Monday, March 29, 2010

Bash Script - DNS Enumeration

Part of any good reconnaissance work is enumerating your target. Normally you look for the "low-hanging fruit" and whatever information is readily available to you.

I like to use DNS as an ally since the information is freely available and, if done correctly, gathering it is relatively quiet.

I've written a couple of small bash scripts to automate collecting this information, which can be a handful if done manually.

The first thing required is a text file called 'dns.txt' holding a list of well-known host names. The script reads this file when it attempts to enumerate available hosts, so its entries should be the names you would expect publicly reachable hosts to have. Listed below are my values, but your mileage may vary.

www
www1
www2
web
dns
dns1
dns2
ns
ns1
ns2
ns3
mail
mailhost
smtp
outlook
imap
pop
webmail
vpn
extranet
portal
proxy
secure
cisco
router
gateway
fw
fwsm
firewall
ftp
tftp
news
blog
test
honeypot
backup
linux
oracle
unix
search
forum



In the same directory create a new file named DNSGrab.sh and, if you want to run it directly, make it executable with "chmod 755 DNSGrab.sh".

#!/bin/bash
echo -e "\nThis script will allow you to look for publicly available hosts"
echo "You can perform a query either by selecting a target domain or /24 network"
echo "Would you like to [domain] scan or [subnet] enumerate?"
read -r answer
if [ "$answer" = "domain" ]; then
    echo "What domain would you like to scan?:"
    echo "example 'domain.com'"
    read -r domain
    echo -e "\n"
    # Try every label in dns.txt and keep only the A-record lines; host
    # follows CNAMEs, so an alias is printed under its canonical name
    for name in $(cat dns.txt); do
        host "$name.$domain" | grep "has address"
    done
elif [ "$answer" = "subnet" ]; then
    echo "Please enter Class C Subnet which you'd like to enumerate:"
    echo -e "example 192.168.20\n"
    read -r subnet
    # Reverse (PTR) lookup of every address in the /24: field 1 is the
    # in-addr.arpa name, field 5 the host name it points to
    for octet in $(seq 1 254); do
        host "$subnet.$octet" | grep "name pointer" | cut -d" " -f1,5
    done
else
    echo -e "\nExpected 'domain' or 'subnet' as input, script exiting..."
fi




This script will simply do one of two things based on the user input of "domain" or "subnet". If "domain" is chosen it will quickly scour DNS looking for any hosts matching those in the dns.txt file. For example, if you chose google.com then it would try resolving ns.google.com, ns1.google.com, and on down the line. Because only the "has address" lines are kept, a name that is a CNAME shows up under its canonical target rather than the name you asked for (www.hp.com below appears as www.hpgtm.nsatc.net). This can be great for spotting discontiguous subnets and discovering information about network topology.

If "subnet" is chosen then it will do a reverse (PTR) lookup of every address on the given /24 and print the host name each one points to. Examples of each are listed below:

# ./DNSGrab.sh

This script will allow you to look for publically available hosts
You can perform a query either by selecting a target domain or /24 network
Would you like to [domain] scan or [subnet] enumerate?
domain
What domain would you like to scan?:
example 'domain.com'
hp.com


www.hpgtm.nsatc.net has address 15.201.49.22
www.hpgtm.nsatc.net has address 15.216.110.22
ns1.hp.com has address 15.219.145.12
ns2.hp.com has address 15.219.160.12
ns3.hp.com has address 15.203.209.12
mail.hp.com has address 15.192.0.152
smtp.hp.com has address 15.201.24.91
webmail.hp.com has address 16.230.34.78
extranet.hp.com has address 16.110.176.200
extranet.hp.com has address 16.228.52.17
extranet.hp.com has address 16.230.58.17
extranet.hp.com has address 16.234.58.17
extranet.hp.com has address 16.236.203.17
extranet.hp.com has address 16.238.58.17
portal.hp.com has address 16.232.36.204
ftp.hpgtm.nsatc.net has address 15.192.45.27
ftp.hpgtm.nsatc.net has address 15.216.110.132
usenet01.boi.hp.com has address 15.8.40.106
linux.hp.com has address 192.6.234.9
linux.hp.com has address 192.151.53.86
oracle.hardingmarketing.com has address 66.35.221.168
www.hpgtm.nsatc.net has address 15.216.110.22
www.hpgtm.nsatc.net has address 15.201.49.22
search.hpgtm.nsatc.net has address 15.192.0.84



# ./DNSGrab.sh

This script will allow you to look for publically available hosts
You can perform a query either by selecting a target domain or /24 network
Would you like to [domain] scan or [subnet] enumerate?
subnet
Please enter Class C Subnet which you'd like to enumerate:
example 192.168.20

16.232.36
1.36.232.16.in-addr.arpa vip-iba-16-236-36-0-gw.houston.hp.com.
2.36.232.16.in-addr.arpa cce01gwdc509-vlan265.houston.hp.com.
3.36.232.16.in-addr.arpa cce01gwdc510-vlan265.houston.hp.com.
4.36.232.16.in-addr.arpa cce01swdclb511-265.houston.hp.com.
5.36.232.16.in-addr.arpa cce01swdclb512-265.houston.hp.com.
6.36.232.16.in-addr.arpa cce01swdclb511-265-alias.houston.hp.com.
7.36.232.16.in-addr.arpa vip2-g3w1945c.houston.hp.com.
8.36.232.16.in-addr.arpa vappnestpro3.houston.hp.com.
9.36.232.16.in-addr.arpa gvu3727.houston.hp.com.
10.36.232.16.in-addr.arpa oispro-llb3.houston.hp.com.
11.36.232.16.in-addr.arpa gvu4394.houston.hp.com.
12.36.232.16.in-addr.arpa gvu4395.houston.hp.com.
13.36.232.16.in-addr.arpa gvu4442.houston.hp.com.
16.36.232.16.in-addr.arpa cce01-c509-nat265.houston.hp.com.
21.36.232.16.in-addr.arpa g3w0266.houston.hp.com.
(/snip)
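
The "domain" scan above takes every "has address" line at face value, which goes wrong on a domain with a wildcard A record: every label in dns.txt then resolves to the same address and the whole list looks alive. The following is an added example, not code from the original post, that probes a random label first and suppresses hits whose address matches that answer; it also dedupes the wordlist and keeps IPv6 answers. The function names, the "wc" probe prefix and the three-column output are this example's own choices, and it assumes the BIND 'host' utility and a dns.txt in the working directory.

```shell
#!/bin/bash
# Added example (not from the original post): the "domain" scan with a
# wildcard check. Assumes 'host' from BIND and the dns.txt list above.
# The "wc" label prefix, the function names and the output columns are
# this example's own choices.

# Reduce 'host NAME' output to "queried canonical address" lines.
# Only A and AAAA answers are kept; the "is an alias for" line is dropped,
# but the canonical name survives in column 2.
parse_host_output() {
    awk -v q="$1" '
        $2 == "has" && $3 == "address"                 { print q, $1, $4 }
        $2 == "has" && $3 == "IPv6" && $4 == "address" { print q, $1, $5 }
    '
}

# Drop results whose address was also returned for a random label:
# a wildcard A record makes every name in the wordlist "exist".
# $1 is a space-separated list of wildcard addresses (may be empty).
filter_wildcard() {
    awk -v w="$1" '
        BEGIN { n = split(w, a, " "); for (i = 1; i <= n; i++) wild[a[i]] = 1 }
        !($3 in wild)
    '
}

lookup() {
    host "$1" 2>/dev/null | parse_host_output "$1"
}

enumerate_domain() {
    domain="$1"
    wordlist="${2:-dns.txt}"
    # Probe a label that should not exist; whatever it resolves to is the
    # wildcard answer set. The PID and the clock keep the label unpredictable.
    probe="wc$$$(date +%s).$domain"
    wild=$(lookup "$probe" | awk '{ print $3 }' | sort -u | tr '\n' ' ')
    if [ -n "$wild" ]; then
        echo "wildcard detected: $probe -> $wild (matching hits suppressed)" >&2
    fi
    # Dedupe the wordlist while keeping its order, skip blank lines
    awk 'NF && !seen[$0]++' "$wordlist" | while read -r name; do
        lookup "$name.$domain"
    done | filter_wildcard "$wild"
}

# Usage: ./dnsgrab-wildcard.sh example.com [wordlist]
if [ "$#" -ge 1 ]; then
    enumerate_domain "$1" "$2"
fi
```

A wildcard that answers with several addresses, or with a different address per query, will only be partly caught by a single probe; issuing two or three probes and taking the union of their answers is the usual refinement.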



If you want to test whether the name servers for a domain allow zone transfers, I've written an automated method for that too. Follow the same steps as above and call this file "ZTransfer.sh". Here is the script:

#!/bin/bash

echo "Please enter domain:"
read -r domain

# Ask every authoritative name server and append (>>) the answers, so a
# server that allows the transfer is not overwritten by a later one that refuses
rm -f "$domain.txt"
for ns in $(host -t ns "$domain" | cut -d" " -f4); do
    host -l "$domain" "$ns" | grep "has address" >> "$domain.txt"
done
if [ ! -s "$domain.txt" ]; then
    echo "Zone Transfer Failed!"
    rm -f "$domain.txt"
else
    echo "Zone Transfer Completed Successfully!"
fi



Simply put, this will attempt a zone transfer of a user-supplied domain from each of its name servers. It goes without saying that you shouldn't do this unless you have permission to do so; unlike the single lookups above, an AXFR request asks for the whole zone, and a properly configured server will refuse it and very likely log it, so it is not quiet. It would be appropriate for pen testers and DNS admins looking to test the security of their configurations.
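
When several name servers are authoritative it is worth knowing which one of them allowed the transfer, and a leaked zone is more than its A records: the CNAME and MX entries usually say more about the environment. Below is an added example, not the original ZTransfer.sh, that keeps one file per name server and normalises the record phrasings that 'host -l' prints into "name TYPE rdata" lines with a per-type count. It assumes the BIND 'host' utility; the function names and the "$domain.$ns.txt" file naming are this example's own.

```shell
#!/bin/bash
# Added example (not from the original post): try AXFR against every
# authoritative server, one result file per server. Assumes 'host' from
# BIND; the function names and file naming are this example's own choices.

# Pull name-server hostnames out of 'host -t ns DOMAIN' output
# ("example.com name server ns1.example.com."), trailing dot removed.
parse_ns_output() {
    awk '$2 == "name" && $3 == "server" { sub(/\.$/, "", $4); print $4 }'
}

# Turn the human-readable 'host -l' record lines into "name TYPE rdata".
# The "Using domain server:" header and anything unrecognised is dropped.
normalize_zone_output() {
    awk '
        $2 == "has" && $3 == "address"                    { print $1, "A", $4 }
        $2 == "has" && $3 == "IPv6" && $4 == "address"    { print $1, "AAAA", $5 }
        $2 == "is" && $3 == "an" && $4 == "alias"         { print $1, "CNAME", $6 }
        $2 == "mail" && $3 == "is" && $4 == "handled"     { print $1, "MX", $6, $7 }
        $2 == "name" && $3 == "server"                    { print $1, "NS", $4 }
        $2 == "domain" && $3 == "name" && $4 == "pointer" { print $1, "PTR", $5 }
    '
}

# Record count per type from normalised lines, e.g. "A 120", "CNAME 14".
zone_type_counts() {
    awk '{ c[$2]++ } END { for (t in c) print t, c[t] }' | LC_ALL=C sort
}

# Attempt AXFR from each NS; succeeds if at least one server allowed it.
try_zone_transfer() {
    domain="$1"
    got=0
    for ns in $(host -t ns "$domain" 2>/dev/null | parse_ns_output); do
        out="$domain.$ns.txt"
        # A refused transfer yields no record lines, so the file stays empty
        host -l "$domain" "$ns" 2>/dev/null | normalize_zone_output > "$out"
        if [ -s "$out" ]; then
            echo "AXFR allowed by $ns -> $out"
            zone_type_counts < "$out"
            got=1
        else
            echo "AXFR refused by $ns"
            rm -f "$out"
        fi
    done
    [ "$got" -eq 1 ]
}

# Usage: ./ztransfer-all.sh example.com
if [ "$#" -ge 1 ]; then
    try_zone_transfer "$1"
fi
```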

These were written and tested on a BackTrack 4 (BT4) distro, feel free to modify as needed...
