Sunday, December 16, 2007

Zone Transfers Still Exist! -- No Really They Do!

So while helping a buddy out with an audit, we came across a misconfigured DNS server that allows zone transfers (I know, we couldn't believe it either). Zone transfers are one of those things that you read about in security books and even teach, but you never think they actually work (like the ping of death); not quite like seeing a unicorn, but kinda like finding a four-leaf clover.

Here is some background information on zone transfers:

"The data contained in an entire DNS zone may be sensitive in nature. Individually, DNS records are not sensitive, but if a malicious entity obtains a copy of the entire DNS zone for a domain, they may have a complete listing of all hosts in that domain"

This is essentially what we were able to pull down from this DNS server, and not just information from its own domain but from many other domains too, because it was authoritative for a whole bunch of domains.


Examples:

Find out the name servers for a zone:

dig @server domain ns

Request all records for a zone from an authoritative server:

dig @server domain axfr

@server is the misconfigured DNS server and domain is the zone you are trying to get information on. A correctly configured server answers the AXFR with REFUSED; one that hands back the whole zone is the problem.

Use host to list the hosts in a zone (-l does the zone transfer and prints the address records):

host -l domain

Use host to request all the records for a zone:

host -lv -t any domain

This is what you usually see (a correctly configured server refuses the transfer):

cg@segfault:~$ host -t ns really.vuln.edu

really.vuln.edu name server DNS1.really.vuln.edu.
really.vuln.edu name server DNS2.really.vuln.edu.

cg@segfault:~$ host -lv -t any really.vuln.edu DNS1.really.vuln.edu
Trying "really.vuln.edu"
Using domain server:
Name: DNS1.really.vuln.edu
Address: 192.168.60.150#53
Aliases:

Host really.vuln.edu not found: 5(REFUSED)
; Transfer failed.

The (sanitized) screenshots above are what we got: about 3k internal IPs and hostnames :-)

Of course, the easiest way to test this is to use dnswalk, which will do the requests for you and also sanity-check the records it gets back (missing PTRs, bad characters in names, and so on).

cg@segfault:~$ dnswalk
Usage: dnswalk domain
domain MUST end with a '.'

cg@segfault:~$ dnswalk really.vuln.edu. DNS1.really.vuln.edu
Checking really.vuln.edu.
Getting zone transfer of really.vuln.edu. from DNS1.really.vuln.edu...failed
FAIL: Zone transfer of really.vuln.edu. from DNS1.really.vuln.edu failed: Response code from server: REFUSED

Getting zone transfer of really.vuln.edu. from dns3.really.vuln.edu...done.
SOA=DNS1.really.vuln.edu contact=admin.nowhere.really.vuln.edu
WARN: router-10.1.1.0.really.vuln.edu A 10.1.1.1: no PTR record
WARN: router_10.2.2.1.really.vuln.edu: invalid character(s) in name
WARN: router_10.3.19.1.really.vuln.edu A 10.115.197.1: no PTR record
...
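Added example, not part of CG's post and not dnswalk's code: the same check done by hand with nothing but the Python standard library, so you can see the exchange that dig axfr and host -l hide. build_axfr_query is the client's single question (QTYPE 252, AXFR); axfr sends it over TCP with the two-byte length prefix the protocol requires, reads messages until the opening SOA is repeated, and stops on REFUSED; decode_name handles the compressed names a real server sends (and refuses pointer loops, since the reply is untrusted input); summarize turns the records into the number that goes in the report, how many A records leaked and how many of them are RFC 1918. Everything named here is an assumption of this example: the function names, and the sample_axfr_response reply, which is constructed for offline use and borrows only the zone and server names from the transcripts above (its records are made up).

```python
"""Added example, not from the post: a stdlib-only AXFR client plus an auditor's summary of the result."""
import ipaddress
import socket
import struct

QTYPE_AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels if x) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Client side of the exchange: header with RD clear, one question of QTYPE 252 (AXFR), class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 64:                                # untrusted input: refuse pointer loops
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end        # parsing resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_rdata(msg, rtype, off, rdlen):
    """Render the RDATA types that matter for host enumeration; anything else as hex."""
    if rtype == 1:
        return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype in (2, 5, 12):                              # NS, CNAME, PTR carry a single name
        return decode_name(msg, off)[0]
    if rtype == 6:                                       # SOA: "MNAME RNAME" (serial etc. skipped)
        mname, o = decode_name(msg, off)
        return mname + " " + decode_name(msg, o)[0]
    return msg[off:off + rdlen].hex()

def parse_response(msg):
    """One DNS message -> (rcode name, [(owner, type, rdata), ...] from the answer section)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records

def axfr(server, zone, port=53, timeout=10):
    """Ask `server` for the whole zone over TCP (2-byte length prefix per message, RFC 1035 4.2.2).
    Done when the opening SOA is repeated; REFUSED means the server is configured correctly."""
    query = build_axfr_query(zone)
    records, rcode, soa_seen = [], "NOERROR", 0
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        stream = sock.makefile("rb")
        while soa_seen < 2 and len(prefix := stream.read(2)) == 2:
            rcode, rrs = parse_response(stream.read(struct.unpack("!H", prefix)[0]))
            if rcode != "NOERROR":
                break
            records.extend(rrs)
            soa_seen += sum(1 for rr in rrs if rr[1] == "SOA")
    return rcode, records

def summarize(records):
    """What the audit cares about: how many hosts leaked and how many sit in RFC 1918 space."""
    hosts = [(owner, rdata) for owner, rtype, rdata in records if rtype == "A"]
    internal = [(o, a) for o, a in hosts if any(ipaddress.ip_address(a) in n for n in RFC1918)]
    return {"records": len(records), "a_records": len(hosts), "internal": internal}

def sample_axfr_response(zone="really.vuln.edu", txid=0x1234):
    """CONSTRUCTED reply for offline use, not captured from any server: opening SOA, two A records
    (one RFC 1918, one not), closing SOA; owner names are compressed the way a real server sends them."""
    zptr = b"\xc0\x0c"                                   # pointer to the zone name at offset 12
    def rr(prefix, rtype, rdata):
        return encode_name(prefix)[:-1] + zptr + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    soa = (encode_name("DNS1")[:-1] + zptr + encode_name("admin")[:-1] + zptr
           + struct.pack("!IIIII", 2007121601, 3600, 900, 604800, 86400))
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, 4, 0, 0)   # QR=1, AA=1, rcode NOERROR, 4 answers
    msg += encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)
    msg += rr("", 6, soa) + rr("router", 1, ipaddress.IPv4Address("10.1.1.1").packed)
    msg += rr("www", 1, ipaddress.IPv4Address("198.51.100.7").packed) + rr("", 6, soa)
    return msg
```

summarize(axfr("dns3.really.vuln.edu", "really.vuln.edu")[1]) is the live check; summarize(parse_response(sample_axfr_response())[1]) walks the constructed reply without touching the network. Run it once per name server returned by dig @server domain ns: as the transcripts above show, DNS1 refusing tells you nothing about dns3. On the server side the fix (for BIND) is an allow-transfer statement that lists only the secondaries.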

-CG
