For some additional review of what can be found in DNS, take a look at some of the DNS record types available, using one of these resources or your own:
- https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
- https://support.google.com/a/answer/48090?hl=en
Based on one of the above, or another resource you find, what DNS information do you feel would be most beneficial for your reconnaissance?
Dan Bilenker says
DNS reconnaissance is an important tool in the ethical hacker’s toolkit. Because many organizations choose not to monitor traffic on their DNS servers, one can gather a large amount of intelligence while going undetected, and without alerting IDS/IPS systems.
Starting with standard record enumeration and the “./dnsrecon.py -d <domain>” command, where domain = the domain (ex. temple.edu) of the organization you are attempting to view, we can gather A LOT of preliminary information. We may be able to see if the organization is using DNSSEC, the start of authority record (which contains administrative information), IP ranges, and mail server names. We may also be able to determine how the organization communicates, via VoIP or other network-based services.
This information can tell us a lot about the company, and gives us a variety of options regarding how we want to proceed in our penetration testing. It also identifies components of the network that may have known vulnerabilities.
If our DNS recon was successful, we may also be able to find zone transfer records, which can provide important clues about the topology of the network. Given the obvious vulnerability of zone transfer, it is not widely used anymore as a means of replicating DNS databases across DNS servers. However, the DNS recon command does have zone transfer options that can be used to execute a zone transfer.
These are:
./dnsrecon.py -d <domain> -a or
./dnsrecon.py -d <domain> -t axfr
If successful, we would be able to identify critical areas of a network topology.
I think as a starting point, standard record enumeration is a great source of information. It is relatively easy to execute, can be done incognito, and has the potential to provide a lot of information about the network configuration.
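Dan's point that enumeration and zone-transfer attempts usually go unnoticed is a monitoring gap rather than a protocol property: an authoritative server's query log records both. The following is an added example, not part of the original thread or of dnsrecon, that runs two detections over constructed lines written in the style of a BIND 9 query log: a zone transfer (AXFR/IXFR) request from any client other than the zone's configured secondary, and a single client asking about many distinct names, which is what the standard-enumeration and dictionary brute-force options above look like from the server side. The log lines, the IP addresses, the list of allowed secondaries and the threshold of 5 names are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a BIND 9 query log (not captured traffic).
# 192.0.2.54 is assumed to be the zone's legitimate secondary; the others are arbitrary resolvers.
SAMPLE_LOG = """\
client @0x7f3a1c0 198.51.100.7#40211 (example.edu): query: example.edu IN SOA -E(0) (192.0.2.53)
client @0x7f3a1c0 198.51.100.7#40212 (example.edu): query: example.edu IN AXFR -T (192.0.2.53)
client @0x7f3a1c1 192.0.2.54#51033 (example.edu): query: example.edu IN AXFR -T (192.0.2.53)
client @0x7f3a1c2 203.0.113.9#60010 (example.edu): query: example.edu IN AXFR -T (192.0.2.53)
client @0x7f3a1c0 198.51.100.7#40213 (www.example.edu): query: www.example.edu IN A -E(0) (192.0.2.53)
client @0x7f3a1c0 198.51.100.7#40214 (mail.example.edu): query: mail.example.edu IN A -E(0) (192.0.2.53)
client @0x7f3a1c0 198.51.100.7#40215 (vpn.example.edu): query: vpn.example.edu IN A -E(0) (192.0.2.53)
client @0x7f3a1c0 198.51.100.7#40216 (dev.example.edu): query: dev.example.edu IN A -E(0) (192.0.2.53)
client @0x7f3a1c0 198.51.100.7#40217 (staging.example.edu): query: staging.example.edu IN A -E(0) (192.0.2.53)
client @0x7f3a1c0 198.51.100.7#40218 (intranet.example.edu): query: intranet.example.edu IN A -E(0) (192.0.2.53)
client @0x7f3a1c2 203.0.113.9#60011 (example.edu): query: example.edu IN MX -E(0) (192.0.2.53)
client @0x7f3a1c3 192.0.2.200#33001 (www.example.edu): query: www.example.edu IN A -E(0) (192.0.2.53)
"""

# Assumed set of hosts that are allowed to pull the zone (should mirror the server's allow-transfer ACL).
ALLOWED_SECONDARIES = {"192.0.2.54"}

# client [@0x...] <ip>#<port> (<name>): query: <qname> IN <qtype> <flags> (<server ip>)
LOG_RE = re.compile(
    r"^client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F:.]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def parse_query_log(text):
    """Return one dict per parsable line: client IP, query name, query type."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "qname": m["qname"].lower(), "qtype": m["qtype"].upper()})
    return events


def detect_unauthorized_axfr(events, allowed):
    """Zone transfer requests (AXFR/IXFR) from anything other than a known secondary."""
    return [(e["ip"], e["qname"]) for e in events
            if e["qtype"] in ("AXFR", "IXFR") and e["ip"] not in allowed]


def detect_enumeration(events, threshold):
    """Clients that asked about at least `threshold` distinct names: the footprint of record brute forcing."""
    names = defaultdict(set)
    for e in events:
        names[e["ip"]].add(e["qname"])
    return {ip: len(s) for ip, s in names.items() if len(s) >= threshold}


if __name__ == "__main__":
    evs = parse_query_log(SAMPLE_LOG)
    for ip, zone in detect_unauthorized_axfr(evs, ALLOWED_SECONDARIES):
        print(f"ALERT zone transfer request for {zone} from non-secondary {ip}")
    for ip, n in detect_enumeration(evs, threshold=5).items():
        print(f"ALERT {ip} queried {n} distinct names (possible enumeration)")
```

In production the distinct-name count would be taken per client over a sliding time window rather than over a whole file, and the AXFR check is a detection layered on top of, not a substitute for, restricting transfers to the secondaries in the server's configuration.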
Vince Kelly says
Interesting, Dan. I never heard of that utility (but I’m really not a security person). I imagine it’s pretty popular?
Looking at the cmd line argument options below, it does seem to be pretty flexible – I’m going to try to fire it up on my Kali VM when I get a minute.
Question though – do you think that it’s that much more useful than dnsenum? i.e., are we talking about a *substantial* difference in capabilities between the two – on the order of, say, the Philadelphia Eagles lining up against the Little Sisters of the Poor, or the Birds lining up against the Vikings? ;);) – is dnsenum ‘enough’ to do the job, or is dnsrecon simply that much better in your opinion?
dnsrecon flags:
import argparse

# Option definitions as quoted from dnsrecon.py; the parser constructor below is added so the
# snippet runs on its own and is an assumption, not necessarily dnsrecon's exact description text.
parser = argparse.ArgumentParser(description="DNS enumeration script")
parser.add_argument("-d", "--domain", type=str, dest="domain", help="Target domain.")
parser.add_argument("-n", "--name_server", type=str, dest="ns_server", help="Domain server to use. If none is given, the SOA of the target will be used.")
parser.add_argument("-r", "--range", type=str, dest="range", help="IP range for reverse lookup brute force in formats (first-last) or in (range/bitmask).")
parser.add_argument("-D", "--dictionary", type=str, dest="dictionary", help="Dictionary file of subdomain and hostnames to use for brute force.")
parser.add_argument("-f", help="Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records.", action="store_true")
parser.add_argument("-t", "--type", type=str, dest="type", help="Type of enumeration to perform.")
parser.add_argument("-a", help="Perform AXFR with standard enumeration.", action="store_true")
parser.add_argument("-s", help="Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration.", action="store_true")
parser.add_argument("-g", help="Perform Google enumeration with standard enumeration.", action="store_true")
parser.add_argument("-b", help="Perform Bing enumeration with standard enumeration.", action="store_true")
parser.add_argument("-k", help="Perform crt.sh enumeration with standard enumeration.", action="store_true")
parser.add_argument("-w", help="Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration.", action="store_true")
parser.add_argument("-z", help="Performs a DNSSEC zone walk with standard enumeration.", action="store_true")
parser.add_argument("--threads", type=int, dest="threads", help="Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumeration.")
parser.add_argument("--lifetime", type=int, dest="lifetime", help="Time to wait for a server to respond to a query.")
parser.add_argument("--tcp", dest="tcp", help="Use TCP protocol to make queries.", action="store_true")
parser.add_argument("--db", type=str, dest="db", help="SQLite 3 file to save found records.")
parser.add_argument("-x", "--xml", type=str, dest="xml", help="XML file to save found records.")
parser.add_argument("-c", "--csv", type=str, dest="csv", help="Comma separated value file.")
parser.add_argument("-j", "--json", type=str, dest="json", help="JSON file.")
parser.add_argument("--iw", help="Continue brute forcing a domain even if wildcard records are discovered.", action="store_true")
parser.add_argument("-v", help="Enable verbose", action="store_true")
# Parse the command line; e.g. ./dnsrecon.py -d example.edu -t axfr sets arguments.domain and arguments.type
arguments = parser.parse_args()
Brandan Mackowsky says
Looking through the Google Support Resource, I feel that one of the most beneficial pieces of data for reconnaissance would be the Address/Host Records within the DNS server. By having access to the data that links the domain to a physical IP address that hosts the servers, the hacker would be able to obtain information about where the physical servers are located that host a particular domain. With this information, planned attacks can be used to alter the physical specs of these data hosts by corrupting or shutting down the machines to cause domain related errors or potentially disable any ability to write and store logs. This can cause an IDS to potentially miss an attack if the IDS is hosted on that particular server with the domain. An MX record can also be useful because attacks can be generated by rerouting the company emails to other domains where attackers can gain access to PII data, which can lead to many other potential issues. Ultimately, it is crucial to be aware of how DNS data is defined and where it is routed to in order to prevent attacks against the servers working with the DNS.
Vince Kelly says
Good post, Brandan. I think you’re right about the importance of getting the A records and getting a look at the MX records. I’d also think that an attacker would want to get a look at the SRV records during the reconnaissance phase as well, right? The SRV records might tell them what services are running – possibly uncovering any ‘hidden’ addresses/services.
Duy Nguyen says
DNS recon is part of the information gathering phase of penetration testing. With the DNS records, the tester can gain a better understanding of the organization’s network infrastructure without alerting IDS/IPS and better their penetration scope/strategy. I think the most beneficial part of the DNS recon is, if possible, DNS zone transfers or DNS queries. A zone transfer comprises a preamble followed by the actual data transfer. Some information that could be gathered from an exposed DNS transfer is names of servers, hostnames, CNAME records, zone serial numbers, etc.
Vince Kelly says
Duy,
Agreed. To your point (but a bit off the DNS topic here ;) about ‘quietly’ probing the target – I thought the anonymous Google hack, where you can use the Google cache link to anonymously make it look like a conversation came from Google rather than your own IP address, was pretty cool, don’t you think?
Vince Kelly says
I’d agree with the previous posts – the A records and PTR would be useful sources of information, but in addition, I’d think that obtaining/getting a look at any SRV records would help to identify what services were actually running within the zone and what servers were actually running those services. For example, it might be useful to find out if any SIP services are running within the domain and which servers were running them.
In addition, mail exchange (MX) records might be useful in understanding the identity of the servers that are responsible for servicing email for the entire domain. If SMTP is being used as the mail protocol then this information might be used perhaps to attempt to do some spoofing/email interception.
I’d also think that getting the administrator information about the domain (as part of the SOA record) might be useful – especially any information it might show regarding zone transfers.
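The posts above single out the same handful of record types (A/PTR, MX, SRV, the SOA administrator contact, and the zone serial from a transfer) as what reconnaissance pulls out of DNS. The block below is an added example, not part of the original thread or of dnsrecon, that reads a zone in BIND master-file format, the shape an AXFR dump takes, and produces the triage a defender would run on their own zone before an outsider does: the mailbox hidden in the SOA RNAME, the name servers, the mail exchangers, every SRV-advertised service with its port and target, and the address records. The zone text, names and addresses are constructed for the example; the parser handles $ORIGIN, $TTL, omitted owner names, optional TTL/class fields and comments, but not parenthesised multi-line records or escaped dots in the RNAME.

```python
from dataclasses import dataclass

# Constructed zone in BIND master-file format, as an AXFR dump would print it
# (not a real organization's data).
SAMPLE_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@           IN SOA ns1 hostmaster 2024010101 7200 900 1209600 300
            IN NS  ns1
            IN NS  ns2
            IN MX  10 mail
            IN MX  20 mail-backup
ns1         IN A   192.0.2.1
ns2         IN A   192.0.2.2
mail        IN A   192.0.2.25
mail-backup IN A   192.0.2.26
www         IN A   192.0.2.80
vpn         IN A   192.0.2.100    ; remote-access gateway
sip         IN A   192.0.2.60
_sip._tcp   IN SRV 10 60 5060 sip
_sips._tcp  300 IN SRV 10 60 5061 sip
"""


@dataclass
class Record:
    name: str    # fully qualified owner name
    ttl: int
    rtype: str
    rdata: list  # remaining fields, with domain names qualified against $ORIGIN


# rdata positions that hold domain names and need the origin appended when written relative
NAME_FIELDS = {"NS": [-1], "MX": [-1], "CNAME": [-1], "PTR": [-1], "SRV": [-1], "SOA": [0, 1]}


def qualify(name, origin):
    """Turn '@' or a relative label into an absolute name under the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse master-file text into Record objects (single-line records only)."""
    origin = default_ttl = owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        # a line starting with whitespace has no owner field and reuses the previous one
        owner = owner if line[0] in " \t" else fields.pop(0)
        ttl = default_ttl
        if fields[0].isdigit():                   # optional explicit TTL
            ttl = int(fields.pop(0))
        if fields[0].upper() == "IN":             # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        for idx in NAME_FIELDS.get(rtype, []):
            fields[idx] = qualify(fields[idx], origin)
        records.append(Record(qualify(owner, origin), ttl, rtype, fields))
    return records


def triage(records):
    """Summarize what an exposed zone hands to a reconnaissance tool."""
    report = {"admin_contact": None, "name_servers": [], "mail_hosts": [], "services": [], "hosts": {}}
    for r in records:
        if r.rtype == "SOA":
            # RNAME is a mailbox whose first '.' stands for '@' (escaped dots not handled here)
            report["admin_contact"] = r.rdata[1].rstrip(".").replace(".", "@", 1)
        elif r.rtype == "NS":
            report["name_servers"].append(r.rdata[-1])
        elif r.rtype == "MX":
            report["mail_hosts"].append(r.rdata[-1])
        elif r.rtype == "SRV":
            # owner is _service._proto.<zone>; rdata is priority weight port target
            service, proto = r.name.split(".")[:2]
            report["services"].append((service.lstrip("_"), proto.lstrip("_"), int(r.rdata[2]), r.rdata[3]))
        elif r.rtype in ("A", "AAAA"):
            report["hosts"][r.name] = r.rdata[0]
    report["name_servers"].sort()
    report["mail_hosts"].sort()
    return report


if __name__ == "__main__":
    for key, value in triage(parse_zone(SAMPLE_ZONE)).items():
        print(f"{key}: {value}")
```

Reading the report from the defender's side, each entry is a decision: whether the SOA contact should be a role mailbox, whether the SRV records advertise a service (here SIP on 5060/5061) that was never meant to be discoverable, and whether hosts like vpn or internal names belong in the public zone at all.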