Navigation
« Automating My VMware Lab | Main | Do not be a Fanboy be a Hacker and Remove the Blinders »
Friday
Dec112009

DNS Enumeration with Metasploit

One of the old fashion methods of enumeration that I see time and time again give a large amount of information of great use is DNS (Domain Name Server), a large number of systems now a day depend greatly on this service to be able to operate, from IP Telephony, Windows Active Directory, Backup Systems and many other are dependent on this service. This service simplifies configuration of many services and for this same reason is one of the first areas to look at when gathering information of a target network. At the beginning this service used to be just hosts file that where shared by the system administrators of the systems connected to the internet, now a days we have a much more robust system. System administrators are required to not only know the basics but also understand this system since so much is tied to it, especially since this service easies so much the administration of large IP networks by abstraction of the addressing layer simplifying configurations, resiliency and flexibility of today’s networks. There are 2 main ways I see this system configured in most of companies. In the first configuration the client has one DNS system only for external requests and only external servers to the enterprise are registered and an internal system for Active Directory. In the second configuration the client uses the same DNS system for both internal and external use. The first type of configuration keeps both the internal naming structure and the external naming structure separate does providing some security thru obscurity when the attacker is doing the enumeration from the outside of the network. Many times on small to medium sized companies there only have what it is called a Forward Lookup Zone, this is when you simply give a name and you get back an IP, on some you might find what it is called Wildcard Name Resolution, this is nothing more that the DNS server you are querying if it does not have a specific record for that name will return a pre-defined address, this makes enumeration thru brute force more time consuming since false positives must be cleared and check. The accuracy of the results of DNS enumeration varies a lot depending on the Name Server being queried. A target network may have different domain name spaces that they employ and prior enumeration thru metadata, email headers and other methods reveal this domain names so as to be able to enumerate and take advantage of this service. Also a UDP and TCP portscan with fingerprinting is also a very good idea so as to find any NS server that might be part of a test system or internal exposed DNS server. For DNS enumeration I wrote Metasploit Module to aide in enumeration of targets, the module is called dns_enum. Below you will be able to see how the module can be loaded and list its options inside msfconsole:

msf > use auxiliary/gather/dns_enum 
msf auxiliary(dns_enum) > info

Name: DNS Enumeration Module
Version: $Rev: 7500

License: Metasploit Framework License (BSD)

ided by:
rlos Perez

c options:
me Current Setting Required Description
-- --------------- -------- -----------
MAIN yes The target domain name
UM_AXFR true yes Initiate a zone Transfer against each NS record
UM_BRT false yes Brute force subdomains and hostnames via wordlist
UM_RVL false yes Reverse lookup a range of IP addresses
UM_SRV true yes Enumerate the most common SRV records
UM_STD true yes Enumerate standard record types (A,MX,NS,TXT and SOA)
UM_TLD false yes Perform a top-level domain expansion by replacing TLD and testing against IANA TLD list
RANGE no The target address range or CIDR identifier
no Specify the nameserver to use for queries, otherwise use the system DNS
OP_WLDCRD false yes Stops Brute Force Enumeration if wildcard resolution is detected
RDLIST /Users/cperez/msf3/data/wordlists/namelist.txt no Wordlist file for domain name brute force.

ription:
is module can be used to enumerate various types of information
out a domain from a specific DNS server.

rences:
tp://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0532


As it can be seen in the options there are several ways one can enumerate a targeted domain, the methods are:

• Zone Transfer

• Hostname and Subdomain Dictionary Brute Force

• Reverse Lookup

• Service Record

• Standard Record Query

•Top Lever Domain Name Expansion

The module will print the results to the screen and if a database is configured in Metasploit it will save the results in the database, when using the module I highly recommend the use of MySQL or Postgres as the database to be used to save the results since this module uses multi-threading and might cause locks if using SQLite as the database, if you still choose SQLite for portability and simple management I recommend that the advanced option of THREADS to 1, this will mean a slower enumeration.

The recommended use of the module is to execute a combination of the Standard Record enumeration and the SRV enumeration so as to get a feel of all the domains found. Also testing each NS server that is found thru port scanning for the domain names found thru other methods of enumeration. The module will default to the SOA Server of the DNS name for the domain specified, to override this method and have it test against a specific DNS Name Server set the NS option value to the IP of the DNS server to test against.

The first enumeration is what I call a Standard Record Lookup where the module queries:

· SOA Start of Authority Record

· NS Name Server Records

· MX Mail Exchange Records

· TXT Text Record

From this query we can determine the Main name server for the zone, all other domain name servers, mail servers and with the TXT record the main thing to look for is the SPF1 record, it is used to specify what IP addresses are allowed to send emails on behalf of the domain.

