Scribd Logo
Unggah

Selamat datang di Scribd!

  • DNS Reconnaissance: Carlos Perez

    Diunggah oleh

    YoYoSrt4
    3K tayangan44 halaman
    Reconocimiento de DNS en la red.

    Judul Asli

    DNS Enumeration

    Hak Cipta

    © Attribution Non-Commercial (BY-NC)

    Format Tersedia

    PDF, TXT atau baca online dari Scribd

    Apakah menurut Anda dokumen ini bermanfaat?

    Apakah konten ini tidak pantas?

    Laporkan Dokumen Ini
    Reconocimiento de DNS en la red.

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    3K tayangan44 halaman

    DNS Reconnaissance: Carlos Perez

    Diunggah oleh

    YoYoSrt4
    Reconocimiento de DNS en la red.

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    dari 44

    DNS Reconnaissance

    Carlos Perez

    Tuesday, November 20, 12

    About Me
    Director of Reverse Engineering for security vendor. Podcaster with PaulDotCom Contributor to Metasploit Blog: http://www.darkoperator.com/ Twitter: @Carlos_Perez

    Tuesday, November 20, 12

    Disclaimer
    The research and slides shown is my own and do not in any way are related or of knowledge of my current employer. All expressions and comments are my own.

    Tuesday, November 20, 12

    What is Recon
    It is a systematic and methodical approach for gathering information about a target. The information will provide a view in to the technologies and security posture of the target. The process must be one of little impact and draw as little attention to the task as possible.

    Tuesday, November 20, 12

    Why DNS
    The reliance of DNS in the enterprise has grown at the same rate as the complexity and distribution of the technologies has grown. VOIP Instant Messaging Email Management

    Tuesday, November 20, 12

    Why DNS
    Most organizations do not monitor DNS server trafc and logs. Those that do monitor generally only do do Zone Transfer attempts in their IPS/IDS Systems. Can provide information on security posture of the target.

    Tuesday, November 20, 12

    Caveats of DNS
    DNS is UDP so it is sensitive to the health of the connection path from the attacker to the target. DNS tends to have fake entries, stale entries, incorrect entries and entries to hosts that can not be reached. Location, location, location! what server we query will dictate what records we get.

    Tuesday, November 20, 12

    DNSRecon
    Included in BackTrack Linux 5, tested on OSX, Linux and Windows. Written in Python and tested on Python 2.6, 2.7 and 3.2 (Original was written in ruby 2 years ago) Can save results in XML, CSV or SQLite3. Includes Metasploit Plugin for importing XML and CSV results Includes Parser tool for XML and CSV results

    Tuesday, November 20, 12

    Goals
    Provide most of the known DNS enumeration techniques under one tool and that it. What techniques are executed and automation must be controlled by the user for best precision. Output must be easy to parse and easy to consume via command line or other tools.

    Tuesday, November 20, 12

    Types of Enumeration
    Standard Record Enumeration (Wildcard, DNSSEC, NS, SOA, MX, A, AAA, TXT, SPF and SRV) Zone Transfer Reverse Lookup Domain and Host Brute-force Cache Snooping Zone Walking (DNSSEC) Google Lookup

    Tuesday, November 20, 12

    Standard Enumeration
    What it does Checks for Wildcard Resolving Check if it responds to DNSSEC and type of proof of non-existence record used. Resolves SOA, NS, MX, A, AAAA, TXT and SPF. Enumerate known SRV Records Types

    Tuesday, November 20, 12

    Standard Enumeration
    Presence of DKIM (DomainKeys Identied Mail) and SPF (Sender Policy Framework) will reveal that email security technologies are in use. SPF will reveal what servers can send email. SRV (Service Records) Provide information on service, transport, port and order of importance for services and type of software can be deduced.

    Tuesday, November 20, 12

    Standard Enumeration
    Presence of records not having A, AAAA or CNAME records associated may show lack of maintenance or internal record names being leaked (no_ip).

    Tuesday, November 20, 12

    Standard Enumeration
    To run standard enumeration: ./dnsrecon.py -d <domain> ./dnsrecon.py -d <domain> -t std The -a option can be given to perform a AXFR against all NS records with port 53 TCP open The -s option can be given to perform a Reverse Lookup against all ranges in the SPF (Sender Policy Framework) record
    Tuesday, November 20, 12

    Standard Enumeration

    Tuesday, November 20, 12

    Zone Transfer
    It is still found in engagements to this day. Selects the Domain SOA and then queries for all of the NS records. Tests each NS record to see if port TCP 53 is open and if it is it tries a AXFR for the zone against the Name Server. Records returned are parsed and formatted. Made optional since it is easily picked up in Logs and IDS/IPS Systems

    Tuesday, November 20, 12

    Zone Transfer
    Even when a zone transfer is successful other NS servers should be queried for standard records compared to rule out: Name Server may be a test server. Name Server may contain stale data. Name Server may be a decoy.

