A @textfiles approach to gathering the world's DNS

My talk from ShmooCon 2012

  1. What's in a name? A @textfiles attempt at gathering all of the world's DNS
  2. Intro TEAM
  3. Not quite this cool...
  4. maybe...
  5. Black Box Testing
  6. Starts like this right?
  7. CompanyX Go...
  8. Step 1:
  9. ARIN's REST Web Services
  10. Whois Black Magic
      whois -h whois.arin.net "> ! COMPANY"
      Microsoft (C00006676) DIRECP-NET1-206-71-11 (NET-206-71-119-0-1) 206.71.119.0 - 206.71.119.255
      Microsoft (C00006677) DIRECP-NET1-118 (NET-206-71-118-0-1) 206.71.118.0 - 206.71.118.255
      Microsoft (C00006678) DIRECP-NET1-117 (NET-206-71-117-0-1) 206.71.117.0 - 206.71.117.255
      Microsoft (C00061532) UUHIL-BLK1-C155-112 (NET-209-154-155-112-1) 209.154.155.112 - 209.154.155.119
      Microsoft (C00168056) SBCIS-101411-164355 (NET-65-68-62-152-1) 65.68.62.152 - 65.68.62.159
      MICROSOFT (C00313928) SBC067039208168020503 (NET-67-39-208-168-1) 67.39.208.168 - 67.39.208.175
      Microsoft (C00330795) () -
      Microsoft (C00446770) SBC066136085192030113 (NET-66-136-85-192-1) 66.136.85.192 - 66.136.85.199
      MICROSOFT (C00458472) MFN-T280-64-124-184-72-29 (NET-64-124-184-72-1) 64.124.184.72 - 64.124.184.79
      MICROSOFT (C00459322) () -
      Microsoft (C00637972) CW-204-71-191-0 (NET-204-71-191-0-1) 204.71.191.0 - 204.71.191.255
      Microsoft (C01563731) CVNET-454AA20 (NET-69-74-162-0-1) 69.74.162.0 - 69.74.162.255
      Microsoft (C01647285) UU-65-221-5 (NET-65-221-5-0-1) 65.221.5.0 - 65.221.5.255
      Microsoft (C01793454) MICROSOFT (NET-74-93-205-144-1) 74.93.205.144 - 74.93.205.151
      Microsoft (C01793455) MICROSOFT (NET-74-93-205-152-1) 74.93.205.152 - 74.93.205.159
      Microsoft (C01793456) MICROSOFT (NET-74-93-206-64-1) 74.93.206.64 - 74.93.206.71
      Microsoft (C01807326) MICROSOFT (NET-70-89-139-120-1) 70.89.139.120 - 70.89.139.127
      Microsoft (C02008777) RSPC-1218167167199384 (NET-67-192-225-208-1) 67.192.225.208 - 67.192.225.223
      Microsoft (C02312189) OW-3236-1 (NET-206-72-124-64-1) 206.72.124.64 - 206.72.124.95
      Microsoft (C02313555) OW-4867-1 (NET-206-72-120-248-1) 206.72.120.248 - 206.72.120.255
      Microsoft (C02313803) OW-4469-1 (NET-206-72-120-104-1) 206.72.120.104 - 206.72.120.111
      Microsoft (C02499241) MICROSOFT (NET-64-119-153-72-1) 64.119.153.72 - 64.119.153.79
      Microsoft (C02499329) MICROSOFT (NET-64-119-130-112-1) 64.119.130.112 - 64.119.130.119
      Microsoft (C02499544) MICROSOFT (NET-64-119-153-80-1) 64.119.153.80 - 64.119.153.87
      MICROSOFT (C02570623) MCRS-68-188-29-64 (NET-68-188-29-64-1) 68.188.29.64 - 68.188.29.127
      Microsoft (C02580886) RACKS-8-1283476925266189 (NET-184-106-14-208-1) 184.106.14.208 - 184.106.14.215
      Microsoft (C02597593) MICROSOFT (NET-66-228-68-96-1) 66.228.68.96 - 66.228.68.111
      Microsoft (C02597706) () -
      Microsoft (C02599338) RACKS-8-1286223485308418 (NET-184-106-32-152-1) 184.106.32.152 - 184.106.32.159
      Microsoft (C02654382) () -
      Microsoft (C02677592) MICROSOFT (NET-64-119-136-168-1) 64.119.136.168 - 64.119.136.175
      Microsoft (C02718410) MICROSOFT (NET-64-119-136-240-1) 64.119.136.240 - 64.119.136.255
      Microsoft (C02768521) MICROSOFT (NET-66-228-80-160-1) 66.228.80.160 - 66.228.80.191
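The whois dump above is a list of start-end ranges; the first thing a tester does with it is turn it into CIDR blocks to feed a resolver or scanner. The following is an added example (not code from the talk) that parses lines in the format shown and collapses adjacent ranges with the Python standard library. The sample input is five records copied from the dump above plus one of the empty "()" customer records, which the parser skips.

```python
"""Turn ARIN whois netblock listings into CIDR scan targets.

Added example (not code from the talk). It parses lines in the shape the
slide's `whois -h whois.arin.net` output shows:

    Microsoft (C00006676) DIRECP-NET1-206-71-11 (NET-206-71-119-0-1) 206.71.119.0 - 206.71.119.255

and collapses the start-end ranges into the fewest CIDR blocks.
"""
import ipaddress
import re
from typing import Iterable

# org (customer handle) net-name (net handle) start - end
# Customer records with an empty "()" and no range do not match and are skipped.
NETBLOCK_RE = re.compile(
    r"^(?P<org>.+?)\s+\((?P<handle>C\d+)\)\s+(?P<name>\S*)\s*"
    r"\((?P<nethandle>NET-[\w-]+)\)\s+"
    r"(?P<start>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(?P<end>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Sample input: records copied from the slide's whois dump.
SAMPLE_WHOIS = [
    "Microsoft (C00006676) DIRECP-NET1-206-71-11 (NET-206-71-119-0-1) 206.71.119.0 - 206.71.119.255",
    "Microsoft (C00006677) DIRECP-NET1-118 (NET-206-71-118-0-1) 206.71.118.0 - 206.71.118.255",
    "Microsoft (C00006678) DIRECP-NET1-117 (NET-206-71-117-0-1) 206.71.117.0 - 206.71.117.255",
    "Microsoft (C00061532) UUHIL-BLK1-C155-112 (NET-209-154-155-112-1) 209.154.155.112 - 209.154.155.119",
    "Microsoft (C00330795) () -",
    "MICROSOFT (C02570623) MCRS-68-188-29-64 (NET-68-188-29-64-1) 68.188.29.64 - 68.188.29.127",
]


def parse_netblocks(lines: Iterable[str]) -> list[dict]:
    """One dict per parseable netblock line; anything else is skipped."""
    blocks = []
    for line in lines:
        m = NETBLOCK_RE.match(line.strip())
        if m:
            blocks.append(m.groupdict())
    return blocks


def blocks_to_cidrs(blocks: Iterable[dict]) -> list[str]:
    """Convert start-end ranges to CIDRs and merge adjacent/overlapping blocks."""
    nets = []
    for b in blocks:
        start = ipaddress.IPv4Address(b["start"])
        end = ipaddress.IPv4Address(b["end"])
        if end < start:  # defensive: whois output is often hand-copied
            start, end = end, start
        nets.extend(ipaddress.summarize_address_range(start, end))
    # collapse_addresses merges e.g. 206.71.118.0/24 + 206.71.119.0/24 -> 206.71.118.0/23
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def address_count(cidrs: Iterable[str]) -> int:
    """How many IPv4 addresses the target list covers."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


if __name__ == "__main__":
    cidrs = blocks_to_cidrs(parse_netblocks(SAMPLE_WHOIS))
    print("\n".join(cidrs))
    print(f"{address_count(cidrs)} addresses")
```

Note that the two /24s for 206.71.118 and 206.71.119 merge into a /23 while 206.71.117.0/24 stays separate, because a /23 must start on an even third octet. As slide 16 points out, this only finds space the company registered itself; hosted and cloud assets will not appear here.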
  11. ShoNuff! By Jason Ross
  12. Step 2: Listen to this guy OSINT
  13. Step 3: Bounce!
  14. Step 4: DNS brute force and hope that GW.COMPANYX.COM exists
  15. But the best way... but...
  16. Problems:
      Very small percentage of companies OWN IP space
      You rarely get Internal IP space from OSINT
      Getting more rare to see companies host their own EMAIL gateway
  17. TL;DR or TL;Want-To-Party
  18. PTR Records IN-ADDR.ARPA AKA.. the bastard child of DNS everyone forgets about
  19. Why?
  20. Only 4.294 Billion addresses...
  21. Bash + Dig = 1 request per second (.5 msec + proc time)
      NMAP w/ just DNS resolution = 2 seconds per /24
      IF everyone's servers were as fast as Google's
  22. didn't want to be old by the time it finished
  23. MassResolve: ~3000 requests per second
      mubix@research:~$ time massresolve IPv4.txt
      real 262974m1.855s
      user 394461m0.007s
      sys 3x262974m0
  24. Quick tangent... Is there a parent here that doesn't wish this was true?
  25. But people don't like it when you DoS their DNS servers
  26. but it's not malicious...
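Slides 18 to 26 describe the reverse-DNS sweep: walking address space, asking for the PTR record of every address, fast enough to finish in a lifetime but not so fast that the target's nameservers see it as a DoS. Below is an added example of that sweep, written for this page and not the talk's massresolve tool: it forms the in-addr.arpa name for each address in a CIDR, resolves through a pluggable lookup function (the system resolver by default), and enforces a global query rate across worker threads. The default rate of 50 queries per second, the worker count, and the fake PTR table used for the offline run are assumptions.

```python
"""Rate-limited reverse-DNS (PTR) sweep of a netblock.

Added example, not the talk's massresolve tool. For every address in a CIDR
it forms the in-addr.arpa name, looks it up through a pluggable resolver
(default: the system resolver via socket.gethostbyaddr), and caps the global
request rate so the sweep does not flood the target's nameservers.
"""
import ipaddress
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Optional

# Constructed sample used for the offline run: a fake PTR table for TEST-NET-1.
FAKE_PTRS = {"192.0.2.1": "gw.companyx.example.", "192.0.2.10": "mail.companyx.example."}


def ptr_name(ip: str) -> str:
    """'206.71.119.5' -> '5.119.71.206.in-addr.arpa.' (the owner name a PTR query asks for)."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


class RateLimiter:
    """Spaces acquisitions at least 1/rate seconds apart across all threads."""

    def __init__(self, rate: float):
        self.interval = 1.0 / rate
        self.lock = threading.Lock()
        self.next_slot = time.monotonic()

    def acquire(self) -> None:
        with self.lock:
            now = time.monotonic()
            wait = self.next_slot - now
            self.next_slot = max(now, self.next_slot) + self.interval
        if wait > 0:  # sleep outside the lock so other threads can book their slots
            time.sleep(wait)


def system_ptr_lookup(ip: str) -> Optional[str]:
    """PTR via the OS resolver; None when there is no record or the lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def sweep(cidr: str,
          lookup: Callable[[str], Optional[str]] = system_ptr_lookup,
          rate: float = 50.0, workers: int = 8) -> dict[str, str]:
    """Return {ip: hostname} for every address in `cidr` that has a PTR record.

    `rate` is the global cap in queries per second; `workers` only hides
    per-query latency, it does not raise the cap.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    limiter = RateLimiter(rate)

    def one(addr: ipaddress.IPv4Address) -> tuple:
        limiter.acquire()
        return str(addr), lookup(str(addr))

    found: dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for ip, name in pool.map(one, net):  # iterating a network yields every address
            if name:
                found[ip] = name
    return found


if __name__ == "__main__":
    # Offline demo against the fake table; drop `lookup=` to use the real resolver.
    for ip, host in sweep("192.0.2.0/28", lookup=FAKE_PTRS.get, rate=1000).items():
        print(f"{ptr_name(ip):<32} PTR {host}")
```

Swapping the lookup function is also how you would point the sweep at a resolver you control instead of the target's authoritative servers, which is the practical answer to slide 25.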
  27. a bunch of text files...
      40 GB of text files
      Most commands don't like receiving 30,000+ text files in STDIN
      I broke grep...
      xargs -I mutex FTW
      668,246,000 - Initial DB load
  28. REALLY SLOW TO SEARCH... we'll come back to this...
  29. So I bought one of these...
  30. from
  31. and someone forgot to format it...
  32. now what?
  33. Continuing the addiction
  34. there's more?!!!
  35. There are 66 types but over 200 in use that I've found
  36. what's the fastest way to get them?
  37. Zone Transfer kickin' it like it's 1999
  38. What is a Zone?
  39. MICROSOFT IS WRONG
  40. MICROSOFT IS WRONG ok...well somewhat wrong
  41. What is a Zone? these are zones
  42. HD Moore: It's 2012 and you can still perform zone transfers from 65 of 312 TLDs, including ORG, INFO, PRO, and XXX (zones: http://t.co/rwFQbzjw)
  43. What is a Zone? this is also a zone
  44. B,C,F,G, and K Why? I don't know...
  45. but... COM, NET failed to transfer their zones
  46. learning when to quit...
  47. What is a Zone?
  48. What other sources?
  49. Alexa Top "One Million" Domains
  50. 908584: 0: Testing AXFR on ns899.hostgator.com. for lancasterpuppies.com - Output: 4
      908584: 1: Testing AXFR on ns900.hostgator.com. for lancasterpuppies.com - Output: 4
      908585: 0: Testing AXFR on ns1.webserver.at. for promi.at - Output: 16
      908585: 1: Testing AXFR on ns2.webserver.at. for promi.at - Output: 16
      908586: 0: Testing AXFR on ns2.bluehost.com. for eveliux.com - Output: 41
      908586: 1: Testing AXFR on ns1.bluehost.com. for eveliux.com - Output: 41
      908587: 0: Testing AXFR on ns2.hongkonghosting.com.hk. for godiva.com.hk - Output: 4
      908587: 1: Testing AXFR on ns1.hongkonghosting.com.hk. for godiva.com.hk - Output: 4
      908588: 0: Testing AXFR on ns01.businesscatalyst.com. for willcuttguitars.com - Output: 4
  51. NS2 FTW!!
  52. 21 and 22
  53. Making OSINT easy...
      xxx.xxx.net. 38400 IN HINFO "intel" "linux"
      _xmpp-server._tcp.im.xx.net. 86400 IN SRV 5 0 5269 im.xx.net.
      admin.xx.net. 86400 IN SSHFP 1 1 493E20AA602AA0844823DD5CDF4F4A013B61FACD
      xx.xx.ru. 10800 IN HINFO "SCSI/Pentium/133" "BSDI3.1"
      admin.xx.k12.xx.us. 86400 IN HINFO "PC" "MS-WINDOWS-98"
      www.xx.net. 86400 IN HINFO "NonAlpha" "NetBSD"
  54. TXT records are not your password manager
      xxxx.xxx.net. 86400 IN TXT "ssh: F8nn2009#@ppyf33t"
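Slides 53 and 54 show what falls out of a zone transfer once you have it: HINFO records naming hardware and OS, SSHFP records confirming a host runs SSH, SRV records naming services and ports, and TXT records holding what look like credentials. The following added example (not code from the talk) parses records in that zone-file presentation format and flags those cases. The rules and severities are my own heuristics; the first five sample lines are the already-redacted ones from the slides, while the SPF and A lines are constructed to show a low-value and a no-finding case.

```python
"""Triage of DNS records for OSINT and credential leakage.

Added example, not code from the talk. Parses records in zone-file
presentation format (owner TTL class TYPE rdata...) and flags the record
types the talk singles out. Severities are heuristics, not a standard.
"""
import re
import shlex
from dataclasses import dataclass

# Sample zone lines: first five from the slides (redacted there already);
# the SPF TXT and the A record are constructed.
SAMPLE_ZONE = [
    'xxx.xxx.net. 38400 IN HINFO "intel" "linux"',
    '_xmpp-server._tcp.im.xx.net. 86400 IN SRV 5 0 5269 im.xx.net.',
    'admin.xx.net. 86400 IN SSHFP 1 1 493E20AA602AA0844823DD5CDF4F4A013B61FACD',
    'admin.xx.k12.xx.us. 86400 IN HINFO "PC" "MS-WINDOWS-98"',
    'xxxx.xxx.net. 86400 IN TXT "ssh: F8nn2009#@ppyf33t"',
    'xx.net. 3600 IN TXT "v=spf1 include:spf.example-mailhost.net -all"',
    'www.xx.net. 300 IN A 192.0.2.10',
]

# Key-style prefixes that suggest a secret was pasted into a TXT record.
CRED_RE = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|ssh|secret|token|api[_-]?key|login)\b\s*[:=]")
SPF_INCLUDE_RE = re.compile(r"include:(\S+)")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class RR:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: list


@dataclass
class Finding:
    name: str
    rtype: str
    severity: str
    detail: str


def parse_rr(line: str) -> RR:
    """Parse 'owner TTL class TYPE rdata...'; quoted rdata strings become single tokens."""
    parts = shlex.split(line)  # shlex keeps '#' and '@' (comment handling is off by default)
    if len(parts) < 4:
        raise ValueError(f"not a full record: {line!r}")
    name, ttl, rclass, rtype, *rdata = parts
    return RR(name, int(ttl), rclass.upper(), rtype.upper(), rdata)


def assess(rr: RR) -> list:
    """Findings for one record; an empty list means nothing of interest."""
    out = []
    if rr.rtype == "HINFO" and len(rr.rdata) >= 2:
        out.append(Finding(rr.name, "HINFO", "medium",
                           f"hardware/OS disclosed: cpu={rr.rdata[0]!r} os={rr.rdata[1]!r}"))
    elif rr.rtype == "SSHFP":
        out.append(Finding(rr.name, "SSHFP", "info", "SSH host key fingerprint published; host runs SSH"))
    elif rr.rtype == "SRV" and len(rr.rdata) == 4:
        _prio, _weight, port, target = rr.rdata
        out.append(Finding(rr.name, "SRV", "info", f"service advertised on {target} port {port}"))
    elif rr.rtype == "TXT":
        text = " ".join(rr.rdata)
        if CRED_RE.search(text):
            out.append(Finding(rr.name, "TXT", "high", f"credential-like TXT: {text!r}"))
        includes = SPF_INCLUDE_RE.findall(text)
        if includes:  # third-party mail handling is OSINT in itself (cf. slide 16)
            out.append(Finding(rr.name, "TXT", "low", "SPF delegates mail to: " + ", ".join(includes)))
    return out


def triage(lines) -> list:
    """Parse every line, skip malformed ones, return findings ordered by severity."""
    findings = []
    for line in lines:
        try:
            findings.extend(assess(parse_rr(line)))
        except ValueError:
            continue
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_ZONE):
        print(f"[{f.severity:<6}] {f.name:<32} {f.rtype:<6} {f.detail}")
```

The credential regex is deliberately loose (a TXT record reading "ssh: <fingerprint>" would also trip it); in this kind of sweep a false positive costs a glance, a miss costs the finding.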
  55. same problem: lots of text files -> database = slow searching, and how do you put 200+ DNS types into a database?
  56. Becoming a DBA
  57. TEAM not telling you the back-end... at least on camera
  58. What would you search for?
  59. there's more?!!!
  60. DNS
  61. Sources
      • Alexa
      • Zone Transfers
      • Brute forcing with an actively updated list of the Top 50,000 sub zones
      • MassResolve
      • My wife's DNS traffic
      • Other online resources
      • You! If you want to submit a DNS log for your company GREAT! ;-) or a ZT, or just want me to update a domain, I accept it all.
  62. 9109 sites in database
  63. Parsing
      • New NS records go to ZT and Domain brute forcer
      • New A records go to PTR and Type brute forcer
      • New PTR records attempt to resolve forward and break down into zones, then go to respective parsers
      • New other records go to Type Brute forcer
      • Anything older than 6 months gets rechecked
      • MOR PARSERS!!
      • you see where this is going.....
      • New input gets checked against DB, new records get ADDED, they don't replace, so historical data will stay with date/time stamps
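The parsing slide describes a feedback loop: each new record is handed to the worker that can derive more records from it, stale records get rechecked, and nothing is ever overwritten. Below is an added example of such a store, my own sketch rather than the back-end the speaker declined to describe on camera: SQLite keyed on (name, type, rdata) so a changed answer adds a row next to the old one, first_seen/last_seen timestamps per row, per-type routing into named work queues, a six-month recheck query, and zone breakdown of PTR targets. The queue names, the last_seen update on repeat observations, and the 182-day cutoff are assumptions.

```python
"""Append-only DNS record store with per-type work routing.

Added example sketching the pipeline on the "Parsing" slide; not the talk's
back-end. Records are keyed on (name, type, rdata), so a changed answer is
a new row and the old one stays with its timestamps. New records are pushed
to named work queues standing in for the zone-transfer, brute-force and PTR
workers the slide mentions.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

# Which workers a *new* record of each type is handed to (from the slide's bullets).
ROUTES = {
    "NS": ["zone_transfer", "domain_bruteforce"],
    "A": ["ptr_lookup", "type_bruteforce"],
    "PTR": ["forward_resolve", "zone_discovery"],
}
DEFAULT_ROUTE = ["type_bruteforce"]          # "new other records go to Type Brute forcer"
RECHECK_AFTER = timedelta(days=182)          # "anything older than 6 months gets rechecked"


def canon(name: str) -> str:
    """Lower-case, fully qualified, so 'WWW.Example.com' and 'www.example.com.' collide."""
    return name.lower().rstrip(".") + "."


def parent_zones(fqdn: str) -> list:
    """Ancestor zones of a hostname, excluding the host itself and the TLD:
    'gw.companyx.com.' -> ['companyx.com.']"""
    labels = canon(fqdn).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels) - 1)]


class RecordStore:
    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS rr (name TEXT, rtype TEXT, rdata TEXT, "
            "first_seen INTEGER, last_seen INTEGER, PRIMARY KEY (name, rtype, rdata))"
        )
        self.queues: dict = {}  # worker name -> pending items

    def ingest(self, name: str, rtype: str, rdata: str, seen: Optional[datetime] = None) -> list:
        """Record an observation. Returns the workers a *new* record was routed to;
        [] when the exact record was already known (then only last_seen moves)."""
        ts = int((seen or datetime.now(timezone.utc)).timestamp())
        key = (canon(name), rtype.upper(), rdata)
        if self.db.execute("SELECT 1 FROM rr WHERE name=? AND rtype=? AND rdata=?", key).fetchone():
            self.db.execute("UPDATE rr SET last_seen=? WHERE name=? AND rtype=? AND rdata=?", (ts, *key))
            return []
        self.db.execute("INSERT INTO rr VALUES (?, ?, ?, ?, ?)", (*key, ts, ts))
        targets = ROUTES.get(key[1], DEFAULT_ROUTE)
        for worker in targets:
            if worker == "zone_discovery":
                # A PTR target like gw.companyx.com. reveals the zone companyx.com.
                self.queues.setdefault(worker, []).extend(parent_zones(rdata))
            else:
                self.queues.setdefault(worker, []).append(key)
        return list(targets)

    def history(self, name: str, rtype: str) -> list:
        """Every rdata ever seen for (name, type), oldest first: (rdata, first_seen, last_seen)."""
        return self.db.execute(
            "SELECT rdata, first_seen, last_seen FROM rr WHERE name=? AND rtype=? ORDER BY first_seen",
            (canon(name), rtype.upper()),
        ).fetchall()

    def due_for_recheck(self, now: datetime) -> list:
        """(name, type) pairs whose newest observation is older than RECHECK_AFTER."""
        cutoff = int((now - RECHECK_AFTER).timestamp())
        return self.db.execute(
            "SELECT name, rtype FROM rr GROUP BY name, rtype HAVING MAX(last_seen) < ?", (cutoff,)
        ).fetchall()


if __name__ == "__main__":
    store = RecordStore()
    t0 = datetime(2011, 9, 1, tzinfo=timezone.utc)
    store.ingest("companyx.com", "NS", "ns1.companyx.com.", t0)
    store.ingest("www.companyx.com", "A", "192.0.2.10", t0)
    store.ingest("www.companyx.com", "A", "192.0.2.11", t0 + timedelta(days=30))
    store.ingest("10.2.0.192.in-addr.arpa", "PTR", "gw.companyx.com.", t0)
    print(store.history("www.companyx.com", "A"))
    print(store.queues)
    print(store.due_for_recheck(t0 + timedelta(days=200)))
```

Because every worker's output goes back through `ingest`, the "you see where this is going" point on the slide shows up directly: one NS record seeds a zone transfer, whose A records seed PTR lookups, whose targets seed new zones.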
  64. DNS traffic... In September of 2011, DNS traffic surpassed my family's TOTAL other bandwidth per month...
  65. How is this different from Shodan?
      • Results aren't based on open ports
      • I'm not going to monetize it, I'm doing it for my use, but since it needs to be available everywhere so I can use it, so can you ;-)
      • And I'll give you the code to do it yourself if you want to... although...
  66. there's more?!!!
  67. Why is this useful? Because now I have one place to get as much data as I can on a target in regards to DNS (including historical) and I never have to touch one of their servers
  68. and here it is... https://www.deepmagic.com/ $record_type
      remember the (s), I usually have mean stuff on 80
      "everything" search is kludgy right now, I am not a web coder
      • Free to use, and always will be (PERIOD)
      • That means I make no money on it
      • Logs last for 24 hours, so I can catch issues, then they go to /dev/null
      • And those will never be released to anyone as long as I can help it, and if that does happen I will just pull it down
  69. Next steps...
      • Integration with Sho-nuff
      • Ideas? Ways to make it better?
      • DARPA Security Fast Track?
  70. How'd I do Jason?
  71. Questions? Rob Fuller, @mubix, mubix@hak5.org
