Penetrating "Secure" Websites By Increasing Attack Vectors - Part II: DNS Enumeration

Prerequisites: 

This is part two of the tutorial series. If you have not yet read part one, use the following link:
SOLDIERX.COM Tutorials -> Penetrating "Secure" Websites By Increasing Attack Vectors - Part I

// Introduction

Part one was an introduction to information gathering and network mapping. As this is the follow-up, part two, I will discuss additional techniques to increase awareness of available attack vectors. As there are many techniques, I will only briefly cover DNS enumeration in this particular tutorial. If you are already familiar with it, you may have no interest in reading beyond this line. Otherwise, enjoy.

// DNS Enumeration

Brute-Force Subdomains and Hostnames - Prepend candidate labels from a wordlist to the target domain and check whether each resulting name resolves to the IP address of our intended target. Watch out for wildcard resolution when automating this technique: a zone with a wildcard record answers for every label, so random probe names should be resolved first and any result that merely matches the wildcard answer discarded.
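The wildcard caveat in code, as an added example that is not from the original tutorial: a small Python brute-forcer that resolves random labels first and discards answers that only match the wildcard, so an inventory of a domain's exposed hostnames (your own, when reviewing attack surface) does not fill up with false positives. The resolver is injected; here it is a constructed in-memory zone using the page's placeholder domain shadow.net, and for real lookups you would wrap dnspython or the system resolver.

```python
import secrets
import string
from typing import Callable, Dict, Iterable, Set

# A resolver is any callable mapping a hostname to the set of A-record addresses
# it returns (empty set for NXDOMAIN); injected so the logic runs offline.
Resolver = Callable[[str], Set[str]]

def random_label(length: int = 12) -> str:
    """A random lowercase label that is vanishingly unlikely to be a real host."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Return the addresses a wildcard record answers with, or an empty set.
    A zone with *.domain resolves any label, so several random labels all
    resolving to the same addresses is strong evidence of a wildcard."""
    seen = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    if all(seen) and all(s == seen[0] for s in seen):
        return set(seen[0])
    return set()

def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Resolve each candidate label, dropping answers explained by a wildcard.
    Limitation: a real host that shares the wildcard address is dropped too;
    such hosts need virtual-host probing, which plain DNS enumeration cannot do."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for label in wordlist:
        host = f"{label}.{domain}"
        addrs = resolve(host)
        if addrs and not (wildcard and addrs <= wildcard):
            found[host] = set(addrs)
    return found

# Constructed sample zone (not real infrastructure): shadow.net is the page's
# placeholder domain; a wildcard catches every label not listed explicitly.
SAMPLE_ZONE = {"www.shadow.net": {"192.0.2.10"}, "mail.shadow.net": {"192.0.2.25"}}
WILDCARD_ADDRS = {"192.0.2.99"}

def fake_resolve(name: str) -> Set[str]:
    if name in SAMPLE_ZONE:
        return set(SAMPLE_ZONE[name])
    if name.endswith(".shadow.net"):
        return set(WILDCARD_ADDRS)
    return set()

if __name__ == "__main__":
    print(brute_force("shadow.net", ["www", "mail", "dev", "vpn"], fake_resolve))
```

Without the wildcard check, "dev" and "vpn" would be reported as live hosts at 192.0.2.99.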

Reverse DNS Lookup/Resolution (rDNS) - Determine the domain names associated with the IP address of our target via a PTR query for the reversed address in the in-addr.arpa zone (ARPA: Address and Routing Parameter Area).

Name Server (NS) Record Lookup - Retrieve the authoritative name servers of our target. On *nix based operating systems there is a tool named "nslookup" used for exactly this; enter "set type=NS" before the domain name to ask for NS records, otherwise nslookup returns the address record, which is what the session below shows. Example:

user@host:~$ nslookup
> shadow.net

Server: 111.222.333.444
Address: 111.222.333.444#53

Non-authoritative answer:
Name: shadow.net
Address: 111.222.333.444

Mail Exchange (MX) Record Lookup - Stored as part of a domain's DNS records; the sending mail server looks up the MX record to learn the hostname of the recipient domain's delivery server, then resolves that hostname to the IP address it delivers to.

DNS AXFR Zone Transfer - If the name server hosting the target's zone accepts zone transfers from arbitrary clients (a misconfiguration; transfers should be restricted to the zone's secondary servers by address or TSIG key), a single AXFR query returns every record in the zone. The request must be sent to an authoritative server for the zone, since a recursive resolver will refuse it. Example:

user@host:~$ dig @<authoritative-name-server> shadow.net axfr

// DNS Enumeration Software and Services

In this section, I'd like to cover some of the tools and web-based services currently available that are capable of acquiring information through DNS enumeration.

MSF Auxiliary DNS Enumeration Module - For those familiar with MSF (Metasploit Framework), there is a very handy auxiliary module called "DNS Enumeration." From the MSF console, use the following command to load the module:

msf > use auxiliary/gather/dns_enum

Hostmap - Hostmap is the "automatic hostnames and virtual hosts discovery tools" which incorporates not only DNS enumeration but also a number of additional techniques that have not been covered in this tutorial. As far as I am aware at this time, the official website for hostmap is located at http://hostmap.lonerunners.net. A typical scan would be run with the following command:

user@host:~$ ruby hostmap.rb -t 111.222.333.444

// The End

Look for part three of this tutorial series as it will cover techniques that were not so much as mentioned in this tutorial.