Category: Enumeration

Posted on by

Complete guide to DNSrecon

Hello, aspiring ethical hackers. This is a complete guide to dnsrecon tool. In our previous blogpost on DNS enumeration, you read what DNS is, what are the various types of DNS records, what is the information about the network can DNS enumeration reveal to a pen tester or a Black Hat Hacker. DNSrecon is one such tool used for enumerating DNS.

DNSrecon is written by Carlos Perez. He wrote it initially in Ruby to learn about that programming language and about DNS way back in 2007. As time passed by, he wanted to learn python and he posted dnsrecon tool to python.

The features of DNSrecon tool are,

  1. Checks all NS Records for Zone Transfers.
  2. Enumerates general DNS Records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  3. Performs common SRV Record enumeration.
  4. Top Level Domain (TLD) expansion.
  5. Checks for Wildcard resolution.
  6. Brute forces subdomains and host A and AAAA records given in a domain and a wordlist.
  7. Performs PTR record lookup for a given IP Range or CIDR.
  8. Checks a DNS server’s cached records for A, AAAA and CNAME.
  9. Records provided a list of host records in a text file to check.

Let’s see how to enumerate DNS with DNSrecon. DNSrecon is installed by default in Kali Linux. To use DNSrecon, all we have to do is use the command below.

dnsenum -d <domain>

–name_server (-n)

By default, DNSrecon will use SOA of the target server to enumerate DNS. You can use a different server, you can use it using this option.

-a

This option is used to do a zone transfer along with standard enumeration performed above.

As expected it failed.

-y, -b, -k

Similarly, you can perform yandex (-y), bing(-b), crt.sh (-k) enumeration along with standard enumeration.

-w

This option is used to perform deep whois record analysis and reverse lookup of IP ranges found when doing standard enumeration.

-z

This option is used to perform a DNSSEC zone walk along with standard enumeration.

–dictionary (-d)

This option is used to use a dictionary file containing subdomains and hostnames to use for brute force.

–range (-r)

Specify a IP range to perform reverse lookup.

–type (-t)

This option is used to perform a specific type of enumeration only. The various possible types of enumeration that can be performed using dnsrecon are,

  • Std: all SOA, NS, A, AAAA, MX and SRV.
  • rvl: reverse lookup
  • brt: brute force using a given dictionary
  • srv: SRV records.
  • axfr: zone transfer from NS server.
  • bing: Bing search for hosts and subdomains.
  • Yand: Yandex search for hosts and subdomains.
  • Crt: crt.sh enumeration for subdomains and hosts.
  • Snoop: cache snooping argument at NS server.
  • tld: test against all TLD’s registered with IANA.
  • Zonewalk: perform DNS sec Zone using NSEC records.

Saving results

You can save the results of the found records to a database (-db), XML (-X), CSV (-c) and Json(-j) files.

–lifetime

This option is used to set the time the tool has to wait until the target server responds. The default time is 3 seconds.

–threads

This option is useful to specify the number of threads to be used while performing reverse lookup, forward lookup, brute force and SRV record enumeration.

That’s all about DNSrecon.

Posted on by

Complete guide to DNSenum

Hello, aspiring ethical hackers. In the previous blogpost on DNS enumeration, you learnt what DNS service is used for, different types of records it has, what information can DNS enumeration reveal to hackers or pentesters. In this blogpost you will learn about a tool named DNSenum that can be used to enumerate DNS. DNSenum is a multithreaded perl script that is used to gather information from target DNS servers.

The features of DNSenum are,

  1. Get the host’s address (A record).
  2. Get the nameservers (NS).
  3. Get the MX record (MX).
  4. Perform axfr queries on nameservers and get BIND VERSION.
  5. Get extra names and subdomains via google scraping (google query = “-www site:domain”).
  6. Brute force subdomains from file, can also perform recursion on subdomain that have NS records.
  7. Calculate C class domain network ranges and perform whois queries on them.
  8. Perform reverse lookups on netranges (C class or/and whois netranges).

Let’s see how to perform DNS enumeration with DNSenum. DNSenum is included by default in Kali Linux. If you want to enumerate a domain with DNSenum. all you have to do is supply a domain name as shown below.

dnsenum <domain>

When run in default mode, DNSnum first enumerates the host address, then the name servers, then MX records, ACFR queries, extra names and subdomains via google scraping, brute forces subdomains from them, calculates the class C IP network ranges from the results and performs whois queries on them and performs reverse lookup on these IP addresses.

–dnsserver

In some cases, the result from the enumeration can vary depending on the server that is queried. Using DNSenum, we can perform a query by using another DNS server as shown below.

When you first use dnsenum on a domain to perform enumeration, you will notice that there will be a considerable delay at some stages. The delay occurs while dnsenum is brute forcing the subdomain names and then while performing reverse lookup on the IP address range.

While brute forcing the subdomain names, there is a delay because the file used by DNSenum (“/usr/share/dnsenum/dns.txt”) has over 1506 entries. So, until the tool checks all the entries, there will definitely be a delay. Can we reduce this data? Yes, by using another file instead of the default one. For example, we can create our own “dns.txt” file with entries of subdomains gathered from other type of enumeration.

–file(f)

We can specify this custom file with the (-f) option as shown below.