Another lookup to execute is a check for all common SRV or service records, this returns the service type, the port, priority and A or AAA record for the service. Microsoft Active Directory and many Unified Communications solutions use these services.

The module is set by default to perform these queries plus try a Zone Transfer against all NS record returned by the SOA server. Zone Transfer enumeration is when one takes advantage of a miss configuration of the registered Name Servers for a given domain where they are set to share their zone file to anyone who request this information, typically NS servers are set to only share their zones with servers that form part of their infrastructure or probably with a service provider. These transfers are run thru TCP port 53. The module is set to first enumerate the SOA or start of authority of the domain we want to target and query it for list of NS servers it knows of and then goes one by one of this NS servers testing if they would send the entire zone for the given domain. The reason for why each NS server is tested even if one of them returns an answer is that the NS servers might not all be synchronizing with each other and we might get different records from each of the NS servers that are open to this technique, typically some servers are set for testing or staging while others run the production

environment. One thing to keep in mind about this test is that all IPS/IDS systems out there have rules to detect this method of enumeration, but it is one that if successful will give the largest amount of information with the least effort. Lets use google.com as a sample target domain:


msf auxiliary(dns_enum) > set DOMAIN google.com
DOMAIN => google.com
msf auxiliary(dns_enum) > run

[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Retrieving General DNS Records
[*] Domain: google.com IP Address: 74.125.53.100 Record: A
[*] Domain: google.com IP Address: 74.125.45.100 Record: A
[*] Domain: google.com IP Address: 74.125.67.100 Record: A
[*] Start of Authority: ns1.google.com. IP Address: 216.239.32.10 Record: SOA
[*] Name Server: ns3.google.com. IP Address: 216.239.36.10 Record: NS
[*] Name Server: ns2.google.com. IP Address: 216.239.34.10 Record: NS
[*] Name Server: ns1.google.com. IP Address: 216.239.32.10 Record: NS
[*] Name Server: ns4.google.com. IP Address: 216.239.38.10 Record: NS
[*] Name: google.com.s9b2.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9b1.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9a2.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9a1.psmtp.com. Preference: 10 Record: MX
[*] Text: v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all , TXT
[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Performing Zone Transfer against all nameservers in gmail.com
[*] Testing Nameserver: ns2.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns3.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns4.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns1.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Enumerating SRV Records for google.com
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server2.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server4.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server.l.google.com. Port: 5269 Priority: 5
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server3.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server1.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server3.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server1.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server.l.google.com. Port: 5269 Priority: 5
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server4.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server2.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk2.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk3.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk4.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk1.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk.l.google.com. Port: 5222 Priority: 5
[*] Auxiliary module execution completed


In this example we can see the Name Servers, Mail Servers and other standard records, as it can be seen the sfp records gives us the ip ranges for the mails servers, this ranges can later be examined by doing reverse lookups against them. Also on the SRV enumeration we can see all the jabber servers, their priority and ports, all of this very important information during a pentest when enumerating a target. Zone Transfer failed against all NS servers returned by our query. If examining a domain several of the ns servers enumerated do return the zone compare the results to make sure that one of those NS servers is not an orphan server not being updated or a possible test server.

The next method of enumeration is the Reverse Lookup, a typical DNS query where a name is resolved to an IP is known ad a Forward Lookup a reverse is just the opposite where we query is made for an IP and we get the FQDN (Fully Qualified Domain Name) for the IP, this method of enumeration tends to go un noticed by administrators and IPS/IDS systems. All hosts found thru this method must be verified since there might be old entries for none existing hosts and many times their name tends to give and idea of their purpose. Lets use PGP Corp. as an example, in the TXT record we see the spf1 entry with the ranges for host approved to send emails, lets enumerate on of this ranges:


[*] Setting DNS Server to pgp.com NS: 216.112.104.3
[*] Retrieving General DNS Records
[*] Domain: pgp.com IP Address: 209.237.226.39 Record: A
[*] Start of Authority: ns1.pgp.com. IP Address: 216.112.104.3 Record: SOA
[*] Name Server: ns1.pgp.com. IP Address: 216.112.104.3 Record: NS
[*] Name Server: ns2.pgp.com. IP Address: 216.112.104.4 Record: NS
[*] Name Server: ns3.pgp.com. IP Address: 209.237.226.43 Record: NS
[*] Name: mx1.pgp.com. Preference: 10 Record: MX
[*] Name: mx2.pgp.com. Preference: 20 Record: MX
[*] Text: v=spf1 ip4:216.112.104.0/23 ip4:216.112.105.0/24 ip4:66.236.113.0/24 ip4:209.237.226.32/27 ip4:80.154.106.8 ?all , TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) >


