Posted on

Complete guide to DNSrecon

Hello, aspiring ethical hackers. This is a complete guide to dnsrecon tool. In our previous blogpost on DNS enumeration, you read what DNS is, what are the various types of DNS records, what is the information about the network can DNS enumeration reveal to a pen tester or a Black Hat Hacker. DNSrecon is one such tool used for enumerating DNS.

DNSrecon is written by Carlos Perez. He wrote it initially in Ruby to learn about that programming language and about DNS way back in 2007. As time passed by, he wanted to learn python and he posted dnsrecon tool to python.

The features of DNSrecon tool are,

  1. Checks all NS Records for Zone Transfers.
  2. Enumerates general DNS Records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  3. Performs common SRV Record enumeration.
  4. Top Level Domain (TLD) expansion.
  5. Checks for Wildcard resolution.
  6. Brute forces subdomains and host A and AAAA records given in a domain and a wordlist.
  7. Performs PTR record lookup for a given IP Range or CIDR.
  8. Checks a DNS server’s cached records for A, AAAA and CNAME.
  9. Records provided a list of host records in a text file to check.

Let’s see how to enumerate DNS with DNSrecon. DNSrecon is installed by default in Kali Linux. To use DNSrecon, all we have to do is use the command below.

dnsenum -d <domain>

–name_server (-n)

By default, DNSrecon will use SOA of the target server to enumerate DNS. You can use a different server, you can use it using this option.

-a

This option is used to do a zone transfer along with standard enumeration performed above.

As expected it failed.

-y, -b, -k

Similarly, you can perform yandex (-y), bing(-b), crt.sh (-k) enumeration along with standard enumeration.

-w

This option is used to perform deep whois record analysis and reverse lookup of IP ranges found when doing standard enumeration.

-z

This option is used to perform a DNSSEC zone walk along with standard enumeration.

–dictionary (-d)

This option is used to use a dictionary file containing subdomains and hostnames to use for brute force.

–range (-r)

Specify a IP range to perform reverse lookup.

–type (-t)

This option is used to perform a specific type of enumeration only. The various possible types of enumeration that can be performed using dnsrecon are,

  • Std: all SOA, NS, A, AAAA, MX and SRV.
  • rvl: reverse lookup
  • brt: brute force using a given dictionary
  • srv: SRV records.
  • axfr: zone transfer from NS server.
  • bing: Bing search for hosts and subdomains.
  • Yand: Yandex search for hosts and subdomains.
  • Crt: crt.sh enumeration for subdomains and hosts.
  • Snoop: cache snooping argument at NS server.
  • tld: test against all TLD’s registered with IANA.
  • Zonewalk: perform DNS sec Zone using NSEC records.

Saving results

You can save the results of the found records to a database (-db), XML (-X), CSV (-c) and Json(-j) files.

–lifetime

This option is used to set the time the tool has to wait until the target server responds. The default time is 3 seconds.

–threads

This option is useful to specify the number of threads to be used while performing reverse lookup, forward lookup, brute force and SRV record enumeration.

That’s all about DNSrecon.

Posted on

Complete guide to DNSenum

Hello, aspiring ethical hackers. In the previous blogpost on DNS enumeration, you learnt what DNS service is used for, different types of records it has, what information can DNS enumeration reveal to hackers or pentesters. In this blogpost you will learn about a tool named DNSenum that can be used to enumerate DNS. DNSenum is a multithreaded perl script that is used to gather information from target DNS servers.

The features of DNSenum are,

  1. Get the host’s address (A record).
  2. Get the nameservers (NS).
  3. Get the MX record (MX).
  4. Perform axfr queries on nameservers and get BIND VERSION.
  5. Get extra names and subdomains via google scraping (google query = “-www site:domain”).
  6. Brute force subdomains from file, can also perform recursion on subdomain that have NS records.
  7. Calculate C class domain network ranges and perform whois queries on them.
  8. Perform reverse lookups on netranges (C class or/and whois netranges).

