Zone Transfer without the AXFR

Zone Transfers are the quick and easy way to figure out what’s what during a pen-test but these days they almost never work. This article explains how to get the same data without tripping the alarms!

The Internet used to be such a friendly place. Servers used to willingly tell you who was logged on and from where, everyone had an anonymous FTP server and DNS servers were more than happy to give you a copy of their zone records.

Of course, there are lots of techniques for scanning and fingerprinting hosts and discovering networks, but these are sure to tip off someone who’s watching that there’s something going on. This is even more true if you’re performing an internal pen-test where, generally speaking, there should be next to no scanning going on.

The name server, however, still has a treasure trove of data. The trouble is, how can we get at it? Relatively few name servers permit zone transfers anymore and exploiting a well secured DNS server has a good chance of getting someone’s attention. The answer is to ask your questions carefully.

Rather than going straight for the name server, start with some research. First figure out what IP ranges the target site has allocated to it. Be sure not to overlook remote sites with ISP-assigned space. Traceroute is still your friend, as are mail headers! Your next stop is the name servers themselves.

Essentially, if you know what you are interested in, you can ask the server directly without requesting an AXFR. Rather than scanning the network for live hosts, send reverse (PTR) queries to the name server for each of the public IPs in the networks that you can discover. Another fantastic trick, provided your target has not deployed a split DNS arrangement, is to set your resolving server to be one of your target's servers and then do a reverse lookup for the .1 address of every private network range.

To help you along your way, we’ve included a Perl script here that we use for just this purpose. Have fun and only use your powers for good!

#!/usr/bin/perl
#
# Released under GPL. Copyright 2005, David Hoelzer, www.cyber-defense.org
#
# When I teach hacking classes, I often point out that there are lots of scanning
# techniques that can be used to map out a network, but that it's always best
# to start with the least noticeable methods first when red teaming. For
# this reason, I recommend that people NOT try to dump a zone from a DNS
# server since that is sure to raise an IDS alarm if there is an IDS. My
# preferred method is to simply grab the IP allocations from whois and
# then march right through the address space performing a reverse lookup.
# Especially if the organization does not have a split DNS, this can be
# extremely fruitful and even limit how much additional "noisy" recon
# is necessary.
#
# Please only use your powers for good!

use strict;
use warnings;

if (!$ARGV[0] || !$ARGV[1]) {
    print "Usage: dnsscan a.a.a.a b.b.b.b\n\n"
        . "a.a.a.a and b.b.b.b represent the starting and ending IP addresses to obtain information for.\n\n";
    exit;
}

my $start = $ARGV[0];
my $end   = $ARGV[1];
print "Scanning from $start to $end\n";

my ($as, $bs, $cs, $ds) = split(/\./, $start);
my ($ae, $be, $ce, $de) = split(/\./, $end);

# Step the end address forward by one (carrying across octets) so the loop
# below stops after the last requested address has been looked up.
$de++;
if ($de > 255) { $de = 0; $ce++; }
if ($ce > 255) { $ce = 0; $be++; }
if ($be > 255) { $be = 0; $ae++; }

while ("$as.$bs.$cs.$ds" ne "$ae.$be.$ce.$de") {
    my $ip = "$as.$bs.$cs.$ds";

    # Ask the configured resolver for the PTR record and capture nslookup's output.
    open(my $fh, "-|", "nslookup", $ip) or die("Could not run nslookup!\n");
    my @results = <$fh>;
    close($fh);

    foreach (@results) {
        # A reverse-lookup answer looks like "d.c.b.a.in-addr.arpa name = host.example.com."
        if (/name = (\S+)/) {
            print "$ip -> $1\n";
        }
    }

    # Advance to the next address, carrying into the higher octets as needed.
    $ds++;
    if ($ds > 255) {
        $ds = 0; $cs++;
        if ($cs > 255) {
            $cs = 0; $bs++;
            if ($bs > 255) {
                $bs = 0; $as++;
            }
        }
    }
}
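The other side of the coin is spotting this kind of sweep from the name server's own logs. The script above produces a run of PTR queries for consecutive addresses from a single client, and on a server without split DNS it will also answer PTR queries for RFC 1918 space from outside. The following Python is an added example written for this article, not the author's code and not part of the original script: it parses BIND 9 style query-log lines (the sample lines are constructed, using documentation address ranges), reports clients whose PTR targets form runs of consecutive addresses, and flags PTR queries for private space that arrive from non-private clients. The log format, the `min_run` threshold and the simplification that any client outside RFC 1918 space counts as external are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of BIND 9 query-log lines (documentation address ranges, not real traffic).
# 203.0.113.5 walks 198.51.100.1-6 with PTR queries and then asks for a PTR inside 192.168.0.0/16,
# which a resolver with no split DNS would answer. The other two clients are benign noise.
SAMPLE_LOG = """\
22-Mar-2023 10:15:01.101 client @0x7f1a2c001 203.0.113.5#53412 (1.100.51.198.in-addr.arpa): query: 1.100.51.198.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:01.154 client @0x7f1a2c001 203.0.113.5#53412 (2.100.51.198.in-addr.arpa): query: 2.100.51.198.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:01.201 client @0x7f1a2c001 203.0.113.5#53412 (3.100.51.198.in-addr.arpa): query: 3.100.51.198.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:01.260 client @0x7f1a2c001 198.51.100.20#40100 (www.example.com): query: www.example.com IN A + (198.51.100.2)
22-Mar-2023 10:15:01.263 client @0x7f1a2c001 203.0.113.5#53412 (4.100.51.198.in-addr.arpa): query: 4.100.51.198.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:01.310 client @0x7f1a2c001 203.0.113.5#53412 (5.100.51.198.in-addr.arpa): query: 5.100.51.198.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:01.365 client @0x7f1a2c001 203.0.113.5#53412 (6.100.51.198.in-addr.arpa): query: 6.100.51.198.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:02.001 client @0x7f1a2c001 198.51.100.20#40101 (2.100.51.198.in-addr.arpa): query: 2.100.51.198.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:02.420 client @0x7f1a2c001 203.0.113.5#53413 (1.0.168.192.in-addr.arpa): query: 1.0.168.192.in-addr.arpa IN PTR + (198.51.100.2)
22-Mar-2023 10:15:03.015 client @0x7f1a2c001 10.0.0.7#51000 (1.0.168.192.in-addr.arpa): query: 1.0.168.192.in-addr.arpa IN PTR + (198.51.100.2)
"""

# Matches the client address and query name of a PTR query; the "@0x..." client pointer
# printed by newer BIND versions is optional.
PTR_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r".*?query: (?P<qname>\S+) IN PTR\b"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def ptr_name_to_ip(qname):
    """Turn '4.3.2.1.in-addr.arpa' into IPv4Address('1.2.3.4'); None if it is not an IPv4 PTR name."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None


def parse_ptr_query(line):
    """Return (client_ip, looked_up_ip) for an IPv4 PTR query line, else None."""
    m = PTR_RE.search(line)
    if not m:
        return None
    target = ptr_name_to_ip(m.group("qname"))
    if target is None:
        return None
    return ipaddress.IPv4Address(m.group("client")), target


def ptr_targets_by_client(lines):
    per_client = defaultdict(set)
    for line in lines:
        parsed = parse_ptr_query(line)
        if parsed:
            client, target = parsed
            per_client[client].add(target)
    return per_client


def find_sweeps(lines, min_run=5):
    """Clients whose distinct PTR targets contain a run of >= min_run consecutive addresses.

    Returns (client, first_ip, last_ip, run_length) tuples. Sorting the targets means the
    sweep is caught whether the client walked the range in order or not.
    """
    sweeps = []
    for client, targets in ptr_targets_by_client(lines).items():
        ordered = sorted(int(t) for t in targets)
        run_start = 0
        for i in range(1, len(ordered) + 1):
            if i == len(ordered) or ordered[i] != ordered[i - 1] + 1:
                run_len = i - run_start
                if run_len >= min_run:
                    sweeps.append((str(client),
                                   str(ipaddress.IPv4Address(ordered[run_start])),
                                   str(ipaddress.IPv4Address(ordered[i - 1])), run_len))
                run_start = i
    return sweeps


def find_private_ptr_leaks(lines):
    """PTR queries for RFC 1918 space from clients that are not themselves on RFC 1918 space.

    Assumption for this example: a client outside RFC 1918 space is external, so such a
    query is a sign that internal reverse zones are reachable from the outside (no split DNS).
    """
    leaks = []
    for line in lines:
        parsed = parse_ptr_query(line)
        if parsed is None:
            continue
        client, target = parsed
        if is_rfc1918(target) and not is_rfc1918(client):
            leaks.append((str(client), str(target)))
    return leaks


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, first, last, n in find_sweeps(lines):
        print(f"PTR sweep: {client} looked up {n} consecutive addresses {first} - {last}")
    for client, target in find_private_ptr_leaks(lines):
        print(f"Private PTR answered externally: {client} asked for {target}")
```

Run it against the constructed lines and it reports one sweep (203.0.113.5 across 198.51.100.1 to 198.51.100.6) and one private-range PTR query from that same external client; the internal client 10.0.0.7 asking for the same 192.168.0.1 record is not reported. In a real deployment the interesting knobs are `min_run`, which trades false positives from busy mail servers doing legitimate PTR lookups against sensitivity, and the definition of "external" in `find_private_ptr_leaks`, which should be your actual internal prefixes rather than the RFC 1918 shortcut used here.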