DNS (53)

DNS Hierarchy

Nmap

/!\ Script fonctionne pas sous exegol, essayer avec Kali

nmap -sSU -p 53 --script dns-nsid 10.129.11.180

nmap -sSU -p 53 --script=dns-service-discovery 10.129.11.180

nmap -p53 -Pn -sV -sC 10.10.110.213

Host

host support.inlanefreight.com

support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com

FQDN

$ export TARGET="facebook.com"
$ nslookup $TARGET

$ export TARGET=www.facebook.com
$ nslookup -query=A $TARGET

$ nslookup -query=PTR 31.13.92.36

nslookup -type=NS inlanefreight.htb 10.129.104.34
Server:		10.129.104.34
Address:	10.129.104.34#53

inlanefreight.htb	nameserver = ns.inlanefreight.htb.

dig facebook.com @1.1.1.1

dig a www.facebook.com @1.1.1.1

dig -x 31.13.92.36 @1.1.1.1

DNS record

DNS Record	Description
A	Returns an IPv4 address of the requested domain as a result.
AAAA	Returns an IPv6 address of the requested domain.
MX	Returns the responsible mail servers as a result.
NS	Returns the DNS servers (nameservers) of the domain.
TXT	This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam.
CNAME	This record serves as an alias. If the domain www.hackthebox.eu should point to the same IP, and we create an A record for one and a CNAME record for the other.
PTR	The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.
SOA	Provides information about the corresponding DNS zone and email address of the administrative contact.

$ export TARGET="facebook.com"
$ nslookup -query=TXT $TARGET

dig txt facebook.com @1.1.1.1

$ dig CH TXT version.bind 10.129.120.85

; <<>> DiG 9.10.6 <<>> CH TXT version.bind
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47786
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
version.bind.       0       CH      TXT     "9.10.6-P1"

;; ADDITIONAL SECTION:
version.bind.       0       CH      TXT     "9.10.6-P1-Debian"

;; Query time: 2 msec
;; SERVER: 10.129.120.85#53(10.129.120.85)
;; WHEN: Wed Jan 05 20:23:14 UTC 2023
;; MSG SIZE  rcvd: 101

dig any inlanefreight.com

dig any google.com @8.8.8.8

$ export TARGET="google.com"
$ nslookup -query=ANY $TARGET

$ nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja

Zone transfer

If we manage to perform a successful zone transfer for a domain, there is no need to continue enumerating this particular domain as this will extract all the available information.

https://hackertarget.com/zone-transfer/

$ dig axfr inlanefreight.htb @10.129.14.128

; <<>> DiG 9.16.1-Ubuntu <<>> axfr inlanefreight.htb @10.129.14.128
;; global options: +cmd
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN      TXT     "MS=ms97310371"
inlanefreight.htb.      604800  IN      TXT     "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb.      604800  IN      TXT     "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN      A       10.129.18.15
internal.inlanefreight.htb. 604800 IN   A       10.129.1.6
mail1.inlanefreight.htb. 604800 IN      A       10.129.18.201
ns.inlanefreight.htb.   604800  IN      A       10.129.34.136
inlanefreight.htb.      604800  IN      SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 4 msec
;; SERVER: 10.129.14.128#53(10.129.14.128)
;; WHEN: So Sep 19 18:51:19 CEST 2021
;; XFR size: 9 records (messages 1, bytes 520)

fierce --domain zonetransfer.me

NS: nsztm2.digi.ninja. nsztm1.digi.ninja.
SOA: nsztm1.digi.ninja. (81.4.108.41)
Zone: success
{<DNS name @>: '@ 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 '
               '172800 900 1209600 3600\n'
               '@ 300 IN HINFO "Casio fx-700G" "Windows XP"\n'
               '@ 301 IN TXT '
               '"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"\n'
               '@ 7200 IN MX 0 ASPMX.L.GOOGLE.COM.\n'
               '@ 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.\n'
               '@ 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.\n'
               '@ 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.\n'
               '@ 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.\n'
               '@ 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.\n'
               '@ 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.\n'
--SNIP--

Internal zone transfer

$ dig axfr internal.inlanefreight.htb @10.129.14.128

; <<>> DiG 9.16.1-Ubuntu <<>> axfr internal.inlanefreight.htb @10.129.14.128
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN   SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN   TXT     "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN   TXT     "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN   TXT     "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
internal.inlanefreight.htb. 604800 IN   NS      ns.inlanefreight.htb.
dc1.internal.inlanefreight.htb. 604800 IN A     10.129.34.16
dc2.internal.inlanefreight.htb. 604800 IN A     10.129.34.11
mail1.internal.inlanefreight.htb. 604800 IN A   10.129.18.200
ns.internal.inlanefreight.htb. 604800 IN A      10.129.34.136
vpn.internal.inlanefreight.htb. 604800 IN A     10.129.1.6
ws1.internal.inlanefreight.htb. 604800 IN A     10.129.1.34
ws2.internal.inlanefreight.htb. 604800 IN A     10.129.1.35
wsus.internal.inlanefreight.htb. 604800 IN A    10.129.18.2
internal.inlanefreight.htb. 604800 IN   SOA     inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 10.129.14.128#53(10.129.14.128)
;; WHEN: So Sep 19 18:53:11 CEST 2021
;; XFR size: 15 records (messages 1, bytes 664)

