Er Amit Tripathi
Number of posts : 37
Age : 38
Location : Lucknow
Job/hobbies : Software Engeener
What U like To do ? : I Rocks With Computer System.
Registration date : 2008-01-09
 |  Subject: DNS Enumeration (SCANNING AND FOOTPRINTING) 3  2/10/2008, 2:25 am | |
| - Quote :
- The attacker has also identified the names of the DNS servers. DNS servers might be targeted for zone transfers. A zone transfer is the mechanism used by DNS servers to update each other by transferring the contents of their database. DNS is structured as a hierarchy so that when you request DNS information, your request is passed up the hierarchy until a DNS server is found that can resolve the domain name request.
What's left at this step is to try and gather additional information from the organization's DNS servers. The primary tool to query DNS servers is nslookup. Nslookup provides machine name and address information. Both Linux and Windows have nslookup clients. Nslookup is used by typing nslookup from the command line followed by an IP address or a machine name. Doing so will cause nslookup to return the name, all known IP addresses, and all known CNAMES for the identified machine. Nslookup queries DNS servers for machine name and address information.
Using nslookup is rather straightforward. Let's look at an example in which nslookup is used to find out the IP addresses of Google's web servers. By entering nslookup www.google.com, the following response is obtained:
C:\>nslookup www.google.com
Server: dnsr1.sbcglobal.net
Address: 68.94.156.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 64.233.187.99, 64.233.187.104
Aliases: www.google.com
The first two lines of output say which DNS servers are being queried. In this case, it's dnsr1.sbcglobal.net in Texas. The non-authoritative answer lists two IP addresses for the Google web servers. Responses from non-authoritative servers do not contain copies of any domains. They have a cache file that is constructed from all the DNS lookups it has performed in the past for which it has gotten an authoritative response.
Nslookup can also be used in an interactive mode by just typing nslookup at the command prompt. In interactive mode, the user will be given a prompt of >; at which point, the user can enter a variety of options, including attempts to perform a zone transfer.
DNS normally moves information from one DNS server to another through the DNS zone transfer process. If a domain contains more than one name server, only one of these servers will be the primary. Any other servers in the domain will be secondary servers. Zone transfers are much like the DHCP process in that each is a four-step process. DNS zone transfers function as follows:
1. The secondary name server starts the process by requesting the SOA record from the primary name server.
2. The primary then checks the list of authorized servers, and if the secondary server's name is on that list, the SOA record is sent
3. The secondary must then check the SOA record to see if there is a match against the SOA it already maintains.
If the SOA is a match, the process stops here; however, if the SOA has a serial number that is higher, the secondary will need an update. The serial number indicates if changes were made since the last time the secondary server synchronized with the primary server. If an update is required, the secondary name server will send an All Zone Transfer (AXFR) request to the primary server.
4. Upon receipt of the AXFR, the primary server will send the entire zone file to the secondary name server.
A zone transfer is unlike a normal lookup in that the user is attempting to retrieve a copy of the entire zone file for a domain from a DNS server. This can provide a hacker or pen tester with a wealth of information. This is not something that the target organization should be allowing. Unlike lookups that primarily occur on UDP 53, unless the response is greater than 512 bytes, zone transfers use TCP 53. To attempt a zone transfer, you must be connected to a DNS server that is the authoritative server for that zone. Remember the nslookup information we previously gathered? It's shown here again for your convenience.
Registrant:
Pearson Technology Centre
Kenneth Simmons
200 Old Tappan Rd .
Old Tappan, NJ 07675 USA
Email: billing@superlibrary.com
Phone: 001-201-7846187
Registrar Name....: REGISTER.COM, INC.
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com
DNS Servers:
usrxdns1.pearsontc.com
oldtxdns2.pearsontc.com
Review the last two entries. Both usrxdns1.pearsontc.com and oldtxdns2.pearsontc.com are the DNS authoritative servers for ExamCram.com. These are the addresses that an attacker will target to attempt a zone transfer. The steps to try and force a zone transfer are shown here:
1. nslookupEnter nslookup from the command line
2. server Enter the IP address of the authoritative server for that zone.
3. set type = anyTells nslookup to query for any record.
4. ls d Domain.com is the name of the targeted domain of the final step that performs the zone transfer.
One of two things will happen at this point; either you will receive an error message indicating that the transfer was unsuccessful, or you will be returned a wealth of information, as shown in the following:
C:\WINNT\system32>nslookup
Default Server: dnsr1.sbcglobal.net
Address: 128.112.3.12
server 172.6.1.114
set type=any
ls -d example.com
example.com. SOA hostmaster.sbc.net (950849 21600 3600 1728000 3600)
example.com. NS auth100.ns.sbc.net
example.com. NS auth110.ns.sbc.net
example.com. A 10.14.229.23
example.com. MX 10 dallassmtpr1.example.com
example.com. MX 20 dallassmtpr2.example.com
example.com. MX 30 lasmtpr1.example.com
lasmtpr1 A 192.172.243.240
dallassmtpr1 A 192.172.163.9
dallaslink2 A 192.172.161.4
spamassassin A 192.172.170.49
dallassmtpr2 A 192.172.163.7
dallasextra A 192.172.170.17
dallasgate A 192.172.163.22
lalink A 172.16.208.249
dallassmtp1 A 192.172.170.49
nygate A 192.172.3.250
www A 10.49.229.203
dallassmtp MX 10 dallassmtpr1.example.com
dallassmtp MX 20 dallassmtpr2.example.com
dallassmtp MX 30 lasmtpr1.example.com
Dig is another tool that can be used to provide this type of information. It's available for Linux and for Windows. Dig is a powerful tool that can be used to investigate the DNS system.
This type of information should not be made available to just anyone. Hackers can use this to find out what other servers are running on the network, and it can help them map the network and formulate what types of attacks to launch. Notice the first line that has example.com listed previously. Observe the final value of 3600 on that line. That is the TTL value discussed previously which would inform a hacker as to how long DNS poisoning would last. 3,600 seconds is 60 minutes. Zone transfers are intended for use by secondary DNS servers to synchronize with their primary DNS server. You should make sure that only specific IP addresses are allowed to request zone transfers. Although most Operating Systems restrict this by default, Windows 2000 did not. So, be aware of this if any 2000 servers are still in your network. All DNS servers should be tested. It is very often the case in which the primary has tight security, but the secondaries will allow zone transfers | |
|
