DNS reconnaissance and route mapping
Once a tester has identified the targets that have an online presence and contain items of interest, the next step is to identify the IP addresses and routes to the target.
DNS reconnaissance is concerned with identifying who owns a particular domain or series of IP addresses (whois-type information), the DNS information defining the actual domain names and IP addresses assigned to the target, and the route between the penetration tester or the attacker and the final target.
This information gathering is semi-active—some of the information is available from freely available open sources, while other information is available from third parties such as DNS registrars. Although the registrar may collect IP addresses and data concerning requests made by the attacker, it is rarely provided to the end target. The information that could be directly monitored by the target, such as DNS server logs, is almost never reviewed or retained.
Because the information needed can be queried using a defined systematic and methodical approach, its collection can be automated.
Tip
Note that DNS information may contain stale or incorrect entries. To minimize inaccurate information, query different source servers and use different tools to cross-validate results. Review results, and manually verify any suspect findings. Use a script to automate the collection of this information. The script should create a folder for the penetration test, and then a series of folders for each application being run. After the script executes each command, pipe the results directly to the specific holding folder.
WHOIS
The first step in researching the IP address space is to identify the addresses that are assigned to the target site. This is usually accomplished by using the whois command, which allows people to query databases that store information on the registered users of an Internet resource, such as a domain name or IP address.
Depending on the database that is queried, the response to a whois request will provide names, physical addresses, phone numbers, and e-mail addresses (useful in facilitating social engineering attacks), as well as IP addresses and DNS server names.
An attacker can use information from a whois query to:
- Support a social engineering attack against the location or persons identified in the query
- Identify a location for a physical attack
- Identify phone numbers that can be used for a war dialing attack, or to conduct a social engineering attack
- Conduct recursive searches to locate other domains hosted on the same server as the target or operated by the same user; if they are insecure, an attacker can exploit them to gain administrative access to the server, and then compromise the target server
- In cases where the domain is due to expire, an attacker can attempt to seize the domain, and create a look-alike website to compromise visitors who think they are on the original website
- An attacker will use the authoritative DNS servers, which are the records for lookups of that domain, to facilitate DNS reconnaissance
Note that there is an increase in the usage of third parties to shield this data, and some domains, such as .gov and .mil, may not be accessible to the public domain. Requests to these domains are usually logged. There are several online lists available that describe domains and IP addresses assigned for government use; most tools accept options for "no contact" addresses, and government domains should be entered into these fields to avoid the wrong type of attention!
The easiest way to issue a whois query is from the command line. The following screenshot shows the whois command run against the domain of Digital Defence:
The returned whois record contains geographical information, names, and contact information—all of which can be used to facilitate a social engineering attack.
There are several websites that automate whois lookup enquiries, and attackers can use these sites to insert a step between the target and themselves; however, the site doing the lookup may log the requester's IP address.
DNS reconnaissance
The Domain Name System (DNS), is a distributed database that resolves names (www.digitaldefence.ca) to its IP addresses (192.150.2.140).
Attackers use the DNS information in the following ways:
- Using brute-force attacks, allows attackers to identify new domain names associated with the target.
- If the DNS server is configured to permit a zone transfer to any requester, it will provide hostnames and IP addresses of Internet-accessible systems, making it easier to identify potential targets. If the target does not segregate public (external) DNS information from private (internal) DNS information, a zone transfer might disclose the hostnames and IP addresses of internal devices. (Note that most IDS and IPS systems will trigger an alarm if a zone transfer request is triggered).
- Finding services that may be vulnerable (for example, FTP) or are otherwise interesting (remote administration panels and remote access).
- Finding misconfigured and/or unpatched servers (
dbase.test.target.com). - Service records (SRV), provide information on service, transport, port, and order of importance for services. This can allow an attacker to deduce the software.
- DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are used to control spam e-mails. If these records are identified, the attacker knows that:
- They are more security conscious than most organizations.
- This may impact phishing and other social engineering attacks.
Both Windows and Unix support basic command-line tools such as nslookup, and Unix systems support additional command-line options such as dig. Unfortunately, these commands usually interrogate one server at a time, and require interactive responses to be effective.
Kali features several tools designed to iteratively query DNS information for a particular target. The selected tool must accommodate the Internet Protocol version that is used for communications with the target—IPv4 or IPv6.
The IP, or Internet Protocol address, is a unique number used to identify devices that are connected to a private network or the public Internet. Today, the Internet is largely based on version 4, IPv4. Kali includes several tools to facilitate DNS reconnaissance, as given in the following table:
During testing, most investigators run fierce to confirm that all possible targets have been identified, and then run at least two comprehensive tools (for example, dnsenum and dnsrecon) to generate the maximum amount of data and provide a degree of cross validation.
