Understanding Network Hacks

6.5 DNS Dictionary Mapper

A potential attacker who wants to get a list of important servers quickly, without rummaging through the net by firing noisy port scans, could for instance use DNS for scanning. First of all he might try to transfer the whole zone (see Sect. 6.3), but this could also trigger an alarm in a network intrusion detection system, and besides, DNS servers that allow a complete zone transfer to the world are really rare nowadays.

Another method to collect the hostnames of a domain is to use a DNS mapper. It reads a dictionary of common server names, appends the domain name to each of them and tries to resolve its IP address by issuing a DNS query. If this succeeds, the probability that the host exists is quite high, or you have found a messy zone with zombie entries.

The following script implements a simple DNS mapper. For the dictionary we create a text file with one possible hostname per line.

#!/usr/bin/python

import sys
import socket

if len(sys.argv) < 3:
    print(sys.argv[0] + ": <dict_file> <domain>")
    sys.exit(1)


def do_dns_lookup(name):
    # Resolve the name and print its address; a failed resolution
    # (e.g. NXDOMAIN) raises socket.gaierror and is printed instead
    try:
        print(name + ": " + socket.gethostbyname(name))
    except socket.gaierror as e:
        print(name + ": " + str(e))

try:
    fh = open(sys.argv[1], "r")

    # One candidate hostname per line; append the domain and resolve it
    for word in fh.readlines():
        do_dns_lookup(word.strip() + "." + sys.argv[2])

    fh.close()
except IOError:
    print("Cannot read dictionary " + sys.argv[1])

The only thing new in this source code should be the function socket.gethostbyname(), that simply takes a hostname and returns the IP address.
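From the defender's side, a dictionary mapper leaves a characteristic trace: one client producing many NXDOMAIN answers for different names under the same domain in a short time. The following detector is an added example and not code from the book; it runs over constructed resolver log lines in an assumed "timestamp client qname rcode" format and flags clients that exceed a threshold of distinct failed names per domain.

```python
import re
from collections import defaultdict

# Constructed sample of resolver log lines (not from the book), in an
# assumed format: "<timestamp> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com NOERROR
2024-05-01T10:00:01Z 10.0.0.5 ftp.example.com NXDOMAIN
2024-05-01T10:00:01Z 10.0.0.5 mail.example.com NOERROR
2024-05-01T10:00:02Z 10.0.0.5 intranet.example.com NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.5 vpn.example.com NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.5 test.example.com NXDOMAIN
2024-05-01T10:00:03Z 10.0.0.5 dev.example.com NXDOMAIN
2024-05-01T10:00:03Z 10.0.0.5 ftp.example.com NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.9 www.example.com NOERROR
2024-05-01T10:00:06Z 10.0.0.9 wwww.example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parent_domain(qname):
    """Strip the leftmost label: ftp.example.com -> example.com."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else qname


def nxdomain_bursts(log_text, threshold=5):
    """Return {(client, domain): set_of_failed_names} for every client
    that produced at least `threshold` distinct NXDOMAIN names under
    one domain. Repeated queries for the same name count once, so a
    single typo does not trigger the rule."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN":
            failed[(client, parent_domain(qname))].add(qname.lower())
    return {k: v for k, v in failed.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (client, domain), names in nxdomain_bursts(SAMPLE_LOG).items():
        print("%s: %d distinct NXDOMAIN names under %s" % (client, len(names), domain))
```

In a real deployment the window would be time-bounded and the threshold tuned per zone; the constructed log above flags 10.0.0.5 with five distinct failed names and ignores the single typo from 10.0.0.9.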

6.6 Reverse DNS Scanner

The reverse method gets you to your target quicker, at least if there are PTR records for the IP addresses. Nowadays this is almost always the case, because services like SMTP rely on reverse records for spam filtering purposes.

If you have found out which net an IP address belongs to by using WHOIS (Sect. 6.4), you could, in the next step, build a little script that takes the net as input in the form 192.168.1.1-192.168.1.254. The function get_ips() splits the start and the end IP into their bytes and converts each IP into a decimal number. The while loop increments the start IP by one and converts it back to a 4-byte IP address until it reaches the end IP. You may ask why it is coded in such a complicated way: why not simply add one to the last number? Sure, you can implement the algorithm that way, and all is well as long as you don't try to scan a network larger than a class C, because there only the last byte is available for hosts; otherwise you need an algorithm that can calculate addresses for class B and class A networks.

#!/usr/bin/python

import sys
import socket
from random import randint

if len(sys.argv) < 2:
    print(sys.argv[0] + ": <start_ip>-<stop_ip>")
    sys.exit(1)


def get_ips(start_ip, stop_ip):
    ips = []
    tmp = []

    # Turn the dotted start IP into one integer by joining its
    # four bytes as a hex string
    for i in start_ip.split('.'):
        tmp.append("%02X" % int(i))

    start_dec = int(''.join(tmp), 16)
    tmp = []

    for i in stop_ip.split('.'):
        tmp.append("%02X" % int(i))

    stop_dec = int(''.join(tmp), 16)

    # Count upwards and split every integer back into four bytes
    while start_dec < stop_dec + 1:
        octets = []
        octets.append(str(start_dec // 16777216))
        rem = start_dec % 16777216
        octets.append(str(rem // 65536))
        rem = rem % 65536
        octets.append(str(rem // 256))
        rem = rem % 256
        octets.append(str(rem))
        ips.append(".".join(octets))
        start_dec += 1

    return ips


def dns_reverse_lookup(start_ip, stop_ip):
    ips = get_ips(start_ip, stop_ip)

    # Pick addresses in random order until the list is exhausted
    while len(ips) > 0:
        i = randint(0, len(ips) - 1)
        lookup_ip = str(ips[i])

        try:
            print(lookup_ip + ": " +
                  str(socket.gethostbyaddr(lookup_ip)[0]))
        except (socket.herror, socket.error):
            # No PTR record or lookup failure: skip this address
            pass

        del ips[i]

start_ip, stop_ip = sys.argv[1].split('-')
dns_reverse_lookup(start_ip, stop_ip)

The function dns_reverse_lookup() does the rest of the work. It randomly iterates over the calculated IP address space and sends a reverse query with the help of the function socket.gethostbyaddr(). Errors of gethostbyaddr() like "Unknown host" are dropped by the try-except block.
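The range arithmetic above can be done with the standard library's ipaddress module, which also yields the in-addr.arpa name that gethostbyaddr() actually queries. The following is an added example and not the book's code; it expands a start-stop range across octet boundaries, produces the PTR query names in randomised order, and collapses the range into CIDR blocks (assumed here as a convenient form for a firewall rule or log filter on the scanned space) without sending any DNS queries.

```python
import ipaddress
import random


def expand_range(start_ip, stop_ip):
    """Yield every IPv4 address from start_ip to stop_ip inclusive.
    Integer arithmetic on the whole 32-bit address lets the range
    cross octet boundaries (e.g. 192.168.1.255 -> 192.168.2.0)."""
    start = ipaddress.IPv4Address(start_ip)
    stop = ipaddress.IPv4Address(stop_ip)
    if stop < start:
        raise ValueError("stop address precedes start address")
    for n in range(int(start), int(stop) + 1):
        yield str(ipaddress.IPv4Address(n))


def ptr_names(start_ip, stop_ip, seed=None):
    """Return the in-addr.arpa names a reverse lookup would send,
    shuffled like the book's scanner (seed only fixes the order for
    reproducible runs)."""
    addrs = list(expand_range(start_ip, stop_ip))
    random.Random(seed).shuffle(addrs)
    return [ipaddress.IPv4Address(a).reverse_pointer for a in addrs]


def summarize(start_ip, stop_ip):
    """Collapse the range into the smallest list of CIDR blocks."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(stop_ip))]


if __name__ == "__main__":
    # Constructed private range that crosses an octet boundary
    for name in ptr_names("192.168.1.254", "192.168.2.1", seed=1):
        print(name)
    print(summarize("192.168.1.254", "192.168.2.1"))
```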

Running this script on the IP addresses of the German federal bureau for radiation protection you get the following result:

./reverse-dns-scanner.py 194.94.68.0-194.94.69.255
194.94.69.75: ngainfo.bfs.de
194.94.69.82: extranet.bfs.de
194.94.69.121: bfs.de
194.94.69.77: sk.bfs.de
194.94.69.68: groupware.bfs.de
194.94.69.71: test.bfs.de
194.94.69.100: ox-groupware.bfs.de
194.94.69.70: assearchive.bfs.de
194.94.69.123: jp-files.bfs.de
194.94.69.114: ndkk.bfs.de
194.94.69.80: mx02.sz.bfs.de
194.94.69.72: isizurs.bfs.de
194.94.69.106: node1.extern.bfs.de
194.94.69.116: hrq.bfs.de
194.94.69.94: tecdovpn.sz.bfs.de
194.94.69.103: mx01.sz.bfs.de
194.94.69.117: hrqreg.bfs.de
194.94.69.122: node2.extern.bfs.de
194.94.69.118: elan.bfs.de
194.94.69.78: melodionline.bfs.de
194.94.69.74: odlinfo.bfs.de
194.94.69.69: intranet.bfs.de
194.94.69.102: fw01.sz.bfs.de
194.94.69.67: dns01.bfs.de
194.94.69.73: pvgb.bfs.de
194.94.69.107: elan.imis.bfs.de
194.94.69.104: rayvpn.bfs.de
194.94.68.1: testptr.bfs.de
194.94.69.81: burg.bfs.de
194.94.69.111: era.bfs.de
194.94.69.108: filetransfer.bfs.de
194.94.69.83: doris.bfs.de

As you can see such a scan quickly delivers interesting information about the network.

 