DNS
Enumeration
sudo nmap -sVC -p 53 -Pn IP
DNS Zone Transfer
If a DNS server is misconfigured, anyone can ask it for a copy of its zone information. We can abuse this to learn more about a target's DNS namespace.
Dig AXFR Zone Transfer
Dump the entire DNS namespace from a vulnerable DNS server
dig AXFR @ns.domain.com domain.com
Fierce
fierce --domain zonetransfer.me
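To see what an open zone transfer actually gives away, here is an added example (not from the original notes) that parses dig's AXFR text output and reports the record mix, the hostnames, any RFC1918 addresses, wildcard entries, and CNAMEs pointing outside the zone. The zone data and the domain example.test are constructed for this example; the TEST-NET addresses 203.0.113.x stand in for public IPs.

```python
# Added example: audit what a zone transfer dump exposes.
# Input is the text that `dig AXFR @ns domain` prints; the sample below is
# constructed (example.test does not exist, 203.0.113.0/24 is TEST-NET-3).
import ipaddress
from collections import Counter

# Checked explicitly rather than via ip_address().is_private, because that
# flag is also True for the TEST-NET documentation ranges used here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> AXFR @ns1.example.test example.test
;; global options: +cmd
example.test.           3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400
example.test.           3600  IN  NS     ns1.example.test.
ns1.example.test.       3600  IN  A      203.0.113.10
www.example.test.       300   IN  A      203.0.113.20
intranet.example.test.  300   IN  A      10.10.5.20
vpn.example.test.       300   IN  A      192.168.1.1
*.example.test.         300   IN  A      203.0.113.20
status.example.test.    300   IN  CNAME  status-page.hostedvendor.test.
example.test.           300   IN  MX     10 mail.example.test.
example.test.           3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400
;; Query time: 12 msec
"""


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples from dig AXFR output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig banner and status lines
        fields = line.split(None, 4)  # name ttl class type rdata (rdata keeps its spaces)
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = fields
        records.append((name, int(ttl), rtype, rdata))
    return records


def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def audit_zone(records, zone):
    """Summarise what the transfer leaks: record mix, hostnames, internal
    addresses, wildcard names and CNAMEs whose target lies outside the zone."""
    zone = zone.rstrip(".") + "."
    report = {
        "record_types": Counter(r[2] for r in records),
        "hosts": sorted({r[0] for r in records if r[2] in ("A", "AAAA", "CNAME")}),
        "private_ips": [],
        "wildcards": [],
        "external_cnames": [],
    }
    for name, _ttl, rtype, rdata in records:
        if rtype == "A" and is_rfc1918(rdata):
            report["private_ips"].append((name, rdata))
        if name.startswith("*."):
            report["wildcards"].append(name)
        if rtype == "CNAME" and rdata != zone and not rdata.endswith("." + zone):
            report["external_cnames"].append((name, rdata))
    return report


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    rep = audit_zone(recs, "example.test")
    print(f"{len(recs)} records; types: {dict(rep['record_types'])}")
    for name, ip in rep["private_ips"]:
        print(f"internal address exposed: {name} -> {ip}")
    for name, target in rep["external_cnames"]:
        print(f"CNAME leaves the zone, confirm the target is still yours: {name} -> {target}")
```

Run the real `dig AXFR` output of your own zone through `parse_axfr` to get the same report; the internal addresses and out-of-zone CNAME targets are the items most worth fixing or re-checking.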
Domain Takeovers & Subdomain Enumeration
Domain takeover means registering a non-existent domain name in order to gain control over another domain. If we find an expired domain, we can claim it to perform attacks such as hosting malicious content or sending phishing emails.
Finding Subdomains
./subfinder -d domain.com -v
git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
cd subbrute
echo "IP" > ./resolvers.txt
./subbrute domain -s ./names.txt -r ./resolvers.txt
Local DNS Cache Poisoning
We can use Ettercap or Bettercap.
To exploit the DNS cache with Ettercap we edit the /etc/ettercap/etter.dns
file to map the target domain to our IP, like below:
cat /etc/ettercap/etter.dns
domain.com A 10.10.xx.x
*.domain.com A 10.10.xx.x
We can now start Ettercap and scan for live hosts:
Hosts -> Scan for Hosts
Once the scan finishes, we add the target IP to Target1
and the default gateway to Target2.

We then activate dns_spoof
from Plugins -> Manage Plugins.
This sends the target machine spoofed DNS responses that resolve the domain to the IP we set in etter.dns.
If successful, the victim is diverted to our fake page when they try to visit the domain.
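From the defender's side, the dns_spoof attack above leaves a distinctive trace: DNS answers that arrive from a host other than the configured resolver, and public names resolving to a LAN address. The following added example (not part of the original notes) runs those checks over a constructed log of observed DNS answers. The log line layout, the resolver address 192.0.2.53, the domain domain.test and the reference answers are all assumptions made for this example; a real deployment would feed it from a DNS sensor and take the reference answers from an out-of-band lookup.

```python
# Added example: flag DNS answers that look like LAN-side spoofing.
# Everything below (log format, addresses, names) is constructed for the
# example; 203.0.113.x and 198.51.100.x are TEST-NET documentation ranges.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The resolver clients on this LAN are supposed to receive answers from.
TRUSTED_RESOLVERS = {"192.0.2.53"}
# Zones whose names should never resolve to an internal address.
MONITORED_ZONES = ("domain.test.",)
# Answers obtained out of band (e.g. from the authoritative server) to compare against.
REFERENCE = {
    "www.domain.test.": {"203.0.113.20"},
    "login.domain.test.": {"203.0.113.21"},
}

# Constructed sensor log: timestamp, responder -> client, qtype, qname, answer.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.53 -> 10.10.20.5 A www.domain.test. 203.0.113.20
2024-05-01T10:00:03Z 192.0.2.53 -> 10.10.20.5 A login.domain.test. 203.0.113.21
2024-05-01T10:02:10Z 10.10.20.99 -> 10.10.20.5 A www.domain.test. 10.10.20.99
2024-05-01T10:02:11Z 10.10.20.99 -> 10.10.20.5 A login.domain.test. 10.10.20.99
2024-05-01T10:05:00Z 192.0.2.53 -> 10.10.20.7 A www.domain.test. 203.0.113.20
2024-05-01T10:06:30Z 192.0.2.53 -> 10.10.20.8 A login.domain.test. 198.51.100.9
"""


def parse_dns_log(text):
    """Turn the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[2] != "->":
            continue
        ts, responder, _, client, qtype, qname, answer = parts
        events.append({"ts": ts, "responder": responder, "client": client,
                       "qtype": qtype, "qname": qname, "answer": answer})
    return events


def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def detect_spoofing(events, trusted_resolvers, reference, monitored_zones):
    """Return one alert per suspicious answer, listing every rule it tripped."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["responder"] not in trusted_resolvers:
            reasons.append("answer from untrusted responder")
        monitored = ev["qname"].endswith(monitored_zones)
        if monitored and ev["qtype"] == "A" and is_rfc1918(ev["answer"]):
            reasons.append("public name resolved to an RFC1918 address")
        expected = reference.get(ev["qname"])
        if expected is not None and ev["answer"] not in expected:
            reasons.append("answer disagrees with reference resolution")
        if reasons:
            alerts.append({"ts": ev["ts"], "qname": ev["qname"], "answer": ev["answer"],
                           "responder": ev["responder"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_spoofing(parse_dns_log(SAMPLE_LOG), TRUSTED_RESOLVERS, REFERENCE, MONITORED_ZONES):
        print(f"{a['ts']} {a['qname']} -> {a['answer']} from {a['responder']}: {'; '.join(a['reasons'])}")
```

The two answers coming from 10.10.20.99 trip all three rules, which is the dns_spoof signature; the last line trips only the reference-mismatch rule, which is what a poisoned upstream resolver looks like when the LAN itself is clean. Keeping the rules separate tells the analyst which of the two situations they are looking at.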