Know we choose the first IP range:


msf auxiliary(dns_enum) > set ENUM_AXFR false
ENUM_AXFR => false
msf auxiliary(dns_enum) > set ENUM_SRV false
ENUM_SRV => false
msf auxiliary(dns_enum) > set ENUM_STD false
ENUM_STD => false
msf auxiliary(dns_enum) > set ENUM_RVL true
ENUM_RVL => true
msf auxiliary(dns_enum) > set IPRANGE 216.112.105.0/24
IPRANGE => 216.112.105.0/24
msf auxiliary(dns_enum) > run
[*] Setting DNS Server to pgp.com NS: 216.112.104.3
[*] Running Reverse Lookup against ip range 216.112.105.0-216.112.105.255
[*] Host Name: keys.testgeo.com. IP Address: 216.112.105.70
[*] Host Name: mail-out.pgp.com. IP Address: 216.112.105.68
[*] Host Name: gilda.pgp.com. IP Address: 216.112.105.67
[*] Host Name: gabriel.pgp.com. IP Address: 216.112.105.66
[*] Host Name: 216-112-105-64.pgp.com. IP Address: 216.112.105.64
[*] Host Name: mail-in.testgeo.com. IP Address: 216.112.105.69
[*] Host Name: chair-it.pgp.com. IP Address: 216.112.105.65
[*] Host Name: 216-112-105-71.pgp.com. IP Address: 216.112.105.71
[*] Host Name: dom01.mobile1.pgp.com. IP Address: 216.112.105.79
[*] Host Name: domeng.exchange.pgpeng.com. IP Address: 216.112.105.78
................
[*] Host Name: jrmobile.pgp.com. IP Address: 216.112.105.237
[*] Host Name: 216-112-105-238.pgp.com. IP Address: 216.112.105.238
[*] Host Name: cluster3.pgp.com. IP Address: 216.112.105.243
[*] Host Name: cluster1.pgp.com. IP Address: 216.112.105.241
[*] Host Name: cluster0.pgp.com. IP Address: 216.112.105.240
[*] Host Name: 216-112-105-239.pgp.com. IP Address: 216.112.105.239
[*] Host Name: cluster2.pgp.com. IP Address: 216.112.105.242
[*] Host Name: bletchley.pgp.com. IP Address: 216.112.105.244
[*] Host Name: mallen.pgp.com. IP Address: 216.112.105.245
[*] Host Name: mallenlaptop.pgp.com. IP Address: 216.112.105.246
[*] Host Name: mallenovid.pgp.com. IP Address: 216.112.105.247
[*] Host Name: 216-112-105-248.pgp.com. IP Address: 216.112.105.248
[*] Host Name: oakheaven.pgp.com. IP Address: 216.112.105.250
[*] Host Name: 216-112-105-253.pgp.com. IP Address: 216.112.105.253
[*] Host Name: 216-112-105-252.pgp.com. IP Address: 216.112.105.252
[*] Host Name: oak.pgp.com. IP Address: 216.112.105.249
[*] Host Name: pron.pgp.com. IP Address: 216.112.105.251
[*] Host Name: bubs.pgp.com. IP Address: 216.112.105.254
[*] Host Name: 216-112-105-255.pgp.com. IP Address: 216.112.105.255
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) >


The output was abbreviated, new domain names that must be tested appeared and many of the host names give idea of their purpose and naming scheme. This is one of the mail reasons that even when a zone transfer is successful other enumeration methods must be executed so as to be able to detect this other domains that might have escaped the initial enumeration.

Another method of enumerations the brute force enumeration where a dictionary file is use to try to identify host or subdomains for a given domain. A wordlist is used for this, the success of this method is dependant on the wordlist used, some main points for a good wordlist are:


  • Words should follow the naming scheme of the target domain of one is found.
  • All words must have valid DNS name charectes

The use of a password list is not recommended. A simple one is included with Metasploit and configured by default. Lets execute one against google.com:


msf auxiliary(dns_enum) > set ENUM_BRT true
ENUM_BRT => true
msf auxiliary(dns_enum) > set ENUM_STD false
ENUM_STD => false
msf auxiliary(dns_enum) > run

