Saturday, March 29, 2014

How To Hack: Using dnsdict6 to Enumerate DNS Records (IP, NS, MX, Sub domains, etc)



INTRODUCTION

If you want to gather information about a target's DNS, you should probably use a tool like dnsdict6 to help you enumerate many details that are not easily apparent to the average user or web surfer.
With dnsdict6 you can find information such as:
  • Subdomain information
  • All IPv4 and IPv6 addresses
  • Details of SRV records
  • Details of Name Server (NS) and Mail Exchanger (MX) records
So, now we will jump into dnsdict6 on Kali Linux, your best option for a penetration testing distribution.

HOW TO OPEN DNSDICT6 ON KALI LINUX

To open dnsdict6, go to Kali Linux > Information Gathering > DNS Analysis > dnsdict6.
See the below image:

DNSDICT6 OPENED

Once you have opened dnsdict6, you will find various options on your screen.
A good pen tester will always read and understand all the options at his disposal.
So let's see what kind of options we have, with some examples:
  • -4 : dump IPv4 addresses. Try this on your terminal. Example: dnsdict6 -4 [url]
  • -t [#] : specify the number of threads. Remember the default is 8 and the maximum you can use is 32. Example: dnsdict6 -d -t 18 [url]
  • -d : display IPv6 information on the NS and MX records of the domain. Example: dnsdict6 -d [url]
  • -S : perform SRV service record enumeration. Example: dnsdict6 -S -t 21 [url]
  • -[smlx] : choose the size of the built-in dictionary: -s small, -m medium, -l large, -x xtreme
For more information you can see the below image:

DNSDICT HELP OPTION

If you need help you can use the help option.
Command is :
dnsdict6 -h
See the result of this command in the below image:

EXAMPLE 1 : ENUMERATION WITH DEFAULT SETTINGS

This example shows the DNS entries of a given domain.
Command is :
dnsdict6 facebook.com
When you run this command without any further options, it automatically uses the default number of threads, i.e. 8, and the medium dictionary size (-m, 796 entries).
This command takes 1 – 2 minutes to complete.
See the below image:

EXAMPLE OUTPUT

Here is the output of the command we just performed. It shows the different DNS entries on your screen with their IPv6 addresses.
This tool shows you a big list of entries if you are enumerating a larger web domain, such as facebook, google, etc.
See the below image:
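
Seen from the DNS server side, a run like this has a signature worth knowing as a defender: the dictionary makes one client ask for many different names under the same zone in a short time, and most of those names do not exist. The following added example (it is not from this post and not dnsdict6 code) flags clients that produce a burst of distinct NXDOMAIN answers under one zone. The log lines are constructed in a simplified "timestamp client name rcode" layout, not any real server's format, and the window and threshold values are assumptions to tune for your own server.

```python
"""Spot DNS dictionary enumeration in a query log.

Added example for this post; it is not dnsdict6 code and the log lines are
constructed. A tool that resolves every name in a dictionary makes one client
produce a burst of NXDOMAIN answers for many distinct names under one zone, so
we count distinct NXDOMAIN names per (client, zone) inside a sliding window.
Log layout assumed here: "timestamp client qname rcode", lines in time order
(not a real server's format; adapt parse_line for yours).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 is a normal client, 198.51.100.9 walks a wordlist.
SAMPLE_LOG = """\
2014-03-29T10:00:00 203.0.113.7 www.example.com NOERROR
2014-03-29T10:00:01 203.0.113.7 mail.example.com NOERROR
2014-03-29T10:00:01 198.51.100.9 admin.example.com NXDOMAIN
2014-03-29T10:00:01 198.51.100.9 backup.example.com NXDOMAIN
2014-03-29T10:00:01 198.51.100.9 dev.example.com NXDOMAIN
2014-03-29T10:00:02 198.51.100.9 ftp.example.com NOERROR
2014-03-29T10:00:02 198.51.100.9 intranet.example.com NXDOMAIN
2014-03-29T10:00:02 198.51.100.9 portal.example.com NXDOMAIN
2014-03-29T10:00:03 198.51.100.9 staging.example.com NXDOMAIN
2014-03-29T10:00:03 198.51.100.9 vpn.example.com NXDOMAIN
2014-03-29T10:00:03 203.0.113.7 wwww.example.com NXDOMAIN
2014-03-29T10:09:00 198.51.100.9 test.example.com NXDOMAIN
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def zone_of(qname: str, depth: int = 2) -> str:
    """Key the name by its last `depth` labels (assumption: two-label zones
    like example.com; use a public-suffix list for real data)."""
    return ".".join(qname.split(".")[-depth:])


def find_enumerators(log_text: str, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Return {client: peak count} for clients whose number of distinct
    NXDOMAIN names under a single zone within `window_seconds` reached
    `threshold`. Window and threshold are assumptions to tune per server."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (client, zone) -> deque of (ts, qname), NXDOMAIN only
    peak = defaultdict(int)       # client -> highest distinct count seen
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, qname, rcode = parse_line(raw)
        if rcode != "NXDOMAIN":
            continue
        q = recent[(client, zone_of(qname))]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct > peak[client]:
            peak[client] = distinct
    return {client: n for client, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct NXDOMAIN names in one zone within 60s")
```

On a busy resolver a threshold of a few dozen per minute is more realistic than 5; the useful signal is the per-client, per-zone burst of distinct non-existent names, which separates a wordlist run from ordinary typo traffic such as the single wwww.example.com miss in the sample.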

EXAMPLE 2 : ENUMERATING DNS RECORDS

In this example, you will find the name server (NS) and mail exchange (MX) records.
To see the NS and MX records, you have to use the -d option, as we have done in our example.
After running the command, it shows the DNS records of google.com with IPv4 addresses.
Why IPv4 addresses? Because we used the -4 option with the command, which dumps all the IPv4 addresses.
Remember: if you don't specify the number of threads or a dictionary size, it uses the default threads (8) and dictionary size (medium).


EXAMPLE 3 : ENUMERATE IPV4, IPV6, NAME SERVER AND MAIL SERVER RECORDS WITH OPTIONS

This example is the same as the one above in that it enumerates NS and MX records, but the main difference is that we are going to set the number of threads and the dictionary size manually.
Command is :
dnsdict6 -d46 -t 32 -x google.com
This command displays the NS and MX records with their IPv4 and IPv6 addresses; the number of threads we use is 32 and the dictionary size is xtreme (-x).
So try this example and you will be able to gather as much information as you can.


EXAMPLE 4 : ENUMERATE SRV SERVICE RECORDS

Finally, we will take a look at an SRV record example.
First, we should understand what an SRV record actually is (according to Wikipedia):
A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services.
It is defined in RFC 2782, and its type code is 33. Some Internet protocols such as the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) often require SRV support by network elements.
An SRV record has the form:
_service._proto.name. TTL class SRV priority weight port target
Now look at the fields of the record and analyse them:
  • service: the symbolic name of the desired service.
  • proto: the transport protocol of the desired service; this is usually either TCP or UDP.
  • name: the domain name for which this record is valid, ending in a dot.
  • TTL: standard DNS time to live field.
  • class: standard DNS class field (this is always IN).
  • priority: the priority of the target host, lower value means more preferred.
  • weight: A relative weight for records with the same priority.
  • port: the TCP or UDP port on which the service is to be found.
  • target: the canonical hostname of the machine providing the service, ending in a dot.
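
To make the field layout concrete, here is an added example (not part of the original post, and not dnsdict6 code) that parses SRV records written in the presentation form above and orders the targets the way RFC 2782 tells clients to: lowest priority value first, then a weighted random choice among records sharing that priority. The records for example.com are constructed sample data.

```python
"""Parse SRV records in RFC 2782 presentation form and order their targets.

Added example for this post; it is not dnsdict6 code. The records below are
constructed sample data for example.com.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    service: str   # e.g. "sip" (owner label "_sip" with the underscore removed)
    proto: str     # e.g. "tcp"
    name: str      # zone the record belongs to, fully qualified
    ttl: int
    priority: int  # lower value = more preferred
    weight: int    # relative weight among records of the same priority
    port: int
    target: str    # canonical hostname providing the service, fully qualified


def parse_srv(line: str) -> SrvRecord:
    """Parse one line of the form
         _service._proto.name. TTL class SRV priority weight port target
    and return an SrvRecord. Raises ValueError for anything malformed."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    owner, ttl, rclass, rtype, priority, weight, port, target = fields
    if rclass.upper() != "IN" or rtype.upper() != "SRV":
        raise ValueError(f"not an IN SRV record: {line!r}")
    labels = owner.split(".", 2)
    if len(labels) != 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner must look like _service._proto.name.: {owner!r}")
    service, proto, name = labels[0][1:], labels[1][1:], labels[2]
    if not (name.endswith(".") and target.endswith(".")):
        raise ValueError("name and target must be fully qualified (end with a dot)")
    numbers = {"TTL": int(ttl), "priority": int(priority),
               "weight": int(weight), "port": int(port)}
    # priority, weight and port are 16-bit fields in the wire format
    for label in ("priority", "weight", "port"):
        if not 0 <= numbers[label] <= 65535:
            raise ValueError(f"{label} out of range: {numbers[label]}")
    return SrvRecord(service, proto, name, numbers["TTL"], numbers["priority"],
                     numbers["weight"], numbers["port"], target)


def load_zone(text: str) -> list:
    """Parse every non-empty, non-comment (';') line of a zone fragment."""
    return [parse_srv(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


def order_targets(records, rng=None) -> list:
    """Return (target, port) pairs in the order a client should try them.
    RFC 2782: try the lowest priority value first; within one priority pick
    targets at random with probability proportional to weight, and only fall
    back to a plain uniform pick when every remaining candidate has weight 0."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pending = list(by_priority[priority])
        while pending:
            weighted = [r for r in pending if r.weight > 0]
            pool = weighted or pending
            weights = [r.weight for r in pool] if weighted else None
            chosen = rng.choices(pool, weights=weights, k=1)[0]
            ordered.append((chosen.target, chosen.port))
            pending.remove(chosen)
    return ordered


# Constructed sample zone fragment (not real example.com data).
SAMPLE_ZONE = """\
; SIP: two hosts at priority 10, one backup at priority 20
_sip._tcp.example.com.         3600 IN SRV 10 60  5060 sip-a.example.com.
_sip._tcp.example.com.         3600 IN SRV 10 0   5060 sip-b.example.com.
_sip._tcp.example.com.         3600 IN SRV 20 100 5060 sip-backup.example.com.
_xmpp-client._tcp.example.com. 3600 IN SRV 5  0   5222 xmpp.example.com.
"""


def sip_order(zone_text: str = SAMPLE_ZONE) -> list:
    """Targets for the SIP-over-TCP service only, in client try order."""
    recs = [r for r in load_zone(zone_text) if (r.service, r.proto) == ("sip", "tcp")]
    return order_targets(recs)


if __name__ == "__main__":
    for rec in load_zone(SAMPLE_ZONE):
        print(f"{rec.service}/{rec.proto} -> {rec.target}:{rec.port} "
              f"(priority {rec.priority}, weight {rec.weight})")
    print("SIP try order:", sip_order())
```

Running it prints each parsed record and the SIP try order; with the sample data that order is always sip-a, then sip-b (weight 0 is chosen only once nothing weighted remains), then the priority-20 backup, which is the behaviour the priority and weight fields above describe.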

CONCLUSION

This tool is used for enumerating DNS records.
Now that you have the basics, you can try more on your own!
This tool will help you better understand the workings and compartmentalization of domains, as well as how the target business network is organized. This information is for educational and legal pen testing use. Do not do things that are evil and bad.
