DNS (53)

METHODOLOGY

  • Try a reverse lookup for 127.0.0.1 and for the target IP address. We can also try the ranges 127.0.0.1/24 and <ip>/24.
  • Is this server vulnerable to a zone transfer attack?
  • If we have a domain name, we can try to run dnsenum.

MORE RESOURCES

Enumeration

DNS is the service that translates domain names into IP addresses (it is easier for a person to memorize a domain name than an IP address). For the OSCP exam, the names found can be used by a web service for virtual hosting (we want hostnames to add to the /etc/hosts file). DNS is a very critical system, so we are going to cover some enumeration tips.

  • A Records: Identifying IP addresses for target servers.
  • MX Records: Identifying mail servers, which can sometimes be attacked or misconfigured.
  • NS Records: Finding name servers, which might lead to further enumeration or exploitation opportunities.
  • CNAME Records: Identifying aliases or potential misconfigurations.

Reverse lookup with nslookup:

nslookup
  SERVER <ip>
  127.0.0.1
  <ip>
nslookup google.com

dnsrecon: this command iterates over the range (127.0.0.1, 127.0.0.2 ... 127.0.0.255) and checks each address for a reverse (PTR) response, i.e. a domain name.

dnsrecon -r 127.0.0.0/24 -n <ip>

Harvester
theHarvester is an open-source intelligence (OSINT) gathering tool. It collects information such as email addresses, subdomains, IP addresses, and people associated with a target from various sources.

theharvester --domain kali.org -b all

Nmap scripts enum

nmap -vv -p 53 -sT --script=+dns* --script-args "dns-nsec-enum.domains='<domain>',dns-nsec3-enum.domains='<domain>',dns-brute.domain='<domain>'" <ip>

A zone transfer is a replication of a DNS database. Sometimes this is needed to copy a database from a DNS master to other DNS slaves. If this is not correctly configured and non-slave machines are allowed to request a zone transfer, an attacker can read the entire database. This is called a zone transfer attack, and we can do it with dig.

Zone transfer without domain

dig axfr @<ip>

Zone transfer with domain

dig axfr @<DNS_IP> <DOMAIN>

Using dnsrecon to check for zone transfer misconfigurations

dnsrecon -d <domain> -t axfr
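The dig and dnsrecon checks above tell you by eye whether a server accepted the transfer. The script below is an added example, not part of the original notes: it wraps dig and classifies its output so the check can be run across several name servers (for example, auditing your own zones). It assumes dig is installed; ns1.example.test / example.test are placeholders and the SAMPLE_* strings are constructed dig output.

```shell
#!/bin/sh
# Added example: classify `dig axfr` output as allowed / refused / error
# and report how many records a misconfigured server exposed.

# Classify raw dig AXFR output passed as the first argument.
# Prints "allowed <record_count>" when the transfer succeeded,
# "refused" when the server explicitly denied it, "error" otherwise.
classify_axfr_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
        return 1
    fi
    # A successful AXFR is bracketed by SOA records; require at least one.
    if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        # Count resource-record lines (skip ";" comments and blanks).
        # The opening SOA is repeated at the end, so subtract one.
        n=$(printf '%s\n' "$out" | grep -Ev '^(;|$)' | wc -l | tr -d ' ')
        echo "allowed $((n - 1))"
        return 0
    fi
    echo error
    return 2
}

# Query one name server for one zone and classify the answer.
# Placeholders: server = ns1.example.test, zone = example.test
check_zone_transfer() {
    server="$1"; zone="$2"
    classify_axfr_output "$(dig +time=5 +tries=1 axfr "@$server" "$zone" 2>&1)"
}

# Constructed sample of dig output from a server that accepts AXFR.
SAMPLE_ALLOWED='; <<>> DiG 9.18.0 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.      3600  IN  SOA  ns1.example.test. admin.example.test. 2024010101 3600 900 604800 300
example.test.      3600  IN  NS   ns1.example.test.
www.example.test.  3600  IN  A    192.0.2.10
example.test.      3600  IN  SOA  ns1.example.test. admin.example.test. 2024010101 3600 900 604800 300
;; Query time: 2 msec'

# Constructed sample of dig output from a correctly restricted server.
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
; Transfer failed.'
```

Run `check_zone_transfer ns1.example.test example.test` against a server you are authorised to test; anything other than "refused" from a non-slave host means the zone's allow-transfer setting needs fixing.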

Using dnsenum

dnsenum <domain>
dnsenum --noreverse --enum --dnsserver <ip> <domain>

Simple DNS query

dig youtube.com

A records - IPv4 address of domain name

dig A youtube.com

AAAA records - IPv6 address of a domain name

dig AAAA youtube.com

MX records - email servers assigned for a domain

dig MX youtube.com

NS records - name servers of a domain name

dig NS youtube.com

SOA records - Start of Authority (SOA) record of a domain, containing basic information about the DNS zone

dig SOA youtube.com

TXT records - often used in mechanisms such as SPF and DKIM for email verification

dig TXT youtube.com

PTR records (reverse DNS lookup) - which domain name corresponds to an IP address.

dig -x 172.217.17.110

CNAME records - alias or canonical name of a domain name

dig CNAME youtube.com