Lecture
If you need to know all the subdomains of a domain name, you can try to execute AXFR request.
This tip only works if the DNS server we are going to contact allows AXFR requests.
Not all DNS servers allow AXFR requests. Most of them answer "Transfer failed".
The first thing you need to do is find out the DNS servers responsible for the zone of our domain, for example zonetransfer.me:
$ dig zonetransfer.me
We are interested in information from AUTHORITY SECTION:
;; AUTHORITY SECTION: zonetransfer.me. 7122 IN NS ns16.zoneedit.com. zonetransfer.me. 7122 IN NS ns12.zoneedit.com.
In this case, the domain zonetransfer.me has 2 authoritative servers: ns12.zoneedit.com and ns16.zoneedit.com.
Now you can request all the zonetransfer.me subdomains from one of these servers:
$ dig @ ns12.zoneedit.com zonetransfer.me AXFR
The result:
; > DiG 9.9.2-P1> @ ns12.zoneedit.com zonetransfer.me AXFR ; (1 server found) ;; global options: + cmd *** zonetransfer.me. 7200 IN NS ns16.zoneedit.com. zonetransfer.me. 7200 IN NS ns12.zoneedit.com. zonetransfer.me. 7200 IN A 217.147.180.162 zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM. ***
DNS zone transfer, AXFR - type of DNS transaction. It is one of the mechanisms for replicating DNS databases between servers © wikipedia
When the DNS server receives an AXFR request, it sends all the data that it knows to the requested domain. It is implied that such a request will come from the DNS server that is trying to perform a zone transfer (transfer the domain to itself, replicate). But if the DNS server is configured incorrectly, any user can access this data.
I want to remind you about the hacking of Valve, when the hacker stole the source code for Half-Life 2 (at that time, the development cost ~ $ 1 million per month). To begin with, the hacker sent an AXFR DNS query to the ValveSoftware.com server. After receiving data on the domain, Gembe (hacker) received all the information, including the subdomains ValveSoftware.com.
You can also read about AXFR in the Metasploit Penetration Testing Cookbook, chapter 2:
Authoritative records
for a domain between multiple servers. This method is responsible for transferring the primary and secondary servers. A misconfigured DNS server can respond to your query and provide information about the queried domain.
Very often sites have “secret” subdomains (dev. *, Test. * And similar) for internal use. Usually, these domains have an insecure configuration (included stacktrace for dev domains as an example) or features being developed.
And some other, very famous and large resources that I can not mention here (or there is no answer). But some facts without naming resources:
Hosters, parking DNS services are vulnerable. One of the resources in this way gave me ~ 3.2mln customer records for this site (client = domain).
Some large security companies are also vulnerable.
Many payment systems, airline websites, banks, and providers are subject to this bug.
Funny fact. On one of the university sites, the domain “muonline.NAMEOFUNIVERSITY” was found, which is the server of the popular MMORPG - MU Online (similar to WoW, LineAge2, etc.). Waiting for statistics online on the main page of the university :)
I wrote a small service that can help in checking your domain, more precisely, its DNS servers, on their configuration to receive AXFR requests - http://sergeybelove.ru/tools/axfr-test
(perhaps this will allow your resource to have disastrous consequences). You can also use the dig utility to do this.
Restrict IP addresses that are allowed to perform transfer zones.
Bind example:
allow-transfer {
first_ip;
second_ip;
};
and
rndc reconfig
Comments
To leave a comment
Malicious, and information security
Terms: Malicious, and information security