2007
A HACKING ODYSSEY PART I: RECONNAISSANCE CONT...
Without DNS you would have to remember 64.233.167.99 and type that in
whenever you wanted to go to Google. When you wanted to go to Hotmail you
would have to enter 64.4.33.7, and for Digg you would have to enter
64.191.203.30. You can see how confusing this would become: if you
wanted to advertise your business web site you would have to use an IP
address and hope everyone could remember it.
DNS allows us to use a human readable syntax that we can remember
easily, to browse the Internet. Without it, the Internet would be very
chaotic.
You can find a very good explanation of DNS here:
http://en.wikipedia.org/wiki/Domain_name_system
But what has all this got to do with our reconnaissance? Well, there are
different types of DNS records, used for different services. If we
wanted to send an email to an organisation, a DNS record would tell the
sending mail server the IP address of that organisation's mail server.
This record is called an MX record (Mail Exchange). DNS records can also
be used for web servers, FTP servers etc.
If we could get our hands on all of the DNS records for our target
domain, we would have a huge chunk of valuable information for the next
phase of our attack, as we would know where to go to try and gain
specific entry to the network: if we wanted to exploit their mail
server, DNS would tell us where it is; if we wanted to attack their FTP
server, DNS would tell us where it is.
DNS servers support something called a Zone Transfer, which is a way for
the DNS server to hand someone all the information it holds about a
certain domain: MX records, A records, PTR records etc.
There is a catch, though: properly configured DNS servers only allow
Zone Transfers to authorised hosts, and sometimes not at all. Going back
to the WHOIS record we found, the very last entry listed is the DNS
servers that our target uses:
Quote:
Name servers:
ns0.serve.co.uk
ns0.serve.net.uk
So let us try and see if a Zone Transfer will work on these DNS servers:
Go back to your nslookup prompt:
Code:
C:\Documents and Settings\Nokia>nslookup
Default Server: speedtouch.lan
Address: 192.168.1.254
>
And type “server ns0.serve.co.uk” (you could even do an nslookup for
this name and use the IP address instead if you wanted):
Code:
> server ns0.serve.co.uk
Default Server: ns0.serve.co.uk
Address: 212.69.220.10
>
This tells the nslookup application to query the server you have
specified instead of your own default one. (Since this is where the
information relating to the shedstore.co.uk domain is held, it is the
server we need to get the information from.)
To ask it for all the information it has on the shedstore.co.uk domain
(a Zone Transfer), we use the following command:
Code:
> ls -d shedstore.co.uk
If Zone Transfers are enabled for casual users, and we have the right
DNS server for our domain, it should reply with all of the DNS records
it holds:
Code:
> server ns0.serve.co.uk
Default Server: ns0.serve.co.uk
Address: 212.69.220.10
> ls -d shedstore.co.uk
[ns0.serve.co.uk]
 shedstore.co.uk.  SOA    ns0.serve.co.uk hostmaster.dsvr.co.uk. (2006122800 3600 1800 86400 3600)
 shedstore.co.uk.  NS     ns0.serve.co.uk
 shedstore.co.uk.  NS     ns0.serve.net.uk
 shedstore.co.uk.  MX     5 mx81.emailfiltering.com
 shedstore.co.uk.  MX     10 mx82.emailfiltering.com
 shedstore.co.uk.  MX     20 mx83.emailfiltering.com
 shedstore.co.uk.  A      212.69.210.106
 ftp               CNAME  www.shedstore.co.uk
 mail              CNAME  www.shedstore.co.uk
 smtp              CNAME  www.shedstore.co.uk
 www               A      212.69.210.106
 shedstore.co.uk.  SOA    ns0.serve.co.uk hostmaster.dsvr.co.uk. (2006122800 3600 1800 86400 3600)
>
** Tip – there will nearly always be two name servers listed in the
WHOIS record. If the first one does not allow Zone Transfers, always
try the second one too, as this is usually a backup DNS server and may
not be configured the same as the first one. **
So what have we got?
We have the Start of Authority (SOA) record, which names the
authoritative DNS server for the shedstore.co.uk domain. The numbers
after it are pretty unimportant to us but refer to the zone's serial
number, refresh rate, retry rate etc.
The Name Server (NS) records basically tie the domain name to its DNS
servers. Think of it as a mapping so others can find the correct DNS
server.
The MX records, which we have already covered, say where all email for
the domain should be sent. In our case it looks like Shed Store is
outsourcing their email to a hosting provider of some kind.
The CNAME (Canonical Name) records are aliases and point back to the A
record. They are usually used when more than one type of service runs
on the same IP address; in this case it is FTP, HTTP and SMTP.
The A record (Address record) is the main DNS record and does the
actual mapping of the domain name to the IP address. The CNAME records
referred to above all resolve to this A record. (If you now do an
nslookup for shedstore.co.uk, it is this very A record that is
consulted to return the IP address to you.)
The one glaring omission is a PTR record, which handles the reverse DNS
(rDNS) lookup (the opposite of the A record, so to speak). If you do an
nslookup on the IP address 212.69.210.106 you won’t get shedstore.co.uk:
Code:
C:\Documents and Settings\Nokia>nslookup 212.69.210.106
Server: speedtouch.lan
Address: 192.168.1.254
Name: internetdesign.dsvr.co.uk
Address: 212.69.210.106
This is another indication that the website is hosted by a third party,
probably called Internet Design, and that they have only bothered to
update the A record and not the PTR record. If you go back to the WHOIS
record it backs this theory up:
Code:
Registrant's agent:
Thus plc t/a DSVR [Tag = DSVR]
URL: http://www.dsvr.co.uk
If we couple this with the fact that the DNS server itself is not
configured adequately, and that we were able to complete a Zone
Transfer, we could conclude that this is a very sloppy setup. It could
mean they are not using as good a web hosting service as they could,
that they do not understand the DNS implications of their own setup,
and that they have never tested their security. Hence more proof that
they may not be very IT savvy.
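To turn the walk-through above into something repeatable, here is an added example (not part of the original tutorial) that parses an nslookup "ls -d" listing into records and pulls out the same observations: the SOA primary and serial, the name servers, the MX hosts in preference order, the CNAME aliases grouped by target, whether mail is handled off-domain, and whether a reverse (PTR) name disagrees with the forward A record. The sample listing is constructed from the shedstore.co.uk output shown above; the function names are my own.

```python
from collections import defaultdict

# Constructed sample: the listing from the tutorial, one record per line as nslookup prints it.
ZONE_LISTING = """\
[ns0.serve.co.uk]
 shedstore.co.uk.  SOA   ns0.serve.co.uk hostmaster.dsvr.co.uk. (2006122800 3600 1800 86400 3600)
 shedstore.co.uk.  NS    ns0.serve.co.uk
 shedstore.co.uk.  NS    ns0.serve.net.uk
 shedstore.co.uk.  MX    5 mx81.emailfiltering.com
 shedstore.co.uk.  MX    10 mx82.emailfiltering.com
 shedstore.co.uk.  MX    20 mx83.emailfiltering.com
 shedstore.co.uk.  A     212.69.210.106
 ftp               CNAME www.shedstore.co.uk
 mail              CNAME www.shedstore.co.uk
 smtp              CNAME www.shedstore.co.uk
 www               A     212.69.210.106
"""

def parse_listing(text):
    """Return (name, type, data) tuples, skipping the [server] banner line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("["):
            name, rtype, data = line.split(None, 2)
            records.append((name, rtype, data))
    return records

def summarise(records):
    """Group the records the way the tutorial walks through them."""
    out = {"SOA": None, "NS": [], "MX": [], "A": {}, "CNAME": defaultdict(list)}
    for name, rtype, data in records:
        if rtype == "SOA":                       # primary server and zone serial number
            out["SOA"] = (data.split()[0], int(data.split("(")[1].split()[0]))
        elif rtype == "NS":
            out["NS"].append(data)
        elif rtype == "MX":                      # lower preference value is tried first
            pref, host = data.split()
            out["MX"].append((int(pref), host))
        elif rtype == "A":
            out["A"][name] = data
        elif rtype == "CNAME":                   # aliases grouped by the name they point at
            out["CNAME"][data].append(name)
    out["MX"].sort()
    return out

def mail_outsourced(summary, domain):
    """True when no MX host is under the domain itself (mail handled by a third party)."""
    return all(not host.endswith(domain) for _, host in summary["MX"])

def ptr_mismatch(forward_name, ptr_name):
    """True when the reverse lookup names a different host than the forward A record."""
    return ptr_name.rstrip(".").lower() != forward_name.rstrip(".").lower()
```

Run the same functions over your own zone's listing to confirm that a transfer is refused from an unauthorised host and that forward and reverse records agree.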
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on February 7th, 2007 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post. We do not sell, publish, transmit, or
have the right to give permission for such. TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.