Let’s see how to perform DNS enumeration with DNSenum. DNSenum is included by default in Kali Linux. If you want to enumerate a domain with DNSenum. all you have to do is supply a domain name as shown below.

dnsenum <domain>

When run in default mode, DNSnum first enumerates the host address, then the name servers, then MX records, ACFR queries, extra names and subdomains via google scraping, brute forces subdomains from them, calculates the class C IP network ranges from the results and performs whois queries on them and performs reverse lookup on these IP addresses.

–dnsserver

In some cases, the result from the enumeration can vary depending on the server that is queried. Using DNSenum, we can perform a query by using another DNS server as shown below.

When you first use dnsenum on a domain to perform enumeration, you will notice that there will be a considerable delay at some stages. The delay occurs while dnsenum is brute forcing the subdomain names and then while performing reverse lookup on the IP address range.

While brute forcing the subdomain names, there is a delay because the file used by DNSenum (“/usr/share/dnsenum/dns.txt”) has over 1506 entries. So, until the tool checks all the entries, there will definitely be a delay. Can we reduce this data? Yes, by using another file instead of the default one. For example, we can create our own “dns.txt” file with entries of subdomains gathered from other type of enumeration.

–file(f)

We can specify this custom file with the (-f) option as shown below.

–subfile

We can also save the output of subdomain brute forcing in a file using the subfile option as shown below.

–noreverse

Coming to reverse lookup, while performing reverse lookup on 512 IP addresses (in this case) definitely takes time. But don’t worry. We can skip the reverse lookup by using the normal option.

–private

This option enumerates and saves the private IP addresses of a domain in the file named <domain_name>_ips.txt.

–timeout (-t)

The default timeout option of TCP queries and UDP queries for dnsenum is 10 seconds. The timeout option allows us to change it.

–threads (va)

This option is used to specify the number of threads to perform different queries.

–verbose (-v)

You already know what this option does. It reveals more information. See the differences.

–scrape (-s)

Used to specify the number of subdomains to be scraped from Google.

Here’s the result.

–page (-p)

While scraping the subdomain with dnsenum above, you should have noticed that it queries Google search pages for subdomains related to the domain. By default, it is 20 pages. Using this option, it can be changed. For example, lets set it to 10.

–recursion (-r)

This option can be used to perform recursion on subdomain gathering.

–whois (-w)

As you might have expected, this option is used to perform whois queries on class C network ranges. It can be time consuming. Use wisely. Learn what is whois footpriting.

–delay (-d)

This option is used to specify the maximum delay between each whois query. The default delay is 3 seconds.

That’s all about DNSenum.

Posted on

Beginners guide to footprinting websites: Part 2

Hello aspiring ethical hackers. In Part-1 of website footprinting, you learnt how to gather information about a website by using methods like grabbing banners, directory scanning and spidering. In this Part-2, you will learn about some more techniques for footprinting websites.

4. Website mirroring

Either you are directory scanning or spidering, you are sending a lot of requests to the website (especially if the website is very large) which may raise suspicions or on the target side or you will be blocked. What if there was an effective workaround for this. Actually, there is. Instead of sending requests to the target website, we can download the entire website to your local device. This is known as website mirroring. For example, let’s mirror a website using wget as shown below.

5. Footprinting websites using online services

A website is constantly updated. The information that is displayed on the website last year may not be there today. What if there was a way to go back in time to view the past versions of a website for gathering information. Actually, there is a way for this. By using the website archive.org. Archive.org collects the snapshot of the website at different points in time from the time the website existed and stores it. So, you can go there and view how the website looked 10 years back ago or three years ago. For example, this is how our website looked way back in 2018.

Better, you can constantly monitor the updates being made to the websites using a website known as website watcher.

Website watcher automatically checks webpages for any updates and changes.

Posted on

Beginners guide to Cloud security

Hello, aspiring ethical hackers. In this blogpost, you will learn about cloud security. Before you learn about cloud security, you need to have a basic idea about what is cloud computing or cloud. Let me give you an example. Have you ever used Gmail or any other email service? What do you do to check your email? You open a browser or email client and go to the URL of the email service, enter your credentials and finally read your mails or start composing an email. Have you ever thought where all the mails are stored? Definitely not on your own system. They are stored elsewhere. Well, this is exactly how cloud computing works.

