DNS Enumeration

DNS Reconnaissance, Carlos Perez, Tuesday, November 20, 2012

Posted on 30-Oct-2014

DESCRIPTION

DNS reconnaissance on the network.

TRANSCRIPT

Page 1: DNS Enumeration

DNS Reconnaissance

Carlos Perez

Tuesday, November 20, 12

Page 2: DNS Enumeration

About Me

Director of Reverse Engineering for a security vendor.

Podcaster with PaulDotCom

Contributor to Metasploit

Blog: http://www.darkoperator.com/

Twitter: @Carlos_Perez

Page 3: DNS Enumeration

Disclaimer

The research and slides shown are my own and are not in any way related to, or known by, my current employer. All expressions and comments are my own.

Page 4: DNS Enumeration

What is Recon

It is a systematic and methodical approach for gathering information about a target.

The information will provide a view into the technologies and security posture of the target.

The process must have little impact and draw as little attention as possible.

Page 5: DNS Enumeration

Why DNS

Reliance on DNS in the enterprise has grown at the same rate as the complexity and distribution of the technologies it supports:

VOIP

Instant Messaging

Email

Management

Page 6: DNS Enumeration

Why DNS

Most organizations do not monitor DNS server traffic and logs.

Those that do generally only alert on zone transfer attempts in their IDS/IPS systems.

DNS can provide information on the security posture of the target.

Page 7: DNS Enumeration

Caveats of DNS

Most DNS queries are UDP, so results are sensitive to the health of the path from the attacker to the target: a dropped query looks the same as a non-existent record.

DNS tends to have fake entries, stale entries, incorrect entries and entries for hosts that cannot be reached.

Location, location, location! Which server we query dictates which records we get.

Page 8: DNS Enumeration

DNSRecon

Included in BackTrack Linux 5; tested on OS X, Linux and Windows.

Written in Python and tested on Python 2.6, 2.7 and 3.2 (the original was written in Ruby two years ago).

Can save results in XML, CSV or SQLite3.

Includes a Metasploit plugin for importing XML and CSV results.

Includes a parser tool for XML and CSV results.

Page 9: DNS Enumeration

Goals

Provide most of the known DNS enumeration techniques in one tool, and that is it.

Which techniques are executed, and how much is automated, must be controlled by the user for best precision.

Output must be easy to parse and easy to consume from the command line or other tools.

Page 10: DNS Enumeration

Types of Enumeration

Standard Record Enumeration (Wildcard, DNSSEC, NS, SOA, MX, A, AAAA, TXT, SPF and SRV)

Zone Transfer

Reverse Lookup

Domain and Host Brute-force

Cache Snooping

Zone Walking (DNSSEC)

Google Lookup

Page 11: DNS Enumeration

Standard Enumeration

What it does:

Checks for wildcard resolution.

Checks whether the zone is DNSSEC-signed and which proof-of-non-existence record type (NSEC or NSEC3) it uses.

Resolves SOA, NS, MX, A, AAAA, TXT and SPF.

Enumerates known SRV record types.

Page 12: DNS Enumeration

Standard Enumeration

Presence of DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records will reveal that email security technologies are in use.

SPF will reveal which servers are allowed to send email for the domain.

SRV (service) records provide the service name, transport, port, priority and weight of the hosts offering a service; the type of software in use can often be deduced from them.

Page 13: DNS Enumeration

Standard Enumeration

Names referenced in records (MX, NS or SRV targets, for example) that have no A, AAAA or CNAME record of their own may show a lack of maintenance, or internal record names being leaked (reported as no_ip).

Page 14: DNS Enumeration

Standard Enumeration

To run standard enumeration:

./dnsrecon.py -d <domain>

./dnsrecon.py -d <domain> -t std

The -a option can be given to perform an AXFR against all NS records with port 53 TCP open.

The -s option can be given to perform a reverse lookup against all ranges in the SPF (Sender Policy Framework) record.

Page 15: DNS Enumeration

Standard Enumeration

Page 16: DNS Enumeration

Zone Transfer

It is still found in engagements to this day.

Selects the domain's SOA and then queries for all of its NS records.

Tests each NS record to see if port TCP 53 is open and, if it is, tries an AXFR for the zone against that name server.

Records returned are parsed and formatted.

Made optional since it is easily picked up in logs and IDS/IPS systems.

Page 17: DNS Enumeration

Zone Transfer

Even when a zone transfer is successful, the other NS servers should be queried for the standard records and the results compared, to rule out that the:

Name server may be a test server.

Name server may contain stale data.

Name server may be a decoy.

Page 18: DNS Enumeration

Zone Transfer

To run AXFR enumeration:

./dnsrecon.py -d <domain> -a

./dnsrecon.py -d <domain> -t axfr

More than one type can be specified

./dnsrecon.py -d <domain> -t std,axfr

Page 19: DNS Enumeration

Reverse Lookup

Performs a lookup for PTR (pointer) records against a given IPv4 or IPv6 range.

Can be performed against all ranges in SPF records.

Can be performed against the ranges found via Whois queries on all A and PTR records found.

Page 20: DNS Enumeration

Reverse Lookup

To run reverse lookup enumeration:

./dnsrecon.py -r <CIDR>

./dnsrecon.py -r <StartIP-EndIP>

Expand SPF Record Ranges

./dnsrecon.py -d <domain> -s

Perform Whois Queries against all IPs found

./dnsrecon.py -d <domain> -w
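Added example, not part of the slides or of DNSRecon: expanding an SPF record into the ranges allowed to send mail for a domain, and turning those ranges into the PTR query names a reverse lookup would issue (what the -s option above does). The TXT and A answers are constructed stand-ins (FAKE_TXT, FAKE_A, get_txt, get_a) so it runs offline; include:, a and redirect= are followed, with the RFC 7208 limit of 10 lookups doubling as a loop guard. The mx mechanism is left out because it needs an MX lookup followed by A lookups.

```python
import ipaddress

# Constructed stand-ins for TXT and A lookups (the example runs offline).
FAKE_TXT = {
    "example.com.": ["v=spf1 ip4:198.51.100.0/28 ip6:2001:db8:10::/125 "
                     "include:_spf.mailer.example.net a:mx1.example.com -all"],
    "_spf.mailer.example.net.": ["v=spf1 ip4:203.0.113.8/30 ~all"],
}
FAKE_A = {"mx1.example.com.": ["198.51.100.25"]}


def get_txt(name):
    return FAKE_TXT.get(name, [])


def get_a(name):
    return FAKE_A.get(name, [])


def fqdn(name):
    return name.rstrip(".") + "."


def spf_networks(domain, depth=0, seen=None):
    """Expand the domain's SPF record into the networks allowed to send its mail,
    following include:, a and redirect=. RFC 7208 caps DNS-querying terms at 10,
    which also serves here as the loop guard against circular includes."""
    seen = set() if seen is None else seen
    domain = fqdn(domain)
    if domain in seen or depth > 10:
        return []
    seen.add(domain)
    nets = []
    for txt in get_txt(domain):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            mech = term.lstrip("+-~?")  # the qualifier does not change the range itself
            if mech.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith("include:"):
                nets.extend(spf_networks(mech[8:], depth + 1, seen))
            elif mech.startswith("redirect="):
                nets.extend(spf_networks(mech[9:], depth + 1, seen))
            elif mech == "a" or mech.startswith("a:"):
                host = domain if mech == "a" else fqdn(mech[2:])
                nets.extend(ipaddress.ip_network(addr) for addr in get_a(host))
    return nets


def ptr_names(networks):
    """Reverse-lookup names (in-addr.arpa / ip6.arpa) for every address in the ranges."""
    return [addr.reverse_pointer for net in networks for addr in net]
```

Against live DNS, get_txt and get_a would be real queries; everything else stays the same. Note that an SPF record for a large provider can expand to thousands of addresses, which is why the slides treat the reverse lookup of SPF ranges as a separate, optional step.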

Page 21: DNS Enumeration

Reverse Lookup

Page 22: DNS Enumeration

Domain Brute-force

Appends each entry of a given wordlist to the domain and tries to resolve A, AAAA and CNAME records.

Will perform a test to see if Wildcard resolution is enabled for the domain.

To run Domain Name Brute-force:

./dnsrecon.py -d <domain> -D <NameList> -t brt
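As an added example (not code from the slides or from DNSRecon itself), the following Python puts the wildcard check from the standard-enumeration slide and the brute-force step above together: a few random labels are resolved first, and any wordlist hit that returns exactly the same answer as the random labels is discarded as wildcard noise. The resolver is a constructed in-memory stand-in (FAKE_ZONE, resolve) so it runs offline; against real DNS those calls would be actual queries.

```python
import random
import string

# Constructed stand-in for a resolver: name -> list of (type, value). The
# "*.example.com." entry makes every unknown name under example.com. answer,
# which is what turns a naive brute-force into a wall of false positives.
FAKE_ZONE = {
    "www.example.com.": [("A", "198.51.100.10")],
    "mail.example.com.": [("A", "198.51.100.25")],
    "intranet.example.com.": [("CNAME", "portal.corp.example.com.")],
    "*.example.com.": [("A", "198.51.100.200")],
}


def resolve(name):
    """A/AAAA/CNAME answers for a name, honouring a '*.' wildcard (stand-in for real lookups)."""
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    parent = name.split(".", 1)[1]
    return list(FAKE_ZONE.get("*." + parent, []))


def random_label(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def wildcard_check(domain, attempts=3):
    """Resolve a few random labels under the domain. If every one of them answers,
    wildcard resolution is on; return the answers so real hits can be separated."""
    answers = set()
    for _ in range(attempts):
        result = resolve(f"{random_label()}.{domain}")
        if not result:
            return set()  # a random name failed to resolve: no wildcard
        answers.update(result)
    return answers


def brute_force(domain, wordlist):
    """Try each word as a label under the domain, dropping wildcard noise."""
    wildcard = wildcard_check(domain)
    found = []
    for word in wordlist:
        name = f"{word}.{domain}"
        for rtype, value in resolve(name):
            if (rtype, value) in wildcard:
                continue  # identical to the wildcard answer: not evidence of a real host
            found.append((rtype, name, value))
    return found
```

The caveat worth keeping in mind: a real host that happens to share the wildcard address is hidden by this filter. Checking other record types for the name, or comparing CNAME targets rather than only addresses, narrows that blind spot.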

Page 23: DNS Enumeration

Domain Brute-force

Page 24: DNS Enumeration

Cache Snooping

Given a list of domain names, it checks a specific name server for the presence of each record in its cache.

Great for determining business relationships and outside services in use, which can be leveraged in phishing attempts.

To perform cache snooping:

./dnsrecon.py -t snoop -n <Server> -D <Dict>
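Added example serving both the zone transfer slides and cache snooping above; it is not DNSRecon's code. It builds DNS messages by hand with the standard library only. A cache-snooping probe is an ordinary query with the RD (recursion desired) bit cleared, so a resolver answers only if the name is already in its cache, and the TTL it returns is what is left of the original, which says how recently someone asked for it. An AXFR is the same message with QTYPE 252, sent over TCP with a two-byte length prefix and read until the SOA appears a second time. SAMPLE_SNOOP_RESPONSE is a constructed reply used to exercise the parser offline; snoop() and axfr() need a network and a server address.

```python
import socket
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
         "TXT": 16, "AAAA": 28, "SRV": 33, "AXFR": 252}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, recursion_desired=True, txid=0x1234):
    """Header is ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT. RD is bit 8 of the
    flags; a cache-snooping probe clears it so the server must answer from cache."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg):
    """Return (flags, records); records are (name, type, ttl, rdata) from all sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((name, rtype, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return flags, records


def snoop_verdict(response, qtype="A"):
    """With RD=0 an answer means the name was already cached; the TTL is what is
    left of the original TTL, i.e. how recently the resolver fetched it."""
    _, records = parse_message(response)
    hits = [(name, ttl) for name, rtype, ttl, _ in records if rtype == TYPES[qtype]]
    return hits[0] if hits else None


def snoop(server, name, qtype="A", timeout=3):
    """Live probe (needs network): non-recursive query against a resolver's cache."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, qtype, recursion_desired=False), (server, 53))
    return snoop_verdict(sock.recv(4096), qtype)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-transfer")
        buf += chunk
    return buf


def axfr(server, zone, timeout=10):
    """Live transfer (needs network). AXFR is TCP only: every message carries a
    two-byte length prefix and the zone ends when the SOA appears a second time."""
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        query = build_query(zone, "AXFR")
        sock.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            (length,) = struct.unpack("!H", recv_exact(sock, 2))
            flags, recs = parse_message(recv_exact(sock, length))
            if flags & 0x000F or not recs:  # RCODE set (e.g. REFUSED) or empty reply
                break
            for rec in recs:
                records.append(rec)
                if rec[1] == TYPES["SOA"]:
                    soa_seen += 1
    return records


# Constructed reply to a non-recursive A query for www.example.com: flags 0x8080
# (QR and RA set, RD clear), one question, one answer whose name is a pointer to
# offset 12, TTL 117 left of an original 120, rdata 198.51.100.10.
SAMPLE_SNOOP_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 117, 4) + bytes([198, 51, 100, 10])
)
```

Two practical notes: a resolver that refuses non-recursive queries, or that always recurses regardless of RD, defeats snooping and should be spotted by first probing a name you know it cannot have cached; and the AXFR loop above deliberately stops on any non-zero RCODE, since a REFUSED is the expected answer from a correctly restricted name server.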

Page 25: DNS Enumeration

Cache Snooping

Page 26: DNS Enumeration

NSEC Zone Walk

Abuses the proof-of-non-existence NSEC records of the original DNSSEC standard to enumerate an entire zone.

Slow, but the results are more accurate (every name in the zone is listed, not just the ones a wordlist happens to guess).

May reveal internal records if the zone is improperly configured.

It is a "feature/capability" of the protocol, so it is hard to detect.

Page 27: DNS Enumeration

NSEC

Points to the next name in the zone's canonical order (and lists the record types present at the owner name). It is used to provide proof of non-existence of a name in the zone; following the "next name" pointers from the apex enumerates every name.

Page 28: DNS Enumeration

NSEC3

Introduced to replace NSEC (RFC 5155): points to the hashed value of the next name in the zone and is used to provide proof of non-existence of a name in the zone. The chain can still be followed, but the names behind the hashes have to be recovered by guessing.
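Added example, not from the slides: a simulated NSEC walk over a constructed zone (ZONE_NAMES), and the NSEC3 hash from RFC 5155 to show why hashing only raises the cost rather than removing the problem. The NSEC3 chain still links every owner, but names are recovered by hashing guesses offline against the salt and iteration count the zone publishes in its NSEC3PARAM record. Everything here is computed locally; query_nsec is a stand-in for a live NSEC query.

```python
import hashlib

# Constructed signed zone, listed in canonical order so the NSEC chain is obvious.
ZONE_NAMES = ["example.com.", "dev-api.example.com.", "mail.example.com.",
              "vpn-old.example.com.", "www.example.com."]


def canonical_key(name):
    """Canonical ordering (RFC 4034 section 6.1): labels compared right to left, case-insensitive."""
    return [label.lower().encode() for label in reversed(name.rstrip(".").split("."))]


def nsec_chain(names):
    """Owner -> next owner, as the zone's NSEC records state it; the last wraps to the apex."""
    ordered = sorted(names, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def nsec_walk(apex, query_nsec):
    """Zone walk: fetch the NSEC of the apex, jump to its 'next name', repeat until
    the chain wraps. query_nsec(owner) stands in for a live NSEC query."""
    found, current = [], apex
    while True:
        found.append(current)
        current = query_nsec(current)
        if current == apex or current in found:  # wrapped, or a broken chain
            return found


B32HEX = "0123456789abcdefghijklmnopqrstuv"


def base32hex(digest):
    """Base32hex (RFC 4648 section 7) of a 20-byte SHA-1 digest: exactly 32 characters, no padding."""
    bits = int.from_bytes(digest, "big")
    return "".join(B32HEX[(bits >> (5 * (31 - i))) & 31] for i in range(32))


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: IH(0) = SHA-1(wire-format lowercase name || salt),
    IH(k) = SHA-1(IH(k-1) || salt). Salt and iterations come from NSEC3PARAM."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, salt, iterations):
    """Hashed owner -> next hashed owner, in hash order: walkable, but it names nothing."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {hashes[i]: hashes[(i + 1) % len(hashes)] for i in range(len(hashes))}


def nsec3_crack(chain, zone, candidates, salt, iterations):
    """Recover names from an NSEC3 chain by hashing guesses offline and checking
    which appear as owners; this is the brute-force NSEC3 was designed to force."""
    return [f"{word}.{zone}" for word in candidates
            if nsec3_hash(f"{word}.{zone}", salt, iterations) in chain]
```

The design point: with NSEC the walk is a handful of online queries and needs no wordlist, which is what makes it both complete and quiet. With NSEC3 the chain is collected the same way, but everything after that is a local dictionary attack whose cost is set by the zone's iteration count, and names that are not in the attacker's wordlist stay hidden.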

Page 29: DNS Enumeration

Zone Walk

Page 30: DNS Enumeration

SRV RR Leakage

Page 31: DNS Enumeration

SRV RR Leakage

Page 32: DNS Enumeration

SRV RR Leakage

Page 33: DNS Enumeration

RR Leakage

Page 34: DNS Enumeration

PTR RR Leakage

Page 35: DNS Enumeration

A RR Leakage

Page 36: DNS Enumeration

Parsing Data

Usage: parser.py <options>

Options:
  -h, --help           Show this help message and exit.
  -f, --file <file>    DNSRecon XML or CSV output file to parse.
  -l, --list           Output a unique IP list that can be used with other tools.
  -i, --ips <ranges>   IP ranges in a comma separated list, each in the format (first-last) or (range/bitmask), for ranges to be included in the output. For A, AAAA, NS, MX, SOA, SRV and PTR records.
  -t, --type <type>    Resource record types as a regular expression to filter output. For A, AAAA, NS, MX, SOA, TXT, SPF, SRV and PTR records.
  -s, --str <regex>    Regular expression between quotes for filtering host names. For A, AAAA, NS, MX, SOA, SRV and PTR records.
  -n, --name           Return a list of unique host names. For A, AAAA, NS, MX, SOA, SRV and PTR records.
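Added example that reproduces the parser's -t, -s, -i, -l and -n filters in a few lines of Python; it is not parser.py itself. The CSV column layout (Type,Name,Address,Target,Port,String) is assumed, and the rows in SAMPLE_CSV are constructed for the example.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the assumed DNSRecon CSV layout.
SAMPLE_CSV = """Type,Name,Address,Target,Port,String
SOA,ns1.example.com,198.51.100.2,,,
NS,ns1.example.com,198.51.100.2,,,
NS,ns2.example.net,203.0.113.53,,,
MX,mail.example.com,198.51.100.25,,,
A,www.example.com,198.51.100.10,,,
A,vpn-old.example.com,10.20.30.40,,,
AAAA,www.example.com,2001:db8:10::10,,,
SRV,_ldap._tcp.dc._msdcs.example.com,198.51.100.12,dc01.example.com,389,
TXT,example.com,,,,v=spf1 ip4:198.51.100.0/28 -all
PTR,mail.example.com,198.51.100.25,,,
"""

ADDRESS_TYPES = {"A", "AAAA", "NS", "MX", "SOA", "SRV", "PTR"}  # rows that carry an address


def load_records(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ranges(spec):
    """'first-last' or 'net/bits' items, comma separated, as ipaddress networks (the -i format)."""
    nets = []
    for item in (s.strip() for s in spec.split(",")):
        if "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def filter_records(records, type_re=None, name_re=None, ranges=None):
    """Apply the -t (type regex), -s (name regex) and -i (range) filters."""
    out = []
    for rec in records:
        if type_re and not re.search(type_re, rec["Type"]):
            continue
        if name_re and not re.search(name_re, rec["Name"]):
            continue
        if ranges is not None:
            if rec["Type"] not in ADDRESS_TYPES or not rec["Address"]:
                continue
            addr = ipaddress.ip_address(rec["Address"])
            if not any(addr in net for net in ranges):
                continue
        out.append(rec)
    return out


def _ip_sort_key(text):
    addr = ipaddress.ip_address(text)
    return (addr.version, addr)  # v4 and v6 addresses do not compare with each other


def unique_ips(records):
    """The -l output: one address per line, ready to feed a port scanner."""
    return sorted({r["Address"] for r in records
                   if r["Type"] in ADDRESS_TYPES and r["Address"]}, key=_ip_sort_key)


def unique_names(records):
    """The -n output: unique host names from the address-bearing records."""
    return sorted({r["Name"] for r in records if r["Type"] in ADDRESS_TYPES})
```

The range filter is the one to get right: a recon run that includes a third party's name server (ns2.example.net above) or an RFC 1918 address leaked through a stale A record must be trimmed to the client's ranges before the list goes to any active scanning, and the -i filter is where that happens.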

Page 37: DNS Enumeration

Parsing Data

Page 38: DNS Enumeration

Parsing Data

Page 39: DNS Enumeration

Importing Data in to Metasploit

A Metasploit Plugin for importing CSV and XML results is included with the tool.

The file dnsr_import.rb just needs to be copied to the ~/.msf4/plugins folder to have it available to msfconsole.

The load command is used to load the plugin:

msf > load dnsr_import
[*] dnsr_import plugin loaded.
[*] Successfully loaded plugin: dnsr_import
msf >

Page 40: DNS Enumeration

Importing Data in to Metasploit

Commands Available

DNSR_Import Commands
====================

    Command              Description
    -------              -----------
    import_dnsrecon_csv  Import DNSRecon CSV output file.
    import_dnsrecon_xml  Import DNSRecon XML output file.

Page 41: DNS Enumeration

Importing Data in to Metasploit

Commands Available

Each command takes the -f option for loading the file generated by DNSRecon.

DNSR_Import Commands
====================

    Command              Description
    -------              -----------
    import_dnsrecon_csv  Import DNSRecon CSV output file.
    import_dnsrecon_xml  Import DNSRecon XML output file.

Page 42: DNS Enumeration

Importing Data in to Metasploit

Page 43: DNS Enumeration

Importing Data in to Metasploit

Page 44: DNS Enumeration

Questions?
