DNS Zone Transfers
Domain Name System(DNS) is a protocol that is used to resolve domain names/hostnames to IP addresses
A DNS server (nameserver) is like a telephone directory that contains domain names and their corresponding IP addresses.
A plethora of public DNS servers have been set up by companies like cloudfare (1.1.1.1) and Google (8.8.8.8). These DNS servers contain the records of almost all domains on the internet
Google.com is a domain name, it is easier to remember this instead of the IP address, so dns maps names to IP addresses
DNS Records
A - Resolves a hostname or domain name to an IPv4 address AAAA - Resolves a hostname or domain to an IPv6 address. NS - Reference to the domains nameserver MX - Resolves a domain to a mail server CNAME - Used for domain aliases TXT - Text record HINFO - Host information SOA - Domain authority SRV - Service records PTR - Resolves an IP address to a hostname DNS interrogation is the process of enumerating DNS records for a specific domain. The objective of DNS interrogation is to probe a DNS server to provide us with DNS records for specific domain. This process can provide with important information like the IP address of a domain, subdomains. mail server addresses etcDNS Zone Transfers The process of sending zone files from one DNS to another. This can provide penetration testers with a holistic view of an organization’s network layout. If misconfigured the functionality can be abused by attackers to copy the zone file from the primary DNS server to another DNS server.
Practical Demo
We can use dnsenum here, this can automatically perform a dns zone transfer
dnsenum --help
This can also be used to perform a dns bruteforce.
Before DNS your computer will typically utilize the host file (/etc/hosts). The /etc/hosts file is a local domain, it can’t be accessed on the internet
In order for a dns zone transfer to work, the dns zone transfer functionality must be enabled on any one of those main servers, primarily the primary dns server or nameserver.
dnsenum zonetransfer.me
┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ dnsenum zonetransfer.me
dnsenum VERSION:1.2.6
----- zonetransfer.me -----
Host's addresses:
__________________
zonetransfer.me. 6466 IN A 5.196.105.14
Name Servers:
______________
nsztm1.digi.ninja. 10800 IN A 81.4.108.41
nsztm2.digi.ninja. 10800 IN A 34.225.33.2
Mail (MX) Servers:
___________________
ASPMX2.GOOGLEMAIL.COM. 293 IN A 142.250.153.26
ASPMX5.GOOGLEMAIL.COM. 293 IN A 74.125.200.27
ALT1.ASPMX.L.GOOGLE.COM. 293 IN A 142.250.153.27
ASPMX.L.GOOGLE.COM. 293 IN A 173.194.76.26
ASPMX4.GOOGLEMAIL.COM. 293 IN A 142.250.150.26
ASPMX3.GOOGLEMAIL.COM. 293 IN A 142.251.9.27
ALT2.ASPMX.L.GOOGLE.COM. 293 IN A 142.251.9.27
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for zonetransfer.me on nsztm1.digi.ninja ...
zonetransfer.me. 7200 IN SOA (
zonetransfer.me. 300 IN HINFO "Casio
zonetransfer.me. 301 IN TXT (
zonetransfer.me. 7200 IN MX 0
zonetransfer.me. 7200 IN MX 10
zonetransfer.me. 7200 IN MX 10
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT (
_sip._tcp.zonetransfer.me. 14000 IN SRV 0
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT ";
contact.zonetransfer.me. 2592000 IN TXT (
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53
DZC.zonetransfer.me. 7200 IN TXT AbCdEfG
email.zonetransfer.me. 2222 IN NAPTR (
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT "Hi
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT (
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin
rp.zonetransfer.me. 321 IN RP (
sip.zonetransfer.me. 3333 IN NAPTR (
sqli.zonetransfer.me. 300 IN TXT "'
sshock.zonetransfer.me. 7200 IN TXT "()
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'><script>alert('Boo')</script>"
Trying Zone Transfer for zonetransfer.me on nsztm2.digi.ninja ...
zonetransfer.me. 7200 IN SOA (
zonetransfer.me. 300 IN HINFO "Casio
zonetransfer.me. 301 IN TXT (
zonetransfer.me. 7200 IN MX 0
zonetransfer.me. 7200 IN MX 10
zonetransfer.me. 7200 IN MX 10
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN MX 20
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT (
_acme-challenge.zonetransfer.me. 301 IN TXT (
_sip._tcp.zonetransfer.me. 14000 IN SRV 0
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT ";
contact.zonetransfer.me. 2592000 IN TXT (
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53
DZC.zonetransfer.me. 7200 IN TXT AbCdEfG
email.zonetransfer.me. 2222 IN NAPTR (
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT "Hi
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT (
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 52.91.28.78
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin
rp.zonetransfer.me. 321 IN RP (
sip.zonetransfer.me. 3333 IN NAPTR (
sqli.zonetransfer.me. 300 IN TXT "'
sshock.zonetransfer.me. 7200 IN TXT "()
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'><script>alert('Boo')</script>"
Another tool tool you can use for dns zone transfer is dig
dig axfr @nsztm1.digi.ninja zonetransfer.me
“axfr” is the switch for zone transfer
Dig is the most preferred
fierce is an open source recon tool used to enumerate sub-domains of a target website
fierce --domain zonetransfer.me
Host Discovery With Nmap
The IP you get during your enumeration phase is what you’ll test here.
NMAP(Network Mapper), designed to scan large networks
-sn (tells nmap not to do a port scan, referred to as ping sweep)
You can use nmap, netdiscover
sudo netdiscover -r 10.10.10.0/24 -i wlan0
Port Scanning with Nmap
Switches
-F (scans the 100 most used ports)
-sU (For UPD ports)
-sC (runs a list of nmap scripts for the open ports)
-T4 (aggressive scanning)
-oX (write scan in an xml format)