Finding every DNS server and the associated entries for an organisation is known as DNS enumeration. Both internal and external DNS servers that a business may have can provide data on possible target systems, including IP addresses, usernames, and machine names. Numerous tools are available for gathering data needed to carry out DNS enumeration.
DNS Zone Transfer
Moving a copy of the DNS zone file from the primary DNS server to the
secondary DNS server is known as DNS zone transfer. For redundancy, the
primary DNS server typically has a backup or secondary server containing all
the data kept on the original server.
To find the DNS server and gain access to the target organization's records,
an attacker uses DNS zone transfer enumeration. Attackers can use DNS zone
transfers to gain DNS server names, hostnames, machine names, usernames, IP
addresses, aliases, and other information assigned within a target domain if
the DNS server of the target organisation permits them.
To perform a DNS zone transfer, the attacker sends a zone-transfer request to
the DNS server pretending to be a client; the DNS server then sends a portion
of its database as a zone to the attacker. This zone may contain a large
amount of information about the DNS zone network.
COMMANDS
- dig command on Linux is used by attackers to retrieve information about the target. Command: dig ns <target domain>. This command retrieves all the DNS name servers of the target domain. Next, the attacker uses the name servers from the output to test whether the target DNS allows zone transfers. Command: dig @<domain of name server> <target domain> axfr. (AXFR is the query type that requests a full zone transfer; each NS server found in the previous step is tested with it.)
- dnsrecon command on Linux is used by the attacker to test every name server (NS record) of the target domain for zone transfer. Command: dnsrecon -t axfr -d <target domain>
- nslookup command on Windows is used to query the DNS name servers and retrieve information about the target. The figure below shows the nslookup session; the red boxes mark the commands to enter. Replace hackhunt.in with the target domain.
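The same dig AXFR check, turned into an audit you can run against name servers you administer. This is an added example, not code from the original post: it wraps the dig command shown above via subprocess, decides whether a transfer succeeded by the SOA record that brackets a complete zone, and flags A records pointing into RFC 1918 space (the private hosts the countermeasures say should never sit in a public zone). The domain, server names and both dig outputs are constructed samples, so the file runs offline; the network-facing run_axfr function needs dig installed.

```python
"""Check your own name servers for open zone transfers (AXFR).

Added example, not code from the original post. It wraps the dig command
shown above; the network-facing part only works where dig is installed and
the servers are reachable, so the parsing logic is exercised on constructed
sample dig output and the file runs offline.
"""
import ipaddress
import re
import shutil
import subprocess

# Constructed sample: dig output from a server that refuses the transfer.
REFUSED_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

# Constructed sample: dig output from a server that hands over the zone.
OPEN_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
; (1 server found)
;; global options: +cmd
example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.\t\t3600\tIN\tNS\tns1.example.test.
intranet.example.test.\t3600\tIN\tA\t10.0.0.12
vpn.example.test.\t3600\tIN\tA\t203.0.113.9
example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec
"""

# One resource record as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<data>.*)$")

# RFC 1918 ranges: hosts in these networks have no business in a public zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr_output(text):
    """Return the records dig printed as (owner, type, rdata) tuples.

    Comment lines (starting with ';') and blank lines are skipped, so a
    refused or failed transfer yields an empty list.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m.group("name"), m.group("type"), m.group("data")))
    return records


def transfer_allowed(text):
    """A completed AXFR is bracketed by the zone's SOA record at start and end."""
    records = parse_axfr_output(text)
    return len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"


def private_addresses(text):
    """A records that point into RFC 1918 space, i.e. internal hosts leaked by the zone."""
    leaked = []
    for name, rtype, data in parse_axfr_output(text):
        if rtype != "A":
            continue
        try:
            addr = ipaddress.ip_address(data.strip())
        except ValueError:
            continue
        if any(addr in net for net in RFC1918):
            leaked.append((name, str(addr)))
    return leaked


def run_axfr(nameserver, domain, timeout=10):
    """Run the dig command from the post (dig @<ns> <domain> axfr) and return its stdout."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    cmd = ["dig", f"@{nameserver}", domain, "axfr", f"+time={timeout}", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 5).stdout


def audit_zone_transfer(domain, nameservers, run=run_axfr):
    """Map each name server to (transfer allowed?, [leaked private A records]).

    `run` is injectable so the audit can be exercised without network access.
    """
    return {ns: (transfer_allowed(out), private_addresses(out))
            for ns in nameservers for out in [run(ns, domain)]}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. Against a zone you
    # administer: audit_zone_transfer("example.test", ["ns1.example.test", "ns2.example.test"])
    fake = {"ns1.example.test": OPEN_OUTPUT, "ns2.example.test": REFUSED_OUTPUT}
    report = audit_zone_transfer("example.test", list(fake), run=lambda ns, d: fake[ns])
    for ns, (allowed, leaked) in report.items():
        status = "ALLOWS AXFR" if allowed else "refuses AXFR"
        print(f"{ns}: {status}; private hosts exposed: {leaked or 'none'}")
```

Run the audit against every NS record of your own zone, not just the primary: a secondary that was copied from an old template is the usual place an open AXFR survives. A server that answers with the SOA twice has handed the whole zone over; anything else (REFUSED, "Transfer failed.", a timeout) counts as refused.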
DNS Cache Snooping
One kind of DNS enumeration approach is DNS cache snooping, where an
attacker asks the DNS server for a certain cached DNS record. The attacker
can identify the websites the user has recently visited by using this cached
data. The attacker can carry out a social engineering assault on the
intended user by utilising this information. Attackers perform DNS cache
snooping using various tools such as dig, DNS Snoop Dogg, and DNSRecon.
Attackers use the following two DNS cache snooping methods to snoop on a
target domain:
Non-recursive Method
By setting the Recursion Desired (RD) bit in the query header to zero,
attackers send a non-recursive query, which asks the server to answer only
from its own cache. If the requested record is in the cache, the DNS server
returns it, which indicates that a system user has visited the requested
domain. If not, the DNS server replies with either the contents of its
root.hints file, which lists all the root DNS servers, or a referral to
another DNS server that can answer the query.
Command: dig @<IP of DNS Server> <target domain> A +norecurse.
Recursive Method
This method uses the time-to-live (TTL) field to work out how long the
record has been cached. The TTL returned in the answer is compared with the
TTL originally configured for the record on the authoritative server. If
the TTL in the result is lower than the initial TTL, the record was already
cached, indicating that someone on that system has visited the site.
Command: dig @<IP of DNS server> <Target Domain> A +recurse.
DNSSEC Zone Walking
If the DNS zone is not set up correctly, an attacker may try to get internal
records by using the Domain Name System Security Extensions (DNSSEC) zone
walking approach. The attacker can create a map of the host network with the
help of the enumerated zone information.
TOOLS
- ldns-walk command on Linux enumerates the DNSSEC zone and lists the DNS records it finds. Command: ldns-walk @<IP of DNS Server> <Target Domain>. Google's public resolver, 8.8.8.8, can be used as the IP of the DNS server.
- dnsrecon command on Linux assists users in enumerating DNS records such as A, AAAA, and CNAME. Command: dnsrecon -d <target domain> -z.
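What the cache-snooping and zone-walking techniques above look like from the server side. This added example (not from the original post) runs simple detection rules over BIND 9 query-log lines: a zone transfer (AXFR/IXFR) requested by anything other than the listed secondary, a query with the Recursion Desired bit cleared (a leading '-' in BIND's flags field) arriving from outside the LAN, which is the non-recursive snooping method, and a direct NSEC query, which is how a DNSSEC zone walk proceeds. The LAN range 10.0.0.0/8, the secondary 192.0.2.2 and every log line are constructed assumptions, not captured traffic.

```python
"""Spot cache-snooping probes and zone-walking queries in a BIND query log.

Added example, not from the original post. It assumes BIND 9's query-log
line format (client address, query name, class, type and the flags field,
where a leading '+' means recursion desired and '-' means RD=0), a LAN of
10.0.0.0/8 and a single authorised secondary at 192.0.2.2; the log lines
below are constructed, not captured traffic.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log. Lines 1-2: ordinary recursive lookups from the LAN.
# Line 3: the authorised secondary pulling the zone. Line 4: AXFR from outside.
# Line 5: RD=0 probe from outside (non-recursive snooping). Line 6: NSEC query
# from outside, the rhythm of a DNSSEC zone walk.
SAMPLE_LOG = """\
09-Jan-2024 10:15:01.101 client @0x7f1a2c001ee0 10.0.0.25#53211 (www.example.test): query: www.example.test IN A +E(0)K (10.0.0.53)
09-Jan-2024 10:15:02.220 client @0x7f1a2c002f10 10.0.0.26#53212 (mail.example.test): query: mail.example.test IN MX +E(0)K (10.0.0.53)
09-Jan-2024 10:15:03.330 client @0x7f1a2c003a20 192.0.2.2#49152 (example.test): query: example.test IN AXFR -E(0)T (10.0.0.53)
09-Jan-2024 10:15:04.440 client @0x7f1a2c004b30 203.0.113.50#41231 (example.test): query: example.test IN AXFR -E(0)T (10.0.0.53)
09-Jan-2024 10:15:05.550 client @0x7f1a2c005c40 203.0.113.50#41232 (bank.example.test): query: bank.example.test IN A -E(0)K (10.0.0.53)
09-Jan-2024 10:15:06.660 client @0x7f1a2c006d50 203.0.113.51#41233 (example.test): query: example.test IN NSEC -E(0)DK (10.0.0.53)
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the organisation's LAN
SECONDARIES = {ipaddress.ip_address("192.0.2.2")}     # assumption: the only host allowed to pull the zone

# BIND 9 query-log line: "client [@0x...] <ip>#<port> (<qname>): query: <name> <class> <type> <flags> (<server ip>)"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield one dict per query line; lines that do not match are ignored."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.groupdict()


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETS)


def classify(query):
    """Return a reason string if the query looks like enumeration, else None."""
    addr = ipaddress.ip_address(query["ip"])
    qtype = query["qtype"]
    if qtype in ("AXFR", "IXFR"):
        return None if addr in SECONDARIES else "zone transfer requested by a non-secondary host"
    if qtype in ("NSEC", "NSEC3"):
        return "direct NSEC query: possible DNSSEC zone walk"
    if query["flags"].startswith("-") and not is_trusted(addr):
        return "non-recursive (RD=0) query from outside: possible cache snooping"
    return None


def detect(text):
    """Findings as (client ip, query name, qtype, reason) in log order."""
    findings = []
    for q in parse_query_log(text):
        reason = classify(q)
        if reason:
            findings.append((q["ip"], q["name"], q["qtype"], reason))
    return findings


def clients_by_hits(findings):
    """How many suspicious queries each client sent, most active first."""
    return Counter(ip for ip, _name, _qtype, _reason in findings).most_common()


if __name__ == "__main__":
    for ip, name, qtype, reason in detect(SAMPLE_LOG):
        print(f"{ip:16} {qtype:5} {name:20} {reason}")
    print(clients_by_hits(detect(SAMPLE_LOG)))
```

The recursive (TTL-based) snooping method described above sends ordinary RD=1 queries, so it is indistinguishable from normal lookups in this log; the control for it is to refuse recursion to clients outside the LAN in the first place, after which the RD=0 rule only has to catch probes against records the server is authoritative for. Likewise, the AXFR rule is a detective backstop for the first countermeasure below: the allow-transfer list on the server is what actually stops the transfer.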
COUNTERMEASURES
- Disable DNS zone transfers to untrusted hosts.
- Ensure that the private hosts and their IP addresses are not published in the DNS zone files of the public DNS server.
- Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public.
- Use standard network admin contacts for DNS registrations to avoid social engineering attacks.
- Prune DNS zone files to prevent revealing unnecessary information.
You might be interested in,
- Phases of Hacking
- Introduction to Enumeration
- NetBIOS Enumeration
- SNMP Enumeration
- LDAP Enumeration
- NTP, NFS and SMTP Enumeration
- Telnet, SMB, FTP and TFTP Enumeration
- Other Enumeration Techniques (IPSec, VoIP, RPC, Unix/Linux, IPv6, and BGP)
We hope this helps. If you have any suggestions or doubts you can add a
comment and we will reply as soon as possible.