
QUERYING DNS

TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.


Any organization with a public website has records in DNS. It doesn't matter whether they are in Manhattan, NY or Los Angeles, CA: the domain name in their URL resolves to the IP address of their web server (or of whoever hosts it for them).

Querying DNS is a great way to learn more about which IP ranges a target organization uses. We usually know at least one piece of information about a company, their URL, so we can easily query DNS for the IP address of the web server.

 

On a command line, type the following:

 

# nslookup trojanhorsesecurity.com
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:    trojanhorsesecurity.com
Address: 23.236.62.147

 

As you can see, nslookup gives us the IP address the hostname resolves to. Now we can take this IP address and use it with the whois command we learned earlier to see who the netblock is registered to and whether the target owns any other IP addresses in that range. Keep in mind that the address may belong to a hosting provider or CDN rather than to the target itself; the whois registrant of the netblock tells you which.

 

What if we want to see whether the target has other systems, such as email or FTP servers? For example:

 

ftp.TrojanHorseSecurity.com

mail.TrojanHorseSecurity.com

 

Hostnames such as ftp.TrojanHorseSecurity.com can simply be looked up directly. Mail servers are advertised through MX records, so for those we set the query type to mx in interactive nslookup:

 

# nslookup
> set type=mx
> trojanhorsesecurity.com
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
trojanhorsesecurity.com    mail exchanger=1 ASPMX.L.GOOGLE.com.
trojanhorsesecurity.com    mail exchanger=5 ALT2.ASPMX.L.GOOGLE.com.
trojanhorsesecurity.com    mail exchanger=10 ASPMX2.GOOGLEMAIL.com.
trojanhorsesecurity.com    mail exchanger=10 ASPMX3.GOOGLEMAIL.com.
trojanhorsesecurity.com    mail exchanger=5 ALT1.ASPMX.L.GOOGLE.com.

Authoritative answers can be found from:
ALT1.ASPMX.L.GOOGLE.com    internet address=74.125.193.27
ASPMX3.GOOGLEMAIL.com    internet address=64.233.185.27
ASPMX2.GOOGLEMAIL.com    internet address=74.125.193.27
ALT2.ASPMX.L.GOOGLE.com    internet address=64.233.185.26
ASPMX.L.GOOGLE.com    internet address=74.125.129.27

 

Now we know more addresses associated with the target. Note, though, that these mail exchangers belong to Google (the target uses Google's hosted mail), so a whois on 74.125.193.27 returns Google's netblock, not the target's. Only hosts that resolve into ranges registered to the target belong on the list we plug back into whois; third-party hosts tell us who the target's providers are, which is useful in its own right but is out of scope for testing.
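To show what nslookup actually sends and receives for the A lookup above and for the MX query, here is an added example (not code from the original page) that builds a DNS query packet by hand and parses a hand-assembled reply, including the name compression that real answers use. The hostnames, transaction id and reply bytes are constructed to mirror the page's sample output; nothing in it touches the network.

```python
import random
import struct

# Added example (not from the original page): the wire-format exchange that
# nslookup performs for "A" and "set type=mx" queries. Hostnames, addresses,
# the transaction id and the reply bytes are constructed to mirror the page's
# sample output; nothing here touches the network.

QTYPE = {"A": 1, "NS": 2, "MX": 15}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=None):
    """The UDP payload a stub resolver sends: 12-byte header, one question, RD=1."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it).

    A compression pointer (top two bits 11) jumps elsewhere in the message. The
    hop limit stops a crafted reply from looping the parser forever.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops, offset = True, hops + 1, pointer
            if hops > 32 or pointer >= len(msg):
                raise ValueError("bad compression pointer")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg, expected_txid):
    """Check the header, skip the question, return the answer section as dicts."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rec = {"name": owner, "type": QTYPE_NAME.get(rtype, rtype), "ttl": ttl,
               "authoritative": bool(flags & 0x0400)}   # AA bit clear = "Non-authoritative answer"
        if rtype == QTYPE["A"]:
            rec["address"] = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == QTYPE["MX"]:
            rec["preference"] = struct.unpack("!H", msg[offset:offset + 2])[0]
            rec["exchange"], _ = decode_name(msg, offset + 2)
        answers.append(rec)
        offset += rdlen
    return answers


def constructed_mx_reply(txid):
    """Hand-assembled reply to an MX query (constructed sample, not a capture).

    Both answers compress their owner name to a pointer at the question (offset 12),
    and the second exchange reuses the first one's labels through another pointer.
    """
    question = encode_name("trojanhorsesecurity.com") + struct.pack("!HH", QTYPE["MX"], 1)
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0) + question
    owner_ptr = struct.pack("!H", 0xC000 | 12)
    first = encode_name("ASPMX.L.GOOGLE.com")
    msg += owner_ptr + struct.pack("!HHIH", QTYPE["MX"], 1, 300, 2 + len(first))
    first_offset = len(msg) + 2                       # where the exchange name will sit
    msg += struct.pack("!H", 1) + first
    second = b"\x04ALT1" + struct.pack("!H", 0xC000 | first_offset)
    msg += owner_ptr + struct.pack("!HHIH", QTYPE["MX"], 1, 300, 2 + len(second))
    msg += struct.pack("!H", 5) + second
    return msg
```

Calling `parse_response(constructed_mx_reply(0x1234), 0x1234)` yields the two mail exchangers with preferences 1 and 5, the owner name `trojanhorsesecurity.com.` recovered through the pointer, and `authoritative` set to False, which is what nslookup reports as "Non-authoritative answer" when a recursive resolver (192.168.1.1 above) answers from cache. The transaction-id check is the only thing that ties a reply to our query over plain UDP, which is why a mismatched id is rejected rather than parsed.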

 

There are, however, easier and quicker ways to get this information. One tool that can do it is fierce. Fierce identifies the domain's name servers, attempts a zone transfer (AXFR) from each of them, and then brute-forces hostnames from a wordlist. A zone transfer, if a name server allows it to anyone, hands over the complete zone in one request; most properly configured servers refuse it, which is why the brute-force step exists. Before brute-forcing, fierce also checks for wildcard DNS, since a zone that answers every name with the same address would otherwise make every word in the list look like a hit.

 

# fierce -dns google.com -wordlist /usr/share/fierce/hosts.txt
DNS Servers for google.com:
    ns4.google.com
    ns2.google.com
    ns3.google.com
    ns1.google.com

Trying zone transfer first...
    Testing ns4.google.com
        Request timed out or transfer not allowed.
    Testing ns2.google.com
        Request timed out or transfer not allowed.
    Testing ns3.google.com
        Request timed out or transfer not allowed.
    Testing ns1.google.com
        Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
173.194.33.178    academico.google.com
74.125.20.84    accounts.google.com
173.194.33.166    admin.google.com
74.125.20.138    ads.google.com
173.194.33.162    alerts.google.com
173.194.33.176    ap.google.com
173.194.33.166    apps.google.com
<snip>

 

Fierce gives us a lot of good information to plug back into whois and find all the IP ranges of our target. Proper DNS enumeration is essential for any penetration test. Equally, knowing what information is leaking onto the Internet (hostnames such as dev, staging or vpn that were never meant to be public, or a name server that still permits zone transfers to anyone) is very useful to a company in a cyber security audit.
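The strategy fierce follows above (try AXFR on each name server, check for wildcard DNS, brute-force from a wordlist, then group what was found into ranges for whois) is short enough to write out. The following is an added example and is not fierce's own code: the resolver and the AXFR call are injected as functions, and the zone, wildcard address, name servers and wordlist are constructed sample data, so it runs offline and the same logic can be pointed at a real resolver when testing a scoped target.

```python
import ipaddress
import random
import string

# Added example (not fierce's own code): the enumeration order the page describes,
# with DNS access injected so it runs offline against a constructed zone.


def try_zone_transfer(axfr, nameservers):
    """Ask each NS for AXFR; return (ns, zone) from the first that allows it."""
    for ns in nameservers:
        zone = axfr(ns)
        if zone:
            return ns, zone
    return None, None


def wildcard_ips(resolve, domain, attempts=3):
    """Resolve random labels under the domain; any answers are wildcard addresses."""
    hits = set()
    for _ in range(attempts):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
        ip = resolve("%s.%s" % (label, domain))
        if ip is not None:
            hits.add(ip)
    return hits


def brute_force(resolve, domain, wordlist, wildcard):
    """Resolve each candidate name, dropping answers that are only the wildcard."""
    found = {}
    for word in wordlist:
        host = "%s.%s" % (word, domain)
        ip = resolve(host)
        if ip is not None and ip not in wildcard:
            found[host] = ip
    return found


def enumerate_domain(resolve, axfr, nameservers, domain, wordlist):
    """Zone transfer first; fall back to wildcard-aware brute force."""
    ns, zone = try_zone_transfer(axfr, nameservers)
    if zone is not None:
        return "axfr:%s" % ns, dict(zone)
    wildcard = wildcard_ips(resolve, domain)
    hosts = brute_force(resolve, domain, wordlist, wildcard)
    return "bruteforce(wildcard=%s)" % (",".join(sorted(wildcard)) or "none"), hosts


def netblocks(hosts, prefix=24):
    """Group discovered addresses by /prefix: the ranges to hand to whois next."""
    blocks = {}
    for host, ip in hosts.items():
        net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        blocks.setdefault(str(net), []).append(host)
    return blocks


# Constructed sample data (hypothetical names and documentation addresses).
SAMPLE_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "ftp.example.test": "203.0.113.21",
    "vpn.example.test": "198.51.100.5",
}
SAMPLE_WILDCARD = "203.0.113.200"      # *.example.test answers for every other name
WORDLIST = ["www", "mail", "ftp", "vpn", "dev", "staging", "admin"]


def sample_resolve(host):
    """Stand-in for an A lookup against the constructed zone."""
    if host in SAMPLE_ZONE:
        return SAMPLE_ZONE[host]
    return SAMPLE_WILDCARD if host.endswith(".example.test") else None


def sample_axfr_refused(ns):
    """Every NS refuses the transfer, like the fierce run above."""
    return None


def sample_axfr_open(ns):
    """One misconfigured NS hands over the whole zone."""
    return SAMPLE_ZONE if ns == "ns1.example.test" else None
```

Run against `sample_axfr_refused`, the brute force finds the four real hosts and discards dev, staging and admin because they only resolve to the wildcard address; against `sample_axfr_open` the zone arrives in one request and no guessing is needed. `netblocks` then collapses the hits into 203.0.113.0/24 and 198.51.100.0/24, which is the list to take to whois to learn who each range is registered to.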