Finding IP addresses in a Network

ismail kaleem
1 min read, Apr 26, 2022

When you land on a huge network with several VLANs and are unsure of where to look or start!

# install
git clone https://github.com/dirkjanm/adidnsdump
cd adidnsdump
sudo pip3 install .
# NOTE: HOSTNAME is the domain controller which is running the DNS service
# list the zones
adidnsdump -u domain\\username -p <password> --print-zones <HOSTNAME>
# getting all DNS records
# if the following command runs successfully it'll create a records.csv file in the current directory
adidnsdump -u domain\\username -p <password> <HOSTNAME>
# getting LEGACY zone records
# if the zones include a legacy zone you can run the following command to get LEGACY records
adidnsdump -u domain\\username -p <password> --legacy <HOSTNAME>
# getting FOREST zone records
adidnsdump -u domain\\username -p <password> --forest <HOSTNAME>

Once you have the DNS records it becomes easier to look through the important hostnames and identify the IP subnets they are on.
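As an added example (not part of the original post), the following script reads the records.csv that adidnsdump writes and groups the A records by /24, so a defender can see at a glance which address ranges any authenticated domain user can enumerate from AD-integrated DNS. It assumes the CSV uses the columns type,name,value; the sample rows embedded below are constructed, not real hosts.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the records.csv layout written by adidnsdump
# (assumed columns: type,name,value). These are not real hosts.
SAMPLE_CSV = """type,name,value
A,dc01,10.10.1.5
A,fileserver,10.10.1.20
A,web01,10.10.2.10
A,web02,10.10.2.11
CNAME,intranet,web01.corp.local
A,broken,not-an-ip
A,printer,10.10.2.40
"""

def load_a_records(csv_text):
    """Return (hostname, IPv4Address) pairs for valid A records only."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("type", "").upper() != "A":
            continue  # CNAME/SRV/etc. carry no address of their own
        try:
            ip = ipaddress.IPv4Address(row["value"].strip())
        except ipaddress.AddressValueError:
            continue  # skip malformed values rather than abort the whole run
        records.append((row["name"], ip))
    return records

def group_by_subnet(records, prefix=24):
    """Map each /prefix network to the sorted hostnames found inside it."""
    groups = defaultdict(list)
    for name, ip in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[net].append(name)
    return {net: sorted(hosts) for net, hosts in groups.items()}

def summarize(csv_text, prefix=24):
    """Return [(network_str, host_count)], busiest subnet first."""
    groups = group_by_subnet(load_a_records(csv_text), prefix)
    return sorted(((str(n), len(h)) for n, h in groups.items()),
                  key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for net, count in summarize(SAMPLE_CSV):
        print(f"{net:<18} {count} hosts")
```

Point it at the real file with `summarize(open("records.csv").read())`; the /24 grouping is a starting point, and `prefix` can be widened to match the site's actual VLAN layout.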

# once you have the list of hosts save them and run
cat hosts.txt | httpx -silent -threads 10 | xargs -I@ sh -c 'ffuf -w /root/SecLists/Discovery/Web-Content/big.txt -u @/FUZZ -mc 200 -H "Content-Type: application/json" -t 150 -H "X-Forwarded-For:127.0.0.1"'
# You need to add X-Forwarded-For to bypass 401 and 403, but this only works for old hosts. Try HTTP smuggling if you want to bypass 401/403 on new hosts
# change -mc 200 to -mc all if you want to see all responses