# 53 - Pentesting DNS
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. {% embed url="https://pentest-tools.com/" %} ## **Basic Information** The **Domain Name System (DNS)** serves as the internet's directory, allowing users to access websites through **easy-to-remember domain names** like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world. **Default port:** 53 ``` PORT STATE SERVICE REASON 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 5353/udp open zeroconf udp-response 53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) ``` ### Different DNS Servers * **DNS Root Servers**: These are at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (**ICANN**) oversees their operation, with a global count of 13. * **Authoritative Nameservers**: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers. * **Non-authoritative Nameservers**: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers. * **Caching DNS Server**: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server. * **Forwarding Server**: Serving a straightforward role, forwarding servers simply relay queries to another server. * **Resolver**: Integrated within computers or routers, resolvers execute name resolution locally and are not considered authoritative. ## Enumeration ### **Banner Grabbing** There aren't banners in DNS but you can gran the macgic query for `version.bind. CHAOS TXT` which will work on most BIND nameservers.\ You can perform this query using `dig`: ```bash dig version.bind CHAOS TXT @DNS ``` Moreover, the tool [`fpdns`](https://github.com/kirei/fpdns) can also fingerprint the server. It's also possible to grab the banner also with a **nmap** script: ``` --script dns-nsid ``` ### **Any record** The record **ANY** will ask the DNS server to **return** all the available **entries** that **it is willing to disclose**. ```bash dig any victim.com @ ``` ### **Zone Transfer** This procedure is abbreviated `Asynchronous Full Transfer Zone` (`AXFR`). ```bash dig axfr @ #Try zone transfer without domain dig axfr @ #Try zone transfer guessing the domain fierce --domain --dns-servers #Will try toperform a zone transfer against every authoritative name server and if this doesn'twork, will launch a dictionary attack ``` ### More info ```bash dig ANY @ #Any information dig A @ #Regular DNS request dig AAAA @ #IPv6 DNS request dig TXT @ #Information dig MX @ #Emails related dig NS @ #DNS that resolves that name dig -x 192.168.0.2 @ #Reverse lookup dig -x 2a00:1450:400c:c06::93 @ #reverse IPv6 lookup #Use [-p PORT] or -6 (to use ivp6 address of dns) ``` #### Automation ```bash for sub in $(cat );do dig $sub. @ | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f ``` #### Using nslookup ```bash nslookup > SERVER #Select dns server > 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe... > #Reverse lookup of a machine, maybe... ``` ### Useful metasploit modules ```bash auxiliary/gather/enum_dns #Perform enumeration actions ``` ### Useful nmap scripts ```bash #Perform enumeration actions nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" ``` ### DNS - Reverse BF ```bash dnsrecon -r 127.0.0.0/24 -n #DNS reverse of all of the addresses dnsrecon -r 127.0.1.0/24 -n #DNS reverse of all of the addresses dnsrecon -r /24 -n #DNS reverse of all of the addresses dnsrecon -d active.htb -a -n #Zone transfer ``` {% hint style="info" %} If you are able to find subdomains resolving to internal IP-addresses, you should try to perform a reverse dns BF to the NSs of the domain asking for that IP range. {% endhint %} Another tool to do so: [https://github.com/amine7536/reverse-scan](https://github.com/amine7536/reverse-scan) You can query reverse IP ranges to [https://bgp.he.net/net/205.166.76.0/24#\_dns](https://bgp.he.net/net/205.166.76.0/24#\_dns) (this tool is also helpful with BGP). ### DNS - Subdomains BF ```bash dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f subdomains-1000.txt dnsrecon -D subdomains-1000.txt -d -n dnscan -d -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan ``` ### Active Directory servers ```bash dig -t _gc._tcp.lab.domain.com dig -t _ldap._tcp.lab.domain.com dig -t _kerberos._tcp.lab.domain.com dig -t _kpasswd._tcp.lab.domain.com nslookup -type=srv _kerberos._tcp. nslookup -type=srv _kerberos._tcp.domain.com nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'" ``` ### DNSSec ```bash #Query paypal subdomains to ns3.isc-sns.info nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info ``` ### IPv6 Brute force using "AAAA" requests to gather IPv6 of the subdomains. ```bash dnsdict6 -s -t ``` Bruteforce reverse DNS in using IPv6 addresses ```bash dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 #Will use the dns pri.authdns.ripe.net ``` ### DNS Recursion DDoS If **DNS recursion is enabled**, an attacker could **spoof** the **origin** on the UDP packet in order to make the **DNS send the response to the victim server**. An attacker could abuse **ANY** or **DNSSEC** record types as they use to have the bigger responses.\ The way to **check** if a DNS supports **recursion** is to query a domain name and **check** if the **flag "ra"** (_recursion available_) is in the response: ```bash dig google.com A @ ``` **Non available**: ![](<../.gitbook/assets/image (123).png>) **Available**: ![](<../.gitbook/assets/image (146).png>)
