Information gathering using DNS Reconnaissance!!

Information gathering using DNS Reconnaissance | Information Security | Sanket R Jain

Information gathering using DNS reconnaissance provides public, and sometimes unintentionally exposed, information about an organisation's servers: their IP addresses, host names and, from the naming, their likely functions. The organisation's DNS also tells us which hosts handle its mail (MX records) and which name servers are authoritative for its zone (NS records). Tools such as host, nslookup and dig query DNS servers to retrieve this information.

In the screenshot we connected to the local resolver and asked it to resolve a name for us; the server replied with the IP address of the target host. To retrieve the mail server information we can use the following commands. MX records are published for the domain itself rather than for the www host, so the name queried is victimaddress.com, not www.victimaddress.com:

nslookup

set type=mx

victimaddress.com

The output shows a single mail server, msgin.vvv.facebook.com, with a preference value of 10. When a domain publishes several MX records, sending mail servers try the record with the lowest preference value first and fall back to the higher ones, so the number expresses priority and lower is preferred.

We can also get the name server information of an organisation by typing the following commands (NS records, like MX records, are published for the domain, so again we query the domain rather than the www host):

nslookup

set type=ns

victimaddress.com

The output shows two authoritative name servers, a.ns.facebook.com and b.ns.facebook.com.

DNS information gathering can be divided into three main techniques:

  1. Forward lookup bruteforce

  2. Reverse lookup bruteforce

  3. Zone transfers

Forward lookup bruteforce

The idea behind this technique is to guess valid host names in the organisation's domain and resolve each guess. We can try a single guess with the host command.

The output gave us the IP address of a host that exists; a name that does not exist, for example donotexist.victimaddress.com, comes back as not found (NXDOMAIN), which is how we tell good guesses from bad ones.

To test many names we write a script that automates the guessing, but first we need a wordlist of likely host names, one per line, such as:

www

www1

www2

dns

dns1

firewall

cisco

proxy

ns1

ns2

ns3

ns4

pop3

smtp

checkpoint

……..

Save the file with a ".txt" extension (the scripts below call it filename.txt).

Now we create a bash script that reads the file of candidate names and checks which of them resolve in the target's domain.

The following is the script:

#!/bin/bash

# Read one candidate host name per line from filename.txt and try to resolve
# it in the target's domain (replace victimaddress.com with the real domain).
while read -r name; do
    host "$name.victimaddress.com"
done < filename.txt

To run the script, make it executable with chmod 775 filename.sh (chmod +x filename.sh also works) and start it with ./filename.sh.

Now we run the script.

The output contains a lot of information (alias lines, not-found errors and so on), so let us add some code to the script to filter the output:

#!/bin/bash

# Same loop, but keep only the lines that carry an IPv4 answer.
while read -r name; do
    host "$name.victimaddress.com" | grep "has address"
done < filename.txt

The changed script prints only the lines containing the phrase "has address", that is, the names that resolved to an IPv4 address. Error lines for names that do not exist are dropped, and so are IPv6-only answers, which host reports as "has IPv6 address".

To filter further and keep only the IP addresses, we add one more stage to the pipeline:

#!/bin/bash

# "name has address x.x.x.x" is four space-separated fields; keep the fourth.
while read -r name; do
    host "$name.victimaddress.com" | grep "has address" | cut -d " " -f4
done < filename.txt

This version prints only the IP addresses of the guessed names that resolved.
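The pipeline above throws the host name away once the address is cut out, reports an aliased name under its canonical name, and ignores IPv6 answers. The following is an added example, not the post's own script, that keeps the guessed name next to every answer, records A, AAAA and CNAME answers, and collects the distinct IPv4 addresses so they can be fed to whois in the next step. It assumes the host utility is installed; the domain, wordlist path and the sample host output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the post's own script): forward-lookup brute force that
# keeps the guessed name next to every answer, records A, AAAA and CNAME
# answers instead of only "has address", and collects the distinct IPv4
# addresses for the whois step. Assumes the `host` utility is installed.

# parse_host: read `host` output on stdin and print "name type value" lines.
parse_host() {
    awk '
        / has address /      { print $1, "A",    $NF }
        / has IPv6 address / { print $1, "AAAA", $NF }
        / is an alias for /  { t = $NF; sub(/\.$/, "", t); print $1, "CNAME", t }
    '
}

# unique_ips: from parse_host output, print each distinct IPv4 address once.
unique_ips() {
    awk '$2 == "A" { print $3 }' | sort -u
}

# forward_bruteforce DOMAIN WORDLIST: resolve LABEL.DOMAIN for every label in WORDLIST.
forward_bruteforce() {
    domain=$1
    while IFS= read -r label || [ -n "$label" ]; do
        [ -n "$label" ] || continue
        host -W 2 "$label.$domain" 2>/dev/null   # -W 2: give up after 2 seconds
    done < "$2" | parse_host
}

# Constructed sample of `host` output (not captured from any real target),
# using the documentation range 203.0.113.0/24 and the example.com domain.
SAMPLE='www.example.com is an alias for web.example.com.
web.example.com has address 203.0.113.10
web.example.com has IPv6 address 2001:db8::10
mail.example.com has address 203.0.113.25
Host dns1.example.com not found: 3(NXDOMAIN)
ns1.example.com has address 203.0.113.10'

demo()     { printf '%s\n' "$SAMPLE" | parse_host; }
demo_ips() { printf '%s\n' "$SAMPLE" | parse_host | unique_ips; }

# Usage: ./forward.sh victimaddress.com filename.txt
if [ $# -eq 2 ]; then
    forward_bruteforce "$1" "$2"
else
    demo
fi
```

Run with the target domain and the wordlist as arguments; without arguments it only parses the constructed sample. The distinct-address list from unique_ips is the input for the whois step that follows.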


This gave us two IP addresses, 173.252.133.23 and 69.171.239.12, which do not belong to the same range. To complete the information gathering we look up the whois record of each address: the net range it returns tells us which other addresses belong to the organisation, and the record also carries the owner and contact details.

Whois for 173.252.133.23 (this provides the net range and other useful information)

Whois for 69.171.239.12 (this provides the net range and other useful information)


Reverse lookup bruteforce

This technique is the reverse of forward lookup brute force: here the target's IP addresses are known (for example from the whois net ranges above) and we want the host names, and from them hints about the services, associated with those addresses. With the host command we can look up the PTR record of a single address.

The output shows the host name registered for that address.

We can automate this with a script that queries every address in the net range and prints the names it finds, which often reveal the role of each machine. The script used for this is shown in the screenshot.

Make the file executable with chmod 775 filename.sh and run it.
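Since the post's own reverse-lookup script survives only as a screenshot, here is an added example (not the post's code) that sweeps a range of IPv4 addresses with host and prints "ip name" for every address that has a PTR record. It assumes the host utility is installed; the prefix, the range and the sample host output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the post's own script (which appears only as a screenshot):
# reverse-lookup sweep over a range of IPv4 addresses, printing "ip name" for
# every address that has a PTR record. Assumes the `host` utility is installed.

# ptr_names: read `host` output on stdin; for each PTR answer print "ip name".
# host prints the reversed octets, e.g.
#   5.113.0.203.in-addr.arpa domain name pointer mail.example.com.
# so the first four labels are flipped back into the normal order.
ptr_names() {
    awk '/ domain name pointer / {
        split($1, o, "[.]")
        name = $NF
        sub(/\.$/, "", name)                     # drop the trailing dot
        print o[4] "." o[3] "." o[2] "." o[1], name
    }'
}

# reverse_sweep PREFIX [FIRST] [LAST]: PTR-query PREFIX.FIRST .. PREFIX.LAST,
# e.g. reverse_sweep 203.0.113 1 254 for the whole /24 reported by whois.
reverse_sweep() {
    prefix=$1; i=${2:-1}; last=${3:-254}
    while [ "$i" -le "$last" ]; do
        host -W 2 "$prefix.$i" 2>/dev/null     # addresses without a PTR print "not found"
        i=$((i + 1))
    done | ptr_names
}

# Constructed sample of `host` output for three addresses (not captured from any
# real network); the second address has no PTR record.
SAMPLE='5.113.0.203.in-addr.arpa domain name pointer mail.example.com.
Host 6.113.0.203.in-addr.arpa not found: 3(NXDOMAIN)
10.113.0.203.in-addr.arpa domain name pointer web.example.com.'

demo() { printf '%s\n' "$SAMPLE" | ptr_names; }

# Usage: ./reverse.sh 203.0.113 [first] [last]
if [ $# -ge 1 ]; then
    reverse_sweep "$@"
else
    demo
fi
```

Pass the first three octets of the range from whois as the prefix; without arguments the script only parses the constructed sample. The query goes to whoever is authoritative for the in-addr.arpa zone, which for provider-owned space is often the ISP rather than the target, so the names returned may describe the hosting provider's naming scheme rather than the organisation's own.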


DNS Zone Transfers

A zone transfer is a DNS transaction of query type AXFR. It is the standard mechanism administrators use to replicate the DNS database of a zone from the primary name server to its secondaries. Zone transfers are frequently not restricted properly, so that any client that asks receives a complete copy of the zone, that is, every host name and record the organisation has published. A successful zone transfer is not a compromise in itself, but it hands the tester a full host list that would otherwise have to be brute-forced. We can attempt a zone transfer with tools like host or dig.

Type host -t ns victimaddress.com

The screenshot shows how to get the name server names.

Now that we have the name server names we can try a zone transfer against one of them. Type host -l victimaddress.com dnsnameserver

(Our query failed with "Transfer failed", so this name server refuses transfers to arbitrary clients. The check should be repeated against every authoritative name server, since a zone that is locked down on one server is sometimes still open on another.)
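Checking a single name server, as above, is not enough: each authoritative server enforces its own transfer policy. The following is an added example, not the post's code, that collects the NS records with host -t ns and then tries host -l against every one of them, reporting per server whether the transfer was refused or how many records came back. It assumes the host utility is installed; the domain, server names and the sample host output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): attempt a zone transfer against
# every authoritative name server of a domain, not only the first one, and
# report which of them hand out the zone. Assumes the `host` utility is installed.

# ns_names: read `host -t ns DOMAIN` output on stdin and print bare server names.
# host prints e.g. "example.com name server ns1.example.com."
ns_names() {
    awk '/ name server / { n = $NF; sub(/\.$/, "", n); print n }'
}

# axfr_verdict: read `host -l DOMAIN NS` output on stdin and print
# "allowed <records>" or "refused". A refusing server makes host print
# "; Transfer failed."; a successful transfer lists the zone's records.
axfr_verdict() {
    awk '
        /Transfer failed/ { failed = 1 }
        / has address | has IPv6 address | name server | mail is handled by | is an alias for / { records++ }
        END { if (failed || records == 0) print "refused"; else print "allowed " records }
    '
}

# check_zone_transfer DOMAIN: one verdict line per authoritative name server.
check_zone_transfer() {
    domain=$1
    host -t ns "$domain" 2>/dev/null | ns_names | while read -r ns; do
        printf '%s: %s\n' "$ns" "$(host -l "$domain" "$ns" 2>&1 | axfr_verdict)"
    done
}

# Constructed samples (not captured from any real server): the NS answer for a
# domain, a refused transfer from ns1 and a successful one from ns2.
NS_SAMPLE='example.com name server ns1.example.com.
example.com name server ns2.example.com.'
REFUSED_SAMPLE='Using domain server:
Name: ns1.example.com
Address: 203.0.113.53#53
Aliases:

; Transfer failed.'
ALLOWED_SAMPLE='Using domain server:
Name: ns2.example.com
Address: 203.0.113.54#53
Aliases:

example.com name server ns1.example.com.
example.com name server ns2.example.com.
example.com mail is handled by 10 mail.example.com.
www.example.com has address 203.0.113.10
mail.example.com has address 203.0.113.25'

demo_ns()      { printf '%s\n' "$NS_SAMPLE" | ns_names; }
demo_refused() { printf '%s\n' "$REFUSED_SAMPLE" | axfr_verdict; }
demo_allowed() { printf '%s\n' "$ALLOWED_SAMPLE" | axfr_verdict; }

# Usage: ./axfr-check.sh victimaddress.com
if [ $# -eq 1 ]; then
    check_zone_transfer "$1"
fi
```

Run it with the target domain as the only argument. A line such as "ns2.example.com: allowed 5" means that server handed out the whole zone, and the same host -l output can then be saved as the complete host list for the later phases of the test.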
