Security Weekly
Content

DNS Enumeration with Metasploit

One of the old fashion methods of enumeration that I see time and time again give a large amount of information of great use is DNS (Domain Name Server), a large number of systems now a day depend greatly on this service to be able to operate, from IP Telephony, Windows Active Directory, Backup Systems and many other are dependent on this service. This service simplifies configuration of many services and for this same reason is one of the first areas to look at when gathering information of a target network. At the beginning this service used to be just hosts file that where shared by the system administrators of the systems connected to the internet, now a days we have a much more robust system. System administrators are required to not only know the basics but also understand this system since so much is tied to it, especially since this service easies so much the administration of large IP networks by abstraction of the addressing layer simplifying configurations, resiliency and flexibility of today’s networks. There are 2 main ways I see this system configured in most of companies.

In the first configuration the client has one DNS system only for external requests and only external servers to the enterprise are registered and an internal system for Active Directory. In the second configuration the client uses the same DNS system for both internal and external use.

The first type of configuration keeps both the internal naming structure and the external naming structure separate does providing some security thru obscurity when the attacker is doing the enumeration from the outside of the network. Many times on small to medium sized companies there only have what it is called a Forward Lookup Zone, this is when you simply give a name and you get back an IP, on some you might find what it is called Wildcard Name Resolution, this is nothing more that the DNS server you are querying if it does not have a specific record for that name will return a pre-defined address, this makes enumeration thru brute force more time consuming since false positives must be cleared and check. The accuracy of the results of DNS enumeration varies a lot depending on the Name Server being queried. A target network may have different domain name spaces that they employ and prior enumeration thru metadata, email headers and other methods reveal this domain names so as to be able to enumerate and take advantage of this service. Also a UDP and TCP portscan with fingerprinting is also a very good idea so as to find any NS server that might be part of a test system or internal exposed DNS server.

For DNS enumeration I wrote Metasploit Module to aide in enumeration of targets, the module is called dns_enum. Below you will be able to see how the module can be loaded and list its options inside msfconsole:

msf > use auxiliary/gather/dns_enum 
msf auxiliary(dns_enum) > info

       Name: DNS Enumeration Module
    Version: $Rev: 7500

License: Metasploit Framework License (BSD)

ided by:
rlos Perez <[email protected]>

c options:
me         Current Setting                                 Required  Description
--         ---------------                                 --------  -----------
MAIN                                                       yes       The target domain name
UM_AXFR    true                                            yes       Initiate a zone Transfer against each NS record
UM_BRT     false                                           yes       Brute force subdomains and hostnames via wordlist
UM_RVL     false                                           yes       Reverse lookup a range of IP addresses
UM_SRV     true                                            yes       Enumerate the most common SRV records
UM_STD     true                                            yes       Enumerate standard record types (A,MX,NS,TXT and SOA)
UM_TLD     false                                           yes       Perform a top-level domain expansion by replacing TLD and testing against IANA TLD list
RANGE                                                      no        The target address range or CIDR identifier
                                                           no        Specify the nameserver to use for queries, otherwise use the system DNS
OP_WLDCRD  false                                           yes       Stops Brute Force Enumeration if wildcard resolution is detected
RDLIST     /Users/cperez/msf3/data/wordlists/namelist.txt  no        Wordlist file for domain name brute force.

ription:
is module can be used to enumerate various types of information 
out a domain from a specific DNS server.

rences:
tp://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0532

As it can be seen in the options there are several ways one can enumerate a targeted domain, the methods are:

• Zone Transfer

• Hostname and Subdomain Dictionary Brute Force

• Reverse Lookup

• Service Record

• Standard Record Query

•Top Lever Domain Name Expansion

The module will print the results to the screen and if a database is configured in Metasploit it will save the results in the database, when using the module I highly recommend the use of MySQL or Postgres as the database to be used to save the results since this module uses multi-threading and might cause locks if using SQLite as the database, if you still choose SQLite for portability and simple management I recommend that the advanced option of THREADS to 1, this will mean a slower enumeration.

The recommended use of the module is to execute a combination of the Standard Record enumeration and the SRV enumeration so as to get a feel of all the domains found. Also testing each NS server that is found thru port scanning for the domain names found thru other methods of enumeration. The module will default to the SOA Server of the DNS name for the domain specified, to override this method and have it test against a specific DNS Name Server set the NS option value to the IP of the DNS server to test against.

