-
August 18th, 2006, 05:46 PM
#1
Junior Member
DNS wildcard?
I'm currently trying to find all the host records for a practice assessment. I'm using the usual lookup tools and various sites (www.dnsstuff.com is fantastic) and I'm trying various combinations such as:
www.target.com
mail.target.com
webmail.target.com
apps.target.com
etc...........
Does anyone know if there is a wildcard out there that might automate this to search DNS for all the entries that target.com has?
Many thanks.
Thatch
-
August 19th, 2006, 04:20 AM
#2
Sort of...
Depending on how well the dns server is configured, you might be able to do a zone transfer from it.
I'll leave it up to you to google how one does a zone transfer...
Ammo
Credit travels up, blame travels down -- The Boss
-
August 19th, 2006, 09:18 AM
#3
Junior Member
Thanks for the suggestion, I hadn't thought to try that as I know zone transfers are disabled. I did however find a tool after re-reading the footprinting section in my book 'Open Source Tools for Penetration Testers' (absolutely brilliant book) and it suggests Netcraft as a tool that would allow wildcard searches. Although it does, it still doesn't produce the answers I know are out there. The reason is that I'm the administrator of the domain I'm testing and I know I have an apps server and OWA server out there as well as my web server, but I can only find these A records if I explicitly define them. What I'm trying to do is see what I could find if I had no knowledge of the servers out there. So at the moment I know my footprinting skills are lacking.
The only way around this that I can think of is to compile a list of standard names used, such as:
mail.target.com
www.target.com
owa.target.com
etc...........
and go through them in that way.
Thanks for the reply.
Thatch.
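The wordlist approach in the post above (and what reply #6 later calls "bruteforcing every value") is easy to script. The following is an added example, not code from the thread or from the book mentioned; the zone contents, the addresses and the wildcard address are constructed so it runs offline, and the `stub_resolver`/`wildcard_stub_resolver` functions stand in for a real lookup. One check it adds that the thread does not mention: if the target zone has a wildcard record (`*.target.com`), every guessed name resolves and the brute force produces nothing but false positives, so a couple of random labels are resolved first and any hit that only returns the wildcard's addresses is discarded.

```python
import random
import socket
import string

# Constructed sample zone (not real data) so the example runs offline.
# Keys are hostnames, values are the A records a resolver would return.
SAMPLE_ZONE = {
    "www.target.com": ["203.0.113.10", "203.0.113.11"],   # round robin, two boxes
    "mail.target.com": ["203.0.113.20"],
    "owa.target.com": ["203.0.113.20"],                   # same box as mail
    "apps.target.com": ["203.0.113.30"],
}
WILDCARD_ADDR = "203.0.113.99"   # constructed: what *.target.com would answer with


def stub_resolver(name):
    """Offline stand-in for a forward lookup; [] means NXDOMAIN."""
    return list(SAMPLE_ZONE.get(name.lower(), []))


def wildcard_stub_resolver(name):
    """Same constructed zone, but with a *.target.com wildcard record present."""
    name = name.lower()
    if name in SAMPLE_ZONE:
        return list(SAMPLE_ZONE[name])
    return [WILDCARD_ADDR] if name.endswith(".target.com") else []


def live_resolver(name):
    """Real forward lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def random_label(length=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(domain, resolver, probes=2):
    """Resolve a few random labels under the domain. A name that should not
    exist but still resolves means a wildcard record is answering; return the
    set of addresses it hands back so they can be filtered out later."""
    answers = set()
    for _ in range(probes):
        addrs = resolver(f"{random_label()}.{domain}")
        if not addrs:
            return set()   # a random name is NXDOMAIN, so there is no wildcard
        answers.update(addrs)
    return answers


def bruteforce(domain, wordlist, resolver=live_resolver):
    """Try every candidate label; return {hostname: sorted addresses}.
    Hits whose addresses are all wildcard addresses are dropped. Limitation:
    a real host that shares the wildcard's address is dropped with them."""
    wildcard = detect_wildcard(domain, resolver)
    found = {}
    for word in wordlist:
        name = f"{word.strip().lower()}.{domain}"
        addrs = resolver(name)
        if not addrs or (wildcard and set(addrs) <= wildcard):
            continue
        found[name] = sorted(addrs)
    return found


def by_address(found):
    """Invert the result so hosts that share a box, or a round-robin pool, stand out."""
    inverted = {}
    for name, addrs in found.items():
        for addr in addrs:
            inverted.setdefault(addr, []).append(name)
    return {addr: sorted(names) for addr, names in inverted.items()}


if __name__ == "__main__":
    words = ["www", "mail", "owa", "apps", "ftp", "vpn", "webmail"]
    hits = bruteforce("target.com", words, resolver=stub_resolver)
    for hostname, addrs in hits.items():
        print(hostname, addrs)
    print(by_address(hits))
```

Against a real target, pass `resolver=live_resolver` (the default) and a proper wordlist; the cheap check from reply #2 is still worth doing first, with `dig axfr target.com @<each authoritative nameserver>`, because one misconfigured secondary hands over the whole zone and makes the guessing unnecessary.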
-
August 20th, 2006, 08:24 AM
#4
DNS names have nothing to do with security, they are merely a friendly name to IP address mapping. If your server has a vulnerable service then it is open to attack.
-
August 20th, 2006, 11:40 AM
#5
DNS names have nothing to do with security, they are merely a friendly name to IP address mapping. If your server has a vulnerable service then it is open to attack.
That's correct... the DNS names have little to do with security... but I think if someone was mounting an attack against you (for whatever end result) they would want to use any tools at their disposal to find ALL servers, that includes main and sub-domains, then use that information in planning the attack... viz:
What i'm trying to do is see what i could find if i had no knowledge of the servers out there.
He may have locked all the doors he knows of, and is now looking for the doors he wasn't aware of... trying to think like the potential attacker...
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 21st, 2006, 05:39 AM
#6
Originally posted here by Net2Infinity
DNS names have nothing to do with security, they are merely a friendly name to IP address mapping. If your server has a vulnerable service then it is open to attack.
I would disagree 100%...
compare these two names...
exchange2k3-w2k3.newyork.domain.com
teddyruxpin.domain.com
With the first host... you no longer have to fingerprint the basics. You can now infer that it's Exchange 2k3 running on Windows 2K3. You can also infer that it's running out of an office in New York.
With the second one... it means nothing to somebody outside the business... some stupid name... but if people inside the corp know that Teddy Ruxpin is the mail server, it's enough info for them.
Or even the classic..
exchange.domain.com
I now know it's an Exchange server, which means I instantly try exchange.domain.com/exchange
What if www.domain.com points to iis6-1.toronto.domain.com and iis6-2.toronto.domain.com? I can infer that they have two machines in a round robin answering requests for www.domain.com. And if one of them was neglected after last month's updates I now know that... but just pointing at www.domain.com I may not have noticed that...
However, as has been mentioned... there's no way (other than brute-forcing every value) to determine every host in DNS if zone transfers have been disabled...
Peace,
HT
-
August 21st, 2006, 10:42 AM
#7
If there are PTR RRs you might get lucky and reverse-lookup the IP range (obtained via whois info).
Oliver's Law:
Experience is something you don't get until just after you need it.
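The reverse sweep suggested in reply #7, and the "what the name gives away" point from reply #6, as an added example that is not code from the thread. The PTR data for 203.0.113.0/29, the hostnames and the hint table are all constructed so the sweep runs offline; `stub_ptr` stands in for a real reverse lookup, and `live_ptr` does the real thing through the system resolver. Note the caveat the sweep has to handle: PTR records belong to whoever controls the address space, so a range you got from whois can return the ISP's generic names alongside the target's, and those are filtered by domain before anything is concluded from them.

```python
import ipaddress
import re
import socket

# Constructed reverse-zone data (not real) for 203.0.113.0/29.
SAMPLE_PTR = {
    "203.0.113.1": "fw1.target.com.",
    "203.0.113.2": "exchange2k3-w2k3.newyork.target.com.",
    "203.0.113.3": "teddyruxpin.target.com.",
    "203.0.113.4": "static-203-0-113-4.isp.example.net.",   # PTR owned by the ISP, not the target
    "203.0.113.5": "iis6-1.toronto.target.com.",
    "203.0.113.6": "iis6-2.toronto.target.com.",
}

# Constructed hint table (an assumption for this example): tokens people put
# in hostnames and what each one gives away to an outsider.
HINT_TOKENS = {
    "exchange": "Microsoft Exchange",
    "exchange2k3": "Exchange 2003",
    "w2k3": "Windows Server 2003",
    "iis6": "IIS 6",
    "owa": "Outlook Web Access",
    "newyork": "site: New York",
    "toronto": "site: Toronto",
}


def stub_ptr(ip):
    """Offline stand-in for a PTR lookup; None means no record."""
    return SAMPLE_PTR.get(ip)


def live_ptr(ip):
    """Real PTR lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_sweep(cidr, lookup=live_ptr):
    """Walk every host address in the block and collect the PTR names that exist."""
    net = ipaddress.ip_network(cidr, strict=False)
    found = {}
    for ip in net.hosts():            # skips the network and broadcast addresses
        name = lookup(str(ip))
        if name:
            found[str(ip)] = name.rstrip(".").lower()
    return found


def in_scope(found, domain):
    """Keep only PTR names under the target's domain; the rest belong to the ISP
    or another tenant of the same address space."""
    domain = domain.lower()
    return {ip: n for ip, n in found.items() if n == domain or n.endswith("." + domain)}


def hostname_hints(name):
    """Split a hostname on dots, dashes and underscores and report the tokens
    that leak product, version or location (the point made in reply #6)."""
    tokens = re.split(r"[.\-_]", name.lower())
    return [HINT_TOKENS[t] for t in tokens if t in HINT_TOKENS]


if __name__ == "__main__":
    swept = reverse_sweep("203.0.113.0/29", lookup=stub_ptr)
    for ip, name in in_scope(swept, "target.com").items():
        print(ip, name, hostname_hints(name))
```

Against a real range, pass the netblock whois returned and leave `lookup` at its default; a sweep of anything larger than a /24 takes a while and shows up clearly in the resolver logs of whoever serves the reverse zone, so on a practice assessment against your own domain it is also a useful test of what your logging catches.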