
How to do & What is a DNS Zone Transfer DIG NSLOOKUP HOST Linux Windows axfr

What is a DNS Zone Transfer?

A DNS zone transfer is not in itself a type of attack; it is a type of enumeration. It's an information-gathering method that facilitates later attacks. In 'normal' circumstances, a DNS zone transfer is used to copy the zone file (a copy of all DNS names in a zone) from a master DNS server to a slave DNS server.

How can this be abused?

When a DNS server is misconfigured, not only an authorized slave DNS server can request a copy of the zone file; anyone who asks will receive one. Basically, you're asking the DNS server to hand over all the information it has on a given domain. This includes the names, addresses and functions of all servers within the domain. Check out the awesome post by Zonetransfer.me for a detailed example of what information can be retrieved via a zone transfer and how this information can facilitate your hacking.

Linux DNS Zone Transfers:

host -t axfr domain.name dns-server

To find the DNS servers to ask, first list the nameservers of the domain:

host -t ns zonetransfer.me | cut -d " " -f 4

Let's break down the above command:

  • host (DNS lookup utility built into Kali)
  • -t ns (specifies the query type: NS, i.e. nameserver records)
  • zonetransfer.me (the domain whose nameservers you are trying to identify)
  • | cut -d " " -f 4 (pipes the result of the host command into cut, which keeps the 4th space-delimited field)

Once you have identified the DNS servers for a domain, you can try a zone transfer against each of them.

host -l zonetransfer.me nsztm1.digi.ninja

  • host (DNS lookup utility built into Kali)
  • -l (list mode: attempts a zone transfer, i.e. an AXFR query)
  • zonetransfer.me (the target domain)
  • nsztm1.digi.ninja (one of the DNS servers you identified in step 1)

The same transfer with dig:

dig axfr @nsztm1.digi.ninja zonetransfer.me

; <<>> DiG 9.9.5-12.1-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "\; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes"
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"
email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me. 7200 IN A 74.125.206.26
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - [email protected]. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:[email protected]!" .
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200 IN TXT "() { :]}\; echo ShellShocked"
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'>"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600
;; Query time: 125 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Tue Mar 20 21:52:08 EDT 2018
;; XFR size: 48 records (messages 1, bytes 1875)

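Bash Shell:

#!/bin/bash
# Try a zone transfer against every nameserver of DOMAIN.
# You need to have dnsutils installed (provides dig).
DOMAIN="YOURDOMAIN.TLD"
# List the NS records, strip the trailing dot, and test each server in turn.
dig NS "$DOMAIN" +short | sed -e 's/\.$//' | while read -r nameserver; do
    echo "Testing $DOMAIN @ $nameserver"
    dig AXFR "$DOMAIN" "@$nameserver"
done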
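
An added example, not part of the original post: a shell helper for triaging saved `dig axfr` output from your own nameservers, reporting whether each server handed over the zone and which records reveal internal detail. The function names are hypothetical, and the sample input is constructed from a few records of the output shown above.

```bash
# Added example: triage saved `dig axfr` output from your own nameservers.
# Function names are hypothetical; the sample input below is constructed.

# Print "OPEN <n>" if the transfer completed (dig ends with an
# ";; XFR size: <n> records" trailer), otherwise "REFUSED".
axfr_status() {
  awk '/^;; XFR size:/ { print "OPEN", $4; found = 1 }
       END { if (!found) print "REFUSED" }'
}

# List records that tell an outsider more than public DNS needs to:
# loopback/RFC 1918 addresses, HINFO (hardware/OS) and free-text TXT.
axfr_findings() {
  awk '/^;/ || NF < 5 { next }
       $4 == "A" && $5 ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
         print "internal-address", $1, $5; next }
       $4 == "HINFO" { print "host-info", $1; next }
       $4 == "TXT"   { print "free-text", $1 }'
}

# $1 = nameserver label, stdin = dig output for that server.
audit_axfr() {
  out=$(cat)
  verdict=$(printf '%s\n' "$out" | axfr_status)
  echo "$1: $verdict"
  case $verdict in
    OPEN*) printf '%s\n' "$out" | axfr_findings | sed 's/^/  /' ;;
  esac
}

sample_open() {   # constructed: a few records in dig's output format
  cat <<'EOF'
; <<>> DiG 9.9.5-12.1-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
home.zonetransfer.me. 7200 IN A 127.0.0.1
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600
;; XFR size: 6 records (messages 1, bytes 300)
EOF
}

sample_refused() {   # constructed: what dig prints when AXFR is denied
  printf '%s\n' '; <<>> DiG 9.9.5-12.1-Debian <<>> axfr @ns.example.com example.com' \
                '; Transfer failed.'
}
sample_open    | audit_axfr nsztm1.digi.ninja
sample_refused | audit_axfr ns.example.com
```

Any nameserver reported as OPEN should have zone transfers restricted to its authorized secondary servers.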


Doing a DNS Zone Transfer in Windows:

Using the nslookup utility that is included with Windows, a DNS zone transfer can easily be tried out. All you need to do is enter the target DNS server and the domain you want to interrogate:

  • server ns.example.com (the target DNS server)
  • set type=any (to get all types of DNS records)
  • ls -d example.com (do the actual transfer)

C:\Users\Lode>nslookup
Default Server:  asse.dnscache01.telenet-ops.be
Address:  195.130.130.1

> server ns1.baddns.com
Default Server:  ns1.baddns.com
Address:  xxx.xxx.xxx.xxx

> set type=any
> ls -d example.com
 


This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the original post: here
