dnsrecon is part of the information gathering stage on a penetration test engagement.When a penetration tester is performing a DNS reconnaissance is trying to obtain as much as information as he can regarding the DNS servers and their records.The information that can be gathered it can disclose the network infrastructure of the company without alerting the IDS/IPS.This is due that most of the organizations are not monitoring their DNS server traffic and those that do they only monitor the zone transfers attempts.
On the web there are a variety of tools available that can gather DNS information effectively but in this article we will focus on the DNSRecon which is a tool that was developed by Carlos Perez and it is designed to perform DNS reconnaissance.This tool is included on backtrack and it is written in python.
Below is the list of things that we can do using DNSRECON Tool:
Top level domain expansion ( Zone Walking and Zone Transfer)
Reverse Lookup against IP range
Perform general DNS query for NS,SOA and MX records (Standard Record Enumeration)
Cache snooping against Name Servers
Google Scanning for Sub Domains and Host
1. Top level domain Expansion:
First of all we all should understand what are top level domains. A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet. For ex: In www.mywebsite.com , .com is a top level domain. Usually expansion occurs for those websites which uses country codes as their top level domains ex: .in, .uk, .au etc. As the name suggests Top level domain Expansion means to expand your domain from one region to other which is also known as Zone Transfer and in case zones are not correctly configured we can extract almost all internal records of a domain which is also known as Zone Walking. So we can use DNS Recon for multiple purposes i.e. Zone Walking and Zone Transfer. Lets understand both of them in detail i.e. How we will use DNSRECON to exploit both of these features:
a. Zone Transfer :
The security problem with DNS zone transfer is that it can be used to decipher the topology of a company’s network. Specifically when a user is trying to perform a zone transfer it sends a DNS query to list all DNS information like name servers,host names,MX and CNAME records, zone serial number, Time to Live records etc. Due to the amount of information that can be obtained DNS zone transfer cannot be easily found in nowadays. However DNSRecon provides the ability to perform Zone Transfers and we can use following commands to perform Zone transfer:
dnsrecon -d <mywebsite.com> -a
or you can use below command :
dnsrecon -d <mywebsite.com> -t axfr
2. Reverse Lookup against IP range:
DNSRecon can perform a reverse lookup for PTR (Pointer) records against IPv4 and IPv6 address ranges.To run reverse lookup enumeration the command:
dnsrecon -r <startIP>-<endIP>
For Example :
dnsrecon -r 192.168.5.100-192.168.5.200
Also reverse lookup can be performed against all ranges in SPF records with the command :
dnsrecon -d <domain> -s
3. Domain Brute Force Enumeration:
For performing Domain Brute force technique, we have to give a name list and it will try to resolve the A,AAA and CNAME records against the domain by trying each entry one by one.
In order to perform domain brute force attack user needs to type below command:
dnsrecon -d <domain> -D <namelist> -t brt
dnsrecon -d hackingloops.com -D namelist.txt -t brt
4. Cache Snooping against name servers:
DNS cache snooping happens when the DNS server has a specific DNS record cached.This DNS record will often reveal plenty of information about the name servers and other DNS information.However DNS cache snooping does not happen quite often because servers normally do not cache DNS records.
The command that can be used to perform cache snooping is as follows:
dnsrecon -t snoop -n server -D <dictionary file>
For example :
dnsrecon -t snoop -n <server IP address> -D dictionary.txt
5. Standard Records Enumeration:
Standard Enumeration is generally used to gather information about NameServers,SOA and MX records. In order to perform standard enumeration you can use below command:
dnsrecon -d <domain>
dnsrecon -d hackingloops.com
There are lot of other options that DNSRECON tool provides. It is an extremely useful tool to gather plenty of information about DNS records.
-h, --help Show this help message and exit -d, --domain <domain> Domain to Target for enumeration. -r, --range <range> IP Range for reverse look-up brute force in formats (first-last) or in (range/bitmask). -n, --name_server <name> Domain server to use, if none is given the SOA of the target will be used -D, --dictionary <file> Dictionary file of sub-domain and hostnames to use for brute force. -f Filter out of Brute Force Domain lookup records that resolve to the wildcard defined IP Address when saving records. -t, --type <types> Specify the type of enumeration to perform: std To Enumerate general record types, enumerates. SOA, NS, A, AAAA, MX and SRV if AXRF on the NS Servers fail. rvl To Reverse Look Up a given CIDR IP range. brt To Brute force Domains and Hosts using a given dictionary. srv To Enumerate common SRV Records for a given domain. axfr Test all NS Servers in a domain for misconfigured zone transfers. goo Perform Google search for sub-domains and hosts. snoop To Perform a Cache Snooping against all NS servers for a given domain, testing all with file containing the domains, file given with -D option. tld Will remove the TLD of given domain and test against all TLD's registered in IANA zonewalk Will perform a DNSSEC Zone Walk using NSEC Records. -a Perform AXFR with the standard enumeration. -s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the targeted domain with the standard enumeration. -g Perform Google enumeration with the standard enumeration. -w Do deep whois record analysis and reverse look-up of IP ranges found thru whois when doing standard query. -z Performs a DNSSEC Zone Walk with the standard enumeration. --threads <number> Number of threads to use in Range Reverse Look-up, Forward Look-up Brute force and SRV Record Enumeration --lifetime <number> Time to wait for a server to response to a query. --db <file> SQLite 3 file to save found records. --xml <file> XML File to save found records. -c, --csv <file> Comma separated value file. -v Show attempts in the bruteforce modes.