The first enumeration is what I call a Standard Record Lookup where the module queries:

· SOA Start of Authority Record

· NS Name Server Records

· MX Mail Exchange Records

· TXT Text Record

From this query we can determine the Main name server for the zone, all other domain name servers, mail servers and with the TXT record the main thing to look for is the SPF1 record, it is used to specify what IP addresses are allowed to send emails on behalf of the domain.

Another lookup to execute is a check for all common SRV or service records, this returns the service type, the port, priority and A or AAA record for the service. Microsoft Active Directory and many Unified Communications solutions use these services.

The module is set by default to perform these queries plus try a Zone Transfer against all NS record returned by the SOA server. Zone Transfer enumeration is when one takes advantage of a miss configuration of the registered Name Servers for a given domain where they are set to share their zone file to anyone who request this information, typically NS servers are set to only share their zones with servers that form part of their infrastructure or probably with a service provider. These transfers are run thru TCP port 53. The module is set to first enumerate the SOA or start of authority of the domain we want to target and query it for list of NS servers it knows of and then goes one by one of this NS servers testing if they would send the entire zone for the given domain. The reason for why each NS server is tested even if one of them returns an answer is that the NS servers might not all be synchronizing with each other and we might get different records from each of the NS servers that are open to this technique, typically some servers are set for testing or staging while others run the production

environment. One thing to keep in mind about this test is that all IPS/IDS systems out there have rules to detect this method of enumeration, but it is one that if successful will give the largest amount of information with the least effort. Lets use google.com as a sample target domain:

msf auxiliary(dns_enum) > set DOMAIN google.com
DOMAIN => google.com
msf auxiliary(dns_enum) > run

[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Retrieving General DNS Records
[*] Domain: google.com IP Address: 74.125.53.100 Record: A 
[*] Domain: google.com IP Address: 74.125.45.100 Record: A 
[*] Domain: google.com IP Address: 74.125.67.100 Record: A 
[*] Start of Authority: ns1.google.com. IP Address: 216.239.32.10 Record: SOA
[*] Name Server: ns3.google.com. IP Address: 216.239.36.10 Record: NS
[*] Name Server: ns2.google.com. IP Address: 216.239.34.10 Record: NS
[*] Name Server: ns1.google.com. IP Address: 216.239.32.10 Record: NS
[*] Name Server: ns4.google.com. IP Address: 216.239.38.10 Record: NS
[*] Name: google.com.s9b2.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9b1.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9a2.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9a1.psmtp.com. Preference: 10 Record: MX
[*] Text: v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all , TXT
[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Performing Zone Transfer against all nameservers in gmail.com
[*] Testing Nameserver: ns2.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns3.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns4.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns1.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Enumerating SRV Records for google.com
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server2.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server4.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server.l.google.com. Port: 5269 Priority: 5
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server3.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server1.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server3.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server1.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server.l.google.com. Port: 5269 Priority: 5
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server4.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server2.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk2.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk3.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk4.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk1.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk.l.google.com. Port: 5222 Priority: 5
[*] Auxiliary module execution completed

In this example we can see the Name Servers, Mail Servers and other standard records, as it can be seen the sfp records gives us the ip ranges for the mails servers, this ranges can later be examined by doing reverse lookups against them. Also on the SRV enumeration we can see all the jabber servers, their priority and ports, all of this very important information during a pentest when enumerating a target. Zone Transfer failed against all NS servers returned by our query. If examining a domain several of the ns servers enumerated do return the zone compare the results to make sure that one of those NS servers is not an orphan server not being updated or a possible test server.

The next method of enumeration is the Reverse Lookup, a typical DNS query where a name is resolved to an IP is known ad a Forward Lookup a reverse is just the opposite where we query is made for an IP and we get the FQDN (Fully Qualified Domain Name) for the IP, this method of enumeration tends to go un noticed by administrators and IPS/IDS systems. All hosts found thru this method must be verified since there might be old entries for none existing hosts and many times their name tends to give and idea of their purpose. Lets use PGP Corp. as an example, in the TXT record we see the spf1 entry with the ranges for host approved to send emails, lets enumerate on of this ranges:

