Activity 3.1: DNS Enumeration - Ptsoares/SEC_335_Techjournal GitHub Wiki

Overview

The goal of this lab is to become more familiar with DNS enumeration techniques

Useful Commands and Instructions

nslookup can be forced to use a specific DNS server:

nslookup [host_address] [DNS_server_address]

One of the first parts of this lab is to run a script that takes a network prefix (/24) and a DNS server, and from there runs through the address range looking for hosts to identify, outputting the ones that are "up". Here is a link to the script.
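The sweep script linked above is not reproduced on this page. The following is an added example of the same idea in POSIX sh, not the lab's own script: walk a /24, reverse-resolve each address against a chosen DNS server with nslookup, and print only the addresses that come back with a PTR name. It assumes the Linux (BIND) nslookup output format ("name = host." lines); the prefix, server and sample hostnames are placeholders.

```shell
#!/bin/sh
# Reverse-lookup sweep of a /24 (added example, not the lab's own script).
# Usage: ./sweep.sh 10.0.5 10.0.5.22   (prefix without last octet, DNS server)

# Extract the hostname from nslookup's reverse-lookup output.
# Assumes the Linux (BIND) layout "X.X.X.X.in-addr.arpa<TAB>name = host.example."
# and strips the trailing dot; prints nothing for NXDOMAIN or error output.
parse_ptr() {
    sed -n 's/^.*[[:space:]]name = \(.*\)\.$/\1/p' | head -n 1
}

# Query prefix.1 .. prefix.254 against the given server and print
# "ip<TAB>hostname" for every address that has a PTR record.
sweep() {
    prefix="$1"
    server="$2"
    i=1
    while [ "$i" -le 254 ]; do
        ip="$prefix.$i"
        name=$(nslookup "$ip" "$server" 2>/dev/null | parse_ptr)
        [ -n "$name" ] && printf '%s\t%s\n' "$ip" "$name"
        i=$((i + 1))
    done
}

# Constructed nslookup output used to exercise the parser offline
# (a hit and a miss); the hostname is a placeholder, not real data.
SAMPLE_FOUND=$(printf '22.5.0.10.in-addr.arpa\tname = ns1.lab.example.\n')
SAMPLE_MISSING='** server cannot find 1.5.0.10.in-addr.arpa: NXDOMAIN'

# Only run the live sweep when a prefix and a server are supplied.
if [ "$#" -eq 2 ]; then
    sweep "$1" "$2"
fi
```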

The next step was to use nmap to find DNS servers on the network:

sudo nmap 10.0.5.0/24 -p 53 --open -Pn -oG dns-servers2.txt

The command above scans the 10.0.5.0/24 network for DNS servers (hence why it's looking for port 53 with -p 53). The -Pn flag skips host discovery and port-scans every address regardless of whether it answers a ping, --open specifies to only show open ports, and -oG [FILENAME] sends grepable output to the specified file.

cat dns-servers2.txt | grep -v Nmap | grep -v Status | cut -b 7-15

The command above prints the contents of the dns-servers file from the nmap command mentioned earlier. grep -v (a.k.a. --invert-match) selects non-matching lines (the pattern given after -v is excluded from the output). I used this twice to get rid of unneeded content and redundancy. The cut command, when used with the -b option (byte selection), extracts specific bytes from each line. In this situation, I specified a range of bytes to extract and print, effectively removing the unnecessary information before and after the IP.
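As an added example (not from the lab), here is the same extraction done with awk over a constructed sample of grepable output. Selecting the second whitespace-delimited field of the "Host:" lines that carry a 53/open/tcp entry avoids the fixed byte range, which silently truncates any address longer than nine characters (10.0.5.100 becomes 10.0.5.10); the byte-range version is kept alongside so the difference is visible on the same input.

```shell
#!/bin/sh
# Parse nmap grepable (-oG) output for hosts with TCP/53 open.
# Added example, not part of the lab; the scan lines below are constructed.

# Field-based version: keep "Host:" lines whose port list includes
# 53/open/tcp and print field 2 (the address), whatever its length.
dns_hosts() {
    awk '/^Host:/ && /Ports:/ && /53\/open\/tcp/ { print $2 }'
}

# The lab's byte-range pipeline, for comparison: bytes 7-15 only cover a
# nine-character address such as 10.0.5.22.
dns_hosts_cut() {
    grep -v Nmap | grep -v Status | cut -b 7-15
}

# Constructed sample of what "nmap 10.0.5.0/24 -p 53 --open -Pn -oG ..."
# writes: a comment header, a Status and a Ports line per host, a trailer.
SAMPLE=$(
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: %s ()\t%s\n' \
        10.0.5.22  'Status: Up' \
        10.0.5.22  'Ports: 53/open/tcp//domain///' \
        10.0.5.100 'Status: Up' \
        10.0.5.100 'Ports: 53/open/tcp//domain///'
    printf '# Nmap done (constructed sample)\n'
)

# Prints 10.0.5.22 and 10.0.5.100; the cut version would print 10.0.5.10.
printf '%s\n' "$SAMPLE" | dns_hosts
```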

The following is a reverse-lookup from nmap:

sudo nmap 10.0.5.0/24 -sL --dns-server 10.0.5.22 | grep \( | grep -v nmap | grep -v hosts | cut -b 22-

This nmap command was modified to filter the output substantially. -sL lists targets only; there's no scan. When used with the --dns-server option and a specified DNS server (as identified in the earlier command), a list of hosts (IPs) in the network and their respective hostnames is generated. To omit the addresses that don't have hostnames/aren't active, I used grep with an escape character \ followed by a parenthesis to select only the lines with hostnames. From there, I used grep -v to cut out unneeded lines, and then I used the cut -b command again, this time specifying that I want all content of the selected lines from byte 22 until the end of the line (relevant hostname and IP information).

Because our DNS server is secured, we weren't able to perform a zone transfer on it--instead, there's an intentionally weakened DNS server so that you can practice:

First find the name servers:

dig @8.8.8.8 +short NS zonetransfer.me

Attempt the transfer itself:

dig axfr @nsztm1.digi.ninja zonetransfer.me > zt.txt
dig axfr @nsztm2.digi.ninja zonetransfer.me >> zt.txt

Now there's data stored in zt.txt. Here's a simplified data parse provided in the lab:

cat zt.txt | awk '{print $1"\t\t\t"$5}' | grep -v ";"

This output will be a little messy, but it does have some useful information. Below is my modified version that is more focused:

cat zt.txt | awk '{print $1","$5}' | grep -E "([0-9]{1,3}[.])" | grep -v ";" | grep -v "ninja"

The command above uses awk, grep and some regex to filter out the useful information and parse data from the zone transfer. After reading the file with cat, awk prints the first and fifth fields of each line, which in this case are mostly hostnames and IP addresses. From there, grep with the switch -E for extended regex is used to look for lines that have IP address syntax (one to three digits (0-9) followed by a period). Another grep is run, this time filtering out any lines with a semicolon, and yet another grep is run to filter out any output that includes the word "ninja". This resulted in a list of hostnames and IP addresses without any of the extra information that could've cluttered the output.
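Added example, not the lab's command: the same parse done by record type instead of by IP-looking text. Filtering on the fourth field (the RR type) keeps only address records, so NS and SOA lines whose data happens to contain a digit followed by a dot (such as nsztm1.digi.ninja., the reason the "ninja" exclusion was needed above) never get through, and it goes one step beyond the lab by keeping AAAA records too. The zone lines are a constructed sample in dig's axfr layout using documentation addresses, not real zonetransfer.me data.

```shell
#!/bin/sh
# Turn "dig axfr" output into "hostname,address" lines by record type.
# Added example, not the lab's command; SAMPLE below is constructed.

# dig prints one record per line: owner TTL class TYPE rdata, plus ";" comments.
# Keep A and AAAA records only, strip the owner's trailing dot, emit CSV.
zone_addresses() {
    awk '$1 !~ /^;/ && ($4 == "A" || $4 == "AAAA") {
             sub(/\.$/, "", $1)
             print $1 "," $5
         }'
}

# Constructed sample in the layout dig axfr produces. Addresses come from the
# RFC 5737 / RFC 3849 documentation ranges; the SOA/NS/MX rows are there to
# show that non-address records are dropped even when they contain "digit.".
SAMPLE=$(
    printf '; <<>> DiG <<>> axfr zonetransfer.me (constructed sample)\n'
    printf '%s\t7200\tIN\t%s\t%s\n' \
        zonetransfer.me.        SOA  'nsztm1.digi.ninja. hostmaster.zonetransfer.me. 1 7200 900 1209600 3600' \
        zonetransfer.me.        NS   nsztm1.digi.ninja. \
        zonetransfer.me.        A    192.0.2.10 \
        www.zonetransfer.me.    A    192.0.2.10 \
        office.zonetransfer.me. A    198.51.100.7 \
        ipv6.zonetransfer.me.   AAAA 2001:db8::1 \
        mail.zonetransfer.me.   MX   '10 mail.zonetransfer.me.'
)

# Prints four hostname,address lines and nothing from the SOA, NS or MX rows.
printf '%s\n' "$SAMPLE" | zone_addresses
```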

Issues and Troubleshooting

While working on filtering out content, I had to overcome some issues, such as remembering that in order to grep for a ( I'd need to specify an escape character \ first. This allowed me to output only the lines that I wanted. I also needed to learn that you can use grep -v multiple times to continuously filter out unwanted information. Specifying both in the same command didn't work, as it took the input literally instead of separately.

Questions / Reflection

Most of the commands run in this lab took time to research syntax and then tweak in order to achieve the desired output--at first I'd really overcomplicated the regex for the last command, and I tried creating a filter that would search for the full IP syntax. I later found that I could achieve the same results with only the first octet being specified. Man pages and other forms of documentation helped explain what switches, options, and tags would parse the information in a desired format, but they were often buried in heavily detailed documents. I provided some of the more helpful resources below for later reference. I definitely struggled a fair bit during this lab, but my perseverance got me through, and now I have a much better understanding of how powerful tools like grep can be. Hopefully with more patience I'll be able to tackle other tricky subjects, and improve upon scripting and other automation techniques.

Resources / References

nmap documentation

Grep (Linux Man page)

Cut command (Linux)

awk documentation