82 ◾ Ethical Hacking and Penetration Testing Guide
The status NOERROR tells us that our nonrecursive query was accepted. However, the query did not return an answer. Therefore, we would conclude that no one using this server had visited the site. If we had received an answer, then we would know that someone had visited rafayhackingarticles.net.
Recursive Method
Now let’s see how to use the recursive method to perform DNS cache snooping. This method is not very accurate and is not recommended. Anyway, here is how we can accomplish it:
1. The first step would be to ask the DNS cache for any given resource record, for example, A, MX, or CNAME.
2. Next, we would set the query to be recursive instead of nonrecursive.
3. Next, we would examine the TTL field, which tells us how long the DNS record stays inside the cache. So we would examine the TTL in the answer section and compare it with the TTL that was initially set. If the TTL field in the answer section is less than the initially set TTL field, the record is most likely cached and someone on that domain name server visited that website.
4. Now, if the record is not present in the cache, it will be present after the first query is made. We would use dig again; the syntax will be the same, and all we need to do is change from +norecurse to +recurse.
The status NOERROR shows us that our query was accepted by the server. The Time to live (TTL) is set to 14064. Now, we would need to determine the TTL that was initially set. We will do it by querying the name servers of our domain www.techlotips.com, which happen to be ns2693.hostgator.com and ns2694.hostgator.com.
Command:
dig @ns2694.hostgator.com www.techlotips.com A +recurse
You can see that the TTL is the same, which means that most likely the website was not visited. Now that the first query has been made, the website will be present in our cache. We will use the same query again; we can see that the TTL is much lower now since it is present in our cache. Here is an example:
The TTL has been lowered to “13660.” If this had been the TTL field the first time we performed the query, it would have meant that someone on the server had visited that website.
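The two decision rules described above (nonrecursive method: NOERROR with an empty answer section means not cached; recursive method: an answer TTL below the authoritative TTL means cached) are easy to get wrong when read by eye, so here is an added example, not from the book, that parses dig output and applies both rules. The dig outputs below are constructed to match the values quoted in the text (authoritative TTL 14064, cached TTL 13660); the IP address, query ids and the REFUSED sample are made up. The REFUSED case is what an administrator should expect to see when auditing their own resolver from outside, since a resolver that denies cache access to untrusted clients cannot be snooped this way.

```python
import re
from dataclasses import dataclass

# --- Constructed dig outputs (not real captures) -------------------------
# Nonrecursive query, record absent from the cache: NOERROR, ANSWER: 0.
NONRECURSIVE_MISS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rafayhackingarticles.net.\t\tIN\tA
"""

# Recursive query answered straight from the authoritative value (TTL 14064).
RECURSIVE_FRESH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.techlotips.com.\t14064\tIN\tA\t192.0.2.10
"""

# Same query later: the TTL has counted down in the cache (13660).
RECURSIVE_CACHED = RECURSIVE_FRESH.replace("14064", "13660")

# A resolver that refuses to expose its cache to this client (hypothetical).
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12347
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""


@dataclass
class DigResult:
    status: str
    answers: list  # (name, ttl, rrtype, rdata) tuples from the ANSWER SECTION


def parse_dig(output: str) -> DigResult:
    """Pull the response status and the answer records out of dig's text output."""
    m = re.search(r"status:\s*([A-Z]+)", output)
    status = m.group(1) if m else "UNKNOWN"
    answers = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break  # answer section ends at a blank line or the next section
            parts = line.split()
            if len(parts) >= 5 and parts[1].isdigit():
                name, ttl, _cls, rrtype = parts[:4]
                answers.append((name, int(ttl), rrtype, " ".join(parts[4:])))
    return DigResult(status, answers)


def nonrecursive_verdict(output: str) -> str:
    """Nonrecursive method: an accepted query with no answer means 'not cached'."""
    r = parse_dig(output)
    if r.status == "REFUSED":
        return "inconclusive: resolver refuses cache queries from this client"
    if r.status != "NOERROR":
        return f"inconclusive: status {r.status}"
    return "cached" if r.answers else "not cached"


def recursive_verdict(output: str, authoritative_ttl: int) -> str:
    """Recursive method: compare the answer TTL with the TTL the zone owner set."""
    r = parse_dig(output)
    if r.status != "NOERROR" or not r.answers:
        return "inconclusive"
    ttl = r.answers[0][1]
    if ttl < authoritative_ttl:
        return f"likely cached (TTL {ttl} < authoritative {authoritative_ttl})"
    if ttl == authoritative_ttl:
        return f"likely not cached (TTL {ttl} == authoritative {authoritative_ttl})"
    return "inconclusive (answer TTL exceeds the authoritative TTL; re-check the authoritative value)"


if __name__ == "__main__":
    print("nonrecursive:", nonrecursive_verdict(NONRECURSIVE_MISS))
    print("first recursive:", recursive_verdict(RECURSIVE_FRESH, 14064))
    print("second recursive:", recursive_verdict(RECURSIVE_CACHED, 14064))
    print("hardened resolver:", nonrecursive_verdict(REFUSED))
```

Two caveats the comparison does not capture: the first recursive query itself populates the cache, so the recursive method can only be tried once per record per TTL window, and a resolver that forwards to an upstream cache returns the TTL remaining upstream, so a lowered TTL does not by itself prove that a client of the tested server looked the name up. From the defender's side, the useful check is the last case in the block: pointing the nonrecursive query at your own resolver from an outside address should yield REFUSED (or no response), not NOERROR.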