27 February 2012

DNS zone transfer with dig and nslookup

Posted by: Fırat Celal Erdik, 27 February 2012
Zone transfer is the mechanism that, where a domain has more than one name server, lets the other name servers pull the zone from the primary DNS server so they can keep their copies current. The configuration mistake commonly made here is to open zone transfers to everyone (ANY) instead of listing the IP addresses of the other DNS servers that will perform transfers as the permitted source IPs. By pulling a zone from a DNS server that allows transfers to ANY, every subdomain belonging to a site can be obtained, and attack attempts can then be directed at them. As an example I have used the zone transfer weakness of X University (http://www.example.com), one of the universities at the top of the world rankings :)

First, the dig command for finding the NS servers of a domain is as follows:


root@bt:~# dig NS example.com

;; ANSWER SECTION:
example.com.                24301        IN        NS        dns0.inf.example.com.
example.com.                24301        IN        NS        cancer.ucs.example.com.
example.com.                24301        IN        NS        dns2.inf.example.com.
example.com.                24301        IN        NS        dns1.inf.example.com.
example.com.                24301        IN        NS        lewis.ucs.example.com.
example.com.                24301        IN        NS        xlab-0.example.com.

You may need to try these NS servers one by one: we need to find the one that holds the zone and has transfers open to ANY. If we don't want to try them individually, we can hand the list of NS servers to the dnsenum perl script as a file and have it run the zone transfer check on all of them at once.

The command for performing a zone transfer with dig on a Linux system is as follows:


root@bt:~# dig @xlab-0.example.com example.com axfr | more
; <<>> DiG 9.7.0-P1 <<>> @xlab-0.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.                86400        IN        SOA        dns0.example.com. hostmaster.ed.ac.uk. 2012022200 1800 900 864000 86400
example.com.                86400        IN        MX        5 renko.ucs.example.com.
example.com.                86400        IN        MX        5 pascoe.ucs.example.com.
example.com.                86400        IN        MX        5 dalziel.ucs.example.com.
example.com.                86400        IN        NS        dns0.inf.example.com.
example.com.                86400        IN        NS        dns1.inf.example.com.
example.com.                86400        IN        NS        dns2.inf.example.com.
example.com.                86400        IN        NS        lewis.ucs.example.com.
example.com.                86400        IN        NS        cancer.ucs.example.com.
example.com.                86400        IN        NS        xlab-0.example.com.
6-daysample.example.com.        86400        IN        CNAME        psy-b6-2.psy.example.com.
www.6-daysample.example.com. 86400        IN        CNAME        psy-b6-2.psy.example.com.
_msdcs.example.com.        900        IN        NS        oban.ucs.example.com.
_msdcs.example.com.        900        IN        NS        kelso.ucs.example.com.
_msdcs.example.com.        900        IN        NS        leven.ucs.example.com.
_msdcs.example.com.        900        IN        NS        crieff.ucs.example.com.
_msdcs.example.com.        900        IN        NS        aviemore.ucs.example.com.
_msdcs.example.com.        900        IN        NS        cromarty.ucs.example.com.
mouse-db.bioservices.aaps.example.com. 86400 IN A        129.215.10.26
www.bioservices.aaps.example.com. 86400 IN        CNAME        kb-iis-1.ucs.example.com.
www.intra.aaps.example.com. 86400        IN        CNAME        spike.mis.example.com.
www.pgrt.aaps.example.com.        86400        IN        CNAME        kb-iis-1.ucs.example.com.
www.scwg.aaps.example.com.        86400        IN        CNAME        kb-iis-1.ucs.example.com.
www.aaps.example.com.        86400        IN        CNAME        kb-iis-1.ucs.example.com.
abm.example.com.                86400        IN        NS        dns0.inf.example.com.
abm.example.com.                86400        IN        NS        dns1.inf.example.com.
abm.example.com.                86400        IN        NS        dns2.inf.example.com.
abm.example.com.                86400        IN        NS        lewis.ucs.example.com.
abm.example.com.                86400        IN        NS        cancer.ucs.example.com.
abm.example.com.                86400        IN        NS        xlab-0.example.com.
www.acadreg.example.com.        86400        IN        CNAME        spike.mis.example.com.
www.pgaf.acaffairs.example.com. 86400 IN        CNAME        kb-iis-1.ucs.example.com.
www.test.acaffairs.example.com. 86400 IN        CNAME        mis-adam.mis.example.com.
www.acaffairs.example.com.        86400        IN        CNAME        kb-iis-1.ucs.example.com.
www.appform.accom.example.com. 900        IN        CNAME        accmcls.ucs.example.com.
www.book.accom.example.com. 86400        IN        CNAME        accmh2.ucs.example.com.
www-test.book.accom.example.com. 86400 IN        CNAME        mis-xander.mis.example.com.
www.booking.accom.example.com. 900        IN        CNAME        accmcls.ucs.example.com.


And so it goes on. As can be seen, the zone was transferred from the primary NS server. The subdomains listed here can be used in a variety of attacks. Unfortunately, many public and private institutions in our country still have this weakness.
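The two dig commands above (NS lookup, then axfr against each server) are exactly what an administrator should run against their own zone after changing its configuration. The Python below is an added example, not the author's code: it parses the text that `dig NS <zone>` and `dig @<ns> <zone> axfr` print, in the format shown above, so the check can be scripted and asserted on rather than eyeballed. `check_zone` needs a local dig binary and network access; everything else runs on the constructed sample outputs embedded in the block (192.0.2.26 is a documentation address).

```python
"""Check from outside whether a zone's name servers refuse AXFR.

Added example for this post, not the author's code.  Parses the output of
`dig NS <zone>` and `dig @<ns> <zone> axfr` (the format shown in the post)
so a scheduled self-check of your own zones can assert on the result.
Sample outputs are constructed; 192.0.2.26 is a documentation address."""
import re
import subprocess
from collections import Counter

# One resource record as dig prints it: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")

# Constructed `dig NS example.com` output, trimmed to the answer section.
SAMPLE_NS = """\
; <<>> DiG 9.7.0-P1 <<>> NS example.com
;; ANSWER SECTION:
example.com.                24301        IN        NS        dns0.inf.example.com.
example.com.                24301        IN        NS        xlab-0.example.com.
"""

# Constructed AXFR answer; the first SOA is hard-wrapped by the terminal, as in the post.
SAMPLE_AXFR_OPEN = """\
; <<>> DiG 9.7.0-P1 <<>> @xlab-0.example.com example.com axfr
;; global options: +cmd
example.com.        86400   IN  SOA    dns0.example.com. hostmaster.example.
com. 2012022200 1800 900 864000 86400
example.com.        86400   IN  MX     5 renko.ucs.example.com.
example.com.        86400   IN  NS     dns0.inf.example.com.
www.aaps.example.com.   86400   IN  CNAME  kb-iis-1.ucs.example.com.
mouse-db.bioservices.aaps.example.com. 86400 IN A 192.0.2.26
example.com.        86400   IN  SOA    dns0.example.com. hostmaster.example.com. 2012022200 1800 900 864000 86400
;; Query time: 35 msec
"""

# Constructed answer from a server that restricts transfers.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.7.0-P1 <<>> @dns0.inf.example.com example.com axfr
;; global options: +cmd
; Transfer failed.
"""


def parse_records(dig_output):
    """Return [(owner, ttl, rrtype, rdata), ...] for every record in dig output.

    Lines starting with ';' are dig's own comments.  A non-comment line that is
    not a record is a terminal wrap of the previous rdata and is glued back on."""
    records = []
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rrtype, rdata = m.groups()
            records.append((owner.rstrip("."), int(ttl), rrtype, rdata.strip()))
        elif records:
            owner, ttl, rrtype, rdata = records[-1]
            records[-1] = (owner, ttl, rrtype, rdata + line.strip())
    return records


def nameservers(dig_ns_output, zone):
    """Hostnames from the NS records of `zone` in `dig NS zone` output."""
    zone = zone.rstrip(".")
    return sorted(rdata.rstrip(".") for owner, _, rrtype, rdata
                  in parse_records(dig_ns_output) if rrtype == "NS" and owner == zone)


def axfr_result(dig_axfr_output, zone):
    """Classify one `dig @ns zone axfr` run.

    status:   'refused' when dig prints '; Transfer failed.', 'open' when records
              came back, 'error' when neither happened (timeout, SERVFAIL, ...).
    complete: True when the answer is bracketed by SOA records, i.e. a whole zone.
    exposed:  owner names other than the apex that the transfer disclosed.
    types:    number of records per type."""
    zone = zone.rstrip(".")
    refused = "Transfer failed" in dig_axfr_output
    records = [] if refused else parse_records(dig_axfr_output)
    return {
        "status": "refused" if refused else ("open" if records else "error"),
        "records": len(records),
        "complete": len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA",
        "exposed": {owner for owner, *_ in records if owner != zone},
        "types": Counter(rrtype for _, _, rrtype, _ in records),
    }


def run_dig(*args):
    """Run the local dig binary and return its output (needs dig and network)."""
    return subprocess.run(["dig", *args], capture_output=True, text=True, timeout=20).stdout


def check_zone(zone):
    """Ask each authoritative server of your own zone for an AXFR; map server -> status."""
    return {ns: axfr_result(run_dig("@" + ns, zone, "axfr"), zone)["status"]
            for ns in nameservers(run_dig("NS", zone), zone)}


if __name__ == "__main__":
    import sys
    for ns, status in check_zone(sys.argv[1]).items():
        print(f"{ns}: {status}")   # every server of a well-configured zone reads 'refused'
```

A useful property of `axfr_result` is the `complete` flag: AXFR answers begin and end with the SOA, so a parse that is not bracketed by two SOA records means the output was cut off (for example by piping through `more` and quitting early) and should not be trusted as the full zone inventory.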

Let's do the same thing on Windows using nslookup:

C:\Users\ERD>nslookup
Varsayılan Sunucu:  google-public-dns-a.google.com
Address:  8.8.8.8

> set type=ns
> example.com
Sunucu:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
Güvenilir olmayan yanıt:
example.com        nameserver = dns1.inf.example.com
example.com        nameserver = dns2.inf.example.com
example.com        nameserver = cancer.ucs.example.com
example.com        nameserver = lewis.ucs.example.com
example.com        nameserver = xlab-0.example.com
example.com        nameserver = dns0.inf.example.com
> server xlab-0.example.com
DNS request timed out.
    timeout was 2 seconds.
Varsayılan Sunucu:  xlab-0.example.com
Address:  129.215.168.33

> ls -d example.com

[xlab-0.example.com]
 example.com.                      SOA    dns0.example.com hostmaster.example.com. (2012022600 1800 900 864000 86400)
 example.com.                      MX     5    renko.ucs.example.com
 example.com.                      MX     5    pascoe.ucs.example.com
 example.com.                      MX     5    dalziel.ucs.example.com
 example.com.                      NS     dns0.inf.example.com           
 example.com.                      NS     dns1.inf.example.com           
 example.com.                      NS     dns2.inf.example.com           
 example.com.                      NS     lewis.ucs.example.com          
 example.com.                      NS     cancer.ucs.example.com         
 example.com.                      NS     xlab-0.example.com             
 6-daysample                    CNAME  psy-b6-2.psy.example.com
 www.6-daysample                CNAME  psy-b6-2.psy.example.com
 _msdcs                         NS     oban.ucs.example.com           
 _msdcs                         NS     kelso.ucs.example.com          
 _msdcs                         NS     leven.ucs.example.com          
 _msdcs                         NS     crieff.ucs.example.com         
 _msdcs                         NS     aviemore.ucs.example.com       
 _msdcs                         NS     cromarty.ucs.example.com       
 _msdcs                         NS     roslin-dc.ucs.example.com      
 _msdcs                         NS     roslin-dc2.ucs.example.com     
 _sites                         NS     oban.ucs.example.com           
 _sites                         NS     kelso.ucs.example.com          
 _sites                         NS     leven.ucs.example.com          
 _sites                         NS     crieff.ucs.example.com         
 _sites                         NS     aviemore.ucs.example.com       
 _sites                         NS     cromarty.ucs.example.com       
 _sites                         NS     roslin-dc.ucs.example.com      
 _sites                         NS     roslin-dc2.ucs.example.com     
 _tcp                           NS     oban.ucs.example.com           
 _tcp                           NS     kelso.ucs.example.com          
 _tcp                           NS     leven.ucs.example.com          
 _tcp                           NS     crieff.ucs.example.com         
 _tcp                           NS     aviemore.ucs.example.com       
 _tcp                           NS     cromarty.ucs.example.com       
 _tcp                           NS     roslin-dc.ucs.example.com      
 _tcp                           NS     roslin-dc2.ucs.example.com     
 _udp                           NS     oban.ucs.example.com           
 _udp                           NS     kelso.ucs.example.com          
 _udp                           NS     leven.ucs.example.com          
 _udp                           NS     crieff.ucs.example.com         
 _udp                           NS     aviemore.ucs.example.com       
 _udp                           NS     cromarty.ucs.example.com       
 _udp                           NS     roslin-dc.ucs.example.com      
 _udp                           NS     roslin-dc2.ucs.example.com     
 mouse-db.bioservices.aaps      A      129.215.10.26
 www.bioservices.aaps           CNAME  kb-iis-1.ucs.example.com
 www.intra.aaps                 CNAME  spike.mis.example.com
 www.pgrt.aaps                  CNAME  kb-iis-1.ucs.example.com
 www.scwg.aaps                  CNAME  kb-iis-1.ucs.example.com
 www.aaps                       CNAME  kb-iis-1.ucs.example.com
 abm                            NS     dns0.inf.example.com           
 abm                            NS     dns1.inf.example.com           
 abm                            NS     dns2.inf.example.com           
 abm                            NS     lewis.ucs.example.com          
 abm                            NS     cancer.ucs.example.com         
 abm                            NS     xlab-0.example.com             
 www.acadreg                    CNAME  spike.mis.example.com
 www.pgaf.acaffairs             CNAME  kb-iis-1.ucs.example.com
 www.test.acaffairs             CNAME  mis-adam.mis.example.com
 www.acaffairs                  CNAME  kb-iis-1.ucs.example.com
 www.appform.accom              CNAME  accmcls.ucs.example.com
 www.book.accom                 CNAME  accmh2.ucs.example.com
 www-test.book.accom            CNAME  mis-xander.mis.example.com
 www.booking.accom              CNAME  accmcls.ucs.example.com
 www-test.booking.accom         CNAME  mis-xander.mis.example.com
 wwwtest2.booking.accom         CNAME  mis-xander.mis.example.com
 www.catering.accom             CNAME  accmcls.ucs.example.com
 www.contracts.accom            CNAME  accm-vwww1.ucs.example.com
 www.dev.accom                  CNAME  spike.mis.example.com
 www.dev-oapp.accom             CNAME  ted.mis.example.com
 www.examplefirst.accom       CNAME  accmcls.ucs.example.com
 www-test.examplefirst.accom  CNAME  mis-xander.mis.example.com
 www.flats.accom                CNAME  accmcls.ucs.example.com
 www-test.flats.accom           CNAME  mis-xander.mis.example.com
 www.intra.accom                CNAME  marzipan.ucs.example.com
 www.ipams.accom                CNAME  earn.mis.example.com
 www-train.ipams.accom          CNAME  duich.mis.example.com
 www.kxweb.accom                CNAME  accm-vwww2.ucs.example.com
 www.livetest-catering.accom    CNAME  mis-xander-vwww7.mis.example.com
 www.menus.accom                CNAME  accmcls.ucs.example.com
 www-test.menus.accom           CNAME  mis-xander.mis.example.com
 www.salisburygreen.accom       CNAME  accmcls.ucs.example.com
 www-test.salisburygreen.accom  CNAME  mis-xander.mis.example.com
 www.simply.accom               CNAME  accmcls.ucs.example.com
 www.studenthomes.accom         CNAME  accmcls.ucs.example.com
 www-test.studenthomes.accom    CNAME  mis-xander.mis.example.com
 www.test-catering.accom        CNAME  mis-xander-vwww5.mis.example.com
 www.test-contracts.accom       CNAME  mis-xander-vwww2.mis.example.com
 www.test-kxweb.accom           CNAME  mis-xander-vwww3.mis.example.com
 www.test2-kxweb.accom          CNAME  mis-xander.mis.example.com
 www.testappform.accom          CNAME  mis-xander.mis.example.com
 www.accom                      CNAME  kb-iis-1.ucs.example.com
 www.accord                     CNAME  webhost1.is.example.com
 ace                            NS     dns0.inf.example.com           
 ace                            NS     dns1.inf.example.com           
 ace                            NS     dns2.inf.example.com           
 ace                            NS     lewis.ucs.example.com          
 ace                            NS     cancer.ucs.example.com         
 ace                            NS     xlab-0.example.com             
 acf                            NS     lewis.ucs.example.com          
 acf                            NS     cancer.ucs.example.com         
 www.acss                       CNAME  spike.mis.example.com
 activedir                      NS     thanatos.activedir.example.com 
 thanatos.activedir             A      129.215.149.215
 demas.activedirdev             A      129.215.149.182
 www.intra.admin                CNAME  spike.mis.example.com
 adtest                         NS     dns0.inf.example.com           
 adtest                         NS     dns1.inf.example.com           
 adtest                         NS     dns2.inf.example.com           
 adtest                         NS     lewis.ucs.example.com          
 adtest                         NS     cancer.ucs.example.com         
 adtest                         NS     xlab-0.example.com             
 aers                           MX     10   firstclass2.comcation.example.com
 www.aers                       CNAME  morse.ucs.example.com
 ai                             MX     5    virtualrelay.inf.example.com
 ai                             MX     7    renko.ucs.example.com
 ai                             MX     7    pascoe.ucs.example.com
 ai                             MX     7    dalziel.ucs.example.com
 aiai                           NS     dns0.inf.example.com           
 aiai                           NS     dns1.inf.example.com           
 aiai                           NS     dns2.inf.example.com           
 aiai                           NS     lewis.ucs.example.com          
 aiai                           NS     cancer.ucs.example.com         
 aiai                           NS     xlab-0.example.com             
 aifh                           MX     5    virtualrelay.inf.example.com
 aifh                           MX     7    renko.ucs.example.com
 aifh                           MX     7    pascoe.ucs.example.com
 aifh                           MX     7    dalziel.ucs.example.com
 aipna                          MX     5    virtualrelay.inf.example.com
 aipna                          MX     7    renko.ucs.example.com
 aipna                          MX     7    pascoe.ucs.example.com
 aipna                          MX     7    dalziel.ucs.example.com
 aisb                           MX     5    virtualrelay.inf.example.com
 aisb                           MX     7    renko.ucs.example.com
 aisb                           MX     7    pascoe.ucs.example.com
 aisb                           MX     7    dalziel.ucs.example.com
 aiva                           MX     5    virtualrelay.inf.example.com
 aiva                           MX     7    renko.ucs.example.com
 aiva                           MX     7    pascoe.ucs.example.com
 aiva                           MX     7    dalziel.ucs.example.com
 www.alwaleed                   CNAME  webhost1.is.example.com
 www.alzscotdrc                 CNAME  vox.ppls.example.com
 ana                            NS     dns0.inf.example.com           
 ana                            NS     dns1.inf.example.com           
 ana                            NS     dns2.inf.example.com           
 ana                            NS     lewis.ucs.example.com          
 ana                            NS     cancer.ucs.example.com         
 ana                            NS     xlab-0.example.com             
 www.anaesthesiapractice        CNAME  srv1ltsmvm.mvm.example.com


It goes on like this. The host command and perl scripts such as dnsenum.pl and fierce.pl can also be used to perform zone transfers.

Protecting ourselves from this weakness is very simple. I have used the BIND DNS server as the example. Suppose we want only localhost and the secondary DNS server to be able to perform zone transfers, and requests from all other remote systems to be denied.

In /etc/named.conf we enter the permitted source IP addresses under allow-transfer. That's all there is to it.

options {
        directory "/usr/local/named";   // directory for zone files


        allow-transfer {
                127.0.0.1;              // localhost
                35.6.42.6;               // secondary DNS server
         };
};

From then on, only the IP addresses listed here can perform zone transfers; transfer requests from every other IP address are denied. Zone transfers are carried out over TCP port 53. This of course does not mean that we will be able to perform a zone transfer from every DNS server that has TCP port 53 open: as in the example above, permission may have been granted only to specific IP addresses.
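The allow-transfer fix above is easy to get right once and then lose again, because a zone block can carry its own allow-transfer statement that overrides the global one, and a missing statement falls back to the default. The Python below is an added example, not part of BIND or the post's own configuration: it strips named.conf comments, then reports for the options block and for every zone whether outbound transfers are restricted to an explicit address list, open to everyone (`any`), disabled (`none`), or left unset. The configurations it runs on are constructed; 35.6.42.6 is the secondary address from the post and 192.0.2.53 is a documentation address.

```python
"""Audit allow-transfer in a BIND named.conf.

Added example for this post, not part of BIND or the author's configuration.
A zone without its own allow-transfer inherits the options-level statement;
with neither present, the BIND 9 releases of this post's era default to
transferring the zone to anyone, so 'unset' is reported alongside 'any'.
Sample configurations are constructed; 35.6.42.6 is the secondary from the post."""
import re

COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)   # the three named.conf comment styles
ALLOW_TRANSFER = re.compile(r"allow-transfer\s*\{([^}]*)\}\s*;")
ZONE_OPEN = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
OPTIONS_OPEN = re.compile(r"\boptions\s*\{")

# The hardened configuration shown in the post, with one zone added.
HARDENED = """\
options {
        directory "/usr/local/named";   // directory for zone files
        allow-transfer {
                127.0.0.1;              // localhost
                35.6.42.6;              // secondary DNS server
        };
};
zone "example.com" IN {
        type master;
        file "example.com.zone";
};
"""

# The mistake the post describes, plus one zone that overrides it correctly.
OPEN = """\
options {
        directory "/usr/local/named";
        allow-transfer { any; };        # transfers open to everyone
};
zone "example.com" { type master; file "example.com.zone"; };
zone "internal.example.com" {
        type master; file "internal.zone";
        allow-transfer { 192.0.2.53; }; /* only this secondary */
};
"""


def block_body(text, open_brace):
    """Text between the brace at index `open_brace` and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def classify(body):
    """Verdict for the allow-transfer statement inside one block body."""
    m = ALLOW_TRANSFER.search(body)
    if not m:
        return "unset", []
    entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
    if "any" in entries:
        return "any", entries
    if entries == ["none"]:
        return "none", entries
    return "restricted", entries        # explicit addresses, prefixes or ACL names


def audit(conf):
    """Map 'options' and every zone name to (verdict, entries)."""
    text = COMMENT.sub("", conf)
    m = OPTIONS_OPEN.search(text)
    global_verdict = classify(block_body(text, m.end() - 1)) if m else ("unset", [])
    result = {"options": global_verdict}
    for zm in ZONE_OPEN.finditer(text):
        verdict = classify(block_body(text, zm.end() - 1))
        result[zm.group(1)] = verdict if verdict[0] != "unset" else global_verdict
    return result


def needs_attention(conf):
    """Blocks whose transfers are open to anyone, explicitly or by default."""
    return sorted(name for name, (verdict, _) in audit(conf).items()
                  if verdict in ("any", "unset"))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        for name, (verdict, entries) in audit(fh.read()).items():
            print(f"{name}: {verdict} {entries}")
```

This is a policy check rather than a syntax check: `named-checkconf` will happily accept `allow-transfer { any; };`, so a test like `needs_attention(conf) == []` belongs in the pipeline that deploys the configuration. The parser does not follow `include` directives or descend into `view` blocks, so run it on the fully assembled configuration, and confirm the result from outside with the `dig ... axfr` check shown earlier in the post.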


2 comments:

  1. Especially for web applications, having all the test platforms under subdomains will be an important starting point for an attacker who has targeted the root domain.

  2. test environments, ftp addresses, webmail etc. etc.. a webshell dropped on one of them, an account taken over or a sql injection found finishes the job anyway..



Misuse of the articles is the user's responsibility. | networkpentest.net. Powered by Blogger.