Thread: DNS wildcard ?????

  1. #1
    Junior Member | Join Date: Jul 2006 | Posts: 18

    DNS wildcard ?????

    I'm currently trying to find all the host records for a practice assessment. I'm using the usual lookup tools and various sites (www.dnsstuff.com is fantastic) and I'm trying various combinations such as:

    www.target.com
    mail.target.com
    webmail.target.com
    apps.target.com

    etc...........

    Does anyone know if there is a wildcard out there that might automate this to search DNS for all the entries that target.com has????????

    Many thanks.

    Thatch

  2. #2
    Senior Member | Join Date: Sep 2001 | Posts: 1,027

    Sort of...

    Depending on how well the DNS server is configured, you might be able to do a zone transfer from it.

    I'll leave it up to you to google how one does a zone transfer...


    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Junior Member | Join Date: Jul 2006 | Posts: 18

    Thanks for the suggestion, I hadn't thought to try that as I know zone transfers are disabled. I did however find a tool after re-reading the footprinting section in my book 'Open Source Tools for Penetration Testers' (absolutely brilliant book), and it suggests Netcraft as a tool that would allow wildcard searches. Although it does, it still doesn't produce the answers I know are out there. The reason is that I'm the administrator of the domain I'm testing and I know I have an apps server and OWA server out there as well as my web server, but I can only find these A records if I explicitly define them. What I'm trying to do is see what I could find if I had no knowledge of the servers out there. So at the moment I know my footprinting skills are lacking.

    The only way around this that I can think of is to compile a list of standard names used such as:

    mail.target.com
    www.target.com
    owa.target.com
    etc...........

    and go through them in that way.

    thanks for the reply.

    Thatch.

  4. #4
    Senior Member | Join Date: Mar 2004 | Posts: 119

    DNS names have nothing to do with security, they are merely a friendly name to IP address mapping. If your server has a vulnerable service then it is open to attack.

  5. #5
    The Doctor Und3ertak3r | Join Date: Apr 2002 | Posts: 2,744

    > DNS names have nothing to do with security, they are merely a friendly name to IP address mapping. If your server has a vulnerable service then it is open to attack.

    That's correct.. the DNS names have little to do with security.. but I think if someone was mounting an attack against you (for whatever end result), they would want to use any tools at their disposal to find ALL servers, that includes main and sub-domains, then use that information in planning the attack.. viz.:

    > What I'm trying to do is see what I could find if I had no knowledge of the servers out there.

    He may have locked all the doors he knows of, now he is looking for the doors he wasn't aware of.. Trying to think like the potential attacker..

    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Senior Member | Join Date: Jan 2003 | Posts: 3,915

    Originally posted here by Net2Infinity
    > DNS names have nothing to do with security, they are merely a friendly name to IP address mapping. If your server has a vulnerable service then it is open to attack.

    I would disagree 100%...

    compare these two names...

    exchange2k3-w2k3.newyork.domain.com
    teddyruxpin.domain.com

    With the first host... you no longer have to fingerprint the basics.. You can now infer that it's Exchange 2k3 running on Windows 2K3.. You can also infer that it's running out of an office in New York..

    With the second one... it means nothing to somebody outside the business... some stupid name.. but if people inside the corp know that Teddy Ruxpin is the mail server... it's enough info for them.

    Or even the classic..

    exchange.domain.com

    I now know it's an exchange server. which means I instantly try exchange.domain.com/exchange

    What if www.domain.com points to iis6-1.toronto.domain.com and iis6-2.toronto.domain.com? I can infer that they have two machines in a round robin answering requests for www.domain.com. And if one of them was neglected after last month's updates I now know that.. but just pointing at www.domain.com I may not have noticed that..

    However, as has been mentioned... there's no way (other than bruteforcing every value) to determine every host in DNS if Zone Transfers have been disabled...

    Peace,
    HT
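The point HT makes above, that a descriptive hostname hands out product, platform, location and even cluster-size information before any fingerprinting happens, is something a domain administrator can check for in their own zone. The script below is an added example written for this thread, not code from any poster or tool named here; the keyword tables (PRODUCTS, PLATFORMS, LOCATIONS) are small constructed assumptions, not a complete catalogue, and the sample names are the ones quoted in the post. It splits each name below the zone apex into tokens and reports what each token gives away, so a zone export can be reviewed for names that leak more than they should.

```python
import re

# Constructed keyword tables: assumptions for this example, not a complete catalogue.
PRODUCTS = {
    "exchange": "Microsoft Exchange",
    "owa": "Outlook Web Access",
    "iis": "Microsoft IIS",
    "sql": "SQL database",
    "oracle": "Oracle database",
    "vpn": "VPN gateway",
}
PLATFORMS = {"w": "Windows", "win": "Windows", "lnx": "Linux", "sol": "Solaris"}
LOCATIONS = {"newyork", "toronto", "london", "chicago", "hq"}

# A token is an alphabetic stem with an optional version suffix such as "2k3", "6" or "2003".
TOKEN_RE = re.compile(r"^([a-z]+?)(\d+k\d+|\d+(?:\.\d+)*)?$")


def split_hostname(fqdn, zone):
    """Return the tokens of fqdn below the zone apex, splitting labels on '-' and '_'.

    'exchange2k3-w2k3.newyork.domain.com' under 'domain.com'
    -> ['exchange2k3', 'w2k3', 'newyork']
    """
    fqdn = fqdn.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if not fqdn.endswith("." + zone):
        raise ValueError("%s is not under zone %s" % (fqdn, zone))
    relative = fqdn[: -(len(zone) + 1)]
    tokens = []
    for label in relative.split("."):
        tokens.extend(t for t in re.split(r"[-_]", label) if t)
    return tokens


def audit_hostname(fqdn, zone):
    """Return a list of (category, detail) findings describing what the name gives away."""
    findings = []
    previous_was_product = False
    for token in split_hostname(fqdn, zone):
        if token.isdigit():
            # "iis6-1", "iis6-2": a bare number right after a product token
            # reveals that the host is one of a numbered set (pool / round robin).
            if previous_was_product:
                findings.append(("instance", "numbered instance %s; suggests a pool or round robin" % token))
            previous_was_product = False
            continue
        match = TOKEN_RE.match(token)
        if not match:
            previous_was_product = False
            continue
        stem, version = match.groups()
        if stem in PRODUCTS:
            detail = PRODUCTS[stem] + (" version " + version if version else "")
            findings.append(("product", detail))
            previous_was_product = True
            continue
        previous_was_product = False
        if stem in PLATFORMS and version:
            findings.append(("platform", "%s %s" % (PLATFORMS[stem], version)))
        elif stem in LOCATIONS:
            findings.append(("location", stem))
    return findings


def audit_zone(names, zone):
    """Map each name that leaks something to its findings; opaque names are left out."""
    report = {}
    for name in names:
        findings = audit_hostname(name, zone)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # The names quoted in the post, used here as constructed sample input.
    sample = [
        "exchange2k3-w2k3.newyork.domain.com",
        "teddyruxpin.domain.com",
        "exchange.domain.com",
        "iis6-1.toronto.domain.com",
        "iis6-2.toronto.domain.com",
    ]
    for name, findings in sorted(audit_zone(sample, "domain.com").items()):
        print(name)
        for category, detail in findings:
            print("  %-9s %s" % (category, detail))
```

Feed it the output of your own zone export (one FQDN per line) and review anything it flags; "teddyruxpin.domain.com" style names come back empty, which is the property HT is arguing for.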

  7. #7
    Just Another Geek | Join Date: Jul 2002 | Location: Rotterdam, Netherlands | Posts: 3,401

    If there are PTR RRs you might get lucky and reverse lookup the IP range (gotten via whois info).

    Oliver's Law:
    Experience is something you don't get until just after you need it.
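Pulling together what the thread settles on for Thatch's own domain (zone transfers disabled, so a list of standard names checked one by one, plus the reverse-lookup sweep of the address range suggested in #7), the script below is an added example and not code from any poster or tool named in the thread. It also handles the caveat that the thread title hints at: a DNS wildcard record makes every name in the list resolve, so the script first resolves random labels and discards any hit that only returns the wildcard's addresses. The resolver functions are passed in as parameters, so the constructed sample zone (target.example in the 192.0.2.0/24 documentation range) runs offline; swapping in system_forward and system_reverse runs the same audit against a zone you administer.

```python
import ipaddress
import random
import socket
import string


def system_forward(name):
    """IPv4 addresses for a name via the OS resolver; empty set if it does not exist."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def system_reverse(ip):
    """PTR name for an address, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def wildcard_addresses(zone, forward, probes=3):
    """Detect a wildcard record by resolving random labels nobody would have registered.

    If every probe resolves to the same addresses the zone has a wildcard, and a
    dictionary hit returning exactly that set is a false positive, not a real host.
    Returns an empty set when there is no wildcard.
    """
    answers = []
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(20))
        answers.append(forward("%s.%s" % (label, zone)))
    if all(answers) and all(a == answers[0] for a in answers):
        return answers[0]
    return set()


# The names the thread tries by hand plus a few; a real review list would be longer.
COMMON_LABELS = ["www", "mail", "webmail", "owa", "apps", "autodiscover", "vpn", "ftp"]


def dictionary_check(zone, labels, forward):
    """Return ({fqdn: addresses} for labels that really exist, wildcard address set)."""
    wildcard = wildcard_addresses(zone, forward)
    found = {}
    for label in labels:
        name = "%s.%s" % (label, zone)
        addrs = forward(name)
        if addrs and addrs != wildcard:
            found[name] = addrs
    return found, wildcard


def reverse_sweep(cidr, reverse):
    """Return {ip: ptr_name} for every address in the block that has a PTR record."""
    results = {}
    for ip in ipaddress.ip_network(cidr).hosts():
        name = reverse(str(ip))
        if name:
            results[str(ip)] = name
    return results


def unlisted_names(found, ptrs):
    """PTR names the dictionary pass never surfaced: the doors you were not aware of."""
    return sorted(set(ptrs.values()) - set(found))


# Constructed sample zone so the script runs offline (assumption, not real infrastructure).
SAMPLE_ZONE = "target.example"
SAMPLE_RECORDS = {
    "www.target.example": {"192.0.2.10"},
    "mail.target.example": {"192.0.2.20"},
    "owa.target.example": {"192.0.2.20"},
    "apps.target.example": {"192.0.2.30"},
}
SAMPLE_PTRS = {
    "192.0.2.10": "www.target.example",
    "192.0.2.20": "mail.target.example",
    "192.0.2.30": "legacy-app.target.example",  # stale reverse record nobody updated
}


def sample_forward(name):
    return set(SAMPLE_RECORDS.get(name, set()))


def sample_forward_with_wildcard(name):
    # Same zone, but a "*.target.example" record answers everything else.
    return set(SAMPLE_RECORDS.get(name, {"192.0.2.99"}))


def sample_reverse(ip):
    return SAMPLE_PTRS.get(ip)


if __name__ == "__main__":
    # Replace the sample_* functions with system_forward / system_reverse for a live zone.
    found, wildcard = dictionary_check(SAMPLE_ZONE, COMMON_LABELS, sample_forward_with_wildcard)
    print("wildcard answers with:", sorted(wildcard) or "none")
    for name, addrs in sorted(found.items()):
        print(name, "->", ", ".join(sorted(addrs)))
    ptrs = reverse_sweep("192.0.2.0/27", sample_reverse)
    print("names only reverse DNS knows about:", unlisted_names(found, ptrs))
```

The wildcard probe matters in practice: with sample_forward_with_wildcard, "webmail.target.example" resolves but is dropped because it only returns the wildcard address, while the four real records survive. The final cross-check is the useful defender output, since a PTR name that never appeared in the forward pass is exactly the kind of forgotten host the thread is worried about.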
