mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
345 lines
15 KiB
Markdown
345 lines
15 KiB
Markdown
# 53 - Pentesting DNS
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
## **Basic Information**
|
|
|
|
The **Domain Name System (DNS)** serves as the internet's directory, allowing users to access websites through **easy-to-remember domain names** like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world.
|
|
|
|
**Default port:** 53
|
|
|
|
```
|
|
PORT STATE SERVICE REASON
|
|
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
|
|
5353/udp open zeroconf udp-response
|
|
53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
|
|
```
|
|
|
|
### Different DNS Servers
|
|
|
|
* **DNS Root Servers**: These are at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (**ICANN**) oversees their operation, with a global count of 13.
|
|
* **Authoritative Nameservers**: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers.
|
|
* **Non-authoritative Nameservers**: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers.
|
|
* **Caching DNS Server**: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server.
|
|
* **Forwarding Server**: Serving a straightforward role, forwarding servers simply relay queries to another server.
|
|
* **Resolver**: Integrated within computers or routers, resolvers execute name resolution locally and are not considered authoritative.
|
|
|
|
## Enumeration
|
|
|
|
### **Banner Grabbing**
|
|
|
|
There aren't banners in DNS but you can gran the macgic query for `version.bind. CHAOS TXT` which will work on most BIND nameservers.\
|
|
You can perform this query using `dig`:
|
|
|
|
```bash
|
|
dig version.bind CHAOS TXT @DNS
|
|
```
|
|
|
|
Moreover, the tool [`fpdns`](https://github.com/kirei/fpdns) can also fingerprint the server.
|
|
|
|
It's also possible to grab the banner also with a **nmap** script:
|
|
|
|
```
|
|
--script dns-nsid
|
|
```
|
|
|
|
### **Any record**
|
|
|
|
The record **ANY** will ask the DNS server to **return** all the available **entries** that **it is willing to disclose**.
|
|
|
|
```bash
|
|
dig any victim.com @<DNS_IP>
|
|
```
|
|
|
|
### **Zone Transfer**
|
|
|
|
This procedure is abbreviated `Asynchronous Full Transfer Zone` (`AXFR`).
|
|
|
|
```bash
|
|
dig axfr @<DNS_IP> #Try zone transfer without domain
|
|
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
|
|
fierce --domain <DOMAIN> --dns-servers <DNS_IP> #Will try toperform a zone transfer against every authoritative name server and if this doesn'twork, will launch a dictionary attack
|
|
```
|
|
|
|
### More info
|
|
|
|
```bash
|
|
dig ANY @<DNS_IP> <DOMAIN> #Any information
|
|
dig A @<DNS_IP> <DOMAIN> #Regular DNS request
|
|
dig AAAA @<DNS_IP> <DOMAIN> #IPv6 DNS request
|
|
dig TXT @<DNS_IP> <DOMAIN> #Information
|
|
dig MX @<DNS_IP> <DOMAIN> #Emails related
|
|
dig NS @<DNS_IP> <DOMAIN> #DNS that resolves that name
|
|
dig -x 192.168.0.2 @<DNS_IP> #Reverse lookup
|
|
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup
|
|
|
|
#Use [-p PORT] or -6 (to use ivp6 address of dns)
|
|
```
|
|
|
|
#### Automation
|
|
|
|
```bash
|
|
for sub in $(cat <WORDLIST>);do dig $sub.<DOMAIN> @<DNS_IP> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
|
|
|
|
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>
|
|
```
|
|
|
|
#### Using nslookup
|
|
|
|
```bash
|
|
nslookup
|
|
> SERVER <IP_DNS> #Select dns server
|
|
> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...
|
|
> <IP_MACHINE> #Reverse lookup of a machine, maybe...
