QUERYING DNS
TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.
Any organization with a website has a presence in DNS. It doesn't matter whether they are in Manhattan, NY or Los Angeles, CA: the domain name they use resolves to the IP address of a web server. Keep in mind that the address belongs to whoever hosts the site, which may be the organization itself or a hosting provider or CDN.
Querying DNS is a great way to learn more about what IP ranges a target organization uses. We usually know at least one piece of information about a company: its domain name. With that, we can easily query DNS to find the IP address of its web server.
On a command line, type the following:
# nslookup trojanhorsesecurity.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: trojanhorsesecurity.com
Address: 23.236.62.147
As you can see, nslookup gives us the IP address belonging to the hostname. Now we can take this IP address and use it with the whois command we learned earlier to see who the surrounding netblock is allocated to and whether the target owns any other addresses in it.
What if we want to see whether the target runs other systems, such as mail servers or FTP servers? For example:
ftp.TrojanHorseSecurity.com
mail.TrojanHorseSecurity.com
A hostname like ftp.trojanhorsesecurity.com can simply be resolved the same way as the web server. Mail servers are advertised through MX records, so for those we set the query type to mx inside nslookup:
# nslookup
> set type=mx
> trojanhorsesecurity.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
trojanhorsesecurity.com mail exchanger = 1 ASPMX.L.GOOGLE.com.
trojanhorsesecurity.com mail exchanger = 5 ALT2.ASPMX.L.GOOGLE.com.
trojanhorsesecurity.com mail exchanger = 10 ASPMX2.GOOGLEMAIL.com.
trojanhorsesecurity.com mail exchanger = 10 ASPMX3.GOOGLEMAIL.com.
trojanhorsesecurity.com mail exchanger = 5 ALT1.ASPMX.L.GOOGLE.com.
Authoritative answers can be found from:
ALT1.ASPMX.L.GOOGLE.com internet address = 74.125.193.27
ASPMX3.GOOGLEMAIL.com internet address = 64.233.185.27
ASPMX2.GOOGLEMAIL.com internet address = 74.125.193.27
ALT2.ASPMX.L.GOOGLE.com internet address = 64.233.185.26
ASPMX.L.GOOGLE.com internet address = 74.125.129.27
The MX records tell us that the target's mail is handled by Google rather than by a server of its own. Plugging those addresses into whois will return Google's netblocks, not the target's, so what we have learned here is a third-party dependency, not address space the target owns. Had an MX record pointed at a host under the target's own domain, its address would be another one to feed into whois.
There are, however, easier and quicker ways to get this information. One tool that can do this is fierce. Fierce will identify the name servers for the domain, attempt a zone transfer (AXFR) against each of them, check for a wildcard record, and then brute-force hostnames from a wordlist.
# fierce -dns google.com -wordlist /usr/share/fierce/hosts.txt
DNS Servers for google.com:
ns4.google.com
ns2.google.com
ns3.google.com
ns1.google.com
Trying zone transfer first...
Testing ns4.google.com
Request timed out or transfer not allowed.
Testing ns2.google.com
Request timed out or transfer not allowed.
Testing ns3.google.com
Request timed out or transfer not allowed.
Testing ns1.google.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
173.194.33.178 academico.google.com
74.125.20.84 accounts.google.com
173.194.33.166 admin.google.com
74.125.20.138 ads.google.com
173.194.33.162 alerts.google.com
173.194.33.176 ap.google.com
173.194.33.166 apps.google.com
<snip>
Fierce gives us a lot of hostnames and addresses we can plug back into whois to map the IP ranges our target uses. Because brute-forced hits may point at third-party hosting, confirm ownership with whois before treating a range as in scope. Proper DNS enumeration is essential for any penetration test. Knowing what information is leaking onto the Internet is also very useful for a company in a cyber security audit: a name server that permits zone transfers, or hostnames that were never meant to be public, are findings in their own right.
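The fierce workflow shown above (wildcard check, then wordlist brute force, then grouping the hits for whois), written out as an added example in Python. This is not fierce's own code or anything from Trojan Horse Security. It assumes a resolver function that returns the A records for a name; the default uses the operating system's stub resolver, and the example.test zone with its wildcard record is constructed data so the script can run offline. The /24 grouping is a triage assumption; whois reports the real allocation boundaries.

```python
"""Added example (not fierce's code): wildcard-aware subdomain brute force."""
import ipaddress
import random
import socket
import string
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve NAME to its IPv4 addresses with the OS stub resolver.
    Returns [] on NXDOMAIN or any other lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror, UnicodeError):
        return []


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Resolve a few random labels nobody would have registered. If they
    resolve, the zone has a wildcard record and every brute-force 'hit'
    returning those addresses is noise, not a real host."""
    seen: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        seen.update(resolve(f"{label}.{domain}"))
    return seen


def brute_force(domain: str, words: List[str], resolve: Resolver,
                wildcard_ips: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Try WORD.DOMAIN for every wordlist entry and keep the names whose
    addresses are not merely the wildcard answer."""
    wildcard_ips = wildcard_ips or set()
    found: Dict[str, List[str]] = {}
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue
        name = f"{word}.{domain}"
        ips = [ip for ip in resolve(name) if ip not in wildcard_ips]
        if ips:
            found[name] = sorted(ips)
    return found


def group_by_block(found: Dict[str, List[str]], prefix: int = 24) -> Dict[str, List[str]]:
    """Group discovered hosts by /PREFIX so each block needs one whois lookup.
    The /24 is an assumption for triage only; whois gives the real boundaries."""
    blocks: Dict[str, List[str]] = defaultdict(list)
    for name, ips in found.items():
        for ip in ips:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            blocks[str(net)].append(name)
    return {net: sorted(set(hosts)) for net, hosts in sorted(blocks.items())}


def enumerate_domain(domain: str, words: List[str], resolve: Resolver = system_resolver):
    """Full pass: wildcard probe, brute force, then grouping for whois."""
    wildcard = detect_wildcard(domain, resolve)
    hosts = brute_force(domain, words, resolve, wildcard)
    return wildcard, hosts, group_by_block(hosts)


# ---- constructed zone for an offline run; not real DNS data ----
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
    "ftp.example.test": ["203.0.113.10"],
    "vpn.example.test": ["198.51.100.5"],
}
WILDCARD_IP = "203.0.113.99"  # what '*.example.test' answers with


def fake_resolver(name: str) -> List[str]:
    """Behaves like a zone that has a wildcard record pointing at WILDCARD_IP."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return [WILDCARD_IP]
    return []


if __name__ == "__main__":
    # Swap fake_resolver for system_resolver to run against a real domain
    # you are authorized to test.
    words = ["www", "mail", "ftp", "vpn", "admin", "dev"]
    wildcard, hosts, blocks = enumerate_domain("example.test", words, fake_resolver)
    print("wildcard addresses:", sorted(wildcard) or "none")
    for name, ips in hosts.items():
        print(f"{', '.join(ips):16} {name}")
    for net, names in blocks.items():
        print(f"whois {net.split('/')[0]}   # covers {', '.join(names)}")
```

Without the wildcard check, admin.example.test and dev.example.test would both show up as hits at 203.0.113.99, which is exactly the false-positive flood fierce avoids with its "Checking for wildcard DNS..." step.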