MX Records

$ export TARGET="facebook.com"
$ nslookup -query=MX $TARGET

dig mx facebook.com @1.1.1.1

DNSSEC Exploitation

DNS zones that use DNSSEC must use NSEC or NSEC3 records as a means of authenticated denial-of-existence. NSEC allows for fully extracting DNS zones akin to an AXFR zone transfer or a "zone dump". NSEC3 adds hashes to this process which must be cracked, but offline cracking is faster than online brute-forcing. NSEC(3) Walker automates this extraction process

GitHub - Harrison-Mitchell/NSEC-3-Walker: Performs DNS zone dumps by walking DNSSEC NSEC(3) records.GitHub

TLD Brute Force

$ wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt

$ domain="domain"
while read tld; do
    fqdn="${domain}.${tld}"
    if host "$fqdn" > /dev/null 2>&1; then
        echo "$fqdn exists"
    fi
done < tlds-alpha-by-domain.txt

DNS Subdomain Enumeration

DNS Subdomain Enumeration

Whois

Whois

DNS Takeover

dnsreaper - test a domain for subdomain hijackingpunksecurity.co.uk

A Guide To Subdomain Takeovers 2.0 | HackerOneHackerOne

A Guide to DNS Takeovers: The Misunderstood Cousin of Subdomain Takeovers — ProjectDiscovery BlogProjectDiscovery

Hunting down subdomain takeover vulnerabilitiesIntigriti

GitHub - indianajson/can-i-take-over-dns at blog.projectdiscovery.ioGitHub

Detection - Nuclei Template

id: servfail-refused-hosts

info:
  name: DNS Servfail Host Finder
  author: pdteam
  severity: info
  description: A DNS ServFail error occurred. ServFail errors occur when there is an error communicating with a DNS server. This could have a number of causes, including an error on the DNS server itself, or a temporary
    networking issue.
  classification:
    cwe-id: CWE-200
  tags: dns,takeover

dns:
  - name: "{{FQDN}}"
    type: A

    matchers:
      - type: word
        words:
          - "SERVFAIL"
          - "REFUSED"

Subdomain takeover

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.GitHub

A Guide To Subdomain Takeovers 2.0 | HackerOneHackerOne

Domain/Subdomain takeover - HackTricksbook.hacktricks.xyz

AWS NS Takeover

GitHub - shivsahni/NSBrute: Python utility to takeover domains vulnerable to AWS NS TakeoverGitHub

Tools

GitHub - PentestPad/subzy: Subdomain takeover vulnerability checkerGitHub

 subzy --targets subdomains.txt

GitHub - haccer/subjack: Subdomain Takeover tool written in GoGitHub

subjack -w ./targets -v
subjack -w subdomains.txt -t 50 -o results.txt

GitHub - M1S0-0/CNAME-Sniffer: CNAME Sniffer is a subdomain takeover tool designed to help identify subdomains with vulnerable CNAME records that can be exploited for takeover purposes.GitHub

GitHub - ifconfig-me/subowner: SubOwner - A Simple tool check for subdomain takeovers.GitHub

GitHub - r3curs1v3-pr0xy/sub404: A python tool to check subdomain takeover vulnerabilityGitHub

GitHub - JordyZomer/autoSubTakeover: A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.GitHub

GitHub - HacktivistRO/HostileSubBruteForcer: Bruteforce subdomains for subdomains takeover and enumerate the service pointing toGitHub

Nuclei

subfinder -d domain | httpx -silent > subdomains.txt ; nuclei -t /root/nuclei-templates/http/takeovers -l subdomains.txt

CDN or Bucket takeover (S3/Azure)

Always investigate if the main application loads any resources from that subdomain, such as scripts and images.

Check the Network tab in your web console and filter by your subdomain to confirm!

DNS Spoofing

Local DNS Cache Poisoning

From a local network perspective, an attacker can also perform DNS Cache Poisoning using MITM tools like Ettercap or Bettercap.

map the target domain name (e.g., inlanefreight.com) that they want to spoof and the attacker's IP address (e.g., 192.168.225.110) that they want to redirect a user to:

cat /etc/ettercap/etter.dns

inlanefreight.com      A   192.168.225.110
*.inlanefreight.com    A   192.168.225.110

Next, start the Ettercap tool and scan for live hosts within the network by navigating to Hosts > Scan for Hosts. Once completed, add the target IP address (e.g., 192.168.152.129) to Target1 and add a default gateway IP (e.g., 192.168.152.2) to Target2.

Activate dns_spoof attack by navigating to Plugins > Manage Plugins. This sends the target machine with fake DNS responses that will resolve inlanefreight.com to IP address 192.168.225.110:

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Nmap Network Scanning The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.

• The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.

• Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.