4.6 SMTP and DNS Enumeration

SMTP Enumeration

  • SMTP provides 3 built-in-commands:
    • VRFY: Validates users
    • EXPN: Tells the actual delivery addresses of aliases and mailing lists
    • RCPT TO: Defines the recipients of the message
  • SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users from which we can determine valid users on SMTP server.
  • Attackers can directly interact with SMTP via the telnet prompt and collect list of valid users on the SMTP server.
  • Using the SMTP VRFY command:
    $ telnet 192.168.168.1 25
    ...
    VRFY Jonathan
    250 Super-User
    <[email protected]>
    VRFY Smith
    550 Smith... User unknown
    
  • Using the SMTP EXPN command:
    $ telnet 192.168.168.1 25
    ...
    EXPN Jonathan
    250 Super-User
    <[email protected]>
    EXPN Smith
    550 Smitn... User unknown
    
  • Using the SMTP RCPT TO command:
    $ telnet 192.168.168.1 25
    ...
    MAIL FROM:Jonathan
    250 Jonathan... Sender ok
    RCPT TO:Ryder
    250 Ryder... Recipient ok
    RCPT TO: Smith
    550 Smith... User unknown
    

SMTP Enumeration Tool: NetScanTools Pro

  • NetScanTools Pro's SMTP Email Generator and Email Relay Testing Tools are designed for testing the process of sending an email message through an SMTP server and performing relay tests by communicating with a SMTP server.

SMTP Enumeration Tools

  • Telnet:
    • Telnet can be used to probe an SMTP server using VRFY, EXPN and RCPT TO parameters and enumerate users.
  • smtp-user-enum:
    • It is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail)
    • Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands

DNS Zone Transfer Enumeration Using NSlookup

  • It is a process of locating the DNS server and the records of a target network.
  • An attacker can gather valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets.
  • In a DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server.

使用host command查zonetransfer.me的name server:

host -t ns zonetransfer.me

[email protected]:~# host -t ns zonetransfer.me
zonetransfer.me name server nsztm2.digi.ninja.
zonetransfer.me name server nsztm1.digi.ninja.

查到兩個name server,針對其中一個做zone transfer:

host -t axfr zonetransfer.me nsztm1.digi.ninja,下圖可看到取得DNS紀錄

[email protected]:~# host -t axfr zonetransfer.me nsztm1.digi.ninja
Trying "zonetransfer.me"
Using domain server:
Name: nsztm1.digi.ninja
Address: 81.4.108.41#53
Aliases: 

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8677
;; flags: qr aa; QUERY: 1, ANSWER: 153, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zonetransfer.me.        IN    AXFR

;; ANSWER SECTION:
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
zonetransfer.me.    7200    IN    RRSIG    SOA 8 2 7200 20160330133700 20160229123700 44244 zonetransfer.me. GzQojkYAP8zuTOB9UAx66mTDiEGJ26hVIIP2ifk2DpbQLrEAPg4M77i4 M0yFWHpNfMJIuuJ8nMxQgFVCU3yTOeT/EMbN98FYC8lVYwEZeWHtbMmS 88jVlF+cOz2WarjCdyV0+UJCTdGtBJriIczC52EXKkw2RCkv3gtdKKVa fBE=
zonetransfer.me.    7200    IN    NS    nsztm1.digi.ninja.
zonetransfer.me.    7200    IN    NS    nsztm2.digi.ninja.
...
xss.zonetransfer.me.    3600    IN    NSEC    zonetransfer.me. TXT RRSIG NSEC
xss.zonetransfer.me.    3600    IN    RRSIG    NSEC 8 3 3600 20160330133700 20160229123700 44244 zonetransfer.me. a7tFtY1bsTwztv/khjV/NEgaOQyiI8t2R0xgQUp9ANKmAPqu831l9rpI rwKpBF88atlvQYTv9bRTjA/Y58WxsBYw+SOe3j3CUmHlQVbj8CJQpfJK cW1w7DoX8O1PYbWuCAhciUyh1CV4Y5a8pcPBiZBM6225h4eAdE6Ahx3S XGY=
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600

Received 16183 bytes from 81.4.108.41#53 in 645 ms
  • host -l zonetransfer.me 167.88.42.94
[email protected]:~# host -l zonetransfer.me 167.88.42.94
Using domain server:
Name: 167.88.42.94
Address: 167.88.42.94#53
Aliases: 

zonetransfer.me has address 217.147.177.157
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
157.177.147.217.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
canberra-office.zonetransfer.me has address 202.14.81.230
dc-office.zonetransfer.me has address 143.228.181.132
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
email.zonetransfer.me has address 74.125.206.26
internal.zonetransfer.me name server intns1.zonetransfer.me.
internal.zonetransfer.me name server intns2.zonetransfer.me.
intns1.zonetransfer.me has address 167.88.42.94
intns2.zonetransfer.me has address 167.88.42.94
office.zonetransfer.me has address 4.23.39.254
ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me has address 207.46.197.32
alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 217.147.177.157