What is cloud computing?

Cloud computing is providing of computer system resources like data storage, computing power, networking, servers and software etc over the internet on demand.

Types of Cloud computing

Services in cloud can be provided as per anyone’s need with customization. However, there are three models of cloud computing that are generally preferred.

1. Infrastructure as a Service (IaaS):

In this model of cloud service, customers rent the building blocks of computing like servers (physical or virtual), storage and networking. It is usually rented by those organizations which want to have complete control over their cloud. The needed software and applications are installed by the organization.

2. Platform as a Service (PaaS):

What if organization or users don’t have the technical know how about installing everything on their rented hardware on cloud. The PaaS model comes to their rescue. This model comes with the installation of required tools and software along with basic computing resources provided in IaaS. For example, imagine you want to rent a WAMP server on cloud. Along with the basic computing resources, it comes with a Windows 10 machine with WAMP server installed on it. You still have to create the websites to be hosted on the WAMP server.

3. Software as a service (SaaS):

The most popular cloud model, it provides just all the resources and software you need. For example, let’s just say you rented a WordPress website on cloud for you. All you have to do is login into the WordPress website on your browser and upload blogposts. Rest all the cloud provider takes care for you.

What is Cloud Security?

Cloud security is the concept of providing security to the cloud-based systems from all the usual threats and dangers of cyber security. Cloud security is the responsibility of both the cloud service provider and the end user.

What are some cloud security threats?

Systems in cloud are vulnerable to all threats usual networks do like zero-day-vulnerabilities, DoS, phishing and malware etc.

Posted on

Beginners guide to Bluetooth hacking

Hello, aspiring ethical hackers. In this blogpost, you can learn about Bluetooth hacking. Bluetooth is a short-range wireless technology standard used for exchange of data between devices.

Bluetooth is mainly used as an alternative to exchange of data using wires. The range of Bluetooth is very short may be over 10 meters.

What is Bluetooth hacking?

Exploitation of vulnerabilities in Bluetooth technology standard to hack Bluetooth enabled devices is known as Bluetooth hacking.

Modes of Bluetooth

A Bluetooth device can be set in two modes. Discoverable and Non-Discoverable.

  1. Discoverable: In discoverable mode, the Bluetooth device is visible to other Bluetooth enables devices.
  2. Non-discoverable: As you should have guessed by now, in this mode, the device is not visible to other Bluetooth enabled devices.

Pairing modes

Similarly, Bluetooth has two pairing modes. They are Pairable mode and Non-pairable mode.

  1. Pairable mode: In this mode, the Bluetooth device accepts the pairing request upon requested.
  2. Non-pairable mode: In non-pairable mode, the Bluetooth device rejects the pairing attempt.

Various Bluetooth based attacks

There are various Bluetooth based attacks. Some of them are,

1. Bluejacking:

Bluejacking is the attack in which an attacker can send messages to other users from the victim’s phone using Bluetooth.

2. Blue snarfing:

In this attack, an attacker can exploit Bluetooth to steal sensitive data from the target mobile phone.

3. Bluesmacking:

Similar to Ping of Death DoS attack, in this attack, attacker sends a oversized ping packet using Bluetooth to the victim’s device causing a buffer overflow attack.

4. Bluebugging:

In this attack, the attacker gains access to the target’s device using Bluetooth without target user being aware of it.

5. Blueprinting:

In this attack, the attacker tries to printout the data information of the target user’s mobile phone.

6. MAC spoofing attack:

: In this attack, just like any MAC spoofing attack, the attacker spoofs the MAC address of the target user’s mobile phones.

7. Man in the Middle (MitM) attack:

The attacker places himself between two Bluetooth devices.

Impact of Bluetooth hacking

Bluetooth attacks can lead to various threats. These include,.

  1. Leak of calendars and address book.
  2. Sending spurious SMS messages.
  3. Bugging devices.
  4. Sending premium messages.
  5. Social engineering
  6. Installing malicious code