DNS Information Recon (Deep dive)

[kawaiipantsu]

DNS Information Recon (Deep dive)

---

Item condition criteria: Target must be a host/domain name Item gather type: Passive

This is the task/issue for creating the "DNS Information Recon" item, that does a deep dive into osint dns info etc. I have made a list of things that i want it to do out of the box, its a lot but again it all depends on how it's shown.

• Use 'system' DNS or config provided DNS servers for lookup ie. Public or Private DNS server for lan lookup etc...

• [ ] DNS Zone Transfer

  • Check if allowed on 'target'
  • DNS AXFR Output last if available (append bottom div etc)

• [x] #13

• [x] Lookup 'target' NS

  • Resolve all NS server(s) to IP

• [x] Lookup 'target' addresses

  • A, AAAA, CNAME

• [x] DNS Fuzz (simple array only)

  • See if resolves for (A, AAAA, CNAME)
    • Config provided word array (host-fuzz) (etc: www,www1,www2,ftp,mail,ns,ns1,ns2,admin,blog,admin,firewall,gw,exchange, owa,jira,wiki,serec,beta,test,sso,login,portal,intranet,files,srv,srv1,ad, dl,download,server,archive,backup,bak,support,tracker,srv2,cdn,vdi,vpn, citrix,vmware,git,svn,code,vnc,ingress,k8s,kube,kubenetes,cloud,cluster, mon,monitor,grafana,dashboard,ldap,autodiscover,sip,web,snmp,auth,ha,elb, vm,hyper,hyperv,vcenter,vami,psc,vcsa,cam,camera,dvr,nvr,cctv,sec, security,api,apis,mq,mqtt,queue,iot,db,database,mysql,db2,oracle,tomcat)
    • On 'host-fuzz'.'target'
    • Perhaps show as matrix, red means not found, green means found
  • Extensive DNS fuzz with wordlist should be provided in seperate collection-item (redteam)

• [x] Lookup 'target' MX

  • Order by priority hierarchy
  • Resolve all MX server(s) to IP

• [x] Lookup 'target' DMARC

  • Lookup the special _dmarc.target TXT record

• Lookup special records of interest

  • [x] SPF special records of interest
    • On 'target'
    • Follow / Crawl SPF include: directives
  • [x] TXT special records of interest
    • Config provided word array (text-fuzz) (etc: domainkey,dmarc,host,salt,info,contact,abuse,spf,mail,smb,ad,bgp,peer,dyn,ip, vlan,vlanif,cpe,peer-as,dynamic,static,customer,a1,a10,a100,link,ldn,nto,tcore, tcore1,tcore2,sv,sv1,sv2,sql,eql,dhcp,net,edge,cidr,as,as1,as2,ospf,igp,egp, rules,mail,local,config,pref,conf,cfg)
    • On 'target'
    • On 'txt-fuzz'.'target'
    • On _'txt-fuzz'.'target'
  • [x] SRV special records of interest
    • Config provided word array (service-fuzz) (etc: ldap,kerberos,caldav,caldavs,carddav,carddavs,sip,xmpp-server,xmpp-client, ftp,finger,ssh,telnet,ntp,nntp,http,https,idb,db,smtp,h323cs,h323ls,h323rs, sips,federation,sipfederationtls,pexapp,xmpp,cuplogin,cisco-phone-tftp,bgp, cisco-phone-http,ciscowtp,pcoip-bootstrap,daap,irc,printer,ipp,pdl-datastream, riousbprint,ipp-printer,dicom,avaya-ep-config,gc,kpasswd,smb,wins,netbios,nfs, dns,rip,nat,stun,snmp,syslog,splunk,dhcp,trunk,socks,proxy,socks5,tor,edge,gw, elb,ha,kafka,casandra,mysql,postgresql,nosql,db2,oracle)
    • On 'target'
    • On _'service-fuzz'._tcp.'target'
    • On _'service-fuzz'._udp.'target'
    • On _'service-fuzz'._tls.'target'
    • On _'service-fuzz'._tcp.dc._msdcs.'target'
  • [x] CAA special records of interest
    • On 'target'
    • On www.'target'
    • On mail.'target'
  • [ ] DNSKEY special records of interest
    • On 'target'
    • Should parse Flag into human readable
    • Should parse Protocol into human readable
    • Should parse Algorithm into human readable

• [x] Validation token fingerprinting

  • Use JSON list / Regexp (More examples in attached file, parse into json)
  • Example tokens regexp data Match: google-site-verification=(<hash>) Match: ms=(<hash>) Match: mscid=(<hash-base64>) Match: facebook-domain-verification=(<hash>) Match: _globalsign-domain-verification=(<hash>)-(<hash>)
  • Example providers results Gmail.com ( Cloud Services) Microsoft Office 365 ( Cloud Services) O365 ( Cloud Services) Facebook.com ( Cloud Services) Globalsign.com ( Certificate Authority)

Attached files

DNS-Token-Fingerprints.txt

[kawaiipantsu]

A little progress update, SOA, NS and Addresses lookup is done

[kawaiipantsu]

First sneak preview of "host fuzz" output, it shows if the subdomain have A and/or AAAA resolving etc. And color code green/red. So in the example below you know that your target has etc. "jira.mytarget.com" and so forth. I am making it so if you click a "subdomain/fuzz" word it will be set as the new target and you can rerun intel gathering etc.

[kawaiipantsu]

SPF traverse :D That was something - But i think the end-result was okay ?? With a little SPF note function that can add a note on spf records to make it more readable for non-spf players :)

[kawaiipantsu]

Forgotten to add DMARC on the list. So this is added after MX and before SPF. Just as a short little segment.

[kawaiipantsu]

Now with proper DMARC lookup and explenations

[kawaiipantsu]

Test screenshot of fingerprinting in the TXT section. Any fingerprints that matches will output the vendor service instead of the "vendor verification string" Any unknown fingerprints will just show the original "vendor verification string"