WHOIS Lookup ===
Performing WHOIS lookup...
✓ WHOIS lookup completed

=== 4. DNS Records Enumeration (dnsrecon) ===
Running dnsrecon for comprehensive DNS enumeration...
✓ DNS records enumeration completed

=== 5. Name Server Discovery (dig) ===
Discovering name servers...
✓ Name server discovery completed

=== 6. Zone Transfer Attempts ===
Attempting zone transfers...
✓ Zone transfer attempts completed

=== Enumeration Complete ===
All results saved to: comprehensive_enumeration_sheridancollege.ca.txt
Summary of sections:
  1. Subdomain Enumeration (dnsmap)
  2. Parallel Domain Discovery (urlcrazy)
  3. WHOIS Lookup Data
  4. DNS Records Enumeration (dnsrecon)
  5. Name Server Discovery (dig)
  6. Zone Transfer Attempts

Review the output file for detailed results.
```

##### Script File Output:

![[image-337.png]]

```output
> cat comprehensive_enumeration_sheridancollege.ca.txt
=================================================================
COMPREHENSIVE DOMAIN ENUMERATION REPORT
=================================================================
Target Domain: sheridancollege.ca
Date: Sun May 25 10:31:17 PM EDT 2025
=================================================================


========================================
1. SUBDOMAIN ENUMERATION (DNSMAP)
========================================

dnsmap 0.36 - DNS Network Mapper

[+] searching (sub)domains for sheridancollege.ca using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

access.sheridancollege.ca
IP address #1: 142.55.7.65

ad.sheridancollege.ca
IP address #1: 142.55.7.27
IP address #2: 142.55.47.27

blog.sheridancollege.ca
IP address #1: 142.55.2.53

cb.sheridancollege.ca
IP address #1: 142.55.7.49
IP address #2: 142.55.47.49

ce.sheridancollege.ca
IP address #1: 142.55.47.49
IP address #2: 142.55.7.49

e.sheridancollege.ca
IP address #1: 13.111.67.8

ft.sheridancollege.ca
IP address #1: 142.55.7.49
IP address #2: 142.55.47.49

go.sheridancollege.ca
IP address #1: 142.55.2.63

it.sheridancollege.ca
IP address #1: 142.55.2.63

library.sheridancollege.ca
IP address #1: 142.55.7.49
IP address #2: 142.55.47.49

mail.sheridancollege.ca
IP address #1: 142.55.7.70

marketing.sheridancollege.ca
IP address #1: 142.55.47.49
IP address #2: 142.55.7.49

mobile.sheridancollege.ca
IP address #1: 142.55.47.49
IP address #2: 142.55.7.49

my.sheridancollege.ca
IP address #1: 142.55.2.63

net.sheridancollege.ca
IP address #1: 142.55.2.63

oh.sheridancollege.ca
IP address #1: 142.55.47.49
IP address #2: 142.55.7.49

online.sheridancollege.ca
IPv6 address #1: 2606:4700::6812:159a
IPv6 address #2: 2606:4700::6812:149a

online.sheridancollege.ca
IP address #1: 104.18.21.154
IP address #2: 104.18.20.154

photo.sheridancollege.ca
IP address #1: 142.55.7.49
IP address #2: 142.55.47.49

portal.sheridancollege.ca
IP address #1: 142.55.2.63

research.sheridancollege.ca
IP address #1: 142.55.47.49
IP address #2: 142.55.7.49

sc.sheridancollege.ca
IP address #1: 142.55.7.49
IP address #2: 142.55.47.49

search.sheridancollege.ca
IP address #1: 142.55.2.65
IP address #2: 142.55.35.65

support.sheridancollege.ca
IP address #1: 20.220.13.120

tv.sheridancollege.ca
IP address #1: 142.55.47.49
IP address #2: 142.55.7.49

vpn.sheridancollege.ca
IP address #1: 142.55.3.2
IP address #2: 142.55.0.2

web.sheridancollege.ca
IP address #1: 142.55.2.57

www.sheridancollege.ca
IP address #1: 52.228.84.35

xd.sheridancollege.ca
IP address #1: 142.55.47.49
IP address #2: 142.55.7.49

[+] 29 (sub)domains and 46 IP address(es) found
[+] completion time: 150 second(s)

========================================
2. PARALLEL DOMAIN DISCOVERY (URLCRAZY)
========================================

/usr/share/urlcrazy/country.rb:18:in `startup': undefined method `exists?' for class File (NoMethodError)

  if File.exists?(country_db)
         ^^^^^^^^
Did you mean? exist?
        from ./urlcrazy:841:in `<main>'
Warning. File descriptor limit may be too low. Check with `ulimit -a` and change with `ulimit -n 10000`

URLCrazy Domain Report
Domain : sheridancollege.ca
Keyboard : qwerty
At : 2025-05-25 22:33:47 -0400

