DNS reconnaissance is part of the information gathering stage of a penetration test engagement. When performing DNS reconnaissance, a penetration tester is trying to obtain as much information as possible about the DNS servers and their records. The information gathered can disclose the network infrastructure of the company without alerting the IDS/IPS, because most organizations do not monitor their DNS server traffic, and those that do only monitor zone transfer attempts.
DNSRecon is a tool developed by Carlos Perez and designed to perform DNS reconnaissance. It is included in Kali Linux and is written in Python.
This script provides the ability to perform:
In order to perform standard DNS enumeration with the DNSRecon we have to use the following syntax:
./dnsrecon.py -d <domain>
A DNS zone transfer can be used to expose network topology. Specifically, when a user performs a zone transfer, he sends a DNS query that lists all DNS information for the zone: name servers, host names, MX and CNAME records, the zone serial number, Time to Live values, etc. Depending on the size and the type of a network, this can present a significant security problem. The sheer amount of information that can be obtained through a DNS zone transfer is staggering. DNS zone transfers are nowadays usually turned off by default and I would be surprised if you find one. Nevertheless, DNSRecon provides the ability to perform zone transfers with either of the commands
./dnsrecon.py -d <domain> -a
./dnsrecon.py -d <domain> -t axfr
DNSRecon can perform a reverse lookup for PTR (Pointer) records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration use:
./dnsrecon.py -r <startIP-endIP>
Also, a reverse lookup can be performed against all ranges in SPF records with the command
./dnsrecon.py -d <domain> -s
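The two reverse-lookup modes above (-r over an address range, -s over the ranges declared in SPF records) boil down to turning addresses into PTR query names and, for -s, first pulling the ip4:/ip6: mechanisms out of the SPF TXT record. The following is an added example, not code from the original post or from the dnsrecon project, that shows both steps using only the Python standard library; the SPF record and address ranges it uses are constructed from RFC 5737 / RFC 3849 documentation space, and the live resolver call is kept separate so the pure functions can be checked offline.

```python
"""Added example: the lookups behind dnsrecon's -r and -s switches, stdlib only."""
import ipaddress
import socket


def ptr_names(start, end):
    """Reverse-pointer (PTR) query names for every address from start to end
    inclusive. Works for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) ranges."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version or first > last:
        raise ValueError("range must be a single address family with start <= end")
    return [ipaddress.ip_address(n).reverse_pointer
            for n in range(int(first), int(last) + 1)]


def spf_networks(spf_txt):
    """Networks declared by ip4:/ip6: mechanisms in an SPF TXT record.
    include:, a, mx and redirect= are left alone; they need further lookups."""
    nets = []
    for token in spf_txt.split():
        mech = token.lstrip("+-~?")  # SPF qualifiers do not change the address
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets


def spf_ptr_names(spf_txt, max_hosts=4096):
    """PTR query names for every host in the SPF ranges, skipping any network
    larger than max_hosts (an IPv6 /32 cannot be walked address by address)."""
    names = []
    for net in spf_networks(spf_txt):
        if net.num_addresses > max_hosts:
            continue
        names.extend(ip.reverse_pointer for ip in net)
    return names


def resolve_ptr(ip):
    """One reverse lookup through the system resolver; None when no PTR exists.
    Not exercised offline: it needs network access."""
    try:
        return socket.gethostbyaddr(str(ip))[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed SPF record (documentation ranges only) used for the demonstration.
CONSTRUCTED_SPF = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 "
                   "ip6:2001:db8::/32 include:_spf.example.net -all")

if __name__ == "__main__":
    print(ptr_names("192.0.2.1", "192.0.2.3"))
    print([str(n) for n in spf_networks(CONSTRUCTED_SPF)])
    print(len(spf_ptr_names(CONSTRUCTED_SPF)), "PTR names to query")
```

The cap in spf_ptr_names matters in practice: an SPF record that lists a large provider's IPv6 block would otherwise generate billions of queries, and a reverse sweep of that size is also exactly the kind of traffic a defender should expect to see in the server's query log.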
For domain name brute-forcing, all we have to do is supply a name list; DNSRecon will try to resolve the A, AAAA and CNAME records against the domain by trying each entry one by one. To run the Domain Name Brute-Force we need to type:
./dnsrecon.py -d <domain> -D <namelist> -t brt
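The opening paragraph notes that most organizations watch for zone transfer attempts at best, while the brute-force and reverse-lookup modes above are just as visible in a name server's query log. The following is an added example, not part of the original post or the dnsrecon project, showing how a defender can spot all three from BIND-style query log lines: AXFR/IXFR requests, one client asking for many distinct names under the zone, and one client sweeping PTR names. The log lines are constructed in the shape of BIND's "queries" log category and the thresholds are arbitrary assumptions to tune per environment.

```python
"""Added example: flag DNS enumeration (zone transfer, name brute-force,
reverse sweep) in BIND-style query log lines. Stdlib only."""
import re
from collections import defaultdict

# Matches the core of a BIND query log entry; the optional "@0x..." token
# covers newer BIND releases that log the client object address.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \(\S*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (source_ip, qname, qtype) for every line that looks like a query."""
    events = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            events.append((m["src"], m["name"].lower().rstrip("."), m["qtype"].upper()))
    return events


def find_enumeration(lines, zone, name_threshold=20, ptr_threshold=20):
    """Return sorted (source_ip, finding, detail) tuples for:
    - any AXFR/IXFR request (zone-transfer-attempt),
    - a client querying >= name_threshold distinct names under zone (name-bruteforce),
    - a client querying >= ptr_threshold distinct PTR names (reverse-sweep)."""
    zone = zone.lower().rstrip(".")
    names_by_src = defaultdict(set)
    ptrs_by_src = defaultdict(set)
    findings = []
    for src, name, qtype in parse_query_log(lines):
        if qtype in ("AXFR", "IXFR"):
            findings.append((src, "zone-transfer-attempt", name))
        if name.endswith((".in-addr.arpa", ".ip6.arpa")):
            ptrs_by_src[src].add(name)
        elif name == zone or name.endswith("." + zone):
            names_by_src[src].add(name)
    for src, seen in names_by_src.items():
        if len(seen) >= name_threshold:
            findings.append((src, "name-bruteforce", str(len(seen))))
    for src, seen in ptrs_by_src.items():
        if len(seen) >= ptr_threshold:
            findings.append((src, "reverse-sweep", str(len(seen))))
    return sorted(findings)


def _line(src, name, qtype):
    """Constructed log line in the shape of a BIND 'queries' category entry."""
    return (f"09-Nov-2023 10:15:03.123 client {src}#51234 ({name}): "
            f"query: {name} IN {qtype} + (192.0.2.53)")


# Constructed sample: two ordinary lookups, one zone transfer request, a
# 25-name brute-force run and a 30-address reverse sweep (documentation ranges).
SAMPLE_LOG = (
    [_line("198.51.100.5", "www.example.com", "A"),
     _line("198.51.100.5", "mail.example.com", "MX"),
     _line("203.0.113.77", "example.com", "AXFR")]
    + [_line("203.0.113.9", f"host{i}.example.com", "A") for i in range(25)]
    + [_line("203.0.113.42", f"{i}.2.0.192.in-addr.arpa", "PTR") for i in range(30)]
)

if __name__ == "__main__":
    for src, finding, detail in find_enumeration(SAMPLE_LOG, "example.com"):
        print(f"{src:15} {finding:22} {detail}")
```

Distinct names rather than raw query counts are what make the brute-force signal useful: a busy legitimate client repeats the same handful of names, while a wordlist run touches hundreds that mostly do not exist.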
DNS cache snooping checks whether the DNS server has a specific DNS record cached. Such a cached record will often reveal plenty of information. However, DNS cache snooping does not succeed very often:
./dnsrecon.py -t snoop -n <server> -D <Dict>
Zone walking may unveil internal records if the zone is not configured properly. The information obtained can help us map network hosts by enumerating the contents of a zone:
./dnsrecon.py -d <host> -t zonewalk
These installation instructions are for Ubuntu 10.10; they should work with little to no modification on previous versions. Install the needed packages (on BackTrack you only need to install git-core):
$ sudo apt-get install libavahi-compat-libdnssd1 git-core
$ sudo apt-get install python-setuptools
Once those packages are installed, we install the supporting Python libraries needed to run the script:
$ sudo easy_install netaddr
$ sudo easy_install dnspython
Navigate to the folder where you want to install the DNSRecon script and run the following command to download the script and its files:
$ git clone git://github.com/darkoperator/dnsrecon.git
To keep the script and associated files updated just navigate into the dnsrecon folder and run:
$ git pull