Exploit Notes

DNS (Domain Name Systems) Pentesting

Last modified: 2023-02-01


DNS is often called the phonebook of the internet. The default port is 53.

Enumeration

You can use Nmap to enumerate automatically.

nmap --script dns-nsec-enum --script-args dns-nsec-enum.domains=vulnerable.com -p 53 <target-ip>
nmap --script dns-random-srcport -p 53 <target-ip>
nmap --script dns-recursion -p 53 <target-ip>
nmap --script dns-service-discovery -p 53 <target-ip>
nmap --script dns-* -p 53 <target-ip>

nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <target-ip>

Investigation

DNSdumpster is an online tool for reconnaissance of DNS records.

IP Address from the Domain

host example.com

DNS Records

Dig is a command-line tool for querying the Domain Name System.

# ANY record
dig any example.com @<target-ip>
dig any @<target-ip> example.com
dig example.com any +nocmd +noall +answer

# NS (nameserver) record
dig ns example.com

# TXT record
dig txt example.com


# Specify a public DNS server
# Cloudflare
dig example.com @1.1.1.1
# Google
dig example.com @8.8.8.8
# Quad9
dig example.com @9.9.9.9

Zone Transfer

The zone transfer is the process of copying the zone file on a primary DNS server to a secondary DNS server.

# axfr: Check if the Full Zone Transfer (AXFR) is available
dig axfr @<nameserver>
dig axfr example.com @<nameserver>
dig axfr example.com @example.com
dig axfr <zone-name> @<nameserver>

BIND

BIND is the most commonly used DNS server.

# BIND version
dig @<nameserver> chaos txt version.bind
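Added example (not part of the original notes): what the dig commands in the DNS Records and BIND sections actually put on the wire. It builds a DNS query message (a TXT query for example.com and the CHAOS-class version.bind query), parses a response including the RFC 1035 name-compression pointer that real servers use, and decodes A and TXT rdata. The response it parses is constructed by hand here, not captured from any server, so the whole thing runs offline.

```python
import struct

# Added example (not from the original notes). It builds the same wire-format
# query that `dig example.com txt` or `dig chaos txt version.bind` sends and
# parses a response. The response below is constructed by hand, not captured.

TYPE_A, TYPE_NS, TYPE_TXT = 1, 2, 16
CLASS_IN, CLASS_CH = 1, 3


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid, qclass=CLASS_IN, rd=True):
    """Header (12 bytes) + one question, as a stub resolver would send it."""
    flags = 0x0100 if rd else 0x0000          # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(msg, off):
    """Read a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just after the name at its original position)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Parse header, question and answer sections; A and TXT rdata are decoded."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_TXT:               # one or more <len><chars> strings
            strings, i = [], 0
            while i < rdlen:
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            value = "".join(strings)
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "value": value})
    return {"txid": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "questions": questions, "answers": answers}


def build_response(query, rtype, ttl, rdata, rclass=CLASS_IN):
    """Constructed reply to a one-question query: echoes the question and adds
    one answer whose owner name is a pointer (0xC00C) back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return header + query[12:] + rr


# Constructed samples: a TXT query for example.com, a CHAOS query for
# version.bind, and a reply carrying the TXT string "v=spf1 -all".
TXT_QUERY = build_query("example.com", TYPE_TXT, txid=0x1234)
VERSION_QUERY = build_query("version.bind", TYPE_TXT, txid=0x0001, qclass=CLASS_CH)
TXT_REPLY = build_response(TXT_QUERY, TYPE_TXT, 300, b"\x0bv=spf1 -all")

if __name__ == "__main__":
    print(TXT_QUERY.hex())
    print(parse_response(TXT_REPLY))
```

The 16-bit transaction ID in the header and the compression pointer are the parts worth knowing when reading packet captures of DNS traffic: the ID is what ties a reply to a query, and a malformed pointer is a classic parser-crash input, which is why decode_name bounds the number of hops.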

Reverse Lookup

Resolves a domain name from a given IP address.

dig -x <ip>
dig -x 8.8.8.8

Resolve Domains and IP Addresses in /etc/hosts

Edit /etc/hosts file as root to add custom domains.

127.0.0.1  localhost

# Add the custom domain
10.0.0.2  vulnerable.com sub.vulnerable.com
10.0.0.3  vulnerable2.com

If you want to force the system to reflect the changes, restart hostnamed.

sudo systemctl restart systemd-hostnamed

Resolve Nameservers in /etc/resolv.conf

Edit /etc/resolv.conf file as root to add custom nameservers.

# Google nameservers
nameserver 8.8.8.8
nameserver 8.8.4.4

# Google nameservers (IPv6)
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

If you want to force the system to reflect the changes, restart resolved.

sudo systemctl restart systemd-resolved.service

DNS Spoofing

Also known as DNS cache poisoning. Corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.
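Added example (not from the original notes): the nmap scripts listed under Enumeration, dns-random-txid and dns-random-srcport, test the two values an off-path attacker would have to guess to get a forged reply accepted into a resolver's cache. The script below applies the same reasoning to a sample of a resolver's outgoing queries, as a defender auditing their own resolver would: it reports a constant or counting transaction ID or source port and low entropy across the sample. The sample lists are constructed here, not captured traffic.

```python
import math
import random
from collections import Counter

# Added example (not from the original notes). Checks whether a resolver's
# outgoing queries randomize transaction ID and source port, the two values an
# off-path attacker would have to guess to poison its cache. Samples below are
# constructed, not captured.

ID_SPACE = 65536          # 16-bit txid; ports are also at most 16 bits


def shannon_entropy(values):
    """Entropy in bits of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values, modulus=ID_SPACE):
    """True when every successive difference is the same nonzero step (a counter)."""
    if len(values) < 3:
        return False
    steps = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 not in steps


def assess(values, label):
    """Return distinct count, entropy and a list of findings for one field."""
    n, distinct, findings = len(values), len(set(values)), []
    ent = shannon_entropy(values) if n else 0.0
    if distinct == 1:
        findings.append(f"{label}: constant value {values[0]}")
    elif is_sequential(values):
        findings.append(f"{label}: sequential counter (step {(values[1] - values[0]) % ID_SPACE})")
    # n samples can show at most log2(n) bits; well below that means little randomness
    if n > 1 and ent < 0.5 * math.log2(n):
        findings.append(f"{label}: low entropy {ent:.2f} bits over {n} samples")
    return {"distinct": distinct, "entropy_bits": round(ent, 2), "findings": findings}


def audit_resolver(samples):
    """samples: list of (source_port, txid) pairs taken from outgoing queries."""
    ports = assess([p for p, _ in samples], "source port")
    txids = assess([t for _, t in samples], "txid")
    return {"source_port": ports, "txid": txids,
            "findings": ports["findings"] + txids["findings"]}


# Constructed: a resolver that always sends from port 53 and counts txids up by one.
WEAK_SAMPLES = [(53, (0x1000 + i) & 0xFFFF) for i in range(64)]
# Constructed: a resolver that draws both values from a PRNG (seeded for repeatability).
_rng = random.Random(7)
GOOD_SAMPLES = [(_rng.randrange(1024, ID_SPACE), _rng.getrandbits(16)) for _ in range(64)]

if __name__ == "__main__":
    for name, s in (("weak", WEAK_SAMPLES), ("good", GOOD_SAMPLES)):
        print(name, audit_resolver(s)["findings"])
```

With a fixed port and a counting ID the attacker's search space is 2^16; with both randomized it is closer to 2^32 per query, which is why source-port randomization was the fix rolled out to resolvers after the 2008 Kaminsky disclosure. Collect the samples from a capture of the resolver's own outbound port 53 traffic and feed them in as (source_port, txid) pairs.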


Flush the DNS Cache

Clear IP addresses or DNS records from caches.

sudo resolvectl flush-caches
# or
sudo systemd-resolve --flush-cache

Check that the DNS caches were actually flushed

sudo resolvectl statistics
# or
sudo systemd-resolve --statistics

DNS Exfiltration

[Figure: dns-exfil-infil]


DNS Infiltration

Coming soon...


DNS Tunneling

Iodine
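Added example (not from the original notes) for the DNS Exfiltration and DNS Tunneling sections: tools such as Iodine move data by encoding it into many unique, long, high-entropy subdomain labels under a domain whose nameserver the operator controls, so the detection side looks for exactly that pattern in resolver logs. The script parses a hypothetical log format (constructed here, not the output of any real resolver), groups queries by client and registrable domain, and flags groups whose subdomains are almost all unique and either long or high-entropy. Taking the last two labels as the registrable domain and the thresholds used are simplifying assumptions; a production detector would use the public suffix list and tune thresholds on its own baseline.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Added example (not from the original notes). Log format is hypothetical and
# constructed: "<ts> client=<ip> qname=<name> qtype=<type>".
LOG_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)")


def entropy(s):
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """'a.b.example.com.' -> ('a.b', 'example.com').
    Assumption: the registrable domain is the last two labels (a simplification;
    real deployments use the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(lines, min_queries=10, max_len=30, max_entropy=3.0, min_unique_ratio=0.8):
    """Return one alert per (client, zone) whose queries look like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "lengths": [], "entropies": [], "qtypes": Counter()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                                  # skip lines we cannot parse
        sub, zone = split_name(m["qname"])
        s = stats[(m["client"], zone)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["lengths"].append(len(sub))
        s["entropies"].append(entropy(sub.replace(".", "")))
        s["qtypes"][m["qtype"]] += 1
    alerts = []
    for (client, zone), s in stats.items():
        if s["queries"] < min_queries:
            continue                                  # too little traffic to judge
        avg_len = sum(s["lengths"]) / len(s["lengths"])
        avg_ent = sum(s["entropies"]) / len(s["entropies"])
        unique_ratio = len(s["subdomains"]) / s["queries"]
        # Tunnels rarely repeat a subdomain (each carries new payload) and pack
        # the label with encoded data, so it is long and/or high-entropy.
        if unique_ratio >= min_unique_ratio and (avg_len > max_len or avg_ent > max_entropy):
            alerts.append({"client": client, "zone": zone, "queries": s["queries"],
                           "unique_subdomains": len(s["subdomains"]),
                           "avg_subdomain_len": round(avg_len, 1),
                           "avg_entropy": round(avg_ent, 2), "qtypes": dict(s["qtypes"])})
    return alerts


def constructed_log():
    """Constructed sample: one host browsing normally, one host tunnelling
    hex-encoded chunks under t.example.net (payload is just SHA-256 hex here)."""
    lines = []
    benign = ["www.example.com", "mail.example.com", "cdn.example.org", "www.example.com"]
    for i in range(20):
        lines.append(f"2023-02-01T10:00:{i:02d}Z client=10.0.0.5 qname={benign[i % 4]} qtype=A")
    for i in range(20):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        name = f"{chunk[:24]}.{chunk[24:]}.t.example.net"
        lines.append(f"2023-02-01T10:01:{i:02d}Z client=10.0.0.7 qname={name} qtype=TXT")
    return lines


if __name__ == "__main__":
    for alert in analyze(constructed_log()):
        print(alert)
```

The per-(client, zone) grouping matters: a tunnel's individual queries each look like an ordinary lookup, and only the volume of never-repeating subdomains under one zone from one host gives it away. TXT and NULL query types, and a bias towards one zone that the rest of the estate never queries, are the other signals worth adding from real logs.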