========================================
3. WHOIS LOOKUP DATA
========================================

Domain Name: sheridancollege.ca
Registry Domain ID: D151804-CIRA
Registrar WHOIS Server: whois.ca.fury.ca
Registrar URL: www.internic.ca
Updated Date: 2025-05-14T04:02:14Z
Creation Date: 2003-05-14T15:08:20Z
Registry Expiry Date: 2026-05-14T04:00:00Z
Registrar: Internic.ca Inc.
Registrar IANA ID: not applicable
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6132252000
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registry Registrant ID: 62399408-CIRA
Registrant Name: Sheridan College
Registrant Organization:
Registrant Street: 1430 Trafalgar Road
Registrant City: Oakville
Registrant State/Province: ON
Registrant Postal Code: L6H2L1
Registrant Country: CA
Registrant Phone: +1.9058459430
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID: 1257801-CIRA
Admin Name: James Duncan
Admin Organization: The Sheridan College Institute of Technology and Advanced Learning
Admin Street: 1430 Trafalgar Road
Admin City: Oakville
Admin State/Province: ON
Admin Postal Code: L6H2L1
Admin Country: CA
Admin Phone: +1.9058459430
Admin Phone Ext: 2556
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID: 62395625-CIRA
Tech Name: Ian Colquhoun
Tech Organization: The Sheridan College Institute of Technology and Advanced Learning
Tech Street: 1430 Trafalgar Road
Tech City: Oakville
Tech State/Province: ON
Tech Postal Code: L6H2L1
Tech Country: CA
Tech Phone: +1.9058459430
Tech Phone Ext: 4130
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Registry Billing ID:
Billing Name:
Billing Organization:
Billing Street:
Billing City:
Billing State/Province:
Billing Postal Code:
Billing Country:
Billing Phone:
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email:
Name Server: ns1.sheridanc.on.ca
Name Server: ns2.sheridanc.on.ca
Name Server: ns3.sheridanc.on.ca
Name Server: ns4.sheridanc.on.ca
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2025-05-26T02:33:48Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

%
% Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal
% Notice, available at http://www.cira.ca/legal-notice/?lang=en
%
% (c) 2025 Canadian Internet Registration Authority, (http://www.cira.ca/)

