Class Activity 3.1 DNS Enumeration

DNS Enumeration Using Bash

DNS holds a large amount of information that can be helpful to pen testers, including:

  • hostnames

  • naming conventions

  • hierarchical namespaces

  • IP resolution

A misconfigured DNS server can be very useful!

DNS Enumeration is the process that uncovers all DNS records for a domain. It can reveal a domain's footprint and potential vulnerabilities.

Using the scripts from Assignment 2.1 Port Scanning 1 and Activity 2.1 Host Discovery, write a script that scans the network prefix 10.0.5/24 on the TCP port associated with DNS (53). Pass a network prefix (10.0.5) and a port (53) and scan .1 through .254 on the network for DNS.

#!/bin/bash

#variables users must define when running the script: network prefix (e.g. 10.0.5) and port (e.g. 53)
host=$1
port=$2

#append the last octet to the network prefix and iterate through .1 to .254
for i in $(seq 1 254); do
    #try a TCP connect through /dev/tcp with a short timeout; only a successful connect prints
    if timeout 0.1 bash -c "echo >/dev/tcp/$host.$i/$port" 2>/dev/null; then
        echo "$host.$i/$port"
    fi
done

  • $host.$i

    • since we want to append i to the end of the network prefix (host), we have to write $host.$i.

Deliverable 1. Provide a screenshot of your /24 port scan against 10.0.5.0/24 similar to the one below.

[Screenshot: Portscanner2 script in Kali]
[Screenshot: successful run of the script]

Organizing our Source Code

See the link below for instructions on how I set up git on my VM

How to Push Code to Github

Deliverable 2. Provide a screenshot similar to the one below that shows your directory structure and the source code of your /24 port scanner. Note that this code can be a one-liner, but I want you to go through the process of submitting source code to GitHub.

DNS Reverse Lookup

Ignore 10.0.5.2 (the default gateway/firewall) and settle in on the other DNS server that was found (10.0.5.22). We are going to attempt a zone transfer (this won't work because it's a secured DNS server).

A zone transfer is the process of copying a DNS zone file from a primary server to a secondary server. This allows the secondary server to continue to resolve names if the primary server fails. (also fabulous for pen testing purposes)

Try a reverse lookup using nslookup. We can force nslookup to use a specific DNS server to look up a host.

  • nslookup 10.0.5.21 10.0.5.22

Deliverable 3. Write a script that takes a network prefix and a specific dns server in which to perform a lookup. Assume a /24 network. Provide a screenshot similar to the one below showing the program run.

#!/bin/bash

#network prefix (e.g. 10.0.5) and the DNS server to query
network=$1
DNS_Server=$2

#reverse-lookup every host in the /24 against the chosen server and keep only the PTR answers
for i in $(seq 1 254); do
  nslookup "$network.$i" "$DNS_Server" | grep "name ="
done

[Screenshot: script in Kali]
[Screenshot: script running successfully]

Deliverable 4. Provide a screenshot similar to the one below that shows your directory structure and the source code of your dns resolver.

NMAP

Deliverable 5. Use nmap to find your DNS servers. Figure out how to:

● skip host discovery

● use a grepable output to send results to dns-servers2.txt

● only scan for a single tcp port across 10.0.5.0/24

● only report "open" ports

● see if you can use a bash 1 or 2 liner to list the unique IP addresses that respond to DNS lookups.

sudo nmap -Pn -p 53 --open 10.0.5.0/24 -oG dns-servers.txt

[Screenshot: skip host discovery, grepable output to dns-servers.txt, scan a single port, only report open ports]
[Screenshot: unique one-liner working]
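The unique-IP one- or two-liner asked for in the last bullet, worked through as an added example rather than the course's own solution. It assumes the grepable report written by the nmap command above; the sample lines below are constructed in nmap's -oG line format to stand in for a real dns-servers.txt.

```shell
#!/bin/bash
# Added example: list the unique IPs that answered on TCP/53 in an nmap
# grepable (-oG) report. Not the course's own one-liner.

# Constructed sample in nmap's -oG line format (not a real scan result).
# A real run would read dns-servers.txt instead.
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample)
Host: 10.0.5.2 ()   Status: Up
Host: 10.0.5.2 ()   Ports: 53/open/tcp//domain///
Host: 10.0.5.22 ()  Status: Up
Host: 10.0.5.22 ()  Ports: 53/open/tcp//domain///
Host: 10.0.5.40 ()  Ports: 53/filtered/tcp//domain///
# Nmap done (constructed sample)'
GNMAP_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$GNMAP_FILE"

# open_dns_hosts FILE -> unique host IPs whose port-53 entry is "open".
# The Ports: field lists entries as port/state/proto/...; matching the
# "53/open/" entry (not just the digits 53) skips filtered/closed hosts
# and the "Status: Up" lines, and sort -u collapses the duplicates.
open_dns_hosts() {
    grep -E '(Ports: |, )53/open/' "$1" | awk '{ print $2 }' | sort -u
}

open_dns_hosts "$GNMAP_FILE"
```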

Reverse Lookup with NMAP

Deliverable 6. Use nmap with -sL (list targets) while specifying a DNS server. Use grep and cut or awk to produce output similar to the one below. Provide a screenshot showing your modified nmap run.

  • sudo nmap -sL 10.0.5.0/24 --dns-servers 10.0.5.22 | grep '.\{32,\}' | sed 's/Nmap scan report for//I'

    • grep '.\{32,\}' matches lines with at least 32 characters

    • sed 's/Nmap scan report for//I'

      • 's/Nmap scan report for//' tells the sed command to replace "Nmap scan report for" with nothing.

      • I makes the match case-insensitive

Zone Transfer

Refer to this document --> https://digi.ninja/projects/zonetransferme.php

This security researcher has kindly set up a weak DNS server that allows zone transfers. We will use the following commands to see what a successful zone transfer looks like.

Find the nameservers:

Attempt the zone transfer:

Deliverable 7. zt.txt should contain some useful information; see what you can do to parse it so that each line gives a hostname and its associated IP address. Provide a screenshot similar to the one below. Note, the screenshot below is not quite perfect, as not every host has an IP address.

[Screenshot: parsing the zt.txt file]
  • grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' zt.txt

    • -E enables extended regular expressions

    • The regex ([0-9]{1,3}\.){3}[0-9]{1,3} matches IPv4 addresses.

  • awk '{print $1 "," $5}'

    • $1 prints the hostname

    • $5 prints the associated IP

Extended regex (regular expressions) provide a richer set of pattern matching tools with a syntax that is easier to read and write, especially for complex patterns.
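As an added example (not the course's own parsing) covering both the grep/awk bullets above and the note that not every kept line has an IP: a script that keeps only A records from a dig-style zt.txt. It assumes the file is in dig's five-field record format (name, TTL, class, type, rdata); the sample zone below is constructed, not real zonetransfer.me data.

```shell
#!/bin/bash
# Added example: turn dig AXFR output (zt.txt) into "hostname,ip" pairs.
# Not the course's own solution; it assumes zt.txt is in dig's zone format,
# one record per line: name TTL class type rdata.

# Constructed sample zone (not real zonetransfer.me data).
SAMPLE_ZONE='; <<>> DiG <<>> axfr example.test (constructed sample)
example.test.        7200  IN  SOA    ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300
example.test.        7200  IN  A      192.0.2.10
example.test.        7200  IN  MX     10 mail.example.test.
example.test.        300   IN  TXT    "v=spf1 ip4:192.0.2.0/24 -all"
mail.example.test.   7200  IN  A      192.0.2.25
www.example.test.    7200  IN  CNAME  example.test.
ns1.example.test.    7200  IN  A      192.0.2.53'
ZONE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_ZONE" > "$ZONE_FILE"

# naive_ip_lines FILE -> how many lines the IPv4 regex alone would keep.
# The TXT record's "ip4:192.0.2.0/24" also matches, which is why a pure
# regex match over-reports and why not every kept line carries a host IP.
naive_ip_lines() {
    grep -Ec '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1"
}

# parse_zone FILE -> hostname,ip for A records only, sorted and deduplicated.
# Field 4 is the record type, so SOA/MX/TXT/CNAME lines never reach the
# print; the trailing dot of the owner name is stripped.
parse_zone() {
    awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1 "," $5 }' "$1" | sort -u
}

parse_zone "$ZONE_FILE"
```

Run parse_zone against the real zt.txt to get the hostname,ip list the deliverable asks for; naive_ip_lines shows how many extra lines the regex-only approach would keep.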
