DNS Enumeration

For quite some time fierce was my go-to DNS testing tool (we even wrote a post on it), and I still use it extensively, but recently I have been using dmitry in parallel. dmitry is the Deepmagic Information Gathering Tool, and while it doesn’t have the subdomain brute force functionality that I love in fierce, it automates other functions that I never realized I was tired of doing manually.

Why do we spend so much time on DNS? A company’s DNS server is a gold mine of information during a penetration test. This is especially true of organizations that have an improperly configured split-view DNS where internal records are exposed externally. It is also pretty common to find test, development, or integration servers that have been exposed in DNS and then forgotten about. Why spend all of your penetration testing efforts on the fully patched and hardened server when the test server from 2006 is available? DNS helps find the path of least resistance. Once again we will be using the hackerone directory to demonstrate this tool on real world systems. For dmitry I chose marktplaats.nl.

root@kali:~# dmitry -h
Deepmagic Information Gathering Tool
"There be some deep magic going on"

dmitry: invalid option -- 'h'
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
  -o     Save output to %host.txt or to file specified by -o file
  -i     Perform a whois lookup on the IP address of a host
  -w     Perform a whois lookup on the domain name of a host
  -n     Retrieve Netcraft.com information on a host
  -s     Perform a search for possible subdomains
  -e     Perform a search for possible email addresses
  -p     Perform a TCP port scan on a host
* -f     Perform a TCP port scan on a host showing output reporting filtered ports
* -b     Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed

We are going to simply step through the options with a brief description and talk about what information would be useful during different phases of a pen test.

-i and -w perform a whois lookup in slightly different ways. We will combine them to get an IP address and a whois lookup at the same time. For our primer the domain name would probably be the preferred starting point, but if you only had an IP address to start with, the -i option would get the same results. I’ve used dmitry to track down the source of a brute force attack on an internet facing system. It wasn’t very amazing; it was a compromised host in a medium size company.

Figure 1 – Whois Lookup

I’ve redacted the screenshot since whois reports are fairly extensive. But we know that the IP address we are working on is 91.211.72.194 and it is part of the 91.211.72.0/22 subnet. We also know that it is part of RIPE, the regional internet registry that includes Europe, which makes sense because they are out of the Netherlands.

Next we will get the netcraft.com information for the domain. Netcraft is an internet security firm out of the UK which does anti-spam and anti-phishing work. We learn two things from the -n option. First, they are reputable enough to not have been reported for spam/phishing and second, that the IP address for the system changed so they probably have a load balancer or are hosting from multiple locations. This also makes sense.

Figure 2 – Netcraft Report

Let’s use the -s option to look for subdomains. This isn’t super interesting, but at least it has a few that we could look at if we were testing the entire domain.

Figure 3 – Subdomain Search

The -e option is useful for starting phishing attacks or feeding information into recon-ng, which we also have a tutorial on (hint, hint). This specific test was super anticlimactic, but you get the idea.

Figure 4 – Email Search

dmitry also has a built-in port scanner. I like the banner enumeration function, so I normally stack the -b option onto the -p port scan option.

Figure 5 – Port Scan

Wow, that is a lot of steps. Why wouldn’t you just stack all those into one and write it out to a file instead? Because then how would this whole primer be longer than one page? The last screenshot is how I actually use it, and I read out of the file instead of off the screen.

Figure 6 – Combined Testing

marktplaats.nl was a boring choice for this tool but with luck whatever domain you point it at will be fruitful.
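
The two exposures this post opens with, a split-view DNS that leaks internal records and test or development hosts left in the public zone, can be checked from the defender's side by auditing the zone you actually publish. This is an added example, not part of the original post or of dmitry; the zone contents, example.com, and both naming patterns are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of an externally served zone; example.com is a placeholder.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
www      IN A     203.0.113.10
intranet IN A     10.20.0.5
test2006 IN A     203.0.113.77
dev-api  IN CNAME build01.corp.example.com.
vpn      IN AAAA  fd12:3456:789a::1
shop     3600 IN AAAA 2001:db8::10
"""
# Explicit list rather than ip.is_private, which also covers documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128")]              # IPv6 ULA, link-local, loopback
# Assumed naming conventions; adjust both patterns to your organization's.
NONPROD = re.compile(r"(^|[-.])(test|dev|int|integration|stag(e|ing)|uat|qa)\d*($|[-.])", re.I)
INTERNAL_NAME = re.compile(r"(^|\.)(corp|internal|local|lan)\.", re.I)

def audit_zone(text):
    """Return sorted (owner, reason) findings for an externally served zone."""
    findings, owner = set(), "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # strip zone-file comments
        if not line.strip() or line.startswith("$"):
            continue                          # blank line or $ORIGIN/$TTL directive
        tokens = line.split()
        if not line[0].isspace():             # indented lines reuse the previous owner
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                     # optional TTL and class
        if len(tokens) < 2:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1]
        if NONPROD.search(owner):
            findings.add((owner, "non-production name published externally"))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr.version == n.version and addr in n for n in INTERNAL_NETS):
                findings.add((owner, f"{rtype} record points at internal address {rdata}"))
        elif rtype == "CNAME" and INTERNAL_NAME.search(rdata):
            findings.add((owner, f"CNAME targets internal-looking name {rdata}"))
    return sorted(findings)

if __name__ == "__main__":
    for owner, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:10} {reason}")
```

Run it against an export of the external view only; anything it flags is a record that an outside resolver can already see.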

DNS Enumeration Theory

Already a genius? Skip this part. The Domain Name System (DNS) is a distributed database containing the address for every domain on a network. When a browser requests a website by name, the local DNS cache is checked to see if a record already exists. If a record doesn’t exist, a DNS lookup is sent to the servers configured in the network settings. If the servers configured for this connection don’t have a cached record, they will forward the request up the hierarchy until either a server knows the address or one of the thirteen root DNS servers that are authoritative for the entire internet responds. Complicated, right? Computers love numbers, and people love words. DNS does the heavy lifting of converting between what people like and what computers like.