mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-03 00:38:52 +00:00
316 lines
13 KiB
Markdown
316 lines
13 KiB
Markdown
|
# 53 - Pentesting DNS
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
<figure><img src="../.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
||
|
|
||
|
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
|
||
|
|
||
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
||
|
|
||
|
## **Basic Information**
|
||
|
|
||
|
The **Domain Name System (DNS)** serves as the internet's directory, allowing users to access websites through **easy-to-remember domain names** like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world.
|
||
|
|
||
|
**Default port:** 53
|
||
|
|
||
|
```
|
||
|
PORT STATE SERVICE REASON
|
||
|
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
|
||
|
5353/udp open zeroconf udp-response
|
||
|
53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
|
||
|
```
|
||
|
|
||
|
### Different DNS Servers
|
||
|
|
||
|
* **DNS Root Servers**: These are at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (**ICANN**) oversees their operation, with a global count of 13.
|
||
|
* **Authoritative Nameservers**: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers.
|
||
|
* **Non-authoritative Nameservers**: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers.
|
||
|
* **Caching DNS Server**: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server.
|
||
|
* **Forwarding Server**: Serving a straightforward role, forwarding servers simply relay queries to another server.
|
||
|
* **Resolver**: Integrated within computers or routers, resolvers execute name resolution locally and are not considered authoritative.
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
### **Banner Grabbing**
|
||
|
|
||
|
There aren't banners in DNS but you can gran the magic query for `version.bind. CHAOS TXT` which will work on most BIND nameservers.\
|
||
|
You can perform this query using `dig`:
|
||
|
|
||
|
```bash
|
||
|
dig version.bind CHAOS TXT @DNS
|
||
|
```
|
||
|
|
||
|
Moreover, the tool [`fpdns`](https://github.com/kirei/fpdns) can also fingerprint the server.
|
||
|
|
||
|
It's also possible to grab the banner also with a **nmap** script:
|
||
|
|
||
|
```
|
||
|
--script dns-nsid
|
||
|
```
|
||
|
|
||
|
### **Any record**
|
||
|
|
||
|
The record **ANY** will ask the DNS server to **return** all the available **entries** that **it is willing to disclose**.
|
||
|
|
||
|
```bash
|
||
|
dig any victim.com @<DNS_IP>
|
||
|
```
|
||
|
|
||
|
### **Zone Transfer**
|
||
|
|
||
|
This procedure is abbreviated `Asynchronous Full Transfer Zone` (`AXFR`).
|
||
|
|
||
|
```bash
|
||
|
dig axfr @<DNS_IP> #Try zone transfer without domain
|
||
|
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
|
||
|
fierce --domain <DOMAIN> --dns-servers <DNS_IP> #Will try toperform a zone transfer against every authoritative name server and if this doesn'twork, will launch a dictionary attack
|
||
|
```
|
||
|
|
||
|
### More info
|
||
|
|
||
|
```bash
|
||
|
dig ANY @<DNS_IP> <DOMAIN> #Any information
|
||
|
dig A @<DNS_IP> <DOMAIN> #Regular DNS request
|
||
|
dig AAAA @<DNS_IP> <DOMAIN> #IPv6 DNS request
|
||
|
dig TXT @<DNS_IP> <DOMAIN> #Information
|
||
|
dig MX @<DNS_IP> <DOMAIN> #Emails related
|
||
|
dig NS @<DNS_IP> <DOMAIN> #DNS that resolves that name
|
||
|
dig -x 192.168.0.2 @<DNS_IP> #Reverse lookup
|
||
|
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup
|
||
|
|
||
|
#Use [-p PORT] or -6 (to use ivp6 address of dns)
|
||
|
```
|
||
|
|
||
|
#### Automation
|
||
|
|
||
|
```bash
|
||
|
for sub in $(cat <WORDLIST>);do dig $sub.<DOMAIN> @<DNS_IP> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
|
||
|
|
||
|
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>
|
||
|
```
|
||
|
|
||
|
#### Using nslookup
|
||
|
|
||
|
```bash
|
||
|
nslookup
|
||
|
> SERVER <IP_DNS> #Select dns server
|
||
|
> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...
