Lab 3.1: DNS Enumeration - squatchulator/Tech-Journal GitHub Wiki
DNS can be a treasure trove of information for penetration testers. Hostnames, naming conventions, hierarchical namespaces and of course IP resolution can focus your attack efforts. A misconfigured DNS server, for example one that answers zone transfer requests from any client, can hand over a great deal of that information in a single query.
What is a zone transfer?
A zone transfer is a way to replicate DNS records from one DNS server to one or more others. It exists so that once a primary server holds a zone's records, the secondaries can copy them with an AXFR request rather than having the same records recreated by hand. A server that accepts AXFR requests from anyone (instead of only from its secondaries) will return the entire zone to whoever asks, which gives an attacker every hostname and address in it at once.
- Some really good documentation can be found here
- To perform (AXFR runs over TCP, so port 53/tcp must be reachable; a correctly restricted server answers with "Transfer failed."):

```bash
dig axfr @<ip of DNS server or FQDN> zonetransfer.me
```
Lab reflection (scripts written can be found here)
- This lab gave me quite a bit of trouble, especially when it came to the last deliverable, which involved grepping a list of FQDNs and their associated IPs from a zone transfer file. Mainly what I found challenging was working with regex to pull IPs from the file; however, after observing what other students had working, I learned that the solution was a lot simpler than the direction I was going in. Mainly, I feel that I need to get a better grasp on working with grep, as it is one of the tools I find myself using the most when it comes to working in bash.
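The last deliverable described above, as an added example that is not one of the original lab scripts: a bash script that takes saved `dig axfr` output and pulls out hostname/IP pairs, plus a plain list of the IPv4 addresses. The zone transfer output embedded in it is constructed for the example (the zone name is the zonetransfer.me practice domain used in the dig command above, but every record is made up, the addresses are from the RFC 5737 documentation ranges, and the name server `ns.example.net` is an assumption).

```bash
#!/bin/bash
# parse-axfr.sh: turn `dig axfr` output into "fqdn ip" lines.
# Usage: ./parse-axfr.sh zone.txt   (no argument parses the embedded sample)

# Constructed sample of dig axfr output; records and addresses are made up.
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr @ns.example.net zonetransfer.me
;; global options: +cmd
zonetransfer.me.        7200    IN      SOA     ns.example.net. hostmaster.example.net. 2024010101 172800 900 1209600 3600
zonetransfer.me.        7200    IN      NS      ns.example.net.
zonetransfer.me.        7200    IN      MX      10 mail.zonetransfer.me.
zonetransfer.me.        7200    IN      A       192.0.2.10
www.zonetransfer.me.    7200    IN      A       192.0.2.10
mail.zonetransfer.me.   7200    IN      A       192.0.2.25
vpn.zonetransfer.me.    300     IN      A       198.51.100.7
intranet.zonetransfer.me. 300   IN      CNAME   vpn.zonetransfer.me.
ipv6.zonetransfer.me.   7200    IN      AAAA    2001:db8::1
zonetransfer.me.        7200    IN      SOA     ns.example.net. hostmaster.example.net. 2024010101 172800 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(ns.example.net) (TCP)
;; XFR size: 10 records (messages 1, bytes 312)'

# Print "fqdn ip" for every A record read on stdin. dig prints one record
# per line as: name ttl class type rdata, and comment lines start with ';'.
# The trailing dot dig puts on owner names is stripped.
extract_a_records() {
    awk '$0 !~ /^;/ && $3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# Only the distinct IPv4 addresses. Selecting the A record lines first keeps
# the SOA serial, TTLs and the version string in the header out of the match;
# the regex accepts any four dot-separated digit groups, not strict octets.
extract_ipv4() {
    awk '$0 !~ /^;/ && $4 == "A"' \
        | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort -u
}

# Number of A records found on stdin.
count_a_records() {
    extract_a_records | wc -l | tr -d ' '
}

if [ "$#" -ge 1 ]; then
    extract_a_records < "$1"
else
    printf '%s\n' "$SAMPLE_AXFR" | extract_a_records
fi
```

Save a real transfer first (`dig axfr @<server> zonetransfer.me > zone.txt`) and pass the file in; the output is ready to feed into the reverse-lookup and port-scan scripts below. Filtering on the record type column before applying the IP regex is what keeps the numbers in the SOA and TTL fields from turning up as false matches, which is the usual trap when grepping for IPs over the whole file.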
dns-resolver.sh

```bash
#!/bin/bash
# Reverse-resolve every address in a /24. <ip prefix> is the first three
# octets (e.g. 10.0.17); <dns server ip> is the resolver to query, which
# should be the target's own DNS server so that internal PTR records show up.
pref=$1
dnsserver=$2
end=254

if [ "$#" -ne 2 ]; then
    echo "Incorrect parameters! Usage: $0 <ip prefix> <dns server ip>"
    exit 1
fi

echo "DNS Resolution for $pref"
for ((i=1; i<=end; i++)); do
    ip="$pref.$i"
    # nslookup prints "<reversed ip>.in-addr.arpa name = <fqdn>." when a PTR
    # record exists; addresses with no PTR produce no "name" line and are skipped.
    nslookup "$ip" "$dnsserver" | grep name
done
```
portscanner2.sh

```bash
#!/bin/bash
# Check one TCP port across a /24 with no external tools: redirecting to
# bash's /dev/tcp/<host>/<port> pseudo-device opens a TCP connection.
# <ip prefix> is the first three octets (e.g. 10.0.17).
ip=$1
port=$2
end=254

if [ "$#" -ne 2 ]; then
    echo "Incorrect parameters! Usage: $0 <ip prefix> <port>"
    exit 1
fi

for ((i=1; i<=end; i++)); do
    address="$ip.$i"
    # timeout kills the attempt after 100 ms; a closed or filtered port makes
    # the redirect fail, so only successful connects are printed. 100 ms is
    # only realistic on a local segment; raise it for anything routed.
    timeout .1 bash -c "echo >/dev/tcp/$address/$port" 2>/dev/null &&
        echo "$address:$port"
done
```