========================================
4. DNS RECORDS ENUMERATION (DNSRECON)
========================================
[*] std: Performing General Enumeration against: sheridancollege.ca...
[-] DNSSEC is not configured for sheridancollege.ca
[*] SOA ns.sheridanc.on.ca 142.55.15.46
[*] NS ns3.sheridanc.on.ca 142.55.35.60
[*] Bind Version for 142.55.35.60 "nameserver"
[*] NS ns1.sheridanc.on.ca 142.55.2.60
[*] Bind Version for 142.55.2.60 "nameserver"
[*] NS ns2.sheridanc.on.ca 142.55.2.61
[*] Bind Version for 142.55.2.61 "nameserver"
[*] NS ns4.sheridanc.on.ca 142.55.35.61
[*] Bind Version for 142.55.35.61 "nameserver"
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.2
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.190.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.192.0
[*] MX sheridancollege-ca.mail.protection.outlook.com 52.101.192.1
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::2
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::1
[*] MX sheridancollege-ca.mail.protection.outlook.com 2a01:111:f403:c942::3
[*] A sheridancollege.ca 142.55.7.49
[*] TXT sheridancollege.ca e2ma-verification=qawbb
[*] TXT sheridancollege.ca e2ma-verification=9wwcb
[*] TXT sheridancollege.ca identrust_validate=QQg0M1pJ7U6KAv+w+uCNOcp0gPIknvX+gCvjhpqcfXk5
[*] TXT sheridancollege.ca e2ma-verification=fywbb
[*] TXT sheridancollege.ca e2ma-verification=kurcb
[*] TXT sheridancollege.ca ZOOM_verify_y327IoFTGfExkcYkHQiTCb
[*] TXT sheridancollege.ca e2ma-verification=04veb
[*] TXT sheridancollege.ca facebook-domain-verification=exj1tu0vn6xyxfoek9cddx52zd5mcu
[*] TXT sheridancollege.ca sUgpyCqIjQ3eVG8P4M68Cwe1hbj9cOEHAuzRqnIZkZMuiX7WM4nA4kPFAwK7ToCXE0mIYOM37Dk9XTpeZ6bHNA==
[*] TXT sheridancollege.ca ecostruxure-it-verification=8a7c3ebd-07d2-47ce-8eb7-166e475095e4
[*] TXT sheridancollege.ca apple-domain-verification=45CvQSshYcjK4uc0
[*] TXT sheridancollege.ca e2ma-verification=1n2eb
[*] TXT sheridancollege.ca google-site-verification=MP_q3Squ81wIteMQLC0ji0kuJNJ-2DG2y3FDwb4Xoak
[*] TXT sheridancollege.ca e2ma-verification=enybb
[*] TXT sheridancollege.ca e2ma-verification=guobb
[*] TXT sheridancollege.ca google-site-verification=j2geEyCJ5f6mU7N8B5OPV0K1Ghp0rQLwmAC3qRx74Z4
[*] TXT sheridancollege.ca e2ma-verification=pmybb
[*] TXT sheridancollege.ca e2ma-verification=4qobb
[*] TXT sheridancollege.ca e2ma-verification=jzzcb
[*] TXT sheridancollege.ca e2ma-verification=6vubb
[*] TXT sheridancollege.ca e2ma-verification=6yogb
[*] TXT sheridancollege.ca facebook-domain-verification=vfmoajv8i8gnytv56kfp20jncepzdo
[*] TXT sheridancollege.ca adobe-idp-site-verification=40cadffa-cefa-46cd-be47-a0b942ced03d
[*] TXT sheridancollege.ca e2ma-verification=95lgb
[*] TXT sheridancollege.ca v=spf1 ip4:142.55.2.0/24 ip4:142.55.5.0/24 ip4:142.55.45.0/24 ip4:149.72.146.149 ip4:67.210.216.7 ip4:65.39.192.50 ip4:139.60.0.0/24 ip4:139.60.1.0/24 ip4:139.60.2.0/24 ip4:139.60.3.0/24 ip4:176.31.145.254 ip4:72.0.210.56 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 ip4:3.93.92.113 ip4:3.95.92.33 include:spf1.sheridancollege.ca ~all
[*] TXT sheridancollege.ca e2ma-verification=euobb
[*] TXT sheridancollege.ca e2ma-verification=2z2cb
[*] TXT sheridancollege.ca e2ma-verification=f2ifb
[*] TXT sheridancollege.ca e2ma-verification=axwcb
[*] TXT sheridancollege.ca identrust_validation=zHyyPUcte4m3nVYeMavXEKQ3LKR4D1O7U+41N/F+7y7Q
[*] TXT _dmarc.sheridancollege.ca v=DMARC1; p=quarantine; pct=1; rua=mailto:[email protected]; ruf=mailto:[email protected];
[*] Enumerating SRV Records
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.79.248 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.79.232 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.191.8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.170.88 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.191.232 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.157.152 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.157.120 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 52.96.191.200 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:2851::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:30af::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:83c::8 443
[+] SRV _autodiscover._tcp.sheridancollege.ca autodiscover.outlook.com 2603:1036:304:86e::8 443
[+] 12 Records Found
[*] yand: Performing Yandex Search Enumeration against sheridancollege.ca...
[*] bing: Performing Bing Search Enumeration against sheridancollege.ca...
[*] CNAME open.sheridancollege.ca opensheridan.brightspace.com
[*] A opensheridan.brightspace.com 3.98.93.56
[*] A opensheridan.brightspace.com 15.222.194.45
[*] CNAME myotr.sheridancollege.ca www-acad.sheridancollege.ca
[*] A www-acad.sheridancollege.ca 142.55.2.90
[*] CNAME slate.sheridancollege.ca slate-sheridan.desire2learn.com
[*] A slate-sheridan.desire2learn.com 15.222.194.45
[*] A slate-sheridan.desire2learn.com 3.98.93.56
[*] A aimsapp.sheridancollege.ca 52.138.35.42
[*] A support.sheridancollege.ca 20.220.13.120
[*] CNAME vpn.sheridancollege.ca vpn-external.dyn-isg.sheridancollege.ca
[*] A vpn-external.dyn-isg.sheridancollege.ca 142.55.3.2
[*] A vpn-external.dyn-isg.sheridancollege.ca 142.55.0.2
[*] A jobs.sheridancollege.ca 20.175.153.133
[*] CNAME workspaces.sheridancollege.ca miscweb.dyn.sheridancollege.ca
[*] A miscweb.dyn.sheridancollege.ca 142.55.35.65
[*] A miscweb.dyn.sheridancollege.ca 142.55.2.65
[*] CNAME caps.sheridancollege.ca sheridancollege.augusoft.net
[*] CNAME sheridancollege.augusoft.net prod2-alb-805818565.ca-central-1.elb.amazonaws.com
[*] A prod2-alb-805818565.ca-central-1.elb.amazonaws.com 15.156.191.135
[*] A prod2-alb-805818565.ca-central-1.elb.amazonaws.com 3.98.41.221
