Friday, 5 September 2014

Episode 6: DNSTRACER

We're not done with the DNS enumeration and querying tools just yet, ladies and gentlemen. Now that I have Kali Linux I'll be reviewing more recent, up-to-date versions of the tools you have in BackTrack, so some people who are still on BackTrack might not find some of the options implemented in their versions of the tools. Seriously though, move to Kali, it's insanely better.


DNSTRACER

DNSTRACER is a tool that tracks the DNS delegation process in order to find the servers from which it can obtain authoritative answers about your target. DNS delegation is the chain your computer follows to get an answer to its DNS query. The process starts by consulting the root server, which is denoted by a '.' (a dot) at the end of the name you're requesting; for example, if you're requesting www.cnn.com what you're actually sending is "I want the IP address for www.cnn.com." Notice the dot at the end?
It's always there whenever you request a website, but you don't see it in your address bar, and if you looked closer, way closer, you'd still find nothing, because browsers now put that dot at the end for you to save you the trouble of looking down at your keyboard, finding the dot key and actually pressing it.
The reason this dot exists is that the DNS lookup process works from the right end of the name to the left. Here's an example of what happens when you request www.cnn.com(.)

  • After you press the Enter key the operating system embarks on a journey to translate the name you gave it into an IP address. It starts at the dot at the end of the address (yes, that invisible dot), which denotes the ROOT name server. The ROOT is the server that has the addresses of the TLD (top level domain) servers for .com, .net, .org etc.
    Your OS then says to the root server "Sup root! Can you hook me up with the address of www.cnn.com?" But the root replies "Sorry bro, don't have that. I DO however know where you can find the TLD server that might have the address to that site of yours!" and gives your OS the address of the .com TLD server (since it's www.cnn.com).
  • Your OS will then go to the .com TLD server and ask it the same thing, and it says "Well I don't have www.cnn.com but I do have the addresses of CNN's name servers! Maybe you can find the www part there!"
  • The courageous OS will continue on its journey to the CNN name servers. This is called the Authoritative Server; take note of that term as it's very important! The OS goes to the CNN name servers and asks them the same question, and the CNN name server says "Yeah sure thing, the address is 157.166.249.10." Having finally reached what it wants, the OS goes back, gives the browser the address, the browser connects to it and everybody sleeps happily.
 And that's how the DNS delegation process works.

Coming back to our main subject: if you were to follow that chain of queries and know when the query has reached an authoritative server, you could then ask that server a bunch of other questions about other records, and since it's the authoritative server, directly responsible for the DNS records of your target, it'll give you some very interesting answers.

As you already saw up there, running the tool without arguments presents you with the help page, which lists the options you can use with the tool. As always, I'll leave you with a quick review of the options and their functions.

  • -c : Disables local caching of the results of the queries.
  • -C : Negative caching (caching the failed queries/operations); it's disabled by default, and I don't know why anyone would want to enable it.
  • -o : Gives you an overview of the process once the tool has done its work. Pretty useful!
  • -q : Specifies the type of query you want to send to the servers (MX, SRV, SOA, PTR etc.).
    The default is A (name to IP address).
  • -r : Specifies how many times the tool should retry to obtain an answer before giving up.
  • -s : Specifies the DNS server to use for the querying process. If you specify . (a dot) it'll use the ROOT server mentioned above.
  • -t : Specifies how long the tool should wait for a response before giving up.
  • -v : Verbose output.
  • -S : Specifies the source address to use for the queries.
  • -4 : Query IPv4 servers only.

Now for the good part, let's play around with it a little.
Let's try to see the query chain for www.ubuntu.com with a timeout of 10 seconds, using my router as the DNS server to query, and have it give us an overview of how it went at the end. So the command will be:

dnstracer -o -t 10 -s 192.168.1.1 www.ubuntu.com


As you can see, it first asked my router (192.168.1.1), then it found the authoritative name servers for ubuntu.com: ns1.canonical.com, ns2.canonical.com and ns3.canonical.com, all of which pointed it at the address of www.ubuntu.com, which is 91.189.89.118.

Now, to realize the significance of this little tool we've got to conduct a little experiment.
Let's send a query of type ANY (meaning any info you can find on that target), once without asking the authoritative servers and once with, and see if there's a difference in the answers we get.
I'll be using the Linux "host" command, which is the Linux equivalent of nslookup on Windows; it's a tool that lets you issue DNS queries by hand.

In the first case I'll just make a query of type ANY without specifying a server, which lets the process go the normal way. So the command will be:
host -t any ubuntu.com

The results we got weren't really that satisfying. I mean, all we got was a bunch of name servers; who can go home with that?!

BUT! If we were to use the authoritative name servers to gain authoritative answers on the target (the word authoritative is starting to sound weird... have you ever said a word so many times, like bubble bubble bubble bub-... irrelevant..), let's see what happens.

With host you can specify the server to use by adding its address at the end of the command, so the command becomes:
  host -t any ubuntu.com 91.189.94.156

Interestingly, we get a much better answer with many more records. First you can see at the top that it's using the server we specified in the command as the domain server, then it starts the enumeration. It begins by giving us the A record, which is the IP address of the target, then the SOA (Start of Authority) record, which says it's at ns1.canonical.com and hostmaster.canonical.com. Then it gives us the NS records, which list the name servers for the target, namely ns1, ns2 and ns3, and finally it concludes with the MX record for the target, which names the server the target uses for mail exchange: mx.canonical.com.
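To make the two ideas in this post concrete, here is an added example in Python (not code from the post or from the dnstracer project). It models the delegation walk described earlier (root, then TLD, then the authoritative servers) and the `host -t any` experiment just above, entirely over constructed in-memory zone data so it runs offline. The root and .com server names, the SOA contact addresses for those two zones, and the bare ubuntu.com A record are assumptions; the ubuntu.com name servers, the SOA, the MX and the www.ubuntu.com address are the values quoted in the post.

```python
"""Toy model of the delegation walk dnstracer automates and of the post's
`host -t any` experiment. Constructed, in-memory data only: no packets are
sent. Root/.com server names are hypothetical; the ubuntu.com data follows
the post, except the bare ubuntu.com A record, a documentation-range value."""
from dataclasses import dataclass, field

ROOT = "a.root-servers.net."  # hypothetical root server name

# Records each server holds, by owner name. An owner with an SOA is the apex of
# a zone the server is authoritative for; an owner with NS but no SOA is a zone
# cut, and a query at or below it gets a referral to those NS.
ZONES = {
    ROOT: {
        ".": {"SOA": ["a.root-servers.net. hostmaster.example."], "NS": [ROOT]},
        "com.": {"NS": ["a.gtld-servers.net."]},
    },
    "a.gtld-servers.net.": {
        "com.": {"SOA": ["a.gtld-servers.net. hostmaster.example."],
                 "NS": ["a.gtld-servers.net."]},
        "ubuntu.com.": {"NS": ["ns1.canonical.com.", "ns2.canonical.com.",
                               "ns3.canonical.com."]},
    },
}
UBUNTU_ZONE = {  # the three canonical.com servers serve identical data
    "ubuntu.com.": {
        "A": ["192.0.2.10"],  # placeholder; the post does not show this value
        "SOA": ["ns1.canonical.com. hostmaster.canonical.com."],
        "NS": ["ns1.canonical.com.", "ns2.canonical.com.", "ns3.canonical.com."],
        "MX": ["mx.canonical.com."],
    },
    "www.ubuntu.com.": {"A": ["91.189.89.118"]},
}
for ns in UBUNTU_ZONE["ubuntu.com."]["NS"]:
    ZONES[ns] = UBUNTU_ZONE

@dataclass
class Reply:
    kind: str  # "answer" (possibly empty) or "referral"
    rrsets: dict = field(default_factory=dict)
    cut: str = ""  # the zone cut a referral points at
    nameservers: list = field(default_factory=list)

def ancestors(name):
    """'www.ubuntu.com.' -> ['www.ubuntu.com.', 'ubuntu.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".") if name != "." else []
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def ask(server, qname, qtype):
    """One non-recursive query, as dnstracer sends them: the deepest SOA/NS
    owner enclosing qname decides between an authoritative answer and a referral."""
    data = ZONES[server]
    for name in ancestors(qname):
        rr = data.get(name, {})
        if "SOA" in rr:  # qname lies in a zone this server is authoritative for
            owned = data.get(qname, {})
            if qtype == "ANY":
                return Reply("answer", dict(owned))
            return Reply("answer", {qtype: owned[qtype]} if qtype in owned else {})
        if "NS" in rr:  # zone cut without SOA: delegated to someone else
            return Reply("referral", cut=name, nameservers=list(rr["NS"]))
    return Reply("answer")  # nothing relevant at this server

def trace(qname, qtype="A", start=ROOT):
    """Follow referrals from `start` until a server answers, like dnstracer does.
    Returns the hops, the referrals seen on the way, and the final answer."""
    server, seen, hops, referrals = start, set(), [], []
    while server not in seen:
        seen.add(server)
        reply = ask(server, qname, qtype)
        hops.append((server, reply.kind))
        if reply.kind == "answer":
            auth = referrals[-1][1] if referrals else [server]
            return {"hops": hops, "referrals": referrals,
                    "authoritative": auth, "rrsets": reply.rrsets}
        referrals.append((reply.cut, reply.nameservers))
        # A real resolver needs glue A records here; in this model a server is
        # reachable when we hold its data. No reachable NS = a lame delegation.
        server = next((ns for ns in reply.nameservers if ns in ZONES), None)
        if server is None:
            raise LookupError(f"lame delegation: none of {reply.nameservers} reachable")
    raise LookupError(f"delegation loop: {server} was already queried")

def compare_any(qname):
    """The post's experiment: ANY from a recursive resolver's cache (only the
    referral NS records, as the post's first query showed) vs ANY at an authority."""
    walk = trace(qname)
    cached_types = ["NS"] if qname in dict(walk["referrals"]) else []
    direct_types = sorted(ask(walk["authoritative"][0], qname, "ANY").rrsets)
    return {"cached": cached_types, "authoritative": direct_types,
            "only_authoritative": sorted(set(direct_types) - set(cached_types))}

if __name__ == "__main__":
    walk = trace("www.ubuntu.com.")
    for server, kind in walk["hops"]:
        print(f"{server:24} -> {kind}")
    print("authoritative:", walk["authoritative"], "answer:", walk["rrsets"])
    print("ANY experiment:", compare_any("ubuntu.com."))
```

Running it prints the three hops for www.ubuntu.com. (root referral, .com referral, authoritative answer from ns1.canonical.com.) and then the comparison for ubuntu.com.: the resolver-cache view holds only NS, while the authoritative view holds A, SOA, NS and MX, which is exactly the gap the two host commands above showed. The walk also raises on a referral whose name servers cannot be reached (a lame delegation) and on a referral loop, the two ways a trace like this fails on a misconfigured zone.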

It can be argued that there are tons of other tools that can figure out the DNS delegation process and the authoritative servers, which is true, but dnstracer is a tool specialized for this purpose and it does its job perfectly.


_______________________________________________
Next Episode: DNSWALK
