Hacker News

miki123211 today at 12:17 PM

The PTR record enumeration trick is often fun to try on hotel and other public networks.

The problem here is that many places segment their guest network away from the internal one, but they use the same DNS server for both, so guests can still resolve internal hostnames and perform rev DNS queries.

I usually like to run a traceroute or two (to some arbitrary external IP like 1.1.1.1 or 8.8.8.8) whenever I connect to a new network. As traceroute does rev dns by default, if you see the internal hostname for your default gateway (and possibly other hosts in between you and the wider internet), those IPs are likely good starting points for your rev DNS shenanigans.


Replies

varenc today at 3:57 PM

I also love PTR record enumeration using broadcast mDNS/Bonjour. Instead of relying on a central server, you send out the same sort of DNS query but as a broadcast packet:

    dig -x 192.168.1.1 @224.0.0.251 -p 5353

This gets you the .local address of a device. Of course, fewer things support mDNS. But it will often come up with interesting details. On Apple devices, you can also retrieve the model number via mDNS.
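Both comments above describe the same packet: a DNS PTR query for the `in-addr.arpa` name of an address, sent either to the network's resolver on port 53 or multicast to the mDNS group on port 5353. The following is an added example (not code from either commenter) that builds that query at the wire level, parses the PTR answers that come back, and can send it either way; it is useful for auditing whether a guest-facing resolver or your own LAN devices answer reverse lookups for internal ranges. The sample response bytes are constructed here, not captured from a real device, and the hostname `router.local` in them is a placeholder.

```python
"""PTR (reverse DNS) query and answer handling at the DNS wire level.

The same packet is what `dig -x 192.168.1.1 @<resolver>` sends to a unicast
resolver and what `dig -x 192.168.1.1 @224.0.0.251 -p 5353` multicasts to mDNS.
"""
from __future__ import annotations

import ipaddress
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # mDNS/Bonjour multicast group (RFC 6762)
MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1


def reverse_name(ip: str) -> str:
    """192.168.1.1 -> '1.1.168.192.in-addr.arpa' (IPv6 addresses map to ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(ip: str, txid: int = 0) -> bytes:
    """Header (id, flags=0 = standard query, QDCOUNT=1) followed by one PTR question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(reverse_name(ip)) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    return header + question


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_ptr_answers(msg: bytes) -> list[str]:
    """Return the target hostname of every PTR record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    targets = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:  # mDNS sets the class cache-flush bit; class is ignored here
            target, _ = decode_name(msg, offset)
            targets.append(target)
        offset += rdlen
    return targets


def send_ptr_query(ip: str, server: str = MDNS_GROUP, port: int = MDNS_PORT,
                   timeout: float = 2.0) -> list[str]:
    """Send the query over UDP and collect PTR answers until the socket times out.

    Defaults to the mDNS group (multiple devices may answer); pass a resolver
    address and port 53 for an ordinary unicast reverse lookup. Needs a network.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the LAN
    names: list[str] = []
    try:
        sock.sendto(build_ptr_query(ip), (server, port))
        while True:
            data, _peer = sock.recvfrom(4096)
            names.extend(parse_ptr_answers(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return names


def build_sample_response() -> bytes:
    """Constructed mDNS-style answer for 192.168.1.1 (placeholder name router.local)."""
    qname = encode_name(reverse_name("192.168.1.1"))
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 0)  # response, AA, 1 Q, 1 answer
    question = qname + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    rdata = encode_name("router.local")
    # 0xC00C: compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, 0x8001, 120, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(reverse_name("192.168.1.1"))
    print(parse_ptr_answers(build_sample_response()))
```

Because the query leaves from an ephemeral port rather than 5353, mDNS responders treat it as a legacy unicast query and reply directly to the sender, which is why `dig` works for this without joining the multicast group. From the defender's side, running `send_ptr_query(<gateway>, server=<guest-network resolver>, port=53)` from the guest VLAN is a quick check of whether that resolver hands out internal hostnames to guests.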