12 minutes

Video Transcription

Hello, everyone, and welcome back to Breaking Stuff with Joe. I, as always, am your host, Joe Perry. You can call me a cybersecurity researcher, an exploit developer, a vulnerability analyst, a nerd, whatever you want. But right now you can also call me the Director of Research here at Cybrary. In today's video we're going to be talking about a really interesting tool called dnsmap.

And we've got a couple of objectives we're going to go through. The first is understanding what dnsmap is, how it works, and how to use it. The second, and I think maybe even more important, is understanding why dnsmap is a valuable red teaming tool, and why DNS information can be valuable even if you can't modify, even if you can't affect, the records: why it's important both to find insecure DNS and to secure your own DNS. So hopefully you're going to learn a lot in this video. You're going to come to understand why exactly dnsmap deserves a spot on Breaking Stuff with Joe.
So, in order to understand why dnsmap is such a valuable tool, and how we can use it properly, we have to start by understanding exactly what the point of mapping DNS actually is. Now I know that I said this was the second objective, but we're going to talk about it first because it's going to kind of provide credence and understanding to the first objective.

What we need to understand is that when you create a website, for example site.com, there's actually a lot more to it than just that one page. Even if that page is dynamic and does a lot of the hard work, there's going to be a lot more to our site than just that one page. And so when we start performing DNS mapping, what we might find is that there's this whole mess of other subdomains that are attached to that site, and it's really important to understand these and what they are, because some of these can actually expose and endanger your website. So you can see here we have mail, RSS, VPN, admin, dev, marketing, calendar, login, repo and dont-delete. Now all of those are valuable and interesting for some reason or another, but there are three that I want to call out specifically, because they're three that I see very often and three that are absolutely catastrophic to be found by a security tester, or even worse, by an actual hacker going after a website.

The first we'll look at here is dev.site.com, and the reason why this is a particularly bad page to expose to your users is that this might include pre-launch capabilities. You might be using dev.site.com to actually perform a beta test of some new feature, some function you want to add to your website that may not be ready for public launch yet, and now anyone has access to that. They might be able to tear it apart. They might be able to steal it. They might be able to break it to pieces. They might be able to do all sorts of things that compromise the integrity of your website by using something that you did not intend to be accessible yet. And I mentioned there they might be able to steal it. That's an incredibly huge danger when you're talking about putting your dev pages web-facing, having them findable by this sort of tool, because what you're talking about is someone's unsecured intellectual property, being able to steal that before maybe it's even been copyrighted, before it's been given the correct protections. It's entirely possible, and I've seen it happen, that people put up their dev site with IP that's not been properly protected or secured. And while you can certainly go back and sue to take control of IP that you know was stolen from you, that process can be incredibly challenging and can involve a lot more cost than the cost of just making sure that your site is secured in the first place. And, of course, just generally insecure implementations, as I referenced when we were talking about pre-launch capabilities. You might have a tool or something that exists on your dev page that exposes admin access, exposes cookies, that isn't intended to be seen by robots or anything searching your site, but is possibly accessible by using this sort of DNS mapping tool. And so when you're doing that, it's really essential that you make sure you're not going to be seen by that tool, because they might find something that doesn't work or isn't properly secured.
The next one I want to look at is repo.site.com. Now, repo, for those of you who aren't programmers, aren't in DevOps or whatever, you know, particular industry term is being used for your shop. The short version is, if you don't build stuff for the website, you may not know what repo is, but essentially the code repo is just a place where source code or tools or help documents or READMEs for your site are being stored. A lot of times it's just a GitHub front end. But what's really dangerous here is, like I said, there could be source code exposed on this. You know, that may be important for people to be able to access from home, to be able to work with. But having that repo available, and particularly having it available with that particular name, is incredibly dangerous. If you have a website that automatically pushes the site every now and then, this is an easy way to take the whole thing down. If you have a website that has a poor implementation of encryption standards, people can find that by examining your source code and can inflict serious damage to not only the availability or the integrity but the very confidentiality of your website. So it's absolutely essential that you protect something like this.

And then, of course, dont-delete.site.com. Now I find things like that all the time, where I find shouldnt-see-this-in-production.site.com or, you know, if-you-see-this-its-bad. Anything like that. Any of those sort of colloquial, friendly, sort of joking names are just a goldmine for a security professional, be they the good guy or the bad guy. Because what a website named like this tells us is that this is not something that is intended to be exposed. It has no branding, no marketing. You haven't had to sit through 15 meetings with your SEO people. Just absolute insecure garbage is facing the Internet, and for people who are looking for ways into your website, people who are looking for back doors (you didn't see that, but I did air quotes), this is the sort of thing they're actually looking for: these pages that were never, ever intended to see the light of day, that are being used for testing some functionality, that are being used just to throw some garbage up for somebody else to get access to real quick. Anything like this, if it faces the Internet, is extremely dangerous. And you can see here I specify unsecured login, less secure: you might be using some garbage hash because you're not implementing it, because you don't think this touches the Internet yet. You might be just allowing admin access through this page. I've seen many times that a page I wander into just has admin access open. I have portals, I have control, and I can do pretty much whatever I want to the site from that page.

So those are all the different possibilities that can happen all by just getting information about your domain names. I don't even need to know what kind of server it's running on. I don't need to know what your back end is. I don't need any fancy Docker escapes or VM tricks. All I need to do is say, oh hey, look at this RSS server you have running that's, you know, 10 years old, that you haven't updated since then, or like this dont-delete page, or look at any of these pages that are potentially dangerous that you are unwittingly exposing to the Internet. So hopefully I have demonstrated to you why it is dangerous to have DNS exposed, why having these DNS pages easily visible is dangerous, and why it's valuable to do a DNS map, why it's valuable to see what all of the available subdomains are for a given website.
So with that, we're going to go ahead and jump into our VM and see how dnsmap actually works.

So you may notice a slight difference in this VM compared to the other ones that I have used in previous Breaking Stuff videos. Normally I work out of an Ubuntu VM, and today we're going to be in my Kali machine. There are a couple of reasons for that. The first is that dnsmap, unlike sort of IDA or GDB or WinDbg, isn't really one of those tools that you're going to use in a ton of disciplines. It's a pretty red-team-focused tool, and it's pretty heavily oriented to red teaming and security efforts. The second is that it comes preinstalled on Kali, which is always nice; it's one of the tools built in. And the third, which is sort of related to that, is that actually on Cybrary we're in the process right now of putting up a Kali sandbox lab, where you'll be able to try out this and all of the Breaking Stuff with Joe video tools, which is fantastic, because most of our tools for the next couple of months are going to be from Kali, because Kali is one of the great aggregators of security tools. So we're working on bringing that up. It may be up at the time of launch for this video; it may not. If it is, it will be in a link right below this video. If not, don't worry, we'll keep you updated, and it'll be up very, very soon. So those are the reasons we're working in Kali. Now let's work in Kali. As I mentioned, dnsmap comes preinstalled, which is absolutely fantastic.

And if we just run the command by itself we'll get the help menu, which you can see here is a pretty trivial list of options, which is great news. A lot of these security tools we work with have just an incredible amount of configuration built into them, which isn't a bad thing, but it can be kind of a difficult thing to run through when we're talking about, you know, a 10 to 15 to 30 minute course. So the first option we want to look at, that I think is pretty fascinating, is this wordlist file. The reason why I think it's fascinating is because dnsmap isn't actually exploiting anything. It's not really performing any attacks. You're not breaking into any systems. All you're doing is you're taking your list of domains, subdomains, and you're testing to see if they're valid. You're not breaking into some system, not pulling any real hacker stuff. You're just looking down this iterative list of, okay, these are all of the potential domains that I think might exist; let's see which ones exist, and then from there, which ones are valuable. So below that, you've got your regular results file and your CSV results file.

I have actually found that, depending on the version of this, for some reason it runs into errors outputting the files, so if you're trying to output, it's probably easier just to pipe it directly into a file. But it's not a huge deal one way or the other. Delay in milliseconds is important if you're targeting either a system that has good security in place, or just a system that maybe can't stand a huge amount of traffic to it very quickly. This is just going to set a delay between requests so that you're not spamming, you know, with a million requests a second or anything like that. This is something that's important both from a perspective of getting around security countermeasures (you know, there are a lot of sites that are built in such a way that you can only make, say, 16 requests a second or something like that; this is a great way of getting around that) and, additionally, as I mentioned, when you're pen testing, a lot of times you're going to be pen testing against relatively small targets, people who don't have a ton of bandwidth, and when you start sending these huge piles of requests through, it's actually entirely possible that you might overload what they're able to handle, which, while denial of service is always a valid attack vector, is kind of a rough move to do against a small organization that's asking you to check their security. So delay in milliseconds is a valuable option that's worth looking at. The last one is IPs to ignore. This is just, if you had IPs that, you know, either are no longer interesting or valid for some reason, or are giving you useless results, you can just choose to ignore those IPs. And I do have a wordlist installed, or downloaded, already. I pulled this off GitHub; it's just 10,000 common subdomains. You can go with fewer, you can go with more. Generally speaking, 10,000 is going to be a pretty good number in terms of subdomains; you'll probably find everything you're looking for, but obviously it's possibly not perfectly exhaustive.
So we've got dnsmap. Well, wrong command. Clear. There we go. We've got dnsmap, we understand what its options are. Now we're going to just get a quick demonstration of what it looks like to run, and running it is just about as simple as any tool you're ever going to find on Kali. You're going to invoke the tool, you're going to give it a site name, the target. We're going to use Google for two reasons. One, I am confident that Google's security is such that we won't actually be exposing any dangerous functionality, which means we're not going to cause any security problems, and more importantly, I'm not going to get sued. And two, Google is a pretty large website. We can send a lot of requests to it without getting in any trouble or without causing them any trouble. So, dnsmap, Google, and then we're going to give it -w and give it our subdomain list. We're just going to run this for a couple of seconds and get a look at just how many responses we get, how quickly.

You can see here we've got some mail servers. We have blog, news, support, mobile, calendar. You can see there's a ton of functionality being exposed very, very quickly. Now again, because this is Google, and they're a particularly secure website, all of the things we're looking at here are things that you would expect to see if you just typed it in. Some might be new to you, you might not be familiar with them, but generally speaking, these are all going to be sites that were intended to be exposed. But if we were targeting a smaller site, then we would totally have the option here, the possibility, that we saw some dev page or some personal, you know, something that was not intended to be exposed to the Internet.

So that's actually going to wrap it up, everybody. I know this was a pretty short video; that's totally okay. It's a pretty small tool with a very specialized use. Hopefully you found it valuable. Hopefully the idea of DNS mapping makes a little bit more sense, and you understand it sort of from both an offensive and a defensive perspective. And hopefully you feel a little bit more comfortable with tools like dnsmap for the future. Thank you, as always, for watching. I really appreciate all of the people who come out and check out our videos. Cybrary is a wonderful crowd-sourced effort. Most of the videos on the site are made by people like you who are hoping to learn about cybersecurity. So if you're one of those people and you want to teach, if you have something you think is valuable for the community to know, by all means reach out to us and we will find a way to get you up on the site.

So thank you all for watching. As always, you've been watching Breaking Stuff with Joe, with me, your host, Joe Perry, and I'll see you back on Cybrary On Demand.
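The wordlist-driven check the video walks through (try each candidate label under a domain, honor a delay between requests, drop ignored IPs, write CSV, and then single out names like dev, repo and dont-delete), as an added Python example for auditing a zone you own. This is not dnsmap's code or Cybrary's. It goes one step beyond the video by probing for wildcard DNS first, because a `*.domain` record makes every wordlist entry "resolve" and is the usual reason the ignore-IPs option is needed. The zone `site.example`, its 203.0.113.x addresses and the wordlist are constructed for offline use; `system_resolver` is the only function that performs real lookups, and `RISKY_LABELS` is an assumed list, not one dnsmap ships.

```python
"""dnsmap-style subdomain enumerator (added example; not dnsmap's or Cybrary's code).
Mirrors the options the video covers: wordlist, delay between requests,
IPs to ignore and CSV output. The resolver is injectable so the logic runs
offline against a constructed zone; system_resolver is the only network call."""
import csv
import io
import socket
import time
import uuid
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

# A resolver maps a hostname to the IPs it resolves to ([] when it does not exist).
Resolver = Callable[[str], List[str]]
Found = List[Tuple[str, List[str]]]

# Labels the video calls out as "never meant to face the Internet" (assumed list).
RISKY_LABELS = ("dev", "repo", "dont-delete", "admin", "staging", "test")

# Constructed zone for offline use; 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "www.site.example": ["203.0.113.10"],
    "mail.site.example": ["203.0.113.25"],
    "dev.site.example": ["203.0.113.50"],
    "repo.site.example": ["203.0.113.51"],
    "dont-delete.site.example": ["203.0.113.52"],
}
# Constructed wordlist, including the blank and comment lines a real file often has.
SAMPLE_WORDLIST = ["www", "mail", "dev", "repo", "dont-delete", "nothing", "# comment", ""]


def system_resolver(hostname: str) -> List[str]:
    """Resolve through the OS resolver; the only network call in this file."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def make_zone_resolver(zone: Dict[str, List[str]], wildcard_ip: Optional[str] = None) -> Resolver:
    """Offline resolver over a constructed zone. With wildcard_ip set, every
    unknown name answers with that IP, the way a '*.site.example' record would."""
    def resolve(hostname: str) -> List[str]:
        if hostname in zone:
            return list(zone[hostname])
        return [wildcard_ip] if wildcard_ip else []
    return resolve


def detect_wildcard(domain: str, resolver: Resolver, probes: int = 2) -> Set[str]:
    """Resolve random labels nobody would have created; any IP they return is a
    wildcard answer, and passing it as ignore_ips keeps it out of the results."""
    hits: Set[str] = set()
    for _ in range(probes):
        hits.update(resolver(f"{uuid.uuid4().hex[:16]}.{domain}"))
    return hits


def enumerate_subdomains(domain: str, wordlist: Sequence[str], resolver: Resolver = system_resolver,
                         delay_ms: int = 0, ignore_ips: Sequence[str] = ()) -> Found:
    """Try each wordlist entry as a label under domain and keep the ones that resolve."""
    ignore = set(ignore_ips)
    found: Found = []
    for raw in wordlist:
        label = raw.strip().lower()
        if not label or label.startswith("#"):
            continue
        fqdn = f"{label}.{domain}"
        ips = [ip for ip in resolver(fqdn) if ip not in ignore]
        if ips:
            found.append((fqdn, ips))
        if delay_ms:
            time.sleep(delay_ms / 1000.0)  # pace requests so a small target is not swamped
    return found


def flag_risky(found: Found, risky_labels: Sequence[str] = RISKY_LABELS) -> List[str]:
    """Names whose first label suggests a page that was never meant to be public."""
    return [fqdn for fqdn, _ in found if fqdn.split(".", 1)[0] in risky_labels]


def to_csv(found: Found) -> str:
    """Render results as CSV text (redirect it to a file, as the video suggests)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["hostname", "ips"])
    for fqdn, ips in found:
        writer.writerow([fqdn, " ".join(ips)])
    return buf.getvalue()


def audit_sample(wildcard: bool = False) -> Found:
    """Run the whole procedure offline against the constructed zone."""
    resolver = make_zone_resolver(SAMPLE_ZONE, "203.0.113.99" if wildcard else None)
    ignore = detect_wildcard("site.example", resolver)
    return enumerate_subdomains("site.example", SAMPLE_WORDLIST, resolver=resolver, ignore_ips=ignore)


if __name__ == "__main__":
    results = audit_sample(wildcard=True)
    print(to_csv(results), end="")
    print("risky:", ", ".join(flag_risky(results)))
```

To run it against a zone you administer, pass `system_resolver` (the default) and a real wordlist, and set `delay_ms` for the same reason the video gives for dnsmap's delay option: a small authoritative server does not need thousands of queries a second from its own audit. The wildcard probe is what keeps the "nothing" entry out of the constructed wildcard run while the five real names still come back with their own addresses.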

How to Use DNSMap (BSWJ)

dnsmap is a reconnaissance and evaluation tool used to identify all subdomains of a given domain. It allows an attacker to find potentially insecure and poorly implemented pages attached to a given site.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc