- Common Enumeration Technique Seen in Scenario-Based Questions. (SY0-701)
For this lab, you’ll need Kali Linux.
By analyzing publicly available DNS records, security professionals and adversaries alike can map an organization's network infrastructure, identifying key servers, subdomains, and other relevant details.
A Corporate Topology might look like this:

In enterprise environments, there will be a ‘primary’ DNS server and at least one ‘secondary’ DNS server.
- The master copy of up-to-date domain names→IP Address mappings will be kept on the primary server.
- The secondary server will perform ‘zone transfers’ periodically to remain in sync with the primary.

The best practice is that this ‘zone transfer’ operation will be protected by at least a shared secret (password). The secondary server requesting the ‘zone transfer’ will provide the correct authentication credentials before receiving the DNS records and IP Addresses that are associated with them.
However, it is possible to configure the primary server so that no password is necessary. This is known as an ‘unauthenticated zone transfer.’
- In most environments, the master list of domain names to IP Address mappings is considered sensitive at the very least.
- A malicious user who can instantly obtain a list of all the IP Addresses and domains belonging to an organization will quickly have a fairly accurate attack surface defined.
- Therefore, this zone transfer operation should be protected by some authentication.
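To make the "protect the zone transfer" advice concrete from the administrator's side, here is an added example (not part of this lab) that audits a BIND named.conf fragment and rates each zone's allow-transfer ACL: open to anyone, source-IP only, TSIG shared secret, or closed. BIND, the sample configuration and the placeholder TSIG secret are assumptions, since the page names no DNS server software.

```python
import re

# Constructed BIND named.conf fragment (sample input; the TSIG secret is a placeholder).
SAMPLE_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET"; };
options { directory "/var/named"; allow-transfer { none; }; };
zone "open.example" { type primary; file "open.db"; allow-transfer { any; }; };
zone "iponly.example" { type primary; file "ip.db"; allow-transfer { 192.0.2.53; }; };
zone "signed.example" { type primary; file "signed.db"; allow-transfer { key xfer-key; }; };
zone "inherit.example" { type primary; file "inherit.db"; };
"""
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')  # captures the ACL body

def top_level_blocks(conf):
    """Split named.conf text into (header, body) pairs by matching braces."""
    blocks, depth, start, hdr = [], 0, 0, 0
    for i, ch in enumerate(conf):
        if ch == '{':
            if depth == 0:
                start = i
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                blocks.append((conf[hdr:start].strip(' \t\n;'), conf[start + 1:i]))
                hdr = i + 1
    return blocks

def classify_acl(acl):
    """Rate an allow-transfer ACL body from a defender's point of view."""
    items = [i.strip() for i in acl.split(';') if i.strip()]
    if not items or items == ['none']:
        return 'closed'      # zone transfers refused entirely
    if 'any' in items:
        return 'open'        # unauthenticated zone transfer to anyone
    if any(i.startswith('key ') for i in items):
        return 'tsig'        # shared secret (TSIG) required: the best practice
    return 'ip-only'         # source-address filter only, no secret involved

def audit_zone_transfers(conf):
    """Return {zone_name: rating}; zones without allow-transfer inherit the options block."""
    blocks = top_level_blocks(conf)
    opt = [XFER_RE.search(b) for h, b in blocks if h == 'options']
    inherited = classify_acl(opt[0].group(1)) if opt and opt[0] else 'unset'
    ratings = {}
    for header, body in blocks:
        if header.startswith('zone '):
            m = XFER_RE.search(body)
            ratings[header.split('"')[1]] = classify_acl(m.group(1)) if m else inherited
    return ratings
```

Any zone rated 'open', 'ip-only' or 'unset' is the configuration the bullets above warn about; only 'tsig' (or 'closed' on a server that has no secondaries) matches the best practice.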
Case in Point: North Korea
- In 2016, an independent security researcher requested a zone transfer (AXFR) from North Korea’s top-level DNS server.
Lab Objective:
- In this lab, we’ll walk through the process of DNS footprinting using a zone transfer (AXFR).
- You’ll then be asked to solve a challenge that is a little more difficult.