DNS Enumeration with Backtrack Tutorial
When it comes to penetration testing of web servers, the DNS server is always near the top of the list, because it is the core gateway between an enterprise's internal network and the wider internet. Information gathering, as we all know, is an important part of a penetration test, so gathering information about DNS matters as much as the DNS server itself. If an attacker can enumerate a DNS server, the results can be very damaging to the organisation whose information is stored there. In this tutorial we will look at several tools, and how to use them, for enumerating a DNS server in several ways. To begin, open a command shell in BackTrack and type cd /pentest/enumeration/dns

Then type ls and the list of DNS enumeration tools will appear. We will take a look at how each of them is used.

The first tool we will use is dnsenum. It is very easy to use: just type the command in the format perl dnsenum.pl followed by the domain to enumerate. It will generate results like those shown in the picture below. It provided us with the complete list of IPs used by the website, including the mail servers. The trick now is to extract the information we need for the later phases of the penetration test; for example, if you want to test the mail server you can telnet to it, footprint it and exploit it (this will be explained in upcoming tutorials).

The next tool we will use is dnswalk. It is also a very good enumeration tool and gives filtered information about the target. You can reach it with the cd dns command from the dns folder. The only difference in the input is that dnswalk requires the target name to end with a "." (a fully qualified name). We got the results shown here; as mentioned earlier, dnswalk only provides basic information such as the SOA server and warnings, so it is a partial enumeration tool.

The next tool we will dig into is called dnsrecon. You can find it in the dns folder; it is a tool written in Python. As you can see below, we have performed multiple operations with dnsrecon, which are explained next. You can retrieve the SRV records of the target and also query the SOA and other records. To retrieve SRV records, type the command ./dnsrecon.py -t srv -d <target name>. Here is how the result of the SRV records looks:

And here is how we query the SOA, NS and MX records of the servers, using the command ./dnsrecon.py -t std -d <target name>. Here is how the result looks:

Through DNS enumeration you can gather a lot of information about a target, and it can prove very helpful in a penetration test.
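To show what the tools above actually do on the wire, here is an added example (written for this tutorial, not code from dnsenum, dnswalk or dnsrecon) that builds a DNS query for the record types the tutorial enumerates (A, NS, SOA, MX, SRV), parses a response including RFC 1035 name compression, and lists every hostname the answers disclose, which is the inventory a zone owner should review to know what their zone publishes. The names, ports and SOA values in the sample response are constructed for the example and do not describe any real server; the trailing-dot normalisation mirrors what dnswalk expects of its input.

```python
import struct

# Record types the tutorial queries (dnsrecon -t std covers SOA/NS/MX, -t srv covers SRV)
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "SRV": 33}
TYPE_NAME = {v: k for k, v in QTYPE.items()}

def fqdn(name):
    """Normalise to a fully-qualified, lower-case name with a trailing dot (the form dnswalk insists on)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in fqdn(name).rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Build the UDP payload a tool like dnsrecon sends: header (RD set) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)

def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_rdata(msg, rtype, start, rdlen):
    """Decode the RDATA of the record types this tutorial enumerates."""
    if rtype == QTYPE["A"]:
        return ".".join(str(b) for b in msg[start:start + 4])
    if rtype == QTYPE["NS"]:
        return decode_name(msg, start)[0]
    if rtype == QTYPE["MX"]:
        pref = struct.unpack(">H", msg[start:start + 2])[0]
        return {"preference": pref, "exchange": decode_name(msg, start + 2)[0]}
    if rtype == QTYPE["SRV"]:
        prio, weight, port = struct.unpack(">HHH", msg[start:start + 6])
        return {"priority": prio, "weight": weight, "port": port, "target": decode_name(msg, start + 6)[0]}
    if rtype == QTYPE["SOA"]:
        mname, off = decode_name(msg, start)
        rname, off = decode_name(msg, off)
        serial, refresh, retry, expire, minimum = struct.unpack(">IIIII", msg[off:off + 20])
        return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                "retry": retry, "expire": expire, "minimum": minimum}
    return msg[start:start + rdlen].hex()          # unknown type: keep the raw bytes

def parse_response(msg):
    """Parse a DNS response into its answer records (authority and additional sections are skipped)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        records.append({"name": name, "type": TYPE_NAME.get(rtype, str(rtype)), "ttl": ttl,
                        "data": parse_rdata(msg, rtype, offset, rdlen)})
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "records": records}

def revealed_hosts(records):
    """Every hostname the answers disclose: the inventory a zone owner should review."""
    hosts = set()
    for r in records:
        d = r["data"]
        if r["type"] == "NS":
            hosts.add(d)
        elif r["type"] in ("MX", "SRV", "SOA"):
            hosts.add(d.get("exchange") or d.get("target") or d.get("mname"))
    return hosts

def sample_response():
    """Constructed response for example.com (not captured from any real server) with MX, SRV and SOA answers."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR+RD+RA, 1 question, 3 answers
    question = build_query("example.com", "MX")[12:]
    ptr = b"\xc0\x0c"                                              # pointer to the question name at offset 12
    mx_rdata = struct.pack(">H", 10) + encode_name("mail.example.com")
    mx = ptr + struct.pack(">HHIH", 15, 1, 3600, len(mx_rdata)) + mx_rdata
    srv_rdata = struct.pack(">HHH", 0, 5, 389) + b"\x02dc" + ptr   # target dc.example.com via pointer
    srv = b"\x05_ldap\x04_tcp" + ptr + struct.pack(">HHIH", 33, 1, 600, len(srv_rdata)) + srv_rdata
    soa_rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
                 + struct.pack(">IIIII", 2024010101, 7200, 3600, 1209600, 300))
    soa = ptr + struct.pack(">HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    return header + question + mx + srv + soa

if __name__ == "__main__":
    answers = parse_response(sample_response())["records"]
    for rec in answers:
        print(rec["type"], rec["name"], rec["data"])
    print("hosts revealed:", sorted(revealed_hosts(answers)))
```

build_query produces exactly the bytes a resolver expects on UDP port 53, so sending it with socket.sendto to a resolver you operate and feeding the reply to parse_response gives real records; the tutorial's tools do the same thing in bulk, which is why reviewing revealed_hosts against your own zone is a cheap check of what it is telling the world.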