Ethical Hacking and Penetration Testing Guide



Command

dig @ns1.toltbbs.com rafayhackingarticles.net A +norecurse


The status NOERROR tells us that our nonrecursive query was accepted. However, the query 
did not return an answer, so we can conclude that no one using this server had visited the 
site. Had we received an answer, we would know that someone had visited rafayhackingarticles.net.
Recursive Method
Now let’s see how to use the recursive method to perform DNS cache snooping. This method is 
not very accurate and is not recommended. Anyway, here is how we can accomplish it:
1. The first step would be to ask the DNS cache for any given resource record, for example, A, 
MX, and CNAME.
2. Next, we would set the query to be recursive instead of nonrecursive.
3. Next, we would examine the TTL field, which will tell us how long the DNS record stays 
inside the cache. So we would examine the TTL in the answer section and compare it with 
the TTL that was initially set. If the TTL field in the answer section is less than the initially 
set TTL field, the record is most likely cached and someone on that domain name server 
visited that website.
4. Now, if the record is not present in the cache, it will be present after the first query is made.
We would use dig again; the syntax is the same, and all we need to do is change +norecurse 
to +recurse.


The status NOERROR shows us that our query was accepted by the server. The time to live 
(TTL) is set to 14064. Now, we would need to determine the TTL that was initially set. We 
will do it by querying the name servers of our domain www.techlotips.com, which happen to be 
ns2693.hostgator.com and ns2694.hostgator.com.
Command

dig @ns2694.hostgator.com www.techlotips.com A +recurse
You can see that the TTL is the same, which means that most likely the website was not 
visited. Now that the first query has been made, the website is present in our cache. If we 
run the same query again, we can see that the TTL is much lower, since the record is now 
served from our cache. Here is an example:
The TTL has been lowered to "13660." If this had been the TTL the first time we performed 
the query, it would have meant that someone on the server had visited that website.
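
The decision rules of both methods above, as an added example (not code from the book): Python that parses dig's text output and applies the answer/no-answer and TTL comparisons, which is also how an administrator can check what their own resolver reveals. The sample replies are constructed, 192.0.2.10 is a placeholder address, and the function names are hypothetical.

```python
import re

# One answer-section line of dig output: name, TTL, class IN, type, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return (status, [(name, ttl, rtype, rdata), ...]) from dig text output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else None
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False          # blank line or next section ends the answers
        elif in_answer:
            a = ANSWER_RE.match(line.strip())
            if a:
                answers.append((a.group(1), int(a.group(2)), a.group(3), a.group(4)))
    return status, answers

def snoop_verdict(reply, recursive, original_ttl=None):
    """Apply the page's rules to one reply; original_ttl is the authoritative TTL."""
    status, answers = parse_dig(reply)
    if status != "NOERROR":
        return "inconclusive"          # REFUSED, SERVFAIL, ...: nothing can be inferred
    if not recursive:                  # +norecurse: an answer can only come from cache
        return "cached" if answers else "not cached"
    if not answers or original_ttl is None:
        return "inconclusive"
    ttl = min(a[1] for a in answers)
    # Recursive lookups populate the cache, so only the first reply is meaningful.
    return "likely cached" if ttl < original_ttl else "not cached before this query"

# Constructed sample replies using the TTL values quoted in the text.
HEADER = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711\n"
NO_ANSWER = HEADER + ";; QUESTION SECTION:\n;rafayhackingarticles.net.\tIN\tA\n"

def with_ttl(ttl):
    return (HEADER + ";; QUESTION SECTION:\n;www.techlotips.com.\tIN\tA\n\n"
            ";; ANSWER SECTION:\n"
            f"www.techlotips.com.\t{ttl}\tIN\tA\t192.0.2.10\n\n;; Query time: 20 msec\n")

if __name__ == "__main__":
    print(snoop_verdict(NO_ANSWER, recursive=False))
    print(snoop_verdict(with_ttl(14064), recursive=True, original_ttl=14064))
    print(snoop_verdict(with_ttl(13660), recursive=True, original_ttl=14064))
```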