或使用 dig command來查詢,同樣也要先查到name server:

dig -t ns zonetransfer.me

[email protected]:~# dig -t ns zonetransfer.me

; <<>> DiG 9.10.3-P4-Debian <<>> -t ns zonetransfer.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46473
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 512
;; QUESTION SECTION:
;zonetransfer.me.        IN    NS

;; ANSWER SECTION:
zonetransfer.me.    5    IN    NS    nsztm1.digi.ninja.
zonetransfer.me.    5    IN    NS    nsztm2.digi.ninja.

;; Query time: 234 msec
;; SERVER: 192.168.99.2#53(192.168.99.2)
;; WHEN: Sat Jul 09 16:00:36 CST 2016
;; MSG SIZE  rcvd: 96

接著做zone transfer:

dig axfr @nsztm1.digi.ninja zonetransfer.me

[email protected]:~# dig axfr @nsztm1.digi.ninja zonetransfer.me

; <<>> DiG 9.10.3-P4-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
zonetransfer.me.    7200    IN    RRSIG    SOA 8 2 7200 20160330133700 20160229123700 44244 zonetransfer.me. GzQojkYAP8zuTOB9UAx66mTDiEGJ26hVIIP2ifk2DpbQLrEAPg4M77i4 M0yFWHpNfMJIuuJ8nMxQgFVCU3yTOeT/EMbN98FYC8lVYwEZeWHtbMmS 88jVlF+cOz2WarjCdyV0+UJCTdGtBJriIczC52EXKkw2RCkv3gtdKKVa fBE=
zonetransfer.me.    7200    IN    NS    nsztm1.digi.ninja.
zonetransfer.me.    7200    IN    NS    nsztm2.digi.ninja.
...
xss.zonetransfer.me.    3600    IN    NSEC    zonetransfer.me. TXT RRSIG NSEC
xss.zonetransfer.me.    3600    IN    RRSIG    NSEC 8 3 3600 20160330133700 20160229123700 44244 zonetransfer.me. a7tFtY1bsTwztv/khjV/NEgaOQyiI8t2R0xgQUp9ANKmAPqu831l9rpI rwKpBF88atlvQYTv9bRTjA/Y58WxsBYw+SOe3j3CUmHlQVbj8CJQpfJK cW1w7DoX8O1PYbWuCAhciUyh1CV4Y5a8pcPBiZBM6225h4eAdE6Ahx3S XGY=
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
;; Query time: 710 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Sat Jul 09 15:13:31 CST 2016
;; XFR size: 153 records (messages 1, bytes 16183)

或使用nslookup command來查詢,同樣也要先查到name server:

nslookup -type=ns zonetransfer.me

[email protected]:~# nslookup -type=ns zonetransfer.me
Server:        192.168.99.2
Address:    192.168.99.2#53

Non-authoritative answer:
zonetransfer.me    nameserver = nsztm2.digi.ninja.
zonetransfer.me    nameserver = nsztm1.digi.ninja.

Authoritative answers can be found from:

接著做zone transfer:

nslookup - nsztm2.digi.ninja

ls -d zonetransfer.me

C:\Users\Sean>nslookup - nsztm2.digi.ninja
預設伺服器:  UnKnown
Address:  167.88.42.94

> ls -d zonetransfer.me
[UnKnown]
 zonetransfer.me.               SOA    nsztm1.digi.ninja robin.digi.ninja. (2014101601 172800 900 1209600 3600)
 zonetransfer.me.               HINFO  Casio fx-700G  Windows XP
 zonetransfer.me.               TXT             "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"

 zonetransfer.me.               MX     0    ASPMX.L.GOOGLE.COM

Q1) Which port number is used by DNS for zone transfers?

  1. 53 TCP
  2. 53 UDP
  3. 25 TCP
  4. 25 UDP

A1) Port 53 TCP is used for zone transfers concerning DNS.

Q2) A DNS zone transfer is used to do which of the following?

  1. Copy files
  2. Perform searches
  3. Synchronize server information
  4. Decommission servers

A2) A zone transfer is used to synchronize information, namely records, between two or more DNS servers.

results matching ""

    No results matching ""