DNS - Domain Name System

This section will cover ways to attack Domain Name System (DNS).

Table of Contents
  • Overview
  • Enumeration
    • Nmap
    • DNS Zone Transfer
    • Subdomain Enumeration
  • Exploitation
    • Domain and Subdomain Takeover
    • DNS Cache Poisoning

Overview

DNS is used to resolve (translate) human-readable names to IP addresses. For example, mycorp.lan might resolve to 192.168.2.200.

By default, DNS uses TCP and UDP port 53. Most DNS traffic is UDP; TCP is used when a message exceeds 512 bytes or for tasks such as zone transfers.

Enumeration

We can use several tools to enumerate DNS.

The following tools and methods will be covered here:

  • Nmap
  • DNS Zone Transfer
  • Subdomain Enumeration

Nmap

We can target port 53 using Nmap to enumerate DNS while using flags such as -sV or -sC.

nmap -sV -sC -Pn -p 53 <Target IP>

Command breakdown:

  • -sV - Probe the service to identify its version.
  • -sC - Run the default NSE scripts.
  • -Pn - Skip host discovery and treat the target as up.
  • -p 53 - Specify the port to scan.
  • <Target IP> - Specify the target IP address.

DNS Zone Transfer

We can attempt a zone transfer (replicating a zone's records to another DNS server) to identify potential targets and hidden resources.

We can use dig to perform an AXFR zone transfer.

dig AXFR @<DNS FQDN or Target IP> <domain>

Command breakdown:

  • AXFR - Specify to perform a zone transfer.
  • @<DNS FQDN or Target IP> - Specify the DNS server Fully Qualified Domain Name (FQDN) or IP address.
  • <domain> - Specify the target domain.

An example:

dig AXFR @ns1.mycorp.lan mycorp.lan

We can also use a tool called fierce to enumerate all DNS servers of the root domain and scan for a DNS zone transfer.

fierce --domain <domain>
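The two protocol points made above, that DNS falls back to TCP once the 512-byte UDP limit is hit and that a zone transfer runs over TCP, can be checked from first principles with the standard library. The following is an added example, not code from the original page or from any of the tools it lists: it builds a raw DNS query, decodes the header (the TC bit that signals a truncated UDP answer, the RCODE), frames messages for TCP with the 2-byte length prefix, and asks a nameserver for an AXFR so an administrator can confirm their own server answers REFUSED rather than handing out the zone. The server address 192.0.2.53, the zone mycorp.lan and the canned replies are constructed for the offline demonstration; the `connect` parameter is an assumption of this example that lets a real `socket.create_connection` be swapped for a stand-in.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AXFR": 252}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS labels: mycorp.lan -> b'\\x06mycorp\\x03lan\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Standard query (QR=0, RD=1) carrying one question in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header: id, QR, TC, RCODE and the section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": RCODES.get(flags & 0xF, "OTHER"),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """TC=1 means the server cut the UDP answer at the 512-byte limit; repeat over TCP."""
    return parse_header(udp_response)["truncated"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def read_tcp_message(sock) -> bytes:
    """Read one length-prefixed DNS message from a connected TCP socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def check_axfr(server_ip: str, zone: str, connect=socket.create_connection) -> str:
    """Request a full zone transfer over TCP and classify the server's first reply.

    REFUSED is what a correctly restricted server returns; NOERROR with records
    means anyone can copy the zone. `connect` is injectable for offline tests.
    """
    query = build_query(zone, "AXFR")
    with connect((server_ip, 53), timeout=5) as sock:
        sock.sendall(tcp_frame(query))
        reply = read_tcp_message(sock)
    hdr = parse_header(reply)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["is_response"]:
        raise ValueError("reply does not belong to our query")
    if hdr["rcode"] == "NOERROR" and hdr["ancount"] > 0:
        return "TRANSFER ALLOWED"
    return hdr["rcode"]


# --- constructed stand-ins so the check can be exercised without a server ---
def canned_reply(query: bytes, rcode: int, ancount: int = 0) -> bytes:
    """Response header (QR=1, RD=1, RA=1, given RCODE) echoing the question.
    ancount is only a header claim here; no resource records are appended."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0) + query[12:]


class CannedSocket:
    """Minimal socket double that replays one framed response."""
    def __init__(self, response: bytes):
        self.buf, self.sent = tcp_frame(response), b""
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def sendall(self, data: bytes):
        self.sent += data
    def recv(self, n: int) -> bytes:
        chunk, self.buf = self.buf[:n], self.buf[n:]
        return chunk


def check_axfr_offline(zone: str, rcode: int, ancount: int = 0) -> str:
    """Run check_axfr against a canned server (192.0.2.53 is a documentation address)."""
    reply = canned_reply(build_query(zone, "AXFR"), rcode, ancount)
    return check_axfr("192.0.2.53", zone, connect=lambda addr, timeout=None: CannedSocket(reply))


if __name__ == "__main__":
    print("restricted server:", check_axfr_offline("mycorp.lan", 5))       # REFUSED
    print("open server:", check_axfr_offline("mycorp.lan", 0, ancount=7))  # TRANSFER ALLOWED
```

Against a live server, call `check_axfr("<DNS FQDN or Target IP>", "<domain>")` with the default `connect`; the AXFR query is sent framed over TCP exactly as `dig AXFR` does, and the first reply is enough to tell a restricted server (REFUSED) from one that starts streaming the zone.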

Subdomain Enumeration

We can look for subdomains by using tools such as gobuster, Subfinder, and Sublist3r.

This information can be used for attacks such as domain takeover, which is covered in the Exploitation section.

To use subfinder, we can use the following command.

subfinder -d <domain> -v

Command breakdown:

  • -d <domain> - Specify the domain to enumerate.
  • -v - Enable verbose mode.

To use sublist3r, we can use the following command.

sublist3r -d <domain>

To use gobuster, we can use the DNS module and specify our own wordlist.

gobuster dns -d <domain> -w /path/to/wordlist

Command breakdown:

  • dns - Specify to use the DNS module.
  • -d <domain> - Specify the domain to enumerate.
  • -w /path/to/wordlist - Specify the wordlist to use.

Exploitation

There are several ways in which DNS can be exploited.

This section will cover the following:

  • Domain and Subdomain Takeover
  • DNS Cache Poisoning

Domain and Subdomain Takeover

To perform a domain takeover, we will usually require a CNAME record that points to another domain. A CNAME record is an alias: it maps one name to another (canonical) name, so that different names can be directed to a single parent domain.

For example, suppose the CNAME record sub.mycorp.lan points to internal.lan. If an attacker controls the internal.lan domain, they control the sub.mycorp.lan subdomain until the DNS records are updated, because any user navigating to sub.mycorp.lan is redirected to internal.lan.

The below repository is a good reference for subdomain takeover.

https://github.com/EdOverflow/can-i-take-over-xyz
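The condition described above, an alias whose target the zone owner no longer controls, is something a domain owner can audit for in their own records. The following is an added example and not code from the page or from the can-i-take-over-xyz project: it parses dig-style CNAME lines, such as those a zone transfer or the subdomain tools above would produce, and flags every alias whose target does not resolve. The sample records, the names under mycorp.lan, example.net and example.org, and the injectable `resolves` callback are constructed for this example; with the default callback the system resolver is used.

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed dig-style records for the example zone; not a dump of a real zone.
SAMPLE_RECORDS = """\
; constructed sample, not output from a real server
www.mycorp.lan.    300  IN  CNAME  mycorp-lb.internal.lan.
blog.mycorp.lan.   300  IN  CNAME  blog-host.example.net.
mail.mycorp.lan.   300  IN  A      192.0.2.10
old.mycorp.lan.    300  IN  CNAME  retired.example.org.
"""


def parse_cnames(text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) for each CNAME line; comments and other types are skipped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "CNAME":
            pairs.append((fields[0].rstrip("."), fields[4].rstrip(".")))
    return pairs


def system_resolves(name: str) -> bool:
    """Ask the system resolver whether the name has any address; False on NXDOMAIN."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: Iterable[Tuple[str, str]],
                  resolves: Callable[[str], bool] = system_resolves) -> List[Tuple[str, str]]:
    """A CNAME whose target no longer resolves is dangling: the alias keeps sending
    users to a name that whoever can register or claim it would answer for."""
    return [(owner, target) for owner, target in records if not resolves(target)]


def audit(text: str, resolves: Callable[[str], bool] = system_resolves) -> List[Tuple[str, str]]:
    """Parse a record dump and return its dangling CNAMEs."""
    return find_dangling(parse_cnames(text), resolves)


if __name__ == "__main__":
    # Offline run with a constructed resolver that only knows two of the targets.
    known = {"mycorp-lb.internal.lan", "blog-host.example.net"}
    for owner, target in audit(SAMPLE_RECORDS, resolves=lambda n: n in known):
        print(f"dangling: {owner} -> {target}")  # old.mycorp.lan -> retired.example.org
```

NXDOMAIN on the target is the indicator, not the proof: whether a dangling alias is actually claimable depends on the service the target name belongs to, which is what the repository linked above catalogues per provider. The remediation is the same either way, delete or repoint the CNAME.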

DNS Cache Poisoning

DNS Cache Poisoning is also referred to as DNS spoofing. The attack replaces legitimate DNS records with false information so that the attacker can redirect traffic to a different site.

One example is an attacker performing a Man-in-the-Middle (MitM) attack between a user and a DNS server. Another is a vulnerability in the DNS server itself that allows an attacker to modify its records.

We can use tools such as Ettercap or Bettercap to perform Local DNS Cache Poisoning.

Before starting, we can start an HTTP server on the attacker's machine using Python.

python3 -m http.server 80

To use Ettercap, we will first need to modify the /etc/ettercap/etter.dns file to map the target domain to the IP address that we want to redirect a user to. This example will use mycorp.lan as the victim domain.

mycorp.lan    A  <Attacker IP>
*.mycorp.lan  A  <Attacker IP>

Once mapped, start Ettercap and scan for live hosts by navigating to Hosts > Scan for Hosts. Add the target IP address as Target1 and the default gateway IP address as Target2.

Once done, activate the dns_spoof plugin by navigating to Plugins > Manage Plugins. This sends the target machine fake DNS responses that resolve mycorp.lan to the attacker's IP address specified in the etter.dns file.

After it succeeds, attempt to navigate to mycorp.lan from the target. It should redirect to the attacker's IP address, and pinging the domain will resolve to the attacker's IP address as well.
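From the defender's side, the local spoofing described above leaves two traces on the wire: a client receives more than one reply for the same transaction ID and name (the forged reply races the genuine one, and the client silently drops whichever arrives second), and the answers disagree with what the authoritative zone actually says. The following is an added detection example, not code from the original page or from Ettercap or Bettercap; it runs over a constructed capture summary of DNS responses in an assumed "time src dst txid qname rdata" format (the kind of summary one would export from a packet capture) and flags both signals. All addresses, including 192.168.2.1 as the trusted resolver and 192.168.2.66 in the attacker's role, are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed capture summary (not real traffic). One line per DNS *response*
# seen on the LAN: "<time> <src> <dst> <txid> <qname> <rdata>".
SAMPLE_LOG = """\
10:00:01.101 192.168.2.1 192.168.2.50 0x3af1 mycorp.lan 192.168.2.200
10:00:05.420 192.168.2.1 192.168.2.50 0x9c02 mycorp.lan 192.168.2.66
10:00:05.431 192.168.2.1 192.168.2.50 0x9c02 mycorp.lan 192.168.2.200
10:00:07.005 192.168.2.1 192.168.2.50 0x1b77 www.mycorp.lan 192.168.2.66
10:00:09.210 192.168.2.1 192.168.2.51 0x44d0 mail.mycorp.lan 192.168.2.201
"""

# Authoritative view of what these names should resolve to (constructed).
KNOWN_GOOD: Dict[str, Set[str]] = {
    "mycorp.lan": {"192.168.2.200"},
    "www.mycorp.lan": {"192.168.2.200"},
    "mail.mycorp.lan": {"192.168.2.201"},
}


def parse_log(text: str) -> List[dict]:
    """Split each non-empty line into its six fields; names are normalised."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, txid, qname, rdata = line.split()
        entries.append({"ts": ts, "src": src, "dst": dst, "txid": txid.lower(),
                        "qname": qname.lower().rstrip("."), "rdata": rdata})
    return entries


def duplicate_answers(entries: List[dict]) -> List[Tuple[str, str, str, List[str]]]:
    """Flag (client, txid, qname) combinations that received more than one distinct answer.

    A client expects exactly one reply per transaction ID; two replies carrying
    different data is the signature of a forged response racing the genuine one.
    """
    seen: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for e in entries:
        seen[(e["dst"], e["txid"], e["qname"])].add(e["rdata"])
    return [(c, t, q, sorted(a)) for (c, t, q), a in seen.items() if len(a) > 1]


def unexpected_answers(entries: List[dict],
                       known_good: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Flag answers that disagree with the authoritative record set as (qname, rdata, client)."""
    findings = []
    for e in entries:
        expected = known_good.get(e["qname"])
        if expected is not None and e["rdata"] not in expected:
            findings.append((e["qname"], e["rdata"], e["dst"]))
    return findings


def analyse(text: str, known_good: Dict[str, Set[str]] = KNOWN_GOOD) -> dict:
    """Run both checks over a capture summary and return the findings."""
    entries = parse_log(text)
    return {"duplicates": duplicate_answers(entries),
            "unexpected": unexpected_answers(entries, known_good)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for client, txid, qname, answers in report["duplicates"]:
        print(f"[dup] {client} txid={txid} {qname}: {answers}")
    for qname, rdata, client in report["unexpected"]:
        print(f"[bad] {qname} -> {rdata} delivered to {client}")
```

The duplicate check needs no prior knowledge of the zone and catches the race itself; the known-good comparison catches a spoofed answer even when the genuine reply never arrives, but it needs an authoritative record set to compare against, for example one exported from the zone's primary server.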