|
||
|
> <IP_MACHINE> #Reverse lookup of a machine, maybe...
|
||
|
```
|
||
|
|
||
|
### Useful metasploit modules
|
||
|
|
||
|
```bash
|
||
|
auxiliary/gather/enum_dns #Perform enumeration actions
|
||
|
```
|
||
|
|
||
|
### Useful nmap scripts
|
||
|
|
||
|
```bash
|
||
|
#Perform enumeration actions
|
||
|
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>
|
||
|
```
|
||
|
|
||
|
### DNS - Reverse BF
|
||
|
|
||
|
```bash
|
||
|
dnsrecon -r 127.0.0.0/24 -n <IP_DNS> #DNS reverse of all of the addresses
|
||
|
dnsrecon -r 127.0.1.0/24 -n <IP_DNS> #DNS reverse of all of the addresses
|
||
|
dnsrecon -r <IP_DNS>/24 -n <IP_DNS> #DNS reverse of all of the addresses
|
||
|
dnsrecon -d active.htb -a -n <IP_DNS> #Zone transfer
|
||
|
```
|
||
|
|
||
|
{% hint style="info" %}
|
||
|
If you are able to find subdomains resolving to internal IP-addresses, you should try to perform a reverse dns BF to the NSs of the domain asking for that IP range.
|
||
|
{% endhint %}
|
||
|
|
||
|
Another tool to do so: [https://github.com/amine7536/reverse-scan](https://github.com/amine7536/reverse-scan)
|
||
|
|
||
|
You can query reverse IP ranges to [https://bgp.he.net/net/205.166.76.0/24#\_dns](https://bgp.he.net/net/205.166.76.0/24#_dns) (this tool is also helpful with BGP).
|
||
|
|
||
|
### DNS - Subdomains BF
|
||
|
|
||
|
```bash
|
||
|
dnsenum --dnsserver <IP_DNS> --enum -p 0 -s 0 -o subdomains.txt -f subdomains-1000.txt <DOMAIN>
|
||
|
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
|
||
|
dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan
|
||
|
```
|
||
|
|
||
|
### Active Directory servers
|
||
|
|
||
|
```bash
|
||
|
dig -t _gc._tcp.lab.domain.com
|
||
|
dig -t _ldap._tcp.lab.domain.com
|
||
|
dig -t _kerberos._tcp.lab.domain.com
|
||
|
dig -t _kpasswd._tcp.lab.domain.com
|
||
|
|
||
|
nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN>
|
||
|
nslookup -type=srv _kerberos._tcp.domain.com
|
||
|
|
||
|
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"
|
||
|
```
|
||
|
|
||
|
### DNSSec
|
||
|
|
||
|
```bash
|
||
|
#Query paypal subdomains to ns3.isc-sns.info
|
||
|
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info
|
||
|
```
|
||
|
|
||
|
### IPv6
|
||
|
|
||
|
Brute force using "AAAA" requests to gather IPv6 of the subdomains.
|
||
|
|
||
|
```bash
|
||
|
dnsdict6 -s -t <domain>
|
||
|
```
|
||
|
|
||
|
Bruteforce reverse DNS in using IPv6 addresses
|
||
|
|
||
|
```bash
|
||
|
dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 #Will use the dns pri.authdns.ripe.net
|
||
|
```
|
||
|
|
||
|
### DNS Recursion DDoS
|
||
|
|
||
|
If **DNS recursion is enabled**, an attacker could **spoof** the **origin** on the UDP packet in order to make the **DNS send the response to the victim server**. An attacker could abuse **ANY** or **DNSSEC** record types as they use to have the bigger responses.\
|
||
|
The way to **check** if a DNS supports **recursion** is to query a domain name and **check** if the **flag "ra"** (_recursion available_) is in the response:
|
||
|
|
||
|
```bash
|
||
|
dig google.com A @<IP>
|
||
|
```
|
||
|
|
||
|
**Non available**:
|
||
|
|
||
|
![](<../.gitbook/assets/image (123).png>)
|
||
|
|
||
|
**Available**:
|
||
|
|
||
|
![](<../.gitbook/assets/image (146).png>)
|
||
|
|
||
|
<figure><img src="../.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
||
|
|
||
|
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
|
||
|
|
||
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
||
|
|
||
|
### Mail to nonexistent account
|
||
|
|
||
|
**Sending an email to a non-existaent address** using the victims domain could trigger the victim to send a nondelivery notification (NDN) message whose **headers** could contain interesting information such as the **name of internal servers and IP addresses**.
