DNS Enumeration : A beginner's guide - blackgem


Wednesday, November 16, 2022

DNS Enumeration : A beginner's guide

The DNS (Domain Name System) is responsible for matching a site's name to its IP address, so that we don't have to memorize the IP of every website.

 

Example: http://www.pentest-standard.org/index.php/Main_Page resolves to 96.126.116.56


You can query a domain name and see what the DNS resolves it to, which tells you the IP address it is pointing at.


One of the tools you can use for this is nslookup (name server lookup), which maps a domain name to its IP address or to other DNS records.

root@blackgem nslookup www.pentest-standard.org
Server:		100.64.0.1
Address:	100.64.0.1#53

Non-authoritative answer:
Name:	www.pentest-standard.org
Address: 96.126.116.56


Just note that big sites will have specific configurations that won't make it easy for you to get directly from an IP address back to their domain (a reverse lookup). Also, big corporations will often own a whole network block that holds all their subdomains.


The authoritative server is often also known as the name server for the domain.

 

An authoritative DNS server is the server that is responsible for storing the DNS records for a particular domain name and where any updates to your domain name DNS records would be made.


DNS Records

A DNS record is a database record used to map a hostname (the domain part of a URL) to an IP address. DNS records are stored on DNS servers and help connect users' websites to the outside world.

 

A Record

These records resolve to IPv4 addresses, for example 104.26.10.229

 

AAAA Record

These records resolve to IPv6 addresses, for example 2606:4700:20::681a:be5

 

CNAME Record

These records resolve to another domain name.

 

MX Record

These records resolve to the addresses of the servers that handle email for the domain you are querying. Each MX record also carries a priority (preference) value. This tells the client in which order to try the servers, which is perfect for when the main server goes down and email needs to be delivered to a backup server.

 

PTR Record

A PTR record is a reverse mapping from an IP address to a name.


DNS Propagation

There are servers around the internet storing these directories with the information needed for this resolution, kept up to date and with redundancy.

 

When you update the records in your DNS configuration, be careful: they won't be updated in real time. Depending on the number of records and where the DNS is hosted, some sites may take up to 24 hours to finish replicating the change to DNS servers globally.


DNSchecker is a great tool to monitor propagation in real time, so you know when the changes you have made are being applied.


https://dnschecker.org/

 


DNS Enumeration

When conducting a pentest, DNS information is vital for starting to enumerate where the services behind URLs are hosted.

 

Some of the most commonly used tools and sites to perform these enumerations and get a good grasp of the DNS information are:


host - A Linux command used for DNS (Domain Name System) lookup operations. The host command is useful when you want to find the IP address of a particular domain name, or the domain name of a particular IP address.

(root㉿blackgem)-[~]
└─$ host google.com
google.com has address 142.250.69.46
google.com has IPv6 address 2607:f8b0:4012:808::200e
google.com mail is handled by 10 smtp.google.com.
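As an added example (not code from this post or from any of the tools listed here), this small stdlib-only script builds the query that host/nslookup send and parses the reply's answer section, decoding A, AAAA, NS, CNAME, PTR and MX records (with their preference value) and ordering the MX targets the way a mail client tries them. The reply it parses is constructed inline from the google.com A and MX values in the host output above; the second MX record (mx2.example.net, preference 20) is a made-up placeholder.

```python
import socket, struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "AAAA": 28}  # RFC 1035/3596 type codes
TYPE_NAMES = {code: name for name, code in TYPES.items()}

def build_query(name, rtype, txid=0x1234):  # one standard query with RD set, as host/dig/nslookup send it
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", TYPES[rtype], 1)

def read_name(msg, off):  # decode a possibly compressed name -> (name, offset just after the field)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but the field ends after the first one
            end, off = end or off + 2, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_answers(msg):  # -> [(owner, type, ttl, value)] for every RR in the answer section
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question (name + type + class)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):  # A / AAAA: packed IPv4 / IPv6 address
            value = socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, msg[off:off + rdlen])
        elif rtype == 15:  # MX: 16-bit preference, then the mail server name
            value = (struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0])
        else:  # NS, CNAME and PTR carry a name; anything else is kept as raw bytes
            value = read_name(msg, off)[0] if rtype in (2, 5, 12) else msg[off:off + rdlen]
        answers.append((owner, TYPE_NAMES.get(rtype, rtype), ttl, value))
        off += rdlen
    return answers

def mail_servers(answers):  # MX targets in the order a client tries them: lowest preference first
    return [host for _, host in sorted(a[3] for a in answers if a[1] == "MX")]

# Constructed reply to "google.com MX?": A and MX 10 come from the host output; MX 20 is a made-up placeholder.
SAMPLE_REPLY = bytes.fromhex(
    "1234 8180 0001 0003 0000 0000  06 676f6f676c65 03 636f6d 00 000f 0001"  # header (QR|RD|RA, 1 q, 3 ans) + question google.com MX IN
    "c00c 0001 0001 0000012c 0004 8efa452e"               # google.com A 142.250.69.46, ttl 300
    "c00c 000f 0001 0000012c 0009 000a 04 736d7470 c00c"  # MX 10 smtp.google.com (compressed name)
    "c00c 000f 0001 0000012c 0013 0014 03 6d7832 07 6578616d706c65 03 6e6574 00")  # MX 20 mx2.example.net
```

To run it against a live resolver, send build_query(...) over UDP to port 53 and pass the datagram you get back to parse_answers().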

dig - A Linux command used to gather DNS information. It stands for Domain Information Groper, and it collects data about Domain Name Servers. The dig command is helpful for troubleshooting DNS problems, but it is also used to display DNS information.

(root㉿blackgem)-[~]
└─$ dig google.com

 

fierce - A semi-lightweight scanner that helps locate non-contiguous IP space and hostnames for specified domains.

┌──(root㉿blackgem)-[~]
└─$ fierce --domain google.com

dnsmap - The command-line tool brute-forces (sub)domains of a target domain using a built-in wordlist, as its banner below shows; the dnsmap.io web service provides a free DNS lookup service for checking domain name server records against a randomly selected list of DNS servers in different corners of the world.
 

(root㉿blackgem)-[~]
└─$ dnsmap google.com
dnsmap 0.36 - DNS Network Mapper
[+] searching (sub)domains for google.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
aa.google.com
IPv6 address #1: 2607:f8b0:4012:815::200e
aa.google.com
IP address #1: 142.251.34.142
accounts.google.com
IPv6 address #1: 2607:f8b0:4012:805::200d
accounts.google.com
IP address #1: 142.251.34.205

dnsmap graphic mode url - https://dnsmap.io

dnsrecon - A Python script that provides the ability to:

 

  • Check all NS Records for Zone Transfers.
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  • Perform common SRV Record Enumeration.
  • Top Level Domain (TLD) Expansion.
  • Check for Wildcard Resolution.
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
  • Perform a PTR Record lookup for a given IP Range or CIDR.
  • Check a DNS Server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check.
  • Enumerate Hosts and Subdomains using Google.

(root㉿blackgem)-[~]
└─$ dnsrecon -d google.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml

 

reference - https://www.kali.org/tools/dnsrecon/


dnstracer - determines where a given Domain Name Server (DNS) gets its information from for a given hostname, and follows the chain of DNS servers back to the authoritative answer.

(root㉿blackgem)-[~]
└─$ dnstracer -r 3 -v google.com
 Tracing to google.com[a] via 192.168.1.254, maximum of 3 retries
 192.168.1.254 (192.168.1.254) IP HEADER
 - Destination address: 192.168.1.254
 DNS HEADER (send)

reference - https://www.kali.org/tools/dnstracer/

 

dnsenum - A multithreaded Perl script to enumerate DNS information for a domain and to discover non-contiguous IP blocks. The main purpose of dnsenum is to gather as much information as possible about a domain.

reference - https://www.kali.org/tools/dnsenum/

 

dnsdumpster - A free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.

https://dnsdumpster.com/



In another post we are going to discuss DNS attacks and how to prevent them. I hope you found this useful, and please let me know if you think I have missed one.

 


