Administrators, and the default configuration of several DNS servers on every platform, often leave the nameserver open to zone transfers. In plain terms, the server will hand anyone who asks a dump of every DNS record it serves for a domain. This is a moderate to high security risk, although it can be disabled on the server quite easily.
The information gained from a successful zone transfer is very useful to an attacker in the reconnaissance phase, and can ultimately expose the addresses of a huge number of hosts that administrators never intended the public internet to know about (and that nobody planned to expose to internet traffic).
For example, I have seen zone transfers that listed multiple development servers that were freely accessible, exposing security flaws due to incomplete code. Development boxes are also a good candidate to look for files with incorrect permissions in order to get even more information out of the host.
Also, bear in mind the situation where someone gets their hands on a decent-sized transfer: thousands of hosts belonging to a single domain can be gleaned in seconds. I also think it is neat how you can quickly read over most zone transfers and easily pick out the devices that belong to the core infrastructure, and even the addresses of important services used in the domain (thanks to the verbosity some administrators use when coming up with a hostname).
I wrote a small Perl tool, dig-shovel, to automate the process of finding the list of nameservers for a domain, attempting a zone transfer from each, and finally parsing the addresses contained in the zone transfer into something easily readable and exportable. The tool can be downloaded directly from this site with this link (right-click, Save As...), or you can click through to this post for the details on dig-shovel.
Zone Transfer Example
The following is an example of a typical zone transfer using dig, the free, open-source DNS lookup tool. dig is available on most operating systems, though on some you may have to hunt for the package in your package manager. More information on using dig by hand can be found here.
```
$ dig @ns1.exampledns.com axfr example.com

; <<>> DiG 9.5.1-P3 <<>> @ns1.exampledns.com axfr example.com
; (1 server found)
;; global options:  printcmd
example.com.            3600    IN      SOA     ns1.exampledns.com. postmaster.exampleinc.com. 2009052203 10800 3600 604800 10800
example.com.            3600    IN      NS      ns1.exampledns.com.
example.com.            3600    IN      NS      ns2.exampledns.com.
example.com.            3600    IN      NS      ns3.exampledns.com.
example.com.            3600    IN      MX      10 mx01.exampleinc.com.
example.com.            3600    IN      MX      20 mx02.exampleinc.com.
example.com.            3600    IN      A       10.10.15.201
mailman.example.com.    3600    IN      A       10.10.15.201
ftp.example.com.        3600    IN      CNAME   example.com.
ipv6.example.com.       3600    IN      AAAA    2001:4978:238::1:1
hosting.example.com.    3600    IN      CNAME   example.com.
mx01.example.com.       3600    IN      A       10.10.15.211
mx02.example.com.       3600    IN      A       10.10.15.221
www.example.com.        3600    IN      CNAME   example.com.
ns2.example.com.        3600    IN      A       10.10.15.50
ns1.example.com.        3600    IN      A       10.10.15.53
ns3.example.com.        3600    IN      A       10.10.15.58
gw.example.com.         3600    IN      AAAA    2002:18c9:defa::1:5:0
;; Query time: 91 msec
;; SERVER: 24.199.222.201#53(24.199.222.201)
;; WHEN: Wed Aug 12 15:21:03 2009
;; XFR size: 17 records (messages 1, bytes 948)
```
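The transfer above succeeds because the server answers AXFR requests from any address, which was the effective default on BIND 9 of that era. Closing it is a one-line change in named.conf. The fragment below is an added example, not part of the original post: the key name, the zone file path and the key secret are placeholders, and the two addresses are the secondaries (ns2 and ns3) from the transfer above.

```conf
// Added example, not from the original post.
//
// Weak setting (what an open server effectively runs with):
//     allow-transfer { any; };
//
// Hardened: refuse AXFR/IXFR globally, then re-open it per zone only to
// the secondaries, and only when they sign the request with a TSIG key.
options {
    allow-transfer { none; };
};

// Shared secret for the secondaries.  Placeholder only; generate a real
// one with tsig-keygen (BIND 9.11+) or ddns-confgen on older releases.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "example.com" {
    type master;
    file "/etc/namedb/master/example.com";   // path is an assumption
    // Only requests signed with xfer-key may pull the zone.  If TSIG is
    // not an option, fall back to an address list:
    //     allow-transfer { 10.10.15.50; 10.10.15.58; };
    allow-transfer { key xfer-key; };
    also-notify { 10.10.15.50; 10.10.15.58; };
};
```

After `rndc reload`, re-run `dig @ns1.exampledns.com axfr example.com`; a correctly locked-down server answers with `; Transfer failed.` instead of the record dump. Keep in mind that this only stops the bulk download: every record is still answerable one name at a time, so internal hosts that should not be visible from the internet belong in an internal view or a separate internal zone, not merely behind a transfer ACL.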
The dig-shovel Process
Done by hand, the process the program automates is:
- `dig NS domain.tld` to get the initial list of nameservers we can attempt a zone transfer from
- `dig @nameserver axfr domain.tld` for each nameserver found in the previous step (this manually attempts a zone transfer)
- parse all the data into something easily readable
The dig-shovel program automates digging up the nameservers, attempting a zone transfer from each, and finally tidying up the raw zone-transfer output that dig prints. I have also included a few simple logging facilities to either give you a total list of found hosts line-by-line or a single line of found hosts with a user-specified delimiter. I figured someone might be interested in these export features to make it easy to feed the list of hosts into another program.
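The same three steps, written as a POSIX shell script, as an added example that is not the author's dig-shovel (which is Perl). It assumes `dig` is on the PATH for the live mode; the sample dig outputs embedded in it are constructed, modelled on the transfer shown earlier, so the parsing can be exercised with no network at all. Besides reproducing the type/host/target view, it recognises a refused transfer by the absence of dig's `;; XFR size:` summary and, like dig-shovel's `-o ips`, can reduce the result to a unique address list.

```shell
#!/bin/sh
# Added example: the dig-shovel workflow in POSIX sh + awk.
# Not the author's Perl tool; it only follows the three steps the text
# describes.  Needs `dig` on PATH for the live mode.
#
#   ./axfr-check.sh example.com   # live: NS lookup, AXFR attempts, parse
#   ./axfr-check.sh               # offline: parse the constructed sample

# Step 1 helper: nameserver hostnames from `dig NS` output on stdin,
# one per line, trailing dot removed.
find_nameservers() {
    awk '$1 !~ /^;/ && $4 == "NS" { sub(/\.$/, "", $5); print $5 }'
}

# Step 2 helper: a successful AXFR ends with an ";; XFR size:" summary;
# a refused one prints "; Transfer failed." and no summary.
transfer_ok() {
    grep -q '^;; XFR size:'
}

# Step 3 helper: reduce raw AXFR output on stdin to
# "TYPE<TAB>owner<TAB>rdata" lines (comments and SOA dropped).
parse_axfr() {
    awk '$1 !~ /^;/ && NF >= 5 && $3 == "IN" && $4 ~ /^(A|AAAA|NS|MX|CNAME)$/ {
            owner = $1; sub(/\.$/, "", owner)
            rdata = $5
            for (i = 6; i <= NF; i++) rdata = rdata " " $i
            sub(/\.$/, "", rdata)
            printf "%s\t%s\t%s\n", $4, owner, rdata
        }'
}

# Like dig-shovel's "-o ips": unique IPv4/IPv6 addresses from parsed lines.
list_ips() {
    awk -F '\t' '$1 == "A" || $1 == "AAAA" { print $3 }' | sort -u
}

# Glue: try every authoritative nameserver until one hands over the zone.
# Returns 0 after the first successful transfer, 1 if all refuse or time out.
dig_shovel() {
    domain=$1
    for ns in $(dig +noall +answer NS "$domain" | find_nameservers); do
        out=$(dig +time=5 +tries=1 "@$ns" axfr "$domain")
        if printf '%s\n' "$out" | transfer_ok; then
            echo "SUCCESSFUL TRANSFER: $ns"
            printf '%s\n' "$out" | parse_axfr
            return 0
        fi
        echo "refused or failed: $ns" >&2
    done
    return 1
}

# Constructed sample outputs (modelled on the page's example, not real
# captures) so the parsing can be exercised offline.
SAMPLE_NS='example.com.   3600  IN  NS  ns1.exampledns.com.
example.com.   3600  IN  NS  ns2.exampledns.com.'

SAMPLE_AXFR='; <<>> DiG 9.5.1-P3 <<>> @ns1.exampledns.com axfr example.com
;; global options: printcmd
example.com.          3600  IN  SOA    ns1.exampledns.com. postmaster.exampleinc.com. 2009052203 10800 3600 604800 10800
example.com.          3600  IN  NS     ns1.exampledns.com.
example.com.          3600  IN  MX     10 mx01.exampleinc.com.
mailman.example.com.  3600  IN  A      10.10.15.201
www.example.com.      3600  IN  CNAME  example.com.
ipv6.example.com.     3600  IN  AAAA   2001:4978:238::1:1
example.com.          3600  IN  SOA    ns1.exampledns.com. postmaster.exampleinc.com. 2009052203 10800 3600 604800 10800
;; Query time: 91 msec
;; XFR size: 7 records (messages 1, bytes 400)'

SAMPLE_REFUSED='; <<>> DiG 9.5.1-P3 <<>> @ns2.exampledns.com axfr example.com
;; global options: printcmd
; Transfer failed.'

if [ $# -gt 0 ]; then
    dig_shovel "$1"
else
    printf '%s\n' "$SAMPLE_AXFR" | parse_axfr
fi
```

The parser deliberately keys on the `IN` class column and a whitelist of types rather than on column position alone, so dig's comment lines, blank lines and the duplicated SOA that opens and closes every real AXFR never leak into the host list.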
Dependencies
Note that the following is for a Unix-like operating system (Linux, BSD, etc.), but using it on Windows is just as possible. Hopefully I will get those directions on here as well.
To gain a little more control over Perl's formatted output, I used the form function from the Perl6::Form module. Usually your package manager will have it as a package. You are welcome to search for it, but the following are generic directions that can be used on nearly any platform with Perl already installed.
Linux users will want wget (or curl) instead of FreeBSD's fetch here.
```
$ mkdir /tmp/perl6_form
$ cd /tmp/perl6_form
$ fetch http://search.cpan.org/CPAN/authors/id/D/DC/DCONWAY/Perl6-Form-0.04.tar.gz
$ tar xvzf Perl6-Form-0.04.tar.gz
$ cd Perl6-Form-0.04
$ ls
Changes      Form.pm      MANIFEST     Makefile.PL  README       demo         t
$ perl Makefile.PL
$ make test
$ su root
Password:
# make install
```
Using dig-shovel
If you have not already downloaded the dig-shovel.pl file, do so now by right-clicking this link and choosing Save As... to save the file to your system.
Note that below I used fetch to get the file from the command line. Linux folk would most likely use wget here, although you can install fetch as well.
```
$ fetch http://digitalfoo.net/~dfoo/code/dig-shovel.pl
$ chmod +x dig-shovel.pl
$ ./dig-shovel.pl
*********************************************************************
DIGN :: a tool to parse records found in a zone transfer (via DiG).
Lyle Scott, III  lyle@digitalfoo.net
http://lylescott.ws  http://digitalfoo.net
-----------------------------------------------------------------------
USAGE: dig-shovel.pl [-v] [-e <method> [-f <file> -a <direction>]]
-----------------------------------------------------------------------
  -d : domain to dig for a transfer
  -v : verbose output
  -q : quiet mode; disable printing to STDOUT
  -r : Comma delimited list of record types,
       Default is NS,A,AAAA,NS,MX.
  -t : seconds to pause between zone-transfer attempts
  -i : DEFAULT         | IPv4 and IPv6
       4               | IPv4 only
       6               | IPv6 only
  -e : STDOUT          | DEFAULT; no logging
       normal          | export STDOUT output
       hosts_lined     | export hosts line-by-line
       hosts_delimit   | export hosts with a user-specified delimiter
  -f : </path/to/file> | output file for export method
  -o : hosts | ips     | output hostnames (DEFAULT) or IPs in logfile
  -l : <delimiter>     | save the hosts in one line with delimiter
-----------------------------------------------------------------------
EXAMPLES
  dig-shovel.pl -d domain.tld
  dig-shovel.pl -d domain.tld -e normal -f dig_axfr_output.txt
  dig-shovel.pl -d domain.tld -e hosts_lined -f dig_axfr_output.txt -o ips
  dig-shovel.pl -d domain.tld -e hosts_delimit -f dig_axfr_output.txt -l ,
  dig-shovel.pl -d domain.tld -v -r AAAA,MX
*********************************************************************
```

```
$ ./dig-shovel.pl -d example.com
*********************************************************************
SUCCESSFUL TRANSFER: ns3.example.com
*********************************************************************
A      : example.com          10.10.222.201
A      : mail.example.com     10.10.222.201
A      : ns1.example.com      10.10.222.201
A      : ns2.example.com      10.10.222.220
NS     : ns3.example.com      10.10.222.117
NS     : ns1.example.com      10.10.222.201
NS     : ns3.example.com      10.10.222.222
CNAME  : ftp.example.com      example.com
CNAME  : www.example.com      example.com
MX     : example.com          mx01.example.com
MX     : example.com          mx01.example.com
```

```
$ ./dig-shovel.pl -d example.com -e hosts_lined -f output.txt -o ips
... ... snip ... snip ... ...
$ cat output.txt
10.10.14.201
10.10.14.200
10.10.14.210
10.12.5.12
2001:9999:238::1:1
2001:9999:238::2:1
```

```
$ ./dig-shovel.pl -d example.com -e hosts_delimit -f output.txt
... ... snip ... snip ... ...
$ cat output.txt
exampleinc.com,mail.exampleinc.com,mx01.exampleinc.com
```

```
$ ./dig-shovel.pl -d example.com -r A,MX
*********************************************************************
SUCCESSFUL TRANSFER: ns3.example.com
*********************************************************************
A      : exampleinc.com          10.12.15.201
A      : webmail.exampleinc.com  10.17.5.26
A      : mx01.exampleinc.com     10.12.15.201
A      : mx02.exampleinc.com     10.12.15.220
MX     : exampleinc.com          mx01.exampleinc.com
MX     : exampleinc.com          mx02.exampleinc.com
```