4.6 SMTP and DNS Enumeration
SMTP Enumeration
- SMTP provides three built-in commands that reveal information about user accounts:
- VRFY: Validates users
- EXPN: Tells the actual delivery addresses of aliases and mailing lists
- RCPT TO: Defines the recipients of the message
- SMTP servers respond differently to VRFY, EXPN, and RCPT TO for valid and invalid users, so the replies reveal which user names exist on the server.
- Attackers can interact with SMTP directly from a telnet prompt and collect a list of valid users on the SMTP server.
- Using the SMTP VRFY command:
$ telnet 192.168.168.1 25
...
VRFY Jonathan
250 Super-User <Jonathan@NYmailserver>
VRFY Smith
550 Smith... User unknown
- Using the SMTP EXPN command:
$ telnet 192.168.168.1 25
...
EXPN Jonathan
250 Super-User <Jonathan@NYmailserver>
EXPN Smith
550 Smith... User unknown
- Using the SMTP RCPT TO command:
$ telnet 192.168.168.1 25
...
MAIL FROM:Jonathan
250 Jonathan... Sender ok
RCPT TO:Ryder
250 Ryder... Recipient ok
RCPT TO: Smith
550 Smith... User unknown
SMTP Enumeration Tool: NetScanTools Pro
- NetScanTools Pro's SMTP Email Generator and Email Relay Testing Tools are designed to test the process of sending an email message through an SMTP server and to perform relay tests by communicating with an SMTP server.
SMTP Enumeration Tools
- Telnet:
- Telnet can be used to probe an SMTP server with the VRFY, EXPN and RCPT TO commands and enumerate users.
- smtp-user-enum:
- A tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail).
- Enumeration is performed by inspecting the responses to the VRFY, EXPN and RCPT TO commands.
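The defender's side of the VRFY/EXPN/RCPT TO behaviour above, as an added example that is not part of the original notes: a small detector that reads a constructed SMTP command log and flags any client that has had several distinct user names rejected within a short window. The log format, the client addresses and the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real MTA format): one line per SMTP command the
# server answered and the reply code it sent. 192.0.2.10 walks through a name
# list; 198.51.100.7 is ordinary traffic with a single typo in a recipient.
SAMPLE_LOG = """\
2016-07-09T15:13:01 client=192.0.2.10 cmd=VRFY arg=jonathan code=250
2016-07-09T15:13:02 client=192.0.2.10 cmd=VRFY arg=smith code=550
2016-07-09T15:13:02 client=192.0.2.10 cmd=VRFY arg=ryder code=550
2016-07-09T15:13:03 client=192.0.2.10 cmd=EXPN arg=staff code=550
2016-07-09T15:13:04 client=198.51.100.7 cmd=RCPT arg=sales code=250
2016-07-09T15:13:04 client=192.0.2.10 cmd=RCPT arg=admin code=550
2016-07-09T15:13:05 client=192.0.2.10 cmd=RCPT arg=root code=550
2016-07-09T15:13:20 client=198.51.100.7 cmd=RCPT arg=salse code=550
"""

PROBE_CMDS = {"VRFY", "EXPN", "RCPT"}

def parse_line(line):
    """Split 'ts client=... cmd=... arg=... code=...' into typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["client"], kv["cmd"], kv["arg"], int(kv["code"])

def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {client: [names]} for clients whose VRFY/EXPN/RCPT TO probes were
    rejected (5xx) for at least `threshold` distinct names inside a sliding window."""
    recent = defaultdict(deque)   # client -> deque of (time, rejected name)
    flagged = {}
    for line in log_text.splitlines():
        ts, client, cmd, arg, code = parse_line(line)
        if cmd not in PROBE_CMDS or code < 500:   # only rejected probes count
            continue
        q = recent[client]
        q.append((ts, arg))
        while q and ts - q[0][0] > window:        # drop entries older than the window
            q.popleft()
        names = {n for _, n in q}
        if len(names) >= threshold:
            flagged[client] = sorted(names)
    return flagged

if __name__ == "__main__":
    for client, names in detect_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} rejected names {names}")
```

On Postfix, disable_vrfy_command = yes removes the VRFY signal entirely; RCPT TO probing still has to be caught by rate limiting or logic like this.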
DNS Zone Transfer Enumeration Using NSlookup
- DNS enumeration is the process of locating the DNS servers and the records of a target network.
- An attacker can gather valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets.
- In a DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server.
Use the host command to look up the name servers of zonetransfer.me:
host -t ns zonetransfer.me
root@kali:~# host -t ns zonetransfer.me
zonetransfer.me name server nsztm2.digi.ninja.
zonetransfer.me name server nsztm1.digi.ninja.
Two name servers are found; perform a zone transfer against one of them:
host -t axfr zonetransfer.me nsztm1.digi.ninja
The output below shows the DNS records retrieved:
root@kali:~# host -t axfr zonetransfer.me nsztm1.digi.ninja
Trying "zonetransfer.me"
Using domain server:
Name: nsztm1.digi.ninja
Address: 81.4.108.41#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8677
;; flags: qr aa; QUERY: 1, ANSWER: 153, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zonetransfer.me. IN AXFR
;; ANSWER SECTION:
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
zonetransfer.me. 7200 IN RRSIG SOA 8 2 7200 20160330133700 20160229123700 44244 zonetransfer.me. GzQojkYAP8zuTOB9UAx66mTDiEGJ26hVIIP2ifk2DpbQLrEAPg4M77i4 M0yFWHpNfMJIuuJ8nMxQgFVCU3yTOeT/EMbN98FYC8lVYwEZeWHtbMmS 88jVlF+cOz2WarjCdyV0+UJCTdGtBJriIczC52EXKkw2RCkv3gtdKKVa fBE=
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
...
xss.zonetransfer.me. 3600 IN NSEC zonetransfer.me. TXT RRSIG NSEC
xss.zonetransfer.me. 3600 IN RRSIG NSEC 8 3 3600 20160330133700 20160229123700 44244 zonetransfer.me. a7tFtY1bsTwztv/khjV/NEgaOQyiI8t2R0xgQUp9ANKmAPqu831l9rpI rwKpBF88atlvQYTv9bRTjA/Y58WxsBYw+SOe3j3CUmHlQVbj8CJQpfJK cW1w7DoX8O1PYbWuCAhciUyh1CV4Y5a8pcPBiZBM6225h4eAdE6Ahx3S XGY=
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
Received 16183 bytes from 81.4.108.41#53 in 645 ms
host -l zonetransfer.me 167.88.42.94
root@kali:~# host -l zonetransfer.me 167.88.42.94
Using domain server:
Name: 167.88.42.94
Address: 167.88.42.94#53
Aliases:
zonetransfer.me has address 217.147.177.157
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
157.177.147.217.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
canberra-office.zonetransfer.me has address 202.14.81.230
dc-office.zonetransfer.me has address 143.228.181.132
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
email.zonetransfer.me has address 74.125.206.26
internal.zonetransfer.me name server intns1.zonetransfer.me.
internal.zonetransfer.me name server intns2.zonetransfer.me.
intns1.zonetransfer.me has address 167.88.42.94
intns2.zonetransfer.me has address 167.88.42.94
office.zonetransfer.me has address 4.23.39.254
ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me has address 207.46.197.32
alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 217.147.177.157
Alternatively, use the dig command; the name servers must again be looked up first:
dig -t ns zonetransfer.me
root@kali:~# dig -t ns zonetransfer.me
; <<>> DiG 9.10.3-P4-Debian <<>> -t ns zonetransfer.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46473
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 512
;; QUESTION SECTION:
;zonetransfer.me. IN NS
;; ANSWER SECTION:
zonetransfer.me. 5 IN NS nsztm1.digi.ninja.
zonetransfer.me. 5 IN NS nsztm2.digi.ninja.
;; Query time: 234 msec
;; SERVER: 192.168.99.2#53(192.168.99.2)
;; WHEN: Sat Jul 09 16:00:36 CST 2016
;; MSG SIZE rcvd: 96
Then perform the zone transfer:
dig axfr @nsztm1.digi.ninja zonetransfer.me
root@kali:~# dig axfr @nsztm1.digi.ninja zonetransfer.me
; <<>> DiG 9.10.3-P4-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
zonetransfer.me. 7200 IN RRSIG SOA 8 2 7200 20160330133700 20160229123700 44244 zonetransfer.me. GzQojkYAP8zuTOB9UAx66mTDiEGJ26hVIIP2ifk2DpbQLrEAPg4M77i4 M0yFWHpNfMJIuuJ8nMxQgFVCU3yTOeT/EMbN98FYC8lVYwEZeWHtbMmS 88jVlF+cOz2WarjCdyV0+UJCTdGtBJriIczC52EXKkw2RCkv3gtdKKVa fBE=
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
...
xss.zonetransfer.me. 3600 IN NSEC zonetransfer.me. TXT RRSIG NSEC
xss.zonetransfer.me. 3600 IN RRSIG NSEC 8 3 3600 20160330133700 20160229123700 44244 zonetransfer.me. a7tFtY1bsTwztv/khjV/NEgaOQyiI8t2R0xgQUp9ANKmAPqu831l9rpI rwKpBF88atlvQYTv9bRTjA/Y58WxsBYw+SOe3j3CUmHlQVbj8CJQpfJK cW1w7DoX8O1PYbWuCAhciUyh1CV4Y5a8pcPBiZBM6225h4eAdE6Ahx3S XGY=
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
;; Query time: 710 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Sat Jul 09 15:13:31 CST 2016
;; XFR size: 153 records (messages 1, bytes 16183)
Or use the nslookup command; again, the name servers must be looked up first:
nslookup -type=ns zonetransfer.me
root@kali:~# nslookup -type=ns zonetransfer.me
Server: 192.168.99.2
Address: 192.168.99.2#53
Non-authoritative answer:
zonetransfer.me nameserver = nsztm2.digi.ninja.
zonetransfer.me nameserver = nsztm1.digi.ninja.
Authoritative answers can be found from:
Then perform the zone transfer (the session below is from a Windows nslookup prompt):
nslookup - nsztm2.digi.ninja
ls -d zonetransfer.me
C:\Users\Sean>nslookup - nsztm2.digi.ninja
預設伺服器: UnKnown
Address: 167.88.42.94
> ls -d zonetransfer.me
[UnKnown]
zonetransfer.me. SOA nsztm1.digi.ninja robin.digi.ninja. (2014101601 172800 900 1209600 3600)
zonetransfer.me. HINFO Casio fx-700G Windows XP
zonetransfer.me. TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. MX 0 ASPMX.L.GOOGLE.COM
Q1) Which port number is used by DNS for zone transfers?
- 53 TCP
- 53 UDP
- 25 TCP
- 25 UDP
A1) Port 53 TCP is used for zone transfers concerning DNS.
Q2) A DNS zone transfer is used to do which of the following?
- Copy files
- Perform searches
- Synchronize server information
- Decommission servers
A2) A zone transfer is used to synchronize information, namely records, between two or more DNS servers.