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. {% embed url="https://pentest-tools.com/" %} ### Mail to nonexistent account Through the examination of a nondelivery notification (NDN) triggered by an email sent to an invalid address within a target domain, valuable internal network details are often disclosed. The provided nondelivery report includes information such as: * The generating server was identified as `server.example.com`. * A failure notice for `user@example.com` with the error code `#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found` was returned. * Internal IP addresses and hostnames were disclosed in the original message headers. ```markdown The original message headers were modified for anonymity and now present randomized data: Generating server: server.example.com user@example.com #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ## Original message headers: Received: from MAILSERVER01.domain.example.com (192.168.1.1) by mailserver02.domain.example.com (192.168.2.2) with Microsoft SMTP Server (TLS) id 14.3.174.1; Mon, 25 May 2015 14:52:22 -0700 Received: from filter.example.com (203.0.113.1) by MAILSERVER01.domain.example.com (192.168.1.1) with Microsoft SMTP Server (TLS) id 14.3.174.1; Mon, 25 May 2015 14:51:22 -0700 X-ASG-Debug-ID: 1432576343-0614671716190e0d0001-zOQ9WJ Received: from gateway.domainhost.com (gateway.domainhost.com [198.51.100.37]) by filter.example.com with ESMTP id xVNPkwaqGgdyH5Ag for user@example.com; Mon, 25 May 2015 14:52:13 -0700 (PDT) X-Envelope-From: sender@anotherdomain.org X-Apparent-Source-IP: 198.51.100.37 ``` ## Config files ``` host.conf /etc/resolv.conf /etc/bind/named.conf /etc/bind/named.conf.local /etc/bind/named.conf.options /etc/bind/named.conf.log /etc/bind/* ``` Dangerous settings when configuring a Bind server: | **Option** | **Description** | | ----------------- | ------------------------------------------------------------------------------ | | `allow-query` | Defines which hosts are allowed to send requests to the DNS server. | | `allow-recursion` | Defines which hosts are allowed to send recursive requests to the DNS server. | | `allow-transfer` | Defines which hosts are allowed to receive zone transfers from the DNS server. | | `zone-statistics` | Collects statistical data of zones. | ## References * [https://www.myrasecurity.com/en/knowledge-hub/dns/](https://www.myrasecurity.com/en/knowledge-hub/dns/) * Book: **Network Security Assessment 3rd edition** ## HackTricks Automatic Commands ``` Protocol_Name: DNS #Protocol Abbreviation if there is one. Port_Number: 53 #Comma separated if there is more than one. Protocol_Description: Domain Name Service #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for DNS Note: | #These are the commands I run every time I see an open DNS port dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name} dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name} dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name} dig axfr @{IP} dig axfr {Domain_Name} @{IP} nslookup SERVER {IP} 127.0.0.1 {IP} Domain_Name exit https://book.hacktricks.xyz/pentesting/pentesting-dns Entry_2: Name: Banner Grab Description: Grab DNS Banner Command: dig version.bind CHAOS TXT @DNS Entry_3: Name: Nmap Vuln Scan Description: Scan for Vulnerabilities with Nmap Command: nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP} Entry_4: Name: Zone Transfer Description: Three attempts at forcing a zone transfer Command: dig axfr @{IP} && dix axfr @{IP} {Domain_Name} && fierce --dns-servers {IP} --domain {Domain_Name} Entry_5: Name: Active Directory Description: Eunuerate a DC via DNS Command: dig -t _gc._{Domain_Name} && dig -t _ldap._{Domain_Name} && dig -t _kerberos._{Domain_Name} && dig -t _kpasswd._{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}" Entry_6: Name: consolesless mfs enumeration Description: DNS enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit' ```
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. {% embed url="https://pentest-tools.com/" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.