6. DNS

I. DNS Basics

  • Function: Translates domain names to IP addresses.

  • Ports:

    • UDP/53 (default)

    • TCP/53 (for zone transfers and large packets)

  • Importance: Critical for network applications.

  • Attack Vectors:

    • DNS zone transfers.

    • Domain/subdomain takeovers.

    • DNS spoofing/cache poisoning.

II. Enumeration

  • Nmap:

nmap -p53 -Pn -sV -sC <target_IP>

III. DNS Zone Transfers

  • Function: Copies DNS zone data between servers.

  • Vulnerability: Misconfigurations allow unauthorized transfers.

  • Tools:

dig AXFR @<nameserver> <domain>
fierce --domain <domain>
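Added mitigation example (not from these notes): a BIND 9 `named.conf` fragment showing the misconfiguration that makes `dig AXFR` succeed for any client, beside the restricted form. The secondary's IP, the key name and the secret are placeholders; a real secret is generated with `tsig-keygen`. The two zone stanzas are before/after alternatives, not meant to coexist in one file.

```conf
// WEAK: any host that can reach TCP/53 can pull the whole zone with `dig AXFR`.
zone "example.com" {
    type primary;                 // `type master;` on older BIND releases
    file "example.com.zone";
    allow-transfer { any; };
};

// HARDENED: only the authenticated secondary may transfer.
// Placeholder key; generate a real one with `tsig-keygen xfer-key`.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-FROM-TSIG-KEYGEN";   // placeholder
};

server 192.0.2.2 {                // placeholder: the secondary's address
    keys { "xfer-key"; };
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };   // signed requests only
    also-notify { 192.0.2.2; };
};
```

After reloading, `dig AXFR @<nameserver> <domain>` from a host without the key should end with "Transfer failed." instead of listing the zone; that is the quickest regression check for the fix.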

IV. Domain/Subdomain Takeovers

  • Domain Takeover: Registering expired domains.

  • Subdomain Takeover: Claiming subdomains pointing to expired services (via CNAME records).

  • Subdomain Enumeration Tools:

./subfinder -d <domain> -v
# Sublist3r can be used similarly.
git clone https://github.com/TheRook/subbrute.git
cd subbrute
echo "<nameserver>" > ./resolvers.txt
./subbrute <domain> -s ./names.txt -r ./resolvers.txt

  • CNAME Record Enumeration:

host <subdomain>
nslookup <subdomain>

  • Subdomain Takeover Verification:

    • Check for "NoSuchBucket" errors (AWS S3).

    • Use can-i-take-over-xyz repository.
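Added example (not part of these notes): a small Python audit that flags dangling CNAME records in a zone export, the defender-side check for the takeover condition described above. The records and the resolver answers are constructed so the script runs offline; `sample_resolver` is a stand-in for a real lookup (dnspython or a `dig` wrapper) and returns None for NXDOMAIN.

```python
# Dangling-CNAME audit. The resolver is injected so this runs offline against
# constructed data; swap in a real lookup (dnspython, or subprocess + dig) to
# audit a live zone export.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records in `dig +noall +answer` / zone-file layout:
# owner  TTL  class  type  rdata.  All names and targets are made up.
SAMPLE_RECORDS = """
example.com.           300 IN A      192.0.2.10
www.example.com.       300 IN CNAME  example.com.
blog.example.com.      300 IN CNAME  old-blog.saas-provider.invalid.
shop.example.com.      300 IN CNAME  shop-tenant.saas-provider.invalid.
; comment line, as found in zone files
"""

# Constructed answers for the targets above. None = NXDOMAIN (the target no
# longer exists, so whoever can register it at the provider controls our
# subdomain); an empty list would mean NOERROR with no A record (not dangling).
SAMPLE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "example.com.": ["192.0.2.10"],
    "shop-tenant.saas-provider.invalid.": ["198.51.100.7"],
    # old-blog.saas-provider.invalid. is deliberately absent -> NXDOMAIN
}

Resolver = Callable[[str], Optional[List[str]]]


def sample_resolver(name: str) -> Optional[List[str]]:
    """Offline stand-in for a real lookup; None means NXDOMAIN."""
    return SAMPLE_ANSWERS.get(name)


def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) for each record line; skip blanks/comments."""
    out: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        if len(fields) < i + 3:  # need a type and rdata after the class
            continue
        out.append((fields[0], fields[i + 1], " ".join(fields[i + 2:])))
    return out


def find_dangling_cnames(text: str, resolve: Resolver) -> List[Tuple[str, str]]:
    """List (subdomain, target) pairs whose CNAME target returns NXDOMAIN."""
    dangling: List[Tuple[str, str]] = []
    for owner, rtype, rdata in parse_records(text):
        if rtype != "CNAME":
            continue
        target = rdata if rdata.endswith(".") else rdata + "."
        if resolve(target) is None:
            dangling.append((owner, target))
    return dangling


if __name__ == "__main__":
    for sub, tgt in find_dangling_cnames(SAMPLE_RECORDS, sample_resolver):
        print(f"DANGLING: {sub} -> {tgt} (target is NXDOMAIN; remove or re-point the CNAME)")
```

Only NXDOMAIN targets are reported; a target that exists but has no address (NOERROR/NODATA) is not a takeover candidate, which is why the resolver distinguishes None from an empty answer. Running this against each zone after decommissioning a third-party service catches exactly the forgotten records that section VI describes.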

V. DNS Spoofing/Cache Poisoning

  • Function: Injecting false DNS records.

  • Methods:

    • Man-in-the-Middle (MITM) attacks.

    • Exploiting DNS server vulnerabilities.

  • Local DNS Cache Poisoning (MITM):

# Ettercap Setup:
# 1. Edit /etc/ettercap/etter.dns and add spoofed domain/IP.
# 2. Start Ettercap, scan hosts.
# 3. Add target IP to Target1, gateway IP to Target2.
# 4. Enable dns_spoof plugin.

# Bettercap can also be used for similar purposes.

VI. Latest DNS Vulnerabilities

  • Subdomain Takeover (CNAME Records):

    • Exploiting forgotten CNAME records pointing to expired third-party services.

    • Risks: Phishing, cookie stealing, CSRF, CORS abuse, CSP bypass.

Key Commands Summary

  • Nmap:

nmap -p53 -Pn -sV -sC <target_IP>

  • dig:

dig AXFR @<nameserver> <domain>

  • Fierce:

fierce --domain <domain>

  • Subfinder:

./subfinder -d <domain> -v

  • Subbrute:

./subbrute <domain> -s ./names.txt -r ./resolvers.txt

  • host:

host <subdomain>

  • nslookup:

nslookup <subdomain>

  • Ettercap:

    • Edit /etc/ettercap/etter.dns.

    • Use Ettercap GUI (scan, targets, plugins).
