Showing posts with label dns.

DNS Basics | Footprinting Methods and Tools


Let's take at least a couple of minutes to go over some basics, mainly because you'll see this stuff on the CEH exam. The simplest explanation of DNS I can think of follows. DNS is made up of servers all over the world. Each server holds and manages the records for its own little corner of the globe, known in the DNS world as a zone (its portion of the overall namespace). Each of these records gives directions to or for a specific type of resource. Some records provide IP addresses for individual systems within your network, whereas others provide the names of your e-mail servers. Some provide pointers to other DNS servers, which is how a resolver is referred from one server to the next until it reaches the one that holds the answer.

Port numbers are always important in discussing anything network-wise. When it comes to DNS, 53 is your number. Name lookups generally use UDP port 53, whereas zone transfers (AXFR) use TCP port 53. TCP also carries ordinary lookups when an answer does not fit in a UDP datagram: the server sets the TC (truncated) flag in its reply and the client repeats the same query over TCP. A firewall that permits only UDP/53 is therefore not a zone-transfer control in itself; the restriction belongs on the server.

Big, huge servers might handle a zone as big as the top-level domain “.com,” whereas another server further down the line holds all the records for “mheducation.com.” The beauty of this system is that each server only has to worry about the name records for its own portion of the namespace, plus the NS records that delegate each child zone to the servers responsible for it. A resolver starts at the root servers, is referred to the “.com” servers, and is referred again to the servers for the name it is actually asking about. The entire system looks like an inverted tree, and you can see how a request for a particular resource can easily be routed to the appropriate server. For example, the servers for the second-level domain anyname.com hold and manage all the records for that zone, so anyone looking for a resource there (such as its website) ends up asking those servers for the address.
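The UDP-versus-TCP point above is easy to see at the wire level. The following Python is an added example, not code from the original page: it builds a DNS query the way a resolver sends it to UDP port 53, parses a reply, and, when the reply carries the TC (truncated) flag, frames the same query for TCP with the 2-byte length prefix that DNS over TCP requires. Nothing is sent on the network; the reply is a constructed byte string, and the transaction ID, the names and the 192.0.2.10 address (an RFC 5737 documentation address) are made up for illustration.

```python
import socket
import struct

# Added example: DNS queries and replies at the wire level (RFC 1035).
# Nothing here touches the network; the "reply" below is a constructed byte string.

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
         "AAAA": 28, "SRV": 33, "AXFR": 252}

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """12-byte header (recursion desired) + one question; sent as-is over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def tcp_frame(message):
    """DNS over TCP prefixes every message with its 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def decode_name(msg, offset):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer: 11xxxxxx xxxxxxxx
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # caller resumes after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Return header fields and the answer section; truncated=True means 'retry over TCP'."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "truncated": bool(flags & FLAG_TC),
              "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                                        # qtype + qclass
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE["A"] and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype in (QTYPE["NS"], QTYPE["CNAME"], QTYPE["PTR"]):
            value, _ = decode_name(msg, off - rdlen)    # rdata is itself a (compressible) name
        else:
            value = rdata.hex()
        result["answers"].append((name, rtype, ttl, value))
    return result


def next_step(query, udp_reply):
    """What a resolver does with a UDP reply: drop it if the transaction ID does not
    match, resend over TCP if the server set TC, otherwise use the answers."""
    parsed = parse_response(udp_reply)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        return ("discard", None)                        # not ours (stale or spoofed)
    if parsed["truncated"]:
        return ("retry_tcp", tcp_frame(query))
    return ("done", parsed)


# Constructed sample: a UDP reply to an A query for www.example.com with QR|TC|RD|RA
# set and one answer whose owner name is a compression pointer back to offset 12.
SAMPLE_QUERY = build_query("www.example.com", "A", txid=0xBEEF)
SAMPLE_UDP_REPLY = (
    struct.pack("!HHHHHH", 0xBEEF, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    action, payload = next_step(SAMPLE_QUERY, SAMPLE_UDP_REPLY)
    print(action, payload.hex() if action == "retry_tcp" else payload)
```

The transaction-ID check is the cheap half of cache-poisoning resistance; a real resolver also randomises the source port and the query ID, which is why `build_query` takes the ID as a parameter rather than hard-coding it.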



DNS Footprinting | Footprinting Methods and Tools


I hate getting lost. Now, I’m not saying I’m always the calmest driver and that I don’t complain (loudly) about circumstances and other drivers on the road, but I can honestly say nothing puts me on edge like not knowing where I’m going while driving, especially when the directions given to me don’t include the road names. I’m certain you know what I’m talking about—directions that say, “Turn by the yellow sign next to the drugstore and then go down half a mile and turn right onto the road beside the walrus-hide factory. You can’t miss it.” Inevitably I do wind up missing it, and cursing ensues.

Thankfully, negotiating the Internet isn't reliant on crazed directions. The road signs we have in place to get to our favorite haunts are all part of the Domain Name System (DNS), and they make navigation easy. DNS, as you're no doubt already aware, provides a name-to-IP-address (and vice versa) mapping service, allowing us to type in a name for a resource as opposed to its address. This also provides a wealth of footprinting information for the ethical hacker, so long as you know how to use it.

Although DNS records are easy to obtain and generally designed to be freely available, this kind of footprinting can still get you in trouble, and note that it is not entirely passive: a zone transfer is a direct request to the target's own name server. A computer manager named David Ritz lost a 2008 North Dakota court case over a zone transfer he performed against a DNS server. It was truly a ridiculous ruling, but the point remains that legality and right versus wrong seem always in the eye of the beholder, so be careful and get written authorization before querying a client's servers.


Windows 2000 DNS Zone Transfer



In a Windows 2000 domain, clients use service (SRV) records to locate Windows 2000 domain services, such as Active Directory and Kerberos. This means every Windows 2000 Active Directory domain must have a DNS server for the network to operate properly.
A simple zone transfer performed with the nslookup command can enumerate lots of interesting network information. Note that ls -d is an interactive subcommand of the Windows nslookup, not a command-line switch, so the request is typed at the nslookup prompt after pointing it at one of the domain's authoritative servers:
nslookup
> server ns1.domainname
> ls -d domainname
On Linux or macOS, where nslookup has no ls subcommand, the equivalent is dig @ns1.domainname domainname AXFR (or host -l domainname ns1.domainname). The transfer succeeds only if the server permits it to your address; a refusal is the expected result from a properly configured server.
Within the nslookup results, a hacker looks closely at the following SRV records, because they reveal which hosts provide the domain's core services and on which ports:
  • Global Catalog service (_gc._tcp, port 3268)
  • Domain controllers (_ldap._tcp, port 389)
  • Kerberos authentication (_kerberos._tcp, port 88)
As a countermeasure, zone transfers can be blocked in the properties of the zone on the Windows DNS server (Zone Transfers tab): either disallow them entirely or allow them only to the servers listed on the Name Servers tab or to specific secondary-server addresses. Allowing transfers "to any server" is the setting that makes the enumeration above possible.
An Active Directory database is a Lightweight Directory Access Protocol (LDAP)-based database. This allows the existing users and groups in the database to be enumerated with a simple LDAP query. The only thing required to perform this enumeration is to create an authenticated session via LDAP. A Windows 2000 LDAP client called the Active Directory Administration Tool (ldp.exe) connects to an Active Directory server and identifies the contents of the database. You can find ldp.exe on the Windows 2000 CD-ROM in the Support\Reskit\Netmgmt\Dstool folder.
To perform an Active Directory enumeration attack, a hacker performs the following steps:
  1. Connect to any Active Directory server using ldp.exe on port 389. When the connection is complete, server information is displayed in the right pane.
  2. On the Connection menu, choose Authenticate. Type the username, password, and domain name in the appropriate boxes. You can use the Guest account (where an administrator has enabled it; it is disabled by default) or any other domain account, however low-privileged.
  3. Once the authentication is successful, enumerate users and built-in groups by choosing the Search option from the Browse menu.

Identifying Types of DNS Records



The following list describes the common DNS record types and what each one tells a footprinter:
  • A (Address) Maps a hostname to an IPv4 address
  • SOA (Start of Authority) Names the primary DNS server for the zone and the administrator's mailbox, and carries the zone serial number and refresh/retry/expire timers
  • CNAME (Canonical Name) Provides an alias that points at another name, which in turn holds the address record
  • MX (Mail Exchange) Identifies the mail servers for the domain, each with a preference value (lowest is tried first)
  • SRV (Service) Identifies the host and port for a named service, such as the directory and Kerberos services Active Directory registers
  • PTR (Pointer) Maps an IP address back to a hostname (reverse lookup, held in the in-addr.arpa zone)
  • NS (Name Server) Identifies the authoritative name servers for the domain and delegates subdomains to theirs
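Putting this record-type list together with the zone-transfer walk-through above, here is an added Python example (not from the original page and not a Microsoft tool) that triages a zone dump the way the text describes: it picks out name servers, mail servers, hosts and aliases, and flags the _gc._tcp, _ldap._tcp and _kerberos._tcp SRV records that give away Active Directory roles. The input is a constructed sample in master-file format, which is what dig ... AXFR prints; Windows nslookup's ls -d shows the same records in its own column layout, so its lines would need a different regular expression. The example.com names and 192.0.2.x addresses are made up.

```python
import re

# Constructed sample zone transfer in master-file format (what
# `dig @ns1.example.com example.com AXFR` prints).  Every name and address
# is made up (RFC 5737 test addresses); this is not real footprinting data.
SAMPLE_AXFR = """\
example.com.                      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 900 600 86400 3600
example.com.                      3600 IN NS    ns1.example.com.
example.com.                      3600 IN MX    10 mail.example.com.
_ldap._tcp.example.com.            600 IN SRV   0 100 389 dc1.example.com.
_kerberos._tcp.example.com.        600 IN SRV   0 100 88 dc1.example.com.
_gc._tcp.example.com.              600 IN SRV   0 100 3268 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.  600 IN SRV   0 100 389 dc1.example.com.
dc1.example.com.                  3600 IN A     192.0.2.10
mail.example.com.                 3600 IN A     192.0.2.25
www.example.com.                  3600 IN CNAME web01.example.com.
web01.example.com.                3600 IN A     192.0.2.80
"""

# Owner-name prefixes Active Directory registers (the ones the text says to
# look for), mapped to the role they reveal.
AD_SERVICE_PREFIXES = {
    "_gc._tcp": "Global Catalog",
    "_ldap._tcp": "Domain controller (LDAP)",
    "_kerberos._tcp": "Kerberos KDC",
}

# owner  ttl  IN  TYPE  rdata...   (one resource record per line)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")


def parse_zone(text):
    """Parse master-file lines into (owner, ttl, type, [rdata fields]) tuples.
    Comment (';') and blank lines are skipped; anything else unparseable is an error."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError("unrecognised record line: %r" % line)
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner.lower(), int(ttl), rtype, rdata.split()))
    return records


def triage(records):
    """Sort a zone dump into the things a footprinter cares about."""
    out = {
        "primary_ns": None, "admin_contact": None,
        "name_servers": [], "mail_servers": [],
        "ad_services": [], "hosts": {}, "aliases": {},
    }
    for owner, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            out["primary_ns"] = rdata[0]
            # SOA RNAME "hostmaster.example.com." is the mailbox hostmaster@example.com
            out["admin_contact"] = rdata[1].rstrip(".").replace(".", "@", 1)
        elif rtype == "NS":
            out["name_servers"].append(rdata[0])
        elif rtype == "MX":
            out["mail_servers"].append((int(rdata[0]), rdata[1]))   # (preference, host)
        elif rtype == "SRV":
            _priority, _weight, port, target = rdata
            prefix = ".".join(owner.split(".")[:2])                 # e.g. "_ldap._tcp"
            role = AD_SERVICE_PREFIXES.get(prefix)
            if role is not None:
                if "._msdcs." in owner:        # AD's own subtree; same role, noted separately
                    role += " [_msdcs]"
                out["ad_services"].append((role, target, int(port)))
        elif rtype == "A":
            out["hosts"][owner] = rdata[0]
        elif rtype == "CNAME":
            out["aliases"][owner] = rdata[0]
    out["mail_servers"].sort()                 # lowest preference first, as MTAs try them
    return out


if __name__ == "__main__":
    summary = triage(parse_zone(SAMPLE_AXFR))
    for key, value in summary.items():
        print("%-14s %s" % (key, value))
```

The useful output is the ad_services list: from three SRV lines a footprinter learns the domain controller's name and, via its A record, its address, without ever touching the host itself.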
