Fundamentals of OSINT & DNS
"Learn about Open Source Intelligence (OSINT) and Domain Name System (DNS) basics, record types, what can be derived from DNS, including zone transfers. Discover the importance of DNS in network security and information gathering."
Uploaded on Apr 04, 2025
Presentation Transcript
OSINT: DNS
Module Type: Basic Method
Module Number: 0x06
Last Updated: 2017-03-28
Author: Hermit

Topics
- What is OSINT?
- What is DNS?
- What Can We Learn From DNS?
- Zone Transfers
- Mail Server Enumeration
- Points of Contact
- Subnets
- Third Party Providers
- Security Posture
What is OSINT?
- Open Source Intelligence = OSINT
- Information from public sources
- Often involves directly connecting to a target
- Analysis of publicly available data

What is DNS?
- Domain Name System = DNS
- Simple lookup mechanism for public records
- Commonly, a human-memorable name to an IP address
- Both generic (TXT) and specific (MX, A, NS, SOA) records
- Both IPv4 (A) and IPv6 (AAAA) records
- Hierarchical system in a tree structure
What Are DNS Record Types?
- A = Address mapping (name -> IPv4)
- AAAA = Address mapping (name -> IPv6)
- CNAME = Canonical Name (alias)
- DNAME = Subtree lookup
- MX = Mail server
- NS = Name server (DNS resolution)
- SOA = Start of Authority (top-level information for the zone)
- SRV = Generic service record (e.g. instead of MX)
- TXT = Generic text record (e.g. SPF, DKIM, DMARC, etc.)
- HINFO = Host information (CPU, OS, etc.), but not commonly available
- CAA = CA Authorization (CAs permitted for a domain)
- IPSECKEY = An IPsec key
- PTR = Address mapping (reverse lookups)
- DNSSIG = DNSSEC signature
- NSEC/NSEC3 = DNSSEC non-existence proof
What Can We Learn From DNS?
- Internal server names
- Security Posture
- Deployed Services
- Points of Contact
- Third Party Service Providers
- Tools Present
- Infrastructure Maturity
- Infrastructure layout (IP addresses, network schema, etc.)
- Mail servers
Zone Transfers
A zone transfer allows for replication of an entire DNS structure. We like this because full replication lets us see hidden names that may not typically be tried (e.g. X41KALCN081KS.HIDDENS.EXAMPLE.COM) but which are publicly resolvable. Unfortunately for pentesters, it's normally disabled by default, and seldom found.

A Quick Note About dig
You might want to script things, or just avoid all the extra output each time you run a command. The dig tool allows you to modify output using + options. For instance, adding +noall to the end of a command drops everything except global settings, and adding +answer includes the DNS response. Combine the two for cleaner output, e.g. +noall +answer. Those trailing options have been left out of the following slides for brevity.
Zone Transfers: Try It!
Using dig:
  dig axfr @{DNS_SERVER} {DOMAIN}
  dig axfr @nsztm1.digi.ninja zonetransfer.me
Using nslookup:
  nslookup
  > server {DNS_SERVER}
  > set type=any
  > ls -d {DOMAIN}
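The dig and nslookup commands above do the transfer for you; the script below is an added example (not from the slides or their author) that does the same AXFR exchange with only the Python standard library, so you can see the wire format behind it and script a check that your own authoritative servers refuse transfers. It assumes the server answers on TCP port 53; the default server and zone are the practice pair from the slides, and the test below feeds it constructed response bytes rather than a live server.

```python
# Added example, not from the slides: a stdlib-only AXFR check. Point it at your
# own authoritative name servers to confirm that zone transfers are refused.
import socket
import struct
import sys

TYPE_SOA, TYPE_AXFR, CLASS_IN = 6, 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """12-byte header (ID, flags, QD/AN/NS/AR counts) plus one AXFR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)

def parse_response(msg):
    """Return the response code and the (owner, type) of every answer RR."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    offset = 12
    for _ in range(qd):                           # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen                      # RDATA is not decoded here
        answers.append((owner, rtype))
    return {"id": txid, "rcode": rcode, "answers": answers}

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def check_axfr(server, zone, timeout=5.0):
    """AXFR over TCP (RFC 1035 4.2.2: each message carries a 2-byte length prefix).
    A full transfer is bracketed by the zone's SOA, so stop at the second SOA."""
    query = build_axfr_query(zone)
    records, rcode, soa_seen = [], None, 0
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            try:
                (length,) = struct.unpack("!H", recv_exact(sock, 2))
                parsed = parse_response(recv_exact(sock, length))
            except ConnectionError:
                break
            rcode = parsed["rcode"]
            if rcode != "NOERROR":                # e.g. REFUSED: transfers restricted
                break
            for owner, rtype in parsed["answers"]:
                records.append((owner, rtype))
                if rtype == TYPE_SOA:
                    soa_seen += 1
    return {"rcode": rcode, "transfer_allowed": soa_seen == 2, "records": records}

if __name__ == "__main__":
    # Defaults are the practice server and zone from the slides.
    server, zone = sys.argv[1:3] if len(sys.argv) == 3 else ("nsztm1.digi.ninja", "zonetransfer.me")
    result = check_axfr(server, zone)
    print(f"{zone} @ {server}: rcode={result['rcode']} "
          f"transfer_allowed={result['transfer_allowed']} records={len(result['records'])}")
    for owner, rtype in result["records"][:20]:
        print(f"  {owner} type {rtype}")
```

Run it as `python3 axfr_check.py ns1.example.com example.com` against each of your own name servers; the expected result for a properly configured server is `rcode=REFUSED transfer_allowed=False`. A `NOTAUTH` answer means the server is not authoritative for that zone at all, which is worth checking separately since a stale NS delegation is its own finding.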
Mail Service Enumeration: Try It!
Using dig:
  dig {DOMAIN} MX
  dig {DOMAIN} TXT
Using nslookup:
  nslookup
  > set type=mx
  > {DOMAIN}
  > set type=txt
  > {DOMAIN}

Points of Contact: Try It!
Using dig:
  dig {DOMAIN} SOA
Using nslookup:
  nslookup
  > set type=soa
  > {DOMAIN}

Subnet Enumeration: Try It!
Using nmap:
  nmap --script dns-brute {DOMAIN}
  nmap --script dns-brute --script-args dns-brute.domain={DOMAIN},\
    dns-brute.threads={#},dns-brute.hostlist={FILE}
Using dnsrecon:
  dnsrecon -d {DOMAIN} -D {FILE} -f -t std
  dnsrecon -d {DOMAIN} -D /usr/share/wordlists/dirb/small.txt -f -t std
Using theharvester:
  theharvester -d {DOMAIN} -b all -n -c -t
Third Party Providers/Services
Looking through results we'll often see indicators of third parties, for example in MX records:
- MS O365 has mail.protection.outlook.com
- Symantec Security.Cloud has cluster_.__.messagelabs.com
- Google App Suite has aspmx._.google.com
- Proofpoint has mx_-________.gslb.pphosted.com
Or we'll see indicators in TXT records:
- Adobe: adobe-idp-site-verification
Or we'll see indicators in CNAME records:
- Look for resolutions to external network names
- Look for non-standard IP address ranges
Security Posture
Just like third party providers, we can learn about security postures through DNS records, e.g.:
- Look for TXT records that contain SPF/DKIM/DMARC records
- Look for DNS brute-forcing results that contain common tool names: epo.{DOMAIN}, paloalto.{DOMAIN}, siem.{DOMAIN}, etc.
- Look for IPSECKEY, DNSSIG, NSEC/NSEC3 records
- Be creative!
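The "script things" note about dig, the MX/TXT/SOA lookups and the third-party and posture slides all come together in the added example below, which is not from the slides or their author. It parses the answer section that `dig ... +noall +answer` prints (owner, TTL, class, type, rdata on one line per record) and reports what the slides say to look for: the mail provider behind each MX target, SPF/DMARC/DKIM presence, the SOA contact address, CNAMEs pointing outside the zone, and host labels that name security tools. The sample records are constructed for `example.com`; the provider suffixes and tool labels are the ones the slides list, and the DKIM key value is a placeholder.

```python
# Added example, not from the slides: parse `dig ... +noall +answer` output and
# summarise the posture and third-party indicators the slides describe.
import re

# MX target suffixes named on the slides, with the provider each indicates.
MX_PROVIDERS = {
    "mail.protection.outlook.com": "Microsoft Office 365",
    "messagelabs.com": "Symantec Security.Cloud",
    "google.com": "Google Apps / G Suite",
    "pphosted.com": "Proofpoint",
}
# TXT site-verification prefixes (adobe-idp-site-verification is from the slides).
VERIFICATION_PREFIXES = ("adobe-idp-site-verification", "google-site-verification")
# Host labels the slides call out as security tool names.
TOOL_LABELS = {"epo", "paloalto", "siem"}

# Constructed sample in dig's +noall +answer layout; the DKIM key is a placeholder.
DIG_ANSWER = """\
example.com.            300  IN  MX    10 example-com.mail.protection.outlook.com.
example.com.            300  IN  TXT   "v=spf1 include:spf.protection.outlook.com -all"
example.com.            300  IN  TXT   "adobe-idp-site-verification=0123abcd"
_dmarc.example.com.     300  IN  TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
selector1._domainkey.example.com. 300 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFA"
example.com.            300  IN  SOA   ns1.example.com. hostmaster.example.com. 2017032801 3600 900 1209600 300
www.example.com.        300  IN  CNAME example-com.cdn-provider.example.net.
siem.example.com.       300  IN  A     203.0.113.20
"""

def parse_dig_answers(text):
    """One dict per answer line; TXT rdata has its quoted strings joined."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _rclass, rtype, rdata = line.split(None, 4)
        if rtype == "TXT":
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        records.append({"name": name.lower(), "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records

def mx_provider(target):
    """Map an MX target host to a known provider by domain suffix."""
    host = target.lower().rstrip(".")
    for suffix, provider in MX_PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return "unknown / self-hosted"

def assess(records, zone):
    """Summarise mail, posture, contact and third-party indicators for one zone."""
    zone = zone.lower().rstrip(".") + "."
    report = {"mx": [], "spf": False, "dmarc": None, "dkim_selectors": [],
              "contacts": [], "third_party": set(), "external_cnames": [], "tool_hosts": []}
    for rec in records:
        name, rtype, rdata = rec["name"], rec["type"], rec["rdata"]
        if rtype == "MX":
            target = rdata.split()[1]
            provider = mx_provider(target)
            report["mx"].append((target, provider))
            if provider in MX_PROVIDERS.values():
                report["third_party"].add(provider)
        elif rtype == "TXT":
            low = rdata.lower()
            if low.startswith("v=spf1"):
                report["spf"] = True
            elif name == "_dmarc." + zone and low.startswith("v=dmarc1"):
                policy = re.search(r"\bp=(\w+)", rdata)   # the DMARC policy tag
                report["dmarc"] = policy.group(1) if policy else "present"
            elif "._domainkey." in name and low.startswith("v=dkim1"):
                report["dkim_selectors"].append(name.split("._domainkey.")[0])
            elif rdata.startswith(VERIFICATION_PREFIXES):
                report["third_party"].add(rdata.split("=")[0])
        elif rtype == "SOA":
            # RNAME encodes the admin mailbox with its first dot standing in for "@".
            rname = rdata.split()[1].rstrip(".")
            report["contacts"].append(rname.replace(".", "@", 1))
        elif rtype == "CNAME":
            target = rdata.lower().rstrip(".") + "."
            if not target.endswith("." + zone):
                report["external_cnames"].append((name, target))
        elif rtype in ("A", "AAAA") and name.split(".")[0] in TOOL_LABELS:
            report["tool_hosts"].append(name)
    report["third_party"] = sorted(report["third_party"])
    return report

if __name__ == "__main__":
    for key, value in assess(parse_dig_answers(DIG_ANSWER), "example.com").items():
        print(f"{key:16} {value}")
```

To run it on real output, replace `DIG_ANSWER` with the concatenated result of `dig {DOMAIN} MX +noall +answer`, `dig {DOMAIN} TXT +noall +answer`, `dig _dmarc.{DOMAIN} TXT +noall +answer` and `dig {DOMAIN} SOA +noall +answer` for a zone you are responsible for; a missing SPF or DMARC entry, or a CNAME that still points at a provider you no longer use, is what this kind of review is meant to surface.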
Additional Resources
DNS RFCs:
- RFC 1035
- RFC 1101
- RFC 4025
- RFC 4033
- RFC 4035
Hermit:
- https://twitter.com/hermit_hacker
- https://www.cryptolingus.net/
- https://www.stackattack.net/blog/