Class Activity 3.1: DNS Enumeration - FlameSpyro/Tech-Journal GitHub Wiki

Breakdown

DNS can be extremely valuable to penetration testers! It reveals hostnames, naming conventions, hierarchical namespaces, and IP resolutions. This assignment involved a bunch of scripting and one-liners, which I have included here.

Deliverables

1. Provide a screenshot of your /24 port scan against 10.0.5.0/24 similar to the one below.

  • A new directory should be made (although I didn't do that myself... whoops!); this new script is similar to last week's.
  • Script can be found here
  • Results:
  • Screenshot: deliverable1
  • The screenshot also includes an additional configure command, as permissions were denied at first.

2. Provide a screenshot similar to the one below that shows your directory structure and the source code of your /24 port scanner. Note, this code can be 1 liner, but I want you to go through the process of submitting the source code to GitHub.

  • This deliverable is pretty much a refresher for using git, which can be a bit difficult to negotiate with at times.
  • In this lab we simply did a `git clone (GITHUB URL)`
  • If this is the first time using the machine then use `ssh-keygen`; a file will be within the `~/.ssh` directory containing the public key that you would need to add on GitHub
  • After any changes have been made ensure to `git add .`
  • `git commit -m "update message"` followed by a `git push` will save the changes to your GitHub. You may need to verify your GitHub credentials before doing

3. Write a script that takes a network prefix and a specific DNS server in which to perform a lookup. Assume a /24 network. Provide a screenshot similar to the one below showing the program run.

  • Beforehand use `dig axfr 10.0.5.22` to try a zone transfer, which doesn't work because the server is secured
  • Then perform a reverse lookup using a specific server and host. Example: `nslookup 10.0.5.21 10.0.5.22`
  • Then I created a script that performs the deliverable, which can be found here.
  • Output should look like this (screenshot: dev3)
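One way to build the deliverable 3 script, as an added example that is not the page's own script (which is linked, not shown): it takes a three-octet prefix and a DNS server, asks that server for the PTR record of every address .1 through .254 with `nslookup ip server` as the lab used, and prints `ip,hostname` for the ones that answer. The prefix `10.0.5`, the server `10.0.5.22`, the helper names and the embedded nslookup sample are all assumptions, and the sample output is constructed so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example (not the page's own script): reverse-lookup sweep of a /24.
# Usage: ./rdns_sweep.sh 10.0.5 10.0.5.22   (network prefix, then DNS server;
# both values are assumed sample inputs)

# Build the PTR query name for a dotted-quad IPv4 address, e.g.
# 10.0.5.21 -> 21.5.0.10.in-addr.arpa. Pure text work, no network needed.
ptr_name() {
    printf '%s\n' "$1" |
        awk -F. 'NF == 4 { printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Accept only a three-octet prefix "A.B.C" with each octet in 0-255, so a
# typo such as "10.0.5.0" is rejected before 254 lookups are fired off.
valid_prefix() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        awk -F. 'NF != 3 { exit 1 }
                 { for (i = 1; i <= 3; i++) if ($i == "" || $i > 255) exit 1 }'
}

# Extract the hostname from nslookup's reverse-lookup output; the line
# "21.5.0.10.in-addr.arpa   name = host1.example.org." yields host1.example.org.
# An NXDOMAIN answer has no "name =" line, so nothing is printed for it.
parse_nslookup() {
    awk '/name = / { sub(/\.$/, "", $NF); print $NF }'
}

# Constructed sample of what nslookup prints for one PTR hit (not real data).
sample_nslookup_output() {
    printf '%s\n' 'Server:   10.0.5.22' 'Address:  10.0.5.22#53' '' \
        '21.5.0.10.in-addr.arpa   name = host1.example.org.'
}

# Walk .1 through .254, asking the chosen server for each PTR record, and
# print "ip,hostname" for every address that resolves.
sweep() {
    prefix=$1
    server=$2
    valid_prefix "$prefix" || { echo "usage: $0 A.B.C dns-server" >&2; return 2; }
    i=1
    while [ "$i" -le 254 ]; do
        ip="$prefix.$i"
        name=$(nslookup "$ip" "$server" 2>/dev/null | parse_nslookup | head -n 1)
        [ -n "$name" ] && printf '%s,%s\n' "$ip" "$name"
        i=$((i + 1))
    done
    return 0
}

# Run the sweep only when invoked with both arguments, so the helpers can
# also be sourced and exercised without touching the network.
if [ "$#" -eq 2 ]; then
    sweep "$1" "$2"
fi
```

Querying the server directly (second argument to nslookup) matters here: the lab's resolver is not the system resolver, and a PTR answer from the authoritative server is what shows naming conventions, while a missing `name =` line is a harmless miss rather than an error.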

4. Export Changes to Github

  • Refer to deliverable 2

5. Use nmap to find your DNS servers. Figure out how to:

  • skip host discovery

  • use a grepable output to send results to dns-servers2.txt

  • only scan for a single tcp port across 10.0.5.0/24

  • only report "open" ports

  • see if you can use a bash 1 or 2 liner to list the unique IP addresses that respond to * DNS lookups.

  • Provide a screenshot similar to the one below that shows the nmap run and output as well as the parsing of dns-servers2.txt

  • The one liner I wrote is `sudo nmap 10.0.5.0/24 -Pn -p 53 --open -oG dns-servers2.txt`

  • Verify results with `cat dns-servers2.txt | grep -v "Nmap" | cut -d " " -f 2 | sort -u`

  • Screenshot: dav 5
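As an added example (not the page's own one-liner), here is the parsing half of deliverable 5 written so it can be checked against a constructed `dns-servers2.txt`: the `-oG` format puts one `Host:` line per host with the IP in the second field and the port states in the `Ports:` field, so filtering on `port/open/tcp` before de-duplicating keeps a stray `filtered` entry out of the DNS server list. The sample file, its hosts and the function names are assumptions; the page's `cut` variant is included for comparison.

```shell
#!/bin/sh
# Added example (not the page's own one-liner): pull the unique IPs with a
# given TCP port open out of nmap's grepable (-oG) output.

# Constructed sample of a dns-servers2.txt as written by
# "nmap 10.0.5.0/24 -Pn -p 53 --open -oG dns-servers2.txt" (not real scan
# data). The duplicate and the filtered host are there to exercise the parser.
sample_grepable() {
    cat <<'EOF'
# Nmap 7.93 scan initiated Mon Jan  1 00:00:00 2024 as: nmap 10.0.5.0/24 -Pn -p 53 --open -oG dns-servers2.txt
Host: 10.0.5.21 ()    Ports: 53/open/tcp//domain///
Host: 10.0.5.22 ()    Ports: 53/open/tcp//domain///
Host: 10.0.5.23 ()    Ports: 53/filtered/tcp//domain///
Host: 10.0.5.22 ()    Ports: 53/open/tcp//domain///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 256 IP addresses (4 hosts up) scanned in 5.00 seconds
EOF
}

# Print the IP (second field) of each "Host:" line whose Ports field shows
# the requested port as open/tcp, then de-duplicate. The port must follow
# "Ports: " or ", " so that port 3 does not match "53/open". Comment lines
# starting with "# Nmap" never match.
open_hosts() {
    awk -v port="$1" '
        /^Host:/ && $0 ~ ("(Ports: |, )" port "/open/tcp") { print $2 }
    ' | sort -u
}

# The page's cut-based variant, for comparison: it keeps every Host line
# regardless of port state and relies on --open having trimmed the scan.
open_hosts_cut() {
    grep -v "Nmap" | cut -d " " -f 2 | sort -u
}

# Stand-alone run against the constructed sample.
echo "open on 53:"
sample_grepable | open_hosts 53
echo "cut variant:"
sample_grepable | open_hosts_cut
```

With a single `-p 53 --open` scan the two variants agree; the difference shows up when the file also carries other ports or states, which is why the state check is worth keeping once the same file is reused for a wider scan.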


6. The following nmap command will use -sL (list targets) while specifying a dns server. See if you can do some magic with grep and cut or awk to produce output similar to the one below. Provide a screenshot showing your modified nmap run. Note, you may have different hosts listed as our target environment changes and grows over time.

  • I used a one liner to get the desired results: `sudo nmap -sL 10.0.5.0/24 --dns-servers 10.0.5.22 | grep ".org" | cut -d " " -f 5`
  • Screenshot: dev7

7. zt.txt should have some useful information, see what you can do to parse it in a manner that we have a hostname and associated ip address. Provide a screenshot similar to the one below. Note, the screenshot below is not quite perfect as not every host has an IP address.

  • Enter the following: `cat zt.txt | grep -E "([0-9]{1,3}[.]){3}[0-9]{1,3}" | awk '{print $1","$5}' | grep -v`
  • Screenshot: devl
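The note that "not every host has an IP address" is the interesting part of deliverable 7, so here is an added example (not the page's own one-liner) that goes a step further than the grep/awk pipeline: it reads the `dig axfr` record lines, stores the A records, and follows each CNAME to the address its target has in the same zone, so aliased hosts also get an IP and anything pointing outside the zone is labelled rather than silently dropped. The zone `example.org`, its names and addresses, and the function names are constructed assumptions; the page's grep-based version is included to show what it keeps and loses.

```shell
#!/bin/sh
# Added example (not the page's own one-liner): turn dig axfr output (zt.txt)
# into "hostname,ip" pairs, following CNAME aliases to the A record they
# point at so that hosts without their own address still get an IP.

# Constructed stand-in for zt.txt; the zone, names and addresses are made up.
sample_zone() {
    cat <<'EOF'
; <<>> DiG 9.18.1 <<>> axfr example.org @10.0.5.22
;; global options: +cmd
example.org.        3600  IN  SOA    ns1.example.org. admin.example.org. 2024010101 7200 3600 1209600 3600
example.org.        3600  IN  NS     ns1.example.org.
ns1.example.org.    3600  IN  A      10.0.5.22
web1.example.org.   3600  IN  A      10.0.5.21
www.example.org.    3600  IN  CNAME  web1.example.org.
mail.example.org.   3600  IN  A      10.0.5.30
ftp.example.org.    3600  IN  CNAME  files.example.net.
EOF
}

# Record lines in dig output are "name ttl class type rdata". Collect A
# records and CNAMEs in one pass, strip the trailing dot from names, then
# emit every host with an address, resolving aliases through the A table.
zone_hosts() {
    awk '
        $3 == "IN" && $4 == "A"     { sub(/\.$/, "", $1); a[$1] = $5 }
        $3 == "IN" && $4 == "CNAME" { sub(/\.$/, "", $1); sub(/\.$/, "", $5); c[$1] = $5 }
        END {
            for (h in a) print h "," a[h]
            for (h in c)
                print h "," ((c[h] in a) ? a[c[h]] : "(alias for " c[h] ")")
        }
    ' | LC_ALL=C sort
}

# The page's approach, for comparison: keep only lines containing a dotted
# quad. Aliases are dropped, trailing dots stay, and the dig banner line
# (which contains the server address) slips through as ";,<<>>".
zone_hosts_grep() {
    grep -E "([0-9]{1,3}[.]){3}[0-9]{1,3}" | awk '{ print $1 "," $5 }' | LC_ALL=C sort
}

# Stand-alone run against the constructed zone.
echo "with alias resolution:"
sample_zone | zone_hosts
echo "grep-based:"
sample_zone | zone_hosts_grep
```

The banner line leaking through the grep version is the kind of stray row a trailing `grep -v` is used to remove; matching on the record type instead of on "looks like an IP" avoids the problem and also makes it easy to add `AAAA` records later.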