Information gathering using DNS reconnaissance provides public, and sometimes private, information about an organisation's servers: IP addresses, server names and, from those names, their functions. The organisation's DNS servers also reveal its mail (MX) and name server (NS) records. Various tools, such as host, nslookup and dig, interact with DNS servers to retrieve this information.
In the first query we connected to the local resolver and asked it to resolve a record for us; the server answered with the IP address of the target. To retrieve the mail server information we run nslookup interactively, switch the query type to MX and then enter the domain:
nslookup
set type=mx
facebook.com
The output shows a single mail server, msgin.vvv.facebook.com, with the preference value "10". This number is the MX preference: when several MX records exist, sending servers try the one with the lowest value first, so lower numbers are preferred.
We can also get the name server (NS) records of an organisation by switching the query type to NS:
nslookup
set type=ns
facebook.com
The output shows two DNS servers, a.ns.facebook.com and b.ns.facebook.com.
Gathering information through DNS can be divided into three main techniques:
- Forward lookup bruteforce
- Reverse lookup bruteforce
- Zone transfers
Forward lookup bruteforce
The main idea behind this technique is to guess valid server names belonging to the organisation. We can try this with the host command: querying a real name returns the server's IP address, whereas a guess that does not exist, e.g. donotexist.victim’saddress.com, is answered with "not found" (NXDOMAIN). Brute forcing simply repeats this for many candidate names.
To test many names we will write a script that automates the guessing, but first we need a file of likely server names, one per line, such as:
www
www1
www2
dns
dns1
firewall
cisco
proxy
ns1
ns2
ns3
ns4
pop3
smtp
checkpoint
……..
Save the file with a ".txt" extension.
Now we create a bash script that reads the file of candidate names and tries each one against the target domain. The script is:
#!/bin/bash
# filename.txt holds one candidate label per line;
# replace the placeholder domain with the target's domain
domain="victim.com"
while read -r name; do
    host "$name.$domain"
done < filename.txt
To run the script, make it executable with chmod 775 filename.sh and then execute it.
The output of every host query is printed, including "not found" errors and IPv6 and mail records, so the result is noisy. Let us add some code to the script to filter it.
#!/bin/bash
domain="victim.com"
while read -r name; do
    host "$name.$domain" | grep "has address"
done < filename.txt
With this change only the lines containing the phrase "has address", i.e. successful IPv4 lookups, are displayed.
To filter further and print only the IP addresses, we add one more stage to the pipeline:
#!/bin/bash
domain="victim.com"
while read -r name; do
    # "www.victim.com has address 1.2.3.4": the address is the fourth field
    host "$name.$domain" | grep "has address" | cut -d " " -f4
done < filename.txt
This version prints only the IP addresses of the server names that resolved.
From the resolved names we have collected two IP addresses, 173.252.133.23 and 69.171.239.12. To complete the information gathering we run whois on each address, which tells us the network range it belongs to and who it is allocated to; a newly discovered address such as 69.171.239.12 may reveal a second range owned by the organisation.
Whois for 173.252.133.23 (this provides the netrange and other useful information)
Whois for 69.171.239.12 (this provides the netrange and other useful information)
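The three scripts above are fine against a normal zone, but a domain with a wildcard record answers every guess, so the list of "found" hosts is worthless. The following added example (my own code, not from the original page) folds the same forward brute force into functions and adds that check: it resolves a random label that cannot exist, records the address it gets, and drops any hit that points at the same address. It assumes the target domain and the wordlist are passed as arguments; the hostnames and the 192.0.2.x addresses in the embedded sample are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the original page): forward-lookup brute force
# with a wildcard check. Assumptions: target domain is $1, wordlist with
# one label per line is $2; "victim.com" and 192.0.2.x are placeholders.

# Print the IPv4 addresses found in `host` output, one per line.
# Reads stdin so it can be exercised without network access.
extract_ips() {
    awk '/has address/ {print $NF}'
}

# Drop "name ip" lines whose ip appears in the space-separated list $1.
# Used to discard hits that are really the wildcard address.
filter_wildcard() {
    awk -v wild="$1" 'BEGIN {n = split(wild, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1}
                      !($NF in w)'
}

# Resolve a random label that cannot exist; any answer means the zone
# has a wildcard record and every guess would "succeed".
wildcard_ips() {
    host "nx$(date +%s)$$.$1" 2>/dev/null | extract_ips
}

forward_brute() {
    domain="$1"
    wordlist="$2"
    wild=$(wildcard_ips "$domain" | tr '\n' ' ')
    while read -r name; do
        [ -n "$name" ] || continue
        host "$name.$domain" 2>/dev/null | extract_ips |
            awk -v h="$name.$domain" '{print h, $0}'
    done < "$wordlist" | filter_wildcard "$wild"
}

# Constructed sample of `host` output, showing what extract_ips keeps:
# only the "has address" line survives; CNAME, AAAA and MX lines are dropped.
SAMPLE_HOST_OUTPUT='www.victim.com is an alias for edge.victim.com.
edge.victim.com has address 192.0.2.23
edge.victim.com has IPv6 address 2001:db8::23
victim.com mail is handled by 10 mail.victim.com.'

# Usage: ./forward.sh victim.com filename.txt
if [ "$#" -eq 2 ]; then
    forward_brute "$1" "$2"
fi
```

If wildcard_ips prints anything, treat every result with suspicion: a wildcard zone can still be brute forced, but only by comparing each answer against the wildcard address as filter_wildcard does.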
Reverse lookup bruteforce
This technique is the reverse of forward lookup bruteforce: here the victim's IP address range is known and we want the server names, and from them other information about the organisation. Using the host command with an IP address retrieves its PTR record.
The output shows the server name that corresponds to the queried address.
We can automate this with a script that checks every host in the net range and prints the names of the servers; the names themselves (mail, vpn, fw and so on) often reveal the services running on them. The following script can be used to automate the process.
Make the file executable with chmod 775 filename.sh and run it.
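As an added example (my own code, not the page's script), here is a reverse-lookup sweep of a /24. It queries each address from .1 to .254, parses the PTR answer out of the host output and skips addresses that have no PTR record. The first three octets are assumed to be passed as an argument; 192.0.2 and the hostnames in the embedded sample are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the original page): reverse-lookup sweep of a /24.
# Assumption: the first three octets are $1; 192.0.2 and the sample
# hostnames are placeholders.

# Print the PTR target from `host` output with the trailing dot removed.
# Lines for addresses without a PTR record ("... not found: 3(NXDOMAIN)")
# produce no output.
extract_ptr() {
    awk '/domain name pointer/ {sub(/\.$/, "", $NF); print $NF}'
}

# Query every address from .1 to .254 in the given /24.
reverse_sweep() {
    prefix="$1"
    i=1
    while [ "$i" -le 254 ]; do
        ip="$prefix.$i"
        # -W 2 gives up after two seconds on an unresponsive resolver
        for name in $(host -W 2 "$ip" 2>/dev/null | extract_ptr); do
            # Names such as mail-, vpn- or fw- hint at the service behind the address
            echo "$ip $name"
        done
        i=$((i + 1))
    done
}

# Constructed sample of `host` answers for three addresses; the middle
# one has no PTR record.
SAMPLE_PTR_OUTPUT='10.2.0.192.in-addr.arpa domain name pointer www.victim.com.
Host 11.2.0.192.in-addr.arpa not found: 3(NXDOMAIN)
25.2.0.192.in-addr.arpa domain name pointer mail.victim.com.'

# Usage: ./reverse.sh 192.0.2
if [ "$#" -eq 1 ]; then
    reverse_sweep "$1"
fi
```

Feed it the first three octets of each net range found by whois. A PTR name is set by whoever controls the reverse zone, so confirm interesting names with a forward lookup before relying on them.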
DNS Zone Transfers
A zone transfer, also known as an AXFR query after the DNS transaction type it uses, is the mechanism administrators rely on to replicate the DNS database from a primary server to its secondaries. Many times administrators fail to restrict it to the secondary servers, and anyone who asks is handed a copy of the entire zone. A successful zone transfer is not by itself a penetration, but it gives the tester a complete list of the organisation's hostnames and addresses without any guessing. We can attempt a zone transfer with tools such as host and dig.
First retrieve the name servers for the domain:
host -t ns victim’saddress.com
This lists the organisation's DNS server names.
Now that we have the name servers, we can try a zone transfer against one of them:
host -l victim’saddress.com dnsnameserver
(Our query failed, so this name server refuses transfers to outsiders. Before concluding that zone transfers are configured properly, repeat the request against every name server listed, since a secondary is often left less restricted than the primary.)
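The caveat above, as an added example (my own code, not from the original page): the function below asks for the NS set, requests an AXFR from each listed server individually with dig, and reports which ones answered. dig marks a refused transfer with the comment "; Transfer failed.", so the parser keeps only real resource records and ignores comment lines and the SOA records that bracket a successful transfer. victim.com and the records in the embedded sample are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the original page): try AXFR against every
# authoritative server. Assumption: the domain is $1; victim.com and the
# sample records are placeholders.

# Given dig AXFR output on stdin, print "owner type rdata" for each
# record, dropping comments (lines starting with ';') and the SOA that
# opens and closes a successful transfer. A refused transfer produces
# only the comment "; Transfer failed.", so nothing is printed.
axfr_records() {
    awk '/^;/ {next}
         NF >= 5 && $3 == "IN" && $4 != "SOA" {
             printf "%s %s", $1, $4
             for (i = 5; i <= NF; i++) printf " %s", $i
             print ""
         }'
}

# Ask each name server for the zone; returns 0 if any of them allowed it.
try_zone_transfer() {
    domain="$1"
    found=0
    for ns in $(dig +short NS "$domain"); do
        records=$(dig @"$ns" "$domain" AXFR 2>/dev/null | axfr_records)
        if [ -n "$records" ]; then
            echo "== $ns allowed AXFR for $domain"
            echo "$records"
            found=1
        else
            echo "== $ns refused AXFR for $domain"
        fi
    done
    return $((1 - found))
}

# Constructed sample of dig output for a permitted transfer...
SAMPLE_AXFR_OK='victim.com. 3600 IN SOA ns1.victim.com. hostmaster.victim.com. 1 3600 900 604800 86400
victim.com. 3600 IN NS ns1.victim.com.
www.victim.com. 3600 IN A 192.0.2.10
victim.com. 3600 IN SOA ns1.victim.com. hostmaster.victim.com. 1 3600 900 604800 86400
;; Query time: 3 msec'
# ...and for a refused one.
SAMPLE_AXFR_REFUSED='; Transfer failed.'

# Usage: ./axfr.sh victim.com
if [ "$#" -eq 1 ]; then
    try_zone_transfer "$1"
fi
```

The per-server loop is the point: a domain is only safe from zone transfers when every authoritative server refuses, not just the one that happened to answer the first query.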