środa, 10 kwietnia 2013

[EN] DNS missing allow-transfer

Ten Post wyjątkowo będzie napisany w języku angielskim. Z góry przepraszam. :-)

Before we start pentesting it's always good to gather some information about our target. One thing which we'd like to know are additional resources - SQL servers, developers and test machines, backups, etc. For example, we can check PTR records (revDNS) for IP class (manually or using this tool). Sometimes, our target configures his zone without allow-transfer option, so anybody can download zone file in the same way as secondary DNS does.

There are multiple ways to do this. Using default available tools:

zoczekj@cojapache:~$ host -l tesco.pl ns4.czart.pl
Using domain server:
Name: ns4.czart.pl
Address: 194.8.14.2#53
Aliases: 

tesco.pl name server ns1.czart.pl.
tesco.pl name server ns2.czart.pl.
tesco.pl name server ns3.czart.pl.
tesco.pl name server ns4.czart.pl.
tesco.pl name server one.czart.pl.
tesco.pl name server crimson.czart.pl.
tesco.pl name server czartux.czart.pl.
tesco.pl has address 194.8.14.16
100sposobow-1.tesco.pl has address 193.221.122.60
100sposobow-2.tesco.pl has address 193.221.122.60
(...)
xfiles.tesco.pl has address 194.8.14.16
xfiles2.tesco.pl has address 194.8.14.29
zwierzaki.tesco.pl has address 194.8.14.16
admin.zwierzaki.tesco.pl has address 194.8.14.16

zoczus@jano:~$ dig @pri.authdns.ripe.net. ripe.net axfr | wc -l # this baby is huge one! ;-)
19626

..or using my perl script:

zoczus@jano:~$ zone wikipedia.org
Checking ns2.wikimedia.org... OK!
wikipedia.org. 86400 IN SOA ns0.wikimedia.org. hostmaster.wikimedia.org. (
     2013030122 ;serial
     43200      ;refresh
     7200       ;retry
     1209600    ;expire
     3600   ) ;minimum
wikipedia.org. 3600 IN A 208.80.152.201
wikipedia.org. 86400 IN NS ns0.wikimedia.org.
wikipedia.org. 86400 IN NS ns1.wikimedia.org.
wikipedia.org. 86400 IN NS ns2.wikimedia.org.
wikipedia.org. 3600 IN MX 50 lists.wikimedia.org.
wikipedia.org. 3600 IN MX 10 mchenry.wikimedia.org.
wikipedia.org. 3600 IN AAAA 2620:0:860:ed1a::1
aa.wikipedia.org. 3600 IN CNAME wikipedia-lb.wikimedia.org.
aa.m.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
aa.m.mobile.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
aa.m.wap.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
(...)
zu.wap.wikipedia.org. 3600 IN CNAME mobile-lb.eqiad.wikimedia.org.
zu.zero.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
zu.zero.mobile.wikipedia.org. 3600 IN CNAME m.wikimedia.org.
zu.zero.wap.wikipedia.org. 3600 IN CNAME m.wikimedia.org.




It seems to be quite simple. Lot of servers are still configured in this way. It's neither a new method nor my discovery. This technique is widely known.

Ok - how about trying this with TLDs? I've used this list and small bash script:

zoczus@jano:~/tld$ cat check.sh 
#!/bin/bash
#
# (C) ZoczuS
###
if [ $# -lt 1 ]; then
        echo "Usage $0 tld-file-name";
        exit
fi

l=`cat $1 | wc -l`;
i=1;
while [ $i -le $l ]; do
        tld=`head -n $i $1 | tail -n 1`;
        echo "Checking for $tld";
        zone "$tld." > $tld
        i=$[i+1];
done
zoczus@jano:~/tld$ ./check.sh tld.txt
Checking for aero
Checking for asia
Checking for biz
Checking for cat
Checking for com
Checking for coop
Checking for info
Checking for int
Checking for jobs
Checking for mobi
Checking for museum
Checking for name
Checking for net
(...)
Checking for xn--q7ce6a
Checking for xn--mgbb7fyab
Checking for xn--kgbechtv
Checking for xn--hgbk6aj7f53bba
Checking for xn--0zwm56d
Checking for xn--g6w251d
Checking for xn--80akhbyknj4f
Checking for xn--11b5bs3a9aj6g
Checking for xn--jxalpdlp
Checking for xn--9t4b11yi5a
Checking for xn--deba0ad
Checking for xn--zckzah
Checking for xn--hlcj6aya9esc7a
Checking for arpa

zoczus@jano:~/tld$ grep 'OK!' * | awk -F: '{ print $1 }'
aero
an
ao
arpa
bb
bd
bi
bv
ci
cy
do
er
fo
ge
gp
gq
gt
gy
int
iq
kw
mc
mg
mo
mp
mw
ni
np
pf
pg
sj
sl
sv
to
uk
xn--9t4b11yi5a
xn--fzc2c9e2c
xn--j1amh
xn--jxalpdlp
xn--xkc2al3hye2a
xn--ygbi2ammx
xn--zckzah
ye
zw

zoczus@jano:~/tld$ grep "IN" * | wc -l
257202

Pretty cool, huh?