[*] Setting DNS Server to pgp.com NS: 216.112.104.3
[*] Retrieving General DNS Records
[*] Domain: pgp.com IP Address: 209.237.226.39 Record: A 
[*] Start of Authority: ns1.pgp.com. IP Address: 216.112.104.3 Record: SOA
[*] Name Server: ns1.pgp.com. IP Address: 216.112.104.3 Record: NS
[*] Name Server: ns2.pgp.com. IP Address: 216.112.104.4 Record: NS
[*] Name Server: ns3.pgp.com. IP Address: 209.237.226.43 Record: NS
[*] Name: mx1.pgp.com. Preference: 10 Record: MX
[*] Name: mx2.pgp.com. Preference: 20 Record: MX
[*] Text: v=spf1 ip4:216.112.104.0/23 ip4:216.112.105.0/24 ip4:66.236.113.0/24 ip4:209.237.226.32/27 ip4:80.154.106.8 ?all , TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) >

Know we choose the first IP range:

msf auxiliary(dns_enum) > set ENUM_AXFR false
ENUM_AXFR => false
msf auxiliary(dns_enum) > set ENUM_SRV false
ENUM_SRV => false
msf auxiliary(dns_enum) > set ENUM_STD false
ENUM_STD => false
msf auxiliary(dns_enum) > set ENUM_RVL true
ENUM_RVL => true
msf auxiliary(dns_enum) > set IPRANGE 216.112.105.0/24 
IPRANGE => 216.112.105.0/24
msf auxiliary(dns_enum) > run
[*] Setting DNS Server to pgp.com NS: 216.112.104.3
[*] Running Reverse Lookup against ip range 216.112.105.0-216.112.105.255
[*] Host Name: keys.testgeo.com. IP Address: 216.112.105.70
[*] Host Name: mail-out.pgp.com. IP Address: 216.112.105.68
[*] Host Name: gilda.pgp.com. IP Address: 216.112.105.67
[*] Host Name: gabriel.pgp.com. IP Address: 216.112.105.66
[*] Host Name: 216-112-105-64.pgp.com. IP Address: 216.112.105.64
[*] Host Name: mail-in.testgeo.com. IP Address: 216.112.105.69
[*] Host Name: chair-it.pgp.com. IP Address: 216.112.105.65
[*] Host Name: 216-112-105-71.pgp.com. IP Address: 216.112.105.71
[*] Host Name: dom01.mobile1.pgp.com. IP Address: 216.112.105.79
[*] Host Name: domeng.exchange.pgpeng.com. IP Address: 216.112.105.78
................
[*] Host Name: jrmobile.pgp.com. IP Address: 216.112.105.237
[*] Host Name: 216-112-105-238.pgp.com. IP Address: 216.112.105.238
[*] Host Name: cluster3.pgp.com. IP Address: 216.112.105.243
[*] Host Name: cluster1.pgp.com. IP Address: 216.112.105.241
[*] Host Name: cluster0.pgp.com. IP Address: 216.112.105.240
[*] Host Name: 216-112-105-239.pgp.com. IP Address: 216.112.105.239
[*] Host Name: cluster2.pgp.com. IP Address: 216.112.105.242
[*] Host Name: bletchley.pgp.com. IP Address: 216.112.105.244
[*] Host Name: mallen.pgp.com. IP Address: 216.112.105.245
[*] Host Name: mallenlaptop.pgp.com. IP Address: 216.112.105.246
[*] Host Name: mallenovid.pgp.com. IP Address: 216.112.105.247
[*] Host Name: 216-112-105-248.pgp.com. IP Address: 216.112.105.248
[*] Host Name: oakheaven.pgp.com. IP Address: 216.112.105.250
[*] Host Name: 216-112-105-253.pgp.com. IP Address: 216.112.105.253
[*] Host Name: 216-112-105-252.pgp.com. IP Address: 216.112.105.252
[*] Host Name: oak.pgp.com. IP Address: 216.112.105.249
[*] Host Name: pron.pgp.com. IP Address: 216.112.105.251
[*] Host Name: bubs.pgp.com. IP Address: 216.112.105.254
[*] Host Name: 216-112-105-255.pgp.com. IP Address: 216.112.105.255
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) >

The output was abbreviated, new domain names that must be tested appeared and many of the host names give idea of their purpose and naming scheme. This is one of the mail reasons that even when a zone transfer is successful other enumeration methods must be executed so as to be able to detect this other domains that might have escaped the initial enumeration.

