
DNS Enumeration for Pentesters: A Practical Walkthrough

DEV Community·Naveen Karasu·about 1 month ago

Day 5/60. DNS enumeration is the first thing I do on every penetration test.

Quick Wins with Record Analysis

Before running any tools, query specific record types:

```bash
# SRV records reveal services like LDAP/Kerberos
dig _ldap._tcp.target.com SRV +short
dig _kerberos._tcp.target.com SRV +short

# AAAA records -- often less firewalled than IPv4
dig target.com AAAA +short
```

SRV records confirm Active Directory environments and reveal domain controller hostnames. AAAA records expose IPv6 services that may lack the firewall rules applied to IPv4.

Amass for Full Enumeration

```bash
# Passive -- zero contact with target
amass enum -passive -d target.com -o results.txt

# Find related domains by organization name
amass intel -org "Target Corp"
```

The intel module discovers domains via WHOIS and ASN data. On one engagement it found three domains the client forgot to include in scope.…
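An added example, not part of the original post: triaging a `results.txt`-style hostname list against the engagement's written scope, so names outside it are held for client confirmation instead of being tested. The function names, the scope apex and the sample hostnames are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: scope triage for a results.txt-style hostname list.
# The scope apex and the sample hostnames below are constructed.

# Lowercase, trim whitespace (including CR), drop the trailing root dot.
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//'
}

# in_scope HOST APEX...: succeed if HOST is an apex or a subdomain of one.
# Matching on a label boundary keeps "nottarget.com" and
# "target.com.cdn.example.net" from passing as "target.com".
in_scope() {
  local host apex
  host=$(normalize "$1"); shift
  for apex in "$@"; do
    apex=$(normalize "$apex")
    case "$host" in
      "$apex"|*."$apex") return 0 ;;
    esac
  done
  return 1
}

# triage APEX...: read hostnames on stdin, print "IN <host>" or "REVIEW <host>".
triage() {
  local line host
  while IFS= read -r line || [ -n "$line" ]; do
    host=$(normalize "$line")
    if [ -z "$host" ]; then continue; fi
    if in_scope "$host" "$@"; then echo "IN $host"; else echo "REVIEW $host"; fi
  done | sort -u
}

# Constructed stand-in for results.txt.
sample() {
  cat <<'EOF'
www.target.com
VPN.Target.com.
nottarget.com
target.com.cdn.example.net
mail.target-corp.example
EOF
}

sample | triage target.com
```

Lines marked `REVIEW` are names to confirm with the client in writing before any active testing touches them.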