|
|
```
|
|
|
|
### Useful metasploit modules
|
|
|
|
```bash
|
|
auxiliary/gather/enum_dns #Perform enumeration actions
|
|
```
|
|
|
|
### Useful nmap scripts
|
|
|
|
```bash
|
|
#Perform enumeration actions
|
|
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>
|
|
```
|
|
|
|
### DNS - Reverse BF
|
|
|
|
```bash
|
|
dnsrecon -r 127.0.0.0/24 -n <IP_DNS> #DNS reverse of all of the addresses
|
|
dnsrecon -r 127.0.1.0/24 -n <IP_DNS> #DNS reverse of all of the addresses
|
|
dnsrecon -r <IP_DNS>/24 -n <IP_DNS> #DNS reverse of all of the addresses
|
|
dnsrecon -d active.htb -a -n <IP_DNS> #Zone transfer
|
|
```
|
|
|
|
{% hint style="info" %}
|
|
If you are able to find subdomains resolving to internal IP-addresses, you should try to perform a reverse dns BF to the NSs of the domain asking for that IP range.
|
|
{% endhint %}
|
|
|
|
Another tool to do so: [https://github.com/amine7536/reverse-scan](https://github.com/amine7536/reverse-scan)
|
|
|
|
You can query reverse IP ranges to [https://bgp.he.net/net/205.166.76.0/24#\_dns](https://bgp.he.net/net/205.166.76.0/24#\_dns) (this tool is also helpful with BGP).
|
|
|
|
### DNS - Subdomains BF
|
|
|
|
```bash
|
|
dnsenum --dnsserver <IP_DNS> --enum -p 0 -s 0 -o subdomains.txt -f subdomains-1000.txt <DOMAIN>
|
|
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
|
|
dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan
|
|
```
|
|
|
|
### Active Directory servers
|
|
|
|
```bash
|
|
dig -t _gc._tcp.lab.domain.com
|
|
dig -t _ldap._tcp.lab.domain.com
|
|
dig -t _kerberos._tcp.lab.domain.com
|
|
dig -t _kpasswd._tcp.lab.domain.com
|
|
|
|
nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN>
|
|
nslookup -type=srv _kerberos._tcp.domain.com
|
|
|
|
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"
|
|
```
|
|
|
|
### DNSSec
|
|
|
|
```bash
|
|
#Query paypal subdomains to ns3.isc-sns.info
|
|
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info
|
|
```
|
|
|
|
### IPv6
|
|
|
|
Brute force using "AAAA" requests to gather IPv6 of the subdomains.
|
|
|
|
```bash
|
|
dnsdict6 -s -t <domain>
|
|
```
|
|
|
|
Bruteforce reverse DNS in using IPv6 addresses
|
|
|
|
```bash
|
|
dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 #Will use the dns pri.authdns.ripe.net
|
|
```
|
|
|
|
### DNS Recursion DDoS
|
|
|
|
If **DNS recursion is enabled**, an attacker could **spoof** the **origin** on the UDP packet in order to make the **DNS send the response to the victim server**. An attacker could abuse **ANY** or **DNSSEC** record types as they use to have the bigger responses.\
|
|
The way to **check** if a DNS supports **recursion** is to query a domain name and **check** if the **flag "ra"** (_recursion available_) is in the response:
|
|
|
|
```bash
|
|
dig google.com A @<IP>
|
|
```
|
|
|
|
**Non available**:
|
|
|
|
![](<../.gitbook/assets/image (123).png>)
|
|
|
|
**Available**:
|
|
|
|
![](<../.gitbook/assets/image (146).png>)
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
### Mail to nonexistent account
|
|
|
|
Through the examination of a nondelivery notification (NDN) triggered by an email sent to an invalid address within a target domain, valuable internal network details are often disclosed.
|
|
|
|
The provided nondelivery report includes information such as:
|
|
|
|
* The generating server was identified as `server.example.com`.
|
|
* A failure notice for `user@example.com` with the error code `#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found` was returned.
|
|
* Internal IP addresses and hostnames were disclosed in the original message headers.
