# DNS {% hint style="success" %} Hack Responsibly. Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here. {% endhint %} ## Hosts File Description here {% tabs %} {% tab title="Linux" %} `/etc/hosts` ``` example here ``` {% endtab %} {% tab title="Windows" %} `C:\Windows\System32\drivers\etc\hosts` ``` example here ``` {% endtab %} {% endtabs %} ## DNS Enumeration DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functionality. ### zonetransfer.me zonetransfer.me () A public training site for testing and learning about DNS. Uses the following two name servers: * nsztm1.digi.ninja * nsztm2.digi.ninja You can test everything from simple `dig` queries to DNS zone transfers. ### Interacting with a DNS Server ``` host -t ns zonetransfer.me # -t : type , ns: dns host -t mx zonetransfer.me # mx : mail server ``` * Also you can use `nslookup` ``` nslookup zonetransfer.me ``` * `dig` also can be used ``` dig zonetransfer.me ``` ### Automating lookups we have some initial data from the zonetransfer.me domain, we can continue to use additional DNS queries to discover more host names and IP addresses belonging to megacorpone.com. ``` host zonetransfer.me # we will found that it has an IP host idontexist.zonetransfer.me # this is not found ``` ### Forward Lookup Brute Force Taking the previous concept a step further, we can automate the Forward DNS Lookup of common host names using the host command and a Bash script. ``` echo www > list.txt echo ftp >> list.txt echo mail >> list.txt echo owa >> list.txt echo proxy >> list.txt echo router >> list.txt echo api >> list.txt for ip in $(cat list.txt);do host $ip.$domain;done ``` ### Reverse Lookup Brute Force If the DNS administrator of megacorpone.com configured PTR records for the domain, we might find out some more domain names that were missed during the forward lookup brute-force phase. ``` for ip in $(seq 155 190);do host 50.7.67.$ip;done | grep -v "not found" # grep -v :: --invert-match ``` ### **DNS Zone Transfers** * A zone transfer is similar to a database replication act between related DNS servers. * This process includes the copying of the zone file from a master DNS server to a slave server. * The zone file contains a list of all the DNS names configured for that zone. Zone transfers should usually be limited to authorized slave DNS servers. ``` host -l megacorpone.com ns1.megacorpone.com # ns1 refused us our zone transfer request # -l :: list all hosts in a domain host -l megacorpone.com ns2.megacorpone.com # The result is a full dump of the zone file for the megacorpone.com domain, # providing us a convenient list of IPs and DNS names for the megacorpone.com domain. ``` ``` host -t axfr zonetransfer.me nsztm1.digi.ninja ``` ``` dig axfr nsztm1.digi.ninja zonetransfer.me ``` * Now Lets automate the process: * To get the name servers for a given domain in a clean format, we can issue the following command. ``` host -t ns zonetransfer.me | cut -d " " -f 4 # -d :: --delimiter=DELIM ; # -f :: --fields=LIST select only these fields on each line; ``` * Taking this a step further, we could write the following simple Bash script to automate the procedure of discovering and attempting a zone transfer on each DNS server found. ``` # /bin/bash # Simple Zone Transfer Bash Script # $1 is the first argument given after the bash script # Check if argument was given, if not, print usage if [-z "$1" ]; then echo "[-] Simple Zone transfer script" echo "[-] Usage : $0 $domain_name " exit 0 fi # if argument was given, identify the DNS servers for the domain for server in $(host ­-t ns $1 | cut ­-d" " ­-f4);do # For each of these servers, attempt a zone transfer host -l $1 $server | grep "has address" done ``` Running this script on zonetransfer.me should automatically identify both name servers and attempt a zone transfer on each of them ``` > chmod 755 dns-­-axfr.sh > ./dns-­-axfr.sh zonetransfer.me ``` ## Tools ### **DNSRecon** ``` dnsrecon -d zonetransfer.me -t axfr # -d :: domain # -t :: type of Enumeration to perform # axfr :: test all ns servers for zone transfer ``` ### **DNSEnum** ``` dnsenum zonetransfer.me ``` ### **fierce** {% hint style="info" %} **NOTE:** the one included in Kali is outdated and may not work, so try using the new version from [fierce](https://github.com/mschwager/fierce) {% endhint %} ``` pip3 install fierce fierce --domain zonetransfer.me # To scan a domain and output to a file fierce -dns -file # To scan a domain and specify which dnsserver to use fierce -dns -dnsserver # To scan an internal ip range for a given server fierce -range -dnsserver # To scan a domain using a given wordlist fierce -dns -wordlist # To scan a domain using a specified timeout and number of ip addresses to branch from all found addresses fierce -dns -tcptimeout <# seconds> -traverse <# addresses> # To scan domains from a list and search the entire class C for each found fierce -dnsfile -wide ``` ### DIG ```bash dig zonetransfer.me + short dig zonetransfer.me MX dig zonetransfer.me NS dig zonetransfer.me SOA dig zonetransfer.me ANY +noall +answer dig -x zonetransfer.me dig zonetransfer.me mx +noall +answer zonetransfer.me ns +noall +answer # DNS Zone Transfer dig -t AXFR zonetransfer.me dig axfr @10.11.1.111 zonetransfer.me # For Ipv4 dig -4 zonetransfer.me # For IPv6 dig -6 zonetransfer.me #To just get the ip address dig [domain] +nocomments +noauthority +noadditional +nostats OR dig [domain] +noall +answer OR dig [domain] +short #To use a specific query type dig -t [query type] [domain] [options] OR dig [domain] [query type] [options] #To view ALL DNS record types use query ANY dig -t ANY [domain] [options] OR dig [domain] ANY [options] #To do a DNS reverse look up dig -x [ip address] +short #To use a specific DNS server dig @[specific DNS] [domain] #To do a bulk DNS query (where file.txt has all the domains, one to a line) dig [domain1] [options] [domain2] [options] OR dig -f file.txt [options] ``` ### DNSEnum ```bash # dnsenum dnsenum 10.11.1.111 ``` ### DNS reverse lookup #### Using powershell ``` $ComputerIPAddress = "10.10.10.10" ``` #### Using dnsrecon: ``` dnsrecon -r $ip/$subnet -n $ip_to_check ``` ## Misc DNS zone transfer: `dig axfr @` or `host -l ` add DNS server - Linux: `/etc/resolv.conf {nameserver }` Network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques: * NMAP DNS Hostnames Lookup ``` nmap -F --dns-server ``` * Host Lookup ``` host -t ns zonetransfer.me ``` * Reverse Lookup Brute Force - find domains in the same range ``` for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found" ``` * Perform DNS IP Lookup ``` dig a domain-name-here.com @nameserver ``` * Perform MX Record Lookup ``` dig mx domain-name-here.com @nameserver ``` * Perform Zone Transfer with DIG ``` dig axfr domain-name-here.com @nameserver ``` ### DNS Zone Transfers * Windows DNS zone transfer ``` nslookup -> set type=any -> ls -d zonetransfer.me ``` * Linux DNS zone transfer ``` dig axfr zonetransfer.me @ns1.zonetransfer.me ``` * Dnsrecon DNS Brute Force ``` dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml ``` * Dnsrecon DNS List of megacorp ``` dnsrecon -d zonetransfer.me -t axfr ``` * DNSEnum ``` dnsenum zonetransfer.me ``` If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!