1. DNS Introduction
DNS (Domain Name System) can provide valuable data during reconnaissance. Its basic function is to convert domain names to IP addresses (if you do not know much about DNS yet, it is worth the effort to learn it). There are a number of good tools that help us extract the data we need from domain name servers, and the information we can collect includes the following record types:
Record | Description
------ | -----------
A | Maps a domain name or subdomain to a 32-bit IPv4 address
CNAME | Alias record: maps one name to another (canonical) name, so several names can resolve through a single host name
MX | Names the mail server(s) that accept mail for the domain
NS | Names the authoritative name servers for the zone (the record type queried in section 2.2)
DNS reconnaissance counts as active reconnaissance, because you interact with the target's infrastructure to obtain the information: queries that reach the target's authoritative name servers can be logged there.
2. The nslookup Tool
nslookup is a DNS query tool that resolves a domain name to an IP address and vice versa. It can send the query to a name server of your choice and ask for a specific record type. nslookup is cross-platform and comes preinstalled in Kali Linux.
2.1 Default Output
Taking the domain www.baidu.com as an example, a quick IP address lookup is done by entering the following command in a Kali Linux terminal:
# nslookup www.baidu.com
The output information is as follows:
In the output, "Server: 202.205.16.4" is the DNS server that answered for this network, and the "#53" after its address is UDP port 53, the port DNS queries use. The answer shows that www.baidu.com is an alias (CNAME) for www.a.shifen.com, and that two IP addresses are returned, which indicates that Baidu serves the name from more than one server for load balancing.
2.2 Specifying a different name server
Different DNS servers may return different answers for the same query. 8.8.8.8, for example, is a public DNS server operated by Google for general use. In penetration testing it makes sense to query a second, public DNS server and compare the answers, to detect whether the DNS server you are currently using is returning tampered results. Treat a mismatch as a lead rather than proof: names served through a CDN or geo-based load balancing legitimately return different addresses to resolvers in different locations.
# nslookup
> server
> server 8.8.8.8
> set type=ns
> www.baidu.com
Start nslookup with no arguments to enter interactive mode. Typing server shows the name server and port this machine currently uses. server 8.8.8.8 switches subsequent queries to that name server, and set type=ns sets the query type to NS (name server records); entering a domain name then runs the query. Note that NS records live at the zone apex, so query baidu.com rather than www.baidu.com when you want the zone's name servers.
The above command can be simplified to one line of command:
# nslookup -type=ns baidu.com 8.8.8.8
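The two things described in sections 2.1 and 2.2, reading the fields out of nslookup's default output and comparing the answers two resolvers give for the same name, as an added shell example that is not from the original page. The sample outputs are constructed in the format Linux nslookup prints: the resolver 202.205.16.4 is the one the page shows, the answer addresses are RFC 5737 documentation addresses rather than Baidu's real ones, and the function names are this example's own.

```shell
# Added example (not from the original page): parse default nslookup output and
# compare the answers from two resolvers. Sample outputs below are constructed.

# Resolver that answered, taken from the "Server:" line.
nslookup_server() {
    awk '$1 == "Server:" { print $2; exit }'
}

# Target of the CNAME if the queried name is an alias (trailing dot stripped).
nslookup_cname() {
    awk '/canonical name =/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Answer addresses only: the resolver's own "Address: x.x.x.x#53" line is
# skipped because it carries the port after '#'.
nslookup_addresses() {
    awk '$1 == "Address:" && $2 !~ /#/ { print $2 }'
}

# Succeeds when two nslookup outputs contain the same set of addresses; this is
# the check behind "query a second resolver to spot tampered answers".
addresses_match() {
    a=$(printf '%s\n' "$1" | nslookup_addresses | sort)
    b=$(printf '%s\n' "$2" | nslookup_addresses | sort)
    [ "$a" = "$b" ]
}

# Live variant: compare NAME as answered by SERVER1 and SERVER2. Needs network
# access and nslookup, so it is defined but not called here.
compare_live_resolvers() {
    addresses_match "$(nslookup "$1" "$2")" "$(nslookup "$1" "$3")"
}

# Constructed sample in the layout section 2.1 describes (addresses are
# RFC 5737 documentation addresses, not Baidu's).
SAMPLE='Server:     202.205.16.4
Address:    202.205.16.4#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 192.0.2.10
Name:   www.a.shifen.com
Address: 192.0.2.11'

# Constructed answer from a second resolver where one address was swapped.
TAMPERED='Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 192.0.2.10
Name:   www.a.shifen.com
Address: 198.51.100.99'

printf 'resolver:  %s\n' "$(printf '%s\n' "$SAMPLE" | nslookup_server)"
printf 'cname:     %s\n' "$(printf '%s\n' "$SAMPLE" | nslookup_cname)"
printf 'addresses: %s\n' "$(printf '%s\n' "$SAMPLE" | nslookup_addresses | tr '\n' ' ')"
if addresses_match "$SAMPLE" "$TAMPERED"; then
    echo "answers agree"
else
    echo "answers differ: check which resolver is returning the wrong address"
fi
```

Run as-is to see the parsed fields; compare_live_resolvers www.baidu.com 202.205.16.4 8.8.8.8 runs the same comparison against real resolvers. The comparison looks only at the address set, which is what a tampering resolver would change, and deliberately ignores the order of answers, which varies between queries.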
nslookup reverse lookup example:
2.3 Creating an automation script
Because nslookup can be run as a single command, you can write a script that looks up every domain name or host in a list automatically and writes the output to a text file.
Create a text file containing the domain names you want to query:
# vim DomainNames.txt
Fill in the domains, one per line:
baidu.com
blog.csdn.net
Save and exit with :wq.
Create the script:
# vim autoDNS.sh
Write the following into autoDNS.sh:
#!/bin/sh
# Look up the name servers of every domain listed in DomainNames.txt, one per line
while read -r HOSTNAME; do
    echo "Name servers of [$HOSTNAME]"
    nslookup -type=ns "$HOSTNAME"
done < DomainNames.txt
Make autoDNS.sh executable:
# chmod +x autoDNS.sh
Run the script:
# ./autoDNS.sh
The results are as follows:
Redirect the results to a file and view them:
# ./autoDNS.sh > NameServerLists.txt
# cat NameServerLists.txt
cat shows that the results were written correctly.
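An extended version of the automation script from section 2.3, added here as an example rather than the page's own autoDNS.sh. It keeps the DomainNames.txt and NameServerLists.txt file names, queries A, NS and MX records for each domain against the resolver from section 2.2, skips blank and comment lines, reports a failed lookup instead of silently moving on, and reads the command to run from an NSLOOKUP variable so the logic can be exercised with a stub when offline; the record types queried and that variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's autoDNS.sh): list-driven lookups of several
# record types against a chosen resolver. Record types, the NSLOOKUP override
# and the output file name are assumptions of this example.

SERVER=${2:-8.8.8.8}                # resolver to query, as in section 2.2
OUT=${OUT:-NameServerLists.txt}     # where results are written
NSLOOKUP=${NSLOOKUP:-nslookup}      # command to run; a stub can be substituted offline

# query_domain DOMAIN: one query per record type, each under a header line so
# the combined output file stays readable.
query_domain() {
    domain=$1
    for type in A NS MX; do
        echo "== $domain [$type] via $SERVER =="
        # stderr is merged so NXDOMAIN and timeout messages land in the file too;
        # a failing lookup is reported rather than aborting the whole run.
        $NSLOOKUP -type="$type" "$domain" "$SERVER" 2>&1 \
            || echo "lookup failed: $domain ($type)"
    done
}

# enumerate_list FILE: run query_domain for every usable line of FILE,
# ignoring blank lines and lines starting with '#'.
enumerate_list() {
    list=$1
    if [ ! -r "$list" ]; then
        echo "cannot read domain list: $list" >&2
        return 1
    fi
    grep -v '^[[:space:]]*#' "$list" | grep -v '^[[:space:]]*$' |
    while read -r domain; do
        query_domain "$domain"
    done
}

# Only run when invoked with a list file argument; sourcing the file or running
# it with no arguments just defines the functions.
if [ $# -gt 0 ]; then
    enumerate_list "$1" > "$OUT" && echo "wrote $OUT"
fi
```

Usage: ./autoDNS.sh DomainNames.txt 8.8.8.8 writes everything to NameServerLists.txt; running it a second time with your local resolver as the second argument gives you two files to diff, which is the comparison section 2.2 recommends.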
Penetration testing DNS reconnaissance: nslookup