PRIMARY CATEGORY → PROTOCOLS AND SERVICES

Theory

DNS → Domain Name System


Enumeration

Nameserver Query

Query for All Available Nameservers

Dig
dig ns <DOMAIN> @<TARGET> +short

Query for DNS Server Version

Dig
dig CHAOS TXT version.bind @<TARGET> +short # Or CH
Nmap
nmap -p<DNS_PORT> --script dns-nsid -vvv -Pn <TARGET>
ANY Query

Query for All Available DNS Records

dig ANY <DOMAIN> @<TARGET>
Query for Specific DNS Records
A - AAAA
dig A <DOMAIN> @<TARGET>
dig AAAA <DOMAIN> @<TARGET>
MX
dig MX <DOMAIN> @<TARGET>
TXT
dig TXT <DOMAIN> @<TARGET>
CNAME
dig CNAME <DOMAIN> @<TARGET>

DNS Zone Transfer

Asynchronous Full Transfer Zone (AXFR)
Dig
  • Only the DNS records' values from the DNS answer
dig AXFR @<TARGET> +short
dig AXFR @<TARGET> <DOMAIN> +short
  • Full DNS answer
dig AXFR @<TARGET> +noall +answer
dig AXFR @<TARGET> <DOMAIN> +noall +answer
Fierce
fierce --domain <DOMAIN>

Subdomains Enumeration

Tools
  • DNSEnum
  • Fierce
  • DNSRecon
  • Amass
  • AssetFinder
  • PureDNS
Passive
Amass
  • Passive Mode
amass enum -passive -d <DOMAIN>
Subfinder
subfinder -v -d <DOMAIN>
Sublist3r
python sublist3r.py --domain <DOMAIN>
Active - Subdomain Brute-Force
Dig
while IFS= read -r _subdomain ; do printf "%s.<DOMAIN> -> %s\n" "$_subdomain" "$( dig "$_subdomain".<DOMAIN> @<RESOLVER> +short)" ; done < <WORDLIST>
Gobuster
gobuster dns --resolver <RESOLVER> --domain <DOMAIN> --wordlist <WORDLIST>
Amass
  • Active Mode
amass enum -active -brute -w <WORDLIST> -d <DOMAIN> -o <OUTPUT_FILE>
DNSEnum
dnsenum --enum <DOMAIN> -f <WORDLIST> -r
Sublist3r
  • Subbrute module enabled
python sublist3r.py --domain <DOMAIN> --bruteforce

[sub]Domain Takeover

Resources

Can-I-take-over-XYZ


DNS Spoofing

Local DNS Spoofing

This can be carried out if an attacker manages to compromise the victim's primary DNS server (usually the DC in Active Directory environments), or sets up a rogue DNS server on the network that becomes the victim's primary DNS server.

The latter can be achieved through DHCPv6 spoofing, where an attacker uses tools such as mitm6 to send IPv6 RA (Router Advertisement) messages to the network hosts and waits for clients to respond with a DHCPv6 SOLICIT message.

The client ends up with an IPv6 configuration in which the primary DNS server is the attacker's rogue DNS server.

Therefore, any name resolution (NR) via DNS from the victim is sent to the attacker.



Remote Dynamic DNS Updates

Workflow

Let's suppose that we are able to disclose the content of any file on the system through a security flaw discovered in a web application hosted on the target, e.g. an LFI.

We have seen previously that port 53 (DNS) is open on the victim and that it is a Linux system, so it is probably a BIND9 DNS server.

So, we list the content of /etc/bind/named.conf and see that there is an RNDC key, a symmetric key used to manage a DNS server remotely.

Using this key, we can add, delete or modify any record of a defined DNS zone for which the RNDC key in question is allowed.

So first, we must check whether there is any allow-update directive within the DNS zone definition that allows the given key.

To do so, we have to list the content of the following resource

Based on the content above, we know that an operator can use the key to perform certain operations within the domain.tld zone remotely

Requirements
  • Knowledge of the RNDC-Key
  • Port 53 open and accessible (TCP and UDP)
  • The RNDC-Key in question is allowed on the given DNS zone (i.e. allow-update)
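The allow-update check described above, done offline against a copy of the configuration, as an added example that is not the page's own code: this Python audits a constructed named.conf fragment (sample zone names and a placeholder secret, not values from the page or any real host) and reports which zones a TSIG key may update and which zones allow AXFR to anyone. It assumes a single file with line comments only (no `include` statements or `/* */` blocks); the helper names are the author's own.

```python
import re
ACL_RE = re.compile(r"(allow-update|allow-transfer)\s*\{([^}]*)\}")
# Constructed named.conf fragment (sample zone names, placeholder secret; not from any real host).
SAMPLE_NAMED_CONF = """
key "rndc-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET=";
};
zone "domain.tld" IN {
    allow-update { key "rndc-key"; };   // TSIG-authenticated dynamic updates
    allow-transfer { any; };            // AXFR open to the world
};
zone "internal.tld" IN {
    allow-update { none; };
    allow-transfer { 10.0.0.2; };
};
"""

def top_level_blocks(conf):
    """Yield (header, body) per top-level `header { body };`, tracking brace depth."""
    depth, start, header_start = 0, 0, 0
    for i, ch in enumerate(conf):
        if ch == "{" and depth == 0:
            header, start = conf[header_start:i].strip(" ;\n\t"), i + 1
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == "}" and depth == 0:
            yield header, conf[start:i]
            header_start = i + 1

def zone_acls(conf):
    """Map each zone name to its allow-update / allow-transfer entry lists."""
    conf = re.sub(r"(//|#)[^\n]*", "", conf)  # strip line comments
    zones = {}
    for header, body in top_level_blocks(conf):
        m = re.match(r'zone\s+"([^"]+)"', header)
        if m:  # skip key, options, logging ... statements
            zones[m.group(1)] = {n: [e.strip().replace('"', "") for e in v.split(";") if e.strip()]
                                 for n, v in ACL_RE.findall(body)}
    return zones

def audit(conf):
    """Return (zone, issue, detail) for key-authorised updates and world-readable AXFR."""
    findings = []
    for zone, acls in zone_acls(conf).items():
        for entry in acls.get("allow-update", []):
            if entry.startswith("key "):
                findings.append((zone, "update-by-key", entry.split()[1]))
        if "any" in acls.get("allow-transfer", []):
            findings.append((zone, "open-axfr", "any"))
    return findings
```

Run `audit(open("/path/to/named.conf").read())` on a copy of the server's configuration; any `update-by-key` finding tells you which key must be protected, and any `open-axfr` finding is a zone to lock down with `allow-transfer`.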

Abuse
Creating the RNDC-Key File locally
key "rndc-key" {
    algorithm hmac-sha256;
    secret "BEqUtce80hu3TOEGJJaMlS9WT2pkdeCtzBeDykQQA=";
};
Adding an arbitrary DNS Record

NSUpdate

nsupdate -k <RNDC_KEY_FILE>
> server <DNS_SERVER_IP>
> zone <DOMAIN>.
> update add <RECORD_NAME>.<DOMAIN>. <TTL> <RECORD_TYPE> <RECORD_DATA>
> send
Reference

Snoopy HTB Machine

Look for walkthroughs


Resources

Most Popular Types of DNS Attacks