In the following screenshot, dnsrecon is used to generate a standard DNS record search, and a search that is specific for SRV records. An excerpt of the results is shown for each case.
DNSrecon allows the penetration tester to obtain the SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mails using Sender Policy Framework (SPF), and the IP address ranges in use.
Although IPv4 seems to permit a large address space, freely available IP addresses were exhausted several years ago, forcing the employment of NAT and DHCP to increase the number of available addresses. A more permanent solution has been found in the adoption of an improved IP addressing scheme, IPv6. Although it constitutes less than five percent of Internet addresses, its usage is increasing, and penetration testers must be prepared to address the differences between IPv4 and IPv6.
In IPv6, the source and destination addresses are 128 bits in length, yielding 2128 possible addresses, that is, 340 undecillion addresses!
The increased size of the addressable address space presents some problems to penetration testers, particularly when using scanners that step through the available address space looking for live servers. However, some features of the IPv6 protocol have simplified discovery, especially the use of ICMPv6 to identify active link-local addresses.
It is important to consider IPv6 when conducting initial scans for the following reasons:
- There is uneven support for IPv6 functionality in testing tools, so the tester must ensure that each tool is validated to determine its performance and accuracy in IPv4, IPv6, and mixed networks.
- Because IPv6 is a relatively new protocol, the target network may contain misconfigurations that leak important data; the tester must be prepared to recognize and use this information.
- Older network controls (firewalls, IDS, and IPS) may not detect IPv6. In such cases, penetration testers can use IPv6 tunnels to maintain covert communications with the network, and exfiltrate the data undetected.
Kali includes several tools developed to take advantage of IPv6 (most comprehensive scanners, such as nmap, now support IPv6), some of which are as follows; tools that are particular to IPv6 were largely derived from the THC-IPv6 Attack Toolkit.
The execution of the dnsdict6 command is shown in the following screenshot:
Mapping the route to the target
Route mapping was originally used as a diagnostic tool that allows you to view the route that an IP packet follows from one host to the next. Using the time to live (TTL) field in an IP packet, each hop from one point to the next elicits an ICMP TIME_EXCEEDED message from the receiving router, decrementing the value in the TTL field by 1. The packets count the number of hops and the route taken.
From an attacker's, or penetration tester's perspective, the traceroute data yields the following important data:
- The exact path between the attacker and the target
- Hints pertaining to the network's external topology
- Identification of accessing control devices (firewalls and packet-filtering routers) that may be filtering attack traffic
- If the network is misconfigured, it may be possible to identify internal addressing
Tip
Using a web-based
traceroute(www.traceroute.org), it is possible to trace various geographic origin sites to the target network. These types of scans will frequently identify more than one different network connecting to the target, which is information that could be missed by conducting only a singletraceroutefrom a location close to the target. Web-basedtraceroutemay also identify multihomed hosts which connect two or more networks together. These hosts are an important target for attackers, because they drastically increase the attack surface leading to the target.
In Kali, traceroute is a command-line program that uses ICMP packets to map the route; in Windows, the program is tracert.
If you launch traceroute from Kali, it is likely that you will see most hops filtered (data is shown as * * *). For example, traceroute from the author's present location to www.google.com would yield the following:
However, if the same request was run using tracert from the Windows command line, we would see the following:
Not only do we get the complete path, but we can also see that www.google.com is resolving to a slightly different IP address, indicating that load balancers are in effect (you can confirm this using Kali's lbd script; however, this activity may be logged by the target site).
The reason for the different path data is that, by default, traceroute used UDP datagrams while Windows tracert uses ICMP echo request (ICMP type 8). Therefore, when completing a traceroute using Kali tools, it is important to use multiple protocols in order to obtain the most complete path, and to bypass packet-filtering devices.
Kali provides the following tools for completing route traces:
hping3 is one of the most useful tools due to the control it gives over packet type, source packet, and destination packet. For example, Google does not allow ping requests. However, it is possible to ping the server if you send the packet as a TCP SYN request.
In the following example, the tester attempts to ping Google from the command line. The returned data identifies that www.google.com is an unknown host; Google is clearly blocking ICMP-based ping commands. However, the next command invokes hping3, instructing it to do the following:
- Send a ping-like command to Google using TCP with the SYN flag set (
-S). - Direct the packet to port 80; legitimate requests of this type are rarely blocked (
- p 80). - Set a count of sending three packets to the target (
-c 3).
To execute the previous steps, use the commands as shown in the following screenshot:
The hping3 command successfully identifies that the target is online, and provides some basic routing information.