DNS — Port 53 — Pentesting

 

Basic info

DNS (Domain Name System) is a critical protocol that acts as the internet’s directory. It translates human-readable domain names like example.com into IP addresses, allowing browsers to connect to web services. Due to its essential role in internet functionality, DNS servers are common attack targets.

Default port: 53

PORT STATE SERVICE REASON
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
5353/udp open zeroconf udp-response
53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)

For full article click here

Photo by ε‘晨 on Unsplash

Key DNS Concepts

  • DNS Root Servers: The highest level in the DNS hierarchy, maintaining top-level domain information.
  • Authoritative Nameservers: Provide definitive answers about domain zones they manage.
  • Caching DNS Servers: Temporarily store DNS query results to improve performance.
  • Forwarding Servers: Forward DNS queries to another server for resolution.

Config files

host.conf
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*

Attack workflow

1. Reconnaissance and Enumeration

  • Banner Grabbing: Identify DNS version and services running on port 53.

2. DNS Zone Transfer Attack

  • Zone Transfer (AXFR): If DNS misconfigurations allow zone transfers, attackers can obtain sensitive domain records.

3. DNS Subdomain Bruteforcing

  • Bruteforce Subdomains: Use wordlists to identify valid subdomains via DNS queries.

4. Reverse DNS Lookup

  • Reverse DNS Lookup: Query PTR records to map IP addresses back to domain names.

5. DNS ANY Query

  • ANY Query: Query the DNS server for all available records it is willing to disclose.

6. DNSSEC Exploitation

  • DNSSEC Enumeration: Identify DNSSEC configurations and attempt exploitation or abuse.

7. DNS Amplification Attack (DDoS Simulation)

  • DNS Recursion Check: If recursion is enabled, the server may allow amplification attacks.

8. Active Directory DNS Service Enumeration

  • Service Enumeration: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog.

9. IPv6 DNS Bruteforcing

  • IPv6 DNS Bruteforce: Target AAAA records to uncover subdomains with IPv6 addresses.

10. Exploit Misconfigured Mail Servers

  • Mail Nondelivery Exploitation: Use misconfigured DNS for email servers to gather internal network information.

Penetration Testing Techniques for DNS

Banner Grabbing

Banner grabbing for DNS may involve querying for version information or other metadata that a DNS server discloses. A classic way to gather this is by querying the version.bind using DNS CHAOS requests or nmap scripts.

dig version.bind CHAOS TXT @<DNS_SERVER_IP>

nmap -sV - script dns-nsid <DNS_SERVER_IP>

fpdns <DNS_SERVER_IP>

Zone Transfer

DNS zone transfer (AXFR) can leak entire domain zone information, including subdomains, services, and IP addresses. It’s often a result of misconfigured DNS servers.

dig axfr @<DNS_SERVER_IP> <DOMAIN>

fierce - domain <DOMAIN> - dns-servers <DNS_SERVER_IP>

dnsrecon -t axfr -d <DOMAIN> -n <DNS_SERVER_IP>

ANY Query Enumeration

Using an ANY query, testers can attempt to retrieve all records a DNS server is willing to share.

dig ANY <DOMAIN> @<DNS_SERVER_IP>

dnsenum - dnsserver <DNS_SERVER_IP> - enum -p 0 -s 0 -o output.txt <DOMAIN>

dnsrecon -d <DOMAIN> -t any -n <DNS_SERVER_IP>

Subdomain Brute-Forcing

Subdomain brute-forcing is an effective technique to uncover hidden services or subdomains associated with a target domain.

dnsenum - dnsserver <DNS_SERVER_IP> -f subdomains.txt <DOMAIN>

dnscan -d <DOMAIN> -w subdomains.txt -r

dnsrecon -D subdomains.txt -d <DOMAIN> -n <DNS_SERVER_IP>

Reverse DNS Enumeration

Reverse DNS lookups allow attackers to map IP ranges to associated domain names, potentially exposing internal or less public-facing resources.

dnsrecon -r <IP_RANGE> -n <DNS_SERVER_IP>

reverse-scan -i <IP_RANGE> -d <DNS_SERVER_IP>

dig -x <IP_ADDRESS> @<DNS_SERVER_IP>

DNSSEC Vulnerability Scanning

DNSSEC is designed to provide an additional layer of security, but vulnerabilities can still exist in misconfigured setups. You can exploit DNSSEC records for potential DDoS or data exfiltration attacks.

nmap -p 53 - script dns-nsec-enum - script-args dns-nsec-enum.domains=<DOMAIN> <DNS_SERVER_IP>

dig DNSKEY <DOMAIN> @<DNS_SERVER_IP>

DNS Recursion Testing

DNS recursion allows DNS servers to query other DNS servers on behalf of a client. If improperly configured, this can be exploited for DNS amplification attacks.

dig google.com A @<DNS_SERVER_IP>

nmap - script dns-recursion <DNS_SERVER_IP>

nslookup
> SERVER <DNS_SERVER_IP>
> google.com

Mail Server Enumeration via DNS

Misconfigured DNS records often leak internal infrastructure information. By querying for mail exchange (MX) or service (SRV) records, you can learn about target email servers.

dig MX <DOMAIN> @<DNS_SERVER_IP>
dig SRV _ldap._tcp.<DOMAIN> @<DNS_SERVER_IP>

nslookup
> server <DNS_SERVER_IP>
> set type=MX
> <DOMAIN>

nmap - script dns-srv-enum - script-args dns-srv-enum.domain=<DOMAIN> <DNS_SERVER_IP>

Active Directory DNS Service Enumeration

Enumerate DNS services related to Active Directory for additional attack vectors. Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog.

# Dig for AD services
dig -t _gc._tcp.lab.domain.com
dig -t _ldap._tcp.lab.domain.com
dig -t _kerberos._tcp.lab.domain.com

# Nslookup AD services
nslookup
> set type=srv
> _kerberos._tcp.<DOMAIN>

IPv6 DNS Bruteforce

dnsdict6 -t <DOMAIN>

dnsrevenum6 <DNS_SERVER_IP> <IPV6_RANGE>

Essential Collection: 20+ Hacking and Pentesting E-Books Bundle

Embark on a comprehensive learning journey with our Essential Collection: 20+ Hacking and Pentesting Books Bundle! This…

buymeacoffee.com

Comments

Post a Comment