Posts

Showing posts from July, 2022

Enumerating DNS Servers

The goal of this lab on INE was to enumerate the DNS server to discover as much as possible about the domain witrap.com. In my other (first) post about enumerating DNS servers (Information Gathering Lab) I mentioned that I would show how we can brute-force subdomains and look for machines which only respond to reverse DNS lookups. These techniques are covered in this post. My first job was to find out more about the network my attacking machine was connected to. The ip addr command revealed that it was on a /24 network, 192.36.208.0/24. The IP address of the attacking machine was 192.36.208.2. I decided to start off by using nmap to perform an ICMP scan. I followed this up with a fast half-open SYN scan, as sometimes ICMP traffic is blocked or dropped by firewalls. I then specifically targeted DNS servers by performing a UDP scan against port 53 and then another half-open SYN scan against port 53 but with the --source-port switch set to 53, as sometimes DNS servers will only...

Hacking Beep (hackthebox)

I started with the usual nmap enumeration of all the ports on the Beep box. Lots of open ports were returned, so I had a look to see if any seemed to be a good starting point. My attention was first drawn to the obvious services running on ports 22 and 80, but I was also interested in the Simple Mail Transfer Protocol (SMTP) service running on port 25. The -sV -A flags in my nmap scan had executed lots of default scripts from the Nmap Scripting Engine (NSE) and therefore discovered which commands could be used with the SMTP service. The VRFY command stood out as being of some use. The NSE script actually run in order to enumerate the available SMTP commands is smtp-commands. I also noticed the domain was revealed as beep.localdomain, so I added it to my /etc/hosts file. It is useful to enumerate the commands and authentication methods available on an SMTP service as they can possibly reveal usernames and/or passwords. We can use the NSE script as shown above, or we can use a ...