10 komentarzy:

  1. you're right, I've already written about it:
    http://www.marcinrybak.com/2010/04/axfr-shouldnt-be-public.html
    the problem is still current, but few dns administrators replied like this one:
    "The vast majority of information in the DNS can be obtained by enumerating the reverse zones or using Google. Services named in the DNS are intended to be publicly accessible or are protected in various ways."

    OdpowiedzUsuń
    Odpowiedzi
    1. Like "It's only DNS zone, who cares?" ;-) and fact is that not all uses reverse DNS and also not all resources are indexed by Google.

      Usuń
    2. enumerating dns zones is easier with public axfr :), sometimes it's also easier to enumerate local network with this zones, cause many records points to local ip addresses.

      Usuń
  2. KISS: domain=$1;for dns in $(host -t ns $domain | awk '{print $4}');do dig @$dns axfr $domain;done

    OdpowiedzUsuń
  3. Hi!
    do you happen to have those zonefiles? I am trying to "reconstruct" something and I am looking for all kind of old zone files. more if you contact me - nmmm@nmmm.nu

    OdpowiedzUsuń

  4. The even then duration on the proper is almost certainly with the truckload of along with young females, Most of in several reports attached to bare skin, Have been filled with through to any truck by just beaming, Gawking Sri Lankan troopers that also jeered regarding utilizing raped themselves. As much as quite a few women in film on her behalf resolution full of serious nevertheless in existence.Fantastic loss of every Vietnamese MonkJournalist Malcolm Browne's pic of ThchQung c's conscious immolation. WikipediaThe the demise of a particular Vietnamese Mahayana Buddhist mtok in which used by his own within an active at vehicle Saig intersecti 11 June 1963, Created a agonizing opinion on the actual western and in addition sector criminal

    tags: Cheap Yeezy Shoes, Discount Jordan Shoes Wholesale, Yeezy Boost 350 V2 Zebra For Sale, Jordan Shoes For Sale Cheap, Real Yeezy Shoes

    .

    OdpowiedzUsuń

  5. https://www.onlinedocumentarys.com/

    https://www.onlinedocumentarys.com/buy-passports.html

    https://www.onlinedocumentarys.com/buy-id-cards.html

    https://www.onlinedocumentarys.com/buy-drivers-license.html

    https://www.onlinedocumentarys.com/buy-visa.html

    OdpowiedzUsuń

  6. يؤدي انسداد المكثفات في الوحدة الداخلية لمكيف الهواء إلى تسرب المياه بسبب تجمع الطحالب أو الفطريات عليها، وتتسبب هذه المشكلة في رجوع المياه إلى داخل الأنبوب، وقد تتسرب المياه بسبب وجود عطل في مضخة التكثيف، وعندها يتطلب الإصلاح استبدالها بمضخة تكثيف أخرى. وتعد مشكلة تسرب المياه من المشاكل الشائعة التي تتعرض لها مكيفات الهواء؛ إلا أنّه يمكن إصلاحها منزلياً، أو يمكن الاستعانة بأحد فنيي الصيانة المعتمدين، ويمكن إصلاحها بفك مضخة التكثيف، والاستعانة بمكنسة كهربائية جافة أو رطبة لتنظيفها وفتح التصريف، أو يمكن استخدام الخل بمقدار 170 جراماً ووضعه في خط التصريف لتطهيره وقتل الفطريات، والتخلص من الطحالب المتراكمة، وينصح بأخذ الحذر عند استخدام الخل فأغلب أنابيب التصريف تكون رفيعة

    شركة تصليح مكيفات بالكويت

    OdpowiedzUsuń
  7. The Kisan credit card loan scheme is among the oldest government schemes in India. The KCC scheme was established in 1998 (22 years ago) by NABARD (National bank of Agricultural and rural development). KCC Apply Online The scheme has benefited thousands of farmers in India by providing short-term loans for their farming activities. Farmers can access the credits during any season or crop cycle, thus reducing the risk of crop failure due to lack of finances. The loans cover agriculture, fisheries, and animal husbandry.

    OdpowiedzUsuń