I am going to show you how to do a zone transfer using the command line tool DiG. Ok so its not really hacking but it can help you get a foot in the door. Wikipedia says a zone transfer also sometimes known by its (most common) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now becoming less popular in favor of the use of other database replication mechanisms that modern DNS server packages provide.
Ok so what all that means is a DNS zone transfer will give us all the subdomains a DNS has on record for a given domain. Like if we did a zone transfer on a DNS server that services google we would get mail.google.com, code.google.com, images.google.com and so on. In other words giving you more access points into the network, now instead of just the
www.target.com and what ever links you can find on the site you can attack anything they may have that goes out to the net. You might get lucky and find some test servers and who knows what else.
For testing I will be using zoneedit.org. Now goto your console and type
dig ns zoneedit.orgNow we are looking for what ever DNS server holds records for the domain zoneedit.org so we will be looking in the ";; ANSWER SECTION:" and we see "zoneedit.org. 7005 IN NS ns2.zoneedit.com." Here we see that ns2.zoneedit.com is the DNS server that holds the records we want so now again go back to console and type this command:
dig @ns2.zoneedit.org axfr zoneedit.orgIt should return all the records that DNS server holds for the zoneedit.org domain, now you can really get some scanning done!!
If you did the same thing to evilzone.org you would get a transfer failed message which will be the case with any secure DNS host. Now for the sake of security I wold hope ppl are pen-testing things before they expose them to the net, but more often then not they don't and that can get really messy! Also notice how more then one DNS server was returned in our first query? If you try a zone transfer on the first DNS server and it fails, go ahead and try it on the next one in the list. Most admins only turn zone transfers off on the first DNS server in their pool.
Securing BIND against this kind of information leak just edit /etc/bind.conf and add this line:
allow-transfer{192.168.1.4; 172.16.1.5; };
Where 192.168.1.4 and 172.16.1.5 are the only address you will allow transfers to and from. To secure other DNS server software look here -
http://articles.techrepublic.com.com/5100-10878_11-1058056.html