    Tuesday, November 20, 12

    Zone Transfer
    To run AXFR enumeration: ./dnsrecon.py -d <domain> -a ./dnsrecon.py -d <domain> -t axfr More than one type can be specied ./dnsrecon.py -d <domain> -t std,axfr

    Tuesday, November 20, 12

    Reverse Lookup
    Performs a lookup for PTR (Pointer) Records against a given IPv4 or IPv6 range. Can be performed against all ranges in SPF Records. Can be performed against ranges found via Whois Queries against all A and PTR Records found.

    Tuesday, November 20, 12

    Reverse Lookup
    To run reverse lookup enumeration: ./dnsrecon.py -r <CDIR> ./dnsrecon.py -r <StartIP-EndIP> Expand SPF Record Ranges ./dnsrecon.py -d <domain> -s Perform Whois Queries against all IPs found ./dnsrecon.py -d <domain> -w

    Tuesday, November 20, 12

    Reverse Lookup

    Tuesday, November 20, 12

    Domain Brute-force
    Append to the domain each entry given in a dictionary and tries to resolve A, AAA and CNAME Record Will perform a test to see if Wildcard resolution is enabled for the domain. To run Domain Name Brute-force:
    ./dnsrecon.py -d <domain> -D <NameList> -t brt

    Tuesday, November 20, 12

    Domain Brute-force

    Tuesday, November 20, 12

    Cache Snooping
    Given a list of domain names it will check a specic Name Server for the presence of the record in its cache. Great for determining relations and outside services used that can be leveraged in Phishing attempts To perform the Cache Enumeration ./dnsrecon.py -t snoop -n Sever -D <Dict>

    Tuesday, November 20, 12

    Cache Snooping

    Tuesday, November 20, 12

    NSEC Zone Walk


    Abuses the the proof of non-existence NSEC records in the original DNSSEC standard to enumerate an entire zone. Slow but more accurate results. May reveal internal records if zone is improperly congured. It is a Feature/Capability so it is hard to detect.

    Tuesday, November 20, 12

    NSEC
    Points to the next valid name in the zone le and is used to provide proof of non-existence of a name in the Zone

    Tuesday, November 20, 12

    NSEC3
    Replaced NSEC, points to the hashed value of next valid name in the zone le and is used to provide proof of non-existence of a name in the Zone

    Tuesday, November 20, 12

    Zone Walk

    Tuesday, November 20, 12

    SRV RR Leakage

    Tuesday, November 20, 12

    SRV RR Leakage

    Tuesday, November 20, 12

    SRV RR Leakage

    Tuesday, November 20, 12

    RR Leakage

    Tuesday, November 20, 12

    PTR RR Leakage

    Tuesday, November 20, 12

    A RR Leakage

    Tuesday, November 20, 12

    Parsing Data
    Usage: parser.py <options> Options: -h, --help Show this help message and exit -f, --le <le> DNSRecon XML or CSV output le to parse. -l, --list Output an unique IP List that can be used with other tools. -i, --ips <ranges> IP Ranges in a comma separated list each in formats (rst-last) or in (range/bitmask) for ranges to be included from output. For A, AAAA, NS, MX, SOA, SRV and PTR Records. -t, --type <type> Resource Record Types as a regular expression to lter output. For A, AAAA, NS, MX, SOA, TXT, SPF, SRV and PTR Records. -s, --str <regex> Regular expression between quotes for ltering host names on. For A, AAAA, NS, MX, SOA, SRV and PTR Records. -n, --name Return list of unique host names. For A, AAAA, NS, MX, SOA, SRV and PTR Records.

    Tuesday, November 20, 12

    Parsing Data

    Tuesday, November 20, 12

    Parsing Data

    Tuesday, November 20, 12

    Importing Data in to Metasploit


    A Metasploit Plugin for importing CSV and XML results is included with the tool. The le dnsr_import.rb just needs to be copied to the ~/.msf4/plugins folder to have it available to msfconsole. The load command is used to load the plugin
    msf > load dnsr_import [*] dnsr_import plugin loaded. [*] Successfully loaded plugin: dnsr_import msf >

    Tuesday, November 20, 12

    Importing Data in to Metasploit


    Commands Available
    DNSR_Import Commands ==================== Command ------import_dnsrecon_csv import_dnsrecon_xml Description ----------Import DNSRecon CSV output le. Import DNSRecon XML output le.

    Tuesday, November 20, 12

    Importing Data in to Metasploit


    Commands Available
    DNSR_Import Commands ==================== Command ------import_dnsrecon_csv import_dnsrecon_xml Description ----------Import DNSRecon CSV output le. Import DNSRecon XML output le.

    Each command takes the -f option for loading the le generated by DNS Recon

    Tuesday, November 20, 12

    Importing Data in to Metasploit

    Tuesday, November 20, 12

    Importing Data in to Metasploit

    Tuesday, November 20, 12

    Questions?

    Tuesday, November 20, 12

    Anda mungkin juga menyukai