I was just thinking if I was doing recon with a Windows machine and had a limitation of just using built-in tools, how would I do DNS interrogation?
First of all, nslookup can be very powerful and for starts I can try the classic a zone transfer:
>ls -d target_zone_name
This probably wont work since Zone transfers are mostly block on public DNS servers. If the servers are locked down well try to brute force your way:
… well you get the picture
Another way is brutforce using a list of names. Get a single word per line list and put it into a file called hosts_names.txt and then use some Windows CLI kungu-fu:
>For /F %x in (host_names.txt) do nslookup %x.%DOMAIN% dns_server_ip
Also try to do a reverse lookup brute force attack:
>For /L %n in (1,1,255) do nslookup ip_subnet.%n dns_server_ip
For these loops remmeber to clean the output turning echo off (@) and redirecting using |, & or to a file using >.
For example try this:
>For /L %n in (1,1,255) do @nslookup %SUBNET%.%n 18.104.22.168 2>null | find “Name” && echo %SUBNET%.%n
Remember to clean any variables that you used and if this is going into a batch file use the setlocal, endlocal statements.
Finally DNS Snooping:
IF you use the -norecurse option on nslookup it will only give you the information the server or clients know, it will not iterate thru the DNS hierarchy. This will give an insight into the cache, so you will able to see where the users are surfing.
Just like this:
If you want to try your kung-fu with this just using the command:
>nslookup -norecurse host_name dns_server_ip
If you want to see the content of the local Resolver Cache for your Windows client just type:
Also remember to try these techniques with all DNS servers for the domain, sometimes admins forget to secure secondary dns servers or have missconfigured ones.
Hope you enjoyed this, until next time.