My first post here: I am adding an article I wrote specially for GovernmentSecurity; I hope it is useful to someone.
Extracting hosts from DNS servers that disallow zone transfers.
Everybody knows that the first step in an attack is reconnaissance of the target, in the following sequence:
- List the machines that are part of the target.
- Identify the services and versions running on each of these machines.
This is essential, because if an attacker can't list which machines are part of the target, he has nothing to attack.
Listing the machines that are part of the target is very useful to attackers when they intend to attack a well-protected network: the main servers will be hardened and constantly monitored, so if an attacker finds less important machines he will probably:
- Find machines that aren't as protected as the main servers.
- Find machines that are less monitored.
- Have a bigger chance of finding a vulnerability, since the more machines an attacker finds, the more there is to look at.
In the good old days attackers used DNS zone transfers to list all machines in the domain they planned to attack; however, DNS zone transfers work more and more rarely because of improved security.
Just to illustrate, let's try a DNS zone transfer from microsoft.com:
FatalFury:~/tmp# dig microsoft.com axfr
; <<>> DiG 9.2.3 <<>> microsoft.com axfr
;; global options: printcmd
; Transfer failed.
As expected, the DNS zone transfer failed. However, there is a way to extract these hosts anyway: it's called DNS host brute force. It basically brute-forces common host names via DNS queries and, based on the response from the DNS server, identifies whether each host exists or not.
To explain in detail how it works, let's suppose that an attacker wants to list the hosts in the domain microsoft.com. The following steps are followed:
1) The program opens a wordlist of common host names and reads it one entry at a time.
2) Each host name entry in this file is concatenated with the domain, for example auth.microsoft.com, database.microsoft.com, ftp.microsoft.com, etc.
3) Each of the FQDNs (fully qualified domain names) generated is requested from the DNS server.
4) The DNS server responds to the client saying "auth at microsoft.com is a non-existent host", so based on this response the program knows that this host doesn't exist.
5) The DNS server responds to the client saying "database at microsoft.com is a non-existent host", so based on this response the program knows that this host doesn't exist.
6) The DNS server responds to the client saying "ftp at microsoft.com points to IP address A.B.C.D", so based on this response the program knows that the host exists with the IP address A.B.C.D, and saves it in the list of found hosts.
THE TOOL OF THE TRADE:
To illustrate the use of DNS host brute force we will use a tool called WS-DNS-BFX, which in my opinion is the best, since it:
- Is very fast because it uses multiple threads.
- Supports IPv4 and IPv6.
- Extracts multiple IPs for a single host name (domains behind network load balancing).
- Runs on Linux, or on Windows with Cygwin.
This tool can be downloaded from http://ws.hackaholic.../WS-DNS-BFX.tgz
Installation is very easy, just untar it like this:
FatalFury:~/tmp# tar -xvzf WS-DNS-BFX.tgz
Now we just need to compile it like this:
FatalFury:~/tmp# gcc -o WS-DNS-BFX WS-DNS-BFX.c -lpthread -D_REENTRANT -D_THREAD_SAFE
Let's run the compiled program to check that everything worked:
DNS Brute Force eXtract by: Clube Dos Mercenarios & Front The Scene
./WS-DNS-BFX <domain> <brute force file> <simultaneous conn>
Now that we have the tool compiled, we will use a command line like this:
./WS-DNS-BFX microsoft.com dict-file.txt 14
WS-DNS-BFX - the name of the tool.
microsoft.com - the domain name we will extract hosts from.
dict-file.txt - a dictionary file containing common host names; it is included with the tool.
14 - the number of parallel threads that will be used.
NOTE: You should create and use a more complete dictionary file to get better results.
NOTE: The number of parallel threads should be chosen based on your connection speed; see README-en.txt for more details.
Let's test the tool to see if it really works:
FatalFury:~/tmp# time ./WS-DNS-BFX microsoft.com dict-file.txt 14
In my case with 14 parallel connections it probed 361 hosts in less than 4 seconds!
It generated a report file called hosts-microsoft.com.txt; let's check it:
FatalFury:~/tmp# cat hosts-microsoft.com.txt
-= DNS Brute Force eXtract by Clube Dos Mercenarios e Front The Scene =-
As we can see, it extracted 10 different host names, and several distinct IPs for the same host name, which indicates that those hosts are behind network load balancing.
Even with the restrictions on DNS zone transfers, attackers with WS-DNS-BFX and a GOOD dictionary file can extract many hosts, which is very useful to them.
The best way to detect this kind of attack is to monitor the requests to your DNS server and look for a high number of requests in quick succession from a single IP, with many replies saying "non-existent host" (NXDOMAIN).
Obs: I have compiled a good wordlist for this kind of test; if someone is interested in it I can upload it somewhere.
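The detection described above, as an added example that is not from the original post or from the WS-DNS-BFX tool: it flags any client that collects many "non-existent host" (NXDOMAIN) answers within a short window, which is exactly the pattern steps 4 to 6 of the brute force produce on the server side. The log format, the client IPs, the domain and the thresholds are constructed assumptions, not a real server's format.

```python
"""Detect DNS host name brute-forcing from a resolver's response log.

Added example, not part of the original post or of WS-DNS-BFX. It assumes
a constructed log format "<epoch> <client ip> <qname> <rcode>" (rcode is
NOERROR or NXDOMAIN); adapt parse_line() to your own server's log format.
"""
from collections import defaultdict, deque

# Thresholds are assumptions: tune to your zone's normal NXDOMAIN rate.
NXDOMAIN_THRESHOLD = 5   # NXDOMAIN answers from one client ...
WINDOW_SECONDS = 10      # ... inside this many seconds

def parse_line(line):
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname.lower(), rcode

def find_bruteforcers(lines, threshold=NXDOMAIN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {client_ip: (nxdomain_count, names)} for every client that
    receives `threshold` or more NXDOMAIN answers within `window` seconds."""
    recent = defaultdict(deque)   # client -> timestamps of recent NXDOMAINs
    names = defaultdict(set)      # client -> non-existent names it asked for
    flagged = {}
    for line in lines:
        ts, client, qname, rcode = parse_line(line)
        if rcode != "NXDOMAIN":   # answered names are normal traffic
            continue
        q = recent[client]
        q.append(ts)
        names[client].add(qname)
        while q and ts - q[0] > window:   # drop answers outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[client] = (len(q), sorted(names[client]))
    return flagged

# Constructed sample: 10.0.0.5 walks a wordlist (auth, database, ftp, ...)
# against example.com within a second; 10.0.0.9 is an ordinary client.
SAMPLE_LOG = """\
1000.0 10.0.0.5 auth.example.com NXDOMAIN
1000.1 10.0.0.5 database.example.com NXDOMAIN
1000.2 10.0.0.5 ftp.example.com NOERROR
1000.3 10.0.0.9 www.example.com NOERROR
1000.4 10.0.0.5 mail2.example.com NXDOMAIN
1000.5 10.0.0.5 intranet.example.com NXDOMAIN
1000.6 10.0.0.5 vpn.example.com NXDOMAIN
1000.7 10.0.0.5 dev.example.com NXDOMAIN
1300.0 10.0.0.9 typo.example.com NXDOMAIN
""".splitlines()
```

Calling find_bruteforcers(SAMPLE_LOG) reports only 10.0.0.5, with six NXDOMAIN answers inside the window; 10.0.0.9's single typo is below the threshold.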