Given the volume of data I'm uncovering related to enumeration, I wanted to spend a bit more time talking about it. In this post we'll focus on enumerating DNS.
DNS, or the Domain Name System, is really in place for us humans. Computers work much better with numbers and we humans do much better with words, so we need a translator.
With that said, there is a wealth of knowledge to be gleaned from DNS. Here are a few techniques and tools I've been playing with that I thought you would enjoy too.
Although not a very relevant attack today, one easy vector was to do a DNS zone transfer. A zone transfer is legitimately used to replicate DNS records from one DNS server to another. However legitimate its purpose, if misconfigured it can be abused.
You can test to see if anonymous zone transfers are allowed by using the following command in BackTrack 5R2: host -al domain_name.com (where domain_name.com is the target domain you are trying to transfer).
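The same check, written out as an added example (not from the original post) so you can see what the host command is actually doing on the wire: a standard-library-only Python script that opens a TCP connection to one of your own authoritative servers, sends a single AXFR question for the zone, and classifies the server's answer from the response header (REFUSED or NOTAUTH means the server is locked down; NOERROR with answer records means anyone can pull the zone). Everything here is constructed for illustration; the nameserver address, zone name and transaction id are assumptions, and only the header is inspected, which is enough to tell whether the transfer was permitted without parsing every record.

```python
"""Minimal AXFR check using only the Python standard library (added example)."""
import socket
import struct
import sys

QTYPE_AXFR = 252   # RR type number for a full zone transfer request
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Header (id, flags=0 i.e. plain query, 1 question) followed by the AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Pull id, response code and answer count out of a 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": an}


def classify_axfr(msg: bytes, expected_id: int) -> str:
    """Turn the first response message into a verdict a defender can act on."""
    hdr = parse_header(msg)
    if hdr["id"] != expected_id:
        return "mismatched-id"
    if hdr["rcode"] == 0 and hdr["answers"] > 0:
        return "transfer-allowed"      # server started sending the zone (first RR is the SOA)
    if hdr["rcode"] == 0:
        return "empty"
    return hdr["rcode_name"]           # REFUSED / NOTAUTH etc.: transfer denied


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_axfr(nameserver: str, zone: str, timeout: float = 5.0, txid: int = 0x1234) -> str:
    """AXFR runs over TCP; each message is prefixed with a 2-byte length."""
    query = build_axfr_query(zone, txid)
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        msg = recv_exact(s, length)
    return classify_axfr(msg, txid)


if __name__ == "__main__":
    # Usage: python axfr_check.py <nameserver-ip> <zone>  (assumed placeholder arguments)
    print(probe_axfr(sys.argv[1], sys.argv[2]))
```

Run it against each authoritative server for your own zone (the NS records from host or dig), not just the primary: secondaries are the ones most often left open because the replication ACL was only ever written on the master.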
One tool I've used to enumerate DNS information is dnsmap. Dnsmap lets you automate the mining process by searching for a predefined list of subdomains (of course you are free to add your own).
To do this on BackTrack 5R2, execute:
/pentest/enumeration/dns/dnsmap/dnsmap domain_name.com (where domain_name.com is the target you are trying to mine). The output is clean and well organized for viewing on a screen (a bit clunky for scripting against, I would think).
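To show what a wordlist-driven tool like dnsmap is doing underneath, here is an added example (my own code, not dnsmap's) that resolves each candidate name against your own domain and returns a dictionary that is easy to script against. The resolver is injectable so the logic can be exercised offline; the word list and the domain are constructed placeholders. It also handles the edge case that trips up naive scripts: a zone with a wildcard record answers every guess, so a random label is resolved first and any name that only returns the wildcard addresses is discarded.

```python
"""Wordlist subdomain inventory with wildcard filtering (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

# Constructed tiny list; a real run would load a file like dnsmap's wordlist.
DEFAULT_WORDS = ["www", "mail", "ns1", "dev", "vpn"]

Resolver = Callable[[str], List[str]]


def default_resolver(hostname: str) -> List[str]:
    """Return the IPv4 addresses for hostname, or [] if it does not resolve."""
    try:
        _name, _aliases, addrs = socket.gethostbyname_ex(hostname)
        return sorted(set(addrs))
    except (socket.gaierror, socket.herror):
        return []


def wildcard_addresses(domain: str, resolver: Resolver,
                       probe_label: str = "zz-wildcard-probe-7f3a") -> set:
    """If an unlikely random label resolves, the zone has a wildcard record."""
    return set(resolver(f"{probe_label}.{domain}"))


def enumerate_subdomains(domain: str, words: List[str] = DEFAULT_WORDS,
                         resolver: Resolver = default_resolver,
                         workers: int = 8) -> Dict[str, List[str]]:
    """Resolve each word.domain concurrently; drop hits that only match the wildcard."""
    wildcard = wildcard_addresses(domain, resolver)
    names = [f"{word}.{domain}" for word in words]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(resolver, names))
    found: Dict[str, List[str]] = {}
    for name, addrs in zip(names, answers):
        real = [a for a in addrs if a not in wildcard]
        if real:
            found[name] = real
    return found


if __name__ == "__main__":
    # Assumed placeholder domain; replace with a zone you administer.
    for host, ips in sorted(enumerate_subdomains("example.com").items()):
        print(f"{host:30s} {', '.join(ips)}")
```

The returned dictionary is the part worth keeping: diffing today's inventory against last week's is a cheap way to catch hostnames that appeared in your zone without a change ticket.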
Another great tool I've been looking at is a Python script called dnsrecon.py. Dnsrecon has many more options than dnsmap; however, with more options comes more configuration. Like nmap, you need to sit down and figure out what you want before you start sending queries. Here's an example I've been playing with: dnsrecon.py -w -d domain_name.com (this will do a deep whois search and get you the IP ranges for your target domain name).
Finally, I want to take a quick look at a Perl script named dnsenum.pl. Dnsenum.pl has multiple options, much like dnsrecon.py, but it has one interesting option the other two tools lack, and that's Google scraping. This lets you automatically search Google for the domain name and gather those results too.
So in short, don't forget about DNS. There are a lot of good tools to mine DNS and gain valuable insight into a domain name.
Michael