DNS (tcp & udp-53)

DNS RECORDS

Dig

Retrieve DNS records

dig @10.10.10.224 realcorp.htb       # A record(s), asking the target's DNS server directly
dig @10.10.10.224 realcorp.htb ns    # Name servers (NS)
dig @10.10.10.224 realcorp.htb axfr  # Zone transfer (AXFR, over TCP 53)
dig @10.10.10.224 realcorp.htb mx    # Mail servers (MX)

Examples: Tentacle


Host

Manually discover DNS records (the last argument is the DNS server to query):

host -t mx megacorpone.com 10.10.10.224   # MX records belong to the zone, not to a single host name
host -t txt megacorpone.com 10.10.10.224  # TXT records
host 149.56.244.87 10.10.10.224           # reverse (PTR) lookup of an IP; host builds the in-addr.arpa name for you

Reverse-resolve the other hosts of a discovered subnet (here 38.100.193.50-100), dropping addresses with no PTR record:

for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"

Dnsenum

Subdomain brute force with a wordlist, against the target's name server:

dnsenum --dnsserver 10.10.10.224 --threads 50 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt realcorp.htb

Examples: Cascade

DNS Zone Transfers

A zone transfer (AXFR) is a database replication between related DNS servers: the complete zone file is copied from the primary (master) server to its secondary (slave) servers, over TCP 53. The zone file lists every DNS name configured for that zone. Transfers should be allowed only to authorised secondaries, but many administrators leave them unrestricted, and then anyone who asks for a copy of the zone receives one: a full host inventory in a single query.

Host

First find the name servers (NS records) for the domain:

host -t ns megacorpone.com

Then request a zone transfer from each NS server in turn (one may be misconfigured where the others are not):

host -l megacorpone.com ns1.megacorpone.com

Reverse-resolve a whole range once the internal DNS server (here 192.168.173.149) is known:

for ip in $(seq 1 255); do host 192.168.173.$ip 192.168.173.149; done

The host command syntax for performing a zone transfer is as follows:

host -l <domain name> <dns server address>

If you are working inside a private network, the first step is to find the internal DNS server: it holds the records for every host in the network and is the single best source of inventory.

Always give the DNS server after the name, so the query goes to the target resolver rather than your own:

host -l mailman.com <DNS SERVER>            # zone transfer of the domain (the zone, not a single host in it)
host -t txt dc.mailman.com 192.168.173.149  # TXT record of one host

Once the TXT, A, AAAA and PTR records for a host have been collected, the most interesting records are the NS records: they name the authoritative servers, and an AXFR request to one of them dumps the whole zone:

dig axfr @192.168.173.149 mailman.com     

; (1 server found)
;; global options: +cmd
mailman.com.            3600    IN      SOA     dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
mailman.com.            3600    IN      NS      dc.mailman.com. `<---`
_msdcs.mailman.com.     3600    IN      NS      dc.mailman.com.
_gc._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 3268 dc.mailman.com.
_kerberos._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 88 dc.mailman.com.
_kerberos._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 88 winserv19-temp.mailman.com.
_ldap._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.Default-First-Site-Name._sites.mailman.com. 600 IN SRV 0 100 389 winserv19-temp.mailman.com.
_gc._tcp.mailman.com.   600     IN      SRV     0 100 3268 dc.mailman.com.
_gc._tcp.mailman.com.   600     IN      SRV     0 100 3268 winserv19-temp.mailman.com.
_kerberos._tcp.mailman.com. 600 IN      SRV     0 100 88 dc.mailman.com.
_kpasswd._tcp.mailman.com. 600  IN      SRV     0 100 464 dc.mailman.com.
_kpasswd._tcp.mailman.com. 600  IN      SRV     0 100 464 winserv19-temp.mailman.com.
_ldap._tcp.mailman.com. 600     IN      SRV     0 100 389 dc.mailman.com.
_kerberos._udp.mailman.com. 600 IN      SRV     0 100 88 dc.mailman.com.
_kerberos._udp.mailman.com. 600 IN      SRV     0 100 88 winserv19-temp.mailman.com.
_kpasswd._udp.mailman.com. 600  IN      SRV     0 100 464 dc.mailman.com.
_kpasswd._udp.mailman.com. 600  IN      SRV     0 100 464 winserv19-temp.mailman.com.
dc.mailman.com.         3600    IN      A       192.168.173.149
dc.mailman.com.         3600    IN      TXT     "OS{1221212}"
DomainDnsZones.mailman.com. 600 IN      A       192.168.50.149
DomainDnsZones.mailman.com. 600 IN      A       192.168.120.149
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.DomainDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.DomainDnsZones.mailman.com. 600 IN SRV 0 100 389 winserv19-temp.mailman.com.
ForestDnsZones.mailman.com. 600 IN      A       192.168.50.149
ForestDnsZones.mailman.com. 600 IN      A       192.168.120.149
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
_ldap._tcp.ForestDnsZones.mailman.com. 600 IN SRV 0 100 389 dc.mailman.com.
mailman.com.            3600    IN      SOA     dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
;; Query time: 100 msec
;; SERVER: 192.168.173.149#53(192.168.173.149) (TCP)
;; WHEN: Fri Sep 02 02:22:24 EDT 2022
;; XFR size: 30 records (messages 1, bytes 1454)

A transfer also exposes delegated sub-zones: the NS record for _msdcs.mailman.com above delegates it to dc.mailman.com, and a delegated sub-zone is a separate zone that is not included in the parent's transfer. Request it with the same technique, from the same server. Note as well that the SRV records (_ldap, _kerberos, _kpasswd, _gc) name the domain controllers (dc and winserv19-temp) together with their service ports, and that DomainDnsZones/ForestDnsZones, the Active Directory application partitions, advertise addresses in two further subnets (192.168.50.x and 192.168.120.x), which is worth noting for pivoting:

dig axfr @192.168.173.149 _msdcs.mailman.com

The same result can be achieved with:

host -l -a _msdcs.mailman.com 192.168.173.149
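To turn a transfer like the one above into the next round of targets, here is an added example (not part of the original notes) that parses dig's AXFR output: it pulls out the delegated sub-zones that need their own transfer, the A records to feed into a port scan, and the SRV targets that identify the domain controllers. The embedded transfer text is constructed for the example and follows dig's record format; the function names are my own.

```shell
#!/bin/bash
# Added example, not code from the original page: post-process a `dig axfr`
# dump to get the next enumeration steps out of it:
#   - delegated sub-zones (NS records whose owner is not the zone apex); each
#     is a separate zone that the parent transfer does not include, so it needs
#     its own AXFR request;
#   - hosts (A records) to feed into a port scan;
#   - SRV targets, which in an AD zone name the domain controllers.
# SAMPLE_AXFR is constructed for this example; it follows dig's output format
# (owner TTL class type rdata) and the shape of the transfer shown above.

SAMPLE_AXFR=';; global options: +cmd
mailman.com.            3600    IN      SOA     dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
mailman.com.            3600    IN      NS      dc.mailman.com.
_msdcs.mailman.com.     3600    IN      NS      dc.mailman.com.
_kerberos._tcp.mailman.com. 600 IN      SRV     0 100 88 dc.mailman.com.
_ldap._tcp.mailman.com. 600     IN      SRV     0 100 389 winserv19-temp.mailman.com.
_gc._tcp.mailman.com.   600     IN      SRV     0 100 3268 dc.mailman.com.
dc.mailman.com.         3600    IN      A       192.168.173.149
DomainDnsZones.mailman.com. 600 IN      A       192.168.50.149
mailman.com.            3600    IN      SOA     dc.mailman.com. hostmaster.mailman.com. 158 900 600 86400 3600
;; Query time: 100 msec'

# Drop dig's ";" comment lines and blank lines; normalise whitespace so every
# record is "owner ttl class type rdata..." separated by single spaces.
axfr_records() {
    printf '%s\n' "$1" | grep -v '^;' | awk 'NF >= 4 { $1 = $1; print }'
}

# Delegated sub-zones: NS records whose owner differs from the apex.
# Usage: delegated_zones "<transfer text>" <apex>
delegated_zones() {
    local transfer="$1" apex="$2"
    axfr_records "$transfer" \
        | awk -v apex="${apex%.}." '$4 == "NS" && $1 != apex { sub(/\.$/, "", $1); print $1 }' \
        | sort -u
}

# A records as "hostname ip", one per line.
zone_hosts() {
    axfr_records "$1" | awk '$4 == "A" { sub(/\.$/, "", $1); print $1, $5 }' | sort -u
}

# SRV records as "_service._proto.zone port target" (priority and weight dropped).
srv_targets() {
    axfr_records "$1" \
        | awk '$4 == "SRV" { sub(/\.$/, "", $1); sub(/\.$/, "", $8); print $1, $7, $8 }' \
        | sort -u
}

# Demo on the constructed sample. Against a live server you would instead do:
#   transfer="$(dig axfr @192.168.173.149 mailman.com)"
#   for z in $(delegated_zones "$transfer" mailman.com); do
#       dig axfr @192.168.173.149 "$z"    # transfer each delegated sub-zone too
#   done
echo "[*] delegated sub-zones (transfer these next):"
delegated_zones "$SAMPLE_AXFR" mailman.com
echo "[*] hosts:"
zone_hosts "$SAMPLE_AXFR"
echo "[*] SRV targets (domain controllers and their service ports):"
srv_targets "$SAMPLE_AXFR"
```

The functions only read the text they are given, so the same script works on a saved transfer (`dig axfr ... > zone.txt; delegated_zones "$(cat zone.txt)" mailman.com`) and can be re-run on each sub-zone transfer in turn until no new delegations appear.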

Domain Zone Transfer Script

#!/bin/bash

# Simple Zone Transfer Bash Script
# $1 is the domain name given as the first argument
# Check that an argument was given; if not, print usage

if [ -z "$1" ]; then
  echo "[*] Simple Zone transfer script"
  echo "[*] Usage   : $0 <domain name> "
  exit 0
fi

# Identify the name servers for the domain (field 4 of "domain name server ns1.domain.")

for server in $(host -t ns "$1" | cut -d " " -f4); do
  # For each of these servers, attempt a zone transfer and keep only the A records
  host -l "$1" "$server" | grep "has address"
done

DNSRecon

Zone Transfer

dnsrecon -d megacorpone.com -t axfr

Brute Force

dnsrecon -d megacorpone.com -D ~/list.txt -t brt

DNSEnum

dnsenum zonetransfer.me

Bluto

Bluto TODO

Each domain can use different types of DNS records. Some of the most common types of DNS records include:

  • NS - Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
  • A - Also known as a host record, the A record contains the IPv4 address of a hostname (such as www.megacorpone.com); AAAA is the IPv6 equivalent.
  • MX - Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
  • PTR - Pointer Records are used in reverse lookup zones and are used to find the records associated with an IP address.
  • CNAME - Canonical Name Records are used to create aliases for other host records.
  • TXT - Text records can contain any arbitrary data and can be used for various purposes, such as domain ownership verification.