Information Security (old version)/Attack Tools & Information Gathering 2016. 5. 26. 17:50

Attack Tools & Information Gathering - 16. DNS Information Gathering

This material is put together for the hands-on exercises needed in the training course; if it is used for personal purposes or with malicious intent, be advised that the legal responsibility is yours.

 - DNS information gathering: using DNS to obtain IP addresses and domain information, from which additional information about the attack target can be collected.

Ex1) nslookup & Whois services

@ Windows 2008

 - Use the 'nslookup' command to look up the IP address of 'www.google.com'.

C:\Users\Administrator>nslookup www.google.com
서버:    kns.kornet.net
Address:  168.126.63.1

권한 없는 응답:
이름:    www.google.com
Addresses:  2404:6800:4004:819::2004
                216.58.197.196

 - Connect to the Whois site (http://whois.kisa.or.kr/kor/) and search for the IP address '216.58.197.196'.

 - Connect to the IPCONFIG.KR site (http://www.ipconfig.kr) and search for the IP address '216.58.197.196'.

Ex2) DNS information gathering with 'dnsenum'

 - dnsenum tool: a tool that collects Host, Name Server, Mail Server and Zone Transfer information

@ Kali Linux

 - Collecting Host, Name Server, Mail Server and Zone Transfer information related to 'certcollection.org'

root@kali:~# dnsenum certcollection.org
dnsenum.pl VERSION:1.2.3

-----   certcollection.org   -----

Host's addresses:
__________________

certcollection.org.                      1391     IN    A        95.215.60.111

Name Servers:
______________

ns1.certcollection.org.                  40238    IN    A        208.94.148.4
ns2.certcollection.org.                  40238    IN    A        208.80.124.4
ns4.certcollection.org.                  40238    IN    A        208.80.125.4
ns6.certcollection.org.                  40238    IN    A        208.94.149.4
ns3.certcollection.org.                  3600     IN    A        208.80.126.4
ns5.certcollection.org.                  3600     IN    A        208.80.127.4

Mail (MX) Servers:
___________________

aspmx.l.google.com.                      244      IN    A        173.194.72.26
alt1.aspmx.l.google.com.                 115      IN    A        74.125.25.26
alt2.aspmx.l.google.com.                 261      IN    A        74.125.194.26
aspmx2.googlemail.com.                   40       IN    A        74.125.25.27
aspmx3.googlemail.com.                   88       IN    A        74.125.142.27
aspmx5.googlemail.com.                   262      IN    A        74.125.192.27
aspmx4.googlemail.com.                   127      IN    A        74.125.142.26

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for certcollection.org on ns4.certcollection.org ...    <- zone request refused message
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns2.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns3.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns1.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns5.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns6.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

brute force file not specified, bay.

 - Brute force & dictionary DNS information gathering against certcollection.org using the 'dns.txt' file

root@kali:~# cat  /usr/share/dnsenum/dns.txt
~ (middle omitted) ~

 --dnsserver : specify the DNS server (if not specified, queries are sent to the DNS server configured in '/etc/resolv.conf')

 --noreverse : skip the reverse DNS lookup step

 -f : specify the file to use for the brute force & dictionary attack

 --subfile : specify the sub file to use for the brute force & dictionary attack

root@kali:~# dnsenum --dnsserver 8.8.8.8 --noreverse -f /usr/share/dnsenum/dns.txt certcollection.org
dnsenum.pl VERSION:1.2.3
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   certcollection.org   -----

Host's addresses:
__________________

certcollection.org.                      21599    IN    A        95.215.60.111

Name Servers:
______________

ns1.certcollection.org.                  3599     IN    A        208.94.148.4
ns2.certcollection.org.                  3599     IN    A        208.80.124.4
ns6.certcollection.org.                  3599     IN    A        208.94.149.4
ns3.certcollection.org.                  3599     IN    A        208.80.126.4
ns4.certcollection.org.                  3599     IN    A        208.80.125.4
ns5.certcollection.org.                  3599     IN    A        208.80.127.4

Mail (MX) Servers:
___________________

aspmx3.googlemail.com.                   292      IN    A        74.125.194.26
alt2.aspmx.l.google.com.                 292      IN    A        74.125.194.26
aspmx2.googlemail.com.                   292      IN    A        74.125.194.26
aspmx.l.google.com.                      292      IN    A        74.125.204.26
aspmx5.googlemail.com.                   292      IN    A        173.194.219.26
aspmx4.googlemail.com.                   292      IN    A        173.194.219.26
alt1.aspmx.l.google.com.                 292      IN    A        74.125.194.26

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for certcollection.org on ns3.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns1.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns5.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns6.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns2.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for certcollection.org on ns4.certcollection.org ...
AXFR record query failed: RCODE from server: REFUSED

Scraping certcollection.org subdomains from Google:
____________________________________________________

 ----   Google search page: 1   ----

 ----   Google search page: 2   ----

 ----   Google search page: 3   ----

 ----   Google search page: 4   ----

 ----   Google search page: 5   ----

Google Results:
________________

  perhaps Google is blocking our queries.
 Check manually.

Brute forcing with /usr/share/dnsenum/dns.txt:
_______________________________________________

mail.certcollection.org.                 0        IN    CNAME    ghs.google.com.
ghs.google.com.                          0        IN    CNAME    ghs.l.google.com.
ghs.l.google.com.                        299      IN    A        74.125.23.121
ns1.certcollection.org.                  3540     IN    A        208.94.148.4
ns2.certcollection.org.                  3599     IN    A        208.80.124.4
www.certcollection.org.                  21599    IN    A        95.215.60.111

certcollection.org class C netranges:
______________________________________

 95.215.60.0/24
 208.80.124.0/24
 208.80.125.0/24
 208.80.126.0/24
 208.80.127.0/24
 208.94.148.0/24
 208.94.149.0/24

certcollection.org ip blocks:
______________________________

 95.215.60.111/32
 208.80.124.4/32
 208.80.125.4/32
 208.80.126.4/32
 208.80.127.4/32
 208.94.148.4/32
 208.94.149.4/32

done.

Ex3) DNS information gathering with 'dig'

 - dig tool: a DNS information gathering tool with functionality similar to 'nslookup'

@ Kali Linux

 @ : specify the DNS server

 any : specify the query type (e.g. a, any, mx, ns, soa, ...)

root@kali:~# dig @8.8.8.8 certcollection.org any

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> @8.8.8.8 certcollection.org any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24391
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;certcollection.org.         IN ANY

;; ANSWER SECTION:
certcollection.org. 21599 IN SOA ns10.dnsmadeeasy.com. dns.dnsmadeeasy.com. 2009010168 43200 3600 1209600 180
certcollection.org. 21599 IN NS ns5.certcollection.org.
certcollection.org. 21599 IN NS ns6.certcollection.org.
certcollection.org. 21599 IN NS ns3.certcollection.org.
certcollection.org. 21599 IN NS ns2.certcollection.org.
certcollection.org. 21599 IN NS ns4.certcollection.org.
certcollection.org. 21599 IN NS ns1.certcollection.org.
certcollection.org. 21599 IN A 95.215.60.111
certcollection.org. 3599 IN MX 20 alt2.aspmx.l.google.com.
certcollection.org. 3599 IN MX 30 aspmx4.googlemail.com.
certcollection.org. 3599 IN MX 30 aspmx2.googlemail.com.
certcollection.org. 3599 IN MX 10 aspmx.l.google.com.
certcollection.org. 3599 IN MX 20 alt1.aspmx.l.google.com.
certcollection.org. 3599 IN MX 30 aspmx3.googlemail.com.
certcollection.org. 3599 IN MX 30 aspmx5.googlemail.com.

;; Query time: 689 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 27 11:42:04 KST 2016
;; MSG SIZE  rcvd: 407

 - Checking zone transfer information (zone transfer: synchronization of zone data between the master DNS and slave DNS)

root@kali:~# dig @8.8.8.8 certcollection.org soa +multiline

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> @8.8.8.8 certcollection.org soa +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44068
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;certcollection.org. IN SOA

;; ANSWER SECTION:
certcollection.org. 21599 IN SOA ns10.dnsmadeeasy.com. dns.dnsmadeeasy.com. (
                                             2009010168 ; serial
                                             43200      ; refresh (12 hours)
                                             3600       ; retry (1 hour)
                                             1209600    ; expire (2 weeks)
                                             180        ; minimum (3 minutes)
                                             )

;; Query time: 451 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 27 11:49:47 KST 2016
;; MSG SIZE  rcvd: 107

root@kali:~#

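The records that dig and dnsenum print above share one layout ("owner TTL IN TYPE rdata"), and two of the things the tools derive from them are easy to reproduce by hand: the SOA timers that 'dig +multiline' annotates in Ex3, and the 'class C netranges' / 'ip blocks' lists that dnsenum printed at the end of Ex2. The following Python script is an added example, not code from the original post or from dig/dnsenum; it parses record lines in that layout and computes both. The sample answer is constructed from the records shown above, and all function names are this example's own.

```python
# Added example, not code from the original post or from dig/dnsenum.
# Parses "owner TTL IN TYPE rdata..." lines as printed by dig and dnsenum,
# expands SOA timers like 'dig +multiline', and derives the /24 netranges
# and /32 ip blocks that dnsenum lists at the end of a run.
import ipaddress

# Constructed sample: a subset of the 'dig ... any' answer shown in Ex3.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
certcollection.org. 21599 IN SOA ns10.dnsmadeeasy.com. dns.dnsmadeeasy.com. 2009010168 43200 3600 1209600 180
certcollection.org. 21599 IN NS ns1.certcollection.org.
certcollection.org. 21599 IN A 95.215.60.111
certcollection.org. 3599 IN MX 10 aspmx.l.google.com.
certcollection.org. 3599 IN MX 20 alt1.aspmx.l.google.com.
ns1.certcollection.org. 3599 IN A 208.94.148.4
ns2.certcollection.org. 3599 IN A 208.80.124.4
"""


def parse_records(text):
    """Return (owner, ttl, rtype, rdata_fields) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        if rclass != "IN":
            continue
        records.append((owner, int(ttl), rtype, rdata))
    return records


def describe_interval(seconds):
    """Render a timer the way dig annotates it, e.g. 43200 -> '12 hours'."""
    for unit, size in (("week", 604800), ("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size and seconds % size == 0:
            n = seconds // size
            return f"{n} {unit}{'' if n == 1 else 's'}"
    return f"{seconds} seconds"


def soa_timers(records):
    """Split the SOA rdata into its named fields (RFC 1035 order)."""
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata
            return {"mname": mname, "rname": rname, "serial": int(serial),
                    "refresh": int(refresh), "retry": int(retry),
                    "expire": int(expire), "minimum": int(minimum)}
    return None


def mx_by_priority(records):
    """MX hosts ordered by preference (the lowest value is tried first)."""
    mx = [(int(rdata[0]), rdata[1]) for _o, _t, rtype, rdata in records if rtype == "MX"]
    return sorted(mx)


def class_c_netranges(records):
    """/24 networks covering every A record, as in dnsenum's 'class C netranges'."""
    nets = {ipaddress.ip_network(rdata[0] + "/24", strict=False)
            for _o, _t, rtype, rdata in records if rtype == "A"}
    return [str(n) for n in sorted(nets)]


def ip_blocks(records):
    """/32 entries for every A record, as in dnsenum's 'ip blocks'."""
    hosts = {ipaddress.ip_address(rdata[0]) for _o, _t, rtype, rdata in records if rtype == "A"}
    return [f"{h}/32" for h in sorted(hosts)]


def report(text):
    """Assemble the same summary dnsenum and dig +multiline print, as a string."""
    recs = parse_records(text)
    soa = soa_timers(recs)
    lines = []
    if soa:
        lines.append(f"SOA primary {soa['mname']} serial {soa['serial']}")
        for key in ("refresh", "retry", "expire", "minimum"):
            lines.append(f"  {key:<8}{soa[key]:<9}; {describe_interval(soa[key])}")
    lines.append("MX: " + ", ".join(f"{p} {h}" for p, h in mx_by_priority(recs)))
    lines.append("class C netranges: " + " ".join(class_c_netranges(recs)))
    lines.append("ip blocks: " + " ".join(ip_blocks(recs)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ANSWER))
```

The refresh/retry/expire values are what the secondary name servers use to decide when to pull the zone from the primary, which is why a zone's SOA is the first thing to read when checking how (and how often) zone transfers happen; the /24 and /32 lists only summarise the A records and say nothing about who actually owns the surrounding address space.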
Ex4) DNS information gathering with 'dnsmap'

 - dnsmap tool: a DNS information gathering tool with functionality similar to 'dnsenum'

root@kali:~# cat /usr/share/dnsmap/wordlist_TLAs.txt

~ (middle omitted) ~

root@kali:~# dnsmap certcollection.org
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for certcollection.org using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

gb.certcollection.org
IP address #1: 208.100.54.79

mail.certcollection.org
IPv6 address #1: 2404:6800:4008:c02::79

mail.certcollection.org
IP address #1: 74.125.203.121

ns1.certcollection.org
IP address #1: 208.94.148.4

ns2.certcollection.org
IP address #1: 208.80.124.4

ns3.certcollection.org
IP address #1: 208.80.126.4

www.certcollection.org
IP address #1: 95.215.60.111

[+] 7 (sub)domains and 7 IP address(es) found
[+] completion time: 318 second(s)

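Seen from the name server's side, the dnsenum dictionary run in Ex2 and the dnsmap run above leave the same two traces in the query log: an AXFR request (answered REFUSED by all six certcollection.org name servers) and a burst of NXDOMAIN answers for names under the zone, one per wordlist entry that does not exist. The following Python detector is an added example, not code from the original post or from either tool; it flags both patterns. The log format is a simplified constructed one ('<time> <client> <qname> <qtype> <rcode>' per line, not BIND's or Unbound's real query-log layout), the log lines are constructed, and the threshold and window values are assumptions.

```python
# Added example, not code from the original post or from dnsenum/dnsmap.
# Detects, in a name server query log, the two traces those tools leave:
# AXFR/IXFR zone-transfer requests and NXDOMAIN bursts from subdomain
# dictionary attacks. Log format and lines are constructed for this example.
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO time> <client ip> <qname> <qtype> <rcode>"
# (a simplified format, not the real BIND or Unbound query-log layout).
SAMPLE_LOG = """\
2016-05-27T11:40:01 198.51.100.7 www.certcollection.org. A NOERROR
2016-05-27T11:40:02 198.51.100.7 certcollection.org. AXFR REFUSED
2016-05-27T11:40:03 198.51.100.7 certcollection.org. ANY NOERROR
2016-05-27T11:40:10 203.0.113.5 admin.certcollection.org. A NXDOMAIN
2016-05-27T11:40:10 203.0.113.5 backup.certcollection.org. A NXDOMAIN
2016-05-27T11:40:11 203.0.113.5 dev.certcollection.org. A NXDOMAIN
2016-05-27T11:40:11 203.0.113.5 ftp.certcollection.org. A NXDOMAIN
2016-05-27T11:40:12 203.0.113.5 mail.certcollection.org. A NOERROR
2016-05-27T11:40:12 203.0.113.5 test.certcollection.org. A NXDOMAIN
2016-05-27T11:40:13 203.0.113.5 vpn.certcollection.org. A NXDOMAIN
2016-05-27T11:45:00 192.0.2.9 wwww.certcollection.org. A NXDOMAIN
"""


def parse_log(text):
    """Turn each log line into a dict; names and codes are normalised for comparison."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        events.append({"time": datetime.fromisoformat(ts), "client": client,
                       "qname": qname.lower(), "qtype": qtype.upper(),
                       "rcode": rcode.upper()})
    return events


def zone_transfer_attempts(events):
    """Every AXFR/IXFR request as (client, zone, rcode); REFUSED means the server held the line."""
    return [(e["client"], e["qname"], e["rcode"])
            for e in events if e["qtype"] in ("AXFR", "IXFR")]


def parent_zone(qname, zones):
    """The monitored zone a query name belongs to, or None."""
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def enumeration_bursts(events, zones, threshold=5, window_seconds=60):
    """Clients with >= threshold NXDOMAIN answers under one zone inside a sliding window.

    threshold and window_seconds are assumed values; tune them to the zone's
    normal typo/NXDOMAIN rate before alerting on them.
    """
    per_key = defaultdict(list)
    for e in events:
        if e["rcode"] != "NXDOMAIN":
            continue
        zone = parent_zone(e["qname"], zones)
        if zone:
            per_key[(e["client"], zone)].append(e["time"])
    alerts = []
    for (client, zone), times in sorted(per_key.items()):
        times.sort()
        best = start = 0
        for end in range(len(times)):
            # Advance the window start until every timestamp in it is within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((client, zone, best))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for client, zone, rcode in zone_transfer_attempts(events):
        print(f"zone transfer request from {client} for {zone}: {rcode}")
    for client, zone, count in enumeration_bursts(events, ["certcollection.org."]):
        print(f"possible subdomain enumeration from {client}: {count} NXDOMAIN under {zone}")
```

A single NXDOMAIN (the 192.0.2.9 typo line) is left alone; only the client that receives six NXDOMAIN answers under the zone within a minute is reported, and the AXFR check confirms what the dnsenum runs above showed, that the transfer was refused rather than served.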
[Reference] Shodan site

 - An information gathering site with free and paid services (webcams, cams, netcams, default passwords, ...)

http://www.shodan.io

[YouTube] Video lecture link (Subscribe! Like!!!)

Attack Tools & Information Gathering - Chapter 16 DNS Information Gathering   https://youtu.be/gVZ2gZ_ekt0

Posted by instructor 김정우 (KakaoTalk: kim10322)