Information Gathering (part 2) Domain Name Services

Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15
Video Description

This video covers gathering information on Domain Name Services (DNS). A variety of commands are used for this. One of the things you can do is look up a company's servers (the instructor uses Cisco as an example). The video also covers DNS zone transfers, which copy a zone's records between name servers, for example from the primary to a secondary.
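The control the video recommends (zone transfers turned off for everyone except your own secondaries), shown as an added BIND 9 named.conf example that is not part of the course material; the zone name, file path, key name and addresses are placeholders.

```conf
// Added example, not from the course: restrict DNS zone transfers in BIND 9.
// Weak setting, which is what a successful "host -l" test exposes:
//     allow-transfer { any; };    // any client may pull the complete zone
// Hardened setting follows.

key "xfer-key" {                     // TSIG key shared only with the secondaries;
    algorithm hmac-sha256;           // generate one with: tsig-keygen xfer-key
    secret "BASE64_SECRET_PLACEHOLDER";
};

acl "secondaries" {                  // placeholder addresses from RFC 5737 ranges
    192.0.2.53;
    198.51.100.53;
};

options {
    directory "/var/named";
    allow-transfer { none; };        // global default: no zone may be transferred
};

zone "example.com" IN {
    type primary;                    // spelled "master" in BIND releases before 9.16
    file "zones/db.example.com";
    allow-transfer { key "xfer-key"; };   // only TSIG-signed requests succeed;
                                          // use { secondaries; } for IP-only restriction
    also-notify { 192.0.2.53; 198.51.100.53; };
    notify explicit;                 // notify only the listed secondaries
};
```

After a reload, the same `host -l` check the video runs, issued from any host that is not a listed secondary, should be refused, which is the expected result for a correctly configured zone.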

Video Transcription
00:04
All right, so we're gonna start with some open source intelligence gathering. We're not going to directly talk to any of our other virtual machines at this point.
00:12
For this section you are allowed to run these exercises against any domain that you'd like. This part is perfectly legal. All we're really doing is searching
00:23
information that is available publicly on the Internet. So you don't have to just do the same ones I do. Any domain is fine: your domain, your company's domain,
00:35
your worst enemy's, anything you like. But of course, when we do switch back and start talking to our virtual machines again, we will want to keep that within the lab, because we will be actually performing attacks.
00:48
We need to keep that within the lab. But this open source intelligence gathering section, we can
00:54
do against
00:55
any company we like.
00:57
All right, so I'm gonna try a couple different ones. I'm gonna do bulbsecurity.com. That's my company, but it's
01:04
naturally pretty small, so you won't get quite as interesting results as we might
01:11
with some larger organization. So I might switch back and forth, but again, feel free to run these exercises against anyone you like. In fact, it will be much more interesting for you if you do.
01:23
The first thing I want to know is just a little bit of basics about it. I'll do a whois lookup
01:30
on the domains. I'll start with bulbsecurity.com. This is gonna give us information, basically, from the registrar
01:38
of who owns this domain. We may be able to get some interesting information out of this thing; then again, we might not.
01:49
Looks like bulbsecurity.com is
01:55
a GoDaddy domain.
01:57
People told me I should switch it, but I don't really have the time to go through all the trouble right now.
02:04
Um, but it is registered with Domains By Proxy, so basically I pay a little bit extra to hide my information on whois lookup. So you may find that this is true
02:15
with the organizations you work with.
02:16
It just basically shows the proxy's details out here.
02:23
But I actually have another one. I started badly on purpose, because you may find that you can find some interesting information with whois.
02:30
Then I've got my name dot com,
02:37
but the whois lookup for this one is
02:43
a little bit more interesting. Like, we have an email address. That's not my primary email address; it's a dummy email address.
02:50
But this is actually where I used to live. It's not my apartment anymore, but at the time it was, so
02:57
kind of interesting to note here that it even has the apartment number where I lived
03:01
at the time. And that was also my phone number at one point as well. So none of this information is still true. So if you come and try and show up at my door, you will be sorely disappointed. But this is
03:14
an example of what it may look like. If they don't use Domains By Proxy, then information about
03:21
the individual or organization is
03:24
theoretically available here.
03:27
So you may find mine are the same for the admin and the tech, but you may find some phone numbers, even addresses, your location. So if you're going to do any phishing later to try and get people to click on links in emails, or do some cold calling trying to
03:42
get more information, you might be able to find a good place to start here. That was a valid number.
03:46
The email, though I never check it, is still valid.
03:53
There's a little bit there.
03:54
Another thing I might be interested in is DNS names, or domain name service. There's probably a www.bulbsecurity.com, but I wonder, is there, like, maybe a mail.bulbsecurity.com
04:11
or ftp.bulbsecurity.com or any other bulbsecurity.coms?
04:16
So
04:18
that would be the next point I might want to take a look at.
04:26
So there's a few different tools built in for
04:29
DNS lookups.
04:30
There's dig, there's nslookup,
04:34
the host command, and they'll all do it, too.
04:38
So let's start with nslookup. If you have one that you'd rather use, by all means just use that. But if I did, like, nslookup on bulbsecurity.com, it'll give me the IP address of bulbsecurity.com, not www.bulbsecurity.com. Rather,
04:55
the IP address: it uses shared hosting. That's also the IP address
05:00
for several other
05:01
websites, as we'll see a bit later.
05:04
I might also be interested in things like mail servers. If I did, like, nslookup,
05:12
just hit enter, and then set
05:15
type
05:16
equals MX.
05:19
And then say bulbsecurity.com. MX is short for, basically, mail server in DNS-speak. It's gonna ask, what are the mail servers for bulbsecurity.com?
05:32
And they are all actually Google servers in this case, so those will probably be out of scope for your pentest.
05:40
Chances are you won't be able to go after Google Apps, but if the organization that you were testing hosts their own mail servers, those may be in scope:
05:49
additional hosts we might be able to attack. So
05:53
quit
05:55
... quit's not the right answer; exit.
05:58
And so we're doing nslookup, set type=MX again,
06:06
and say we want, say, how about cisco.com, for one of the big ones that looks like they have their own mail servers. And again, I don't know, let's just do cisco.com. But all I'm doing is doing a basic query here, so I'm not
06:20
crossing the line of legality just by asking them what their mail servers are. If I actually started attacking the mail servers at cisco.com, that would be bad.
06:29
But just for this part, again, you're welcome to try different organizations.
06:34
I can maybe also want, like, name servers. I could say set type=NS for name server
06:44
and
06:46
bulbsecurity.com.
06:50
I just... I don't host my own name servers either.
06:55
That's just domaincontrol.com. But again, if I do cisco.com,
07:01
looks like they, in fact, do host their own name servers. So again, this would be
07:05
additional hosts that might be in scope for our pentest.
07:14
All right, so here. So naturally, my question would be: can I get all of the hosts that are owned by such-and-such a domain? Would it be possible for me to just get a list? Hopefully, the answer to that is no.
07:28
There is something called a zone transfer for DNS, which, as the name implies, involves taking the zone for a domain and transferring it.
07:39
Well, it's theoretically between
07:42
different name servers. The primary would transfer to the secondary or other slaves, but you could actually just get it, if it's set up to do so, to send its zone file to you as well. So you'd get a complete list of all of the domain names and their associated
08:00
IP addresses
08:01
for a certain domain.
08:03
But hopefully this should be turned off. It is definitely a best practice. I always test for this on any of my clients, but I have seen it come up
08:13
on a rare occasion, and I definitely let them know that they should turn that off. But typically, you'll see that this is turned off.
08:22
Let's use the host command for this one. Again, there's different ways to do this. First thing I need to know is the type; it's name server, so -t ns in this case,
08:33
and I'll tell it I want the name servers for bulbsecurity.com.
08:41
So again, those are my two domaincontrol.com servers.
08:45
And then, if I try and do a domain transfer, domain zone transfer,
08:52
the correct syntax is -l
08:56
and then the domain that I want, that's bulbsecurity.com,
09:01
and then I tell it the name server to try and transfer from.
09:05
My guess would be
09:07
that domaincontrol.com does not allow zone transfers.
09:18
Try the other one as well.
09:24
Indeed, it doesn't allow me to do a zone transfer,
09:30
but an example
09:31
of a domain that is set up to allow zone transfers is zonetransfer
09:41
dot me.
09:43
So here's the
09:46
name servers for zonetransfer.me. Again, host -t ns.
09:52
And after the name servers, like, do host -l. Oh,
09:56
you ask for the zone transfer, if it's available. Tell it that I want information about zonetransfer.me.
10:05
And let's start with the first one: nsztm
10:07
1.digi.ninja. Or the other, nsztm2
10:11
dot
10:13
digi.ninja.
10:18
And there we have it.
10:22
We have...
10:24
Looks like they have an office in Australia,
10:28
and you see
10:28
DB, email, internal office, IPv6, ooh,
10:35
mail, client, VPN,
10:37
all TCP ports open. The different IP addresses are there
10:43
and their associated fully qualified domain names. So this would give us additional potential targets
10:50
if we were pentesting zonetransfer.me.
10:56
But of course this should be turned off, but it's something I always check for.
11:01
But if we can't do that,
11:03
our question is, can we still find additional
11:07
fully qualified domain names, additional hosts we could attack?
11:11
And naturally, same way we deal with everything else, we can always just let the computer
11:18
basically check for us. I mean, we could sit there and ask for, you know, what is...
11:22
How about nslookup, say, ftp.bulbsecurity.com.
11:28
Well, there is an ftp.bulbsecurity.com.
11:33
What about mail.bulbsecurity.com?
11:41
Okay, it looks like it at least goes
11:43
somewhere.
11:45
How about blah.bulbsecurity.com? Nothing there. So we could just go through every possible domain name we could think of, or we could take it and let the computer do it for us. This is
11:58
pretty typical in anything computer science, really: computers are really good at doing
12:03
repetitive tasks that are really boring to people. So we could
12:09
build a list of domains
12:13
and then have it basically cycle through and do an nslookup or equivalent on all of them
12:20
and see what comes back with an answer and what doesn't. Naturally, people wrote some tools for that.
12:26
One of them is fierce.
12:33
So it is a Perl script. It has a -dns switch with the domain after it. Doing this on
12:41
bulbsecurity.com won't come up with very much. How about microsoft.com for this one, one that has a few more server names, then.
12:50
...
12:54
It tries a zone transfer; it doesn't work.
12:56
Now it's going through and basically guessing the first part of the fully qualified domain name.
13:03
It's basically running through a file, and you can give it a different file for that, but it's using its
13:09
default file.
13:11
And indeed, there's quite a lot of hosts for microsoft.com.
13:16
It's just putting, like, x.microsoft.com, probably a for loop where x is
13:22
something from that file, and it just loops through. So, fairly typical, it's letting the computer do it for us,
13:30
like we did when we did our scripting examples earlier in the class.
13:35
So then it's finding a lot of stuff for microsoft.com. Cisco probably won't have quite as many.
13:41
Let's do cisco.com;
13:43
it should be decent, maybe.
13:48
Microsoft is pretty large, so a little bit smaller here.
13:52
Looks like Microsoft had one to, like, a zillion. Not quite as many, but still, we're getting a lot of results. But if you're working with a small company,
14:03
it might be much smaller. Like bulbsecurity.com doesn't really come up with much at all.
14:09
I could just sit here like this for a while, and then come up with... I think it'll find ftp
14:16
eventually, but there's just not that many hosts in that case, so
14:20
nothing to be alarmed about; it's a smaller organization. If you do, like, small local banks and local businesses, they probably don't have that many hosts.
14:31
So that gives us some additional targets. You may or may not even need to do this. I typically do, unless my client tells me not to, to give them an idea of what their Internet presence is. But typically your client will say, these are the IP addresses you need to test. But you may find yourself doing a complete
14:50
black-box test, like, really:
14:52
we're so-and-so.com, have at it, in which case something like this would
14:56
be very useful.