4.7 DNS Enumeration

Estimated read time: 1:20


Summary

The video on DNS Enumeration by GNK Projects walks through the methods and tools available for gathering information about DNS records and servers. It shows how querying DNS records such as A (IPv4), AAAA (IPv6), MX and PTR records reveals which hosts exist and what role they play. The video also covers zone transfers and the security risk posed by servers that allow them to anyone, and demonstrates command-line tools such as dig, nslookup and dnsrecon, along with online resources for DNS enumeration.

Highlights

• DNS enumeration queries DNS records to discover networked devices and their functions.
• Misconfigured DNS servers may allow unauthorized zone transfers, handing the whole zone "to anyone who asks".
• Command-line tools such as dig and nslookup, along with scripts and online resources, simplify DNS enumeration tasks.

Key Takeaways

• DNS enumeration is a powerful way to discover computers and their roles by querying DNS records such as A, MX and PTR.
• Zone transfers can expose an entire DNS database if a server is misconfigured, an oversight on the administrator's part.
• A range of DNS tools, including dig, nslookup and online platforms, support the enumeration process.

Overview

DNS enumeration is like detective work for the internet. In this video, viewers learn how DNS records can be queried to reveal not just basic information such as IP addresses but also the functions of the systems in a network. By asking for specific record types such as A, MX or PTR, one can uncover details about domains and subdomains and gain insight into the structure of a network.

A significant aspect of DNS enumeration is the zone transfer, a process that can expose an entire DNS database if left unguarded. The video highlights misconfigurations that let a DNS server answer unauthorized zone transfer (AXFR) requests, a major security loophole, and serves as a reminder that proper DNS server configuration is what prevents this kind of data leak.

The video is also a handy guide to the tools available for DNS enumeration, such as dig and nslookup. It covers both command-line tools and online resources and explains how they work. The demonstrations make clear that, with the right knowledge and technique, anyone can dig into DNS data, though it must be done ethically and legally.

Chapters

• 00:00 - 00:30: Introduction and Overview of DNS. This chapter introduces DNS and its record types and emphasizes the role of DNS in discovering computers and understanding their functions. DNS servers can be queried for records, such as IPv4 address (A) records or IPv6 address (AAAA, "quad A") records. It also highlights the role of name server (NS) records, which identify the DNS servers themselves.
• 00:30 - 02:00: Types of DNS Records. This chapter covers the record types that matter for domain management: MX records, which identify the email servers for a domain; CNAMEs (canonical names), which act as aliases for other DNS names for human convenience; and PTR (pointer) records, which support reverse DNS lookups by mapping an IP address back to a name. Each record type serves a distinct purpose in how names are translated and identified on the internet.
• 02:00 - 03:30: Zone Transfers and Their Vulnerabilities. This chapter explains DNS zone transfers, which are used to replicate DNS databases across multiple servers, and why they are a security risk when exposed to unauthorized users: an attacker who can send an AXFR request obtains the entire zone without having to query for individual records.
• 03:30 - 05:00: DNS Enumeration Tools. This chapter continues on the inherent risk of AXFR (zone transfer) requests. Some DNS servers, often through misconfiguration or administrator oversight, allow zone transfers without any authentication, which lets an attacker obtain the full zone data with a single request. The importance of securing DNS servers against unauthorized transfers is emphasized.
• 05:00 - 09:00: NS Lookup Tool. This chapter surveys tools and methods for DNS enumeration. It covers the manual method of requesting each record type in turn and names several tools: dig and fierce for Linux, nslookup (the Microsoft tool), host, Python and Perl scripts, Metasploit modules, nmap scripts and online DNS enumeration services.
• 09:00 - 12:00: DIG Tool. This chapter discusses online resources, such as NS list and IP list, that cross-reference domain names, host names and IP addresses, and shows how they reveal relationships between different web entities.
• 12:00 - 15:00: Conclusion. The conclusion summarizes the technical detail seen in the dnsrecon output: the start of authority, the various DNS server roles, and the email server records, including A records, AAAA records and the TXT record carrying the Sender Policy Framework (SPF) policy. It also touches on SRV records used by Active Directory, noting that these should not normally be reachable from a public network.
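The chapters above describe the risk that a misconfigured authoritative server hands its whole zone to anyone who sends an AXFR. The following is an added example, not from the video or from GNK Projects: a small detector run over constructed BIND-style query-log lines that flags zone-transfer (AXFR/IXFR) requests from hosts that are not the zone's known secondaries, and ANY queries of the kind used for bulk enumeration. The log format, the addresses and the allowed-secondary list are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed BIND-style query-log lines (not from the page); the "@0x..."
# client handle that newer BIND versions print is treated as optional.
SAMPLE_LOG = """\
client 192.0.2.53#48211 (example.com): query: example.com IN AXFR -T (192.0.2.10)
client 203.0.113.7#51502 (example.com): query: example.com IN AXFR -T (192.0.2.10)
client 198.51.100.9#40001 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.10)
client 203.0.113.7#51503 (example.com): query: example.com IN ANY -E(0) (192.0.2.10)
client 2001:db8::99#53000 (example.com): query: example.com IN IXFR -T (192.0.2.10)
"""

# Secondaries that are allowed to pull the zone (assumed for this example).
ALLOWED_SECONDARIES = [ip_network("192.0.2.53/32"), ip_network("2001:db8::/64")]

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-f.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (source_ip, qname, qtype) or None if the line is not a query."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("name"), m.group("qtype").upper()

def is_allowed_secondary(src):
    """True if the source address belongs to a known secondary."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SECONDARIES)

def find_suspicious(log_text):
    """Return (source_ip, qname, qtype, reason) for each query worth alerting on."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, name, qtype = parsed
        if qtype in ("AXFR", "IXFR") and not is_allowed_secondary(src):
            findings.append((src, name, qtype, "zone transfer from non-secondary"))
        elif qtype == "ANY":
            findings.append((src, name, qtype, "ANY query (bulk enumeration)"))
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print("ALERT %s %s %s: %s" % f)
```

On BIND the matching configuration fix is to restrict allow-transfer to the secondaries' addresses (better, to a TSIG key) rather than leaving it open.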

4.7 DNS Enumeration Transcription

• 00:00 - 00:30 Of course we can use DNS to enumerate. Let's see how. First of all, DNS has lots of record types; this is how we discover computers and we get a hint of what they do. We could query a DNS server for its records: either the IPv4 address records or the IPv6 quad-A (AAAA) address records, or name server records, that's the DNS servers themselves,
• 00:30 - 01:00 those would be our targets for querying; or MX records, these are the email servers for that particular domain; or the CNAMEs, the canonical names, these are aliases for these, because quite honestly a DNS name is just a convenience for humans, you can have all kinds of names that map to the same IP; or a pointer record, a PTR, where I come to you with an IP and you give me back a
• 01:00 - 01:30 name, we use it a lot for security; or a start of authority record. If you want to grab individual records, you just query, but if you want to grab the whole database you do what's called a zone transfer. You could exploit DNS "all transfer", AXFR; you could exploit that vulnerability and just grab the entire zone from a DNS server. That means you don't need to know what to query for, you
• 01:30 - 02:00 just say "I want an AXFR, give it all to me, baby." Now, DNS servers should be configured to not replicate to things they don't know, but you have lots of administrators who really were not paying attention, or didn't know what they were doing, or something sneaked by somehow, so some DNS servers are happy to transfer their entire zone away to anybody who asks, with no authentication. This will save you, the attacker, time. Or you can just
• 02:00 - 02:30 manually request all the various record types and hope that you get everything. There are a ton of DNS enumeration tools. If you want to just use the command-line tools, there's dig and fierce, which are both Linux tools, or there's nslookup, the Microsoft tool, or host, and there are also some Python and Perl scripts and Metasploit modules and nmap scripts and other kinds of tools. You can also go online to
• 02:30 - 03:00 various sites like NS list and IP list to cross-reference domains, host names and IP addresses, so you can just see some of this stuff here and how they relate. Here's an example of using a command-line tool from Kali, dnsrecon. And so what I'm doing is, it's a Python script, I'm saying dnsrecon and the domain is cisco.com, and it will try to dump everything it can for me. So here's
• 03:00 - 03:30 the start of authority and the two DNS servers and, let's see, one, two, three, four email servers, and an A record, a quad-A record, a TXT record, which is, let's see, um, Sender Policy Framework, that's for anti-spam, uh, and trying to get SRV records. What SRV records? Those are for Active Directory; you shouldn't be able to get those out on the public network. Okay, whatever.
• 03:30 - 04:00 Of course there's the Microsoft tool nslookup. We can use it at the command line; you just say nslookup, some option, name or not, and then the server we're targeting, meaning the DNS server that we're targeting. You can also install this tool on Linux; you would have to install two things, one after another: sudo apt install dnsutils, and then after that sudo dnf install bind-utils. The only thing about nslookup is it depends on the existence of a
• 04:00 - 04:30 reverse lookup zone, a PTR zone, for that zone to work properly, um, and not all administrators will set that up. But nonetheless, here are some examples: nslookup example.com, just give me all of it, baby; or nslookup -type=NS, only the name servers, I just want to know the DNS servers for example.com; or I just want to know the start of authority, which describes things like when the records will expire and, um, how
• 04:30 - 05:00 long you have to keep it for before you let it expire, and who created it, and that sort of thing. We could also say just give me the email servers, or give me anything, or we could just say, you know, I want to know whatever I can get out of example.com but I'm only going to query this one DNS server to get it, instead of just taking my chances. Or I could just query via IP
• 05:00 - 05:30 address, or I could say, you know, nslookup, the type is PTR, and then you would have to give the formal reverse lookup name, which is the IP address backwards dot in-addr.arpa. So these are examples of using nslookup. You can see here that I've got some examples on the, uh, on the command prompt, and nslookup -type=MX for eccouncil.org, and it comes back and it says, oh, so the server is this name, that's its mail
• 05:30 - 06:00 exchanger, and it has an IPv6 address. Okay, all right, uh, but you know what, I want to know the IPv4 address of this. Oh, okay, well, the IPv4 address is this one right here, and there are two of them. Okay. If you'd rather use the Linux tool dig, the Linux/Unix tool, you can use that; it's installed by default, and you can install a very slightly older version on
• 06:00 - 06:30 Windows as well. So you would say dig by name, dig by domain name, dig, um, a specific DNS server that you're querying, some host name, some IP address. So these are ways of using dig. Examples: dig, give me the address record for www.example.com, in other words give me the IP; or dig and I'm giving the IP, and that assumes I want the name back; or dig, give me the short
• 06:30 - 07:00 version of all of the email servers for example.com, or all of the TXT, uh, uh, files, which are usually used for anti-spam, for example.com, or the, uh, DNS servers, or hey, give me any and all records. You can also use fierce in Linux, so you can try to transfer a zone by guessing a domain that the server is authoritative for. So here's the thing: if
• 07:00 - 07:30 I go to a DNS server and I say hey, give me everything you have on that domain, if that server is not what we call authoritative, meaning it doesn't actually have, uh, the actual zone file, the database, in it, if all it's doing is doing lookups and then caching the results, the zone transfer will only be useful if it hosts the zone, if it's
• 07:30 - 08:00 authoritative. So I'm going, hmm, there's a DNS server there and it's run by an ISP, so you can bet that it is authoritative for a whole bunch of customers; it's going to have zones for a whole bunch of domains. But we've got to figure out what domains this server actually has a copy of. Now, whether it's the writable copy because it's the primary, the master, or if it's a read-only copy because it's the slave, the secondary, doesn't matter,
• 08:00 - 08:30 just give me a copy, I don't care if it's writable or not. So we would have to try to guess the domain the server is authoritative for. So we could say dig, give me, you know, zone transfer everything, "all transfer", at, meaning to some specific DNS server, the domain, and if it's not authoritative it'll tell us, tell us to get lost. We could try to perform a zone transfer against every authoritative name server; if it doesn't work, just
• 08:30 - 09:00 launch a dictionary attack. So we could say fierce -dns, the domain is example.com or whatever the domain is, all DNS servers, and some DNS server, or some IP address. Here's an example of dig: I'm going to query Google's 8.8.8.8 for this particular university, give me any record you can, and it says I found it and here's everything I've got. Okay, great,
• 09:00 - 09:30 thank you. Take a look at this, look at this example here, look closely. What do you see? Look really closely. I'll give you a hint: look at the very first line. What do you think's going on here? Look, look, look, look, look: AXFR, domain (looks like "doam", but anyway), something.com, to some particular DNS server. You see what's happening, and
• 09:30 - 10:00 then we get this start of authority, address records, name servers, a whole bunch of stuff. What do you think's happening? If you said this is a hacker requesting manually a replication, a zone transfer, you are right. The hacker is using dig, and you can tell it's dig, it's dig version 9.7, and they are asking for, for this domain against this DNS server right here, give me
• 10:00 - 10:30 all the records you can, and it looks like it succeeded too, because it got all this stuff back. So that is how we can use DNS to enumerate when we are digging into our hacking. And now for something completely different: on to our next topic.