|
||
|
|
||
|
## Post-Exploitation
|
||
|
|
||
|
* When checking the configuration of a Bind server check the configuration of the param **`allow-transfer`** as it indicates who can perform zone transfers and **`allow-recursion`** and **`allow-query`** as the indicate who can send recursive requests and requests to it.
|
||
|
* The following are the names of DNS related files that could be interesting to search inside machines:
|
||
|
|
||
|
```
|
||
|
host.conf
|
||
|
/etc/resolv.conf
|
||
|
/etc/bind/named.conf
|
||
|
/etc/bind/named.conf.local
|
||
|
/etc/bind/named.conf.options
|
||
|
/etc/bind/named.conf.log
|
||
|
/etc/bind/*
|
||
|
```
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://www.myrasecurity.com/en/knowledge-hub/dns/](https://www.myrasecurity.com/en/knowledge-hub/dns/)
|
||
|
* Book: **Network Security Assessment 3rd edition**
|
||
|
|
||
|
## HackTricks Automatic Commands
|
||
|
|
||
|
```
|
||
|
Protocol_Name: DNS #Protocol Abbreviation if there is one.
|
||
|
Port_Number: 53 #Comma separated if there is more than one.
|
||
|
Protocol_Description: Domain Name Service #Protocol Abbreviation Spelled out
|
||
|
|
||
|
Entry_1:
|
||
|
Name: Notes
|
||
|
Description: Notes for DNS
|
||
|
Note: |
|
||
|
#These are the commands I run every time I see an open DNS port
|
||
|
|
||
|
dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name}
|
||
|
dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name}
|
||
|
dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name}
|
||
|
dig axfr @{IP}
|
||
|
dig axfr {Domain_Name} @{IP}
|
||
|
nslookup
|
||
|
SERVER {IP}
|
||
|
127.0.0.1
|
||
|
{IP}
|
||
|
Domain_Name
|
||
|
exit
|
||
|
|
||
|
https://book.hacktricks.xyz/pentesting/pentesting-dns
|
||
|
|
||
|
Entry_2:
|
||
|
Name: Banner Grab
|
||
|
Description: Grab DNS Banner
|
||
|
Command: dig version.bind CHAOS TXT @DNS
|
||
|
|
||
|
Entry_3:
|
||
|
Name: Nmap Vuln Scan
|
||
|
Description: Scan for Vulnerabilities with Nmap
|
||
|
Command: nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP}
|
||
|
|
||
|
Entry_4:
|
||
|
Name: Zone Transfer
|
||
|
Description: Three attempts at forcing a zone transfer
|
||
|
Command: dig axfr @{IP} && dix axfr @{IP} {Domain_Name} && fierce --dns-servers {IP} --domain {Domain_Name}
|
||
|
|
||
|
|
||
|
Entry_5:
|
||
|
Name: Active Directory
|
||
|
Description: Eunuerate a DC via DNS
|
||
|
Command: dig -t _gc._{Domain_Name} && dig -t _ldap._{Domain_Name} && dig -t _kerberos._{Domain_Name} && dig -t _kpasswd._{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}"
|
||
|
|
||
|
Entry_6:
|
||
|
Name: consolesless mfs enumeration
|
||
|
Description: DNS enumeration without the need to run msfconsole
|
||
|
Note: sourced from https://github.com/carlospolop/legion
|
||
|
Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit'
|
||
|
```
|
||
|
|
||
|
<figure><img src="../.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
**Get a hacker's perspective on your web apps, network, and cloud**
|
||
|
|
||
|
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
|
||
|
|
||
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|