4.2 DNS Enumeration

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

14 hours 43 minutes
Video Transcription
Hello, everybody. And welcome to the episode number 12 off the RCP cores, the NS and admiration.
My name is Alejandro Ginna, and I'll be your instructor for today's session.
Learning operatives of the session is to understand some D. N s in admiration techniques and understand the most common Thean s and admiration tools.
Well, let's get down to business.
Ah, the admiration is the process of locating all the servers on their corresponding records off. You know, for an organization being said that this is not a passive information gathering technique anymore, this is actually considered inactive information gathering tunic. So, uh,
if you don't have the permissions of the victim or, you know, a server that you will be doing this executed disc amends,
you shouldn't do it. I mean, um,
as this is an active, passive information. I'm sorry, enacting information gathering technique. This means that you will be facing, you know, kind of a face to face modality against the server. You will actually be getting information That is not supposed to be now.
I mean, I know that the hackers around the world don't care about this. They actually as we speak, even if you actually work in a business that has a name for itself? I do believe that the hackers are actually executed. Disc amends Signature, sir, Against your server. But if you know we're the good guys and wear the white hat Hackers,
so you should get for the permission off the server owner to do this. I mean, maybe even if you work, I mean, if you already work in a business, this doesn't give you the permissions to do that. I mean, you should go to ask them and tell them if they actually give you permission to do that. You know, maybe you're part
off our red team or you're actually and penetration tester.
Maybe we're good to go with their business. But, you know, in other inning other scenarios, you should first consult with your boss and, you know, maybe you're CEO or whoever runs the business and ask them if they actually give you permission to do that.
Having said that, let's continue with the Dennison Admiration session. Ah, there's an operation will deal. Use range, computer names, our I p addresses. You know, from from a target system the least of the day's record provides or not review off types. You know, records store, You know,
in a domain name system or the name main server.
Uh, invite await. Bien s owns zone transfer. Now that we're at the subject. Dennison strong for I used to replicate in his data across a number of Deanna's asked kind of about a backup. I mean, do you have your primary T and s and your secondary? Dennis?
So that secondary Deanna's will constantly. Well, it depends on the configuration, but let Ze use the word constantly
will constantly be asking for information on new information, old information or, you know, they replicated information from the frame of the N s is called sewn transferred. Now, some Deanna servers by the fall don't have these confident to be secure. I mean, they don't ask for
credentials, they don't check. Actually, if they want that the server request the zones transfer, it's actually someone that he was a bust supposed to be asking for that information, or it's just when.
But if it is a malicious guy operations malicious hacker trying to actually get that information. So if you're actually going to use his own transfer, I would highly recommend you to applied security encryption, if possible. Two factor authentication, you know,
But your security kind of measures in your d n a server. We'll also avoid another attacks. Other attacks like Dennis poisoning, for example. So yeah, putting secure and your d n A server is always a good idea.
But, you know, uh,
let me just show your son commands you can use. For example, the host commanded the host tool. The host command is at the N s look up utility. You confined at P address off a domain name. It also performs reverse lookups finding, you know, the domain name associated to an I p address.
But let's let's start with this really simple man is type post
and put that there
the name server and, well, you know, yield some information, some good information. But what happens if you want to actually find the name servers for that? The main, for example, just have to type dash t and s,
and it will, you know, get the information you want. This is, you know, just in case, because there's options to get all the information. But we are looking for a specific information remember, this is quite know. We see and some the end as well deals. And I'm sorry will complain about this traffic being generated. So
maybe you you want to stay under the greed and
I want to make nice. You can use different options. For example, what happens if you want to find out the canonical names? Well, can Uncle names or C name ab? You know, the record is a type of, uh,
record, which maps Wonder me name were now and then an alias to another. For example, if you have something called my example or my domain that come maybe Dustin alias for something that just just say the main dot coms on flight that I don't know. But you get the idea.
So for daddies have
change from N s to see me. And, you know, at this case doesn't have any canonical name record. But, you know, that's the command you can use to do that.
For example, you can actually also get T X T records, which is just text records as the names just This is just to get to see if there's
kind of a human readable data attach or associate id to the main record you're actually acquiring. So, for example, if I type this, they will tell me that the information is related to the domain. So that's that, for example, of you?
I don't care about being nicey or not. You can
just type
dash a will query all off them off the records or any record associated to this domain. And you can see it's a lot of information.
Okay. Ah, what happens if you actually went to get the time, So leave information T l just have to type
dash B
and you will get some of that information. You know, some information will deal with Gail exceptions and some of them not. So don't worry about it. You will see other commands in these sessions. So
you also you can even tell it to go to an I p V Ford
y p B six protocol just by typing that number.
Another tool? I guess
that's the one I like the most.
Not because that simple to use because, as you can remember, all you have to do is Dusty and the name of the record. That's all but another tool that I like the most is and let's look up, you know, I don't know why, but I've been using that for a long time. And it just it's like that too.
