April 21, 2008

Yet another trick to suck info from DNS

Tonight I was chatting with Roelof Temmingh (a really cool and helpful man), and we reached the point where he recommended that I write a blog post about the topic we were on. So here it is, Roelof! He also mentioned many new, cool and interesting updates that will be included in Maltego v2 in its upcoming release. Since I'm not sure about his plans, let's wait until he officially releases the details through the mailing list.

There are a few well-known ways to extract information from a DNS server:
  • Zone transfer (AXFR)
  • Brute-forcing sub-domain names
  • Resolving hostnames to IP addresses
All of the above are well documented everywhere. But there is yet another trick for extracting information from a DNS server we have targeted. I call it "reverse IP brute-forcing". Here is how it is done:

Depending on the (mis)configuration of the DNS server, it is sometimes possible to extract valid stored DNS records by handing the server an IP address and asking it to resolve that back to a name. We usually ask "nslookup hostname.target.com ns1.target.com" and get back an IP. This time we ask "nslookup a.b.c.d ns1.target.com" and wait for the response. Under the hood nslookup turns the address into a PTR query for the reversed octets under in-addr.arpa (d.c.b.a.in-addr.arpa), so what we are really testing is which reverse zones the target's name server is willing to answer for, including ones it has no business exposing to the outside.
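What that query looks like on the wire, as an added example that is not part of the original post and uses only the Python standard library: build the reversed in-addr.arpa name, send a PTR question with the RD bit set (what nslookup does) or clear (ask only for zones the server is authoritative for), and read the response code and answer back. The addresses and server name are placeholders; only ptr_lookup() touches the network, and the usage at the bottom takes the same "ip-block dns-server" arguments as the Perl script later in the post.

```python
"""What `nslookup a.b.c.d server` actually sends: a PTR question for the
reversed octets under in-addr.arpa.  Added example (not the original post's
script), standard library only.  The IPs and the server here are
placeholders; only ptr_lookup() touches the network."""
import socket
import struct

TYPE_PTR = 12
CLASS_IN = 1


def reverse_name(ip):
    """'203.0.113.10' -> '10.113.0.203.in-addr.arpa'."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %s" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_ptr_query(ip, txid=0x1234, rd=False):
    """12-byte header + one question.  rd=False (RD bit clear) asks the server
    only for data it is authoritative for, like Net::DNS's recurse(0);
    rd=True is what nslookup sends by default."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(reverse_name(ip)) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_ptr_response(msg):
    """Return {'rcode', 'aa', 'names'}: rcode 5 = REFUSED (server will not
    answer), rcode 3 = NXDOMAIN (with aa set: it serves the reverse zone but
    has no record for this address), rcode 0 = look at 'names'."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400), "names": []}
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                             # qtype + qclass
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            result["names"].append(decode_name(msg, off)[0])
        off += rdlen
    return result


def ptr_lookup(ip, server, rd=False, timeout=2.0):
    """Send the query to `server` over UDP/53 and parse whatever comes back."""
    query = build_ptr_query(ip, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:                # transaction id mismatch
        raise ValueError("response does not match query")
    return parse_ptr_response(data)


if __name__ == "__main__":
    import sys
    # usage: ptr_probe.py 192.168.20 ns2.target.org   (placeholders, as in the post)
    block, server = sys.argv[1], sys.argv[2]
    for host in range(1, 255):
        ip = "%s.%d" % (block, host)
        try:
            r = ptr_lookup(ip, server)
        except (socket.timeout, ValueError):
            continue
        for name in r["names"]:
            print("%s\t%s" % (ip, name))
```

The response code is the check worth keeping an eye on: REFUSED tells you the server will not talk about that range at all, while NXDOMAIN with the authoritative bit set tells you it does hold the reverse zone, so the rest of the block is worth walking.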

And how do we fill in a.b.c.d? It can be either an INTERNAL IP address or another public IP address related to the targeted DNS server. This trick is extremely useful when zone transfers are denied and brute-forcing hostnames did not give you many interesting results. Relying on it (provided the targeted DNS server is affected, of course), you can enumerate almost all useful records of the restricted DNS server, directly and indirectly. Let's try it in a real scenario:

{ Be warned that I randomly chose the domain below to present the idea. I am NOT responsible for YOUR tests against it. Feel free to find and test your own test-bed! }

Assume we want to enumerate any possible information about a target domain and its DNS server. The first shot would be ns.target.com or ns1.target.com to get the IP of the responsible DNS server. We do a hostname brute-force and find ns1, ns2, ..., etc. Then we try a zone transfer, and doh! we're blocked.

> ls -d target.org
[ns2.target.org]
*** Can't list domain target.org: Query refused

Here we can begin our test. To check whether the server is ready for our attack, we feed it a valid IP in its range and see whether it resolves it back to a hostname for us. Valid means the queried IP must already be in use, for example try the IP of www.target.com. Watch the response code as well as the answer: "Query refused" means the server will not answer reverse queries for that range at all, "Non-existent domain" means it does serve that reverse zone and simply has no record for that address, and a name means we are in business.

> www.target.org
Server: ns2.target.org
Address: 2xx.1xx.16.10

Name: nioc-sa.target.org
Address: 2xx.1xx.16.4
Aliases: www.target.org

> 2xx.1xx.16.10
Server: ns2.target.org
Address: 2xx.1xx.16.10

Name: M.new-target.ir
Address: 2xx.1xx.16.10

Seems it's working! The next step can be trying all public IP addresses related to the target. If everything goes fine, at the end you'll have a list of host/domain names, some of them not even in the same domain as the one you targeted, which means a new lead for another loop of foot-printing. At the very least you'll know what OTHER domains are valid or hosted in the IP range you targeted. Good.
But note that the same trick can be used to query INTERNAL hosts and IP addresses. How about enumerating the hostnames of all internal clients and systems behind that mad firewall? ;) Typically this works because one server holds both the public zones and the reverse zones for the internal ranges (10.in-addr.arpa and the like), so the PTR records leak even though the addresses themselves are not routable from outside.
To do so, you must already know the internal IP ranges, or at least guess them. Quick guesses are the RFC 1918 blocks: 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x through 172.31.x.x) and 192.168.0.0/16. But in case the basic guesses fail:
  • Try to grab an email header by googling "@target.com", or even send junk mail to them and wait for any response (a bounce will do). It is very common to find internal IP addresses of systems in the Received: headers of the reply.
  • Try any technical documentation available on the target's support sites, like pages explaining how to configure the proxy, email client, etc.
  • Crawl the public web-sites hosted in the targeted IP range and check them one by one: in the HTML source, look for any hyperlink to \\192.* or \\172.* or http://192.* or similar combinations. It is again common to find image tags in the HTML linked to internal hosts or IPs.
  • Use your Google-fu to do the above.
In my target's case, the last trick worked. I browsed http://www.target.org, viewed the page source, and a quick search turned up: <a href="http://192.168.20.41/eorg" .
Now I have narrowed it down to a specific range to brute-force, and I can try this internal range as above to enumerate info.
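The range-finding steps above, as an added example that is not from the original post: a small Python script that scans saved page source and bounce headers for RFC 1918 addresses (only those three blocks; the ipaddress module's is_private would also flag documentation and test ranges) and turns them into the "192.168.20"-style /24 prefixes the brute-forcer takes. The HTML snippet and the Received: lines are constructed samples, not captured from any real target.

```python
"""Pull candidate internal (RFC 1918) ranges out of saved page source and mail
headers, ready for the reverse-lookup loop.  Added example, not the original
post's code; the HTML and headers below are constructed samples."""
import ipaddress
import re

# dotted quad not glued to further digits/dots (avoids partial matches inside longer strings)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 (172.16.x.x-172.31.x.x) and 192.168/16 only.
    ipaddress's is_private is deliberately not used: it also flags TEST-NET
    and other ranges that are not internal networks."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def internal_addresses(text):
    """Every RFC 1918 address that appears in text (HTML, headers, docs)."""
    return {m.group(1) for m in IPV4_RE.finditer(text) if is_rfc1918(m.group(1))}


def candidate_blocks(addrs):
    """Collapse addresses to the /24 prefix form the brute-forcer takes,
    e.g. 192.168.20.41 -> '192.168.20', sorted numerically."""
    prefixes = {a.rsplit(".", 1)[0] for a in addrs}
    return sorted(prefixes, key=lambda p: ipaddress.IPv4Address(p + ".0"))


# Constructed page source: one internal link (as in the post), one UNC image
# path, and a public link that must not be picked up.
SAMPLE_HTML = r"""
<a href="http://192.168.20.41/eorg">Intranet</a>
<img src="\\172.20.1.7\share\logo.gif">
<a href="http://203.0.113.10/">Public mirror</a>
<script src="/js/jquery-1.12.4.min.js"></script>
"""

# Constructed bounce headers: internal hops leak in Received: lines.
SAMPLE_HEADERS = """\
Received: from mailgw.target.org ([192.168.5.12]) by mx.example.net with ESMTP
Received: from EXCH01.target.local (10.1.7.33) by mailgw.target.org
Received: from mx.example.net (203.0.113.25) by relay.example.org
"""


if __name__ == "__main__":
    found = internal_addresses(SAMPLE_HTML) | internal_addresses(SAMPLE_HEADERS)
    for block in candidate_blocks(found):
        print("candidate range: %s.0/24" % block)
```

Feed the printed prefixes, one at a time, to the brute-forcer as its first argument; the script keeps the public 203.0.113.x addresses out of the list on purpose, since those belong in the public-range pass.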

To speed this process up, I have prepared a very simple Perl script:

#!/usr/bin/perl
# DNS IP brute-forcer v0.1
# hamid@oissg.org
# --------------------------------------------
# This script uses Net::DNS; if you don't have it installed,
# use the command below (win32) to install it:
# "ppm install net-dns"
#
use strict;
use warnings;
use Net::DNS;

unless (@ARGV == 2)
{
print "\n=======================\nDNS IP brute-forcer 0.1\nBy Hamid \@ oissg.org\n=======================\n";
print "This script tries to abuse a DNS-server misconfiguration\n";
print "and extract valid hosts from the server.\n";
print "Using this script against public DNS servers to brute-force\n";
print "internal IP ranges may give back interesting results ;)\n";
print "\nUsage: \n=======================\n";
print "dns-ip-brute.pl {ip-block} {dns-server}\n\n";
print "{ip-block}\tIP range you want to brute-force, without the last octet.\n";
print "{dns-server}\tDNS server to send the PTR queries to.\n";
print "=======================\n";
print "Example :\n";
print "dns-ip-brute.pl 192.168.1 80.90.100.200\n";
exit(0);
}

my ($range, $server) = @ARGV;

# Talk only to the targeted server, with short timeouts and no retries,
# so that a whole /24 finishes quickly.
my $res = Net::DNS::Resolver->new;
$res->nameservers($server);
$res->tcp_timeout(1); #5
$res->udp_timeout(1); #5
$res->retry(1); #3
$res->retrans(1); #2
$res->debug(0);
# RD=0: ask only for data the server is authoritative for, i.e. its own
# forward and reverse zones. Use recurse(1) if the server allows recursion
# and you also want answers for ranges it merely resolves on your behalf.
$res->recurse(0);

print "\nBrute-forcing $range.*\n--------------------------\n\n";
# .0 and .255 are the network and broadcast addresses; .1 is worth asking about.
for my $host (1..254)
{
my $ip = "$range.$host";
# query() on a dotted quad builds the in-addr.arpa name and asks for PTR.
my $query = $res->query($ip);
unless ($query)
{
# warn "$ip: ", $res->errorstring, "\n"; # uncomment to see NXDOMAIN/REFUSED/timeouts
next;
}
foreach my $rr ($query->answer)
{
next unless $rr->type eq "PTR";
print "$ip\t", $rr->ptrdname, "\n";
}
}
print "--------------------------\nDone!\n";


Running it against an affected DNS server gives something like this:


>dns-ip-brute.pl 2xx.1xx.16 2xx.1xx.16.10

Brute-forcing 2xx.1xx.16.*
--------------------------


2xx.1xx.16.4 mail.target.org.
2xx.1xx.16.10 M.target.ir.
2xx.1xx.16.24 payeshgari.target.ir.
2xx.1xx.16.250 samaneh.target.ir.
--------------------------
Done!


Recently I searched Google for the same trick again; back when I first used it, my search turned up no tool or script for it. Now it seems fierce.pl is an alternative to mine, and it has many other options for enumerating info from DNS servers. Check it out. TXDNS and DNS-Digger are my other favourite DNS tools, but neither of them supports this method by default. Some day I may release my modified versions based on those two tools.


