53 - Pentesting DNS

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

The Domain Name System (DNS) serves as the internet's directory, allowing users to access websites through easy-to-remember domain names like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world.

Default port: 53

```
PORT     STATE SERVICE  REASON
53/tcp   open  domain   Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
5353/udp open  zeroconf udp-response
53/udp   open  domain   Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
```

Different DNS Servers

  • DNS Root Servers: These are at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (ICANN) oversees their operation, with a global count of 13.
  • Authoritative Nameservers: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers.
  • Non-authoritative Nameservers: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers.
  • Caching DNS Server: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server.
  • Forwarding Server: Serving a straightforward role, forwarding servers simply relay queries to another server.
  • Resolver: Integrated within computers or routers, resolvers execute name resolution locally and are not considered authoritative.

Enumeration

There are no banners in DNS, but you can send the magic query for version.bind CHAOS TXT, which will work on most BIND nameservers.
You can perform this query using dig:

```bash
dig version.bind CHAOS TXT @DNS
```

Moreover, the tool fpdns can also fingerprint the server.

It's also possible to grab the banner with an nmap script:

```bash
--script dns-nsid
```

Any record

The record ANY will ask the DNS server to return all the available entries that it is willing to disclose.

```bash
dig any victim.com @<DNS_IP>
```

Zone Transfer

This procedure is abbreviated Asynchronous Full Transfer Zone (AXFR).

```bash
dig axfr @<DNS_IP>          #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP> #Will try to perform a zone transfer against every authoritative name server and, if this doesn't work, will launch a dictionary attack
```

More info

```bash
dig ANY @<DNS_IP> <DOMAIN>     #Any information
dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN>     #Information
dig MX @<DNS_IP> <DOMAIN>      #Emails related
dig NS @<DNS_IP> <DOMAIN>      #DNS that resolves that name
dig -x 192.168.0.2 @<DNS_IP>   #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #Reverse IPv6 lookup
#Use [-p PORT] or -6 (to use the IPv6 address of the DNS server)
```

Automation

```bash
for sub in $(cat <WORDLIST>); do
  dig $sub.<DOMAIN> @<DNS_IP> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt
done
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>
```

Using nslookup

```bash
nslookup
> SERVER <IP_DNS> #Select dns server
> 127.0.0.1       #Reverse lookup of 127.0.0.1, maybe...
> <IP_MACHINE>    #Reverse lookup of a machine, maybe...
```

Useful metasploit modules

```bash
auxiliary/gather/enum_dns #Perform enumeration actions
```

Useful nmap scripts

```bash
#Perform enumeration actions
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>
```

DNS - Reverse BF

```bash
dnsrecon -r 127.0.0.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>   #DNS reverse of all of the addresses
dnsrecon -d active.htb -a -n <IP_DNS> #Zone transfer
```

note

If you are able to find subdomains resolving to internal IP-addresses, you should try to perform a reverse dns BF to the NSs of the domain asking for that IP range.

Another tool to do so: https://github.com/amine7536/reverse-scan

You can query reverse IP ranges to https://bgp.he.net/net/205.166.76.0/24#_dns (this tool is also helpful with BGP).

DNS - Subdomains BF

```bash
dnsenum --dnsserver <IP_DNS> --enum -p 0 -s 0 -o subdomains.txt -f subdomains-1000.txt <DOMAIN>
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan
```

Active Directory servers

```bash
#dig's -t option takes the record type; the SRV names are the query names
dig -t SRV _gc._tcp.lab.domain.com
dig -t SRV _ldap._tcp.lab.domain.com
dig -t SRV _kerberos._tcp.lab.domain.com
dig -t SRV _kpasswd._tcp.lab.domain.com
nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN>
nslookup -type=srv _kerberos._tcp.domain.com
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"
```

DNSSec

```bash
#Query paypal subdomains to ns3.isc-sns.info
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info
```

IPv6

Brute force using "AAAA" requests to gather IPv6 of the subdomains.

```bash
dnsdict6 -s -t <domain>
```

Brute force reverse DNS using IPv6 addresses:

```bash
dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 #Will use the dns pri.authdns.ripe.net
```

DNS Recursion DDoS

If DNS recursion is enabled, an attacker could spoof the source address of the UDP packet so that the DNS server sends its response to the victim server. An attacker could abuse the ANY or DNSSEC record types, as they tend to produce the biggest responses.
The way to check whether a DNS server supports recursion is to query a domain name and check whether the flag "ra" (recursion available) is set in the response:

```bash
dig google.com A @<IP>
```

Not available:

Available:
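The same "ra" check done programmatically, as an added example that is not part of the original page: it builds a wire-format DNS query, sends it over UDP and decodes the header flag word, so an open-recursion audit can run over many servers instead of reading dig output by eye. Because the builder takes a record class, it also produces the version.bind CHAOS TXT query used for banner grabbing above; the fixed 0x1234 transaction id and the default query name are assumptions of this example.

```python
import socket
import struct

# Constructed example: a minimal raw DNS client used to check the "ra"
# (recursion available) flag the way the dig check above does.
QTYPE = {"A": 1, "TXT": 16, "ANY": 255}
QCLASS = {"IN": 1, "CH": 3}  # CH (CHAOS) is the class used for version.bind


def build_query(name, qtype="A", qclass="IN", txid=0x1234, rd=True):
    """Return a wire-format DNS query (12-byte header + question section)."""
    flags = 0x0100 if rd else 0x0000  # RD bit: recursion desired
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE[qtype], QCLASS[qclass])


def parse_flags(response):
    """Decode the flag word of a DNS response header into a dict."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # response (not query)
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated, retry over TCP
        "rd": bool(flags & 0x0100),  # recursion desired (echoed back)
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,     # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def recursion_available(server, name="google.com", port=53, timeout=3.0):
    """Send one A query to server and report whether it advertises RA."""
    query = build_query(name, txid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    info = parse_flags(data)
    if info["id"] != 0x1234 or not info["qr"]:
        raise ValueError("unexpected reply (id/qr mismatch)")
    return info["ra"]
```

A server that answers with `ra` set for a client outside its own networks is an open resolver; on BIND that is what `allow-recursion` in named.conf restricts.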

Mail to nonexistent account

Sending an email to a non-existent address using the victim's domain could trigger the victim to send a non-delivery notification (NDN) message whose headers could contain interesting information such as the names of internal servers and IP addresses.

Post-Exploitation

  • When checking the configuration of a Bind server, check the param allow-transfer, as it indicates who can perform zone transfers, and allow-recursion and allow-query, as they indicate who can send recursive requests and queries to it.
  • The following are the names of DNS-related files that could be interesting to search for inside machines:

```
host.conf
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*
```

HackTricks Automatic Commands

```yaml
Protocol_Name: DNS    #Protocol Abbreviation if there is one.
Port_Number: 53       #Comma separated if there is more than one.
Protocol_Description: Domain Name Service    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for DNS
  Note: |
    #These are the commands I run every time I see an open DNS port

    dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name}
    dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name}
    dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name}
    dig axfr @{IP}
    dig axfr {Domain_Name} @{IP}
    nslookup
    SERVER {IP}
    127.0.0.1
    {IP}
    Domain_Name
    exit

    https://book.hacktricks.wiki/en/todo/pentesting-dns.html

Entry_2:
  Name: Banner Grab
  Description: Grab DNS Banner
  Command: dig version.bind CHAOS TXT @DNS

Entry_3:
  Name: Nmap Vuln Scan
  Description: Scan for Vulnerabilities with Nmap
  Command: nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP}

Entry_4:
  Name: Zone Transfer
  Description: Three attempts at forcing a zone transfer
  Command: dig axfr @{IP} && dig axfr @{IP} {Domain_Name} && fierce --dns-servers {IP} --domain {Domain_Name}

Entry_5:
  Name: Active Directory
  Description: Enumerate a DC via DNS
  Command: dig -t SRV _gc._tcp.{Domain_Name} && dig -t SRV _ldap._tcp.{Domain_Name} && dig -t SRV _kerberos._tcp.{Domain_Name} && dig -t SRV _kpasswd._tcp.{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}"

Entry_6:
  Name: consoleless msf enumeration
  Description: DNS enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit'
```
