Another way for pen testers to learn more about their targets is through DNS servers and records. DNS servers store a lot of useful information about their related networks, and there are a handful of tools to use for extracting valuable information about a target.
What DNS does (or, why we care)
DNS is part of the TCP/IP protocol suite. It’s responsible for mapping user-friendly domain names (like “google.com”) to an IP address (like “172.217.4.46”).
A domain name server is a server with a large database of these mappings. For pen testers, accessing DNS servers provides them with a blueprint of the company’s infrastructure, via a list of internal IP addresses and host names. As Engebretson notes in his book (The Basics of Hacking and Penetration Testing), DNS servers are often poorly configured or maintained, making them easy targets.
As always, only use this for legal purposes, with authorization, etc etc.
Zone transfers
One particularly useful source of DNS information is a zone transfer (AXFR). Because networks typically have two or more DNS servers for redundancy or load balancing, they need to communicate with each other to share their host-to-IP mappings and stay in sync.
Host
If we have collected host names (for a given target) in previous reconnaissance steps, we need to translate those into IP addresses for future steps. To do so, we can use host.
Host is built into most Linux systems (including Kali). I’m not sure what a Windows equivalent is, besides maybe nslookup.
To use host, type host followed by the hostname you want an IP address for (here, one of the target’s DNS servers). For example:
host ns1.bluehost.com
Which returns
ns1.bluehost.com has address 162.159.24.80
NSLookup
Nslookup is a tool that queries a DNS server for its host records. It’s available for Linux (including Kali) and Windows. To use it, open up a command line and run:
nslookup
It will then show a > prompt and wait for input. Enter server followed by the IP address of the DNS server that you want to learn about (if you only have the hostname, use host as shown in the previous section to get the IP address):
server 8.8.8.8
Then, you’ll have to specify the type of DNS record. There are several different types:
- A records map a domain or subdomain to an IP address (for example, mapping “google.com” to “172.217.4.46”).
- CNAME allows a machine to be known by the hostnames specified in the CNAME record.
- MX or Mail Exchanger is for routing email to the specified email server. There are priority numbers given to specify which mail server should be contacted first.
- NS records map a domain name to its related DNS servers (i.e. google.com -> ns1.google.com, ns2.google.com, etc.)
- TXT records are for text-based info. One example might be domain ownership verification.
A full list of DNS record types can be found here, on Wikipedia.
You can either ask for all DNS record types, or specify a certain type:
set type=any
or set type=a, set type=mx, and so on (nslookup expects no spaces around the =). The additional servers that you find from nslookup can be added to the target list.
Email Servers
If we find an email server, this presents another opportunity to learn more about a target. Email servers must allow outside traffic in to be useful as email servers. In The Basics of Hacking and Penetration Testing, Engebretson says to send an email to the organization with an empty .bat or .exe file. The goal is to get rejected, and then inspect the rejection email for anti-virus vendor and version information, IP address of the server, software versions being used on the server, etc.
Zone transfers
Dig
If you want to attempt a zone transfer (Engebretson notes that your chances of success are pretty low), you can use dig to do so:
dig @ip_address_here example.com -t AXFR
Fierce
If the zone transfer doesn’t work out for you, fierce can be your backup option. Fierce is a Perl script that comes pre-installed on Kali. To use:
cd /usr/bin/
./fierce -dns example.com
Fierce will lookup DNS servers for a given domain name, attempt a zone transfer, and then perform hundreds (or thousands) of automated DNS scans for you.
-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups (probably should be the DNS server of the target). Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything the webserver sends back, not just the HTTP headers.
A list of command line flags can be found here.
All together now!
Use whois to find the DNS servers for a given website. Next, use host to translate the hostname into an IP address. Use nslookup to get the full set of related DNS records (for mail exchangers, etc). Use dig or fierce to attempt a zone transfer, and/or look for related DNS servers.