DNS ENUMERATION AND ZONE TRANSFER WITH NSLOOKUP, HOST, DNSRECON, DNSENUM, FIERCE AND NSE
– Layout for this exercise:
– DNS servers are some of the best sources for gathering information about a domain or an organization.
– DNS servers contain DNS and mail information for the domain with authority over what is provided when public requests are made from the Internet.
– Due to the abundant and interesting information contained in the DNS servers DNS Enumeration is one of the most critical steps while gathering information about a target.
– DNS Zone Transfer, also known by the DNS query type that triggers it, AXFR, is a type of DNS transaction.
– DNS Zone Transfer is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
– A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.
– The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server.
– The portion of the database containing the list of all DNS names is the zone file.
– The data contained in a DNS zone may be sensitive from an operational security aspect.
– This is because information such as server hostnames may become public knowledge, which can be used to learn about an organization and even exposes a larger attack surface.
2 – nslookup
– nslookup is a popular tool that queries DNS for the name servers and mail servers of a given domain:
– Applying the NS query option for name servers:
– Applying the MX query option for mail servers:
– Applying the ANY query option for both name and mail servers:
3 – host
– host is a Linux command that performs powerful DNS lookups given a domain name:
– Run without any parameter, host prints its usage help:
– Looking for name servers (-t type ns):
– Looking for email servers (-t type mx):
– Looking for web servers (-t type www):
4 – DNS Zone Transfer with host
– Now, let’s use host for a slightly more complicated task: a DNS Zone Transfer.
– First, let’s try with the previously enumerated ns1 name server. The zone transfer fails:
– However, the zone transfer with ns2 is successful:
– Finally, the zone transfer with ns3 also fails:
– The result of the successful DNS Zone Transfer with ns2 is a full dump of the zone file for the whole domain, giving us a list of IPs and their corresponding DNS names.
– Let’s try opening in a browser some of the IPs obtained from the DNS Zone Transfer:
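The name-server lookup and the per-server zone-transfer attempts from sections 3 and 4, combined into one script that reports which authoritative servers of a domain answer an AXFR; this is an added example, not code from the original post, and it assumes the bind9 `host` utility is installed (the sample zone dump inside it is constructed).

```shell
#!/bin/sh
# Added example (not from the original post): combine the `host -t ns` lookup
# and the `host -l` zone-transfer attempt into one check over every name
# server of a domain. Assumes bind9 `host` is installed for the live check.

# Extract name-server hostnames from `host -t ns <domain>` output
# (lines such as "example.com name server ns1.example.com.").
parse_ns() {
  awk '/ name server / {print $NF}'
}

# Reduce a successful `host -l` dump to "hostname address" pairs,
# covering both A ("has address") and AAAA ("has IPv6 address") lines.
zone_to_pairs() {
  awk '/ has address / {print $1, $4}
       / has IPv6 address / {print $1, $5}'
}

# Attempt AXFR against each authoritative server of $1 and report the
# outcome per server; an "allowed" line means that server exposes the zone.
check_axfr() {
  domain="$1"
  for ns in $(host -t ns "$domain" | parse_ns); do
    if host -l "$domain" "$ns" >/dev/null 2>&1; then
      echo "$ns allowed"
    else
      echo "$ns refused"
    fi
  done
}

# Constructed sample of `host -l` output, so the parser can be tried offline.
SAMPLE_ZONE='example.com name server ns1.example.com.
www.example.com has address 192.0.2.10
mail.example.com has address 192.0.2.25
v6.example.com has IPv6 address 2001:db8::1'

printf '%s\n' "$SAMPLE_ZONE" | zone_to_pairs

# Live check against a real domain when one is passed as the first argument.
if [ -n "${1:-}" ]; then
  check_axfr "$1"
fi
```

Run it as `sh check_axfr.sh yourdomain.example` against a zone you administer; every server listed as "allowed" should have its allow-transfer restricted to its secondaries.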
5 – dnsrecon
– dnsrecon is an automated tool, a Python script, that can be used for DNS enumeration.
– Let’s verify that the information provided by dnsrecon matches what we obtained before.
– First, dnsrecon detects the DNS servers ns1, ns2 and ns3:
– Then, dnsrecon attempts a DNS zone transfer with ns2, which succeeds:
– dnsrecon also attempts a DNS zone transfer with ns1 and ns3, with no result:
6 – dnsenum
– dnsenum is a multithreaded Perl script to enumerate DNS information of a domain.
– The output obtained with dnsenum is the same as before:
7 – fierce
– fierce is a Perl-based script for DNS enumeration. The results obtained with fierce are very similar to the previous ones:
8 – Nmap Scripting Engine (NSE)
– The Nmap Scripting Engine (NSE) is an extension of Nmap that provides users with scripts to automate several tasks:
– The NSE dns-zone-transfer script provides the same output as before:
– The NSE dns-brute script gives a more limited result, since it only checks a list of common subdomains:
9 – whois
– whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
– Looking for the domain megacorpone.com: