Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
134
In Listing 41, we queried a valid hostname and received an IP resolution response. By contrast, Listing 42 returned an error (NXDOMAIN[247]) indicating that no public DNS record exists for that hostname. Since we now understand how to search for valid hostnames, we can automate our efforts.
Having learned the basics of DNS enumeration, we can develop DNS brute-forcing techniques to speed up our research.
Brute forcing is a trial-and-error technique that seeks to find valid information such as directories on a web server, username and password combinations, or in this case, valid DNS records. By using a wordlist containing common hostnames, we can attempt to guess DNS records and check the response for valid hostnames.
In the examples so far, we used forward lookups, which request the IP address of a hostname, to query both a valid and an invalid hostname. If host successfully resolves a name to an IP, this could be an indication of a functional server.
We can automate the forward DNS lookup of common hostnames using the host command in a Bash one-liner. First, let's build a list of possible hostnames.
kali@kali:~$
cat list.txt
www
ftp
mail
owa
proxy
router
Listing 43 - A small list of possible hostnames
Next, we can use a Bash one-liner to attempt to resolve each hostname.
kali@kali:~$
for ip in $(cat list.txt); do host $ip.megacorpone.com; done
www.megacorpone.com has address 149.56.244.87
Host ftp.megacorpone.com not found: 3(NXDOMAIN)
mail.megacorpone.com has address 51.222.169.212
Host owa.megacorpone.com not found: 3(NXDOMAIN)
Host proxy.megacorpone.com not found: 3(NXDOMAIN)
router.megacorpone.com has address 51.222.169.214
Listing 44 - Using Bash to brute force forward DNS name lookups
Using this simplified wordlist, we discovered entries for "www", "mail", and "router". The hostnames "ftp", "owa", and "proxy", however, were not found.
Much more comprehensive wordlists are available as part of the SecLists project.[248] These wordlists can be installed to the /usr/share/seclists directory using the sudo apt install seclists command.
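As an added example (not code from the course text), here is a Bash helper that turns the raw host output of Listing 44 into a list of resolved hosts and counts how many of them fall into each /24 block. The sample lines are embedded so it runs offline, and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Constructed sample input: the six lines that `host` printed in Listing 44,
# embedded here so the helpers can be exercised offline, without DNS queries.
SAMPLE_HOST_OUTPUT='www.megacorpone.com has address 149.56.244.87
Host ftp.megacorpone.com not found: 3(NXDOMAIN)
mail.megacorpone.com has address 51.222.169.212
Host owa.megacorpone.com not found: 3(NXDOMAIN)
Host proxy.megacorpone.com not found: 3(NXDOMAIN)
router.megacorpone.com has address 51.222.169.214'

# Read `host` output on stdin and print "hostname ip" for each A record.
# "not found: 3(NXDOMAIN)" lines (and any "has IPv6 address" lines) are
# dropped, which is the same filtering the text later does with grep -v.
resolved_hosts() {
    awk '$2 == "has" && $3 == "address" { print $1, $4 }'
}

# Read "hostname ip" lines on stdin and print each /24 block together with
# the number of resolved hosts inside it, most populated block first. This
# makes the "same approximate range" observation (51.222.169.X) explicit.
summarize_ranges() {
    awk '{ n = split($2, o, "."); if (n == 4) print o[1] "." o[2] "." o[3] ".0/24" }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Stand-alone demo on the constructed sample (hypothetical usage).
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | resolved_hosts | summarize_ranges
```

To apply it to live output, pipe the Listing 44 loop into resolved_hosts instead of the sample variable.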
With the exception of the www record, our forward DNS brute-force enumeration revealed a set of scattered IP addresses in the same approximate range (51.222.169.X). If the DNS administrator of megacorpone.com configured PTR[249] records for the domain, we could scan the approximate range with reverse lookups to request the hostname for each IP.
Let's use a loop to scan IP addresses 51.222.169.200 through 51.222.169.254. We will filter out invalid results (using grep -v) by showing only entries that do not contain "not found".
[247] (Internet Engineering Task Force, 2016), https://tools.ietf.org/html/rfc8020
[248] (danielmiessler, 2022), https://github.com/danielmiessler/SecLists
kali@kali:~$