Wednesday, 10 April 2013

[EN] DNS missing allow-transfer

As an exception, this post is written in English. Apologies in advance. :-)

Before we start a pentest it is always worth gathering some information about the target. One thing we want to know about is additional resources: SQL servers, developer and test machines, backups, and so on. For example, we can check the PTR records (reverse DNS) for the target's IP range (manually or using this tool). Sometimes the target configures its zone without restricting the allow-transfer option, so anybody can download the whole zone file with a zone transfer (AXFR, over TCP port 53), exactly the way a secondary DNS server does. It is worth trying every authoritative name server of the zone, since each one may be configured differently.

There are several ways to do this. Using the standard tools:

zoczekj@cojapache:~$ host -l tesco.pl ns4.czart.pl
Using domain server:
Name: ns4.czart.pl
Address: 194.8.14.2#53
Aliases: 

tesco.pl name server ns1.czart.pl.
tesco.pl name server ns2.czart.pl.
tesco.pl name server ns3.czart.pl.
tesco.pl name server ns4.czart.pl.
tesco.pl name server one.czart.pl.
tesco.pl name server crimson.czart.pl.
tesco.pl name server czartux.czart.pl.
tesco.pl has address 194.8.14.16
100sposobow-1.tesco.pl has address 193.221.122.60
100sposobow-2.tesco.pl has address 193.221.122.60
(...)
xfiles.tesco.pl has address 194.8.14.16
xfiles2.tesco.pl has address 194.8.14.29
zwierzaki.tesco.pl has address 194.8.14.16
admin.zwierzaki.tesco.pl has address 194.8.14.16

zoczus@jano:~$ dig @pri.authdns.ripe.net. ripe.net axfr | wc -l # this baby is a huge one! ;-)
19626

...or using my Perl script:

zoczus@jano:~$ zone wikipedia.org
Checking ns2.wikimedia.org... OK!
wikipedia.org. 86400 IN SOA ns0.wikimedia.org. hostmaster.wikimedia.org. (
     2013030122 ;serial
     43200      ;refresh
     7200       ;retry
     1209600    ;expire
     3600   ) ;minimum
wikipedia.org. 3600 IN A 208.80.152.201
wikipedia.org. 86400 IN NS ns0.wikimedia.org.
wikipedia.org. 86400 IN NS ns1.wikimedia.org.
wikipedia.org. 86400 IN NS ns2.wikimedia.org.
wikipedia.org. 3600 IN MX 50 lists.wikimedia.org.
wikipedia.org. 3600 IN MX 10 mchenry.wikimedia.org.
wikipedia.org. 3600 IN AAAA 2620:0:860:ed1a::1
aa.wikipedia.org. 3600 IN CNAME wikipedia-lb.wikimedia.org.
aa.m.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
aa.m.mobile.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
aa.m.wap.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
(...)
zu.wap.wikipedia.org. 3600 IN CNAME mobile-lb.eqiad.wikimedia.org.
zu.zero.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
zu.zero.mobile.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
zu.zero.wap.wikipedia.org. 3600 IN CNAME m.wikimedia.org.

It is quite simple, and a lot of servers are still configured this way. It is neither a new method nor my discovery; the technique is widely known.
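As an added example (my own script, not the post's Perl tool and not the commenters' one-liners), here is how I would automate the per-domain check and, more importantly, judge the result: a recon script should not just see "some output" from dig but verify that a complete zone came back (AXFR starts and ends with the SOA) and pull the host list out of it. The live check assumes `dig` from bind-utils/dnsutils is installed and needs network access; the parsing helpers work on saved dig output and are demonstrated on constructed samples (example.test and the 192.0.2.0/24 addresses are documentation names, not a real target).

```shell
#!/bin/bash
# Added example, not the post's own script: try AXFR against every
# authoritative NS of a domain and parse the result like a recon tool.
# Assumes `dig` (bind-utils / dnsutils) is installed for the live check;
# the parsing helpers below run on saved dig output and need no network.

# Count resource records in `dig ... AXFR` output. dig prefixes comments
# with ';' (including "; Transfer failed."), and each record line is
# "owner TTL IN type rdata", so a count of zero means no zone came back.
axfr_record_count() {
    awk '/^;/ || /^[[:space:]]*$/ { next } $3 == "IN" { n++ } END { print n + 0 }'
}

# A complete AXFR starts and ends with the zone's SOA. Exit 0 (true) only
# when there are at least two records and both ends are SOA, so a refused
# or truncated transfer is not mistaken for a full dump of the zone.
axfr_complete() {
    awk '!/^;/ && $3 == "IN" { t[++n] = $4 }
         END { ok = (n >= 2 && t[1] == "SOA" && t[n] == "SOA"); exit (ok ? 0 : 1) }'
}

# Print owner names of records of the given type (A, AAAA, CNAME, ...),
# one per line: this is the host list a pentester actually wants.
axfr_names() {
    awk -v want="$1" '!/^;/ && $3 == "IN" && $4 == want { print $1 }'
}

# Live check (needs network): try AXFR from every NS of the zone in $1 and
# save each successful transfer to <zone>.<ns>.axfr for later grepping.
axfr_check() {
    local zone=$1 ns out n
    for ns in $(dig +short NS "$zone"); do
        out=$(dig @"$ns" "$zone" AXFR 2>/dev/null)
        if printf '%s\n' "$out" | axfr_complete; then
            n=$(printf '%s\n' "$out" | axfr_record_count)
            echo "$ns: AXFR allowed, $n records"
            printf '%s\n' "$out" > "${zone}.${ns%.}.axfr"
        else
            echo "$ns: AXFR refused or incomplete"
        fi
    done
}

# Constructed sample of dig output from a server that allows transfers
# (documentation names and addresses; note the backup host on 10.0.0.0/8).
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
example.test.          3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2013041001 43200 7200 1209600 3600
example.test.          3600  IN  NS   ns1.example.test.
example.test.          3600  IN  NS   ns2.example.test.
example.test.          3600  IN  A    192.0.2.10
dev.example.test.      3600  IN  A    192.0.2.20
backup.example.test.   3600  IN  A    10.0.0.5
example.test.          3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2013041001 43200 7200 1209600 3600
;; XFR size: 7 records (messages 1, bytes 260)'

# Constructed sample from a server whose allow-transfer is restricted.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> @ns2.example.test example.test AXFR
;; global options: +cmd
; Transfer failed.'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OPEN" | axfr_record_count    # 7
printf '%s\n' "$SAMPLE_OPEN" | axfr_names A          # three hosts, one on RFC 1918 space
printf '%s\n' "$SAMPLE_REFUSED" | axfr_record_count  # 0

# Pass a domain to run the live check: ./axfr_check.sh example.org
if [ -n "${1:-}" ]; then
    axfr_check "$1"
fi
```

The completeness check matters in practice: a server that answers the AXFR query with a partial message, or dig output that got cut off while being saved, still contains records, and counting lines alone would report an "open" zone that you do not actually have.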

OK, how about trying this with TLDs? I used this list and a small bash script:

zoczus@jano:~/tld$ cat check.sh 
#!/bin/bash
#
# (C) ZoczuS
###
# Usage: ./check.sh tld-file-name
# Runs the `zone` Perl script from above against every TLD listed in the
# file (one per line) and saves each result in a file named after the TLD.
if [ $# -lt 1 ]; then
        echo "Usage: $0 tld-file-name" >&2
        exit 1
fi

while read -r tld; do
        [ -z "$tld" ] && continue       # skip blank lines
        echo "Checking for $tld"
        zone "$tld." > "$tld"
done < "$1"
zoczus@jano:~/tld$ ./check.sh tld.txt
Checking for aero
Checking for asia
Checking for biz
Checking for cat
Checking for com
Checking for coop
Checking for info
Checking for int
Checking for jobs
Checking for mobi
Checking for museum
Checking for name
Checking for net
(...)
Checking for xn--q7ce6a
Checking for xn--mgbb7fyab
Checking for xn--kgbechtv
Checking for xn--hgbk6aj7f53bba
Checking for xn--0zwm56d
Checking for xn--g6w251d
Checking for xn--80akhbyknj4f
Checking for xn--11b5bs3a9aj6g
Checking for xn--jxalpdlp
Checking for xn--9t4b11yi5a
Checking for xn--deba0ad
Checking for xn--zckzah
Checking for xn--hlcj6aya9esc7a
Checking for arpa

zoczus@jano:~/tld$ grep 'OK!' * | awk -F: '{ print $1 }'
aero
an
ao
arpa
bb
bd
bi
bv
ci
cy
do
er
fo
ge
gp
gq
gt
gy
int
iq
kw
mc
mg
mo
mp
mw
ni
np
pf
pg
sj
sl
sv
to
uk
xn--9t4b11yi5a
xn--fzc2c9e2c
xn--j1amh
xn--jxalpdlp
xn--xkc2al3hye2a
xn--ygbi2ammx
xn--zckzah
ye
zw

zoczus@jano:~/tld$ grep "IN" * | wc -l
257202

Pretty cool, huh?

5 comments:

  1. You're right, I've already written about it:
    http://www.marcinrybak.com/2010/04/axfr-shouldnt-be-public.html
    The problem is still current, but a few DNS administrators replied like this one:
    "The vast majority of information in the DNS can be obtained by enumerating the reverse zones or using Google. Services named in the DNS are intended to be publicly accessible or are protected in various ways."

    Replies
    1. Like "It's only a DNS zone, who cares?" ;-) and the fact is that not everyone uses reverse DNS, and not all resources are indexed by Google either.

    2. Enumerating DNS zones is easier with public AXFR :), and sometimes it's also easier to enumerate the local network with these zones, because many records point to local IP addresses.

  2. KISS: domain=$1;for dns in $(host -t ns $domain | awk '{print $4}');do dig @$dns axfr $domain;done

  3. Hi!
    Do you happen to have those zone files? I am trying to "reconstruct" something and I am looking for all kinds of old zone files. More if you contact me - nmmm@nmmm.nu