Another method of enumerations the brute force enumeration where a dictionary file is use to try to identify host or subdomains for a given domain. A wordlist is used for this, the success of this method is dependant on the wordlist used, some main points for a good wordlist are:

  • Words should follow the naming scheme of the target domain of one is found.
  • All words must have valid DNS name charectes

The use of a password list is not recommended. A simple one is included with Metasploit and configured by default. Lets execute one against google.com:

msf auxiliary(dns_enum) > set ENUM_BRT true
ENUM_BRT => true
msf auxiliary(dns_enum) > set ENUM_STD false
ENUM_STD => false
msf auxiliary(dns_enum) > run

[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Host Name: academico.google.com IP Address: 74.125.47.105
[*] Host Name: academico.google.com IP Address: 74.125.47.103
[*] Host Name: academico.google.com IP Address: 74.125.47.106
[*] Host Name: academico.google.com IP Address: 74.125.47.147
[*] Host Name: academico.google.com IP Address: 74.125.47.99
[*] Host Name: academico.google.com IP Address: 74.125.47.104
[*] Host Name: ads.google.com IP Address: 74.125.159.112
[*] Host Name: alerts.google.com IP Address: 74.125.159.100
[*] Host Name: alerts.google.com IP Address: 74.125.159.101
[*] Host Name: alerts.google.com IP Address: 74.125.159.113
[*] Host Name: alerts.google.com IP Address: 74.125.159.102
[*] Host Name: alerts.google.com IP Address: 74.125.159.139
[*] Host Name: alerts.google.com IP Address: 74.125.159.138
[*] Host Name: ap.google.com IP Address: 74.125.47.105
[*] Host Name: ap.google.com IP Address: 74.125.47.103
[*] Host Name: ap.google.com IP Address: 74.125.47.104
[*] Host Name: ap.google.com IP Address: 74.125.47.106
[*] Host Name: ap.google.com IP Address: 74.125.47.147
[*] Host Name: ap.google.com IP Address: 74.125.47.99
[*] Host Name: apps.google.com IP Address: 74.125.159.101
[*] Host Name: apps.google.com IP Address: 74.125.159.139
[*] Host Name: apps.google.com IP Address: 74.125.159.113
[*] Host Name: apps.google.com IP Address: 74.125.159.138
[*] Host Name: apps.google.com IP Address: 74.125.159.100
[*] Host Name: apps.google.com IP Address: 74.125.159.102
[*] Host Name: asia.google.com IP Address: 66.249.89.103
[*] Host Name: asia.google.com IP Address: 66.249.89.99
[*] Host Name: asia.google.com IP Address: 66.249.89.147
[*] Host Name: asia.google.com IP Address: 66.249.89.104
[*] Host Name: blog.google.com IP Address: 74.125.47.191
[*] Host Name: calendar.google.com IP Address: 74.125.159.102
[*] Host Name: calendar.google.com IP Address: 74.125.159.113
[*] Host Name: calendar.google.com IP Address: 74.125.159.101
[*] Host Name: calendar.google.com IP Address: 74.125.159.139
[*] Host Name: calendar.google.com IP Address: 74.125.159.138
[*] Host Name: calendar.google.com IP Address: 74.125.159.100
[*] Host Name: catalog.google.com IP Address: 74.125.159.102
[*] Host Name: catalog.google.com IP Address: 74.125.159.113
..................................
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) >

One thing to remember is that depending on the size of the dictionary and the number of threads the time for performing this type of enumeration will vary.

Another type of DNS enumeration is TLD or Top Level Domain expansion where we look for other DNS registrations for our targets domain. There are 2 types of TLD the Country Code TLD or ccTLD to reflect a country and the gTLD the General TLD like for organization (org), information (info) and like wise, many company have servers deployed in different countries to provide faster service to users there and many times the updates and maintenance of this services are staged and done in a gradual process allowing for the possibility of finding vulnerable systems. One must take great care since the scope might limit one country and the understanding of the laws of that country must be understood before embarking on attacking this remote systems. The manner in the module works is that it will strip the TLD of the domain name and replace it with the most common one, many times companies and other DNS registrars have another level that they add that varies from registrar by registrar so a bit of Google enumeration might be needed to further enumerate any of them that might have been missed by the module. Here is a sample of doing a TLD Expansion against HP:

msf auxiliary(dns_enum) > set DOMAIN hp.co
DOMAIN => hp.co
msf auxiliary(dns_enum) > run

[*] Performing Top Level Domain Expansion
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.140 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.22 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.138 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.139 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.2.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.22 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.23 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.24 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.22 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.139 Record: A 
[*] Domain: hp.ag Name: hp.ag. IP Address: 217.26.48.101 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.21 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.22 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.138 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.139 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.200.2.21 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.200.30.21 Record: A 
.............................
[*] Auxiliary module execution completed

This has been a short introduction to DNS enumeration and what type of information can be gathered from this service.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.