Closed digininja closed 3 years ago
Sir can u teach me hacking Bro
On Thu 8 Oct, 2020, 2:24 PM Robin Wood, notifications@github.com wrote:
Steps to reproduce
How'd you do it?
- use auxiliary/gather/enum_dns.rb
- set NS 127.0.0.1
- set ENUM_AXFR true
- set DOMAIN mytest.com
- set ENUM_A false
- set ENUM_BRT false
- set ENUM_MX false
- set ENUM_SOA false
- set ENUM_SRV false
- set ENUM_TXT false
- set ENUM_CNAME false
- set ENUM_NS false
- run
The local Bind9 server is setup to allow zone transfers. The IP addresses in it aren't setup to point to anything valid, including the NS records. Were you following a specific guide/tutorial or reading documentation?
n/a Expected behavior
AXFR should be attempted against the NS specified.
Maybe have an option to also test the NS records set for the domain, but that could create unexpected traffic so it shouldn't be on by default. Target may notice and log an AXFR attempt against the NS. Current behavior
I'm guessing that the NS returned by the SOA request is chosen rather than the NS specified in the options, or it may just pick the first NS entry from doing an NS lookup. As the NS doesn't resolve, the AXFR fails with an error.
msf6 auxiliary(gather/enum_dns) > run
[] Querying DNS NS records for mytest.com [+] witrap.com NS: ns1.mytest.com [+] witrap.com NS: ns1.mytest.com [+] witrap.com NS: ns3.mytest.com [] Attempting DNS AXFR for mytest.com from ns1.mytest.com [-] AXFR failed: getaddrinfo: Name or service not known [*] Auxiliary module execution completed
Metasploit version
d0778c7a547a0f49fdea54463862306764675090 (HEAD, upstream/master) Land #14228, Increase operations per run
Additional Information
Found this during building a lab, I don't own the Bind config files but may be able to share them if needed.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/rapid7/metasploit-framework/issues/14236, or unsubscribe https://github.com/notifications/unsubscribe-auth/ARG5CBO4VZVCJ64XURB6BI3SJV443ANCNFSM4SIOXL7A .
Ignoring the hacking request, it looks like it is just pulling back the NS records not the SOA, if I run it a couple of times it switches between ns1 and ns3 but would stick on ns1 if it were using the SOA.
Marking this as a dup of #14321, if that's incorrect just let me know.
It is a duplicate, I thought I'd raised it in the past but I completely failed to find this in the issue list.
Steps to reproduce
How'd you do it?
The local Bind9 server is setup to allow zone transfers. The IP addresses in it aren't setup to point to anything valid, including the NS records.
Were you following a specific guide/tutorial or reading documentation?
n/a
Expected behavior
AXFR should be attempted against the NS specified.
Maybe have an option to also test the NS records set for the domain, but that could create unexpected traffic so it shouldn't be on by default. Target may notice and log an AXFR attempt against the NS.
Current behavior
I'm guessing that the NS returned by the SOA request is chosen rather than the NS specified in the options, or it may just pick the first NS entry from doing an NS lookup. As the NS doesn't resolve, the AXFR fails with an error.
Metasploit version
Additional Information
Found this during building a lab, I don't own the Bind config files but may be able to share them if needed.