
Penetration Testing – DNS reconnaissance

Once a tester has identified the targets that have an online presence and contain items of interest, the next step is to identify the IP addresses and routes to the target: DNS reconnaissance.

DNS reconnaissance is concerned with identifying who owns a particular domain or series of IP addresses (whois-type information), the DNS information defining the actual domain names and IP addresses assigned to the target, and the route between the penetration tester or the attacker and the final target.

This information gathering is semi-active—some of the information is available from freely available open sources, while other information is available from third parties such as DNS registrars. Although the registrar may collect IP addresses and data concerning requests made by the attacker, it is rarely provided to the end target. The information that could be directly monitored by the target, such as DNS server logs, is almost never reviewed or retained.

Because the information needed can be queried using a defined systematic and methodical approach, its collection can be automated.

Note that DNS information may contain stale or incorrect entries. To minimize inaccurate information, query different source servers and use different tools to cross-validate results. Review results, and manually verify any suspect findings. Use a script to automate the collection of this information. The script should create a folder for the penetration test, and then a series of folders for each application being run. After the script executes each command, pipe the results directly to the specific holding folder.
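The automation this paragraph describes, as an added example that is not the article's own script: it creates the engagement folder and one folder per tool, writes each command's output into that tool's folder together with a log of what was run, and compares the answers from the system resolver with those from a second resolver. The target name, the alternate resolver (1.1.1.1 is only a default) and the tool list are assumptions supplied by the caller; whois and dig are the standard commands, and dig's +nottlid option is used so that differing cached TTLs are not reported as disagreements.

```python
# Added example (not the article's own script): automate the collection step
# described above. One folder per engagement, one per tool, every output stored
# with a log line, and two resolvers cross-checked. Target, alternate resolver
# and tool list are assumptions supplied by the caller.
import subprocess
from datetime import datetime, timezone
from pathlib import Path


def setup_tree(root, tools):
    """Create ROOT plus one subfolder per tool; returns {tool: path}."""
    root = Path(root)
    paths = {}
    for tool in tools:
        path = root / tool
        path.mkdir(parents=True, exist_ok=True)
        paths[tool] = path
    return paths


def store_output(root, tool, target, text, argv, rc):
    """Write TEXT to ROOT/TOOL/TARGET.txt and append one line to ROOT/commands.log.
    Returns the path of the stored output."""
    root = Path(root)
    outfile = root / tool / f"{target}.txt"
    outfile.parent.mkdir(parents=True, exist_ok=True)
    outfile.write_text(text)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(root / "commands.log", "a") as log:
        log.write(f"{stamp}\t{tool}\t{target}\t{' '.join(argv)}\trc={rc}\n")
    return outfile


def run_and_store(root, tool, target, argv):
    """Run ARGV and store its combined stdout/stderr; returns the stored path."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return store_output(root, tool, target, proc.stdout + proc.stderr, argv, proc.returncode)


def dig_argv(target, rtype, resolver=None):
    """dig command line: +noall +answer prints only the answer section, +nottlid
    drops the TTL so answers from differently cached resolvers compare equal."""
    argv = ["dig", "+noall", "+answer", "+nottlid"]
    if resolver:
        argv.append(f"@{resolver}")
    return argv + [target, rtype]


def answer_lines(text):
    """Non-comment lines, lower-cased with whitespace collapsed, as a set."""
    return {" ".join(line.split()).lower()
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(";")}


def cross_check(file_a, file_b):
    """Compare two stored answers; returns (only_in_a, only_in_b). Two empty sets
    mean the resolvers agree; anything else is a finding to verify by hand."""
    a = answer_lines(Path(file_a).read_text())
    b = answer_lines(Path(file_b).read_text())
    return a - b, b - a


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"     # placeholder target
    alt_resolver = sys.argv[2] if len(sys.argv) > 2 else "1.1.1.1"  # assumed second resolver
    root = Path(f"recon-{target}")
    setup_tree(root, ["whois", "dig-system", "dig-alt"])
    run_and_store(root, "whois", target, ["whois", target])
    for rtype in ("A", "NS", "MX", "TXT"):
        a = run_and_store(root, "dig-system", f"{target}.{rtype}", dig_argv(target, rtype))
        b = run_and_store(root, "dig-alt", f"{target}.{rtype}", dig_argv(target, rtype, alt_resolver))
        only_a, only_b = cross_check(a, b)
        status = "consistent" if not (only_a or only_b) else f"differs: {sorted(only_a | only_b)}"
        print(f"{rtype}: {status}")
```

Run it as `python3 recon_collect.py example.com 9.9.9.9` (placeholder target and resolver); every answer lands under recon-example.com/, and commands.log records exactly which query produced each file, which is what makes manual verification of suspect findings possible later.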

Penetration Testing – WHOIS

The first step in researching the IP address space is to identify the addresses that are assigned to the target site. This is usually accomplished by using the whois command, which allows people to query databases that store information on the registered users of an Internet resource, such as a domain name or IP address.

Depending on the database that is queried, the response to a whois request will provide names, physical addresses, phone numbers, and e-mail addresses (useful in facilitating social engineering attacks), as well as IP addresses and DNS server names.

An attacker can use information from a whois query to:

• Support a social engineering attack against the location or persons identified in the query

• Identify a location for a physical attack

• Identify phone numbers that can be used for a war dialing attack, or to conduct a social engineering attack

• Conduct recursive searches to locate other domains hosted on the same server as the target or operated by the same user; if they are insecure, an attacker can exploit them to gain administrative access to the server, and then compromise the target server

• In cases where the domain is due to expire, an attacker can attempt to seize the domain, and create a look-alike website to compromise visitors who think they are on the original website

• An attacker will use the authoritative DNS servers, which hold the records for lookups of that domain, to facilitate DNS reconnaissance

Note that there is an increase in the usage of third parties to shield this data, and some domains, such as .gov and .mil, may not be publicly accessible.

Requests to these domains are usually logged. There are several online lists available that describe domains and IP addresses assigned for government use; most tools accept options for “no contact” addresses, and government domains should be entered into these fields to avoid the wrong type of attention!

The easiest way to issue a whois query is from the command line. The following screenshot shows the whois command run against the domain of Digital Defence:

The returned whois record contains geographical information, names, and contact information—all of which can be used to facilitate a social engineering attack.

There are several websites that automate whois lookup enquiries, and attackers can use these sites to insert a step between the target and themselves; however, the site doing the lookup may log the requester’s IP address.

DNS reconnaissance – Penetration Testing

The Domain Name System (DNS) is a distributed database that resolves names (www.digitaldefence.ca) to their IP addresses.

Attackers use the DNS information in the following ways:

• Brute-force attacks against DNS allow attackers to identify new domain names associated with the target.

• If the DNS server is configured to permit a zone transfer to any requester, it will provide hostnames and IP addresses of Internet-accessible systems, making it easier to identify potential targets. If the target does not segregate public (external) DNS information from private (internal) DNS information, a zone transfer might disclose the hostnames and IP addresses of internal devices. (Note that most IDS and IPS systems will trigger an alarm when a zone transfer is requested.)

• Finding services that may be vulnerable (for example, FTP) or are otherwise interesting (remote administration panels and remote access).

• Finding misconfigured and/or unpatched servers (dbase.test.target.com).

• Service records (SRV) provide information on service, transport, port, and order of importance for services. This can allow an attacker to deduce the software.

• DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are used to control spam e-mails. If these records are identified, the attacker knows that:

  ◦ The target is more security conscious than most organizations.
  ◦ This may impact phishing and other social engineering attacks.
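An added example (not from the article) of working with the record types just listed: it parses output in the format `dig +noall +answer` prints, pulls the priority, weight, port and target out of SRV records and orders them as a client would try them, and reports whether SPF and DKIM are published for the zone. The zone data in SAMPLE_ANSWERS is constructed for illustration (example.com, documentation addresses 192.0.2.x, a placeholder DKIM key) and is not a real domain's records.

```python
# Added example (not from the article): parse the record types the list above
# describes from 'dig +noall +answer' style output. SAMPLE_ANSWERS is constructed
# for illustration and is not a real zone.
import re

SAMPLE_ANSWERS = """\
; constructed sample, not real DNS data
example.com.                      3600 IN A   192.0.2.10
example.com.                      3600 IN MX  10 mail.example.com.
example.com.                      3600 IN TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
selector1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"
_sip._tcp.example.com.            3600 IN SRV 10 60 5060 sipserver.example.com.
_sip._tcp.example.com.            3600 IN SRV 20 0 5060 sipbackup.example.com.
_ldap._tcp.example.com.           3600 IN SRV 0 100 389 dc1.example.com.
"""

# SRV owner names have the form _service._proto.domain
SRV_OWNER = re.compile(r"^_(?P<service>[^.]+)\._(?P<proto>[^.]+)\.(?P<domain>.+)$")


def parse_answers(text):
    """Return a list of {name, ttl, type, rdata} for each 'owner TTL IN TYPE rdata' line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata})
    return records


def parse_srv(record):
    """Split one SRV record into service, protocol, domain, priority, weight, port, target."""
    owner = SRV_OWNER.match(record["name"])
    priority, weight, port, target = record["rdata"].split()
    return {"service": owner.group("service"), "proto": owner.group("proto"),
            "domain": owner.group("domain"), "priority": int(priority),
            "weight": int(weight), "port": int(port),
            "target": target.rstrip(".").lower()}


def service_inventory(records):
    """SRV entries in the order a client would try them (RFC 2782): lowest priority
    first, then higher weight first within the same priority."""
    srv = [parse_srv(r) for r in records if r["type"] == "SRV"]
    return sorted(srv, key=lambda s: (s["priority"], -s["weight"]))


def mail_policy(records):
    """Report whether the zone publishes SPF and DKIM, and how strict the SPF 'all' is."""
    spf, spf_all = False, None
    for r in records:
        if r["type"] != "TXT":
            continue
        txt = r["rdata"].strip('"')
        if txt.startswith("v=spf1"):
            spf = True
            for token in txt.split():
                if token.lstrip("+-~?") == "all":
                    spf_all = token if token[0] in "+-~?" else "+all"
    dkim = sorted(r["name"].split("._domainkey.")[0] for r in records
                  if r["type"] == "TXT" and "._domainkey." in r["name"]
                  and "v=DKIM1" in r["rdata"])
    return {"spf": spf, "spf_all": spf_all, "dkim_selectors": dkim}


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    for s in service_inventory(recs):
        print(f"{s['service']}/{s['proto']} -> {s['target']}:{s['port']} "
              f"(priority {s['priority']}, weight {s['weight']})")
    print(mail_policy(recs))
```

The SRV ordering matters for interpretation: the lowest-priority entry is the primary host for that service, and the port field tells you which service is expected there before any port scan is run. The mail_policy result is the same check a defender uses to confirm that SPF ends in a strict "-all" and that a DKIM selector is actually published.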

Both Windows and Unix support basic command-line tools such as nslookup, and Unix systems support additional command-line options such as dig. Unfortunately, these commands usually interrogate one server at a time, and require interactive responses to be effective.

Kali features several tools designed to iteratively query DNS information for a particular target. The selected tool must accommodate the Internet Protocol version that is used for communications with the target—IPv4 or IPv6.

Penetration Testing – IPv4

The IP, or Internet Protocol address, is a unique number used to identify devices that are connected to a private network or the public Internet. Today, the Internet is largely based on version 4, IPv4.

Kali includes several tools to facilitate DNS reconnaissance, as given in the following table:

Application Description
dnsenum, dnsmap, and dnsrecon These are comprehensive DNS scanners—DNS record enumeration (A, MX, TXT, SOA, wildcard, and so on), subdomain brute-force attacks, Google lookup, reverse lookup, zone transfer, and zone walking. dnsrecon is usually the first choice—it is highly reliable, results are well parsed, and data can be directly imported into the Metasploit Framework.
dnstracer This determines where a given Domain Name System gets its information from, and follows the chain of DNS servers back to the servers which know the data.
dnswalk This DNS debugger checks specified domains for internal consistency and accuracy.
fierce This locates non-contiguous IP space and hostnames against specified domains by attempting zone transfers, and then attempting brute-force attacks to gain DNS information.

During testing, most investigators run fierce to confirm that all possible targets have been identified, and then run at least two comprehensive tools (for example, dnsenum and dnsrecon) to generate the maximum amount of data and provide a degree of cross-validation.

In the following screenshot, dnsrecon is used to generate a standard DNS record search, and a search that is specific for SRV records. An excerpt of the results is shown for each case.

DNSrecon allows the penetration tester to obtain the SOA record, name servers (NS), mail exchanger (MX) hosts, servers sending e-mails using Sender Policy Framework (SPF), and the IP address ranges in use.


Penetration Testing – IPv6

Although IPv4 seems to permit a large address space, freely available IP addresses were exhausted several years ago, forcing the employment of NAT and DHCP to increase the number of available addresses. A more permanent solution has been found in the adoption of an improved IP addressing scheme, IPv6. Although it constitutes less than five percent of Internet addresses, its usage is increasing, and penetration testers must be prepared to address the differences between IPv4 and IPv6.

In IPv6, the source and destination addresses are 128 bits in length, yielding 2^128 possible addresses, that is, 340 undecillion addresses!

The increased size of the addressable address space presents some problems to penetration testers, particularly when using scanners that step through the available address space looking for live servers. However, some features of the IPv6 protocol have simplified discovery, especially the use of ICMPv6 to identify active link-local addresses.

It is important to consider IPv6 when conducting initial scans for the following reasons:

• There is uneven support for IPv6 functionality in testing tools, so the tester must ensure that each tool is validated to determine its performance and accuracy in IPv4, IPv6, and mixed networks.
• Because IPv6 is a relatively new protocol, the target network may contain misconfigurations that leak important data; the tester must be prepared to recognize and use this information.
• Older network controls (firewalls, IDS, and IPS) may not detect IPv6. In such cases, penetration testers can use IPv6 tunnels to maintain covert communications with the network, and exfiltrate the data undetected.

Kali includes several tools developed to take advantage of IPv6 (most comprehensive scanners, such as nmap, now support IPv6), some of which are as follows; tools that are particular to IPv6 were largely derived from the THC-IPv6 Attack Toolkit.

Application Description
Dnsdict6 Enumerates subdomains to obtain IPv4 and IPv6 addresses (if present) using a brute force search based on a supplied dictionary file or its own internal list.
Dnsrevenum6 Performs reverse DNS enumeration given an IPv6 address.

The execution of the dnsdict6 command is shown in the following screenshot:

If you have encountered a problem or you have any questions or remarks please feel free to set a comment.

If this article helped you to solve your problem please feel free to share it with your friends … with love and prosperity K4LINUXTEAM.
