
DNS reconnaissance with DNSRecon
DNSRecon is a handy DNS-based utility that lets you perform various reconnaissance exercises on DNS records. It can enumerate DNS records of all the common types, check for cached entries, test for zone transfers, and even query Google for additional hosts belonging to the zone.
DNSRecon is not a complicated utility, but it is a powerful one and can save you a lot of time compared with running other tools manually. The dnsrecon package has a number of command-line options, so definitely check out the man page to see what is relevant in your environment. I typically use the -g switch to do a Google enumeration. This finds additional subdomains that reference the main domain I am looking for, which saves me a lot of time looking through Google manually. This is a great way to automate some of that Google-fu, which can yield some great information.
Here is an example from the lab using the -g switch. You will notice that the first part of the output gives the standard information; the Google enumeration comes later. The following is the general enumeration found via DNS lookup:
root@kali:~# dnsrecon -d cnn.com -g
[*] Performing General Enumeration of Domain: cnn.com
[-] DNSSEC is not configured for cnn.com
[*] SOA ns-47.awsdns-05.com 205.251.192.47
[*] NS ns-1086.awsdns-07.org 205.251.196.62
[*] NS ns-1086.awsdns-07.org 2600:9000:5304:3e00::1
[*] NS ns-1630.awsdns-11.co.uk 205.251.198.94
[*] NS ns-1630.awsdns-11.co.uk 2600:9000:5306:5e00::1
[*] NS ns-47.awsdns-05.com 205.251.192.47
[*] MX ppsprmsa.turner.com 157.166.168.210
[*] MX ppsprmsh.turner.com 157.166.157.29
[*] A cnn.com 151.101.64.73
[*] A cnn.com 151.101.128.73
[*] A cnn.com 151.101.192.73
[*] A cnn.com 151.101.0.73
[*] TXT cnn.com 598362927-4422061
[*] TXT cnn.com 321159687-4422031
[*] TXT cnn.com v=spf1 include:cnn.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
[*] TXT cnn.com globalsign-domain-verification=2lI5pahhCu_jg_2RC5GEdolQmAa4K7rhP7_OA-lZBK
[*] TXT cnn.com 353665828-4422052
[*] Enumerating SRV Records
[*] SRV _sip._tls.cnn.com sipdir.online.lync.com 146.112.61.106 443 1
[*] SRV _sip._tls.cnn.com sipdir.online.lync.com ::ffff:146.112.61.106 443 1
[*] SRV _sipfederationtls._tcp.cnn.com sipfed.online.lync.com 146.112.61.106 5061 1
[*] SRV _sipfederationtls._tcp.cnn.com sipfed.online.lync.com ::ffff:146.112.61.106 5061 1
[*] 4 Records Found
Here are examples of other sites found via Google enumeration:
[*] Performing Google Search Enumeration
[*] CNAME www.cnn.com turner.map.fastly.net
[*] A turner.map.fastly.net 151.101.192.73
[*] A turner.map.fastly.net 151.101.128.73
[*] A turner.map.fastly.net 151.101.64.73
[*] A turner.map.fastly.net 151.101.0.73
[*] CNAME edition.cnn.com www.edition.cnn.com
[*] CNAME www.edition.cnn.com turner.map.fastly.net
[*] A turner.map.fastly.net 151.101.192.73
[*] A turner.map.fastly.net 151.101.128.73
[*] A turner.map.fastly.net 151.101.64.73
[*] A turner.map.fastly.net 151.101.0.73
[*] CNAME cnnradio.cnn.com cnnradio.wordpress.com
[*] CNAME cnnradio.wordpress.com vip-lb.wordpress.com
[*] A vip-lb.wordpress.com 192.0.79.33
[*] A vip-lb.wordpress.com 192.0.79.32
[*] CNAME news.blogs.cnn.com cnnnews.wordpress.com
[*] CNAME cnnnews.wordpress.com vip-lb.wordpress.com
[*] A vip-lb.wordpress.com 192.0.79.33
[*] A vip-lb.wordpress.com 192.0.79.32
[*] CNAME religion.blogs.cnn.com cnnreligion.wordpress.com
[*] CNAME cnnreligion.wordpress.com vip-lb.wordpress.com
[*] A vip-lb.wordpress.com 192.0.79.33
[*] A vip-lb.wordpress.com 192.0.79.32
[*] CNAME ac360.blogs.cnn.com cnnac360.wordpress.com
[*] CNAME cnnac360.wordpress.com vip-lb.wordpress.com
There are some important outputs on this screen. First, you can see that DNSSEC is not configured. This is an important finding that can be noted in the report. You can also see the SPF record, which tells us which servers are allowed to send email for the domain. Also notice that they are not using IPv6. I can also see they are using Lync services, given some of the records that exist, so there are definitely some Microsoft services in their environment.
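Reading these findings off the screen works for one domain, but on a larger engagement you want them pulled out of the dnsrecon output automatically. The following script is an added example, not part of the original text and not dnsrecon's own code. It parses text output in the "[*] TYPE name value" format shown above (the sample lines embedded below are a subset of that excerpt), records the DNSSEC status, breaks the SPF record into its include mechanisms and catch-all qualifier, lists any IPv6 addresses present in the records, and flags SRV records whose target is a lync.com host. The wording "DNSSEC is configured for" used for the positive case is an assumption based on the negative message shown on the page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the dnsrecon lines shown above, embedded
# inline so the script runs offline without querying anything.
SAMPLE_OUTPUT = """\
[*] Performing General Enumeration of Domain: cnn.com
[-] DNSSEC is not configured for cnn.com
[*] SOA ns-47.awsdns-05.com 205.251.192.47
[*] NS ns-1086.awsdns-07.org 205.251.196.62
[*] NS ns-1086.awsdns-07.org 2600:9000:5304:3e00::1
[*] MX ppsprmsa.turner.com 157.166.168.210
[*] A cnn.com 151.101.64.73
[*] TXT cnn.com 598362927-4422061
[*] TXT cnn.com v=spf1 include:cnn.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
[*] Enumerating SRV Records
[*] SRV _sip._tls.cnn.com sipdir.online.lync.com 146.112.61.106 443 1
[*] SRV _sipfederationtls._tcp.cnn.com sipfed.online.lync.com 146.112.61.106 5061 1
[*] 4 Records Found
"""

# One record line looks like "[*] <TYPE> <name> <rest of line>".
RECORD_RE = re.compile(
    r"^\[\*\]\s+(SOA|NS|MX|AAAA|A|TXT|SRV|CNAME|PTR)\s+(\S+)\s+(.*)$"
)


def parse_spf(record):
    """Split an SPF TXT value into its include targets and the 'all' qualifier."""
    includes, all_qualifier = [], None
    for term in record.split()[1:]:  # skip the leading "v=spf1"
        if term.startswith("include:"):
            includes.append(term[len("include:"):])
        elif term.endswith("all"):
            # "+all" (or bare "all") pass, "~all" softfail, "-all" fail, "?all" neutral
            all_qualifier = term[:-3] or "+"
    return {"includes": includes, "all": all_qualifier}


def parse_dnsrecon(text):
    """Parse dnsrecon text output into a dict of structured findings."""
    result = {"dnssec": None, "records": [], "ipv6_addresses": [], "spf": None, "srv": []}
    for raw in text.splitlines():
        line = raw.strip()
        if "DNSSEC is not configured" in line:
            result["dnssec"] = False
            continue
        if "DNSSEC is configured" in line:  # assumed wording of the positive case
            result["dnssec"] = True
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # status lines such as "[*] 4 Records Found"
        rtype, name, value = m.groups()
        result["records"].append((rtype, name, value))
        if rtype == "TXT" and value.lower().startswith("v=spf1"):
            result["spf"] = parse_spf(value)
        elif rtype == "SRV":
            result["srv"].append((name, value.split()[0]))  # (service name, target host)
        if rtype != "TXT":  # TXT is free text; every other type carries addresses
            for tok in value.split():
                try:
                    ip = ipaddress.ip_address(tok)
                except ValueError:
                    continue
                if ip.version == 6:
                    result["ipv6_addresses"].append(tok)
    return result


def findings(parsed):
    """Turn the parsed output into report-ready observations."""
    notes = []
    if parsed["dnssec"] is False:
        notes.append("DNSSEC not configured: resolvers cannot validate answers for this zone")
    elif parsed["dnssec"]:
        notes.append("DNSSEC configured")
    counts = Counter(rtype for rtype, _, _ in parsed["records"])
    notes.append("record counts: " + ", ".join(f"{t}={n}" for t, n in sorted(counts.items())))
    if parsed["spf"]:
        spf = parsed["spf"]
        notes.append(f"SPF includes {spf['includes']} with catch-all '{spf['all']}all'")
        if spf["all"] != "-":
            notes.append("SPF catch-all is not a hard fail (-all); receivers may accept spoofed mail")
    notes.append("IPv6 in use" if parsed["ipv6_addresses"] else "no IPv6 addresses seen")
    lync = [name for name, target in parsed["srv"] if target.endswith("lync.com")]
    if lync:
        notes.append(f"SRV records point at Microsoft Lync/Skype for Business: {lync}")
    return notes


if __name__ == "__main__":
    for note in findings(parse_dnsrecon(SAMPLE_OUTPUT)):
        print("-", note)
```

To use it on a real run, pipe dnsrecon's output into a file and pass its contents to parse_dnsrecon; the findings list maps directly onto the report items discussed above (DNSSEC status, who may send mail, whether IPv6 is in play, and which third-party services the SRV records reveal).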
I want to follow up with an example where the use of DNSSEC did exist. Here is the output from a host that is currently using DNSSEC:
