DNS Enumeration with host
The host utility is a simple DNS lookup tool: it resolves hostnames to IP addresses and IP addresses back to hostnames, and it can ask for specific resource record types.
Perform a DNS Query for ANY Resource Record type
The '-a' option (equivalent to '-v -t ANY') sends a query for resource records of type ANY and prints the full response in verbose form.
host -a [domain] [nameserver]

sam@asus:~/unix% host -a acme.com 127.0.0.1
Trying "acme.com"
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51858
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;acme.com.                      IN      ANY

;; ANSWER SECTION:
acme.com.               86400   IN      SOA     pri.acme.com. root.acme.com. 2011071001 3600 1800 604800 86400
acme.com.               86400   IN      NS      pri.acme.com.
acme.com.               86400   IN      NS      sec.acme.com.
acme.com.               86400   IN      A       192.168.1.201
acme.com.               86400   IN      A       192.168.1.200
acme.com.               86400   IN      A       192.168.1.202

;; ADDITIONAL SECTION:
pri.acme.com.           86400   IN      A       192.168.1.200
sec.acme.com.           86400   IN      A       192.168.1.201

Received 183 bytes from 127.0.0.1#53 in 1 ms
sam@asus:~/unix%
Perform a DNS Query by Type
The '-t' option allows you to specify the resource record type to return. These types can be CNAME, NS, SOA, A, AAAA, AXFR, MX, etc.
host -t [rr-type] [domain]

sam@asus:~/unix% host -t ns acme.com
acme.com name server ns1.indra.com.
acme.com name server ns2.indra.com.
acme.com name server dns.bitway.com.
sam@asus:~/unix%
sam@asus:~/unix% host -t SOA acme.com
acme.com has SOA record localhost.acme.com. jef.acme.com. 2018111112 10800 1200 86400 3600
sam@asus:~/unix%
sam@asus:~/unix% host -t MX acme.com
acme.com mail is handled by 10 mail2b.smtproutes.org.
acme.com mail is handled by 10 smtp-c.acme.com.
acme.com mail is handled by 10 mail2a.smtproutes.org.
acme.com mail is handled by 10 oslo.cs.princeton.edu.
acme.com mail is handled by 10 mail.pc-utils.com.
acme.com mail is handled by 10 smtp-b.acme.com.
sam@asus:~/unix%
Perform a Zone Transfer
To request a zone transfer (AXFR), use the '-l' option followed by the domain and the nameserver to query. The server returns every record in the zone, which is why authoritative servers should only permit transfers from their own secondaries; the command succeeds only against a server that allows transfers to your address.
host -l [domain] [nameserver]

sam@asus:~/unix% host -l acme.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

acme.com name server pri.acme.com.
acme.com name server sec.acme.com.
acme.com has address 192.168.1.200
acme.com has address 192.168.1.201
acme.com has address 192.168.1.202
client.acme.com has address 192.168.1.202
pri.acme.com has address 192.168.1.200
sec.acme.com has address 192.168.1.201
sam@asus:~/unix%
Brute Force Forward Lookup Domains
You can brute-force candidate hostnames from a word list to uncover servers you did not come across during the preliminary DNS enumeration. The following Perl script reads one label per line from domains.txt, appends the target domain and asks the nameserver for an A record.
#!/usr/bin/env perl
use strict;
use warnings;
use Net::DNS;

my $tld        = "microsoft.com";   # base domain the word list is tested against
my $file       = "domains.txt";     # one candidate label per line (www, ftp, ...)
my $nameserver = "127.0.0.1";

open(my $fh, '<', $file) or die "Cannot open $file: $!";
chomp(my @subdomains = <$fh>);      # strip newlines so they never end up in the query
close($fh);

my $res = Net::DNS::Resolver->new;
$res->nameservers($nameserver);

foreach my $domain (@subdomains) {
    next if $domain eq '';
    my $name  = "$domain.$tld";     # label, dot, base domain
    my $reply = $res->search($name, "A");
    next unless $reply;
    foreach my $rr ($reply->answer) {
        print "$name has address ", $rr->address, "\n" if $rr->can("address");
    }
}
The output of the script should look something like this:
sam@asus:~/unix% ./dns-brute-host.pl
www.microsoft.com has address 104.215.95.187
www.microsoft.com has address 52.164.206.56
support.microsoft.com has address 40.113.200.201
support.microsoft.com has address 40.112.72.205
support.microsoft.com has address 104.215.148.63
support.microsoft.com has address 13.77.161.179
support.microsoft.com has address 40.76.4.15
ftp.microsoft.com has address 209.239.116.136
download.microsoft.com has address 185.53.178.24
sam@asus:~/unix%
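One caveat the Perl script above does not handle: a zone with a wildcard record answers for every label, so a naive word-list run reports every entry as a hit. The example below is added here and is not the post's script; it takes any resolve(name) callable (a constructed fake zone is used so it runs offline) and probes a random label first to filter wildcard answers.

```python
import secrets
from typing import Callable, Dict, Iterable, List

# resolve(name) -> list of A-record addresses, [] when the name does not resolve.
Resolver = Callable[[str], List[str]]

def wildcard_addresses(base: str, resolve: Resolver) -> set:
    """Resolve a random label that cannot be in any word list. If it gets an
    answer, the zone has a wildcard record and those addresses are noise."""
    probe = f"{secrets.token_hex(8)}.{base}"
    return set(resolve(probe))

def brute_force(labels: Iterable[str], base: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Mirror the post's loop, but drop answers that only come from a wildcard.
    (A host that genuinely lives at the wildcard address is filtered too.)"""
    wildcard = wildcard_addresses(base, resolve)
    found: Dict[str, List[str]] = {}
    for label in labels:
        label = label.strip()
        if not label:
            continue
        name = f"{label}.{base}"           # label, dot, base domain
        addrs = [a for a in resolve(name) if a not in wildcard]
        if addrs:
            found[name] = addrs
    return found

# Constructed zone modelled on the post's acme.com lab, plus a wildcard that
# answers for every other label. A real resolver (e.g. one built on dnspython
# pointed at 127.0.0.1, not imported here) has the same call shape.
FAKE_ZONE = {
    "www.acme.com": ["192.168.1.200"],
    "ftp.acme.com": ["192.168.1.201"],
}
WILDCARD_ADDR = "192.168.1.250"

def fake_resolve(name: str) -> List[str]:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return [WILDCARD_ADDR] if name.endswith(".acme.com") else []

def demo() -> Dict[str, List[str]]:
    # constructed domains.txt: two real labels, two that only hit the wildcard
    return brute_force(["www", "ftp", "mail", "admin", ""], "acme.com", fake_resolve)

if __name__ == "__main__":
    for name, addrs in demo().items():
        print(f"{name} has address {', '.join(addrs)}")
```

Without the wildcard filter, mail.acme.com and admin.acme.com would both be reported as live hosts at 192.168.1.250.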
Brute Force PTR records
Just as a forward lookup returns the IP address for a name, a reverse lookup returns the name for an IP address: you query for a 'PTR' resource record. The IP address must first be converted into a special owner name: reverse the octets and append "in-addr.arpa" to the end of the string. For instance, the IP "1.2.3.4" becomes "4.3.2.1.in-addr.arpa". The 'host' command does this conversion for you when it is given an IP address:
sam@asus:~/unix% host 192.168.1.202 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

202.1.168.192.in-addr.arpa domain name pointer client.acme.com.
sam@asus:~/unix%
Here we successfully performed an rDNS query against the host 192.168.1.202, which points to the name 'client.acme.com'. We can automate this task with Perl again to get the results we need in a timely manner.
#!/usr/bin/env perl
use strict;
use warnings;
use Net::DNS;

my $nameserver = "127.0.0.1";
my $file       = 'ipts.txt';        # one IPv4 address per line

open(my $fh, '<', $file) or die "Cannot open $file: $!";
chomp(my @hosts = <$fh>);
close($fh);

my $res = Net::DNS::Resolver->new;
$res->nameservers($nameserver);

foreach my $host (@hosts) {
    # skip anything that is not a dotted-quad IPv4 address
    next unless $host =~ m/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
    # reverse the octets and append in-addr.arpa to build the PTR owner name
    my $ptr_rr = "$4.$3.$2.$1.in-addr.arpa";
    my $query  = $res->query($ptr_rr, "PTR");
    if ($query) {
        foreach my $rr ($query->answer) {
            next unless $rr->type eq "PTR";
            print "$ptr_rr has address ", $rr->ptrdname, "\n";
        }
    } else {
        # print $res->errorstring, " for $ptr_rr\n";   # uncomment to see NXDOMAIN etc.
    }
}
Here the script has mapped the IPs to known names on the remote network through rDNS lookups:
sam@asus:~/unix% ./dns-brute-ptr.pl
200.1.168.192.in-addr.arpa has address pri.acme.com.
201.1.168.192.in-addr.arpa has address sec.acme.com.
202.1.168.192.in-addr.arpa has address client.acme.com.
sam@asus:~/unix%
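The owner-name construction described above generalises to IPv6, where every hex nibble of the expanded address is reversed and "ip6.arpa" is appended. The example below is added here and is not the post's script: it builds the owner name for both address families, cross-checks it against the standard library, and runs the reverse-lookup loop against a constructed fake zone (any resolve(owner_name) callable can be substituted) so it works offline.

```python
import ipaddress

def reverse_pointer(ip: str) -> str:
    """PTR owner name for an IPv4 (octets reversed + in-addr.arpa, as in the
    post) or IPv6 address (nibbles reversed + ip6.arpa). ValueError on junk."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")   # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def matches_stdlib(ip: str) -> bool:
    """Cross-check against the ipaddress module's own reverse_pointer."""
    return reverse_pointer(ip) == ipaddress.ip_address(ip).reverse_pointer

def map_ptrs(ips, resolve):
    """resolve(owner_name) -> list of PTR targets ([] if none). Malformed lines
    are skipped instead of reusing the previous owner name."""
    found = {}
    for raw in ips:
        ip = raw.strip()
        try:
            owner = reverse_pointer(ip)
        except ValueError:
            continue
        targets = resolve(owner)
        if targets:
            found[ip] = targets
    return found

# Constructed reverse zone mirroring the post's lab output; a real resolver
# (e.g. one built on dnspython, not imported here) has the same call shape.
FAKE_REVERSE_ZONE = {
    "200.1.168.192.in-addr.arpa": ["pri.acme.com."],
    "201.1.168.192.in-addr.arpa": ["sec.acme.com."],
    "202.1.168.192.in-addr.arpa": ["client.acme.com."],
}

def fake_resolve(owner: str):
    return FAKE_REVERSE_ZONE.get(owner, [])

def demo():
    # constructed ipts.txt: three known hosts, one unused address, one junk line
    lines = ["192.168.1.200", "192.168.1.201", "192.168.1.202", "192.168.1.203", "junk"]
    return map_ptrs(lines, fake_resolve)

if __name__ == "__main__":
    for ip, names in demo().items():
        print(f"{reverse_pointer(ip)} domain name pointer {names[0]}")
```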