But as you will see, it will it will
show you, or it will get you the same information. So
you know, there's no wrong way with this. So
this this index of this Ennis look up and for example, dash type
I'm sorry
Equals in s and
just the name of the server. Some information don't mean nothing has changed here, for example, another record is the start off authority or eso es. The record defines the beginning off off off the authority the N s ah, son, and specifies the global parameters for this own
so speaking
that can heal some very useful information. So
type, ah, start of authority
and you know
more of the information
can say you help how often refreshed information how, how many, how often every tries south inspires was the minimum. I mean, they can show you some useful information. But what happens, for example, other other, um,
type of records, the mail exchange, you know, male exchanger. But you can also use the hash query non necessarily get dash type
and continue to send information just f y I,
um Yeah, that's that. Those air, the domains other used to exchange email. So there's that and of course, it has the option to get any record you want. And again, there's no difference with when we type Remember. This is when we type
when we use the host command.
And this is when we use the n s look up command. So as you can see, not that different. And if for some reason you actually went to grab this, you can also do that. For example, grab MX, get me all on Lee things The saints. That's a male exchange record. So
there you go. Not that fancy resolved, but you know it gets the job down. That's the point
on. And the final tool that I would like to mention here is a dig, too.
just like that, you can again said simple command separate that common will get some information you can get. For example, you can a Tama sewn transfer
a X far. I will not do that because that's really intrusive, and it's really noisy Isa really knows the approach. I will not do that. But you can do that. I mean, a simple is that And of course, you can get all the wreckers a
We'll get more information. Ah, really change?
Um I don't know.
Example On s
name server and the state of authority, for example. S Oh yeah, you can. You can quit e all of that in a force you can do any
again. Same results, nothing fancy nothing to be worried about it. But remember, they grab a result.
It's calm a little bit, Gleaner, when you used aches so again you will get you this information maybe in a different output. So whatever you wanna use or whatever tool you when I use it all depends on your taste and whatever you know, again,
a more familiar familiarized with Dennis. Look up. But I don't say *** is
is not better or you know his words, that and it's look up. I'm just saying that it's whatever works best for you. And for example, in this case, if you want to actually perform and not so intrusive approach, you can just type short
and we'll give you a limited information. What I do like about Jake is that you can easily upload at least off the mains. And you can actually, just like they were to, for example, route that stop files
Onda Manes. He doesn't exist, but you know
the 60 and it will query all this. Although the mains that included in this file. So maybe you have a long list of the mains?
I don't know. 2050 remains. I don't want to go one by one. You can just do this, execute this command and and
actually performed load all the all the all the remains from that, and that's it.
Other tools are you know, I don't want to show you this video. Is everyone a bit too long to be long? Not necessary. I mean, I don't see the point of showing you that excite. You will get you some information. But, you know, I think that they deserve a mention Eyes, for example, D. N s and
Aah These one tool. The other tool is the n s. Reckon
And, you know,
as you probably know, I'm not so much of a graphic user interface guy because, you know, I have again As you go further into penetration testing career, you will see that most of the time you will end up using the terminal. So
I tried to not get familial familiarise
with graphic user interface because I I get I get is tempted. I'm tempted all the time to go to the easy way and just get, you know, a graphic user interface and just click here and click during and get a really cool result. You know,
that's up to you. I mean, I'm not saying that it is bad. I'm just saying that most of the time you will end up using
the terminal. So if you're not familiarized with the terminal commands, you might and having problems, but they're multi go. Is the application the graphic user interface that it can actually perform
other stuff. But, you know, you can actually perform also the n s enumeration. There's a paid vacation. I mean, yeah, this is pretty embarrassing this refrigeration, but I know I haven't activated any of them, but that it will It will show you a really cool map
off all the information that you just gather
from the from your d n s and admiration it will put you. You will put it in a really cool graphic user interface. But you know, Then again, it's up to you. I just I'm just telling you the my process on penetration, testing and most of the time
I don't. And abusing for Africa user interface tools
to hack is not. And by the way, is not because I didn't I don't want you. You took us most of the time,
As you will see in in this course we do. What you get is a reverse shell from from from the remote,
um, victim. So you don't get I kind of remote desktop, you can able it and connected later. But, you know, most of the time you end up with a river shell, which is all terminal commands.
So that's that.
Okay, uh, both assessment questions
Is this information gathering technique consider passive or active? Well, as I told you at the beginning, it's considered to be active because you're actually interacting with the victim's system. So, yeah, if you again. If you don't have permissions to do that, police don't do it.
I get that hackers around the world don't care about days, and they're actually doing that as I asked to speak.
Ah, but, you know, we the good guys or the white hat hackers will have to get a permission first. From from from from, you know, the business We're trying to help.
Um, so we can implement this technics
What is performed by the command host Dasht E and s. Well, that's kind of the simplest command you can use in from the host
option host tool. Uh, and it will get that the name service is associate ID Teoh domain name. So, yeah, that's that. What is performed by the command *** Dash f. And you know this documents at least a t X T fire where this actually used to, uh, load.
Ah, list of the main names from a text e file or from you know, any other
text file. So you cannot You don't have to go one by one and typing with my wife. And you just have that option to do that in dig.
Ah, it is video. We saw the most common the NS enumeration options to gather information, and we executed some d. N s and admiration tools on commands to see their results. Supplemental materials and the N s enumeration Chichen I mean, you can even search for specific ***. Ditch it
for the tools with, ah, host. And as luck optic another, the incineration told you one.
There's no actually good grade to go here
looking forward in the next video, we'll cover port scanning.
Well, that's it for today, folks, I hope in your d video and talk to you soon.
Up Next
Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By