|
|
|
|
```markdown
|
|
The original message headers were modified for anonymity and now present randomized data:
|
|
|
|
Generating server: server.example.com
|
|
|
|
user@example.com
|
|
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
|
|
|
|
Original message headers:
|
|
|
|
Received: from MAILSERVER01.domain.example.com (192.168.1.1) by
|
|
mailserver02.domain.example.com (192.168.2.2) with Microsoft SMTP Server (TLS)
|
|
id 14.3.174.1; Mon, 25 May 2015 14:52:22 -0700
|
|
Received: from filter.example.com (203.0.113.1) by
|
|
MAILSERVER01.domain.example.com (192.168.1.1) with Microsoft SMTP Server (TLS)
|
|
id 14.3.174.1; Mon, 25 May 2015 14:51:22 -0700
|
|
X-ASG-Debug-ID: 1432576343-0614671716190e0d0001-zOQ9WJ
|
|
Received: from gateway.domainhost.com (gateway.domainhost.com [198.51.100.37]) by
|
|
filter.example.com with ESMTP id xVNPkwaqGgdyH5Ag for user@example.com; Mon,
|
|
25 May 2015 14:52:13 -0700 (PDT)
|
|
X-Envelope-From: sender@anotherdomain.org
|
|
X-Apparent-Source-IP: 198.51.100.37
|
|
```
|
|
|
|
## Config files
|
|
|
|
```
|
|
host.conf
|
|
/etc/resolv.conf
|
|
/etc/bind/named.conf
|
|
/etc/bind/named.conf.local
|
|
/etc/bind/named.conf.options
|
|
/etc/bind/named.conf.log
|
|
/etc/bind/*
|
|
```
|
|
|
|
Dangerous settings when configuring a Bind server:
|
|
|
|
| **Option** | **Description** |
|
|
| ----------------- | ------------------------------------------------------------------------------ |
|
|
| `allow-query` | Defines which hosts are allowed to send requests to the DNS server. |
|
|
| `allow-recursion` | Defines which hosts are allowed to send recursive requests to the DNS server. |
|
|
| `allow-transfer` | Defines which hosts are allowed to receive zone transfers from the DNS server. |
|
|
| `zone-statistics` | Collects statistical data of zones. |
|
|
|
|
## References
|
|
|
|
* [https://www.myrasecurity.com/en/knowledge-hub/dns/](https://www.myrasecurity.com/en/knowledge-hub/dns/)
|
|
* Book: **Network Security Assessment 3rd edition**
|
|
|
|
## HackTricks Automatic Commands
|
|
|
|
```
|
|
Protocol_Name: DNS #Protocol Abbreviation if there is one.
|
|
Port_Number: 53 #Comma separated if there is more than one.
|
|
Protocol_Description: Domain Name Service #Protocol Abbreviation Spelled out
|
|
|
|
Entry_1:
|
|
Name: Notes
|
|
Description: Notes for DNS
|
|
Note: |
|
|
#These are the commands I run every time I see an open DNS port
|
|
|
|
dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name}
|
|
dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name}
|
|
dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name}
|
|
dig axfr @{IP}
|
|
dig axfr {Domain_Name} @{IP}
|
|
nslookup
|
|
SERVER {IP}
|
|
127.0.0.1
|
|
{IP}
|
|
Domain_Name
|
|
exit
|
|
|
|
https://book.hacktricks.xyz/pentesting/pentesting-dns
|
|
|
|
Entry_2:
|
|
Name: Banner Grab
|
|
Description: Grab DNS Banner
|
|
Command: dig version.bind CHAOS TXT @DNS
|
|
|
|
Entry_3:
|
|
Name: Nmap Vuln Scan
|
|
Description: Scan for Vulnerabilities with Nmap
|
|
Command: nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP}
|
|
|
|
Entry_4:
|
|
Name: Zone Transfer
|
|
Description: Three attempts at forcing a zone transfer
|
|
Command: dig axfr @{IP} && dix axfr @{IP} {Domain_Name} && fierce --dns-servers {IP} --domain {Domain_Name}
|
|
|
|
|
|
Entry_5:
|
|
Name: Active Directory
|
|
Description: Eunuerate a DC via DNS
|
|
Command: dig -t _gc._{Domain_Name} && dig -t _ldap._{Domain_Name} && dig -t _kerberos._{Domain_Name} && dig -t _kpasswd._{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}"
|
|
|
|
Entry_6:
|
|
Name: consolesless mfs enumeration
|
|
Description: DNS enumeration without the need to run msfconsole
|
|
Note: sourced from https://github.com/carlospolop/legion
|
|
Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit'
|
|
```
|
|
|
|
<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
|
|
|
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|