hacktricks/network-services-pentesting/pentesting-dns.md
2024-02-10 17:52:19 +00:00

53 - Pentesting DNS


Basic Information

The Domain Name System (DNS) serves as the internet's directory, allowing users to access websites through easy-to-remember domain names like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world.

Default port: 53

PORT     STATE SERVICE  REASON
53/tcp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
5353/udp open  zeroconf udp-response
53/udp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)

Different DNS Servers

  • DNS Root Servers: These sit at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (ICANN) oversees their operation, with a global count of 13.

  • Authoritative Nameservers: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers.

  • Non-authoritative Nameservers: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers.

  • Caching DNS Server: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server.

  • Forwarding Server: Serving a straightforward role, forwarding servers simply relay queries to another server.

  • Resolver: Integrated within computers or routers, resolvers execute name resolution locally and are not considered authoritative.

Enumeration

Banner Grabbing

There aren't banners in DNS, but you can grab the magic query for version.bind. CHAOS TXT, which will work on most BIND nameservers.
You can perform this query using dig:

dig version.bind CHAOS TXT @DNS

Moreover, the tool fpdns can also fingerprint the server.

You can also grab the banner with an nmap script:

--script dns-nsid
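To show what dig and the nmap script actually put on the wire, here is the version.bind CHAOS TXT probe built by hand in DNS wire format, with a parser for the reply. This is an added example, not code from the HackTricks page; it uses only the Python standard library, and the reply bytes (including the version string "9.18.24") are constructed here rather than captured from a real server.

```python
import struct

# Added example (not from the HackTricks page): the version.bind CHAOS TXT
# probe built by hand in DNS wire format, plus a parser for the reply.
# Only the standard library is used; the reply bytes are constructed here.

QTYPE = {"A": 1, "PTR": 12, "TXT": 16, "ANY": 255}
QCLASS = {"IN": 1, "CH": 3}

def encode_name(name):
    """Dotted name -> DNS labels (length byte + text), terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, qclass="IN", txid=0x1234):
    """12-byte header + one question. Flags 0x0100: standard query, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])

def read_name(msg, off):
    """Decode a possibly compressed name. Returns (name, offset after it).
    A byte with the top two bits set is a 14-bit pointer into the message."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            if not jumped:
                end = off + 2          # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:              # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def decode_rdata(rtype, rdata, msg, rd_off):
    """Decode the record types this page queries; anything else stays hex."""
    if rtype == QTYPE["TXT"]:          # sequence of <len><chars> strings
        strings, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        return strings
    if rtype == QTYPE["A"] and len(rdata) == 4:
        return ".".join(str(b) for b in rdata)
    if rtype == QTYPE["PTR"]:          # PTR target may use compression
        return read_name(msg, rd_off)[0]
    return rdata.hex()

def parse_response(msg):
    """Return (txid, rcode, answers); each answer is a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                        "data": decode_rdata(rtype, msg[off:off + rdlen], msg, off)})
        off += rdlen
    return txid, flags & 0x000F, answers

def build_txt_answer(query, txt, ttl=0):
    """Constructed reply to `query`: echo the question, then one TXT RR whose
    owner is the pointer 0xC00C (offset 12, where the question name starts)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR AA RD RA
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["TXT"], QCLASS["CH"], ttl, len(rdata))
    return header + query[12:] + rr + rdata

def version_from_bind_reply(reply):
    """First CHAOS TXT string in the reply, i.e. what BIND says it is, or None."""
    _, _rcode, answers = parse_response(reply)
    for rr in answers:
        if rr["type"] == QTYPE["TXT"] and rr["class"] == QCLASS["CH"]:
            return rr["data"][0]
    return None
```

Treat the returned string as a hint only: BIND's `version` option in named.conf lets an operator answer with any text (or none), so a hardened server may report nothing useful here.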

Any record

The record ANY will ask the DNS server to return all the available entries that it is willing to disclose.

dig any victim.com @<DNS_IP>

Zone Transfer

This procedure is abbreviated Asynchronous Full Transfer Zone (AXFR).


Dig

Dig is another DNS query tool that can be used to perform zone transfers. It is a command-line tool that is available on most Unix-like operating systems.

To perform a zone transfer using Dig, you can use the following command:

dig axfr @<dns_server> <domain_name>

Replace <dns_server> with the IP address or hostname of the target DNS server, and <domain_name> with the name of the domain for which you want to perform the zone transfer.

Dig will attempt to perform a zone transfer and display the results on the command line. If the zone transfer is successful, you will see a list of DNS records for the specified domain.

Nmap

Nmap is a powerful network scanning tool that can also be used to perform zone transfers. It is available for multiple platforms and has a wide range of features.

To perform a zone transfer using Nmap, you can use the following command:

nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=<domain_name> <dns_server>

Replace <domain_name> with the name of the domain for which you want to perform the zone transfer, and <dns_server> with the IP address or hostname of the target DNS server.

Nmap will attempt to perform a zone transfer and display the results on the command line. If the zone transfer is successful, you will see a list of DNS records for the specified domain.

dig axfr @<DNS_IP> #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP> #Will try to perform a zone transfer against every authoritative name server and if this doesn't work, will launch a dictionary attack

DNS Enumeration

DNS enumeration is the process of gathering information about a target's DNS infrastructure. This information can be used to identify potential vulnerabilities and misconfigurations that can be exploited during a penetration test.

DNS Zone Transfers

DNS zone transfers allow a secondary DNS server to request a complete copy of a zone's DNS records from a primary DNS server. This can be useful for an attacker as it provides a wealth of information about the target's DNS infrastructure, including hostnames, IP addresses, and other DNS records.

To perform a DNS zone transfer, you can use tools like dig or nslookup. Here is an example using dig:

dig axfr <domain> @<dns-server>

Replace <domain> with the target domain and <dns-server> with the IP address of the DNS server you want to perform the zone transfer against.

DNS Brute-Forcing

DNS brute-forcing involves systematically guessing subdomains of a target domain in order to discover hidden or forgotten subdomains. This can be done using tools like dnsrecon, fierce, or sublist3r.

Here is an example using dnsrecon:

dnsrecon -d <domain>

Replace <domain> with the target domain you want to brute-force.

DNS Cache Poisoning

DNS cache poisoning is an attack that involves injecting malicious DNS records into a DNS resolver's cache. This can lead to the redirection of traffic to malicious websites or the interception of sensitive information.

To perform DNS cache poisoning, you can use tools like dnsspoof or mitmproxy. These tools allow you to intercept DNS requests and inject your own DNS responses.

DNSSEC Zone Walking

DNSSEC zone walking is a technique used to enumerate the names in a zone that is signed with DNSSEC using plain NSEC records. Querying for non-existent names returns NSEC records as the proof of non-existence, and each NSEC record carries the next existing owner name in the zone, so the whole zone can be listed by following that chain.

To perform DNSSEC zone walking, you can use tools like dnsenum or dnsrecon. These tools automate the process of querying for non-existent names and following the NSEC chain in the responses.
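As an added illustration (not from the original page), the constructed NSEC chain below for the fictional zone example.test shows the mechanism: each NSEC record names the next owner in canonical order, so following the links from the apex lists every name, and the record that proves a guessed name does not exist also reveals its two existing neighbours.

```python
# Added example (not from the HackTricks page): walking a constructed NSEC
# chain to show why plain NSEC discloses every name in a signed zone.
# The records below are made up for the fictional zone example.test.

def canonical_key(name):
    """Sort key for DNSSEC canonical name order: compare labels from the
    root downwards, case-insensitively (RFC 4034 section 6.1)."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(reversed(labels))

def walk_nsec_chain(apex, nsec_records):
    """Follow the NSEC 'next owner' links from the apex until the chain wraps
    back to it. Returns the ordered list of owner names in the zone."""
    names, seen, current = [], set(), apex
    while current not in seen:
        seen.add(current)
        names.append(current)
        if current not in nsec_records:
            raise ValueError("chain broken at " + current)
        current = nsec_records[current]["next"]
    if current != apex:
        raise ValueError("chain loops without returning to the apex")
    return names

def covering_nsec(qname, nsec_records):
    """Return (owner, record) of the NSEC that proves qname does not exist:
    owner sorts before qname and the next owner sorts after it, or the
    record is the last one, whose next owner wraps around to the apex."""
    q = canonical_key(qname)
    for owner, rr in nsec_records.items():
        o, n = canonical_key(owner), canonical_key(rr["next"])
        wraps = n <= o
        if o < q and (q < n or wraps):
            return owner, rr
    return None

# Constructed NSEC chain: owner -> next owner plus the owner's type bitmap.
NSEC_CHAIN = {
    "example.test.":      {"next": "dev.example.test.",  "types": ["NS", "SOA", "RRSIG", "NSEC", "DNSKEY"]},
    "dev.example.test.":  {"next": "mail.example.test.", "types": ["A", "RRSIG", "NSEC"]},
    "mail.example.test.": {"next": "vpn.example.test.",  "types": ["A", "MX", "RRSIG", "NSEC"]},
    "vpn.example.test.":  {"next": "example.test.",      "types": ["A", "RRSIG", "NSEC"]},
}
```

This disclosure is the reason zones with sensitive names are signed with NSEC3 (hashed owner names) or served with on-line signing and minimally covering NSEC records (RFC 4470) instead of plain NSEC.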

DNS Enumeration Tools

There are several tools available for DNS enumeration, including:

  • dig: A command-line tool for querying DNS servers.
  • nslookup: A command-line tool for querying DNS servers.
  • dnsrecon: A powerful DNS enumeration tool.
  • fierce: A DNS reconnaissance tool.
  • sublist3r: A subdomain enumeration tool.
  • dnsspoof: A tool for DNS cache poisoning.
  • mitmproxy: A tool for intercepting and modifying network traffic.

These tools can be used to gather information about a target's DNS infrastructure and identify potential vulnerabilities and misconfigurations.

dig ANY @<DNS_IP> <DOMAIN>     #Any information
dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN>     #Information
dig MX @<DNS_IP> <DOMAIN>      #Emails related
dig NS @<DNS_IP> <DOMAIN>      #DNS that resolves that name
dig -x 192.168.0.2 @<DNS_IP>   #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup

#Use [-p PORT]  or  -6 (to use the IPv6 address of the DNS server)

Automation

Introduction

Automation is a key aspect of modern technology and can greatly enhance efficiency and productivity. In the context of network services pentesting, automation can be a valuable tool for performing repetitive tasks, such as scanning and enumeration, in a faster and more accurate manner.

Benefits of Automation

There are several benefits to using automation in network services pentesting:

  1. Time-saving: Automation allows for the execution of tasks at a much faster pace compared to manual methods. This can significantly reduce the time required to perform pentesting activities.

  2. Consistency: Automated tools can perform tasks consistently, eliminating the possibility of human error. This ensures that tests are conducted in a standardized and reliable manner.

  3. Scalability: Automation enables the testing of large-scale networks and services, which would be impractical to perform manually. It allows for the efficient scanning and enumeration of multiple targets simultaneously.

  4. Accuracy: Automated tools can provide more accurate results compared to manual methods. They can detect vulnerabilities and misconfigurations that may be overlooked by human testers.

  5. Repeatability: Automation allows for the repetition of tests, ensuring that the same steps are followed consistently. This is particularly useful when conducting periodic assessments or retesting after applying security patches.

Automation Tools

There are various automation tools available for network services pentesting. Some popular examples include:

  • Nmap: A powerful network scanning tool that can be used for host discovery, port scanning, and service enumeration.

  • Metasploit: A framework that provides a wide range of automated exploits and payloads for testing the security of network services.

  • Burp Suite: A web application security testing tool that includes automated scanning capabilities for identifying vulnerabilities in web services.

  • SQLMap: A tool specifically designed for automated SQL injection and database takeover.

  • OWASP ZAP: An open-source web application security scanner that can be used for automated vulnerability scanning and testing.

Conclusion

Automation plays a crucial role in network services pentesting, offering numerous benefits such as time-saving, consistency, scalability, accuracy, and repeatability. By leveraging automation tools, pentesters can streamline their workflows and enhance the effectiveness of their testing activities.

for sub in $(cat <WORDLIST>);do dig $sub.<DOMAIN> @<DNS_IP> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>

Using nslookup


nslookup is a command-line tool used to query DNS (Domain Name System) servers to obtain information about domain names, IP addresses, and other DNS records. It is commonly used in network troubleshooting and DNS-related tasks during penetration testing.

nslookup is available on most operating systems, including Windows, Linux, and macOS. To use nslookup, open a terminal or command prompt and type nslookup followed by the domain name or IP address you want to query.

Here are some examples of how to use nslookup:

  1. Querying a Domain Name

To obtain the IP address of a domain name, simply type the domain name after the nslookup command. For example:

nslookup example.com

This will return the IP address associated with the domain name example.com.

  2. Reverse DNS Lookup

To perform a reverse DNS lookup, where you obtain the domain name associated with an IP address, type the IP address after the nslookup command. For example:

nslookup 192.168.1.1

This will return the domain name associated with the IP address 192.168.1.1.

  3. Querying Specific DNS Servers

By default, nslookup uses the DNS servers configured on your system. However, you can specify a different DNS server to query by typing the server's IP address after the nslookup command. For example:

nslookup example.com 8.8.8.8

This will query the DNS server at IP address 8.8.8.8 for information about the domain name example.com.

  4. Changing Query Type

By default, nslookup performs a standard query for the IP address associated with a domain name. However, you can change the query type to obtain different types of DNS records. To do this, type the query type followed by the domain name after the nslookup command. For example:

nslookup -type=mx example.com

This will return the mail exchange (MX) records for the domain name example.com.

  5. Interactive Mode

nslookup also supports an interactive mode, where you can enter multiple queries without exiting the tool. To enter interactive mode, simply type nslookup without any arguments. Once in interactive mode, you can enter domain names or IP addresses to query, change the query type, and specify DNS servers.

nslookup
> example.com
> 192.168.1.1
> set type=mx
> example.com
> server 8.8.8.8
> example.com
> exit

This will perform a series of queries in interactive mode, including querying a domain name, an IP address, changing the query type, specifying a DNS server, and querying the domain name again.

nslookup is a versatile tool that can provide valuable information during network reconnaissance and penetration testing. By understanding how to use nslookup, you can gather information about DNS records, troubleshoot DNS-related issues, and identify potential vulnerabilities in DNS configurations.

nslookup
> SERVER <IP_DNS> #Select dns server
> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...
> <IP_MACHINE> #Reverse lookup of a machine, maybe...

Useful metasploit modules


auxiliary/gather/enum_dns #Perform enumeration actions

Useful nmap scripts

Introduction

Nmap is a powerful network scanning tool that allows you to discover hosts and services on a network. It comes with a variety of scripts that can be used to perform specific tasks during a network scan. In this section, we will explore some useful Nmap scripts that can be used for network services pentesting.

DNS Enumeration

dns-brute

The dns-brute script can be used to perform DNS brute force enumeration. It attempts to enumerate subdomains by guessing their names based on a wordlist. This can be useful for discovering hidden subdomains that may be vulnerable to attacks.

To use the dns-brute script, you can run the following command:

nmap --script dns-brute <target>

dns-zone-transfer

The dns-zone-transfer script can be used to perform a DNS zone transfer. It requests the entire zone (AXFR) from the target name server, as a secondary server would, and succeeds only if the server allows transfers to arbitrary clients. This can be useful for discovering additional information about the target network.

To use the dns-zone-transfer script, you can run the following command:

nmap --script dns-zone-transfer <target>

Conclusion

These are just a few examples of useful Nmap scripts that can be used for network services pentesting. Nmap provides a wide range of scripts that can be used to perform various tasks during a network scan. It is important to understand how to use these scripts effectively in order to gather valuable information about the target network.

#Perform enumeration actions
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

DNS - Reverse BF

Description

Reverse BF (Brute Force) is a technique used to discover hostnames by systematically issuing DNS queries and checking which ones resolve: forward, by guessing subdomains from a wordlist, or reverse, by asking for the PTR record of every address in an IP range that belongs to the target.

Methodology

  1. Gather Information: Collect as much information as possible about the target domain, such as the main domain name, known subdomains, and any other relevant details.

  2. Generate Subdomain List: Create a list of potential subdomains based on common naming conventions, such as www, mail, ftp, admin, etc. Additionally, consider using tools like dnsrecon, sublist3r, or amass to generate an extensive list of subdomains.

  3. Perform Reverse BF: Iterate through the subdomain list and send DNS queries for each subdomain. Check if the DNS query resolves to a valid IP address. Tools like dig, nslookup, or host can be used for this purpose.

  4. Analyze Results: Analyze the DNS query results to identify any subdomains that resolve to valid IP addresses. These subdomains can be potential targets for further investigation or exploitation.

  5. Verify Subdomains: Once potential subdomains are identified, verify their existence by accessing them through a web browser or using tools like curl or wget. This step helps confirm if the subdomains are active and accessible.

  6. Exploit: If any subdomains are found to be active and accessible, further exploit them using appropriate techniques, such as subdomain takeover, vulnerability scanning, or other attack vectors.

Mitigation

To mitigate the risk of reverse BF attacks, consider implementing the following measures:

  • Avoid predictable subdomain names for sensitive hosts; names like admin, vpn or dev are the first entries in every wordlist.
  • Regularly monitor DNS records for any unauthorized changes or additions.
  • Apply response rate limiting on authoritative servers to slow down automated subdomain enumeration.
  • Use DNS security extensions (DNSSEC) to ensure the integrity and authenticity of DNS responses, preferring NSEC3 over plain NSEC so that the signed zone cannot simply be walked.
  • Watch authoritative server query logs for bursts of NXDOMAIN responses from a single source, which is what a wordlist run looks like.

Conclusion

Reverse BF is a powerful technique for discovering subdomains and can provide valuable information for further penetration testing or vulnerability assessment. By understanding this technique and implementing appropriate mitigation measures, organizations can better protect their DNS infrastructure from potential attacks.

dnsrecon -r 127.0.0.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>   #DNS reverse of all of the addresses
dnsrecon -d active.htb -a -n <IP_DNS> #Zone transfer

{% hint style="info" %} If you find subdomains resolving to internal IP addresses, you should try to perform a reverse DNS BF against the NSs of the domain, asking for that IP range. {% endhint %}

Another tool to do so: https://github.com/amine7536/reverse-scan

You can query reverse IP ranges to https://bgp.he.net/net/205.166.76.0/24#_dns (this tool is also helpful with BGP).

DNS - Subdomains BF

dnsenum --dnsserver <IP_DNS> --enum -p 0 -s 0 -o subdomains.txt -f subdomains-1000.txt <DOMAIN>
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan

Active Directory servers

Overview

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It provides a centralized location for managing and organizing network resources, such as users, computers, and groups. AD servers play a crucial role in the authentication and authorization process within a Windows domain.

Pentesting Active Directory Servers

When pentesting AD servers, there are several techniques and tools that can be used to identify vulnerabilities and potential attack vectors. Some of these techniques include:

  • Enumeration: Enumerating AD servers can provide valuable information about the network, such as domain names, domain controllers, and trust relationships. Tools like nmap and ldapsearch can be used for this purpose.

  • Brute-forcing: Brute-forcing AD servers involves attempting to guess usernames and passwords to gain unauthorized access. Tools like Hydra and Mimikatz can be used for this purpose.

  • Exploiting misconfigurations: AD servers can be vulnerable to misconfigurations that can be exploited to gain unauthorized access or escalate privileges. Common misconfigurations include weak passwords, insecure group policies, and unpatched vulnerabilities.

  • Pass-the-Hash attacks: Pass-the-Hash attacks involve using the hash of a user's password to authenticate as that user without knowing the actual password. Tools like Mimikatz can be used for this purpose.

  • Kerberoasting: Kerberoasting is a technique that involves extracting service account credentials from AD servers. These credentials can then be cracked offline to gain unauthorized access. Tools like Rubeus can be used for this purpose.

  • Golden Ticket attacks: Golden Ticket attacks involve forging Kerberos tickets to gain unauthorized access to AD servers. Tools like Mimikatz can be used for this purpose.

Conclusion

Pentesting AD servers is an essential part of assessing the security of a Windows domain network. By identifying vulnerabilities and potential attack vectors, organizations can take proactive measures to secure their AD infrastructure and protect sensitive data.

dig -t SRV _gc._tcp.lab.domain.com
dig -t SRV _ldap._tcp.lab.domain.com
dig -t SRV _kerberos._tcp.lab.domain.com
dig -t SRV _kpasswd._tcp.lab.domain.com

nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN>
nslookup -type=srv _kerberos._tcp.domain.com

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"

DNSSec

DNSSec (Domain Name System Security Extensions) is a set of security extensions for DNS that provide authentication and integrity for DNS responses. DNSSec uses digital signatures to verify the authenticity of DNS data, ensuring that the responses received are from legitimate sources and have not been tampered with.

DNSSec protects against various DNS attacks, such as DNS cache poisoning and man-in-the-middle attacks. By validating the authenticity of DNS responses, DNSSec helps prevent attackers from redirecting users to malicious websites or intercepting their communications.

To implement DNSSec, a DNS zone must be signed with a private key, and the corresponding public key must be published in the DNS. When a client requests DNS information, the server signs the response with the private key, and the client can verify the signature using the public key. If the signature is valid, the client can trust the response.

While DNSSec provides enhanced security for DNS, it is not widely adopted. Many DNS servers and clients do not support DNSSec, and configuring DNSSec can be complex. Additionally, DNSSec does not protect against all types of DNS attacks, such as denial-of-service attacks.

Overall, DNSSec is a valuable security measure for DNS, but its implementation and adoption are still limited. It is important for organizations to assess the risks and benefits of implementing DNSSec in their DNS infrastructure.

#Query paypal subdomains to ns3.isc-sns.info
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info

IPv6

Brute force using "AAAA" requests to gather IPv6 of the subdomains.

dnsdict6 -s -t <domain>

Bruteforce reverse DNS using IPv6 addresses

To bruteforce reverse DNS using IPv6 addresses, you can follow these steps:

  1. Generate a list of possible IPv6 addresses that you want to bruteforce reverse DNS for. You can use tools like ipv6gen or fcrackzip to generate a list of possible addresses.

  2. Use a DNS lookup tool like nslookup or dig to perform reverse DNS lookups for each IPv6 address in your list. For example, you can use the following command with nslookup:

    nslookup -type=PTR <IPv6_address>
    

    This will return the reverse DNS record for the specified IPv6 address.

  3. Analyze the results of the reverse DNS lookups. Look for any patterns or interesting information that can help you in your pentesting activities. For example, you might find subdomains or hostnames that are associated with the IPv6 addresses.

  4. Repeat the process for all the IPv6 addresses in your list.

By bruteforcing reverse DNS using IPv6 addresses, you can gather valuable information about the target network and potentially discover vulnerabilities or misconfigurations that can be exploited during a pentest.

dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 #Will use the dns pri.authdns.ripe.net

DNS Recursion DDoS

If DNS recursion is enabled, an attacker could spoof the source address of the UDP packet so that the DNS server sends its response to a victim server. An attacker could abuse ANY or DNSSEC record types, as they tend to produce the largest responses.
The way to check whether a DNS server supports recursion is to query a domain name and check whether the flag "ra" (recursion available) is present in the response:

dig google.com A @<IP>
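As an added example (not from the original page), the same "ra" check done by hand: build a minimal DNS query, send it to the server given on the command line, and read the flag bits out of the response header.

```python
import secrets
import socket
import struct
import sys

# Added example, not from the original page: hand-roll the "ra" check that
# the dig command above performs, so the header bits are visible.

def build_query(name, qtype=1, txid=None):
    """Return (txid, wire_query) for an A (qtype=1) question with RD set."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_flags(response):
    """Decode the header flags of a DNS message into named bits."""
    if len(response) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # this is a response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated, retry over TCP
        "rd": bool(flags & 0x0100),  # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),  # recursion available: the bit we care about
        "rcode": flags & 0x000F,
    }

def recursion_available(server, name="google.com", timeout=3.0):
    """Send one UDP query to <server>:53 and report whether it offers recursion."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    flags = parse_flags(data)
    if flags["id"] != txid or not flags["qr"]:
        raise ValueError("not a response to our query (id/qr mismatch)")
    return flags["ra"]

if __name__ == "__main__":
    server = sys.argv[1]  # e.g. the <IP> from the dig command
    print(f"{server}: recursion available = {recursion_available(server)}")
```

A server that answers with `ra` set to outside clients is an open resolver; restricting `allow-recursion` (see the Bind settings further down) makes the bit drop to 0 for them.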

Mail to nonexistent account

Through the examination of a nondelivery notification (NDN) triggered by an email sent to an invalid address within a target domain, valuable internal network details are often disclosed.

The provided nondelivery report includes information such as:

  • The generating server was identified as server.example.com.
  • A failure notice for user@example.com with the error code #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found was returned.
  • Internal IP addresses and hostnames were disclosed in the original message headers.

The original message headers were modified for anonymity and now present randomized data:

Generating server: server.example.com

user@example.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##

Original message headers:

Received: from MAILSERVER01.domain.example.com (192.168.1.1) by
mailserver02.domain.example.com (192.168.2.2) with Microsoft SMTP Server (TLS)
id 14.3.174.1; Mon, 25 May 2015 14:52:22 -0700
Received: from filter.example.com (203.0.113.1) by
MAILSERVER01.domain.example.com (192.168.1.1) with Microsoft SMTP Server (TLS)
id 14.3.174.1; Mon, 25 May 2015 14:51:22 -0700
X-ASG-Debug-ID: 1432576343-0614671716190e0d0001-zOQ9WJ
Received: from gateway.domainhost.com (gateway.domainhost.com [198.51.100.37]) by
filter.example.com with ESMTP id xVNPkwaqGgdyH5Ag for user@example.com; Mon,
25 May 2015 14:52:13 -0700 (PDT)
X-Envelope-From: sender@anotherdomain.org
X-Apparent-Source-IP: 198.51.100.37
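As an added example (not part of the original page), a small triage script that pulls the hostname/IP pairs out of the Received chain of a bounce like the one above and flags the RFC 1918 ones; the sample headers are the anonymised ones shown above, embedded as a constructed string.

```python
import ipaddress
import re

# Added example, not from the original page: scan the headers of a bounce
# (NDN) for hostname/IP pairs and flag the ones in RFC 1918 space, i.e.
# internal infrastructure leaking through the mail path.

# Constructed sample, copied from the anonymised headers shown above.
SAMPLE_NDN_HEADERS = """\
Received: from MAILSERVER01.domain.example.com (192.168.1.1) by
mailserver02.domain.example.com (192.168.2.2) with Microsoft SMTP Server (TLS)
id 14.3.174.1; Mon, 25 May 2015 14:52:22 -0700
Received: from filter.example.com (203.0.113.1) by
MAILSERVER01.domain.example.com (192.168.1.1) with Microsoft SMTP Server (TLS)
id 14.3.174.1; Mon, 25 May 2015 14:51:22 -0700
Received: from gateway.domainhost.com (gateway.domainhost.com [198.51.100.37]) by
filter.example.com with ESMTP id xVNPkwaqGgdyH5Ag for user@example.com; Mon,
25 May 2015 14:52:13 -0700 (PDT)
X-Apparent-Source-IP: 198.51.100.37
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# hostname followed by an IPv4 address in () or [], as written in Received headers
HOST_IP = re.compile(r"([A-Za-z0-9.-]+)\s+[(\[]+(\d{1,3}(?:\.\d{1,3}){3})[)\]]+")

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def find_hops(headers):
    """Return unique (hostname, ip) pairs in order of appearance."""
    seen, hops = set(), []
    for host, ip in HOST_IP.findall(headers):
        if (host, ip) not in seen:
            seen.add((host, ip))
            hops.append((host, ip))
    return hops

def leaked_internal_hosts(headers):
    """Only the hops whose address is private (RFC 1918)."""
    return [(h, ip) for h, ip in find_hops(headers) if is_rfc1918(ip)]

if __name__ == "__main__":
    for host, ip in leaked_internal_hosts(SAMPLE_NDN_HEADERS):
        print(f"internal host disclosed: {host} ({ip})")
```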

Config files

Introduction

Config files, short for configuration files, are files that contain settings and parameters for various applications and services. These files are commonly used in the context of network services, including DNS servers.

Importance of Config Files in DNS Pentesting

During DNS pentesting, config files play a crucial role as they provide valuable information about the DNS server's configuration and settings. By analyzing these files, a pentester can identify potential vulnerabilities and misconfigurations that can be exploited.

Common Config Files in DNS Servers

1. named.conf

The named.conf file is the main configuration file for the BIND DNS server. It contains global settings, zone configurations, and options for various DNS-related features. Pentesters can analyze this file to identify potential security weaknesses, such as misconfigured access controls or insecure zone transfers.

2. named.conf.local

The named.conf.local file is used to define local zone configurations in the BIND DNS server. It includes settings for authoritative zones, forwarders, and other local DNS configurations. Pentesters can examine this file to identify potential misconfigurations or vulnerabilities specific to the local DNS setup.

3. named.conf.options

The named.conf.options file contains global options and settings for the BIND DNS server. It includes parameters related to logging, recursion, caching, and other DNS server functionalities. Pentesters can review this file to identify potential security weaknesses or misconfigurations that can be exploited.

Conclusion

Config files are essential resources for DNS pentesters as they provide valuable insights into the DNS server's configuration and settings. By analyzing these files, pentesters can identify potential vulnerabilities and misconfigurations, allowing them to conduct effective penetration testing.

host.conf
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*

Dangerous Settings

In a Bind configuration, the following options decide who may query, recurse and pull zones, and are worth reviewing:

| Option | Description |
| --- | --- |
| allow-query | Defines which hosts are allowed to send requests to the DNS server. |
| allow-recursion | Defines which hosts are allowed to send recursive requests to the DNS server. |
| allow-transfer | Defines which hosts are allowed to receive zone transfers from the DNS server. |
| zone-statistics | Collects statistical data of zones. |
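As an added example (not from the original page), a weak `options` block beside a hardened one and a small checker for the directives in the table above; both named.conf fragments are constructed samples, and the ACL names in them are made up.

```python
import re

# Added example, not from the original page: audit the Bind options in the
# table above. Both named.conf fragments are constructed samples.

WEAK_OPTIONS = """\
options {
    allow-query { any; };
    allow-recursion { any; };   // open resolver: usable for amplification
    allow-transfer { any; };    // anyone can pull every zone with AXFR
    zone-statistics yes;
};
"""

HARDENED_OPTIONS = """\
acl internal { 127.0.0.1; 10.0.0.0/8; };
acl secondaries { 10.0.0.53; };
options {
    allow-query { any; };               // fine for an authoritative server
    allow-recursion { internal; };      // recursion only for our own clients
    allow-transfer { secondaries; };    // AXFR only to the known secondaries
    zone-statistics yes;
};
"""

# allow-query { any; } is expected on an authoritative server, so only the
# directives that hand out recursion or whole zones are flagged on "any".
DANGEROUS_IF_ANY = ("allow-recursion", "allow-transfer")

def strip_comments(conf):
    """Remove the three Bind comment styles: // ..., # ... and /* ... */."""
    return re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)

def parse_acl_directives(conf):
    """Map each allow-* directive to its list of address-match entries."""
    found = {}
    for name, body in re.findall(r"\b(allow-[a-z-]+)\s*\{([^}]*)\}", strip_comments(conf)):
        found[name] = [e.strip() for e in body.split(";") if e.strip()]
    return found

def audit(conf):
    """Return findings for wide-open or unset directives (empty list = clean)."""
    directives = parse_acl_directives(conf)
    findings = []
    for name in DANGEROUS_IF_ANY:
        if name not in directives:
            findings.append(f"{name} not set explicitly: the Bind default applies")
        elif "any" in directives[name]:
            findings.append(f"{name} {{ any; }}: open to every host")
    return findings
```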

HackTricks Automatic Commands

Protocol_Name: DNS    #Protocol Abbreviation if there is one.
Port_Number:  53     #Comma separated if there is more than one.
Protocol_Description: Domain Name Service        #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for DNS
Note: |
#These are the commands I run every time I see an open DNS port

dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name}
dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name}
dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name}
dig axfr @{IP}
dig axfr {Domain_Name} @{IP}
nslookup
SERVER {IP}
127.0.0.1
{IP}
Domain_Name
exit

https://book.hacktricks.xyz/pentesting/pentesting-dns

Entry_2:
Name: Banner Grab
Description: Grab DNS Banner
Command: dig version.bind CHAOS TXT @DNS

Entry_3:
Name: Nmap Vuln Scan
Description: Scan for Vulnerabilities with Nmap
Command: nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP}

Entry_4:
Name: Zone Transfer
Description: Three attempts at forcing a zone transfer
Command: dig axfr @{IP} && dig axfr @{IP} {Domain_Name} && fierce --dns-servers {IP} --domain {Domain_Name}


Entry_5:
Name: Active Directory
Description: Enumerate a DC via DNS
Command: dig -t SRV _gc._tcp.{Domain_Name} && dig -t SRV _ldap._tcp.{Domain_Name} && dig -t SRV _kerberos._tcp.{Domain_Name} && dig -t SRV _kpasswd._tcp.{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}"

Entry_6:
Name: consoleless msf enumeration
Description: DNS enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit'
