DNS
Revision as of 16:06, 4 January 2012
DNS stands for Domain Name System.
DNS resolves hostnames to IP addresses (forward lookups, via A and AAAA records) and IP addresses back to hostnames (reverse lookups, via PTR records). DNS records also designate which servers handle a domain's e-mail (MX records).
DNS Basics
DNS resolves domain names (such as www.blackhatacademy.org) into IP addresses: 4-byte IPv4 addresses (such as 173.245.60.117, held in A records) and 16-byte IPv6 addresses (held in AAAA records). It can also yield a wealth of other information about a site, all of it useful for troubleshooting, penetration testing and recon.
DNS Recon
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:
host random.com

That returns the basics: IP addresses (A records, AAAA for IPv6) and the mail servers (MX records). For more, use the -a flag, which is shorthand for -v -t ANY and prints every record type the server hands back, from TXT records to DNSSEC records (DNSKEY, RRSIG). Caveat: many resolvers and authoritative servers now answer ANY with a minimal or empty response (RFC 8482), so when -a comes back thin, ask for the types you care about one at a time, e.g. host -t txt random.com or host -t dnskey random.com.
Taking it a bit further, you can pull a lot more out of DNS given the right circumstances. If an authoritative name server allows zone transfers (AXFR) from anyone, it will hand over the whole zone for a domain it serves: every subdomain and host record, with no guessing involved. The easiest way to check is to first list the domain's name servers:

host -t ns random.com

This returns the authoritative name servers for random.com. A recursive resolver will not answer an AXFR, so you have to ask one of those servers directly; host -l requests the transfer, and the trailing dot makes the zone name fully qualified:

host -l random.com. ns75.worldnic.com

If the server refuses, host reports that the transfer failed; try the next name server in the list, since one is sometimes locked down while another is not. Here is an excerpt from a successful zone transfer against a different domain:
outlookccc.wideopenwest.com has address 64.233.207.77
mail.outlookccc.wideopenwest.com has address 12.152.37.50
pop-13.wideopenwest.com has address 64.233.207.59
pop-14.wideopenwest.com has address 64.233.207.60
portal.wideopenwest.com has address 64.233.207.39
There are many useful free DNS utilities on the internet. One in particular that we endorse is YouGetSignal's reverse-IP lookup, http://www.yougetsignal.com/tools/web-sites-on-web-server/ (that tool specifically). You enter a domain or an IP and it returns a list of domain names that point to that IP, which tells you what else is hosted on the same server.
See protocols for more information.