[*] CNAME www.sheridancollege.ca it-cclz-sitecore-prod-236910-cd.azurewebsites.net
[*] CNAME it-cclz-sitecore-prod-236910-cd.azurewebsites.net waws-prod-yt1-031.sip.azurewebsites.windows.net
[*] CNAME waws-prod-yt1-031.sip.azurewebsites.windows.net waws-prod-yt1-031-2f30.canadacentral.cloudapp.azure.com
[*] A waws-prod-yt1-031-2f30.canadacentral.cloudapp.azure.com 52.228.84.35
[*] A internationalapplication.sheridancollege.ca 4.205.221.143
[*] CNAME it.sheridancollege.ca domweb.sheridancollege.ca
[*] A domweb.sheridancollege.ca 142.55.2.63
[*] CNAME ltsa.sheridancollege.ca schapblb.dyn.sheridancollege.ca
[*] A schapblb.dyn.sheridancollege.ca 142.55.47.199
[*] A schapblb.dyn.sheridancollege.ca 142.55.7.199
[*] CNAME sheridanworks.sheridancollege.ca sheridan.orbissites.com
[*] A sheridan.orbissites.com 4.174.198.154
[*] CNAME media-www.sheridancollege.ca it-cclz-sitecore-prod-236910-cdn-endpoint.azureedge.net
[*] CNAME it-cclz-sitecore-prod-236910-cdn-endpoint.azureedge.net it-cclz-sitecore-prod-236910-cdn-endpoint.afd.azureedge.net
[*] CNAME it-cclz-sitecore-prod-236910-cdn-endpoint.afd.azureedge.net azureedge-t-prod.trafficmanager.net
[*] CNAME azureedge-t-prod.trafficmanager.net shed.dual-low.s-part-0023.t-0009.t-msedge.net
[*] CNAME shed.dual-low.s-part-0023.t-0009.t-msedge.net s-part-0023.t-0009.t-msedge.net
[*] A s-part-0023.t-0009.t-msedge.net 13.107.246.51
[*] CNAME media-www.sheridancollege.ca it-cclz-sitecore-prod-236910-cdn-endpoint.azureedge.net
[*] CNAME it-cclz-sitecore-prod-236910-cdn-endpoint.azureedge.net it-cclz-sitecore-prod-236910-cdn-endpoint.afd.azureedge.net
[*] CNAME it-cclz-sitecore-prod-236910-cdn-endpoint.afd.azureedge.net azureedge-t-prod.trafficmanager.net
[*] CNAME azureedge-t-prod.trafficmanager.net shed.dual-low.s-part-0023.t-0009.t-msedge.net
[*] CNAME shed.dual-low.s-part-0023.t-0009.t-msedge.net s-part-0023.t-0009.t-msedge.net
[*] CNAME completebba.sheridancollege.ca webnet2.sheridancollege.ca
[*] A webnet2.sheridancollege.ca 142.55.2.51
[*] CNAME source.sheridancollege.ca dcsheridan.bepress.com
[*] A dcsheridan.bepress.com 50.18.241.247
[*] A dcsheridan.bepress.com 13.57.92.51
[*] CNAME campus.sheridancollege.ca shcocp1d-publbaas001.opc.oracleoutsourcing.com
[*] A shcocp1d-publbaas001.opc.oracleoutsourcing.com 40.233.73.62
[*] CNAME openhouse.sheridancollege.ca 2ec56af16f78400d968e10ec3d33264a.unbouncepages.com
[*] A 2ec56af16f78400d968e10ec3d33264a.unbouncepages.com 104.18.34.21
[*] A 2ec56af16f78400d968e10ec3d33264a.unbouncepages.com 172.64.153.235
[*] CNAME viewbook.sheridancollege.ca s1.foleon.com
[*] A s1.foleon.com 34.111.126.37
[*] CNAME viewbook.sheridancollege.ca s1.foleon.com
[*] CNAME onecardphoto.sheridancollege.ca photoconsent.sheridancollege.ca
[*] A photoconsent.sheridancollege.ca 142.55.2.197
[*] CNAME www-uat.sheridancollege.ca it-cclz-sitecore-uat-314830-cd.azurewebsites.net
[*] CNAME it-cclz-sitecore-uat-314830-cd.azurewebsites.net waws-prod-yt1-045.sip.azurewebsites.windows.net
[*] CNAME waws-prod-yt1-045.sip.azurewebsites.windows.net waws-prod-yt1-045-8f34.canadacentral.cloudapp.azure.com
[*] A waws-prod-yt1-045-8f34.canadacentral.cloudapp.azure.com 20.48.202.163
[*] CNAME media-www-uat.sheridancollege.ca it-cclz-sitecore-uat-314830-cdn-endpoint.azureedge.net
[*] CNAME it-cclz-sitecore-uat-314830-cdn-endpoint.azureedge.net it-cclz-sitecore-uat-314830-cdn-endpoint.afd.azureedge.net
[*] CNAME it-cclz-sitecore-uat-314830-cdn-endpoint.afd.azureedge.net azureedge-t-prod.trafficmanager.net
[*] CNAME azureedge-t-prod.trafficmanager.net shed.dual-low.s-part-0023.t-0009.t-msedge.net
[*] CNAME shed.dual-low.s-part-0023.t-0009.t-msedge.net s-part-0023.t-0009.t-msedge.net
[*] A s-part-0023.t-0009.t-msedge.net 13.107.246.51
[*] CNAME media-www-uat.sheridancollege.ca it-cclz-sitecore-uat-314830-cdn-endpoint.azureedge.net
[*] CNAME it-cclz-sitecore-uat-314830-cdn-endpoint.azureedge.net it-cclz-sitecore-uat-314830-cdn-endpoint.afd.azureedge.net
[*] CNAME it-cclz-sitecore-uat-314830-cdn-endpoint.afd.azureedge.net azureedge-t-prod.trafficmanager.net
[*] CNAME azureedge-t-prod.trafficmanager.net shed.dual-low.s-part-0023.t-0009.t-msedge.net
[*] CNAME shed.dual-low.s-part-0023.t-0009.t-msedge.net s-part-0023.t-0009.t-msedge.net
[*] CNAME ctl.sheridancollege.ca schapblb.dyn.sheridancollege.ca
[*] A schapblb.dyn.sheridancollege.ca 142.55.47.199
[*] A schapblb.dyn.sheridancollege.ca 142.55.7.199
[*] CNAME epark.sheridancollege.ca aimsweb.sheridancollege.ca
[*] A aimsweb.sheridancollege.ca 52.156.7.207
[*] CNAME sheridan2024.sheridancollege.ca sso-url-prod.dyn.sheridancollege.ca
[*] A sso-url-prod.dyn.sheridancollege.ca 142.55.47.49
[*] A sso-url-prod.dyn.sheridancollege.ca 142.55.7.49
[*] CNAME edge.sheridancollege.ca blog2.sheridanc.on.ca
[*] A blog2.sheridanc.on.ca 142.55.2.66
[+] 84 Records Found
[*] Checking for Zone Transfer for sheridancollege.ca name servers
[*] Resolving SOA Record
[+] SOA ns.sheridanc.on.ca 142.55.15.46
[*] Resolving NS Records
[*] NS Servers found:
[+] NS ns3.sheridanc.on.ca 142.55.35.60
[+] NS ns1.sheridanc.on.ca 142.55.2.60
[+] NS ns2.sheridanc.on.ca 142.55.2.61
[+] NS ns4.sheridanc.on.ca 142.55.35.61
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 142.55.35.60
[+] 142.55.35.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.2.61
[+] 142.55.2.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.2.60
[+] 142.55.2.60 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 142.55.15.46
[-] Zone Transfer Failed for 142.55.15.46!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 142.55.35.61
[+] 142.55.35.61 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)

