> See DNS Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/1 - Service Enumeration/DNS (53)|DNS (53)]]

# Introduction

- Domain Name System (DNS) translates domain names to IP addresses
- Typically uses UDP/53
- May use TCP/53 as a fallback or with Active Directory (AD)

# Enumeration

```bash
sudo nmap <target_ip> -p53 -Pn -sCV
```

# Zone Transfers

- A DNS zone is a portion of the DNS namespace that a specific org or administrator manages
- DNS servers utilize zone transfers (AXFR) to copy a portion of their db to another DNS server
- No authentication required for a zone transfer
- Unless configured properly (with IP whitelists), anyone can ask a DNS server for a copy of its zone info

```bash
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
fierce --domain inlanefreight.htb
```

# Domain Takeover & Subdomain Enumeration

- A domain takeover is registering a non-existent domain to take over another domain
- Also possible with sub-domains
- Suppose `sub.target.com`'s DNS server has a `CNAME` record pointing at `anotherdomain.com`, and `anotherdomain.com` expires and becomes available for anyone to claim
- In this case, anyone who registers `anotherdomain.com` will have complete control over `sub.target.com` until the DNS record is updated
- Enumerating `CNAME` records

```bash
host support.inlanefreight.com
```

```bash
./subfinder -d inlanefreight.com -v
```

```bash
git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
cd subbrute
echo "<target_dns_ip>" > ./resolvers.txt       # resolver by IP ...
echo "ns.inlanefreight.htb" > ./resolvers.txt  # ... or by hostname (either line alone is enough; each overwrites the file)
./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt  # uses a self-defined resolver
```

# DNS Spoofing

- Also referred to as DNS cache poisoning
- Involves altering legitimate DNS records with false information so that they can be used to redirect online traffic to a fraudulent website
Example attack paths for DNS cache poisoning are as follows:

- An attacker could intercept the communication between a user and a DNS server to route the user to a fraudulent destination instead of a legitimate one by performing a `MITM` attack
- Exploiting a vulnerability found in a DNS server could give an attacker control over the server and let them modify the DNS records

## Local DNS Cache Poisoning

```bash
cat /etc/ettercap/etter.dns  # edit to map the target names to be spoofed to the Kali host IP
ettercap &
# scan for live hosts by navigating to Hosts > Scan for Hosts
# activate the dns_spoof plugin by navigating to Plugins > Manage Plugins
# If successful, when the target machine <target_ip> visits the `inlanefreight.com` domain in a web browser,
# it will be redirected to a fake page hosted on the Kali host
```