Now we begin to query the DNS. DNS is a distributed database used to map IP addresses to hostnames, and vice versa. If DNS isconfigured insecurely, it is possible to obtain revealing information about the organization.
One of the most serious misconfigurations a system administrator can make is
allowing untrusted Internet users to perform a DNS zone transfer. While this technique
has become almost obsolete, we include it here for three reasons:
1. This vulnerability allows for signifi cant information gathering on a target.
2. It is often the springboard to attacks that would not be present without it.
3. Believe it or not, you can fi nd many DNS servers still allowing this feature.
A zone transfer allows a secondary master server to update its zone database from the
primary master. This provides for redundancy when running DNS, should the primary
name server become unavailable. Generally, a DNS zone transfer needs to be performed
only by secondary master DNS servers. Many DNS servers, however, are misconfigured
and provide a copy of the zone to anyone who asks. This isn’t necessarily bad if the only
information provided is related to systems that are connected to the Internet and have
valid hostnames, although it makes it that much easier for attackers to find potential
targets. The real problem occurs when an organization does not use a public/private
DNS mechanism to segregate its external DNS information (which is public) from its
internal, private DNS information. In this case, internal hostnames and IP addresses are
disclosed to the attacker. Providing internal IP address information to an untrusted user
over the Internet is akin to providing a complete blueprint, or roadmap, of an organization’s
internal network.
Let’s take a look at several methods we can use to perform zone transfers and the
types of information that can be gleaned. Although many different tools are available to
perform zone transfers, we are going to limit the discussion to several common types.
A simple way to perform a zone transfer is to use the nslookup client that is usually
provided with most UNIX and Windows implementations. We can use nslookup in
interactive mode, as follows:
[bash]$ nslookup
Default Server: ns1.example.com
Address: 10.10.20.2
> 192.168.1.1
Server: ns1.example.com
Address: 10.10.20.2
Name: gate.example.com
Address: 192.168.1.1
> set type=any
> ls -d example.com. >\> /tmp/zone_out
We first run nslookup in interactive mode. Once started, it will tell us the default
name server that it is using, which is normally the organization’s DNS server or a DNS
server provided by an ISP. However, our DNS server (10.10.20.2) is not authoritative for
our target domain, so it will not have all the DNS records we are looking for. Therefore,
we need to manually tell nslookup which DNS server to query. In our example, we want
to use the primary DNS server for example.com (192.168.1.1).
Next we set the record type to “any.” This will allow us to pull any DNS records
available (man nslookup) for a complete list.
Finally, we use the ls option to list all the associated records for the domain. The –d
switch is used to list all records for the domain. We append a period (.) to the end to
signify the fully qualified domain name—however, you can leave this off most times. In
addition, we redirect our output to the file /tmp/zone_out so that we can manipulate
the output later.
After completing the zone transfer, we can view the file to see whether there is any
interesting information that will allow us to target specific systems. Let’s review simulated
output for example.com:
bash]$ more zone_out
acct18 ID IN A 192.168.230.3
ID IN HINFO “Gateway2000” “WinWKGRPS”
ID IN MX 0 exampleadmin-smtp
ID IN RP bsmith.rci bsmith.who
ID IN TXT “Location:Telephone Room”
ce ID IN CNAME aesop
au ID IN A 192.168.230.4
ID IN HINFO “Aspect” “MS-DOS”
ID IN MX 0 andromeda
ID IN RP jcoy.erebus jcoy.who
ID IN TXT “Location: Library”
acct21 ID IN A 192.168.230.5
ID IN HINFO “Gateway2000” “WinWKGRPS”
ID IN MX 0 exampleadmin-smtp
ID IN RP bsmith.rci bsmith.who
ID IN TXT “Location:Accounting”
We won’t go through each record in detail, but we will point out several important
types. We see that for each entry we have an “A” record that denotes the IP address of
the system name located to the right. In addition, each host has an HINFO record that
identifies the platform or type of operating system running (see RFC 952). HINFO records
are not needed, but they provide a wealth of information to attackers. Because we saved
the results of the zone transfer to an output file, we can easily manipulate the results
with UNIX programs such as grep, sed, awk, or perl.
Suppose we are experts in SunOS/Solaris. We could programmatically find out the
IP addresses that have an HINFO record associated with Sparc, SunOS, or Solaris:
[bash]$ grep -i solaris zone_out |wc –l
388
We can see that we have 388 potential records that reference the word “Solaris.”
Obviously, we have plenty of targets.
Suppose we wanted to find test systems, which happen to be a favorite choice for
attackers. Why? Simple: they normally don’t have many security features enabled, often
have easily guessed passwords, and administrators tend not to notice or care who logs
in to them. They’re a perfect home for any interloper. Thus, we can search for test systems
as follows:
[bash]$ grep –I tes t /tmp/zone_out |wc –l
96
So we have approximately 96 entries in the zone file that contain the word “test.”
This should equate to a fair number of actual test systems. These are just a few simple
examples. Most intruders will slice and dice this data to zero in on specific system types
with known vulnerabilities.
Keep a few points in mind. First, the aforementioned method queries only one
nameserver at a time. This means you would have to perform the same tasks for all
nameservers that are authoritative for the target domain. In addition, we queried only
the example.com domain. If there were subdomains, we would have to perform the same
type of query for each subdomain (for example, greenhouse.example.com). Finally, you
may receive a message stating that you can’t list the domain or that the query was
refused. This usually indicates that the server has been configured to disallow zone
transfers from unauthorized users. Therefore, you will not be able to perform a zone
transfer from this server. However, if there are multiple DNS servers, you may be able to
find one that will allow zone transfers.
Now that we have shown you the manual method, there are plenty of tools that
speed the process, including host, Sam Spade, axfr, and dig.
The host command comes with many flavors of UNIX. Some simple ways of using
host are as follows:
host -l example.com
and
host -l -v -t any example.com
If you need just the IP addresses to feed into a shell script, you can just cut out the IP
addresses from the host command:
host -l example.com |cut - f 4 -d"" "" >\> /tmp/ip_out
Not all footprinting functions must be performed through UNIX commands. A
number of Windows products, such as Sam Spade, provide the same information.
The UNIX dig command is a favorite with DNS administrators and is often used to
troubleshoot DNS architectures. It too can perform the various DNS interrogations
mentioned in this section. It has too many command-line options to list here; the man
page explains its features in detail.
Finally, you can use one of the best tools for performing zone transfers: axfr (http://
packetstormsecurity.nl/groups/ADM/axfr-0.5.2.tar.gz) by Gaius. This utility will
recursively transfer zone information and create a compressed database of zone and host
files for each domain queried. In addition, you can even pass top-level domains such as
.com and .edu to get all the domains associated with .com and .edu, respectively.
However, this is not recommended due to the vast number of domains within each of
these TLDs.
To run axfr, you would type the following:
[bash]$ axfr example.com
axfr: Using default directory: /root/axfrdb
Found 2 name servers for domain ''example.com.'':
Text deleted.
Received XXX answers (XXX records).
To query the axfr database for the information just obtained, you would type the
following:
[bash]$ axfrcat example.com
কোন মন্তব্য নেই:
একটি মন্তব্য পোস্ট করুন