========================================
5. NAME SERVER DISCOVERY (DIG)
========================================
NS Records:
ns3.sheridanc.on.ca.
ns1.sheridanc.on.ca.
ns2.sheridanc.on.ca.
ns4.sheridanc.on.ca.

Detailed NS Records:

; <<>> DiG 9.20.8-6-Debian <<>> @1.1.1.1 sheridancollege.ca NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35664
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;sheridancollege.ca. IN NS

;; ANSWER SECTION:
sheridancollege.ca. 3600 IN NS ns2.sheridanc.on.ca.
sheridancollege.ca. 3600 IN NS ns4.sheridanc.on.ca.
sheridancollege.ca. 3600 IN NS ns1.sheridanc.on.ca.
sheridancollege.ca. 3600 IN NS ns3.sheridanc.on.ca.
;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun May 25 22:36:50 EDT 2025
;; MSG SIZE rcvd: 138

========================================
6. ZONE TRANSFER ATTEMPTS
========================================
Attempting zone transfer from: ns3.sheridanc.on.ca.
----------------------------------------

; <<>> DiG 9.20.8-6-Debian <<>> @ns3.sheridanc.on.ca. sheridancollege.ca AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.

Attempting zone transfer from: ns1.sheridanc.on.ca.
----------------------------------------

; <<>> DiG 9.20.8-6-Debian <<>> @ns1.sheridanc.on.ca. sheridancollege.ca AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.

Attempting zone transfer from: ns2.sheridanc.on.ca.
----------------------------------------

; <<>> DiG 9.20.8-6-Debian <<>> @ns2.sheridanc.on.ca. sheridancollege.ca AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.

Attempting zone transfer from: ns4.sheridanc.on.ca.
----------------------------------------

; <<>> DiG 9.20.8-6-Debian <<>> @ns4.sheridanc.on.ca. sheridancollege.ca AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.

========================================
ENUMERATION COMPLETED: Sun May 25 10:36:50 PM EDT 2025
========================================
```

---

## Part B.3

### (B.3) Script: nslookup DNS Record Enumeration

#### **Tree of Thoughts:**

- Prompt for domain and DNS server.
- Query for A, AAAA, MX, NS, SOA, CNAME, TXT records.
- Collect IPv4 addresses, then perform reverse lookups.
- Output is both displayed and saved to a file, section by section.

```bash
#!/bin/bash

# NSLookup DNS Enumeration Script - Part B.3
# Comprehensive DNS record enumeration using nslookup

echo "=== NSLookup DNS Enumeration Tool ==="
echo "This script performs detailed DNS enumeration using nslookup"
echo

# Get user inputs
read -r -p "Enter the target domain (e.g., example.com): " TARGET_DOMAIN
read -r -p "Enter DNS server to use (e.g., 8.8.8.8, or press Enter for default): " DNS_SERVER

if [ -z "$TARGET_DOMAIN" ]; then
    echo "Error: No domain specified"
    exit 1
fi

# The domain is passed to nslookup and used in the output file name, so accept
# only hostname characters; a leading "-" would be read as an nslookup option
if [[ ! "$TARGET_DOMAIN" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
    echo "Error: Invalid domain name"
    exit 1
fi

# Set default DNS server if none provided
if [ -z "$DNS_SERVER" ]; then
    DNS_SERVER="8.8.8.8"
fi

# Same check for the DNS server (hostname, IPv4 or IPv6 literal)
if [[ ! "$DNS_SERVER" =~ ^[A-Za-z0-9][A-Za-z0-9.:-]*$ ]]; then
    echo "Error: Invalid DNS server"
    exit 1
fi

echo "Target domain: $TARGET_DOMAIN"
echo "DNS server: $DNS_SERVER"
echo

# Output file
OUTPUT_FILE="nslookup_enumeration_${TARGET_DOMAIN}.txt"

# Initialize output file with header
cat > "$OUTPUT_FILE" << EOF
=================================================================
NSLOOKUP DNS ENUMERATION REPORT
=================================================================
Target Domain: $TARGET_DOMAIN
DNS Server: $DNS_SERVER
Date: $(date)
=================================================================

EOF

echo "Starting nslookup enumeration..."
echo "Results will be displayed and saved to: $OUTPUT_FILE"
echo

# Function to perform nslookup and display/save results
# $1 = record type label, $2 = section heading, $3 = value for nslookup -type=
perform_lookup() {
    local record_type=$1
    local description=$2
    local nslookup_option=$3

    echo "=== $description ===" | tee -a "$OUTPUT_FILE"
    echo "" | tee -a "$OUTPUT_FILE"

    if [ -z "$nslookup_option" ]; then
        # Standard lookup
        nslookup "$TARGET_DOMAIN" "$DNS_SERVER" | tee -a "$OUTPUT_FILE"
    else
        # Lookup with specific record type
        nslookup -type="$nslookup_option" "$TARGET_DOMAIN" "$DNS_SERVER" | tee -a "$OUTPUT_FILE"
    fi

    echo "" | tee -a "$OUTPUT_FILE"
    echo "----------------------------------------" | tee -a "$OUTPUT_FILE"
    echo "" | tee -a "$OUTPUT_FILE"
}

# Array to store IPv4 addresses for reverse lookup
IPV4_ADDRESSES=()

# 1. IPv4 Address (A records)
echo "1. Querying IPv4 addresses..."
perform_lookup "A" "1. IPv4 ADDRESSES (A RECORDS)" "A"

# Extract IPv4 addresses for later reverse lookup
# (the "#53" line is the resolver's own address, not an answer)
mapfile -t IPV4_ADDRESSES < <(nslookup -type=A "$TARGET_DOMAIN" "$DNS_SERVER" 2>/dev/null | grep "Address:" | grep -v "#53" | awk '{print $2}')

# 2. IPv6 Address (AAAA records)
echo "2. Querying IPv6 addresses..."
perform_lookup "AAAA" "2. IPv6 ADDRESSES (AAAA RECORDS)" "AAAA"

# 3. Mail Servers (MX records)
echo "3. Querying mail servers..."
perform_lookup "MX" "3. MAIL SERVERS (MX RECORDS)" "MX"

