5,6,7 Flashcards
Domain Name System
Type of hierarchical database
Most organisations have DNS and have more than one authoritative DNS server, which publishes the basic information about the domain and the name servers subordinate to it
Any DNS server that contains a complete copy of the zone file is considered to be authoritative for that domain only
It will contain an SOA record, a special resource record found in all DNS zone files that supplies other basic information about the zone and the valid name server records for the domain
The zone file also contains all the resource records for a domain, which are the mappings between IP addresses and domain names
DNS types of records
A - address record, which maps the domain name to an IP address
NS - name server record, which shows the name servers associated with a given domain
SRV - service record, which identifies the services present, like directory services
PTR - pointer record for inverse lookups, which indicates the IP address to domain name mapping
MX - mail exchange record, which shows the email servers that are being used
CNAME - canonical name record, which holds aliases and alternate names for that host
SOA - start of authority record, which states the authoritative DNS server for that zone
Nslookup
Available in all 3 servers
Can be used in 2 ways
Interactive mode
Can find authoritative name servers using set q=ns
Find mail servers using set q=mx
Recon tools
Whois database
Search the fine web
Email harvesting
Enumeration
Low technology
Describe DNS forward lookup and forward lookup brute force
Resolve a given name
Use this method to guess the names of servers that are live, or to check whether they exist
Done by using host followed by IP address
Complete DNS names in /pentest/enumeration/dnsenum/dns.txt or /usr/share/dnsenum/dns.txt
Automate this process by using a bash shell script to loop through DNS names and find out which servers are alive within the domain
Describe DNS reverse lookup and reverse lookup brute force
Relies on the existence of PTR records, as mail servers require PTR verification before accepting mail
Reverse lookup is similar to forward lookup, except that the input is an IP address instead of a domain name
Returns the FQDN of the IP address provided
Host names will give away certain clues about the use of specific servers
DNS enumeration
Locate all the DNS servers on a network and retrieve all their records
ip addresses, source functions and server addresses
DNS zone transfer
Zone transfer can be compared to a “database replication” act between related DNS servers.
– Changes to zone files are made on the primary DNS server.
– These files are replicated to the secondary servers by zone transfer.
* If DNS servers are misconfigured, a hacker can perform a zone transfer to obtain the zone information.
– Equivalent to telling the hacker what the network topology is.
– Countermeasure: configurations should separate the internal DNS namespace and the external DNS namespace into different, unrelated zones.
* A successful zone transfer might not result in penetration.
– However, it aids the hacker.
dig command
The dig command will query name servers for information about the target.
– Can perform zone transfers, unlike the nslookup command.
– Syntax: dig @[server] [name] [type]
* Type can be ANY, A, MX, etc.
* Default is A records.
– With the -t flag, a zone transfer can be performed.
* Full zone transfer: -t AXFR
* Incremental zone transfer: -t IXFR=N
– N is an integer referring to the serial number of an SOA record.
– Provides the records changed since the SOA serial number was N.
* e.g. dig @10.10.10.60 target.tgt -t AXFR
Scanning
Learn more about targets and find openings by interacting with the target.
* The hacker continues to gather information regarding the target network and its individual hosts.
* Information gathered in this phase helps the hacker to determine which exploit to use.
Type of Scanning
Network Sweeping
* Send probe packets to all addresses in target range.
* Identify live hosts in the target network.
Network Tracing
* Determine the topology of target network.
* Draw a network map using results from network sweeping.
Port Scanning
* Find openings by looking for listening TCP & UDP ports.
* Specific port numbers give hints to what services are running on machines
OS fingerprinting
* Determine the operating system based on their network behaviours.
* Using specially crafted test packets designed to measure the operating system behaviours.
* Sniffing traffic from the target to determine the kind of operating system.
Version Scanning
* Determine the version of services and protocols by interacting with open TCP and UDP ports.
* Note that administrator may put services on alternative ports.
Vulnerability Scanning
* Determine a list of potential vulnerabilities in the target environment based on findings.
* e.g. Misconfigurations or unpatched services.
Scanning Tips for Penetration Testing
Scan the target using its IP address, not its domain name.
– Many networks use DNS to perform load balancing and traffic distribution.
– Results might not be accurate.
* Unknowingly, multiple hosts are scanned simultaneously.
* Results are merged as if they are from one machine.
* An expected service derived from the results may not exist on the target machine.
Dealing with large scans
1. Sample a subset of machines.
* Choose sample targets with typical configurations that are similar to the other systems.
* Downside: these sample targets may not accurately represent the other systems.
2. Sample a subset of target ports.
* Only scan the most interesting ports.
– e.g. 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), etc.
– http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
* Downside: other ports are not tested and may be vulnerable.
3. Review the network firewall ruleset and scan only those ports that are not protected by the firewall.
* Overcomes the downside of sampling targets and specific ports.
* Downside: does not measure potential bugs in the firewall.
– Effort required by target organisation personnel.
– No longer black box testing.
4. Use hyper-fast port scanning methods.
* Use multiple machines to scan.
* Lower the timeouts of each scan.
* Increase the number of scans (e.g. number of scan sockets per scan, parallel scans, etc.)
* Use fast scanning tools such as masscan and ScanRand.
* https://www.sans.org/security-resources/idfaq/what-is-scanrand/3/20
* Downside: a denial of service may occur.
* Run a sniffer while scanning.
– Verify the scanning tool is functioning properly by monitoring network activity.
– tcpdump is ideal as it is small, flexible and fast.
Scanning tools
* War Diallers
– Spot badly secured external connections using THC-Scan, PhoneSweep, TeleSweep, etc.
* War Driving
– Scan for wireless access points using Kismet etc.
* Network mappers
– Ping sweeps, traceroute, Cheops-ng (an automated tool), Maltego etc.
* Port Scanners
– Scanning for open ports at targeted systems using nmap, zenmap etc.
* Vulnerability Scanners
– Scan for known vulnerabilities using tools such as Nessus.
* Misconfigurations
* Unpatched systems with known vulnerabilities
* Other weaknesses
War dialling
A technique of dialling telephone numbers to find an open modem connection that provides remote access to a network
– Remote access to a system or internal network allows attacks to be launched against the target.
* Dial-up modem connections usually have weaker security than the main Internet connection.
– Many remote-access systems use the Password Authentication Protocol (PAP), which sends passwords in the clear.
– Many companies do not control dial-in ports as strictly as the firewall.
– Machines with modems attached can be anywhere, even if these modems are no longer required.
– Many servers still have a modem with a phone line connected as backup in case the primary Internet connection fails.
War dialer programs
– THC-Scan, PhoneSweep and TeleSweep.
* After locating modems, tools can:
– Determine the type of line discovered, including carriers, tones and voice mail boxes (VMB).
– Send nudging sequences to determine the known remote admin tools running on the target machine, like pcAnywhere, and then use the client application to log in.
– Look for systems that don’t require a password.
– Password-guess systems that need a password using tools like THC-LoginHacker.
Network mapping
IP-based attack rather than phone-line-based attack.
* Scan the Internet and the organisation’s internal network.
* Determine the target network topology.
– Determine which addresses have live machines.
– Develop a map of the target network.
* Manual tools like ping or traceroute.
* Automated tools like Cheops-ng on Unix-based machines.