Sunday, October 15, 2017

Information Gathering: DNS Enumeration and Zone Transfer with Nslookup, Host, Dnsrecon, Dnsenum, Fierce, NSE and whois


- Layout for this exercise:

1 - Introduction

- DNS servers are some of the best sources for gathering information about a domain or an organization.

- DNS servers contain DNS and mail information for the domain with authority over what is provided when public requests are made from the Internet.

- Because of the abundant and interesting information held by DNS servers, DNS enumeration is one of the most critical steps while gathering information about a target.

- DNS Zone Transfer, also known by the name of the DNS query type that initiates it, AXFR, is a type of DNS transaction.

DNS Zone Transfer is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.

A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction. 

- The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server. 

- The portion of the database containing the list of all DNS names is the zone file.

- The data contained in a DNS zone may be sensitive from an operational security aspect. 

- This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.
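The operational concern above is easiest to act on by watching for AXFR requests that reach your own name servers from hosts other than your secondaries. The following is an added example, not code from the original post: it parses the question section of raw DNS query messages and flags zone-transfer requests from unlisted sources. The addresses, zone name and allow-list are constructed for the example.

```python
"""Flag AXFR (zone transfer) requests in captured DNS queries.
Added example, not from the original post: it parses the question section of
raw DNS query messages (TCP payload without the 2-byte length prefix) and
reports AXFR requests from sources that are not authorised secondaries."""
import struct

QTYPE_AXFR = 252  # the query type that initiates a zone transfer

def parse_question(msg: bytes):
    """Return (qname, qtype) for the first question in a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected label pointer")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; used here only to construct sample traffic."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def unauthorised_axfr(captured, allowed_sources):
    """captured: [(source_ip, dns_message)]; returns [(source_ip, zone)] worth alerting on."""
    hits = []
    for src, msg in captured:
        name, qtype = parse_question(msg)
        if qtype == QTYPE_AXFR and src not in allowed_sources:
            hits.append((src, name))
    return hits

# Constructed traffic: a normal lookup, an AXFR from the secondary, an AXFR from elsewhere.
SAMPLE = [
    ("192.0.2.10", build_query("www.example.com", 1)),
    ("192.0.2.53", build_query("example.com", QTYPE_AXFR)),
    ("198.51.100.7", build_query("example.com", QTYPE_AXFR)),
]
SECONDARIES = {"192.0.2.53"}  # the only host allowed to pull the zone
```

On a real name server the same check is enforced, not just detected, by restricting zone transfers to the secondaries in the server's configuration.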

2 - nslookup

- nslookup is a popular tool that queries the name and mail servers on the Internet for a given domain:

- Applying the NS query option for name servers:

- Applying the MX query option for mail servers:

- Applying the ANY query option for both name and mail servers:

3 - host 

- host is a Linux command that performs powerful DNS lookups given a domain name:

- Without any other parameter host provides help:

- Looking for name servers (-t type ns):

- Looking for email servers (-t type mx):

- Looking for web servers (-t type www):

4 - DNS Zone Transfer with host

- Now, let's use host for a slightly more complicated task: a DNS zone transfer.

- First, let's try with the previously enumerated ns1 name server. The zone transfer fails:

- However, the zone transfer with ns2 is successful:

- Finally the zone transfer with ns3 also fails:

- The result of the successful DNS zone transfer with ns2 is a full dump of the zone file for the whole domain, giving us a list of IPs and their corresponding DNS names.

- Let's try entering some of the IPs obtained from the DNS zone transfer into a browser:

5 - dnsrecon

- dnsrecon is an automated tool, a Python script, that can be used for DNS enumeration.

- Let's check that the information provided by dnsrecon matches what we obtained before.

- First, dnsrecon detects the DNS servers ns1, ns2 and ns3:

- Then, dnsrecon successfully performs a DNS zone transfer against ns2:

- dnsrecon also attempts DNS zone transfers against ns1 and ns3, without success:

6 - dnsenum

- dnsenum is a multithreaded Perl script to enumerate DNS information of a domain.

- The output obtained with dnsenum is the same as before:

7 - fierce

- fierce is a Perl-based script for DNS enumeration. The results obtained with fierce are very similar to the previous ones:

8 - Nmap Scripting Engine (NSE)

- The Nmap Scripting Engine (NSE) is an extension of Nmap that provides users with scripts to automate several tasks:

- The NSE dns-zone-transfer script provides the same output as before:

- A more limited result is achieved with the NSE dns-brute script, because it only tests a list of common subdomain names:

9 - whois 

- whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.

- Looking up the domain:

SMB enumeration with NSE, nbtscan and enum4linux


- Layout for this exercise:

1 - Introduction

- Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. 

- SMB also provides an authenticated inter-process communication mechanism. 

- Most usage of SMB involves computers running Microsoft Windows.

- SMB can run on top of the session and lower network layers in two ways:

i) directly over TCP port 445
ii) via the NetBIOS API on ports 137 and 139 (UDP 137 for the name service, TCP 139 for the session service).

- SMB works through a client-server approach, where a client makes specific requests and the server responds accordingly. 

- One section of the SMB protocol specifically deals with access to filesystems, such that clients may make requests to a file server; but some other sections of the SMB protocol specialize in inter-process communication (IPC). 

- The Inter-Process Communication (IPC) share, or ipc$, is a network share on computers running Microsoft Windows. 

- This virtual share is used to facilitate communication between processes and computers over SMB, often to exchange data between computers that have been authenticated.

- NetBIOS is commonly known as the Windows "Network Neighborhood" protocol, and it provides a nameservice that listens on TCP port 139 and UDP port 137. 

- When it receives a status query on that port, NetBIOS responds with a list of all names and services it offers.

- Port 139 was more common on older machines, with NetBIOS carrying the SMB protocol for file sharing, printers, etc.

- Nowadays we are more likely to see microsoft-ds running on port 445 alongside port 139 and the netbios-ssn service.

2 - Scanning the subnet for open SMB ports and the NetBIOS service

- As said before, SMB runs on TCP ports 139 and 445.

- Discovering hosts of the subnet where SMB is running can be performed with Nmap:

- nbtscan is a program for scanning IP networks for NetBIOS name information.

- nbtscan sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form.

- For each host that responds, nbtscan lists the IP address, NetBIOS computer name, logged-in user name and MAC address (for Ethernet and similar interfaces):
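The per-host line nbtscan prints comes from decoding the NetBIOS node status reply received on UDP port 137. The following is an added example, not code from the original post or from nbtscan itself: it parses a NODE STATUS RESPONSE (RFC 1002) and recovers the computer name, logged-in user and MAC address; the host name, workgroup, user and MAC in the sample reply are constructed, and the "logged-in user" rule (a unique <03> name that differs from the computer name) follows the usual NetBIOS naming convention.

```python
"""Decode a NetBIOS node status (NBSTAT) response, the UDP/137 reply nbtscan reads.
Added example, not from the original post or from nbtscan: it parses the
RFC 1002 NODE STATUS RESPONSE and extracts what nbtscan prints per host.
The response bytes are constructed below for the example."""
import struct

ACT, GROUP = 0x0400, 0x8000  # NAME_FLAGS bits: name is active / name is a group name

def parse_node_status(msg: bytes):
    """Return (names, mac); names are (name, suffix, is_group) tuples from the name table."""
    if struct.unpack("!H", msg[6:8])[0] < 1:  # ANCOUNT
        raise ValueError("no answer record")
    pos = 14 + msg[12]  # skip the 12-byte header and RR_NAME: length byte, encoded name, terminator
    rr_type, _cls, _ttl, _rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    if rr_type != 0x0021:
        raise ValueError("not an NBSTAT record")
    pos += 10
    num_names, pos = msg[pos], pos + 1
    names = []
    for _ in range(num_names):  # each entry: 15-char padded name, 1 suffix byte, 2 flag bytes
        raw, flags = msg[pos:pos + 15], struct.unpack("!H", msg[pos + 16:pos + 18])[0]
        names.append((raw.decode("ascii").rstrip(), msg[pos + 15], bool(flags & GROUP)))
        pos += 18
    mac = ":".join(f"{b:02x}" for b in msg[pos:pos + 6])  # UNIT_ID opens the statistics block
    return names, mac

def summarise(names, mac):
    """Same fields nbtscan prints: computer name, logged-in user (unique <03> name), MAC."""
    computer = next((n for n, suf, grp in names if suf == 0x00 and not grp), None)
    user = next((n for n, suf, grp in names if suf == 0x03 and not grp and n != computer), None)
    return {"computer": computer, "user": user, "mac": mac}

def build_sample_response() -> bytes:
    """Constructed reply from a host FILESRV01 in WORKGROUP with user ALICE logged in."""
    def entry(name, suffix, flags=ACT):
        return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack("!H", flags)
    table = (entry("FILESRV01", 0x00) + entry("WORKGROUP", 0x00, ACT | GROUP)
             + entry("FILESRV01", 0x20) + entry("FILESRV01", 0x03) + entry("ALICE", 0x03))
    rdata = bytes([5]) + table + bytes.fromhex("001122aabbcc") + bytes(40)  # MAC + zeroed stats
    rr_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"  # first-level encoded wildcard name "*"
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)  # response, one answer
    return header + rr_name + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata

if __name__ == "__main__":
    print(summarise(*parse_node_status(build_sample_response())))
```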

3 - NSE (Nmap Scripting Engine) for SMB enumeration

- There are a number of NSE (Nmap Scripting Engine) scripts that can be used for SMB enumeration purposes:

- Let's try some of them.

- smb-os-discovery tries to connect to the SMB service of a target in order to discover its operating system version:

- The smb-vuln scripts try to discover specific vulnerabilities on the target. For instance, the script smb-vuln-ms08-067 checks for the CVE-2008-4250 vulnerability reported here:

- smb-enum-users enumerates users at the target:

4 - enum4linux

- enum4linux is a wrapper written in Perl around tools like smbclient, rpcclient, net and nmblookup.

- The purpose of enum4linux is to enumerate information from Windows and Samba systems. 

- Let's run enum4linux over a Windows system: