    QUERYING DNS

    TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.
Any organization with a website is registered in DNS. It doesn't matter if they are in Manhattan, NY or Los Angeles, CA: the host name in the URL they use resolves to the IP address of their web server.

Querying DNS is a great way to learn which IP ranges a target organization owns. We usually know at least one piece of information about a company: their URL. From that, we can easily query DNS for the IP address of the web server.

On a command line, type the following:

    # nslookup trojanhorsesecurity.com
    Server:        192.168.1.1
    Address:    192.168.1.1#53

    Non-authoritative answer:
    Name:    trojanhorsesecurity.com
    Address: 23.236.62.147

As you can see, nslookup gives us the IP address the host name resolves to. Now we can take this IP address and use it with the whois command we learnt earlier to see whether the target owns any other IP addresses in that subnet.

What if we want to see whether the target owns other systems, such as email servers or FTP servers? For example:

ftp.TrojanHorseSecurity.com

mail.TrojanHorseSecurity.com

We could issue the following commands in nslookup:

    # nslookup
    > set type=mx
    > trojanhorsesecurity.com
    Server:        192.168.1.1
    Address:    192.168.1.1#53

    Non-authoritative answer:
    trojanhorsesecurity.com    mail exchanger=1 ASPMX.L.GOOGLE.com.
    trojanhorsesecurity.com    mail exchanger=5 ALT2.ASPMX.L.GOOGLE.com.
    trojanhorsesecurity.com    mail exchanger=10 ASPMX2.GOOGLEMAIL.com.
    trojanhorsesecurity.com    mail exchanger=10 ASPMX3.GOOGLEMAIL.com.
    trojanhorsesecurity.com    mail exchanger=5 ALT1.ASPMX.L.GOOGLE.com.

    Authoritative answers can be found from:
    ALT1.ASPMX.L.GOOGLE.com    internet address=74.125.193.27
    ASPMX3.GOOGLEMAIL.com    internet address=64.233.185.27
    ASPMX2.GOOGLEMAIL.com    internet address=74.125.193.27
    ALT2.ASPMX.L.GOOGLE.com    internet address=64.233.185.26
    ASPMX.L.GOOGLE.com    internet address=74.125.129.27

Now we know more IP addresses the target uses for email, which we can again plug into whois.
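
The nslookup session above shows the resolver's answer as text. The following Python script, added here as an example and not code from the original page, builds the same MX query on the wire (RFC 1035 format), sends it over UDP to a resolver of your choosing, and parses the reply, including the name compression that lets a suffix such as the domain name be spelled once and referenced by pointer. The reply for example.com is constructed inline so the parser can be exercised offline; the server address, query names, TTLs and record values are assumptions. One caveat when feeding mail exchanger addresses into whois: when a domain uses a hosted mail service, as the GOOGLE.com and GOOGLEMAIL.com exchangers above suggest, whois reports the provider's address block, not the target's.

```python
import secrets
import socket
import struct

QTYPE_A, QTYPE_MX, QCLASS_IN = 1, 15, 1   # record types and class, RFC 1035


def encode_name(name):
    """Encode a dotted host name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=None):
    """Build the packet nslookup sends after 'set type=mx' (or 'set type=a')."""
    if txid is None:
        txid = secrets.randbits(16)   # random ID so the reply can be matched to this query
    flags = 0x0100                    # QR=0 (query), RD=1 (ask the server to recurse)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:     # two-byte pointer to an earlier copy of the suffix
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Parse header, question and answer sections; decode A and MX rdata."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_MX:       # preference, then a (possibly compressed) exchange name
            value = (struct.unpack("!H", rdata[:2])[0], read_name(msg, offset + 2)[0])
        else:
            value = rdata
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def mx_hosts(response):
    """Return [(preference, exchange), ...] sorted by preference, as nslookup lists them."""
    return sorted(v for _n, t, _ttl, v in response["answers"] if t == QTYPE_MX)


def query_server(name, qtype, server, timeout=3.0):
    """Send one UDP query to a resolver (e.g. the 192.168.1.1 seen above) and parse the reply."""
    txid = secrets.randbits(16)
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply = sock.recv(4096)
    response = parse_response(reply)
    if response["id"] != txid:        # a reply with a foreign ID is not an answer to our question
        raise ValueError("transaction ID mismatch")
    return response


def sample_mx_response(query):
    """Constructed reply (not captured traffic) to an MX query for example.com: two MX records."""
    txid = struct.unpack("!H", query[:2])[0]
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0) + query[12:]   # QR=1 RD=1 RA=1, rcode 0
    qname = struct.pack("!H", 0xC000 | 12)                                # pointer to the question name
    for pref, exchange in ((20, b"\x06backup" + qname), (10, b"\x04mail" + qname)):
        rdata = struct.pack("!H", pref) + exchange
        msg += qname + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_MX, txid=0x1234)
    for pref, exch in mx_hosts(parse_response(sample_mx_response(q))):
        print("example.com\tmail exchanger = %d %s" % (pref, exch))
```

To run it against a live resolver, call query_server("trojanhorsesecurity.com", QTYPE_MX, "192.168.1.1") with your own resolver address. The transaction ID check is the minimum a client should do; a recursive resolver additionally validates the source port and the echoed question before accepting an answer.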

There are, however, easier and quicker ways to get this information. One tool that can achieve this is fierce. Fierce will identify the domain's DNS servers, attempt a zone transfer and brute-force host names from a wordlist.

    # fierce -dns google.com -wordlist /usr/share/fierce/hosts.txt
    DNS Servers for google.com:
        ns4.google.com
        ns2.google.com
        ns3.google.com
        ns1.google.com

    Trying zone transfer first...
        Testing ns4.google.com
            Request timed out or transfer not allowed.
        Testing ns2.google.com
            Request timed out or transfer not allowed.
        Testing ns3.google.com
            Request timed out or transfer not allowed.
        Testing ns1.google.com
            Request timed out or transfer not allowed.

    Unsuccessful in zone transfer (it was worth a shot)
    Okay, trying the good old fashioned way... brute force

    Checking for wildcard DNS...
    Nope. Good.
    Now performing 2280 test(s)...
    173.194.33.178    academico.google.com
    74.125.20.84    accounts.google.com
    173.194.33.166    admin.google.com

    74.125.20.138    ads.google.com
    173.194.33.162    alerts.google.com
    173.194.33.176    ap.google.com
    173.194.33.166    apps.google.com

    <snip>

Fierce gives us plenty of information we can plug back into whois to find all the IP ranges of our target. Proper DNS enumeration is essential for any penetration test. Knowing what information is leaking onto the Internet is also very useful for a company in a cyber security audit.
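
Fierce's "Checking for wildcard DNS" step matters because a zone with a wildcard record answers for every name, which makes every wordlist entry look like a hit. The following Python script, added here as an example and not code from the page or from fierce, shows that check and the filtering that follows it: it resolves a few random labels first, records any address they return, then keeps a wordlist entry only if it resolves to something the wildcard did not produce. It takes an injected resolve() function so the constructed example.com zones (not real DNS data) run offline; system_resolve() is the OS-backed resolver a company could plug in to audit which names in its own zone are exposed. All names, addresses and the wordlist are assumptions.

```python
import secrets
import socket
import string


def random_label(length=12):
    """A label that is vanishingly unlikely to exist in any zone, used to probe for a wildcard."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random names under the domain; any addresses returned come from a wildcard."""
    wildcard = set()
    for _ in range(probes):
        wildcard.update(resolve("%s.%s" % (random_label(), domain)))
    return wildcard


def enumerate_hosts(domain, wordlist, resolve):
    """Check each candidate name; keep only those with an address the wildcard did not produce."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        host = "%s.%s" % (word, domain)
        real = set(resolve(host)) - wildcard   # drop answers that are only wildcard noise
        if real:
            found[host] = sorted(real)
    return wildcard, found


def system_resolve(host):
    """Resolver backed by the OS stub resolver; returns [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


# Constructed zones for offline use (not real DNS data; 198.51.100.0/24 is a documentation range)
SAMPLE_ZONE = {
    "www.example.com": ["198.51.100.10"],
    "mail.example.com": ["198.51.100.25"],
    "ftp.example.com": ["198.51.100.21"],
}
WILDCARD_ZONE = dict(SAMPLE_ZONE, **{"*.example.com": ["198.51.100.99"]})

# Constructed wordlist; fierce reads a much longer one from /usr/share/fierce/hosts.txt
WORDLIST = ["www", "mail", "ftp", "admin", "vpn"]


def make_resolver(zone):
    """Return a resolve(host) function that answers from a dict, honouring a '*.parent' entry."""
    def resolve(host):
        if host in zone:
            return list(zone[host])
        parent = host.split(".", 1)[1]
        return list(zone.get("*." + parent, []))
    return resolve


if __name__ == "__main__":
    for label, zone in (("no wildcard", SAMPLE_ZONE), ("wildcard", WILDCARD_ZONE)):
        wildcard, found = enumerate_hosts("example.com", WORDLIST, make_resolver(zone))
        print(label, "->", "Nope. Good." if not wildcard else sorted(wildcard), found)
```

The filter has a blind spot worth knowing: a genuine host whose address happens to equal the wildcard address is discarded along with the noise, and a wildcard that points at a CNAME rather than an A record needs the same treatment applied to the CNAME target. Sending the queries to the zone's authoritative servers rather than a recursive resolver avoids stale cached answers.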

    © 2020  TROJAN HORSE SECURITY INC