Ethical Hacking and Penetration Testing Guide
Reverse DNS
In a reverse DNS attack, we do the opposite: starting from the IP ranges we have already found, we try to identify the valid hostnames that those addresses map back to.
Reverse DNS Lookup with Dig
For performing a reverse DNS lookup, we first need to write the IP address in reverse order. For example:
208.80.152.201 (Wikipedia’s IP)
201.152.80.208 (reverse order)
Next, we append “.in-addr.arpa” to it, so it becomes 201.152.80.208.in-addr.arpa, and finally make a DNS PTR query in dig. So the whole command will look like this:
dig 201.152.80.208.in-addr.arpa PTR
As you can clearly see from this image, the query resolves to Wikipedia’s server.
Reverse DNS Lookup with Fierce
Alternatively, you can also perform a reverse DNS lookup with fierce, where you need to input the network range and the DNS server to query (shown here as placeholders):
./fierce.pl -range <network-range> -dnsserver <dns-server>
Here are a couple of websites that can perform reverse DNS lookup:
http://remote.12dt.com/lookup.php
http://www.zoneedit.com/lookup.html
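The two steps above (reversing the octets and appending “.in-addr.arpa”, then walking a whole range the way fierce does) as a worked example in Python. This is added code, not from the book or from the fierce project; it uses only the standard library, and the PTR table and the 192.0.2.0/24 addresses in it are constructed sample data so the sweep can be run offline. It also goes beyond the text by handling IPv6, whose PTR names live under ip6.arpa with one label per hex nibble.

```python
import ipaddress
import socket


def reverse_name(ip: str) -> str:
    """Return the owner name that a PTR query for `ip` is sent to.

    IPv4: octets reversed + '.in-addr.arpa' (the manual steps from the text).
    IPv6: every hex nibble of the expanded address reversed + '.ip6.arpa'.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_sweep(cidr: str, resolver=socket.gethostbyaddr) -> dict:
    """Ask for the PTR record of every host in `cidr` and return {ip: hostname}
    for the addresses that have one.

    `resolver` takes an IP string and returns (hostname, aliases, addresses)
    like socket.gethostbyaddr, or raises socket.herror when there is no PTR
    record. It is injectable so the sweep can be exercised offline.
    """
    found = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        ip = str(host)
        try:
            hostname, _aliases, _addrs = resolver(ip)
        except (socket.herror, socket.gaierror, OSError):
            continue  # no PTR record, timeout, or unreachable resolver
        found[ip] = hostname
    return found


# --- constructed sample data (assumption: not real lookups) ---------------
_CONSTRUCTED_PTR_TABLE = {
    "192.0.2.10": ("www.example.net", [], ["192.0.2.10"]),
    "192.0.2.12": ("mail.example.net", [], ["192.0.2.12"]),
}


def constructed_resolver(ip: str):
    """Stand-in for socket.gethostbyaddr backed by the constructed table."""
    if ip not in _CONSTRUCTED_PTR_TABLE:
        raise socket.herror(1, "Unknown host")
    return _CONSTRUCTED_PTR_TABLE[ip]


if __name__ == "__main__":
    # The name that `dig 201.152.80.208.in-addr.arpa PTR` asks for:
    print(reverse_name("208.80.152.201"))
    # Offline sweep over the constructed table:
    print(reverse_sweep("192.0.2.8/29", resolver=constructed_resolver))
    # Against your own range the default resolver does the real PTR queries:
    # reverse_sweep("192.0.2.0/28")
```

Each address in the range costs one PTR query, so a sweep of a large block is noisy from the resolver's point of view; defenders who want to see this activity can log PTR queries on their authoritative servers and look for sequential in-addr.arpa names arriving from one client.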
Information Gathering Techniques
Zone Transfers
A DNS server contains information such as host names and the IP addresses associated with them. DNS security should never be ignored, as it is a critical component. A zone transfer is used for replication of records between DNS servers. If an attacker can perform a successful zone transfer, he may be able to extract some important hosts which are not available publicly. However, you need to keep in mind that a successful zone transfer does not immediately result in a server compromise, but it aids an attacker in gathering useful information about the infrastructure. Most primary DNS servers won’t allow zone transfers, but backup servers may be vulnerable to it.
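A check a defender can run against each of their own authoritative servers (the primary and, as the paragraph above points out, every backup) to confirm that zone transfers are refused. This is added example code, not from the book or from any of the tools it goes on to describe; it speaks the DNS wire format directly with the standard library so there is nothing to install. The server name and zone in the comments are placeholders, and the two response messages decoded at the bottom are constructed so the verdict logic can be exercised offline.

```python
import socket
import struct

QTYPE_AXFR = 252  # the query type that requests a full zone transfer
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """DNS wire format for a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """A one-question DNS message asking for an AXFR of `zone` (no TCP length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: plain query
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)  # QCLASS IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header of a DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": an}


def verdict(hdr: dict) -> str:
    """'LEAK' when the server began sending zone records, 'OK' when it refused."""
    if hdr["rcode"] == 0 and hdr["answers"] > 0:
        return "LEAK"
    return "OK"


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def check_axfr(nameserver: str, zone: str, timeout: float = 5.0) -> dict:
    """Send one AXFR request over TCP (zone transfers are TCP-only) and judge
    the first response message. A hardened server answers REFUSED or NOTAUTH
    with an empty answer section, or simply closes the connection; a server
    that allows the transfer answers NOERROR with the zone's SOA first."""
    query = build_axfr_query(zone)
    try:
        with socket.create_connection((nameserver, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _read_exact(s, 2))
            hdr = parse_header(_read_exact(s, length))
    except (ConnectionError, socket.timeout) as exc:
        hdr = {"rcode": -1, "rcode_name": f"NO-RESPONSE ({exc})", "answers": 0}
    hdr["verdict"] = verdict(hdr)
    return hdr


if __name__ == "__main__":
    # Live use against your own servers (placeholders):
    #   check_axfr("ns1.example.com", "example.com")
    # Offline demonstration on two constructed response headers:
    refused = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)  # QR set, RCODE 5
    leaking = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 7, 0, 0)  # QR+AA, 7 answers
    for label, msg in (("refused", refused), ("leaking", leaking)):
        print(label, verdict(parse_header(msg)))
```

Run it against every NS record of the zone, not just the primary, since the text's point is that a secondary left with a permissive allow-transfer setting is the usual leak; in BIND the fix is an `allow-transfer` list restricted to the secondaries' addresses or a TSIG key.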
There are many tools for performing DNS zone transfer; let’s take a look at them one by one.