# 4. Name Servers (NS records)
echo "4. Querying name servers..."
perform_lookup "NS" "4. NAME SERVERS (NS RECORDS)" "NS"

# 5. Start of Authority (SOA records)
echo "5. Querying SOA records..."
perform_lookup "SOA" "5. START OF AUTHORITY (SOA RECORDS)" "SOA"

# 6. Canonical Name (CNAME records)
echo "6. Querying CNAME records..."
perform_lookup "CNAME" "6. CANONICAL NAME (CNAME RECORDS)" "CNAME"

# 7. TXT records
echo "7. Querying TXT records..."
perform_lookup "TXT" "7. TEXT (TXT RECORDS)" "TXT"

# 8. Reverse lookup of IPv4 addresses
echo "8. Performing reverse lookups..."
echo "=== 8. REVERSE LOOKUP OF IPv4 ADDRESSES ===" | tee -a "$OUTPUT_FILE"
echo "" | tee -a "$OUTPUT_FILE"

if [ ${#IPV4_ADDRESSES[@]} -eq 0 ]; then
    echo "No IPv4 addresses found for reverse lookup" | tee -a "$OUTPUT_FILE"
else
    for ip in "${IPV4_ADDRESSES[@]}"; do
        echo "Reverse lookup for: $ip" | tee -a "$OUTPUT_FILE"
        echo "----------------------------" | tee -a "$OUTPUT_FILE"
        nslookup "$ip" "$DNS_SERVER" | tee -a "$OUTPUT_FILE"
        echo "" | tee -a "$OUTPUT_FILE"
    done
fi

echo "----------------------------------------" | tee -a "$OUTPUT_FILE"
echo "" | tee -a "$OUTPUT_FILE"

# Additional comprehensive lookup
echo "9. Performing comprehensive ANY query..."
echo "=== 9. COMPREHENSIVE QUERY (ANY RECORDS) ===" | tee -a "$OUTPUT_FILE"
echo "" | tee -a "$OUTPUT_FILE"
nslookup -type=ANY "$TARGET_DOMAIN" "$DNS_SERVER" | tee -a "$OUTPUT_FILE"
echo "" | tee -a "$OUTPUT_FILE"

# Add completion timestamp
echo "========================================" | tee -a "$OUTPUT_FILE"
echo "ENUMERATION COMPLETED: $(date)" | tee -a "$OUTPUT_FILE"
echo "========================================" | tee -a "$OUTPUT_FILE"

echo ""
echo "=== Enumeration Summary ==="
echo "Target Domain: $TARGET_DOMAIN"
echo "DNS Server Used: $DNS_SERVER"
echo "Output File: $OUTPUT_FILE"
echo ""
echo "Records Queried:"
echo " 1. IPv4 Addresses (A records)"
echo " 2. IPv6 Addresses (AAAA records)"
echo " 3. Mail Servers (MX records)"
echo " 4. Name Servers (NS records)"
echo " 5. Start of Authority (SOA records)"
echo " 6. Canonical Names (CNAME records)"
echo " 7. Text Records (TXT records)"
echo " 8. Reverse Lookups of discovered IPv4 addresses"
echo " 9. Comprehensive ANY query"
echo ""
echo "Check the output file '$OUTPUT_FILE' for complete results."

# Display file size and line count
if [ -f "$OUTPUT_FILE" ]; then
    echo "Output file statistics:"
    echo " Size: $(du -h "$OUTPUT_FILE" | cut -f1)"
    echo " Lines: $(wc -l < "$OUTPUT_FILE")"
fi
```

##### **Explanation:**

- The script queries all required DNS record types and performs reverse lookups for found IPv4 addresses, outputting results to both the terminal and a file, with clear section headers.

#### Script Output:

```output
=== NSLookup DNS Enumeration Tool ===
This script performs detailed DNS enumeration using nslookup

Enter the target domain (e.g., example.com): sheridancollege.ca
Enter DNS server to use (e.g., 8.8.8.8, or press Enter for default): 1.1.1.1
Target domain: sheridancollege.ca
DNS server: 1.1.1.1

Starting nslookup enumeration...
Results will be displayed and saved to: nslookup_enumeration_sheridancollege.ca.txt

1. Querying IPv4 addresses...
=== 1. IPv4 ADDRESSES (A RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: sheridancollege.ca
Address: 142.55.7.49

----------------------------------------

2. Querying IPv6 addresses...
=== 2. IPv6 ADDRESSES (AAAA RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
*** Can't find sheridancollege.ca: No answer

----------------------------------------

3. Querying mail servers...
=== 3. MAIL SERVERS (MX RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca mail exchanger = 0 sheridancollege-ca.mail.protection.outlook.com.

Authoritative answers can be found from:

----------------------------------------

4. Querying name servers...
=== 4. NAME SERVERS (NS RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca nameserver = ns1.sheridanc.on.ca.
sheridancollege.ca nameserver = ns2.sheridanc.on.ca.
sheridancollege.ca nameserver = ns3.sheridanc.on.ca.
sheridancollege.ca nameserver = ns4.sheridanc.on.ca.

