1
00:00:01,510 --> 00:00:04,850
Let's see what information you can extract from DNS servers.

2
00:00:05,740 --> 00:00:09,520
It will be widely available information.

3
00:00:09,760 --> 00:00:14,860
If someone fails to secure the information they upload to the DNS server, it will be easy to get this

4
00:00:14,860 --> 00:00:15,890
information.

5
00:00:19,970 --> 00:00:28,790
We start with whois; most Linux distributions have this tool pre-installed.

6
00:00:28,800 --> 00:00:36,370
There are also many graphical versions of the tool for various operating systems.

7
00:00:36,390 --> 00:00:40,590
Let's make a query about, for example, the google.com domain,

8
00:00:45,200 --> 00:00:48,150
because on the Internet everyone should cooperate.

9
00:00:48,250 --> 00:00:55,700
The WHOIS database holds domain registration information.

10
00:00:55,890 --> 00:01:01,710
So you can learn, among other things, what the servers' addresses are and the IP addresses of the DNS servers

11
00:01:01,710 --> 00:01:09,540
responsible for the domain you asked about.

12
00:01:09,550 --> 00:01:25,930
You can also find out when changes concerning the registration of the domain have been made.

13
00:01:25,940 --> 00:01:31,930
You can also see the names of the servers responsible for the domain; take notice of them if you want to

14
00:01:31,930 --> 00:01:35,190
learn more about the domain.

15
00:01:35,190 --> 00:01:39,340
You can also get to know who registered the domain and how to contact its owner.

16
00:01:42,380 --> 00:01:44,890
There's a lot of information available to the public.

17
00:01:45,990 --> 00:01:51,070
By completing the domain registration form you can provide information that will compromise security;

18
00:01:54,430 --> 00:02:02,040
for example, by providing the email address in the format name.surname@companyname you're giving out

19
00:02:02,040 --> 00:02:05,110
information that should not be publicly available on the Internet.

20
00:02:06,560 --> 00:02:13,540
That would give attackers your login to the corporate network. When registering a domain,

21
00:02:13,590 --> 00:02:23,110
remember that the information you put on the form will be publicly available.

22
00:02:23,110 --> 00:02:26,940
Let's now check how much information can be read from the DNS servers.

23
00:02:28,010 --> 00:02:34,620
A standard tool for communication with a DNS server is nslookup.

24
00:02:34,870 --> 00:02:39,940
It allows you to send queries to the DNS servers about the names and addresses of the DNS servers that are

25
00:02:39,940 --> 00:02:41,280
responding to you.

26
00:02:43,390 --> 00:02:50,220
BackTrack has a few additional tools and scripts that allow you to make various other queries.

27
00:02:50,330 --> 00:02:52,810
One such tool is dig.

28
00:02:52,860 --> 00:02:57,890
It will allow you to read information about the records of the DNS server responsible for the domain,

29
00:02:57,910 --> 00:02:59,750
google.com for example.

30
00:03:02,440 --> 00:03:06,130
With the commands shown you can access the information about all records.

31
00:03:08,770 --> 00:03:14,500
In accordance with best practices, the public DNS server does not store information about computers of

32
00:03:14,500 --> 00:03:17,780
the corporate network.

33
00:03:17,860 --> 00:03:20,630
If it did, everyone could read them with this command.

34
00:03:24,230 --> 00:03:29,080
We've inquired about the default server.

35
00:03:29,210 --> 00:03:30,860
Let's now try to inquire about the

36
00:03:30,890 --> 00:03:33,320
ns1.google.com server.

37
00:03:36,960 --> 00:03:43,010
In this case we've received similar addresses of the same computers.

38
00:03:43,010 --> 00:03:45,860
Let's try again to execute the command.

39
00:03:45,860 --> 00:03:49,040
It shouldn't work in the case of a well-secured server.

40
00:03:49,040 --> 00:03:51,620
Then we'll see how another server responds to it.

41
00:03:56,370 --> 00:04:00,140
The command above is the zone transfer request.

42
00:04:00,220 --> 00:04:05,030
Remember that DNS servers have a hierarchical structure.

43
00:04:05,070 --> 00:04:12,660
It may happen that one DNS server will ask another server to send the entire database of computers.

44
00:04:12,720 --> 00:04:20,290
We've conducted such an operation using AXFR. Zone transfers should be permitted only for trusted

45
00:04:20,300 --> 00:04:21,570
DNS servers.

46
00:04:23,990 --> 00:04:28,520
Anonymous Internet users should not be able to request the entire database of computers.

47
00:04:30,920 --> 00:04:38,200
As you can see, the zone transfer failed.

48
00:04:38,250 --> 00:04:43,080
We will use dig once more, this time asking about another domain's server names.

49
00:04:47,750 --> 00:04:52,670
In the answer section there is one of the servers responsible for the domain we've inquired about:

50
00:04:56,910 --> 00:05:06,460
Uji DNS that Eugen that be.

51
00:05:06,500 --> 00:05:21,880
We can now ask the selected server about everything it knows about a given domain.

52
00:05:22,060 --> 00:05:23,410
We haven't learned much more;

53
00:05:26,370 --> 00:05:36,000
let's try to request a zone transfer.

54
00:05:36,070 --> 00:05:42,710
This time it worked. For the next hour or so, individual IP addresses and computer names will be displayed

55
00:05:42,710 --> 00:05:43,680
on the screen.

56
00:05:44,970 --> 00:05:49,750
Very often computer names reveal some information about their configuration and the purposes they're

57
00:05:49,770 --> 00:05:50,630
used for.

58
00:05:52,360 --> 00:05:57,670
The name sqlserver.dumbcompany.com fully reveals the computer's function in the corporate

59
00:05:57,670 --> 00:05:58,410
network.