Web penetration testing series (1): information collection

To help people study security skills in their spare time, we have put together a series on web penetration testing so that readers outside the security community can get into the field faster. Everyone is welcome to come and discuss.

01-Collect DNS information

WHOIS (domain name database query)

The owner of a domain name can be found by querying the WHOIS database. For most root name servers the basic WHOIS is maintained by ICANN, while the detailed WHOIS data is maintained by the registrar that controls the domain.

For the more than 240 country code top-level domains (ccTLDs), the domain registry is usually responsible for maintaining WHOIS. For example, the China Internet Network Information Center maintains WHOIS for .CN domain names, Hong Kong Internet Registration Corporation Limited maintains WHOIS for .HK domain names, and the Taiwan Network Information Center maintains WHOIS for .TW domain names.

DNS server query

In addition to WHOIS queries, the name servers for a domain can be queried with the host command; the command format is:

host -t ns domainName

A record query

An A (Address) record maps a host name (or domain name) to an IP address. A user can point the web server under a domain name at their own web server, and can also set up subdomains of the domain. Generally speaking, the A record is the server's IP address: binding an A record to a domain name tells DNS that when the domain name is entered, the client should be directed to the server at the address set in the A record.

host -t a domainName

MX record query

MX records are also called mail routing records. A user can point the mail server for a domain at their own mail server and then control all mailbox settings themselves. You only need to fill in the IP address of your server in the record, and all mail for your domain name will be delivered to the mail server you set.

Simply put, by setting the MX record you get a mail service whose addresses end with your own domain name.

Domain name enumeration

Once we have the main domain name, if we can obtain all of its subdomains we can then resolve each subdomain to its host IP, giving a relatively complete picture of the target.

dnsmap

Reverse address resolution

A DNS server has two zones we use often, the "forward lookup zone" and the "reverse lookup zone". Forward lookup is what we normally call domain name resolution; reverse lookup is the subject here. Reverse IP resolution obtains the domain name an IP address points to by querying the PTR record for that address, so a PTR record must exist for the lookup to succeed. PTR records are used in mail exchange checks together with A records: the A record resolves a name to an address, and the PTR record resolves an address to a name, where the address is the client's IP address and the name is the client's fully qualified domain name. Querying the PTR record is what achieves the reverse check.

Reverse DNS ensures that the corresponding mail exchange records are valid. Reverse resolution is the opposite of ordinary forward resolution and provides the mapping from IP addresses to domain names. Reverse IP resolution is mainly used by mail servers to block spam, especially abroad: most spammers send from dynamically allocated or unregistered IP addresses to avoid being traced, so checking reverse resolution can greatly reduce the amount of spam.

For example, you send a message from [email protected] to my mailbox [email protected]. When the 163 mail server receives it, it examines the message headers, which show the IP address the message was sent from, and then performs a reverse lookup on that IP address. If the domain name corresponding to the IP is name.com, the message is accepted; if the reverse lookup shows that the IP does not correspond to name.com, the message is rejected.

Since an IP address can correspond to multiple domain names, finding a domain name from an IP would in theory require traversing the entire domain name tree, which is not realistic on the Internet. To make reverse resolution possible, the system provides a special domain, the reverse resolution domain in-addr.arpa. The IP address to be resolved is written as a displayable string in the form of a domain name, with the reverse resolution domain name "in-addr.arpa" as its suffix.

For example, the IP address 222.211.233.244 is expressed in reverse form as 244.233.211.222.in-addr.arpa

The order of the IP address parts in the two forms is exactly reversed because the domain name structure is bottom-up (from subdomain to domain), while the IP address structure is top-down (from network to host). In essence, reverse resolution expresses the IP address as a domain name, using the address as the index into the domain name space, so that a large part of reverse resolution can be handled by forward resolution.

The commonly used reverse lookup tools are nslookup and dig.

The command format for a reverse lookup with dig is:

dig -x ip @dnsserver    # use dig to perform a reverse lookup

The dnsserver need not be specified; by default the name server configured on the machine is used for the reverse query. An example specifying a DNS server is as follows:

In practice the results are not always satisfactory: different servers return results of differing completeness. For example, the two tests in the figure above did not return the desired result. In many cases a website that provides reverse lookups gives better results.

The following is the query result from http://dns.aizhan.com/ :

So to obtain complete information, try different tools and merge their results. The reason many tools cannot perform the reverse lookup is that the domain owner has not added reverse resolution records.

About DNS zone transfer vulnerabilities

Many DNS detection tools try a DNS zone transfer first and fall back to brute-force enumeration. So what is a DNS zone transfer vulnerability?

A zone transfer is the operation by which a secondary server refreshes its zone database with data from the primary server. This provides some redundancy for the DNS service: its purpose is to keep the domain reachable even if the primary name server becomes unavailable through an unexpected failure. Generally speaking, zone transfers are only needed when the network has a secondary DNS server, but many DNS servers are misconfigured to hand a copy of the zone database to anyone who requests it. If the information provided covers only systems that are connected to the Internet and have valid host names, this misconfiguration is not necessarily serious, although it makes it much easier for an attacker to identify potential targets. The real problem arises when an organization does not use a split public/private DNS setup to separate external public DNS data from internal private DNS data. Then internal host names and IP addresses are exposed to the attacker, and handing internal IP address information to untrusted users on the Internet is like giving away a complete blueprint or map of the company's internal network.
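
As an added example (not from the original post), the script below audits what a successful zone transfer would hand out. It parses a constructed zone dump in the line format dig prints for an AXFR (the example.test zone, its names and addresses are all invented for this example) and reports the records that resolve to RFC 1918, loopback, link-local or IPv6 ULA addresses, which are exactly the internal hosts the text says a split public/private DNS setup should keep out of the public zone. The address ranges are listed explicitly rather than using the ipaddress module's is_private flag, because that flag also marks the documentation ranges used in the sample as private.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone dump (assumption: zone, names and addresses are fictional).
SAMPLE_AXFR = """\
example.test.            3600 IN SOA  ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test.            3600 IN NS   ns1.example.test.
example.test.            3600 IN NS   ns2.example.test.
ns1.example.test.        3600 IN A    203.0.113.53
ns2.example.test.        3600 IN A    203.0.113.54
www.example.test.        3600 IN A    203.0.113.80
www.example.test.        3600 IN AAAA 2001:db8::80
vpn.example.test.        3600 IN A    203.0.113.44
intranet.example.test.   3600 IN A    10.20.30.40
backup-db.example.test.  3600 IN A    192.168.5.12
printer01.example.test.  3600 IN A    172.16.8.9
mail.example.test.       3600 IN A    203.0.113.25
example.test.            3600 IN MX   10 mail.example.test.
"""

# Ranges that should never appear in a zone served to the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def parse_zone_dump(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) for every record line; skip blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        # Layout is: owner TTL class type rdata...  (class is IN throughout)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append((parts[0], parts[3], " ".join(parts[4:])))
    return records


def is_internal(addr: str) -> bool:
    """True when the address falls in one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def internal_exposures(text: str) -> List[Tuple[str, str]]:
    """(owner, address) pairs for A/AAAA records pointing at internal addresses."""
    return [(owner, rdata) for owner, rtype, rdata in parse_zone_dump(text)
            if rtype in ("A", "AAAA") and is_internal(rdata)]


def summarize(text: str) -> Dict[str, int]:
    """Counts a finding would quote: total records, address records, leaked internal hosts."""
    records = parse_zone_dump(text)
    return {
        "records": len(records),
        "hosts": sum(1 for _, rtype, _ in records if rtype in ("A", "AAAA")),
        "internal": len(internal_exposures(text)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_AXFR))
    for owner, addr in internal_exposures(SAMPLE_AXFR):
        print("internal host exposed:", owner, addr)
```

On a real zone the output of dig's AXFR query can be fed in as the text. Note that the transfer succeeding from an unauthorized client is the finding in itself, regardless of what the zone contains; the fix is to restrict transfers on the primary to the secondaries' addresses (BIND's allow-transfer option) and to keep internal names in a separate internal zone or view.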

dnsenum is recommended here; this tool automatically tests for zone transfer vulnerabilities while resolving domain names.

Finding the IP address through DNS resolution:

ping command

nslookup

dig @8.8.8.8 testfire.net    (specifies the DNS server to query)

dig +trace testfire.net    (shows the full resolution path of the domain name)

Use webmaster tools, for example:

http://tool.chinaz.com/dns/?type=1&host=testfire.net&ip=

The above are some methods and ideas for collecting DNS-related information.

Origin blog.csdn.net/GUDUzhongliang/article/details/108731009