The goal of using the tools in the DNS records category is to collect information about the DNS servers and the corresponding records of a target domain.
The following are several common DNS record types:
No. | Record type | Description |
1 | SOA | This is the start of authority record. |
2 | NS | This is the name server record. |
3 | A | This is the IPv4 address record. |
4 | MX | This is the mail exchange record. |
5 | PTR | This is the pointer record. |
6 | AAAA | This is the IPv6 address record. |
7 | CNAME | This is the abbreviation for canonical name. It is used as an alias name for another canonical domain name. |
For example, in a penetration test engagement, the customer may ask you to find out all of the hosts and IP addresses available for their domain. The only information you have is the organization’s domain name. We will look at several common tools that can help you if you encounter this situation.
Host
After we get the DNS server information, the next step is to find out the IP address of a hostname. To help us out in this matter, we can use the following host command-line tool to look up the IP address of a host from a DNS server:
# host hackthissite.org
By default, the host command will look for the A, AAAA, and MX records of a domain. To query for records of any type, give the -a option to the command:
# host -a hackthissite.org
Trying "hackthissite.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32115
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hackthissite.org. IN ANY
;; ANSWER SECTION:
hackthissite.org. 5 IN A 198.148.81.135
hackthissite.org. 5 IN A 198.148.81.139
hackthissite.org. 5 IN A 198.148.81.137
hackthissite.org. 5 IN A 198.148.81.136
hackthissite.org. 5 IN A 198.148.81.138
hackthissite.org. 5 IN NS ns1.hackthissite.org.
hackthissite.org. 5 IN NS c.ns.buddyns.com.
hackthissite.org. 5 IN NS f.ns.buddyns.com.
hackthissite.org. 5 IN NS e.ns.buddyns.com.
hackthissite.org. 5 IN NS ns2.hackthissite.org.
hackthissite.org. 5 IN NS b.ns.buddyns.com.
hackthissite.org. 5 IN NS d.ns.buddyns.com.
Received 244 bytes from 172.16.43.2#53 in 34 ms
The host command looks for these records by querying the DNS servers listed in the /etc/resolv.conf file of your Kali Linux system. If you want to use other DNS servers, just provide the DNS server address as the last command-line option.
Note
If you provide the domain name as the command-line option in host, the method is called forward lookup, but if you give an IP address as the command-line option to the host command, the method is called reverse lookup.
Try to do a reverse lookup of the following IP address:
# host 23.23.144.81
What information can you get from this command?
The host tool can also be used to do a DNS zone transfer. With this mechanism, we can collect information about the available hostnames in a domain.
A DNS zone transfer is a mechanism used to replicate a DNS database from a master DNS server to another DNS server, usually called a slave DNS server. Without this mechanism, the administrators have to update each DNS server separately. The DNS zone transfer query must be issued to an authoritative DNS server of a domain.
Due to the nature of the information that can be gathered by a DNS zone transfer, nowadays it is very rare to find a DNS server that answers a zone transfer request from an arbitrary client.
If you find a DNS server that allows zone transfer without limiting who is able to do it, this means that the DNS server has been configured incorrectly.
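The check described above can be run by an administrator against their own zone. The following is an added example, not code from the original article: the function names axfr_status and audit_zone are made up for illustration, and the two sample outputs are constructed using documentation names and addresses (example.com, 192.0.2.0/24).

```shell
#!/bin/sh
# Classify the text output of `dig axfr <zone> @<server>` read on stdin.
# A completed transfer begins and ends with the zone's SOA record; a refused
# one makes dig print "; Transfer failed.".
axfr_status() {
    awk -v apex="${1%.}." '
        /^; Transfer failed/ { failed = 1 }
        /^;/ || NF < 5       { next }      # skip comments and blank lines
        { records++ }
        tolower($1) == tolower(apex) && $3 == "IN" && $4 == "SOA" { soa++ }
        END {
            if (failed)        print "refused"
            else if (soa >= 2) print "open " records
            else               print "unknown"
        }'
}

# Check every name server that the zone lists (needs dig and network access).
audit_zone() {
    for ns in $(dig +short NS "$1"); do
        printf '%s %s\n' "$ns" "$(dig axfr "$1" @"$ns" | axfr_status "$1")"
    done
}

# Constructed sample outputs (documentation names and addresses only).
sample_refused() {
    cat <<'EOF'
; <<>> DiG 9.9.5 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.
EOF
}

sample_open() {
    cat <<'EOF'
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2016020201 7200 3600 1209600 3600
example.com.     3600 IN NS  ns1.example.com.
ns1.example.com. 3600 IN A   192.0.2.53
www.example.com. 3600 IN A   192.0.2.80
vpn.example.com. 3600 IN A   192.0.2.10
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 2016020201 7200 3600 1209600 3600
EOF
}

sample_refused | axfr_status example.com   # refused
sample_open    | axfr_status example.com   # open 6
# audit_zone example.com                   # live check against your own zone
```

Any name server reported as open should have transfers restricted to its secondary servers, for example with the allow-transfer option in BIND.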
dig
Besides the host command, you can also use the dig command to do DNS interrogation. The advantages of dig compared to host are its flexibility and clarity of output. With dig, you can ask the system to process a list of lookup requests from a file.
Let’s use dig to interrogate the hackthissite.org domain.
Without providing any options besides the domain name, the dig command will only return the A record of a domain. To request any other DNS record type, we can provide the type option in the command line:
# dig hackthissite.org
; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> hackthissite.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44321
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 4096
;; QUESTION SECTION:
;hackthissite.org. IN A
;; ANSWER SECTION:
hackthissite.org. 5 IN A 198.148.81.139
hackthissite.org. 5 IN A 198.148.81.137
hackthissite.org. 5 IN A 198.148.81.138
hackthissite.org. 5 IN A 198.148.81.135
hackthissite.org. 5 IN A 198.148.81.136
;; Query time: 80 msec
;; SERVER: 172.16.43.2#53(172.16.43.2)
;; WHEN: Tue Feb 02 18:16:06 PST 2016
;; MSG SIZE rcvd: 125
From the result, we can see that the dig output now returns the A records of the domain.
DMitry
Deepmagic Information Gathering Tool (DMitry) is an all-in-one information gathering tool. It can be used to gather the following information:
• The Whois record of a host by using the IP address or domain name
• Host information from https://www.netcraft.com/
• Subdomains in the target domain
• The email address of the target domain
• Open, filtered, or closed port lists on the target machine by performing a port scan
Even though this information can be obtained using several Kali Linux tools, it is very handy to gather all of the information using a single tool and to save the report to one file.
Note
We think this tool is more suitable to be categorized under DNS analysis instead of the Route analysis section because the capabilities are more about DNS analysis rather than routing analysis.
To access DMitry from the Kali Linux menu, navigate to Applications | Information Gathering | dmitry, or you can use the console and type the following command:
# dmitry
As an example, let’s do the following to a target host:
• Perform a Whois lookup
• Get information from https://www.netcraft.com/
• Search for all the possible subdomains
• Search for all the possible email addresses
The command for performing the mentioned actions is as follows:
# dmitry -iwnse hackthissite.org
The following is the abridged result of the preceding command:
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:198.148.81.138
HostName:hackthissite.org
Gathered Inet-whois information for 198.148.81.138
---------------------------------
inetnum: 198.147.161.0 - 198.148.176.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks: -----------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
created: 2011-07-11T12:36:59Z
last-modified: 2015-10-29T15:18:41Z
source: RIPE
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.85.1 (DB-2)
We can also use dmitry to perform a simple port scan by providing the following command:
# dmitry -p hackthissite.org -f -b
The result of the preceding command is as follows:
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:198.148.81.135
HostName:hackthissite.org
Gathered TCP Port information for 198.148.81.135
---------------------------------
 Port State
…
14/tcp filtered
15/tcp filtered
16/tcp filtered
17/tcp filtered
18/tcp filtered
19/tcp filtered
20/tcp filtered
21/tcp filtered
22/tcp open
>> SSH-2.0-OpenSSH_5.8p1_hpn13v10 FreeBSD-20110102
23/tcp filtered
24/tcp filtered
25/tcp filtered
26/tcp filtered
…
79/tcp filtered
80/tcp open
Portscan Finished: Scanned 150 ports, 69 ports were in state closed
All scans completed, exitin
From the preceding output, we find that the target host is using a device to do packet filtering. It only allows incoming connections to port 22 for SSH and port 80, which is commonly used for a web server. What is of interest is that the type of SSH installation is indicated, allowing for further research on possible vulnerabilities in the OpenSSH installation.
Maltego
Maltego is an open source intelligence and forensics application. It allows you to mine and gather information and represent the information in a meaningful way. The phrase open source in Maltego means that it gathers information from open source resources. After gathering the information, Maltego allows you to identify the key relationships between the pieces of information gathered.
Maltego is a tool that can graphically display the links between data, so it will make it easier to see the common aspects between pieces of information.
Maltego allows you to enumerate the following internet infrastructure information:
• Domain names
• DNS names
• Whois information
• Network blocks
• IP addresses
It can also be used to gather the following information about people:
• Companies and organizations related to the person
• Email addresses related to the person
• Websites related to the person
• Social networks related to the person
• Phone numbers related to the person
• Social media information
Kali Linux, by default, comes with Maltego 3.6.1 Kali Linux edition. The following are the limitations of the community version:
• Not for commercial use
• A maximum of 12 results per transform
• You need to register yourself on our website to use the client
• API keys expire every couple of days
• Runs on a (slower) server that is shared with all community users
• Communication between client and server is not encrypted
• Not updated until the next major version
• No end user support
• No updates of transforms on the server side
There are more than 70 transforms available in Maltego. The word transform refers to the information gathering phase of Maltego. One transform means that Maltego will only do one phase of information gathering.
To access Maltego from the Kali Linux menu, navigate to Applications | Information Gathering | Maltego. There is also a start icon on the desktop, or you can use the console and type the following command:
# maltego
You will see the Maltego welcome screen. After several seconds, you will see the following Maltego start up wizard that will help you set up the Maltego client for the first time.
Click on Next to continue to the next window and enter your login details. (Click on register here to create an account if you do not have login details.)
Once logged in, enter your personal details (name and email address).
You will then need to select the transform seeds, as shown in the following screenshot:
The Maltego client will connect to the Maltego servers in order to get the transforms. If Maltego has been initialized successfully, you will see the following screenshot:
This means that your Maltego client initialization has been done successfully. Now you can use the Maltego client.
Before we use the Maltego client, let’s first look at the Maltego interface:
On the top-left side of the preceding screenshot, you will see the Palette window. In the Palette window, you can choose the entity type for which you want to gather the information. Maltego divides the entities into six groups, as follows:
• Devices such as phone or camera
• Infrastructure such as AS, DNS name, domain, IPv4 address, MX record, NS record, netblock, URL, and website
• Locations on earth
• Penetration testing
• Personal such as alias, document, email address, image, person, phone number, and phrase
• Social network such as Facebook object, Twitter entity, Facebook affiliation, and Twitter affiliation
In the top-middle of the preceding screenshot, you will see the different views:
• Main View
• Bubble View
• Entity List
Views are used to extract information that is not obvious from large graphs—where the analyst cannot see clear relationships via the manual inspection of data. Main View is where you work most of the time. In Bubble View, the nodes are displayed as bubbles, while in the Entity List tab, the nodes are simply listed in text format.
Next to the views, you will see different layout algorithms. Maltego supports the following four layout algorithms:
• Block layout: This is the default layout and is used during mining.
• Hierarchical layout: The hierarchical layout works with a root and subsequent branches for hosts. This provides a branch structure to allow for visualization of parent/child relationships.
• Centrality layout: The centrality layout takes the most central node and then graphically represents the incoming links around the nodes. This is useful when examining several nodes that are all linked to one central node.
• Organic layout: The organic layout displays the nodes in such a way that the distance is minimized, giving the viewer a better overall picture of the nodes and their relationships.
After a brief description of the Maltego client user interface, it’s time for action.
Let’s suppose you want to gather information about a domain. We will use the example.com domain for this example. We will explore how to do this in the following steps:
- Create a new graph (Ctrl + T) and go to the Palette tab.
- Select Infrastructure, and click on Domain.
- Drag it to the main window. If successful, you will see a domain called paterva.com in the main window.
- Double-click on the name and change it to your target domain, such as example.com, as shown in the following screenshot:
- If you right-click on the domain name, you will see all of the transforms that can be done to the domain name:
  • DNS from domain
  • Domain owner’s details
  • Email addresses from domain
  • Files and documents from domain
  • Other transforms, such as To Person, To Phone numbers, and To Website
  • All transforms
- Let’s choose DomainToDNSNameSchema from the domain transforms (Run Transform | Other Transforms | DomainToDNSNameSchema). The following screenshot shows the result:
After the DNS from Domain transform, we got information on the website address (www.example.com) related to the example.com domain.
Hope you found the article helpful and interesting. If you want to unleash the full potential of Kali Linux 2018 for your cybersecurity requirements, you must check out Kali Linux 2018: Assuring Security by Penetration Testing – Second Edition. Following a coherent, step-by-step approach, Kali Linux 2018: Assuring Security by Penetration Testing – Second Edition showcases penetration testing through cutting-edge tools and techniques, and is a must-read for pentesters, ethical hackers, and IT security professionals.