The DNS service class of Nmap Scan tutorial

Source: Internet
Author: User


DNS (Domain Name System) resolves host names to their corresponding IP addresses. A host's domain name is structured as hostname.third-level domain.second-level domain, so when a DNS server resolves a host name it works through the name one level at a time, which is a recursive query. To speed up the user's next access, the DNS server temporarily caches the names it has resolved. Scanning a DNS server can therefore reveal some basic information, such as its version, server address and cached domain names. This section describes the methods for scanning DNS services.

Nmap gets DNS information

Information about a DNS name server can be obtained by asking it for its name server identifier (NSID) and its server ID. In Nmap, the dns-nsid script sends such a request and returns the DNS details, including the NSID, the server's ID and its version. The syntax of the dns-nsid script is as follows:

    nmap -sSU -p 53 --script dns-nsid [target]

The -sSU option in the syntax above combines a TCP SYN scan (-sS) with a UDP scan (-sU), and -p 53 limits the scan to the DNS port.

"Example 1-4" gets the DNS information on the target host Rhel 6.4. The execution commands are as follows:

    [email protected]:~# nmap -sSU -p 53 --script dns-nsid 192.168.1.104
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 16:04 CST
    Nmap scan report for localhost (192.168.1.104)
    Host is up (0.00033s latency).
    PORT   STATE SERVICE
    53/tcp open  domain
    53/udp open  domain
    | dns-nsid:
    |_  bind.version: 9.8.2rc1-redhat-9.8.2-0.17.rc1.el6  # version
    MAC Address: 00:0C:29:2A:69:34 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

The output above shows that the DNS service on the target host reports the BIND version 9.8.2rc1-redhat-9.8.2-0.17.rc1.el6.

Nmap DNS Service Discovery Protocol

The DNS Service Discovery (DNS-SD) protocol lets clients discover the services available on a network. By broadcasting a DNS-SD query, you obtain a list of services from the response packets. In Nmap, the broadcast-dns-service-discovery script sends a DNS-SD broadcast packet and collects the service list. The syntax is as follows:

    nmap --script=broadcast-dns-service-discovery

Example 1-5 uses the broadcast-dns-service-discovery script to send a DNS-SD broadcast packet. The command and its output are as follows:

    [email protected]:~# nmap --script=broadcast-dns-service-discovery
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-21 13:56 CST
    Pre-scan script results:
    | broadcast-dns-service-discovery:
    |   192.168.1.101
    |     47989/tcp nvstream  # nvstream service information
    |_      Address=192.168.1.101 fe80:0:0:0:744c:a0ee:dbfd:769  # nvstream service address
    WARNING: No targets were specified, so 0 hosts scanned.
    Nmap done: 0 IP addresses (0 hosts up) scanned in 7.06 seconds

The output above shows a response packet from the host 192.168.1.101, which tells us that this host runs a service advertised through DNS Service Discovery: the service name is nvstream, the port number is 47989, the protocol is TCP, and the service address is 192.168.1.101.

Nmap probes whether a host allows DNS recursive queries

The primary role of a DNS server is domain name resolution, which is normally done with recursive or iterative queries; of the two, recursive queries are the more common. In Nmap, the dns-recursion script detects whether a host allows DNS recursive queries. The syntax is as follows:

    nmap -sU -p 53 --script=dns-recursion [target]

"Example 1-6" probes whether the target host Rhel 6.4 allows DNS recursive queries. The execution commands are as follows:

    [email protected]:~# nmap -sU -p 53 --script=dns-recursion 192.168.1.104
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 16:10 CST
    Nmap scan report for localhost (192.168.1.104)
    Host is up (0.00030s latency).
    PORT   STATE SERVICE
    53/udp open  domain
    |_dns-recursion: Recursion appears to be enabled  # recursive queries are enabled
    MAC Address: 00:0C:29:2A:69:34 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds

The output shows that recursive DNS queries are enabled on the target host.

Nmap enumerates the host names under a DNS domain

A host name is the name of a computer; it is how the computer is identified to its network neighbours, and it can be changed at any time. The host names known to a DNS server can be enumerated by brute-forcing common subdomain names. In Nmap, the dns-brute script performs this enumeration. The syntax is as follows:

    nmap --script dns-brute --script-args dns-brute.domain=[domain name],dns-brute.threads=[number],dns-brute.hostlist=[host list],newtargets -sS -p 80 [domain name]

In the syntax above, the dns-brute.domain argument specifies the domain to enumerate, such as baidu.com; dns-brute.threads sets the number of threads used for the enumeration (default 5); and dns-brute.hostlist names a file containing the host names the dns-brute script should try. By default the script uses the host name list in /usr/share/nmap/nselib/data/vhosts-default.lst. All of these arguments may also be left unspecified.

"Example 1-7" enumerates the host names of DNS server benet.com. The execution commands are as follows:

    [email protected]:~# nmap --script dns-brute mail.benet.com
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-01 16:47 CST
    Nmap scan report for mail.benet.com (69.172.201.208)
    Host is up (0.26s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    Host script results:  # script scan results
    | dns-brute:
    |   DNS Brute-force hostnames:  # host names found by brute force
    |     admin.benet.com - 69.172.201.208
    |     stats.benet.com - 69.172.201.208
    |     devel.benet.com - 69.172.201.208
    |     host.benet.com - 69.172.201.208
    |     mx.benet.com - 69.172.201.208
    |     development.benet.com - 69.172.201.208
    |     administration.benet.com - 69.172.201.208
    |     http.benet.com - 69.172.201.208
    |     mx0.benet.com - 69.172.201.208
    |     devsql.benet.com - 69.172.201.208
    |     ads.benet.com - 69.172.201.208
    |     mx1.benet.com - 69.172.201.208
    |     devtest.benet.com - 69.172.201.208
    ......
    |     mobile.benet.com - 69.172.201.208
    |     helpdesk.benet.com - 69.172.201.208
    |     monitor.benet.com - 69.172.201.208
    |     home.benet.com - 69.172.201.208
    |     mssql.benet.com - 69.172.201.208
    |_    mta.benet.com - 69.172.201.208
    Nmap done: 1 IP address (1 host up) scanned in 60.25 seconds

The output above lists the host names enumerated under benet.com together with the IP address each name resolves to. For example, the host name admin.benet.com resolves to 69.172.201.208.

Nmap DNS cache probing

The DNS cache works as follows: when a user accesses a URL, the resolved address is recorded in a cache so that the next visit can use it directly, saving the user the time of resolving the same name repeatedly. The cache is only temporary, and entries are erased once their time limit is exceeded. In Nmap, the dns-cache-snoop script probes the DNS cache entries on a host. Its syntax is as follows:

    nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}'

In the syntax above, the -sU option scans UDP ports and -p 53 selects the default port of the DNS protocol. The dns-cache-snoop.mode argument sets the operating mode, which is one of two values: nonrecursive (the default) or timed. The dns-cache-snoop.domains argument specifies the host names to look for in the cache; when several host names are given, they are separated by commas.

"Example 1-8" probes for DNS cache entries on the target host, Rhel 6.4. The execution commands are as follows:

    [email protected]:~# nmap -sU -p 53 --script dns-cache-snoop.nse 192.168.1.104
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-03 16:42 CST
    Nmap scan report for localhost (192.168.1.104)
    Host is up (0.00036s latency).
    PORT   STATE SERVICE
    53/udp open  domain
    | dns-cache-snoop: 1 of tested domains are cached.  # probe result
    |_www.baidu.com
    MAC Address: 00:0C:29:2A:69:34 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds

The output above shows that 100 domain names were probed and one of them is cached: the cached host name is www.baidu.com.
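As an added example (not code from the tutorial or from Nmap) of what the dns-nsid, dns-recursion and dns-cache-snoop scripts put on the wire: a stdlib-only Python builder for an A query with the RD bit clear and an EDNS0 NSID option, plus a parser that reads back the RA flag, RCODE, answer count and NSID from a reply. The reply it parses is constructed inline rather than captured, so nothing touches the network; the name www.baidu.com comes from the cache-snoop output above, while the NSID value "ns01" and the address 10.0.0.1 are sample values.

```python
import struct
NSID_OPTION_CODE = 3  # EDNS0 option code for NSID (RFC 5001); the OPT RR type is 41

def encode_name(name):
    """Encode a host name into DNS label wire format."""
    labels = [bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"

def build_query(name, txid, recursion_desired, want_nsid):
    """A query; RD clear = nonrecursive cache snoop, want_nsid = empty NSID option."""
    flags = 0x0100 if recursion_desired else 0x0000
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, int(want_nsid))
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if want_nsid:  # OPT RR: root name, type 41, UDP size 4096, ttl 0, rdlen 4
        msg += b"\x00" + struct.pack("!HHIHHH", 41, 4096, 0, 4, NSID_OPTION_CODE, 0)
    return msg

def skip_name(data, pos):
    """Offset just past a (possibly compressed) name starting at pos."""
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_response(data):
    """Return RA flag, RCODE, answer count and NSID text from a response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"ra": bool(flags & 0x0080), "rcode": flags & 0xF, "answers": an, "nsid": None}
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rdlen = struct.unpack("!H", data[pos:pos + 2])[0], struct.unpack("!H", data[pos + 8:pos + 10])[0]
        rdata = data[pos + 10:pos + 10 + rdlen]
        o = 0
        while rtype == 41 and o + 4 <= len(rdata):  # walk the OPT option list for NSID
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            if code == NSID_OPTION_CODE:
                info["nsid"] = rdata[o + 4:o + 4 + olen].decode("ascii", "replace")
            o += 4 + olen
        pos += 10 + rdlen
    return info

def constructed_response():
    """Constructed sample (not captured): RA set, one A answer, OPT carrying NSID 'ns01'."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    msg += encode_name("www.baidu.com") + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 1])
    return msg + b"\x00" + struct.pack("!HHIHHH", 41, 4096, 0, 8, NSID_OPTION_CODE, 4) + b"ns01"
```

Against a real server, a reply to the RD-clear query that carries an answer means the name was already cached, a reply with RA set means recursion is offered to you, and a non-empty NSID identifies the responding instance; a resolver that should not serve outsiders would be expected to show none of the three.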

Nmap checks whether a host is listed on DNS blacklists

The blacklists referred to here are DNS-based anti-spam and open proxy blacklists. In Nmap, the dns-blacklist script checks whether the target host's address appears on these anti-spam and open proxy blacklists. The syntax is as follows:

    nmap -sn --script dns-blacklist [target]

The -sn option in the syntax above tells Nmap to skip the port scan and perform host discovery only, so just the host script runs.

"Example 1-9" probes whether the target host Rhel 6.4 supports a blacklist list. The execution commands are as follows:

    [email protected]:~# nmap -sn --script dns-blacklist 192.168.1.104
    Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-05 16:00 CST
    Nmap scan report for localhost (192.168.1.104)
    Host is up (0.00028s latency).
    MAC Address: 00:0C:29:2A:69:34 (VMware)
    Host script results:
    | dns-blacklist:
    |   PROXY  # open proxy blacklists
    |     dnsbl.tornevall.org - proxy
    |       IP marked as "abusive host"
    |       ?
    |     dnsbl.ahbl.org - proxy
    |   SPAM  # anti-spam blacklists
    |     dnsbl.ahbl.org - spam
    |     l2.apews.org - fail
    |_    list.quorum.to - spam
    Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds

The output above shows that the target host's address is listed on the queried DNS anti-spam and open proxy blacklists.

This article is excerpted from the internal course material of the Nmap Scanning Practical Course (University PA). When reproducing it, please credit the source; respect technology, respect IT people!