cyborg@cyborg:~$ sudo dnsrecon -d google.com -a [*] Performing General Enumeration of Domain: google.com [*] Checking for Zone Transfer for google.com name servers [*] Resolving SOA Record [*] SOA ns4.google.com 188.8.131.52 [*] Resolving NS Records [*] NS Servers found: [*] NS ns1.google.com 184.108.40.206 [*] NS ns4.google.com 220.127.116.11 [*] NS ns3.google.com 18.104.22.168 [*] NS ns2.google.com 22.214.171.124 [*] Removing any duplicate NS server IP Addresses... [*] Trying NS server 126.96.36.199 [*] 188.8.131.52 Has port 53 TCP Open [-] Zone Transfer Failed! [-] [*] Trying NS server 184.108.40.206 [*] 220.127.116.11 Has port 53 TCP Open [-] Zone Transfer Failed! [-] [*] Trying NS server 18.104.22.168 [*] 22.214.171.124 Has port 53 TCP Open [-] Zone Transfer Failed! [-] [*] Trying NS server 126.96.36.199 [*] 188.8.131.52 Has port 53 TCP Open [-] Zone Transfer Failed! [-] [-] DNSSEC is not configured for google.com [*] SOA ns4.google.com 184.108.40.206 [*] NS ns1.google.com 220.127.116.11 [*] NS ns4.google.com 18.104.22.168 [*] NS ns2.google.com 22.214.171.124 [*] NS ns3.google.com 126.96.36.199 [*] MX alt1.aspmx.l.google.com 188.8.131.52 [*] MX alt3.aspmx.l.google.com 184.108.40.206 [*] MX alt2.aspmx.l.google.com 220.127.116.11 [*] A google.com 18.104.22.168 [*] AAAA google.com 2404:6800:4007:805::200e [*] TXT google.com v=spf1 include:_spf.google.com ~all [*] Enumerating SRV Records [*] SRV _ldap._tcp.google.com ldap.google.com 22.214.171.124 389 0 [*] SRV _xmpp-client._tcp.google.com xmpp.l.google.com 126.96.36.199 5222 0 [*] SRV _xmpp-client._tcp.google.com xmpp.l.google.com 2404:6800:4003:c01::7d 5222 0 [*] SRV _xmpp-client._tcp.google.com alt4.xmpp.l.google.com 188.8.131.52 5222 0 [*] SRV _xmpp-client._tcp.google.com alt4.xmpp.l.google.com 2607:f8b0:4001:c07::7d 5222 0 [*] SRV _xmpp-client._tcp.google.com alt1.xmpp.l.google.com 2404:6800:4008:c01::7d 5222 0 [*] SRV _xmpp-client._tcp.google.com alt3.xmpp.l.google.com 184.108.40.206 5222 0 [*] SRV _xmpp-client._tcp.google.com alt3.xmpp.l.google.com 2607:f8b0:4003:c02::7d 5222 0 [*] SRV _xmpp-client._tcp.google.com alt2.xmpp.l.google.com 220.127.116.11 5222 0 [*] SRV _xmpp-client._tcp.google.com alt2.xmpp.l.google.com 2607:f8b0:400e:c03::7d 5222 0 [*] SRV _xmpp-server._tcp.google.com alt3.xmpp-server.l.google.com no_ip 5269 0 [*] SRV _xmpp-server._tcp.google.com alt1.xmpp-server.l.google.com 18.104.22.168 5269 0 [*] SRV _xmpp-server._tcp.google.com alt2.xmpp-server.l.google.com 22.214.171.124 5269 0 [*] SRV _xmpp-server._tcp.google.com alt4.xmpp-server.l.google.com no_ip 5269 0 [*] SRV _xmpp-server._tcp.google.com xmpp-server.l.google.com 126.96.36.199 5269 0 [*] SRV _jabber-client._tcp.google.com alt4.xmpp.l.google.com 188.8.131.52 5222 0 [*] SRV _jabber-client._tcp.google.com alt4.xmpp.l.google.com 2607:f8b0:4001:c07::7d 5222 0 [*] SRV _jabber-client._tcp.google.com xmpp.l.google.com no_ip 5222 0 [*] SRV _jabber-client._tcp.google.com alt2.xmpp.l.google.com 184.108.40.206 5222 0 [*] SRV _jabber-client._tcp.google.com alt3.xmpp.l.google.com 220.127.116.11 5222 0 [*] SRV _jabber-client._tcp.google.com alt3.xmpp.l.google.com 2607:f8b0:4003:c08::7d 5222 0 [*] SRV _jabber-client._tcp.google.com alt1.xmpp.l.google.com 18.104.22.168 5222 0 [*] SRV _jabber-client._tcp.google.com alt1.xmpp.l.google.com 2404:6800:4008:c01::7d 5222 0 [*] 23 Records Found