Hi Rich,

Thanks for replying. Looks like I may be more confused than I thought! Perhaps I did a bad job explaining what's going on too. I can't use my exact domain as an example for security reasons, but I found this blog (http://www.question-defense.com/2013/02/03/dnsenum-backtrack-5-information-gathering-network-analysis-dns-analysis-dnsenum) that uses CNN.COM as an example.

Now, let's suppose I work for CNN as an IT person. When I work from home I VPN into "access.cnn.com." Running the script with no parameters does not return "access.cnn.com" as a valid (sub domain? Host name? I don't know...)

dnsenum Perl Script: Default Output Against cnn.com

root at bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl cnn.com
dnsenum.pl VERSION:1.2.2

-----   cnn.com   -----

Host's addresses:
__________________

cnn.com                 198     IN    A    157.166.255.19
cnn.com                 198     IN    A    157.166.226.25
cnn.com                 198     IN    A    157.166.226.26
cnn.com                 198     IN    A    157.166.255.18

Name Servers:
______________

ns1.p42.dynect.net      159347  IN    A    208.78.70.42
ns1.timewarner.net      169183  IN    A    204.74.108.238
ns3.timewarner.net      169183  IN    A    199.7.68.238
ns2.p42.dynect.net      169183  IN    A    204.13.250.42

Mail (MX) Servers:
___________________

atlmail3.turner.com     40      IN    A    157.166.174.56
atlmail5.turner.com     40      IN    A    157.166.165.14
hkgmail1.turner.com     40      IN    A    168.161.96.115
lonmail1.turner.com     107     IN    A    157.166.216.142
nycmail1.turner.com     107     IN    A    157.166.157.8
nycmail2.turner.com     107     IN    A    157.166.157.10

Now, if instead I use a brute force attack I get the following, which includes access.cnn.com.

Bruteforced Sub Domains Example Output:

Brute forcing with subdomains.txt:
___________________________________

access.cnn.com          2066    IN    A    64.20.247.69
ads.cnn.com             96      IN    A    157.166.255.216
asia.cnn.com            300     IN    CNAME
edition.cnn.com         3600    IN    CNAME

So now I guess I'm curious, is the script just guessing at valid host names (or as the author of this blog states, "sub domains") to see what results are returned?

What's interesting is running the script without a brute force on my organization shows me news.blah.org, ftp.blah.org, etc. I do not, however, see vpn.blah.org listed, which is how I get in from home. When I run the brute force I do see the vpn.blah.org. I'm trying to figure this out, very odd.

Thanks for responding... I think I'm missing a piece of the puzzle here and am really curious as to what's going on.

Thanks,
Chris

On Mon, Mar 25, 2013 at 12:27 PM, Rich Pieri <richard.pieri at gmail.com> wrote:

> --On Monday, March 25, 2013 11:16 AM -0400 Chris O'Connell <omegahalo at gmail.com> wrote:
>
>> I don't understand the mechanics of how this is happening. What's
>> allowing me to ping VPN.blah.org, but doesn't allow DNSENUM to find it?
>> What exactly is brute forcing DNS doing? Why do some subdomains show up
>> without the use of brute force and others don't?
>
> You appear to be using the word "subdomain" when you mean "host name". If
> you've delegated the vpn.blah.org subdomain from the blah.org domain then
> of course you cannot ping it. Subdomains do not have IP addresses.
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss

--
Chris O'Connell
http://outlookoutbox.blogspot.com
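The mechanics behind the two dnsenum outputs above, as an added illustration that is not code from this thread or from dnsenum itself. A run without brute forcing asks for the records attached to the domain name itself (A, NS, MX, exactly the three sections in the pasted output) and follows the hosts those answers name; a host such as vpn.example.org has its own A record, so it pings, but nothing at the apex refers to it, so the only ways to learn it from DNS are a zone transfer or guessing the label. Brute forcing is that guessing: resolve `<word>.<domain>` for every entry in a wordlist and keep whatever answers. The example also includes the check a practitioner wants before trusting brute-force results, a wildcard test, since a zone with `*.example.net` makes every guess "resolve". The zones, host names, addresses (RFC 5737 documentation ranges) and wordlist are all constructed here; `live_a_resolver` is the hypothetical hook for running the same logic against real DNS.

```python
"""Model of what a DNS enumeration tool does with and without brute forcing.

Added illustration, not code from the thread or from dnsenum. The zones,
host names, addresses (RFC 5737 documentation ranges) and wordlist are all
constructed for this example.
"""
import random
import socket
import string
from typing import Callable

Zone = dict[tuple[str, str], list[str]]          # (owner name, rrtype) -> rdata
Resolver = Callable[[str, str], list[str]]       # (name, rrtype) -> rdata, [] if none

# Constructed zone for a hypothetical example.org. vpn.example.org has an
# A record (so it pings) but no apex record refers to it.
TOY_ZONE: Zone = {
    ("example.org", "A"):       ["192.0.2.10"],
    ("example.org", "NS"):      ["ns1.example.org", "ns2.example.org"],
    ("example.org", "MX"):      ["10 mail.example.org"],
    ("ns1.example.org", "A"):   ["192.0.2.53"],
    ("ns2.example.org", "A"):   ["198.51.100.53"],
    ("mail.example.org", "A"):  ["192.0.2.25"],
    ("www.example.org", "A"):   ["192.0.2.80"],
    ("vpn.example.org", "A"):   ["203.0.113.7"],
}

# Constructed zone with a wildcard: every label under example.net resolves.
WILDCARD_ZONE: Zone = {
    ("*.example.net", "A"):     ["192.0.2.99"],
    ("vpn.example.net", "A"):   ["203.0.113.8"],
}


def make_resolver(zone: Zone) -> Resolver:
    """Answer queries from an in-memory zone, honouring a '*.' wildcard entry."""
    def resolve(name: str, rrtype: str) -> list[str]:
        name, rrtype = name.lower().rstrip("."), rrtype.upper()
        if (name, rrtype) in zone:
            return list(zone[(name, rrtype)])
        parent = name.split(".", 1)[1] if "." in name else ""
        return list(zone.get(("*." + parent, rrtype), []))
    return resolve


def live_a_resolver(name: str, rrtype: str) -> list[str]:
    """Real A lookups through the system resolver (needs network; A only)."""
    if rrtype.upper() != "A":
        raise ValueError("only A queries are supported by this resolver")
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def apex_enumeration(domain: str, resolve: Resolver) -> dict[str, list[str]]:
    """The non-brute-force view: records on the domain name itself, plus the
    addresses of the hosts that its NS and MX answers name."""
    found: dict[str, list[str]] = {}
    apex = resolve(domain, "A")
    if apex:
        found[domain] = apex
    for ns in resolve(domain, "NS"):
        found[ns] = resolve(ns, "A")
    for mx in resolve(domain, "MX"):
        host = mx.split()[-1]              # "10 mail.example.org" -> host part
        found[host] = resolve(host, "A")
    return found


def wildcard_answer(domain: str, resolve: Resolver) -> set[str]:
    """Resolve a random label; a non-empty answer means the zone has a wildcard."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=20))
    return set(resolve(f"{label}.{domain}", "A"))


def bruteforce(domain: str, wordlist: list[str], resolve: Resolver) -> dict[str, list[str]]:
    """Guess <label>.<domain> for every wordlist entry and keep the ones that
    resolve, discarding answers that merely match the wildcard response."""
    wild = wildcard_answer(domain, resolve)
    found: dict[str, list[str]] = {}
    for label in wordlist:
        candidate = f"{label.strip().lower()}.{domain}"
        addrs = resolve(candidate, "A")
        if addrs and set(addrs) != wild:
            found[candidate] = addrs
    return found


if __name__ == "__main__":
    WORDLIST = ["www", "mail", "vpn", "ftp", "access", "dev"]   # constructed
    r = make_resolver(TOY_ZONE)
    print("apex  :", apex_enumeration("example.org", r))        # no vpn here
    print("brute :", bruteforce("example.org", WORDLIST, r))    # vpn appears
    print("wild  :", bruteforce("example.net", WORDLIST, make_resolver(WILDCARD_ZONE)))
```

Against the toy zone, `apex_enumeration` returns the apex, the two name servers and the mail host and never mentions vpn.example.org, while `bruteforce` finds it because "vpn" is in the wordlist; ftp.example.org is absent from both simply because no such record exists. The wildcard zone shows why the random-label probe matters: without it every guess under example.net would be reported as a live host. To run the same logic against a real domain, pass `live_a_resolver` instead of the in-memory resolver; only enumerate domains you are authorised to test.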