Finding what you need with nslookup

Hello all,

I was just thinking if I was doing recon with a Windows machine and had a limitation of just using built-in tools, how would I do DNS interrogation?

First of all, nslookup can be very powerful, and for starters I can try the classic zone transfer:

>nslookup
>server target_dns_server_ip
>set type=any
>ls -d target_zone_name

If the servers are locked down well, try to brute force your way record type by record type:

>nslookup
>server target_dns_server_ip
>set type=mx
>target_domain_name
>set type=soa
>target_domain_name
>set type=ns
… well you get the picture

Another way is brute forcing using a list of names. Get a single-word-per-line list, put it into a file called host_names.txt and then use some Windows CLI kung-fu:

>set DOMAIN=target_domain_suffix
>For /F %x in (host_names.txt) do nslookup %x.%DOMAIN% dns_server_ip

(At the interactive prompt the loop variable is written %x; inside a batch file it has to be doubled to %%x, and the same goes for the %n loops below.)

Also try to do a reverse lookup brute force attack:

>For /L %n in (1,1,255) do nslookup ip_subnet.%n dns_server_ip

For these loops remember to clean up the output by turning echo off (@) and redirecting using |, & or to a file using >.

For example try this:

>set SUBNET=xxx.yyy.zzz
>For /L %n in (1,1,255) do @nslookup %SUBNET%.%n dns_server_ip 2>nul | find "Name" && echo %SUBNET%.%n

Remember to clear any variables that you used, and if this is going into a batch file use the setlocal and endlocal statements.

Finally, DNS cache snooping:

If you use the -norecurse option, nslookup only returns what the server already knows (its own zone data or cached entries); it will not iterate through the DNS hierarchy on your behalf. This gives an insight into the server's cache, so you will be able to see where the users are surfing.

Just like this:

>nslookup
>server dns_server_ip
>set norecurse
>host_name

If you want to try your kung-fu with this in a single command:

>nslookup -norecurse host_name dns_server_ip

If you want to see the content of the local resolver cache on your Windows client, just type:

>ipconfig /displaydns

Also remember to try these techniques against all DNS servers for the domain; sometimes admins forget to secure secondary DNS servers or have misconfigured ones.
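Every technique above leaves a distinctive footprint in the DNS server's query log, which is what the admin of those secondary servers should be watching for. The script below is an added example (not from the original post): it parses a constructed, simplified log format (one query per line: timestamp, client, RD flag, query type, name, response code) and flags the four patterns described here: AXFR requests, the NXDOMAIN burst from a wordlist loop, a PTR sweep walking a /24, and non-recursive queries arriving from outside addresses. The thresholds, the INTERNAL_NETS allowlist and the sample traffic are all assumptions chosen for the example; real Windows DNS debug logs or BIND query logs carry the same fields in a different layout, so only parse_line() would need adapting.

```python
"""Flag DNS interrogation patterns in a query log (added example, not part
of the original post).

Log format is a constructed, simplified one, one query per line:
    <timestamp> <client_ip> RD=<0|1> <qtype> <qname> <rcode>
Production servers expose the same fields in their own layouts; only
parse_line() needs adapting.
"""
from collections import defaultdict
import ipaddress

# Thresholds are assumptions for this example; tune them to your traffic.
NXDOMAIN_BURST = 10      # NXDOMAIN answers from one client before alerting
PTR_SWEEP = 16           # distinct PTR names from one client in one /24
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # clients allowed RD=0


def parse_line(line):
    """Split one log line into its fields; returns None for blank/odd lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, rd, qtype, qname, rcode = parts
    return {
        "ts": ts,
        "client": client,
        "rd": rd == "RD=1",
        "qtype": qtype.upper(),
        "qname": qname.lower().rstrip("."),
        "rcode": rcode.upper(),
    }


def ptr_subnet(qname):
    """Map 'n.z.y.x.in-addr.arpa' to its /24 prefix 'x.y.z' (None if not PTR)."""
    labels = qname.split(".")
    if len(labels) == 6 and labels[-2:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[1:4]))
    return None


def is_internal(client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Return a sorted list of (client, category, detail) alerts."""
    alerts = set()
    nxdomain = defaultdict(int)
    ptr_names = defaultdict(set)          # (client, /24) -> distinct qnames
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        c = rec["client"]
        # Zone transfer requests from anything but a configured secondary.
        if rec["qtype"] in ("AXFR", "IXFR"):
            alerts.add((c, "zone-transfer", f"{rec['qtype']} {rec['qname']} -> {rec['rcode']}"))
        # Hostname brute force: a wordlist loop produces a burst of NXDOMAIN.
        if rec["rcode"] == "NXDOMAIN":
            nxdomain[c] += 1
            if nxdomain[c] == NXDOMAIN_BURST:
                alerts.add((c, "name-bruteforce", f"{NXDOMAIN_BURST}+ NXDOMAIN answers"))
        # Reverse sweep: PTR lookups walking an entire /24.
        net = ptr_subnet(rec["qname"])
        if rec["qtype"] == "PTR" and net:
            ptr_names[(c, net)].add(rec["qname"])
            if len(ptr_names[(c, net)]) == PTR_SWEEP:
                alerts.add((c, "reverse-sweep", f"{PTR_SWEEP}+ PTR lookups in {net}.0/24"))
        # Cache snooping: recursion-desired bit clear (nslookup -norecurse)
        # from an address that is not one of our own resolvers/forwarders.
        if not rec["rd"] and rec["qtype"] not in ("AXFR", "IXFR") and not is_internal(c):
            alerts.add((c, "cache-snoop", f"non-recursive {rec['qtype']} {rec['qname']}"))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample traffic covering each pattern plus a benign client."""
    lines = [
        "2024-05-01T10:00:01 192.0.2.10 RD=1 A www.example.com NOERROR",
        "2024-05-01T10:00:02 192.0.2.10 RD=1 MX example.com NOERROR",
        "2024-05-01T10:00:03 192.0.2.10 RD=0 A intranet.example.com NOERROR",
        "2024-05-01T10:00:05 198.51.100.7 RD=1 AXFR example.com REFUSED",
        "2024-05-01T10:00:06 198.51.100.7 RD=1 MX example.com NOERROR",
        "2024-05-01T10:01:00 203.0.113.4 RD=0 A www.somebank.example NOERROR",
        "2024-05-01T10:01:01 203.0.113.4 RD=0 A update.vendor.example NXDOMAIN",
    ]
    for i, word in enumerate(["vpn", "mail2", "dev", "test", "git", "wiki",
                              "db", "backup", "hr", "intranet", "old", "ftp"]):
        lines.append(f"2024-05-01T10:00:{10 + i:02d} 198.51.100.7 RD=1 A {word}.example.com NXDOMAIN")
    for n in range(1, 21):
        lines.append(f"2024-05-01T10:02:{n:02d} 198.51.100.9 RD=1 PTR {n}.2.0.192.in-addr.arpa NOERROR")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, category, detail in analyse(build_sample_log()):
        print(f"{client:15} {category:16} {detail}")
```

Run it as-is to see the alerts for the constructed sample; to use it on a real server, replace build_sample_log() with the server's log file and rewrite parse_line() for that format. The RD-flag check is the one that catches -norecurse probes, so make sure your logging configuration actually records that flag.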

Hope you enjoyed this, until next time.

JQ