Another way for pen testers to learn more about their targets is through DNS servers and records. DNS servers store a lot of useful information about their related networks, and there are a handful of tools to use for extracting valuable information about a target.
What DNS does (or, why we care)
DNS is part of the TCP/IP protocol suite. It’s responsible for mapping user-friendly domain names (like “google.com”) to an IP address (like “126.96.36.199”).
A domain name server is a server with a large database of these mappings. For pen testers, accessing DNS servers provides them with a blueprint of the company’s infrastructure, via a list of internal IP addresses and host names. As Engebretson notes in his book (The Basics of Hacking and Penetration Testing), DNS servers are often poorly configured or maintained, making them easy targets.
As always, only use this for legal purposes, with authorization, etc etc.
One particularly useful source of DNS information is a zone transfer (AXFR). Because networks typically have two or more DNS servers for redundancy or load balancing, they need to communicate with each other to share their host-to-IP mappings and stay in sync.
If we have collected host names (for a given target) in previous reconnaissance steps, we need to translate those into IP addresses for future steps. To do so, we can use
Host is built into most Linux systems (including Kali). I’m not sure what a Windows equivalent is, besides maybe
To use host, type
host followed by the DNS server you are trying to find an IP address for. For example:
ns1.bluehost.com has address 188.8.131.52
Nslookup is a tool that queries DNS server for its host records. It’s available for Linux (including Kali) and Windows. To use it, open up a command line and run:
It will then show a
>, and wait for you to enter in
server and the IP address of the DNS server that you want to learn about (if you only have the hostname, use
host as shown in the previous section to get the IP address).
Then, you’ll have to specify the type of DNS record. There are several different types:
- A Records point to a domain or subdomain of an IP address (for example, mapping “184.108.40.206” to “google.com”).
- CNAME allows a machine to be known by the hostnames specified in the CNAME record.
- MX or Mail Exchanger is for routing email to the specified email server. There are priority numbers given to specify which mail server should be contacted first.
- NS records map a domain name to their related DNS servers (i.e. google.com -> ns1.google.com, ns2.google.com, etc.)
- TXT records are for text-based info. One example might be domain ownership verification.
A full list of DNS record types can be found here, on Wikipedia.
You can either ask for all DNS record types, or specify a certain type:
set type = any
set type = a,
set type = mx, and so on. The additional servers that you find from nslookup can be added to the target list.
If we find an email server, this presents another opportunity to learn more about a target. Email servers must allow outside traffic in to be useful as email servers. In The Basics of Hacking and Penetration Testing, Engebretson says to send an email to the organization with an empty .bat or .exe file. The goal is to get rejected, and then inspect the rejection email for anti-virus vendor and version information, IP address of the server, software versions being used on the server, etc.
If you want to attempt a zone transfer (Engebretson notes that your chances of success are pretty low), you can use
dig to do so:
dig @ip_address_here example.com -t AXFR
If the zone transfer doesn’t work out for you,
fierce can be your backup option. Fierce is a Perl-script that comes pre-installed on Kali. To use:
cd /usr/bin/ ./fierce -dns example.com
Fierce will lookup DNS servers for a given domain name, attempt a zone transfer, and then perform hundreds (or thousands) of automated DNS scans for you.
-delay The number of seconds to wait between lookups. -dns The domain you would like scanned. -dnsfile Use DNS servers provided by a file (one per line) for reverse lookups (brute force). -dnsserver Use a particular DNS server for reverse lookups (probably should be the DNS server of the target). Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries by default. -file A file you would like to output to be logged to. -fulloutput When combined with -connect this will output everything the webserver sends back, not just the HTTP headers.
A list of command line flags can be found here.
All together now!
whois to find the DNS servers for a given website. Next, use
host to translate the hostname into an IP address. Use
nslookup to get the full set of related DNS records (for mail exchangers, etc). Use
fierce to attempt a zone transfer, and/or look for related DNS servers.