–subfile

We can also save the output of subdomain brute forcing in a file using the subfile option as shown below.

–noreverse

Coming to reverse lookup, while performing reverse lookup on 512 IP addresses (in this case) definitely takes time. But don’t worry. We can skip the reverse lookup by using the normal option.

–private

This option enumerates and saves the private IP addresses of a domain in the file named <domain_name>_ips.txt.

–timeout (-t)

The default timeout option of TCP queries and UDP queries for dnsenum is 10 seconds. The timeout option allows us to change it.

–threads (va)

This option is used to specify the number of threads to perform different queries.

–verbose (-v)

You already know what this option does. It reveals more information. See the differences.

–scrape (-s)

Used to specify the number of subdomains to be scraped from Google.

Here’s the result.

–page (-p)

While scraping the subdomain with dnsenum above, you should have noticed that it queries Google search pages for subdomains related to the domain. By default, it is 20 pages. Using this option, it can be changed. For example, lets set it to 10.

–recursion (-r)

This option can be used to perform recursion on subdomain gathering.

–whois (-w)

As you might have expected, this option is used to perform whois queries on class C network ranges. It can be time consuming. Use wisely. Learn what is whois footpriting.

–delay (-d)

This option is used to specify the maximum delay between each whois query. The default delay is 3 seconds.

That’s all about DNSenum.

Posted on by

LDAP enumeration for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you learnt what is enumeration, why it is important in pen testing and what are the various types of enumeration. In this blogpost, you will learn about LDAP enumeration.

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is a protocol that enables users to locate data about the organization, users and other resources like files and devices in a network. LDAP is also used as a central server for authentication. LDAP runs on port 389. Learn how LDAP works.

What information does LDAP enumeration reveal?

By enumerating LDAP, attackers can gather important information like valid usernames, addresses and other data about organization that can help as the hack progresses.

How to perform LDAP enumeration?

There are many tools that can be used to enumerate LDAP. For this article, let’s see how to perform it using a Nmap script. The script we use is “ldap and not brute”.

Posted on by

SNMP enumeration for beginners

Hello aspiring Ethical Hackers. In our previous blogpost, you learnt what is enumeration, why it is important and various types of enumeration. In this blogpost, you will learn about SNMP enumeration.

What is SNMP?

SNMP stands for Simple Network Management Protocol. It is a protocol that is used to monitor devices in the network. These devices include routers, switches, bridges, computers and printers etc. This protocol really helpful for organizations with thousands of devices in is network. Learn more about how SNMP works. SNMP contains 3 main components. They are SNMP manager, SNMP agent and Management Information Base (MIB). SNMP runs on UDP ports 161,162.

What information does SNMP enumeration reveal?

SNMP enumeration can reveal information about all the devices on the target network and user accounts on the target system with SNMP server running. Apart from this, SNMP enumeration reveals information about hosts, routers, network information, network interfaces, active TCP and UDP ports on the target system, services running on the network and network shares etc.

How to perform SNMP enumeration?

Simple Network Management Protocol (SNMP) consists of a manager and an agent. Agents are embedded on each and every network device and the manager is installed on a separate computer. SNMP consists of two passwords that are used to access and configure the SNMP agents from the management station. They are, Read community string, Read/write community string.

  1. Read community string: By default Public, it allows attackers to view device/system configuration.
  2. Read/write: It is private by default and allows remote editing of configuration.

Tools use these default community strings to extract information about the target. There are many tools that can be used to perform SNMP enumeration. Let’s see one of them.

1. snmp-check

SNMP-check is a tool that is installed by default in Kali Linux. Here’s how we can enumerate the default community string of “public” of SNMP.

Here are the user accounts on the target system.

Here the network information is revealed.

We can see that the target is a Dual-homed system.

Here are the active TCP and UDP ports.

It also reveals other system information about the target.

You can see that SNMP enumeration reveals a lot of information about the target system and network which can prove very helpful as the hack progresses.

Posted on by

NetBIOS enumeration for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you learnt what is Enumeration, what are its uses, why it is used and types of enumeration. In this blogpost, you will learn about NetBIOS enumeration.

What is NetBIOS service?

NetBIOS stands for Network Basic Input/Output System. It is used to allow applications and programs on separate computers to communicate with each other and establish sessions. This can be used to access shared resources.

NetBIOS can be used to provide three distinct services. They are NetBIOS Name Service, (NetBIOS-NS), NetBIOS Datagram distribution services (NetBIOS-DGM) and NetBIOS Session service (NetBIOS-SSN). These services run on ports 137,138 and 139 respectively.

What information does NetBIOS enumeration reveal?

It can provide information such as list of computers belonging to a particular domain, list of shares on target systems and sometimes even policies and passwords etc.

How to perform NetBIOS enumeration?

There are many tools that can be used to perform NetBIOS enumeration. Let’s see some of them.

1. nmblookup

The nmblookup command in Linux allows users to query NetBIOS names and maps them to IP addresses in a network using NetBIOS over TCP/IP queries.

netbios_enumeration_1

2. NBTscan

NBTscan is a program that is used to scan IP networks for NetBIOS name information. It works by sending a NetBIOS status query to target system and lists received information in human readable form.