Interaction with a DNS server can be done by using programs like dig,nslookup etc.
nslookup is a very useful tool which can be used for forwarding dns requests to and from a dns server.
I have chosen to use “checkpoint.com” as the site on which commands like nslookup can be used upon. The choice of site is based on no malicious intent.read more
As usual i`m using backtrack for this exercise. At the bash prompt, i type,
# nslookup
> checkpoint.com
OR
nslookup checkpoint.com
setting the type to mx or ns can cause nslookup to look for mail servers or nameservers of a particular organisation respectively.
# nslookup
> set type=mx
> checkpoint.com
> set type=ns
> checkpoint.com
however information gathering using DNS can also be grouped into 3 main techniques:-
1. forward lookup brute force
the working principle is the guessing of server names of an organisation. it can be found out whether a particular server exists by trying to resolve the given name using the whois command. if the command gives an IP address, then the server exists or else gives a “host not found error”
we could make a list having the most commonly used server names. a few are listed below. we put theses names into a file(say myguesses.txt)
the contents of the file are:-
www
www1
www2
firewall
cisco
checkpoint
smtp
pop3
dns
ns
now we write a small bash script to perform a host lookup on all of the servers in the file above.
#!/bin/bash
for name in $(cat myguesses.txt);do
host $name.checkpoint.com
done
try executing the script. the output shows us that many of our uesses have gone correct.
modifying the third line as follows gives us an output whichc can be operated upon better.
host $name.checkpoint.com | grep “has address” | cut -d” ” -f4
now we get a list of ips which correspond to the various servers of the organisation; and we can perform whois lookups on wach of them to obtain more information(like additional network ranges)
2. reverse lookup brutforce
now that we have the network ranges of the ips being used by an organisation. now we perform a reverse lookup by
doing
host 216.200.241.69
we get the O\P suggesting that the ip is reffered to by the domain name pointer gould.us.checkpoint.com
using a bash script we could perform the lookups for all ip blocks.
#!/bin/bash
echo “enter the network range(first 3 parts) of your ip address”
read range
for ip in `seq 1 255`; do
host $range.$ip. | grep “name pointer” | cut -d” ” -f5
done
this should do it.
