DNS ENUMERATION AND ZONE TRANSFER WITH NSLOOKUP, HOST, DNSRECON, DNSENUM, FIERCE AND NSE
- Layout for this exercise:
1 - Introduction
- DNS servers are some of the best sources for gathering information about a domain or an organization.
- DNS servers contain DNS and mail information for the domain with authority over what is provided when public requests are made from the Internet.
- Due to the abundant and interesting information contained in the DNS servers DNS Enumeration is one of the most critical steps while gathering information about a target.
- DNS Zone Transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction.
- DNS Zone Transfer is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
- A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.
- The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server.
- The portion of the database containing the list of all DNS names is the zone file.
- The data contained in a DNS zone may be sensitive from an operational security aspect.
- This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.
https://en.wikipedia.org/wiki/DNS_zone_transfer
2 - nslookup
- nslookup is a popular tool that queries name and email servers in the Internet given the domain:
- Applying the NS query option for name servers:
- Applying the MX query option for mail servers:
- Applying the ANY query option for both name and mail servers:
3 - host
- host is a Linux command that performs powerful DNS lookups given a domain name:
- Without any other parameter host provides help:
- Looking for name servers (-t type ns):
- Looking for email servers (-t type mx):
- Looking for web servers :(-t type www):
4 - DNS Zone Transfer with host
- Now, let's use host for a little more complicated task like a DNS Zone Transfer.
- First, let's try with the previously enumerated ns1 name server. The zone transfer fails:
- However, the zone transfer with ns2 is successful:
- Finally the zone transfer with ns3 also fails:
- The result of the successful DNS Zone Transfer with ns2 is a full dump of the zone file for the whole domain, providing us a list of IPs and their corresponding DNS names.
- Let's try entering into a browser some of the IPs obtained from the DNS Zone Transfer:
5 - dnsrecon
- dnsrecon is an automated tool consisting of a Python script that can be user for DNS enumeration.
https://tools.kali.org/information-gathering/dnsrecon
- Let's see that information provided by dnsrecon is the same as obtained before.
- First, dnsrecon detects the DNS servers ns1, ns2 and ns3:
- Then, dnsrecon tries a successful DNS zone transfer with ns2:
- Also, dnsrecon tries a DNS zone transfer with ns1 and ns3 with no result:
6 - dnsenum
- dnsenum is a multithreaded Perl script to enumerate DNS information of a domain.
https://tools.kali.org/information-gathering/dnsenum
- The output obtained with dnsenum is the same as before:
7 - fierce
- fierce is a Perl base script to perform DNS enumeration. Results obtained with fierce are pretty similar to previous ones:
8 - Nmap Scripting Engine (NSE)
- Nmap Scripting Engine (NSE) is an addition to Nmap which provides users with scripts to automate several tasks:
https://nmap.org/book/nse.html
- The NSE dns-zone-transfer script provides same output than before:
- A little more limited result, because it finds just a list of common subdomains, is achieved with the NSE dns-brute.nse script:
9 - whois
- whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
- Looking for the domain megacorpone.com:
