The Basics
This tutorial is not meant to promote unlawful activity, but rather to make people aware of how allowing untrusted
users to make DNS zone transfers can lead to a world of trouble.
Ok, let's say for example johnny hax0r (yeah, I made that name up ALL by myself) wants to enumerate www.thevictim.com.
Well, of course there are the usual host queries, traceroute, etc., but all of these methods more or less give you
information regarding a single target, and the more targets you have the greater the chance of finding a weakness.
This is where DNS zone transfers come in. A zone transfer allows a secondary master server to update its zone database
from the primary master. Generally a DNS zone transfer only needs to be performed by secondary master DNS servers.
A lot of DNS servers, however, are misconfigured and provide a copy of the zone to anyone who asks.
Now that we've covered that, let's move on.
A simple way to perform a zone transfer is to use the 'nslookup' client. It is standard on most NT and *nix machines,
but if for some reason you don't have access to it then go get yourself a free *nix shell account and continue. Now
let's take a look at 'nslookup' in action.
[JeiAr]$ nslookup              <--- Enter the nslookup command
Default Server: dns.hi.net     <--- It tells you the default nameserver it's using,
Address: xx.10.40.20                which is usually provided by your ISP

> server xx.20.10.5            <--- Here you enter the primary DNS server to query (the 'server'
                                    command switches nslookup to it; an IP typed on its own would
                                    just be looked up). You can get this information by performing
                                    a 'whois' query on the domain (www.thevictim.com) you are
                                    trying to enumerate

> set type=any                 <--- Now we set the record type to any. This allows you to pull
                                    any DNS records available.

> ls -d thevictim.com.         <--- The 'ls' option lists all associated records of the domain.
                                    The '-d' switch is used to list all records for the domain.
                                    The trailing '.' signifies the fully qualified domain name;
                                    you can leave that part off if you like. You can also send
                                    the output to a file for later examination by appending
                                    '>> yourfile.txt' to the command
Now that you know pretty much how to perform a basic DNS zone transfer, let's have a look at a small snippet of real-life
output from a large corporate website that will not be named for obvious reasons but instead renamed to thevictim.com. A
full zone transfer may be 10 times bigger than this small snippet or only half as big ...
NOTE:
names and IPs have been altered, and some minute details have been left out to increase readability. This will not
affect anything that you are learning ...
ls -d thevictim.com.
[sca07.auth.dns.exodus.net]
 thevictim.com.  SOA    sca03.auth.dns.exodus.net hostmaster.exodus.net.
 thevictim.com.  NS     sca03.auth.dns.exodus.net
 thevictim.com.  NS     sca04.auth.dns.exodus.net
 thevictim.com.  MX     10 mta.onebox.com
 thevictim.com.  A      ***.79.152.11
 smtp            MX     10 smtp03-in.thevictim.com
 smtp            MX     20 smtp04-in.thevictim.com
 smtp            MX     40 smtp02-in.thevictim.com
 smtp            A      ***.79.152.47
 www1            A      ***.79.152.11
 ads             A      ***.79.152.23
 staging         A      ***.208.135.36
 smtp01-in       A      ***.79.152.45
 lists           A      ***.79.152.48
 drugs           A      ***.79.152.19
 mailer          MX     10 mailer-in.thevictim.com
 mailer          A      ***.79.152.61
 kodak           A      ***.79.152.26
 store           NS     ns1.thevictim.com
 smtp03-in       A      ***.79.152.47
Ok, let's see what we have. From the output we now know the following hosts and subdomains likely exist, for example:
smtp01-in.thevictim.com
smtp02-in.thevictim.com
smtp03-in.thevictim.com
smtp04-in.thevictim.com
www1.thevictim.com
ads.thevictim.com
staging.thevictim.com
lists.thevictim.com
drugs.thevictim.com
mailer-in.thevictim.com
mailer.thevictim.com
kodak.thevictim.com
store.thevictim.com
and so forth and so on ...
Now we have greatly increased our chances to gain access to the target by giving ourselves a lot more options and by now
having a better idea of the way the domain is mapped out. Before I draw the first part of this to a conclusion I would
like to point out the letters contained within the output. A is an address record, mapping a host or subdomain name to
an IP address; MX is a mail exchange server and NS is a name server. I will write more later about how to get the most
out of your zone transfer results and may even include some advanced DNS related issues/techniques.
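The same reading of the output can be automated. The script below is an added example, not code from the original
tutorial: it parses a zone listing in the 'ls -d' layout shown above into a record inventory, lists every in-zone name
the listing gives away (record owners plus the targets of MX and NS records, which is how smtp02-in, smtp04-in,
mailer-in and ns1 show up in the list above even though they have no records of their own in the snippet), and groups
hosts by address so a zone owner can see what an anonymous transfer would reveal. SAMPLE_LISTING is constructed from the
tutorial's redacted snippet ('***' octets kept as printed) and thevictim.com is the tutorial's placeholder domain.

```python
"""Turn a zone listing ('nslookup ls -d' / 'dig axfr' style output) into a host inventory,
so a zone owner can see exactly what an anonymous zone transfer gives away.

Added example, not code from the original tutorial. SAMPLE_LISTING is constructed from the
tutorial's redacted output ('***' octets kept as printed); thevictim.com is its placeholder.
"""
from collections import defaultdict

ZONE = "thevictim.com"

SAMPLE_LISTING = """\
[sca07.auth.dns.exodus.net]
thevictim.com. SOA sca03.auth.dns.exodus.net hostmaster.exodus.net.
thevictim.com. NS sca03.auth.dns.exodus.net
thevictim.com. NS sca04.auth.dns.exodus.net
thevictim.com. MX 10 mta.onebox.com
thevictim.com. A ***.79.152.11
smtp MX 10 smtp03-in.thevictim.com
smtp MX 20 smtp04-in.thevictim.com
smtp MX 40 smtp02-in.thevictim.com
smtp A ***.79.152.47
www1 A ***.79.152.11
ads A ***.79.152.23
staging A ***.208.135.36
smtp01-in A ***.79.152.45
lists A ***.79.152.48
drugs A ***.79.152.19
mailer MX 10 mailer-in.thevictim.com
mailer A ***.79.152.61
kodak A ***.79.152.26
store NS ns1.thevictim.com
smtp03-in A ***.79.152.47
"""


def fqdn(owner, zone):
    """Expand a relative owner name from the listing into a full name without trailing dot."""
    owner = owner.rstrip(".")
    if owner in ("", "@", zone):
        return zone
    if owner.endswith("." + zone):
        return owner
    return f"{owner}.{zone}"


def in_zone(name, zone):
    name = name.rstrip(".")
    return name == zone or name.endswith("." + zone)


def parse_listing(text, zone):
    """Return (owner_fqdn, RTYPE, rdata) tuples; blank lines and the bracketed server line are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("["):
            continue
        owner, rtype, rdata = parts[0], parts[1].upper(), " ".join(parts[2:])
        records.append((fqdn(owner, zone), rtype, rdata))
    return records


def exposed_hostnames(records, zone):
    """Every in-zone name the listing reveals: record owners plus MX/NS/CNAME targets.
    nslookup prints targets as absolute names, so they are filtered by suffix, not expanded."""
    names = set()
    for owner, rtype, rdata in records:
        names.add(owner)
        if rtype in ("MX", "NS", "CNAME"):
            target = rdata.split()[-1].rstrip(".")
            if in_zone(target, zone):
                names.add(target)
    return sorted(names)


def hosts_by_address(records):
    """Group A-record owners by IP; names sharing an address usually sit on one box (or one VIP)."""
    grouped = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "A":
            grouped[rdata].append(owner)
    return {ip: sorted(names) for ip, names in grouped.items()}


def record_type_counts(records):
    counts = defaultdict(int)
    for _, rtype, _ in records:
        counts[rtype] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING, ZONE)
    print(f"{len(recs)} records, types: {record_type_counts(recs)}")
    for name in exposed_hostnames(recs, ZONE):
        print("  ", name)
    for ip, names in sorted(hosts_by_address(recs).items()):
        if len(names) > 1:
            print(f"{ip} is shared by {', '.join(names)}")
```

Feed it your own server's listing instead of the sample and the "shared by" lines are the quickest way to spot names
that were never meant to be public (a staging host parked on the same address as the main site, say).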
Remember: make sure you do not allow zone transfers to be made by unauthorized users, as it greatly increases the chances
that an attacker will compromise your system's security. A quick fix for this is to configure your firewall, IDS, or
whatever to not allow unauthorized incoming traffic on TCP 53.
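To confirm the restriction actually took, ask your own authoritative server for a transfer and check that it answers
REFUSED. The Python below is an added example, not part of the original tutorial: it builds the AXFR request, reads the
first reply message over TCP 53 and reports whether the zone is exposed. The constructed replies at the bottom let the
parsing run offline; example.com and ns1.example.com in them are placeholders. One caveat on the firewall quick fix:
restricting transfers in the nameserver itself (BIND's allow-transfer, for instance) is the more precise control, since
blocking all inbound TCP 53 also blocks legitimate queries that fall back to TCP.

```python
"""Audit whether a nameserver will hand a zone to anyone: send one AXFR request over
TCP 53 and classify the first reply. A locked-down server answers REFUSED (rcode 5);
an open one starts the transfer with the zone's SOA record.

Added example, not code from the original tutorial; point it at your OWN authoritative
server. example.com / ns1.example.com in the offline demo are placeholders.
"""
import socket
import struct

TYPE_AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 252: "AXFR"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (one question, no flags) followed by QNAME=zone, QTYPE=AXFR, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Return (rcode name, [(owner, rtype name), ...]) for one DNS message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen                           # rdata is not needed for the verdict
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype))))
    return rcode, records


def zone_is_exposed(rcode, records):
    """An allowed transfer always opens with the SOA; anything else means it was denied."""
    return rcode == "NOERROR" and any(rtype == "SOA" for _, rtype in records)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def check_server(server_ip, zone, timeout=5.0):
    """DNS over TCP frames each message with a 2-byte length; only the first reply is read."""
    query = build_axfr_query(zone)
    with socket.create_connection((server_ip, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(sock, 2))[0]
        rcode, records = parse_response(recv_exact(sock, length))
    return rcode, records, zone_is_exposed(rcode, records)


# Constructed replies so the parser can be exercised without a network (placeholder zone).
def refused_reply(zone, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0)        # QR=1, RCODE=5
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)


def open_reply(zone, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)        # QR=1, AA=1, 1 answer
    question = encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, 86400))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    return header + question + answer                                 # owner = pointer to QNAME


if __name__ == "__main__":
    for reply in (refused_reply("example.com"), open_reply("example.com")):
        rcode, records = parse_response(reply)
        print(rcode, records, "EXPOSED" if zone_is_exposed(rcode, records) else "locked down")
```

Run the file directly for the offline demo; for a live check of your own server call check_server with its address and
the zone name, and treat anything other than REFUSED (or a closed connection) as a sign the restriction is not in place.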
Thanks for reading :)
JeiAr