Authoritative answers can be found from:

----------------------------------------

5. Querying SOA records...
=== 5. START OF AUTHORITY (SOA RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca
        origin = ns.sheridanc.on.ca
        mail addr = hostmaster.sheridanc.on.ca
        serial = 2025030520
        refresh = 1200
        retry = 180
        expire = 1209600
        minimum = 600

Authoritative answers can be found from:

----------------------------------------

6. Querying CNAME records...
=== 6. CANONICAL NAME (CNAME RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
*** Can't find sheridancollege.ca: No answer

Authoritative answers can be found from:
sheridancollege.ca
        origin = ns.sheridanc.on.ca
        mail addr = hostmaster.sheridanc.on.ca
        serial = 2025030520
        refresh = 1200
        retry = 180
        expire = 1209600
        minimum = 600

----------------------------------------

7. Querying TXT records...
=== 7. TEXT (TXT RECORDS) ===

;; Truncated, retrying in TCP mode.
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca text = "e2ma-verification=6vubb"
sheridancollege.ca text = "google-site-verification=j2geEyCJ5f6mU7N8B5OPV0K1Ghp0rQLwmAC3qRx74Z4"
sheridancollege.ca text = "e2ma-verification=04veb"
sheridancollege.ca text = "identrust_validation=zHyyPUcte4m3nVYeMavXEKQ3LKR4D1O7U+41N/F+7y7Q"
sheridancollege.ca text = "sUgpyCqIjQ3eVG8P4M68Cwe1hbj9cOEHAuzRqnIZkZMuiX7WM4nA4kPFAwK7ToCXE0mIYOM37Dk9XTpeZ6bHNA=="
sheridancollege.ca text = "v=spf1 ip4:142.55.2.0/24 ip4:142.55.5.0/24 ip4:142.55.45.0/24 ip4:149.72.146.149 ip4:67.210.216.7 ip4:65.39.192.50 ip4:139.60.0.0/24 ip4:139.60.1.0/24 ip4:139.60.2.0/24 ip4:139.60.3.0/24 ip4:176.31.145.254 ip4:72.0.210.56 ip4:40.92.0.0/15 " "ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 ip4:3.93.92.113 ip4:3.95.92.33 include:spf1.sheridancollege.ca ~all"
sheridancollege.ca text = "e2ma-verification=pmybb"
sheridancollege.ca text = "e2ma-verification=9wwcb"
sheridancollege.ca text = "e2ma-verification=euobb"
sheridancollege.ca text = "e2ma-verification=4qobb"
sheridancollege.ca text = "ecostruxure-it-verification=8a7c3ebd-07d2-47ce-8eb7-166e475095e4"
sheridancollege.ca text = "e2ma-verification=f2ifb"
sheridancollege.ca text = "e2ma-verification=95lgb"
sheridancollege.ca text = "google-site-verification=MP_q3Squ81wIteMQLC0ji0kuJNJ-2DG2y3FDwb4Xoak"
sheridancollege.ca text = "e2ma-verification=fywbb"
sheridancollege.ca text = "apple-domain-verification=45CvQSshYcjK4uc0"
sheridancollege.ca text = "ZOOM_verify_y327IoFTGfExkcYkHQiTCb"
sheridancollege.ca text = "e2ma-verification=2z2cb"
sheridancollege.ca text = "e2ma-verification=qawbb"
sheridancollege.ca text = "facebook-domain-verification=vfmoajv8i8gnytv56kfp20jncepzdo"
sheridancollege.ca text = "e2ma-verification=axwcb"
sheridancollege.ca text = "e2ma-verification=enybb"
sheridancollege.ca text = "facebook-domain-verification=exj1tu0vn6xyxfoek9cddx52zd5mcu"
sheridancollege.ca text = "e2ma-verification=kurcb"
sheridancollege.ca text = "e2ma-verification=jzzcb"
sheridancollege.ca text = "e2ma-verification=6yogb"
sheridancollege.ca text = "identrust_validate=QQg0M1pJ7U6KAv+w+uCNOcp0gPIknvX+gCvjhpqcfXk5"
sheridancollege.ca text = "e2ma-verification=guobb"
sheridancollege.ca text = "e2ma-verification=1n2eb"
sheridancollege.ca text = "adobe-idp-site-verification=40cadffa-cefa-46cd-be47-a0b942ced03d"

Authoritative answers can be found from:

----------------------------------------

8. Performing reverse lookups...
=== 8. REVERSE LOOKUP OF IPv4 ADDRESSES ===

Reverse lookup for: 142.55.7.49
----------------------------
49.7.55.142.in-addr.arpa name = sso-url-traf-prod.sheridanc.on.ca.

Authoritative answers can be found from:

----------------------------------------

9. Performing comprehensive ANY query...
=== 9. COMPREHENSIVE QUERY (ANY RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

** server can't find sheridancollege.ca: NOTIMP

========================================
ENUMERATION COMPLETED: Sun May 25 10:38:01 PM EDT 2025
========================================

=== Enumeration Summary ===
Target Domain: sheridancollege.ca
DNS Server Used: 1.1.1.1
Output File: nslookup_enumeration_sheridancollege.ca.txt

Records Queried:
 1. IPv4 Addresses (A records)
 2. IPv6 Addresses (AAAA records)
 3. Mail Servers (MX records)
 4. Name Servers (NS records)
 5. Start of Authority (SOA records)
 6. Canonical Names (CNAME records)
 7. Text Records (TXT records)
 8. Reverse Lookups of discovered IPv4 addresses
 9. Comprehensive ANY query

Check the output file 'nslookup_enumeration_sheridancollege.ca.txt' for complete results.
Output file statistics:
 Size: 8.0K
 Lines: 166
```

##### Script File Output:

![[image-338.png]]

```output
> cat nslookup_enumeration_sheridancollege.ca.txt
=================================================================
NSLOOKUP DNS ENUMERATION REPORT
=================================================================
Target Domain: sheridancollege.ca
DNS Server: 1.1.1.1
Date: Sun May 25 10:38:01 PM EDT 2025
=================================================================

=== 1. IPv4 ADDRESSES (A RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: sheridancollege.ca
Address: 142.55.7.49

----------------------------------------

=== 2. IPv6 ADDRESSES (AAAA RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
*** Can't find sheridancollege.ca: No answer

----------------------------------------

=== 3. MAIL SERVERS (MX RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca mail exchanger = 0 sheridancollege-ca.mail.protection.outlook.com.

