How to do it...

We will be using zonetransfer.me as our target domain name. The domain zonetransfer.me has been created by Robin Wood, from DigiNinja (https://digi.ninja/projects/zonetransferme.php), to illustrate the risks of allowing public DNS zone transfers:

  1. We first use whois on the domain name to get the registration information about it (registrar, registration and expiry dates, and the nameservers of record). Let's try it on zonetransfer.me:
# whois zonetransfer.me
  2. Another tool used to get information about the domain name and DNS resolution is dig. We can, for example, query the nameservers for the target domain:
# dig ns zonetransfer.me
  3. Once we know the authoritative DNS servers, we can attempt a zone transfer (AXFR) against one of them. If the server allows it, it hands us every record in the zone, and with it all the hostnames it resolves. For this we use dig again:
# dig axfr @nsztm1.digi.ninja zonetransfer.me

Luckily for us, the server permits the transfer and returns the complete zone: every subdomain and the host each one resolves to. Records like these often point at low-hanging fruit, such as staging hosts, internal addresses, or forgotten services, that we can follow up on later:

  4. We now use theharvester to identify email addresses, hostnames, and IP addresses related to the target domain:
# theharvester -b all -d zonetransfer.me
  5. For each web server in scope, we want to know what software and which versions it uses; a way of doing this without directly querying the server is through Netcraft. Browse to https://toolbar.netcraft.com/site_report and enter the URL in the search box:
  6. Also, sometimes it may be useful to know what the site looked like before the last update; maybe it had some valuable information that was later removed. To get a static copy of a previous version of our targets, we can use the Wayback Machine from https://archive.org/web/web.php:
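The zone-transfer steps above (query the nameservers, then attempt AXFR against each of them) produce a lot of text that is tedious to read by hand. The following script is an added example for this recipe, not code from the book or from DigiNinja: it parses the output format dig uses for AXFR, lists the hostnames the zone exposes, flags any records that leak RFC 1918 (internal) addresses, and can drive dig itself against every nameserver of a domain. The zone content embedded below is a constructed sample using documentation IP ranges, not the real zonetransfer.me zone, so the script runs offline; the refused-transfer check relies on the "; Transfer failed." line that dig prints when a server denies AXFR.

```python
#!/usr/bin/env python3
"""Triage a DNS zone transfer (dig AXFR) dump.

Added example for this recipe (not the book's code). Parses the text that
`dig axfr @<ns> <domain>` prints, collects exposed hostnames, and flags
records pointing at RFC 1918 addresses. SAMPLE_AXFR is CONSTRUCTED data
in documentation IP ranges, not the real zonetransfer.me zone.
"""
import ipaddress
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample in dig's AXFR output layout: tab-separated
# name, TTL, class, type, rdata; lines starting with ';' are comments.
# AXFR repeats the SOA as the final record, as dig shows it.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> axfr @nsztm1.digi.ninja zonetransfer.me
;; global options: +cmd
zonetransfer.me.\t7200\tIN\tSOA\tnsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.\t7200\tIN\tNS\tnsztm1.digi.ninja.
zonetransfer.me.\t7200\tIN\tNS\tnsztm2.digi.ninja.
zonetransfer.me.\t7200\tIN\tMX\t0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.\t300\tIN\tTXT\t"google-site-verification=example"
www.zonetransfer.me.\t7200\tIN\tA\t203.0.113.14
staging.zonetransfer.me.\t300\tIN\tCNAME\twww.zonetransfer.me.
intranet.zonetransfer.me.\t300\tIN\tA\t10.0.1.25
vpn.zonetransfer.me.\t300\tIN\tAAAA\t2001:db8::42
zonetransfer.me.\t7200\tIN\tSOA\tnsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; Query time: 30 msec
;; XFR size: 10 records
"""

# Private (internal) ranges: RFC 1918 for IPv4, RFC 4193 ULA for IPv6.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass(frozen=True)
class Record:
    name: str    # owner name, lower-cased, trailing dot removed
    ttl: int
    rtype: str   # A, AAAA, CNAME, MX, NS, SOA, TXT, ...
    rdata: str   # remainder of the line, untouched


def parse_axfr(text: str) -> list[Record]:
    """Turn dig AXFR output into unique records (the closing SOA is dropped)."""
    records: list[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        rec = Record(name.rstrip(".").lower(), int(ttl), rtype, rdata)
        if rec not in records:
            records.append(rec)
    return records


def transfer_succeeded(text: str) -> bool:
    """A denied AXFR prints '; Transfer failed.' and carries no SOA."""
    if "Transfer failed." in text:
        return False
    return any(r.rtype == "SOA" for r in parse_axfr(text))


def hostnames(records: list[Record]) -> list[str]:
    """Hostnames the zone exposes (owners of A/AAAA/CNAME records)."""
    return sorted({r.name for r in records if r.rtype in ("A", "AAAA", "CNAME")})


def internal_leaks(records: list[Record]) -> dict[str, str]:
    """Map hostname -> address for A/AAAA records in private ranges."""
    leaks = {}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(r.rdata)
            if any(addr in net for net in PRIVATE_NETS):
                leaks[r.name] = r.rdata
    return leaks


def dig(*args: str) -> str:
    """Run dig with the given arguments and return stdout (needs network)."""
    return subprocess.run(["dig", *args], capture_output=True, text=True,
                          timeout=30).stdout


def axfr_all_nameservers(domain: str) -> dict[str, list[Record]]:
    """Try AXFR against every NS of the domain; empty list means refused."""
    results = {}
    for ns in (l.strip().rstrip(".") for l in dig("+short", "ns", domain).splitlines() if l.strip()):
        out = dig("axfr", f"@{ns}", domain)
        results[ns] = parse_axfr(out) if transfer_succeeded(out) else []
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # live run: python3 axfr_triage.py zonetransfer.me
        zones = axfr_all_nameservers(sys.argv[1])
    else:                                    # offline demo on the constructed sample
        zones = {"nsztm1.digi.ninja": parse_axfr(SAMPLE_AXFR)}
    for ns, recs in zones.items():
        print(f"== {ns}: {'transfer allowed' if recs else 'transfer refused'}")
        for host in hostnames(recs):
            print("  host:", host)
        for host, ip in internal_leaks(recs).items():
            print("  INTERNAL ADDRESS LEAKED:", host, "->", ip)
```

Run it without arguments to see the parse of the constructed sample; pass a domain to have it query every nameserver dig returns, which is the check worth doing in practice since one secondary server is often misconfigured even when the primary refuses AXFR. Anything flagged as an internal address is a finding on its own: it tells you the zone also serves the organisation's private network.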