Penetrating "Secure" Websites By Increasing Attack Vectors - Part II: DNS Enumeration
This is part two of the tutorial series. If you have not yet read part one, use the following link:
SOLDIERX.COM Tutorials -> Penetrating "Secure" Websites By Increasing Attack Vectors - Part I
// Introduction
Part one was an introductory into information gathering and network mapping. As this is the follow-up, part two, I will be discussing additional techniques to increase awareness of available attack vectors. As there are many techniques, I will only briefly cover DNS enumeration in this particular tutorial. If you are already familiar, you may have no interest in reading beyond this line. Otherwise, enjoy.
// DNS Enumeration
Brute-Force Subdomains and Hostnames - Brute-force domains to check if they resolve to the IP address of our intended target. Watch out for wildcard resolution when automating this technique.
Reverse DNS Lookup/Resolution (rDNS) - Determine domain names associated with the IP address of our target via a reverse in-addr entry which queries the ARPA (Address and Routing Paramater Area) database.
Name Server (NS) Record Lookup - Retrieve the authoritative name server of our target. On *nix based operating systems there is a tool named "NSLookup" used for exactly this. Example:
[email protected]:~$ nslookup
> shadow.net
Server: 111.222.333.444
Address: 111.222.333.444#53
Non-authoritative answer:
Name: shadow.net
Address: 111.222.333.444
Mail Exchange (MX) Record Lookup - Stored as part of a domain's DNS records and used in e-mail by the sending server to determine corresponding IP address of the recipients delivery server.
DNS AXFR Zone Transfer - If the name server which hosts the target's domain zone is vulnerable to a zone transfer attack. A simple AXFR query will display all saved DNS records. Example:
[email protected]:~$ dig shadow.net axfr
// DNS Enumeration Software and Services
In this section, I'd like to cover some of the tools and web-based services currently available that are capable of acquiring information through DNS enumeration.
MSF Auxiliary DNS Enumeration Module - For those familiar with MSF (MetaSploit Framework), there is a very handy auxiliary module called "DNS Enumeration." From the MSF console, use the following command to access the module:
msf > use auxiliary/gather/dns_enum
Hostmap - Hostmap is the "automatic hostnames and virtual hosts discovery tools" which incorporates not only DNS enumeration by a number of additional techniques that have not been covered in this tutorial. As far as I am aware at this time, the official website for hostmap is located at http://hostmap.lonerunners.net. Your typical scan would be run with the following command:
[email protected]:~$ ruby hostmap.rb -t 111.222.333.444
// The End
Look for part three of this tutorial series as it will cover techniques that were not so much as mentioned in this tutorial.