OSINT: DNS Module Type: Basic Method Module Number: 0x06
OSINT: DNS
Module Type: Basic Method
Module Number: 0x06
Last Updated: 2017-03-28
Author: Hermit

Topics
- What is OSINT?
- What is DNS?
- What Can We Learn From DNS?
- Zone Transfers
- Mail Server Enumeration
- Points of Contact
- Subnets
- Third Party Providers
- Security Posture

What is OSINT?
- Open Source Intelligence = OSINT
- Information from public sources
- Often involves directly connecting to a target
- Analysis of publicly available data

What is DNS?
- Domain Name System = DNS
- Simple lookup mechanism for public records
- Commonly, a human-memorable name to an IP address
- Both generic (TXT) and specific (MX, A, NS, SOA) records
- Both IPv4 (A) and IPv6 (AAAA) records
- Hierarchical system in a tree structure

What Are DNS Record Types?
- A = Address mapping (name -> IPv4)
- AAAA = Address mapping (name -> IPv6)
- CNAME = Canonical Name (alias)
- DNAME = Subtree lookup
- MX = Mail server
- NS = Name server (DNS resolution)
- SOA = Start of Authority (top-level information for the zone)
- SRV = Generic service record (e.g. instead of MX)
- TXT = Generic text record (e.g. SPF, DKIM, DMARC)
- HINFO = Host information (CPU, OS, etc.), but not commonly available
- CAA = CA Authorization (CAs for a domain)
- IPSECKEY = An IPsec key
- PTR = Address mapping (reverse lookups)
- DNSSIG = DNSSEC signature
- NSEC/NSEC3 = DNSSEC non-existence

What Can We Learn From DNS?
- Internal server names
- Security posture
- Deployed services
- Points of contact
- Third party service providers
- Tools present
- Infrastructure maturity
- Infrastructure layout (IP addresses, network schema, etc.)
- Mail servers

Zone Transfers
A zone transfer allows for replication of an entire DNS zone. We like this because full replication lets us see "hidden" names that may never be guessed (e.g. X41KALCN081KS.HIDDENS.EXAMPLE.COM) but which are publicly resolvable. Unfortunately for pentesters, it is normally disabled by default, and seldom found.

A Quick Note About dig
You might want to script things, or just avoid all the extra output each time you run a command. The dig tool allows you to modify its output using "+" options. For instance, adding "+noall" to the end of a command drops everything except global settings, and adding "+answer" includes the DNS response. Combine the two for cleaner output, e.g. "+noall +answer". Those trailing options have been left out of the following slides for brevity.

Zone Transfers: Try It!
Using dig:
  dig axfr @{DNS_SERVER} {DOMAIN}
  dig axfr @nsztm1.digi.ninja zonetransfer.me
Using nslookup:
  nslookup
  > server {DNS_SERVER}
  > set type=any
  > ls -d {DOMAIN}
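What a successful transfer hands back is a full record listing, and the value is in reading it as an inventory: which names exist below the apex, and which of them point into internal address space. The script below is an added example (not code from the slides) that parses `dig axfr ... +noall +answer`-style output; SAMPLE_AXFR is a constructed test zone, and the only name borrowed from the deck is its "hidden" host.

```python
"""Turn dig-style zone transfer output into a host inventory.

Added example, not code from the slides. SAMPLE_AXFR is constructed to look
like `dig axfr ... +noall +answer` output for a test zone; the only name taken
from the deck is the "hidden" host it mentions.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_AXFR = """\
example.com.            3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2017032801 7200 900 1209600 3600
example.com.            3600  IN  NS    ns1.example.com.
example.com.            3600  IN  NS    ns2.example.com.
example.com.            3600  IN  MX    10 mail.example.com.
example.com.            3600  IN  TXT   "v=spf1 mx -all"
www.example.com.        300   IN  A     192.0.2.10
mail.example.com.       300   IN  A     192.0.2.25
vpn.example.com.        300   IN  A     198.51.100.5
intranet.example.com.   300   IN  A     10.0.5.20
X41KALCN081KS.HIDDENS.EXAMPLE.COM. 300 IN A 10.0.9.41
ftp.example.com.        300   IN  CNAME www.example.com.
example.com.            3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2017032801 7200 900 1209600 3600
"""

# One resource record per line: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")

# RFC 1918 ranges listed explicitly rather than via ip_address.is_private,
# which also treats documentation ranges such as 192.0.2.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples; owner names lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # dig comment lines
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"].lower().rstrip("."), int(m["ttl"]), m["type"], m["rdata"].strip()))
    return records


def host_inventory(records):
    """Map every owner name to the sorted list of record types published for it."""
    inv = defaultdict(set)
    for name, _ttl, rtype, _rdata in records:
        inv[name].add(rtype)
    return {name: sorted(types) for name, types in inv.items()}


def names_below_apex(records, zone):
    """Owner names under the zone apex: the part of the namespace a transfer exposes in bulk."""
    zone = zone.lower().rstrip(".")
    return sorted({name for name, _ttl, _t, _r in records if name != zone and name.endswith("." + zone)})


def rfc1918_hosts(records):
    """(name, address) pairs whose A record points into RFC 1918 space: internal layout leaking out."""
    return [(name, rdata) for name, _ttl, rtype, rdata in records
            if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918)]


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(f"{len(recs)} records, {len(names_below_apex(recs, 'example.com'))} names below apex")
    for name, addr in rfc1918_hosts(recs):
        print(f"internal: {name} -> {addr}")
```

Run against the output of a real transfer attempt on a zone you administer, `rfc1918_hosts` is the quickest test of whether the zone is leaking internal layout; an empty list from `names_below_apex` on a server that should refuse AXFR is the expected, healthy result.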

Mail Service Enumeration: Try It!
Using dig:
  dig {DOMAIN} MX
  dig {DOMAIN} TXT
Using nslookup:
  nslookup
  > set type=mx
  > {DOMAIN}
  > set type=txt
  > {DOMAIN}

Points of Contact: Try It!
Using dig:
  dig {DOMAIN} SOA
Using nslookup:
  nslookup
  > set type=soa
  > {DOMAIN}
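The MX and SOA answers from the two slides above need a little interpretation before they say anything: MX preferences decide which relay is tried first, and the SOA RNAME is a mailbox written as a domain name (first unescaped dot stands for "@", an escaped `\.` is a literal dot in the local part). The following is an added example, not code from the slides; the answer lines are constructed in `dig +noall +answer` style for a test domain, and "john.doe" is a made-up contact chosen to show the escaped-dot case.

```python
"""Interpret MX and SOA answers: relay order and the zone's point of contact.

Added example, not code from the slides. The answer lines are constructed in
`dig ... +noall +answer` style for a test domain; john.doe is a made-up contact
chosen to show the escaped-dot case in an SOA RNAME.
"""

MX_ANSWERS = """\
example.com. 3600 IN MX 20 backup-mx.example.com.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN MX 5 example-com.mail.protection.outlook.com.
"""

# RNAME "john\.doe.example.com." encodes the mailbox john.doe@example.com.
SOA_ANSWER = ("example.com. 3600 IN SOA ns1.example.com. john\\.doe.example.com. "
              "2017032801 7200 900 1209600 3600")


def parse_mx(text):
    """Return [(preference, exchange)] with the lowest preference (tried first) first."""
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[3] == "MX":
            relays.append((int(parts[4]), parts[5].rstrip(".").lower()))
    return sorted(relays)


def rname_to_email(rname):
    """RFC 1035 RNAME to mailbox: first unescaped '.' becomes '@'; a backslash-escaped dot stays a dot."""
    local, i, s = [], 0, rname.rstrip(".")
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            local.append(s[i + 1])
            i += 2
        elif s[i] == ".":
            return "".join(local) + "@" + s[i + 1:]
        else:
            local.append(s[i])
            i += 1
    return "".join(local)  # no domain part present


def parse_soa(line):
    """Split an SOA answer into its named fields, converting RNAME to a mail address."""
    parts = line.split()
    mname, rname, serial, refresh, retry, expire, minimum = parts[4:11]
    return {"primary": mname.rstrip("."), "contact": rname_to_email(rname),
            "serial": int(serial), "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def serial_is_datestamped(serial):
    """True if the serial follows the YYYYMMDDnn convention recommended in RFC 1912."""
    s = str(serial)
    if len(s) != 10:
        return False
    year, month, day = int(s[:4]), int(s[4:6]), int(s[6:8])
    return 1990 <= year <= 2100 and 1 <= month <= 12 and 1 <= day <= 31


if __name__ == "__main__":
    print(parse_mx(MX_ANSWERS))
    soa = parse_soa(SOA_ANSWER)
    print(soa["primary"], soa["contact"], soa["serial"], serial_is_datestamped(soa["serial"]))
```

A date-stamped serial is a small maturity signal in its own right: it tells you when the zone was last edited, which is worth knowing whether you are auditing your own zone for a stale contact mailbox or reading someone else's.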

Subnet Enumeration: Try It!
Using nmap:
  nmap --script dns-brute {DOMAIN}
  nmap --script dns-brute --script-args dns-brute.domain={DOMAIN},\
    dns-brute.threads={#},dns-brute.hostlist={FILE}
Using dnsrecon:
  dnsrecon -d {DOMAIN} -D {FILE} -f -t std
  dnsrecon -d {DOMAIN} -D /usr/share/wordlists/dirb/small.txt -f -t std
Using theharvester:
  theharvester -d {DOMAIN} -b all -n -c -t
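The tools above return a flat list of name/address pairs; the "subnet" picture comes from grouping those addresses. The script below is an added example (not from the slides or any of the tools named) that groups resolved names into /24 and /64 subnets, marks each as private or public, and points out subnets holding a single name. RESOLVED is a constructed result list for a test domain.

```python
"""Group resolved host names by subnet to sketch how a domain's address space is laid out.

Added example, not code from the slides. RESOLVED is a constructed name/address
list of the kind dns-brute or dnsrecon would produce for a test domain.
"""
import ipaddress
from collections import defaultdict

RESOLVED = [
    ("www.example.com", "192.0.2.10"),
    ("mail.example.com", "192.0.2.25"),
    ("vpn.example.com", "198.51.100.5"),
    ("portal.example.com", "198.51.100.7"),
    ("intranet.example.com", "10.0.5.20"),
    ("siem.example.com", "10.0.5.30"),
    ("cdn.example.com", "203.0.113.44"),
    ("www.example.com", "2001:db8::10"),
]

# Private ranges checked explicitly (RFC 1918 for IPv4, ULA for IPv6).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def group_by_subnet(resolved, v4_prefix=24, v6_prefix=64):
    """Map each containing subnet (as a string) to the sorted names resolving into it."""
    groups = defaultdict(set)
    for name, addr in resolved:
        ip = ipaddress.ip_address(addr)
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].add(name.lower())
    return {net: sorted(names) for net, names in groups.items()}


def scope(net_str):
    """'private' when the subnet lies inside RFC 1918 / ULA space, else 'public'."""
    net = ipaddress.ip_network(net_str)
    return "private" if any(net.subnet_of(p) for p in PRIVATE if p.version == net.version) else "public"


def subnet_summary(resolved):
    """Sorted (subnet, host_count, scope) rows, most populated subnet first."""
    rows = [(net, len(names), scope(net)) for net, names in group_by_subnet(resolved).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def singletons(resolved):
    """Subnets holding exactly one name (heuristic: hosted or third-party service rather than own infrastructure)."""
    return sorted(net for net, count, _scope in subnet_summary(resolved) if count == 1)


if __name__ == "__main__":
    for net, count, sc in subnet_summary(RESOLVED):
        print(f"{net:20} {count:3} host(s)  {sc}")
    print("singletons:", singletons(RESOLVED))
```

Private-scope rows with several names are the finding a defender cares about most: public DNS is publishing the shape of an internal network that nobody outside needs to resolve, and a split-horizon view for those names removes the leak.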

Third Party Providers/Services
Looking through results we'll often see indicators of third parties, for example in MX records:
- MS O365 has "mail.protection.outlook.com"
- Symantec Security.Cloud has "cluster_.__.messagelabs.com"
- Google App Suite has "aspmx._.google.com"
- ProofPoint has "mx_-________.gslb.pphosted.com"
Or we'll see indicators in TXT records:
- Adobe: adobe-idp-site-verification
Or we'll see indicators in CNAME records:
- Look for resolutions to external network names
- Look for non-standard IP address ranges

Security Posture
Just like third party providers, we can learn about security posture through DNS records, e.g.:
- Look for TXT records that contain SPF/DKIM/DMARC records
- Look for brute-forced host names that match common security tool names:
  epo.{DOMAIN}
  paloalto.{DOMAIN}
  siem.{DOMAIN}
  etc.
- Look for IPSECKEY, DNSSIG, NSEC/NSEC3 records
- Be creative!
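The two slides above (third party providers and security posture) are both pattern matching over the same collected records, so one added example covers both. It is not code from the slides: RECORDS is a constructed record set for a test domain, the MX suffixes are the deck's provider patterns with the redacted labels dropped, the TXT prefix is the deck's Adobe token, and the tool labels are the deck's epo/paloalto/siem. The SPF and DMARC parsing goes slightly beyond the slide by reading out the actual policy (the `all` qualifier and the `p=` tag), which is what tells you whether the records are enforcing anything.

```python
"""Read third-party and security-posture signals out of collected DNS records.

Added example, not code from the slides. RECORDS is a constructed record set for
a test domain; the provider suffixes are the patterns the deck lists (with the
redacted parts dropped) and the tool labels are the deck's epo/paloalto/siem.
"""

RECORDS = {
    "example.com": [
        ("MX", "10 example-com.mail.protection.outlook.com."),
        ("MX", "20 mx-example.messagelabs.com."),
        ("TXT", "v=spf1 include:spf.protection.outlook.com -all"),
        ("TXT", "adobe-idp-site-verification=CONSTRUCTED-TOKEN"),
    ],
    "_dmarc.example.com": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")],
    "selector1._domainkey.example.com": [("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTED-PUBLIC-KEY")],
    "siem.example.com": [("A", "10.0.5.30")],
    "epo.example.com": [("A", "10.0.5.31")],
    "www.example.com": [("A", "192.0.2.10")],
}

MX_PROVIDERS = [  # deck patterns, redacted labels dropped
    ("mail.protection.outlook.com", "Microsoft O365"),
    ("messagelabs.com", "Symantec Security.Cloud"),
    ("google.com", "Google App Suite"),
    ("pphosted.com", "ProofPoint"),
]
TXT_PROVIDERS = {"adobe-idp-site-verification": "Adobe"}
TOOL_LABELS = {"epo", "paloalto", "siem"}
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(records, name):
    return [rdata for rtype, rdata in records.get(name, []) if rtype == "TXT"]


def mail_providers(records, domain):
    """(exchange, provider) for each MX host, matched on the known provider suffixes."""
    out = []
    for rtype, rdata in records.get(domain, []):
        if rtype != "MX":
            continue
        host = rdata.split()[1].rstrip(".").lower()
        provider = next((p for suffix, p in MX_PROVIDERS if host == suffix or host.endswith("." + suffix)),
                        "self-hosted/unknown")
        out.append((host, provider))
    return out


def txt_providers(records, domain):
    """Third parties identified by site-verification tokens in the apex TXT records."""
    return sorted({p for txt in txt_records(records, domain)
                   for prefix, p in TXT_PROVIDERS.items() if txt.lower().startswith(prefix)})


def spf_policy(records, domain):
    """Result the 'all' mechanism imposes on unlisted senders; None when no SPF record exists."""
    for txt in txt_records(records, domain):
        if txt.lower().startswith("v=spf1"):
            for token in txt.split()[1:]:
                if token.lstrip("+-~?").lower() == "all":
                    return SPF_QUALIFIERS[token[0] if token[0] in SPF_QUALIFIERS else "+"]
            return "no 'all' mechanism"
    return None


def dmarc_policy(records, domain):
    """The p= tag of _dmarc.<domain>; None when the domain publishes no DMARC record."""
    for txt in txt_records(records, "_dmarc." + domain):
        if txt.upper().startswith("V=DMARC1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            return tags.get("p")
    return None


def dkim_selectors(records, domain):
    """Selectors that publish a DKIM key under <selector>._domainkey.<domain>."""
    suffix = "._domainkey." + domain
    return sorted(name[:-len(suffix)] for name in records
                  if name.endswith(suffix) and any("v=DKIM1" in t for t in txt_records(records, name)))


def security_tool_hosts(records, domain):
    """Names whose first label is one of the deck's tool names."""
    return sorted(n for n in records if n.endswith("." + domain) and n.split(".")[0] in TOOL_LABELS)


def posture_report(records, domain):
    return {"mail": mail_providers(records, domain), "third_parties": txt_providers(records, domain),
            "spf": spf_policy(records, domain), "dmarc": dmarc_policy(records, domain),
            "dkim_selectors": dkim_selectors(records, domain), "tools": security_tool_hosts(records, domain)}


if __name__ == "__main__":
    for key, value in posture_report(RECORDS, "example.com").items():
        print(f"{key:15} {value}")
```

Read the report the same way from either side of the fence: `spf` of `softfail` or `neutral`, a `dmarc` of `none`, or an empty `dkim_selectors` list means the domain is not actually enforcing anything against spoofing, and `tools` is the list of host names you would rather not have resolvable from the outside.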

Additional Resources
DNS RFCs:
  RFC 1035
  RFC 1101
  RFC 4025
Hermit:
  https://twitter.com/hermit_hacker
  https://www.cryptolingus.net/
  https://www.stackattack.net/blog/