DNS Pentest

DNS enumeration, subdomain recon and attacks

Enumeration

Finding addresses with host command

The host command is a simple DNS lookup utility. It is normally used to convert hostnames to IP addresses and vice versa.

When no arguments or options are given, host prints a short summary of its command-line arguments and options.

host google.com
google.com has address 142.250.183.14
google.com has IPv6 address 2404:6800:4009:820::200e
google.com mail is handled by 10 smtp.google.com.

Using whois

WHOIS is a request and response protocol that follows the RFC 3912 specification. A WHOIS server listens on TCP port 43 for incoming requests.

The domain registrar is responsible for maintaining the WHOIS records for the domain names it is leasing. whois will query the WHOIS server to provide all saved records.

whois thmredteam.com

After a whois lookup, we might get lucky and find names, email addresses, postal addresses, and phone numbers, in addition to other technical information.

At the end of the whois query, we find the authoritative name servers for the domain in question.

Using dig command

The dig command (domain information groper) can be used to dig into the DNS records.

dig ns <target domain>
dig ns www.certifiedhacker.com

; <<>> DiG 9.18.16-1-Debian <<>> ns www.certifiedhacker.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19647
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 79bb2c67ba09f69ba08ea6416502fe8585264cfd9d1755ad (good)
;; QUESTION SECTION:
;www.certifiedhacker.com.       IN      NS

;; ANSWER SECTION:
www.certifiedhacker.com. 157    IN      CNAME   certifiedhacker.com.
certifiedhacker.com.    72157   IN      NS      ns1.bluehost.com.
certifiedhacker.com.    72157   IN      NS      ns2.bluehost.com.

;; ADDITIONAL SECTION:
ns2.bluehost.com.       79547   IN      A       162.159.25.175
ns1.bluehost.com.       79547   IN      A       162.159.24.80

;; Query time: 47 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Thu Sep 14 18:11:08 IST 2023
;; MSG SIZE  rcvd: 171

DNS Enumeration with Zone Transfer Records

Using zone transfer, an attacker attempts to retrieve a copy of the entire zone file for a domain from the DNS server.

dig @<domain of name server> <target domain> axfr

Using the name servers listed in the ANSWER section above, we can attempt a zone transfer against each of them.

dig @ns1.bluehost.com. www.certifiedhacker.com axfr

; <<>> DiG 9.18.16-1-Debian <<>> @ns1.bluehost.com. www.certifiedhacker.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.

DNS Cache snooping with dig

DNS cache snooping is a DNS enumeration technique whereby an attacker queries a DNS server for a specific record to learn whether it is already held in the server's cache.

  • Non-recursive: Attackers send a non-recursive query by setting the Recursion Desired (RD) bit in the query header to zero; a cached record is still returned, while an uncached one is not resolved.

dig @<IP of DNS server> <Target domain> A +norecurse

  • Recursive: Attackers send a recursive query and use the TTL in the answer to determine how long the DNS record has resided in the cache.

dig @<IP of DNS server> <Target domain> A +recurse
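The RD=0 probe behind dig +norecurse, built by hand in Python as an added example (not part of the original notes) so a resolver operator can verify whether their own server hands cached answers to non-recursive queries. The reply bytes at the bottom are constructed for an offline check; send_probe() performs the real UDP exchange against a server you name.

```python
import socket
import struct

RD = 0x0100  # Recursion Desired bit of the 16-bit DNS flags field

def build_query(name, qtype=1, recurse=False, txid=0x1234):
    """Encode a single-question DNS query; RD is set only when recurse=True."""
    flags = RD if recurse else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_reply(msg):
    """Extract rcode, the RA flag and the TTL of the first answer record."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip qtype + qclass
    ttl = None
    if an:
        off = _skip_name(msg, off)
        _, _, ttl, _ = struct.unpack("!HHIH", msg[off:off + 10])
    # With RD clear the server should not recurse, so any answer came from its cache
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80),
            "answers": an, "ttl": ttl, "cached": an > 0 and (flags & 0xF) == 0}

def send_probe(server, name, timeout=3.0):
    """Send the RD=0 probe to server:53 over UDP and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_reply(data)

# Constructed reply for the offline check: id 0x1234, flags QR+RA (RD clear),
# the echoed question, then one A record (TEST-NET address) with TTL 300.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
                + build_query("example.com")[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes([203, 0, 113, 10]))
```

Comparing the TTL in a cached reply with the record's authoritative TTL gives the age of the cache entry, which is the signal the recursive variant above relies on.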

Finding CNAME records

dig www.certifiedhacker.com CNAME

; <<>> DiG 9.18.16-1-Debian <<>> www.certifiedhacker.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.certifiedhacker.com.       IN      CNAME

;; ANSWER SECTION:
www.certifiedhacker.com. 14400  IN      CNAME   certifiedhacker.com.

;; Query time: 243 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Thu Sep 14 20:34:53 IST 2023
;; MSG SIZE  rcvd: 66

Finding TXT and SPF records

dig +short TXT example.com

"v=spf1 -all"
"wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn"
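An SPF record checker, added here as an example (not part of the original notes), that parses a TXT record like the ones returned by dig above and reports how strong its policy is: "-all" hard-fails unknown senders, whereas the "?all" seen later on this page in the certifiedhacker.com record lets any host send mail as the domain. Both records are evaluated offline from literals; the lookup-count and ptr findings follow RFC 7208.

```python
import re

QUALIFIER_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 limits these to 10)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(.*)", re.I)

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) mechanisms and modifiers."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                       # modifier, e.g. redirect= or exp=
            key, _, value = term.partition("=")
            modifiers[key.lower()] = value
            continue
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError("malformed term: %r" % term)
        mechanisms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return {"mechanisms": mechanisms, "modifiers": modifiers}

def assess_spf(record):
    """Return the effective policy for unlisted senders plus findings worth fixing."""
    parsed = parse_spf(record)
    names = [name for _, name, _ in parsed["mechanisms"]]
    all_quals = [q for q, name, _ in parsed["mechanisms"] if name == "all"]
    findings = []
    if all_quals:
        policy = QUALIFIER_MEANING[all_quals[0]]   # first match wins (RFC 7208 4.6.2)
    elif "redirect" in parsed["modifiers"]:
        policy = "redirect:" + parsed["modifiers"]["redirect"]
    else:
        policy = "neutral"                         # no mechanism matched => neutral
        findings.append("no 'all' mechanism, record ends in implicit neutral")
    if policy in ("neutral", "pass"):
        findings.append("'all' qualifier lets any host send as this domain")
    if "ptr" in names:
        findings.append("'ptr' mechanism is deprecated (RFC 7208 section 5.5)")
    lookups = sum(1 for n in names if n in LOOKUP_TERMS) \
        + ("redirect" in parsed["modifiers"])
    if lookups > 10:
        findings.append("over 10 DNS-lookup terms: receivers return permerror")
    return {"policy": policy, "lookups": lookups, "findings": findings}

# Records taken from this page: the example.com TXT above and certifiedhacker.com's SPF
STRICT_RECORD = '"v=spf1 -all"'
WEAK_RECORD = "v=spf1 a mx ptr include:bluehost.com ?all"
```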

More dig commands

dig ANY @<DNS_IP> <DOMAIN>     #Any information
dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN>     #Information
dig MX @<DNS_IP> <DOMAIN>      #Emails related
dig NS @<DNS_IP> <DOMAIN>      #DNS that resolves that name
dig -x 192.168.0.2 @<DNS_IP>   #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup

#Use [-p PORT] to query a non-standard port, or -6 to use the IPv6 address of the DNS server

Using nslookup command

Finding SOA

We can find the SOA record of a domain using nslookup. Consider google.com as an example:

nslookup -type=soa google.com

We get a response specifying the primary name server and associated information:

Non-authoritative answer:
google.com
	origin = ns1.google.com
	mail addr = dns-admin.google.com
	serial = 526409246
	refresh = 900
	retry = 900
	expire = 1800
	minimum = 60

Basic enumeration with authoritative answers (finding the IPs a domain resolves to)

An authoritative answer is a response we get directly from the primary DNS server holding the master copy of the zone file. To obtain an authoritative answer for google.com, we first need the address of its primary name server, ns1.google.com, so we resolve that with a new nslookup query.

nslookup ns1.google.com

Upon executing the command, we’ll get the following response, which gives us the addresses of the authoritative server for the specified domain.

Non-authoritative answer:
Name:	ns1.google.com
Address: 216.239.32.10
Name:	ns1.google.com
Address: 2001:4860:4802:32::a

Reverse DNS lookup

You can also do the reverse DNS look-up by providing the IP Address as an argument to nslookup.

$ nslookup 209.132.183.181
Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
181.183.132.209.in-addr.arpa    name = origin-www2.redhat.com

DNS Zone Transfer with nslookup

nslookup
> server 169.16.207.20
> set type=any
> ls -d Yourorg.com

Using fierce for Zone transfer

fierce will try to perform a zone transfer against every authoritative name server and, if this doesn't work, will launch a dictionary attack.

fierce --domain <DOMAIN> --dns-servers <DNS_IP>

Using DNS recon

To attempt a zone transfer:

dnsrecon -t axfr -d <target domain>
dnsrecon -a -d tesla.com

Reverse DNS Brute Force

dnsrecon -r 127.0.0.0/24 -n <IP_DNS>  #Reverse lookup of every address in the range
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>  #Reverse lookup of every address in the range
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>   #Reverse lookup of the DNS server's own /24

DNSSEC Zone Walking

Domain Name System Security Extensions (DNSSEC) zone walking is a DNS enumeration technique in which an attacker attempts to obtain internal records if the DNS zone is not properly configured (NSEC chains let anyone walk from one name to the next). The enumerated zone information can assist the attacker in building a host network map.

dnsrecon -d <target domain> -z

An example is as follows:

dnsrecon -d www.certifiedhacker.com -z
[*] std: Performing General Enumeration against: www.certifiedhacker.com...
[-] DNSSEC is not configured for www.certifiedhacker.com
[*]      SOA ns1.bluehost.com 162.159.24.80
[*]      NS ns2.bluehost.com 162.159.25.175
[*]      Bind Version for 162.159.25.175 "2023.9.0"
[*]      NS ns1.bluehost.com 162.159.24.80
[*]      Bind Version for 162.159.24.80 "2023.9.0"
[*]      MX mail.certifiedhacker.com 162.241.216.11
[*]      CNAME www.certifiedhacker.com certifiedhacker.com
[*]      A certifiedhacker.com 162.241.216.11
[*]      TXT www.certifiedhacker.com v=spf1 a mx ptr include:bluehost.com ?all
[*] Enumerating SRV Records
[-] No SRV Records Found for www.certifiedhacker.com
[*] Performing NSEC Zone Walk for www.certifiedhacker.com
[*] Getting SOA record for www.certifiedhacker.com
[*] Name Server 162.159.24.80 will be used
[*]      CNAME www.certifiedhacker.com certifiedhacker.com
[*]      A certifiedhacker.com 162.241.216.11
[+] 2 records found

Using nmap

Basic Service Discovery with DNS details

nmap --script=broadcast-dns-service-discovery <Target Domain>

Brute-force the subdomains associated with the target host

nmap -T4 -p 53 --script dns-brute <Target Domain>

Check whether DNS recursion is enabled on the target server

nmap -Pn -sU -p 53 --script=dns-recursion 192.168.1.150

DNS Security Extensions (DNSSEC) Enumeration Using Nmap

Enumerate DNSSEC using dns-nsec-enum.nse or dns-nsec3-enum.nse NSE scripts to obtain information related to domains and their subdomains.

nmap -sU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=eccouncil.org <target>

Passive Subdomain Enumeration

Exploitation

DNS Exfiltration

DNS Infiltration

DNS tunnelling

DNS Spoofing

DNS spoofing, or DNS cache poisoning, involves using altered DNS records to redirect online traffic to a fraudulent site that impersonates the intended destination. Once users reach the fraudulent destination, they are prompted to log in to their account.

Subdomain takeovers

What is a Subdomain takeover?

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.

This can happen because either a virtual host hasn't been published yet or a virtual host has been removed.

An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.

How do they happen?

If the process of provisioning or deprovisioning (removing) a virtual host is not handled properly, there can be an opportunity for an attacker to take over a subdomain.
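A dangling-CNAME audit, added here as an example (not part of the original notes), that walks each subdomain's CNAME chain and flags targets that no longer exist, which is the deprovisioning failure described above. The resolver is injected so the logic runs offline against a constructed zone table; for a live audit of your own zone, replace sample_resolver with a function that performs the lookup and returns None on NXDOMAIN.

```python
from typing import Callable, Optional

# Constructed lookup table standing in for DNS: name -> (rtype, value), None for NXDOMAIN
SAMPLE_DNS = {
    "www.example.com.": ("CNAME", "example.com."),
    "example.com.": ("A", "203.0.113.10"),
    "shop.example.com.": ("CNAME", "retired-shop.storage.example.net."),
    "retired-shop.storage.example.net.": None,     # target was deprovisioned
    "blog.example.com.": ("CNAME", "hosted.blog.example.net."),
    "hosted.blog.example.net.": ("CNAME", "edge.example.net."),
    "edge.example.net.": ("A", "198.51.100.7"),
}

Resolver = Callable[[str], Optional[tuple]]

def sample_resolver(name: str) -> Optional[tuple]:
    """Look the name up in SAMPLE_DNS; None models an NXDOMAIN reply."""
    return SAMPLE_DNS.get(name)

def audit_cname(name: str, resolve: Resolver, max_depth: int = 8) -> dict:
    """Follow CNAMEs from name and report the chain plus whether its end resolves."""
    chain, seen = [name], {name}
    for _ in range(max_depth):
        rec = resolve(chain[-1])
        if rec is None:
            # A CNAME whose target does not exist is the dangling record an attacker
            # could claim by registering that target; a bare NXDOMAIN is just a gap.
            status = "dangling" if len(chain) > 1 else "nxdomain"
            return {"chain": chain, "status": status}
        rtype, value = rec
        if rtype != "CNAME":
            return {"chain": chain, "status": "ok"}
        if value in seen:
            return {"chain": chain + [value], "status": "loop"}
        seen.add(value)
        chain.append(value)
    return {"chain": chain, "status": "too-deep"}

def dangling_subdomains(names, resolve: Resolver) -> list:
    """Names whose CNAME chain ends at a non-existent target."""
    return [n for n in names if audit_cname(n, resolve)["status"] == "dangling"]
```

A target that exists but serves a provider's "unclaimed resource" page is the other takeover precondition; that case needs a content check on top of this DNS-level one.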
