dnsdict6
dnsdict6 is a utility used to enumerate a domain for IPv6 DNS entries, meaning it will try to find as many IPv6 DNS records (AAAA records) for the selected domain as possible. This is useful for finding subdomains that may be invisible to the public but still exist in DNS records. Often, these forgotten domains are outdated and can be a vector for exploit-based attacks against the domain. dnsdict6 uses a dictionary list to guess possible DNS entries.
Example Usage: dnsdict6 google.com
dnsenum.pl
dnsenum is a Perl utility used to collect as much information as possible regarding a domain. It collects basic information such as A records (host addresses), nameservers, and MX records (mail hosts), but also extracts useful information such as BIND versions and searches for unlisted subdomains using a dictionary-based attack. dnsenum also has reverse lookup utilities that can perform reverse DNS lookups for class C network ranges. In the example below, we use dnsenum to look for as much information as possible for the technology-flow.com domain.
Example Usage: ./dnsenum.pl --enum -f dns.txt --update a -r technology-flow.com
dnsmap
dnsmap is a utility used to create a list of hosts and DNS records for a domain. It uses a word list to search for possible subdomains, and can output results in several different formats, such as CSV or plain .txt. In the examples below, we use the dnsmap utility to attempt to map the hosts that technology-flow.com uses. In the second example, a wordlist is used to guess subdomains, and the results are written to /root/results.txt. The final example simply writes the results to /root/results.txt.
Example Usage: dnsmap technology-flow.com
Example Usage: dnsmap technology-flow.com -w wordlist.txt -r /root/results.txt
Example Usage: dnsmap technology-flow.com -r /root/results.txt
dnsrecon
dnsrecon is a Python-based utility. Currently, dnsrecon has 6 features that make it great for gathering information about a domain or IP address from DNS records:
- Reverse lookups for IP blocks
- Top level domain expansion
- DNS host and domain bruteforce
- A, NS, SOA and MX record lookups
- Zone transfer for each NS server found
- Find SRV records
Example Usage: ./dnsrecon.py -t brt -d technology-flow.com -D dictionary.lst
dnstracer
dnstracer is a program that reports the chain of DNS servers that a DNS request passes through in order to do a DNS lookup. It tells the user which servers have authority for a zone, and which intermediary DNS nodes were found along the way. This tool is very simple to use; the example below uses dnstracer to verbosely find DNS server information for a lookup of technology-flow.com.
Example Usage: dnstracer -v technology-flow.com
dnswalk
dnswalk is a Perl script that helps debug DNS servers. It can run zone transfers for domains, and can help check the consistency and accuracy of records. While originally intended for use as a DNS debugger, dnswalk can be used to gather information about a particular target domain or target DNS server. In the example below, we look up information for the technology-flow.com domain. Note the trailing ".", which is an important part of the domain name system (it marks a fully qualified name). Also note that dnswalk provides as much information in its error/warning messages (many servers don't allow zone transfers) as it does in successfully completed queries and transfers.
Example Usage: ./dnswalk technology-flow.com.
fierce
fierce is a Perl program that aims to scan for non-contiguous IP address space. This means it uses a brute-force DNS lookup method to search for allocated/unallocated IP addresses for a domain. This information is useful for other scanners, such as nmap, nessus, or nikto, since those utilities need IP information as input. In the first example below, we scan for IP addresses in the 111.222.333.0/24 range, using ns1.nameserver.com as the nameserver. Next, we use fierce to scan a particular domain, technology-flow.com.
Example Usage: ./fierce.pl -range 111.222.333.0-255 -dnsserver ns1.nameserver.com
Example Usage: ./fierce.pl technology-flow.com
lbd
lbd is a proof-of-concept shell script that attempts to detect whether a domain uses a load balancing system. To do this, it looks for both DNS and HTTP load balancing and attempts to determine whether either is in use. This is useful for gathering information about a domain's architecture, as well as how a domain may react to a sudden increase in traffic, such as that caused by a Distributed Denial of Service (DDoS) attack. In this example, we check whether technology-flow.com uses load balancing (it does not):
Example Usage: ./lbd.sh technology-flow.com