PTT – The Pen Testing Toolkit: DNS-Bruteforcing

You have already installed the Pen Testing Toolkit and now want to use it, so let's look at the DNS functionality.

The whole design of PTT is centered around project directories, so create a directory for your tests: mkdir ptttest; cd ptttest. We now try to find some interesting hostnames and domains. Create a file called target-domains.txt containing the domains you want to research. For this example I will try domains from my employer and a German bank. Since all of this is DNS only, nobody should get too upset about it. But you should try something else.

md@hextatic ~/ptttest$ echo 'informatik.uni-mannheim.de' > target-domains.txt
md@hextatic ~/ptttest$ echo 'uni-mannheim.de' >> target-domains.txt
md@hextatic ~/ptttest$ echo 'deutsche-bank.de' >> target-domains.txt

Let’s go:

md@hextatic ~/ptttest$ ptt-dnsbruteforce -f ./target-domains.txt
calibrating for TLDs with wildcard dns ...
www.obscuredomainasdfghj.tk = 195.20.32.85
www.obscuredomainasdfghj.tk = 217.115.203.20
www.obscuredomainasdfghj.tk = 62.129.131.34
[...]
Domains which are suspected to use wildcard DNS and thus beeing excluded:
 Set(['ac', 'com.ph', 'pw', 'vg', 'net.ph', 'de.vu', 'sh', 'cd', 'museum', 
      'tm', 'ws', 'vu', 'ph', 'st', 'mp', 'nu', 'org.ph', 'tk'])

The first thing dnsbruteforce does here is look for TLDs with those ugly wildcard entries that redirect you to some advertisement site run by the TLD operator; under such a TLD every name you try would "resolve", so these TLDs are excluded. PTT generally spits out a lot of output, because we are hackers and we like blinkenlights and moving screen displays. But it also writes output to ./output/, where it never overwrites files but merges them with new information where appropriate.

The next thing dnsbruteforce does is check whether the domains in target-domains.txt also exist under other TLDs. It checks not only the domains you gave in target-domains.txt but also slight variants of them. When it's done, the output appears in output/namesinothertlds.txt:

md@hextatic ~/ptttest$ cat output/namesinothertlds.txt 
# Auto generated: 2005-11-18 Nov:11:42
www.uni-mannheim.de
www.deutsche-bank.de
www.deutschebank.ru
www.deutschebank.co.nz
www.deutschebank.ca
deutsche-bank.biz
www.unimannheim.de
uni-mannheim.com
unimannheim.de
www.uni-mannheim.com
[...]

Deutsche Bank has registered domains in many countries, no surprise there. I'm more surprised that they are not in the top 75 companies in DNS. But nevertheless, you would probably be interested in the branch offices.

Uni Mannheim seems to have a typo-squatting problem. The domains found are all except one owned by other entities. Sigh.

Depending on your objectives you might want to add some of the names in output/namesinothertlds.txt to target-domains.txt.

The next step can take a few hours, so better let it run overnight. First, variants of very common hostnames in the domains you supplied are checked for their existence. Next, some other still common names are tried:

Trying 22 very common hostnames in 3 domains
@ deutsche-bank.de : wo1.prod.deutsche-bank.de
@ deutsche-bank.de : wo2.prod.deutsche-bank.de
@ deutsche-bank.de : fallback.mail.de.uu.net
. deutsche-bank.de : auth02.ns.de.uu.net
. deutsche-bank.de : auth52.ns.de.uu.net
. deutsche-bank.de : dgate1.db.com
. deutsche-bank.de : dgate2.db.com
www.deutsche-bank.de = 217.73.49.24
www.deutsche-bank.de = 217.73.49.24
www1.deutsche-bank.de = 212.96.254.10
www2.deutsche-bank.de = 212.96.254.1
wwwtest.deutsche-bank.de = 217.111.13.189
www3.deutsche-bank.de = 195.124.75.164
www5.deutsche-bank.de = 195.124.75.160
[...]
Writing data ... output/dnsbruteforce.txt
Trying 3868 hostnames in 3 domains
scorpius.informatik.uni-mannheim.de = 134.155.65.240
arwen.informatik.uni-mannheim.de = 134.155.81.154
[...]
Writing data ... output/dnsbruteforce.txt

The console output is meant to be greppable. Lines containing ' = ' mean a hostname-to-IP-address mapping (A record) has been found. Lines starting with '@ ' mean a domain-to-mailserver mapping (MX record) has been found, and lines starting with '. ' mean a domain-to-nameserver mapping (NS record) has been found.

Often checking the MX and NS records reveals relationships between companies or providers. It is up to you to screen them.
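As an added example (my own code, not part of PTT), here is a small Python parser for the greppable output described above. It splits the ' = ', '@ ' and '. ' lines into A, MX and NS records, learns the wildcard IPs from the calibration answers for the probe name www.obscuredomainasdfghj, and drops later A answers under such a TLD that merely repeat the wildcard IP. The sample output is constructed; the host parked.example.tk and the 203.0.113.9 / 198.51.100.7 addresses are invented.

```python
import re
from collections import defaultdict

# Constructed sample of ptt-dnsbruteforce console output (not a real capture).
SAMPLE_OUTPUT = """\
calibrating for TLDs with wildcard dns ...
www.obscuredomainasdfghj.tk = 195.20.32.85
www.obscuredomainasdfghj.com.ph = 203.0.113.9
@ deutsche-bank.de : wo1.prod.deutsche-bank.de
. deutsche-bank.de : auth02.ns.de.uu.net
www.deutsche-bank.de = 217.73.49.24
www1.deutsche-bank.de = 212.96.254.10
parked.example.tk = 195.20.32.85
real.example.tk = 198.51.100.7
Writing data ... output/dnsbruteforce.txt
"""

A_RE = re.compile(r"^(\S+) = (\d{1,3}(?:\.\d{1,3}){3})$")  # host = IP (A record)
MX_RE = re.compile(r"^@ (\S+) : (\S+)$")                    # @ domain : mailserver (MX)
NS_RE = re.compile(r"^\. (\S+) : (\S+)$")                   # . domain : nameserver (NS)
PROBE = "www.obscuredomainasdfghj"  # calibration name as seen in the page's output

def wildcard_suffix(host, wildcard):
    """Longest suffix of host (e.g. 'com.ph' before 'ph') with a recorded wildcard IP."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if (suffix := ".".join(labels[i:])) in wildcard:
            return suffix
    return None

def parse_output(lines):
    """Parse greppable lines into A/MX/NS records, dropping wildcard-only A answers."""
    wildcard = defaultdict(set)  # TLD/suffix -> IPs the probe name resolved to
    a, mx, ns, excluded = defaultdict(set), defaultdict(set), defaultdict(set), []
    for line in lines:
        line = line.rstrip()
        if m := A_RE.match(line):
            host, ip = m.groups()
            if host.startswith(PROBE + "."):  # calibration answer: learn the wildcard IP
                wildcard[host[len(PROBE) + 1:]].add(ip)
            elif (sfx := wildcard_suffix(host, wildcard)) and ip in wildcard[sfx]:
                excluded.append((host, ip))   # same IP the wildcard gives: not a real host
            else:
                a[host].add(ip)
        elif m := MX_RE.match(line):
            mx[m.group(1)].add(m.group(2))
        elif m := NS_RE.match(line):
            ns[m.group(1)].add(m.group(2))
    return {"A": dict(a), "MX": dict(mx), "NS": dict(ns),
            "wildcard": dict(wildcard), "excluded": excluded}
```

Running parse_output(SAMPLE_OUTPUT.splitlines()) keeps real.example.tk (its IP differs from the .tk wildcard) but lists parked.example.tk under "excluded".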

When dnsbruteforce is finished, output/dnsbruteforce.txt contains the hostnames found:

md@hextatic ~/ptttest$ grep bank output/dnsbruteforce.txt 
wob1.deutsche-bank.de
wwwtest.deutsche-bank.de
ccmail.deutsche-bank.de
wob.deutsche-bank.de
www2.deutsche-bank.de
info3.deutsche-bank.de
info1.deutsche-bank.de
rd2.deutsche-bank.de
jb2.deutsche-bank.de
info.deutsche-bank.de
info2.deutsche-bank.de
notes.deutsche-bank.de
public.deutsche-bank.de
rd1.deutsche-bank.de
banking.deutsche-bank.de
wobtest.deutsche-bank.de
wob3.deutsche-bank.de
jb1.deutsche-bank.de
www.deutsche-bank.de
notes2.deutsche-bank.de
www3.deutsche-bank.de
tp.deutsche-bank.de
www5.deutsche-bank.de
www1.deutsche-bank.de
notes1.deutsche-bank.de
chat.deutsche-bank.de
ml.deutsche-bank.de
