So, my plan was to use this blog to help keep me honest and committed to getting this certification under my belt. I’m not kidding, it’s tough. Sometimes things like this don’t always “fit” into real life. I’m doing my best and slowly crawling through the information, so I thought I would share a little piece. This time, my studying is really harping on DNS issues, so I thought I would touch on what I’m working on this week…
What is DNS? Lame you say? How else would I open this… -_-
DNS, or Domain Name System, is something that we all use every single day, often without realizing it. Basic networking teaches us that every network node has a unique address assigned much like your home address. In computer land, however, this address is a series of numbers used to identify you as a stop on the “map”. DNS does for us what our memories will not. We can ask DNS to help us find Google for example and it’s nice enough to look through the “phone book” and find out that Google is actually 18.104.22.168. I don’t know about you but if I had to remember that, I would never make it. Operating happily over port 53, DNS politely does this for us and asks for little in return.
Why am I rambling about this? To explain something called DNS Zone Transfers and why they are a thing. In many organizations there is a need for internal DNS servers to do things like map application servers, email, etc. DNS does a great job of telling everyone where they need to go. Now, any company worth its salt is going to care about disaster recovery and availability, so what if we throw another DNS server in there so the first one isn’t lonely or overworked? Now we have two independent DNS servers serving the same domain, but how do we know that they are reading from the same “phonebook”? This is where zone transfers become necessary. A DNS Zone Transfer is the process of synchronizing multiple DNS servers by way of a secondary server requesting a full information dump from the primary server. This is completely normal and allows fluid operation regardless of which DNS server you may be querying. Ok, so this is pretty weak so far… nothing exciting. Now put your black hat on. How sweet would it be if the company you are attacking would let you connect from the internet and ask their internal DNS for all of this information… and you got it? It’s very necessary for companies to restrict this procedure to known, trusted DNS hosts only and to never allow internet entities to ask for or receive this info. We are talking about “keys to the kingdom” stuff here, people. Full profiling of your entire network walking right out the door. Food for thought, good study topic. See below for a great example of a zone transfer from Microsoft.
This is wickedly useful in both the wrong hands and the right hands. Our thinking around things like this has to include the fact that, while we may be cognizant of our own operations, are we sure that normal maintenance tasks are being carried out how we think they are? For example, if you are used to seeing this zone transfer chatter on the network, is a recon mission that originated from some basement in Asia going to look weird enough to notice? Ok, maybe… hacker.cn is milking your DNS… I pray that it would be detected immediately; but what about the remote worker who is running drive-by malware and just did a zone transfer from an IP range that you trust? Are you still going to see your hacker on the other end? Are you even going to notice? -_-
DNS: TCP Length = 445 (0x1BD)
DNS: Query Identifier = 0 (0x0)
DNS: DNS Flags = Response, OpCode - Std Qry, RA Bits Set, RCode - No error
DNS: 1............... = Response
DNS: .0000........... = Standard Query
DNS: .....0.......... = Server not authority for domain
DNS: ......0......... = Message complete
DNS: .......0........ = Iterative query desired
DNS: ........1....... = Recursive queries supported by server
DNS: .........000.... = Reserved
DNS: ............0000 = No error
DNS: Question Entry Count = 1 (0x1)
DNS: Answer Entry Count = 16 (0x10)
DNS: Name Server Count = 0 (0x0)
DNS: Additional Records Count = 0 (0x0)
DNS: Question Section: domain.com. of type Req. for zn Xfer on class INET addr.
DNS: Question Name: domain.com.
DNS: Question Type = Request for zone transfer
DNS: Question Class = Internet address class
DNS: Answer section: . of type SOA on class INET addr.(16 records present)
DNS: Resource Record: domain.com. of type SOA on class INET addr.
DNS: Resource Name: domain.com.
DNS: Resource Type = Start of zone of authority
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 41 (0x29)
DNS: Primary Name Server: server.domain.com.
DNS: Responsible Authorative Mailbox: administrator.domain.com.
DNS: Version number = 26 (0x1A)
DNS: Refresh Interval = 300 (0x12C)
DNS: Retry interval = 120 (0x78)
DNS: Expiration Limit = 600 (0x258)
DNS: Minimum TTL = 86400 (0x15180)
DNS: Resource Record: domain.com. of type Host Addr on class INET addr.
DNS: Resource Name: domain.com.
DNS: Resource Type = Host Address
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 4 (0x4)
DNS: IP address = 22.214.171.124
DNS: Resource Record: domain.com. of type Auth. NS on class INET addr.
DNS: Resource Name: domain.com.
DNS: Resource Type = Authoritative Name Server
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 10 (0xA)
DNS: Authoritative Name Server: server.domain.com.
DNS: Resource Record: Dell.domain.com. of type Host Addr on class INET addr.
DNS: Resource Name: Dell.domain.com.
DNS: Resource Type = Host Address
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 4 (0x4)
DNS: IP address = 126.96.36.199
DNS: Resource Record: JH40PS.domain.com. of type Host Addr on class INET addr.
DNS: Resource Name: JH40PS.domain.com.
DNS: Resource Type = Host Address
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 4 (0x4)
DNS: IP address = 188.8.131.52
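The capture above is what a finished transfer looks like on the wire (a query of type AXFR answered with the SOA and then every record in the zone). To turn the "are you even going to notice" question into something that can run against logs, here is an added example of my own, not from the original post or any product, that scans BIND 9-style query-log lines for AXFR/IXFR requests and flags the two cases the post worries about: a transfer pulled from an outside address, and one pulled from a host inside a trusted range that is not a registered secondary; it also flags a repeat transfer of the same zone inside the SOA refresh interval (300 seconds in the capture above). The log lines, the registered secondary 10.0.0.54 and the trusted range 10.0.0.0/24 are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the shape of BIND 9 query-log lines; the "@0x..." client
# handle that newer versions print is optional in the pattern further down.
SAMPLE_LOG = """\
01-Mar-2024 02:00:01.101 client @0x7f1a 10.0.0.54#51022 (domain.com): query: domain.com IN SOA -T (10.0.0.53)
01-Mar-2024 02:00:01.220 client @0x7f1a 10.0.0.54#51023 (domain.com): query: domain.com IN AXFR -T (10.0.0.53)
01-Mar-2024 02:03:17.004 client @0x7f1b 203.0.113.7#40411 (domain.com): query: domain.com IN AXFR -T (10.0.0.53)
01-Mar-2024 02:04:02.550 client @0x7f1c 10.0.0.91#60012 (domain.com): query: domain.com IN AXFR -T (10.0.0.53)
01-Mar-2024 02:04:40.010 client @0x7f1c 10.0.0.91#60013 (domain.com): query: domain.com IN AXFR -T (10.0.0.53)
01-Mar-2024 02:05:00.300 client @0x7f1d 10.0.0.91#60014 (domain.com): query: www.domain.com IN A -ED (10.0.0.53)
"""
SECONDARIES = {"10.0.0.54"}                           # hosts allowed to pull the zone (constructed)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # a range we trust for other traffic (constructed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def detect_zone_transfers(log_text, secondaries, trusted_nets, refresh=300):
    """Return (client_ip, zone, reason) tuples for transfer requests worth a look."""
    alerts = []
    last_seen = {}  # (client, zone) -> time of that client's previous transfer
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] not in ("AXFR", "IXFR"):
            continue  # ordinary lookups and the SOA serial poll are not transfers
        ip, zone, qtype = m["ip"], m["qname"].rstrip("."), m["qtype"]
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        if ip not in secondaries:
            # Two cases from the post: an outside host, and a host inside a range
            # we trust that still has no business pulling the whole zone.
            inside = any(ipaddress.ip_address(ip) in net for net in trusted_nets)
            where = "inside a trusted range" if inside else "from an untrusted network"
            alerts.append((ip, zone, f"{qtype} by a non-secondary {where}"))
        key = (ip, zone)
        if key in last_seen and (ts - last_seen[key]).total_seconds() < refresh:
            # A real secondary polls the SOA once per refresh interval and pulls only
            # when the serial changed; a second pull inside that window is unusual.
            alerts.append((ip, zone, f"repeat {qtype} within the {refresh}s refresh interval"))
        last_seen[key] = ts
    return alerts

if __name__ == "__main__":
    for ip, zone, reason in detect_zone_transfers(SAMPLE_LOG, SECONDARIES, TRUSTED_NETS):
        print(f"{ip:>15}  {zone:<12} {reason}")
```

Point it at your own query log (BIND's queries logging category, or any log you can map onto the same fields) and swap in the real list of secondaries; anything the function returns is a transfer your trusted-host list did not account for.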