Authoritative answers can be found from:

----------------------------------------

=== 4. NAME SERVERS (NS RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca nameserver = ns1.sheridanc.on.ca.
sheridancollege.ca nameserver = ns2.sheridanc.on.ca.
sheridancollege.ca nameserver = ns3.sheridanc.on.ca.
sheridancollege.ca nameserver = ns4.sheridanc.on.ca.

Authoritative answers can be found from:

----------------------------------------

=== 5. START OF AUTHORITY (SOA RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca
        origin = ns.sheridanc.on.ca
        mail addr = hostmaster.sheridanc.on.ca
        serial = 2025030520
        refresh = 1200
        retry = 180
        expire = 1209600
        minimum = 600

Authoritative answers can be found from:

----------------------------------------

=== 6. CANONICAL NAME (CNAME RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
*** Can't find sheridancollege.ca: No answer

Authoritative answers can be found from:
sheridancollege.ca
        origin = ns.sheridanc.on.ca
        mail addr = hostmaster.sheridanc.on.ca
        serial = 2025030520
        refresh = 1200
        retry = 180
        expire = 1209600
        minimum = 600

----------------------------------------

=== 7. TEXT (TXT RECORDS) ===

;; Truncated, retrying in TCP mode.
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
sheridancollege.ca text = "e2ma-verification=6vubb"
sheridancollege.ca text = "google-site-verification=j2geEyCJ5f6mU7N8B5OPV0K1Ghp0rQLwmAC3qRx74Z4"
sheridancollege.ca text = "e2ma-verification=04veb"
sheridancollege.ca text = "identrust_validation=zHyyPUcte4m3nVYeMavXEKQ3LKR4D1O7U+41N/F+7y7Q"
sheridancollege.ca text = "sUgpyCqIjQ3eVG8P4M68Cwe1hbj9cOEHAuzRqnIZkZMuiX7WM4nA4kPFAwK7ToCXE0mIYOM37Dk9XTpeZ6bHNA=="
sheridancollege.ca text = "v=spf1 ip4:142.55.2.0/24 ip4:142.55.5.0/24 ip4:142.55.45.0/24 ip4:149.72.146.149 ip4:67.210.216.7 ip4:65.39.192.50 ip4:139.60.0.0/24 ip4:139.60.1.0/24 ip4:139.60.2.0/24 ip4:139.60.3.0/24 ip4:176.31.145.254 ip4:72.0.210.56 ip4:40.92.0.0/15 " "ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/51 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 ip4:3.93.92.113 ip4:3.95.92.33 include:spf1.sheridancollege.ca ~all"
sheridancollege.ca text = "e2ma-verification=pmybb"
sheridancollege.ca text = "e2ma-verification=9wwcb"
sheridancollege.ca text = "e2ma-verification=euobb"
sheridancollege.ca text = "e2ma-verification=4qobb"
sheridancollege.ca text = "ecostruxure-it-verification=8a7c3ebd-07d2-47ce-8eb7-166e475095e4"
sheridancollege.ca text = "e2ma-verification=f2ifb"
sheridancollege.ca text = "e2ma-verification=95lgb"
sheridancollege.ca text = "google-site-verification=MP_q3Squ81wIteMQLC0ji0kuJNJ-2DG2y3FDwb4Xoak"
sheridancollege.ca text = "e2ma-verification=fywbb"
sheridancollege.ca text = "apple-domain-verification=45CvQSshYcjK4uc0"
sheridancollege.ca text = "ZOOM_verify_y327IoFTGfExkcYkHQiTCb"
sheridancollege.ca text = "e2ma-verification=2z2cb"
sheridancollege.ca text = "e2ma-verification=qawbb"
sheridancollege.ca text = "facebook-domain-verification=vfmoajv8i8gnytv56kfp20jncepzdo"
sheridancollege.ca text = "e2ma-verification=axwcb"
sheridancollege.ca text = "e2ma-verification=enybb"
sheridancollege.ca text = "facebook-domain-verification=exj1tu0vn6xyxfoek9cddx52zd5mcu"
sheridancollege.ca text = "e2ma-verification=kurcb"
sheridancollege.ca text = "e2ma-verification=jzzcb"
sheridancollege.ca text = "e2ma-verification=6yogb"
sheridancollege.ca text = "identrust_validate=QQg0M1pJ7U6KAv+w+uCNOcp0gPIknvX+gCvjhpqcfXk5"
sheridancollege.ca text = "e2ma-verification=guobb"
sheridancollege.ca text = "e2ma-verification=1n2eb"
sheridancollege.ca text = "adobe-idp-site-verification=40cadffa-cefa-46cd-be47-a0b942ced03d"

Authoritative answers can be found from:

----------------------------------------

=== 8. REVERSE LOOKUP OF IPv4 ADDRESSES ===

Reverse lookup for: 142.55.7.49
----------------------------
49.7.55.142.in-addr.arpa name = sso-url-traf-prod.sheridanc.on.ca.

Authoritative answers can be found from:

----------------------------------------

=== 9. COMPREHENSIVE QUERY (ANY RECORDS) ===

Server: 1.1.1.1
Address: 1.1.1.1#53

** server can't find sheridancollege.ca: NOTIMP

========================================
ENUMERATION COMPLETED: Sun May 25 10:38:01 PM EDT 2025
========================================
```