Sunday, September 15, 2013

Forward Lookup Brute Force



The idea behind this method is to try to guess valid names of organizational servers by trying to resolve a given name. If the name resolves, the server exists. Here’s a short example using the host command:
root@bt:~# host www.checkpoint.com
www.checkpoint.com has address 216.200.241.66
root@bt:~# host idontexist.checkpoint.com
Host idontexist.checkpoint.com not found: 3(NXDOMAIN)
root@bt:~#
Notice that the DNS name www.checkpoint.com resolved and the host command (which acts as a DNS client) returned the IP address belonging to that FQDN. The name idontexist.checkpoint.com did not resolve and you received a “not found” result.
Taking this idea a bit further, with a bit of bash scripting you can automate the process of discovery. Next, compile a short list of common server names and enter them into a file: dns-names.txt (a more complete list of DNS names is available in /pentest/enumeration/dnsenum/dns.txt):
www
www2
firewall
cisco
checkpoint
smtp
pop3
proxy
dns

You can now write a short bash script (dodns.sh) that will iterate through this list and execute the host command on each line:
#!/bin/bash
# Try to resolve every candidate name from dns-names.txt under checkpoint.com
for name in $(cat dns-names.txt); do
    host "$name.checkpoint.com"
done
The output of this script is raw and not terribly useful:
root@bt:~# ./dodns.sh
www.checkpoint.com has address 216.200.241.66
Host www1.checkpoint.com not found: 3(NXDOMAIN)
www2.checkpoint.com is an alias for www.checkpoint.com.
www.checkpoint.com has address 216.200.241.66
Host firewall.checkpoint.com not found: 3(NXDOMAIN)
Host cisco.checkpoint.com not found: 3(NXDOMAIN)
Host checkpoint.checkpoint.com not found: 3(NXDOMAIN)
smtp.checkpoint.com is an alias for michael.checkpoint.com.
michael.checkpoint.com has address 194.29.32.68
pop3.checkpoint.com is an alias for michael.checkpoint.com.
michael.checkpoint.com has address 194.29.32.68
Host proxy.checkpoint.com not found: 3(NXDOMAIN)
Host dns.checkpoint.com not found: 3(NXDOMAIN)
Host dns1.checkpoint.com not found: 3(NXDOMAIN)
ns.checkpoint.com has address 194.29.32.199
root@bt:~#
Try cleaning up the output to show only the lines that contain the string “has address”:
#!/bin/bash
# Keep only the lines for names that resolved to an address
for name in $(cat dns-names.txt); do
    host "$name.checkpoint.com" | grep "has address"
done
The output of this script looks much better and shows only hostnames that have been resolved:
root@bt:~# ./dodns.sh
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has address 216.200.241.66
michael.checkpoint.com has address 194.29.32.68
ns.checkpoint.com has address 194.29.32.199
root@bt:~#
To get a clean list of IPs, you can perform further text manipulation on this output. Cut the list and show only the IP address field:
#!/bin/bash
# Field 4 of "<name> has address <ip>" is the IP address
for name in $(cat dns-names.txt); do
    host "$name.checkpoint.com" | grep "has address" | cut -d" " -f4
done
The output is now limited to a list of IP addresses:
root@bt:~# ./dodns.sh
216.200.241.66

194.29.32.68
194.29.32.68
root@bt:~#
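
The same sweep seen from the DNS server's side, as an added example that is not part of the original post: a wordlist run leaves one client with many distinct NXDOMAIN answers for names under a single zone in a short time. The log format, the example.com zone, the client addresses, the window and the threshold are all assumptions constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original post): spot wordlist-style forward
# lookups in a DNS query log by counting distinct NXDOMAIN names per client.
# Assumed, constructed log format: "<epoch> <client-ip> <qname> <rcode>"

# detect_sweep ZONE WINDOW_SECONDS THRESHOLD   (log lines on stdin)
# Prints "<client> <count>" for every client that got NXDOMAIN for at least
# THRESHOLD distinct names under ZONE inside one fixed WINDOW_SECONDS bucket.
# Fixed buckets keep the code short; a sweep that straddles a bucket boundary
# is split across two buckets, so choose the threshold with that in mind.
detect_sweep() {
  awk -v zone="$1" -v win="$2" -v thr="$3" '
    $4 == "NXDOMAIN" {
      q = tolower($3); sub(/\.$/, "", q)          # normalise case, trailing dot
      suffix = "." zone
      if (length(q) <= length(suffix)) next       # not a name under the zone
      if (substr(q, length(q) - length(suffix) + 1) != suffix) next
      bucket = int($1 / win)
      if ((($2, bucket, q) in seen)) next         # repeat of the same name
      seen[$2, bucket, q] = 1
      n = ++count[$2, bucket]
      if (n > max[$2]) max[$2] = n                # best bucket per client
    }
    END { for (c in max) if (max[c] >= thr) print c, max[c] }
  ' | sort
}

# Constructed sample log: 192.0.2.10 walks a name list, 198.51.100.7 makes a typo.
sample_log() {
  cat <<'EOF'
1700000000 192.0.2.10 www.example.com NOERROR
1700000001 192.0.2.10 firewall.example.com NXDOMAIN
1700000001 192.0.2.10 cisco.example.com NXDOMAIN
1700000002 192.0.2.10 checkpoint.example.com NXDOMAIN
1700000002 192.0.2.10 proxy.example.com NXDOMAIN
1700000003 192.0.2.10 dns.example.com NXDOMAIN
1700000003 192.0.2.10 DNS.example.com. NXDOMAIN
1700000040 198.51.100.7 wwww.example.com NXDOMAIN
1700000041 198.51.100.7 www.example.com NOERROR
EOF
}

sample_log | detect_sweep example.com 60 5   # prints: 192.0.2.10 5
```

Counting distinct names rather than raw responses keeps a client that retries one mistyped name from being flagged.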