[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Host Name: academico.google.com IP Address: 74.125.47.105
[*] Host Name: academico.google.com IP Address: 74.125.47.103
[*] Host Name: academico.google.com IP Address: 74.125.47.106
[*] Host Name: academico.google.com IP Address: 74.125.47.147
[*] Host Name: academico.google.com IP Address: 74.125.47.99
[*] Host Name: academico.google.com IP Address: 74.125.47.104
[*] Host Name: ads.google.com IP Address: 74.125.159.112
[*] Host Name: alerts.google.com IP Address: 74.125.159.100
[*] Host Name: alerts.google.com IP Address: 74.125.159.101
[*] Host Name: alerts.google.com IP Address: 74.125.159.113
[*] Host Name: alerts.google.com IP Address: 74.125.159.102
[*] Host Name: alerts.google.com IP Address: 74.125.159.139
[*] Host Name: alerts.google.com IP Address: 74.125.159.138
[*] Host Name: ap.google.com IP Address: 74.125.47.105
[*] Host Name: ap.google.com IP Address: 74.125.47.103
[*] Host Name: ap.google.com IP Address: 74.125.47.104
[*] Host Name: ap.google.com IP Address: 74.125.47.106
[*] Host Name: ap.google.com IP Address: 74.125.47.147
[*] Host Name: ap.google.com IP Address: 74.125.47.99
[*] Host Name: apps.google.com IP Address: 74.125.159.101
[*] Host Name: apps.google.com IP Address: 74.125.159.139
[*] Host Name: apps.google.com IP Address: 74.125.159.113
[*] Host Name: apps.google.com IP Address: 74.125.159.138
[*] Host Name: apps.google.com IP Address: 74.125.159.100
[*] Host Name: apps.google.com IP Address: 74.125.159.102
[*] Host Name: asia.google.com IP Address: 66.249.89.103
[*] Host Name: asia.google.com IP Address: 66.249.89.99
[*] Host Name: asia.google.com IP Address: 66.249.89.147
[*] Host Name: asia.google.com IP Address: 66.249.89.104
[*] Host Name: blog.google.com IP Address: 74.125.47.191
[*] Host Name: calendar.google.com IP Address: 74.125.159.102
[*] Host Name: calendar.google.com IP Address: 74.125.159.113
[*] Host Name: calendar.google.com IP Address: 74.125.159.101
[*] Host Name: calendar.google.com IP Address: 74.125.159.139
[*] Host Name: calendar.google.com IP Address: 74.125.159.138
[*] Host Name: calendar.google.com IP Address: 74.125.159.100
[*] Host Name: catalog.google.com IP Address: 74.125.159.102
[*] Host Name: catalog.google.com IP Address: 74.125.159.113
..................................
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) >


One thing to remember is that depending on the size of the dictionary and the number of threads the time for performing this type of enumeration will vary.

Another type of DNS enumeration is TLD or Top Level Domain expansion where we look for other DNS registrations for our targets domain. There are 2 types of TLD the Country Code TLD or ccTLD to reflect a country and the gTLD the General TLD like for organization (org), information (info) and like wise, many company have servers deployed in different countries to provide faster service to users there and many times the updates and maintenance of this services are staged and done in a gradual process allowing for the possibility of finding vulnerable systems. One must take great care since the scope might limit one country and the understanding of the laws of that country must be understood before embarking on attacking this remote systems. The manner in the module works is that it will strip the TLD of the domain name and replace it with the most common one, many times companies and other DNS registrars have another level that they add that varies from registrar by registrar so a bit of Google enumeration might be needed to further enumerate any of them that might have been missed by the module. Here is a sample of doing a TLD Expansion against HP:


msf auxiliary(dns_enum) > set DOMAIN hp.co
DOMAIN => hp.co
msf auxiliary(dns_enum) > run

[*] Performing Top Level Domain Expansion
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.140 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.21 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.22 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.138 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.139 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.2.21 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.21 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.22 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.23 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.24 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.21 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.22 Record: A
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.139 Record: A
[*] Domain: hp.ag Name: hp.ag. IP Address: 217.26.48.101 Record: A
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.21 Record: A
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.22 Record: A
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.138 Record: A
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.139 Record: A
[*] Domain: hp.az Name: hp.az. IP Address: 15.200.2.21 Record: A
[*] Domain: hp.az Name: hp.az. IP Address: 15.200.30.21 Record: A
.............................
[*] Auxiliary module execution completed


This has been a short introduction to DNS enumeration and what type of information can be gathered from this service.

Reader Comments (3)

you might find this tool useful for auto finding DNS servers (by subnets):
http://sites.google.com/site/dnslocator/
March 30, 2010 | Unregistered CommenterCISO
what if someone wants to expand a whole TLD to find out all the domains registered with it, like all the domains under the 'az' or 'fi' TLD?
would this module help with that ? and if not ... what could be a possible way of going about it ?
August 23, 2010 | Unregistered CommenterHassun Mujeeb
There is no easy way to do this other than leveraging search engines that I know of
August 29, 2010 | Registered CommenterCarlos Perez

PostPost a New Comment

Enter your information below to add a new comment.
Author Email (optional):
Author URL (optional):
Post:
 
All HTML will be escaped. Hyperlinks will be created for URLs automatically.