When it comes to web server penetration testing, a DNS server is always near the top of the list, because the DNS server is the core gateway between an internal enterprise network and the wider internet. Information gathering, as we all know, is an important part of penetration testing, so gathering information about the DNS is just as important as the DNS server itself. If an attacker can enumerate a DNS server, it can prove very damaging to the organization whose information is stored on that server. In this tutorial we will look at several tools, and their usage, with which we can enumerate a DNS server in several ways.
For this we will open a Terminal in BackTrack/Kali and type
cd /pentest/enumeration/dns
Then type
ls
The list of DNS enumeration tools will appear, and we will take a look at the use of all of them.

First we will use the dnsenum tool.

This tool is very easy to use; just type the command in the format
perl dnsenum.pl
It will generate results as shown in the picture below.

It provided us with the entire list of IPs used by the website, including the mail servers.

Now the trick is to extract the information that we need for further phases of pen-testing, e.g. if you want to test the mail server you can telnet to it and exploit it by foot-printing (this will be explained in upcoming tutorials). The next tool that we will use is dnswalk.

It is also a very good tool for enumerating, and it provides filtered information about the target. You can access it with the cd dns command in the dns folder. The only difference in the input is that in dnswalk the target ends with a "." (it is given as a fully qualified domain name with a trailing dot).

We got the results here. As we have mentioned earlier, dnswalk only provides basic information like the SOA server and warnings. It is a partial enumeration testing tool.

The next tool we will be digging into is called dnsrecon. You can find it in the dns folder; it is a tool written in Python.

Now, as you can see below, we have performed multiple operations with dnsrecon, which will be explained further. You can retrieve SRV records of the target and also query SOA, etc.

For retrieving SRV records you have to type the command
./dnsrecon.py -t srv -d <target name>

Now here is how the result of the SRV records looks:

And here is how we query the SOA, NS and MX of the servers, using the command
./dnsrecon.py -t std -d <target name>
And here is how the result will look:

By DNS enumeration you can gather a lot of information about the target, and it can prove to be very helpful in a penetration test.
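From the defender's side, the burst of SOA/NS/MX/TXT/SRV queries for one zone (or an AXFR attempt) that the dnsrecon std and srv runs above produce is easy to spot in resolver logs. The following script is an added example, not part of the original tutorial or of dnsrecon; the log lines are constructed and their layout is a simplified imitation of BIND 9 query logging, and the 60-second window and threshold of four record types are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the layout imitates BIND 9 query logging but is an assumption.
SAMPLE_LOG = """\
12-Mar-2024 10:00:01.100 client 198.51.100.7#40001: query: example.com IN SOA + (203.0.113.1)
12-Mar-2024 10:00:01.200 client 198.51.100.7#40002: query: example.com IN NS + (203.0.113.1)
12-Mar-2024 10:00:01.300 client 198.51.100.7#40003: query: example.com IN MX + (203.0.113.1)
12-Mar-2024 10:00:01.400 client 198.51.100.7#40004: query: example.com IN TXT + (203.0.113.1)
12-Mar-2024 10:00:02.000 client 198.51.100.7#40005: query: _ldap._tcp.example.com IN SRV + (203.0.113.1)
12-Mar-2024 10:00:05.000 client 192.0.2.44#53211: query: mail.example.com IN A + (203.0.113.1)
12-Mar-2024 10:05:00.000 client 192.0.2.44#53212: query: example.com IN MX + (203.0.113.1)
12-Mar-2024 10:07:30.000 client 192.0.2.99#1234: query: example.com IN AXFR + (203.0.113.1)
"""

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: "
                    r"(?P<qname>\S+) IN (?P<qtype>[A-Z]+)")
# Record types that dnsrecon's std/srv enumeration asks for, plus a zone transfer.
ENUM_TYPES = {"SOA", "NS", "MX", "TXT", "SRV", "AXFR"}
WINDOW = timedelta(seconds=60)   # assumed detection window
MIN_TYPES = 4                    # assumed threshold of distinct types per zone

def parse(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"]

def find_enumerators(lines):
    """Map client IP -> (zone, sorted types) for clients that requested MIN_TYPES
    or more enumeration record types for one zone within WINDOW, or tried AXFR."""
    events = defaultdict(list)   # (ip, zone) -> [(ts, qtype)]
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in ENUM_TYPES:
            # Fold SRV names such as _ldap._tcp.example.com onto their zone.
            zone = ".".join(lab for lab in rec[2].split(".") if not lab.startswith("_"))
            events[(rec[1], zone)].append((rec[0], rec[3]))
    hits = {}
    for (ip, zone), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            types = {t for ts, t in evs[i:] if ts - start <= WINDOW}
            if "AXFR" in types or len(types) >= MIN_TYPES:
                hits[ip] = (zone, sorted(types))
                break
    return hits
```

Run against the sample, the client that walked SOA, NS, MX, TXT and SRV in one second is flagged, the single AXFR request is flagged on its own, and the client that only looked up an A record and later an MX record is not.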