DNS Information Gathering for Penetration Testers using NSLOOKUP
For Penetration testers Information gathering during a web application penetration test is one of the most important phases . DNS (Domain Name System) is very helpfull for gathering valuable information of your target. It is not unknown that NSLOOKUP is one of the Best OPEN SOURCE tools that come to a penetration testers rescue for DNS information gathering . Lets start with a practical analysis of a domain using NSLOOKUP .
What is nslookup ?
Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain.
DNS Records : Resource Records and the Zone file
A Zone file is basically a text file present on the server hosting the domain that contains entries for different resource records. Each line is represented by a different record .In some cases these records may exceed one line and hence must be enclosed within a parantheses. Each zone file must start with a Start of Authority (SOA) record containing an authoritative nameserver for the domain (for e.g. ns1.google.com for google.com ) and an email address of someone responsible for the management of the nameserver.
Types of DNS RECORDS
SAMPLE DNS ZONE FILE
This file (pri.example.com) is the standard sample zone file .
Here are main components of the DNS Zone File :
- Two name servers are used one internal (ns1) and one external (ns2) to the domain
- The mail service is external to the domain (provided by a third party)
- FTP and WWW services are provided by the same host
- There are two hosts named bill and fred
- The host addresses are all in the class C private address range 192.168.0.0 (a slightly artificial case)
Different types of Resource Records exist within a Zone file.
However we are going to discuss some of the important ones .
- A Records– Maps an IP Address to a hostname.For e.g. 184.108.40.206 for google.com.
NS Records-Delegates a given zone to use the given authoritative nameserver. For e.g. ns1.google.com is an authoritative nameserver for google.com
- MX Records-This basically tells us which server is responsible for receiving mails sent to that domain name.
- TXT Records-This consists of arbitrarily human readable text in a record.
- CNAME Records– Gives an alias of one name to another.
DNS Information Gathering Using NSLOOKUP :
Using nslookup from commnd line
In windows just open the command prompt and type nslookup
In *nix bsed systems open the terminal window and type nslookup
I am more of an Open Source Lover so I ll engage on *nix systems for my tutorial .
Default Server: scitsc.ser.ac.uk Address: 220.127.116.11
> set q=A > ccub.ser.ac.uk. Server: scitsc.ser.ac.uk Address: 18.104.22.168
Name: ccub.ser.ac.uk Address: 22.214.171.124
> set q=CNAME > www.ser.ac.uk. Server: scitsc.ser.ac.uk Address: 126.96.36.199
www.ser.ac.uk canonical name = ccuf.ser.ac.uk > set q=MX > ser.ac.uk. Server: scitsc.ser.ac.uk Address: 188.8.131.52
ser.ac.uk preference = 1, mail exchanger = ser.ac.uk ser.ac.uk inet address = 184.108.40.206 > set q=HINFO > ccub.ser.ac.uk. Server: scitsc.ser.ac.uk Address: 220.127.116.11
ccub.ser.ac.uk CPU=SUN 690MP OS=Solaris 2.4 > set q=PTR > 18.104.22.168.in-addr.arpa Server: scitsc.ser.ac.uk Address: 22.214.171.124 126.96.36.199.in-addr.arpa host name = ccug.ser.ac.uk
Please Post in the comments section for any doubts .