Time: 3 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 4

Video Description

This lesson explores DNS reconnaissance, which starts by establishing communications between the target and the client system. You'll learn screen set-up advantages to maximize all your views, how to test for connectivity and vulnerabilities, and a host of other skills. More importantly, you'll learn from both the defensive and offensive perspective how to identify and prevent an extreme vulnerability, and the importance of when and how to use the IP address vs. the domain name in penetration testing. And finally, you'll learn how to set a query type, read vulnerabilities, confirm the output of the SOA (Start of Authority) record for your DNS zone, the difference between Windows and Unix outputs, and how to quickly capture screenshots for your scanning documentation.

Video Transcription

00:04
Okay, in this video I want to talk about DNS reconnaissance and some of the basics that go into DNS. First thing I want to do is basically get my clients to talk to each other.
00:17
So I'm gonna start by basically checking some basic connectivity here. Gonna do an ifconfig on the client side
00:26
to look at the Ethernet interface, and I'm gonna see that I'm on the 192.168.92.128 network. Next thing I'm gonna do is pop over to another server VM. This just happens to be an unpatched server, and I am going to look at the different properties of the network adapter card just to make sure that I'm on the same network
00:46
and we can talk to each other.
00:48
I want to do that by going to my Local Area Connection, network properties, and checking my IP address. Now, this is a statically assigned IP address to a server on the same network. We know that because it's all 255 here, so anything with 192.168.92 is all in the same network. I'm gonna point to myself as the default gateway. I'm also gonna use
01:07
myself as my DNS server, and then everything else I'm gonna forward on to Google DNS on the server side. So basically I have a client on my left, I have a server on my right, an old Windows 2000 server, just for the sake of showing vulnerabilities and things like that.
01:25
And then I want to test connectivity. So we're gonna go ahead, and it's convenient to have your screens like this, because that way you can see your IP address on the right over here while I'm typing it on the left. So just make it really easy for yourself. Scatter your windows. Have your IP address, 192.168.92.131,
01:45
go ahead, ping it. Make sure you've got basic connectivity, and I'll just cancel it there. And then we can go into interactive nslookup mode. Okay,
01:57
now we can do some basic things over here
02:01
from a Unix terminal. Okay, you could get different results, as you're gonna see in a second, from a Windows terminal. So we're gonna kind of compare apples here, left to right. So I'm gonna simultaneously work this, exactly the same thing, both Windows
02:15
and Unix. So ping 192.168.92.131
02:22
and make sure I got connectivity. So now I know all three are talking to each other, and that's fine. Clear the screen for simplicity.
02:30
All right, now I can get into interactive mode just to make sure: once again, nslookup. Okay, great.
02:38
So let's go back over to the Kali client virtual machine. First thing I'm gonna do as a client is set my server to specifically talk with this vulnerable version of Windows 2000 and Active Directory, because this isn't only a DNS server, it's also an Active Directory-integrated DNS.
02:59
And I'm gonna show you an extreme vulnerability here
03:01
when your server is configured as such. I'm also going to show you the exact opposite side, the defensive side, and how to secure this to prevent this type of reconnaissance from happening.
03:12
So let's go. So I'm going to set my server
03:16
to the server that we want to interrogate. So in this case it's 192.168.92.131. I specifically want to use the IP address here, not the fully qualified domain name or the domain name of the server.
03:32
Okay, and then we're just gonna basically test a basic query. So the server's domain name happens to be vernet.com,
03:45
and I want to make sure that I get local addresses here. If I were to get something like a public address, you know, non-local... Basically what I'm looking for is 10 networks, 172.16 networks and 192.168 networks. That proves to me that it's internal.
04:01
Also, anything outside of that would be public. So I know I'm talking to the internal server as opposed to the external server out on the internet somewhere, so I'm speaking to the right server. Same thing happens over here on the Windows side: server 192.168.92.131 is our address, we set it, and we do a vernet.com,
04:23
and I get 192.168 results. So I know I'm talking to the internal. Now back to the Kali client.
04:30
All right, so now we're going to look for specific record types, so I'm gonna set type=MX.
04:39
And if you get your prompt back and nothing errors out, that means you typed it correctly. There's only one space in here. That's it: set type=MX, and MX is for your mail records. Okay, so now if I do a vernet.com,
04:57
okay, that'll tell me what it can find basically for a mail record, and we can compare that simultaneously over here on the Windows client. Same: set type=MX
05:11
and vernet.com. Now, in this case, what you're actually getting is not the mail server but actually the start of authority record. This specific piece right here looks just like the start of authority, and I can prove this by just setting the type
05:28
equal to the SOA record and basically doing the same thing for vernet.com.
05:34
Okay, and you'll see that the results are pretty much identical. So here's what it looks like for the mail record after I set it; it pretty much looks exactly the same.
05:49
So I know I'm getting the equivalent. Okay, so in this case I don't have a mail server connected to this, but there's other reconnaissance we could do to try to find out if and where mail was being integrated.
06:01
So the same thing over here, I'll do set type=SOA, vernet.com, and I basically get the start of authority record.
06:15
Okay, now let's translate this. The origin is a23att.vernet.com. That's actually the server name, and I could prove that real quick if I exit out of interactive mode and do a hostname command.
06:30
Um, actually, that's the Windows client, so that's how I know it's wrong, because that's Obi-Wan Kenobi and we want to check on the server. Let's actually just do it in the right place.
06:39
Open up the command prompt, hostname:
06:43
A23ATT. So the server is configured for the hostname correctly. All right. The mail address, the email address at a specific domain, with serial number.
06:57
The refresh rate: this is how often, in seconds, the secondary server queries the primary server. And if that query goes wrong,
07:08
we should retry every 600 seconds from there on, after up to a period of 86,000 seconds, and then it will stop answering name requests.
07:17
Okay, so that's basically how to translate the start of authority record. Also be able to convert, you know, seconds to minutes to hours. Because if you compare this over here to the Windows client,
07:32
nslookup, set type=SOA, vernet.com.
07:44
Okay, notice this is slightly different. They actually have in parentheses that it's 15 minutes or 900 seconds, or 10 minutes, or 86,400 seconds, which is always a great number because that's the number of seconds in a day. One whole day right there. So Unix doesn't tell you that in parentheses; Windows does.
08:03
Okay, it also says that you're connected via the start of authority's address record, specifically right here at the A record. Now that's all good, and we can continue to poke around and look at different record types. So if I do help over on the Kali side, I don't get anything. Typical other options would be something like that; that doesn't work here. Question mark? Okay, so in this case we don't get too much help on the Unix side, but we do over here on the Windows side.
08:39
All right. So I'm just gonna use the help over on the Windows side. There's a difference. I'd have to clearly look at the manual page on the Unix side to find out how they actually use the command, and just to demonstrate that real quick, you would basically do man nslookup.
08:54
You can see you can go into that, and then you can do :q to get out of that and then get back into nslookup. So it's there if you wanted to access it, but that's not the purpose here.
09:05
So over here, look at the help file. Here was the set type=. But one of the things that I like is that it actually tells you all of the actual record names in this particular terminal, right, and that's pretty helpful in the grand scheme of things. Because you can see, I'm trying to move the window here, you can see that you got your
09:31
host record here, which is your A record. You have your mail record, the primary name servers, or the person responsible for the domain; the pointer record, which is the reverse, name to IP versus IP to name; start of authority, which I just covered; or any sort of service record.
09:48
So one of the things that I would be looking at specifically is the service record,
09:52
right? So I would set type=SRV and then do the same thing again, vernet.com, and see if anything comes up here. And it does say NXDOMAIN here, but not really that great of a result.
10:09
So let's try it over here and see the difference.
10:13
So it would be set type=srv, and then see if I can't resize this for you. Okay.
10:28
And then vernet.com, and you can see that I don't really get too much in terms of service records here, but that's not the end of the game yet. So it just looks like a regular server from basically this side of life. But let's see how far we can push the envelope. So let's do an ls -d,
10:46
which is list the domain, for vernet.com.
10:50
But look what I get here. Look at all this stuff that just jumped to the screen,
10:54
okay? These are all of the internal Active Directory records. Even from the outside, it may appear to be just a regular name query, just getting some basic records like SOA and host name and a service record, things like that, or mail record or whatever you're looking for. When I actually try to transfer the zone,
11:13
I actually get the complete client mapping here. I get all of the host records. So the reason why this is such a powerful exploit in terms of reconnaissance is, instead of setting the type and getting one record at a time and trying to enumerate one record at a time, by transferring the whole domain to yourself you literally get Pandora's box. I get all the server records,
11:35
I get all of the host records and more host records.
11:37
I can tie that to different priorities and weights. And this is specifically for the global catalog, the Active Directory global catalog; Kerberos for logging on; kpasswd; the LDAP directory information,
11:52
and so on. So I clearly am getting internal Active Directory services, which is just great.
11:58
I can also see some additional host records that are basically bogus records that I created, basically for the purposes of the demonstration. I also get the
12:09
IP addresses of these records, and you notice these are actually on another network. I've actually questioned that. Make sure that I document this. Speaking of documentation, you can easily, if you're in edit mode (edit mode is over here in the console properties, QuickEdit mode),
12:26
with QuickEdit mode, you can just basically click in here, hit enter, open up Notepad
12:33
and then control-V to paste, and you can see it pasted exactly what I just copied. So that's a great place to store all of your notes that you would need for documenting any sort of penetration testing report, whether white hat, grey hat or black hat.
12:50
Make sure that you document, and take it that you do your documentation,
12:54
you know, as a trainer, one of the things that I look for is, one, can you actually do a skill like this? But as a professional employee, if I task you with this task, to go bring me back this reconnaissance, you also need the ability to write a report and basically document this yourself, capture that documentation and supply it to somebody else. So please don't forget to document, and document as you go.
13:13
Because every step here I would record and document, and that way when I go to write my report I have all of the copy-and-paste material that I need to basically move forward and illustrate the purpose of a vulnerability scan or a penetration test.
13:31
Now, let's compare that to what we get over on the Unix side: ls -d vernet.com, and it says, oh, the ls command is not implemented. So what that tells us is that you're not gonna be able to actually just transfer the zone as easily with regular nslookup as implemented in Kali. But don't,
13:56
you know, don't kid yourself.
13:56
There are still other tools you can use. There's the dig utility. So I just did man dig, opened up this file, and it's just for the DNS BIND version nine, and you can get an idea. And please, get used to self-learning this stuff. Read this stuff yourself one time, get the idea. So dig, just real quick, is
14:16
domain information groper. It's a flexible tool for interrogating DNS name servers, and that's about
14:22
all we need to highlight here. So if you want to know what specific instances of the commands are used, like, here's the server command, okay, here's the type command, and if you're lucky, in most manuals they actually give you how you actually use it. So in this case it's just type=any
14:39
and any other additional options that you possibly could include,
14:43
and you know, this is gonna get advanced. If you want to start learning some of the immense stuff, you certainly could go through and look at some of the specialized circumstances. So I just want to point out that there are several of them at that, right? And you can scroll all the way down, or you could do a control-Q to basically get back to the terminal.
15:03
So that's a basic configuration, offensively, as a penetration tester: what you would be looking for if you were trying to interrogate a DNS server, more importantly one that's tied to Active Directory.
15:16
So let's think defensively for a second. Let's figure out how we actually solve this problem and shut this off from the planet.
15:26
Well, one of the things you can do is just go right to Administrative Tools, open up DNS.
15:33
Again, we're thinking defensively here. Open up your domain, right-click the domain, go to Properties and look at the zone transfer information. And in this case, because this is a vulnerable server with several default settings which should never have been allowed to operate,
15:50
this DNS server has never been hardened.
15:52
Um, which is likely what you would see in some environments. I don't necessarily care that this is a Windows 2000 server; I'm just realistically using that for the purpose of the illustration. If you have the latest and greatest server and it's still configured the same way, you are vulnerable. So I'm gonna shut off zone transfers. Or I could have selected to
16:11
only allow them to the servers listed on the
16:14
Name Servers tab, so I'd have to have that server here, or only to the following IP addresses, like another DNS server or something that needs replication. Otherwise, for the purpose of the illustration, I could just turn it off completely.
16:29
Turn it off. Let's go back to our terminal, do an ls -d vernet.com, and you can see "Query refused". So it's the query refused which is really the takeaway here, because basically that means administratively refused.
16:48
It means there's a setting in place that's actually restricting me. It's not a question of what results I get back, or whether they were really the right results.
16:55
In this case, I'm specifically being told you've been administratively blocked,
17:00
and that's how I basically shut this vulnerability off and harden the server for anything that would be DNS-integrated or Active Directory-integrated, and how I would prevent just a rogue client from interrogating those records on a network and basically being able to pull,
17:17
at the end of the day, the whole client table
17:19
from the server, you know, again, because all the records,
17:23
both server records and client records.
17:29
So what we did here, to summarize, is we made sure our clients were on the same network. We used two separate client shells to connect to one vulnerable server. We were able to do the same commands side by side from the client. We interrogated the server,
17:45
and we basically got to the point where we could transfer the whole Active Directory-integrated DNS table down to a client and basically have a complete map of an internal network. And we did that relatively easily. I didn't have to run nmap. I didn't have to run a whole scan of the whole network,
18:02
I didn't have to use advanced pen testing tools. I basically only used
18:06
traditional network administrative tools and then a Kali client, which is probably one of the most well-known pen testing clients out there. I looked at them side by side, I queried the server, I pulled down the zone table, and then I switched defensively to show you how I could have stopped this. So I hope you enjoyed the video.
18:26
Lots more to come. Don't forget to check us out on Facebook, LinkedIn, YouTube and Twitter, and I'll see you in the next video.
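The lesson reads an SOA record field by field (origin, responsible mailbox, serial, refresh, retry, expire), converts the timers to minutes and days, and then checks whether ls -d (a zone transfer) is answered with records or with "Query refused". The script below is an added example, not the instructor's code or anything shipped with nslookup: it parses constructed nslookup-style output that mirrors the values quoted in the video (the vernet.com zone, the a23att server name and the 900/600/86400 timers are taken from the transcript; the mailbox, serial, SRV names and host addresses are made up for the sample), renders the timers the way Windows nslookup does in parentheses, and classifies a zone-transfer response as refused (hardened) or open (exposed), listing the Active Directory SRV names and any A records that fall outside the subnet the administrator expects. It is meant to be run by an administrator against output captured from their own server.

```python
"""Added example: audit helpers for SOA output and zone-transfer responses.

Sample output below is constructed to resemble Windows nslookup; it is not a
capture from the video.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the shape of 'set type=SOA' output on the Windows client.
SAMPLE_SOA_OUTPUT = """\
vernet.com
        primary name server = a23att.vernet.com
        responsible mail addr = admin.vernet.com
        serial  = 42
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
"""

# Constructed samples of what 'ls -d vernet.com' can return: the hardened
# server refuses administratively; the unhardened one dumps the whole zone.
SAMPLE_LS_REFUSED = "[a23att.vernet.com]\n*** Can't list domain vernet.com: Query refused\n"
SAMPLE_LS_OPEN = """\
[a23att.vernet.com]
 vernet.com.      SOA   a23att.vernet.com admin.vernet.com. (42 900 600 86400 3600)
 vernet.com.      NS    a23att.vernet.com
 _ldap._tcp       SRV   priority=0, weight=100, port=389, a23att.vernet.com
 _kerberos._tcp   SRV   priority=0, weight=100, port=88, a23att.vernet.com
 _gc._tcp         SRV   priority=0, weight=100, port=3268, a23att.vernet.com
 a23att           A     192.168.92.131
 workstation1     A     192.168.50.10
"""

RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "SRV", "CNAME", "PTR", "TXT"}


@dataclass
class SoaRecord:
    primary_ns: str
    responsible_mail: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum_ttl: int


def parse_windows_soa(text: str) -> SoaRecord:
    """Pull the SOA fields out of Windows-style 'name = value (human)' lines."""
    def field(name: str) -> str:
        match = re.search(rf"{name}\s*=\s*([^\s(]+)", text)
        if not match:
            raise ValueError(f"missing SOA field: {name}")
        return match.group(1)
    return SoaRecord(
        primary_ns=field("primary name server"),
        responsible_mail=field("responsible mail addr"),
        serial=int(field("serial")),
        refresh=int(field("refresh")),
        retry=int(field("retry")),
        expire=int(field("expire")),
        minimum_ttl=int(field("default TTL")),
    )


def rname_to_email(rname: str) -> str:
    """The SOA RNAME encodes the mailbox with its first dot standing in for '@'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def humanize_seconds(seconds: int) -> str:
    """Render a timer the way Windows nslookup does, e.g. 86400 -> '1 day'."""
    for unit, size in (("day", 86400), ("hour", 3600), ("min", 60)):
        if seconds >= size and seconds % size == 0:
            count = seconds // size
            return f"{count} {unit}{'s' if count != 1 else ''}"
    return f"{seconds} secs"


def classify_zone_transfer(output: str) -> dict:
    """Summarise an 'ls -d' response: refused means the zone is hardened."""
    if "Query refused" in output:
        return {"status": "refused", "records": 0, "ad_services": [], "hosts": {}}
    ad_services, hosts, count = [], {}, 0
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] not in RECORD_TYPES:
            continue  # banner lines and blanks
        count += 1
        name, rtype, data = parts[0], parts[1], parts[2:]
        if rtype == "SRV" and name.startswith("_"):
            ad_services.append(name)  # _ldap, _kerberos, _gc and friends
        elif rtype == "A":
            hosts[name] = data[0]
    return {"status": "open", "records": count, "ad_services": ad_services, "hosts": hosts}


def hosts_outside(hosts: dict, network: str) -> list:
    """Names whose A record is not inside the subnet the admin expects."""
    net = ipaddress.ip_network(network)
    return sorted(n for n, ip in hosts.items() if ipaddress.ip_address(ip) not in net)


if __name__ == "__main__":
    soa = parse_windows_soa(SAMPLE_SOA_OUTPUT)
    print("origin:", soa.primary_ns, "contact:", rname_to_email(soa.responsible_mail))
    for label, value in (("refresh", soa.refresh), ("retry", soa.retry), ("expire", soa.expire)):
        print(f"  {label}: {value} s ({humanize_seconds(value)})")
    for sample in (SAMPLE_LS_REFUSED, SAMPLE_LS_OPEN):
        result = classify_zone_transfer(sample)
        print(result["status"], result["records"], result["ad_services"],
              hosts_outside(result["hosts"], "192.168.92.0/24"))
```

To use it on a real zone, paste the output of your own nslookup session in place of the constructed samples; a status of "open" from an address that should not be a secondary is the condition the video fixes by restricting zone transfers in the zone's properties, and the hosts_outside list reproduces the instructor's observation that some leaked A records sat on a different network.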

Up Next

Strategic DNS Ops and Security

Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor