From Security Weekly Wiki
3,650 bytes added ,  20:55, 6 May 2010
== Questions ==
= Tech Segment: Zone Transfers & Embedded Systems =
Security FAIL Dot Com update:
* [http://www.securityfail.com/index.php/BT:Homehub BTHome Hub Recap]
* [http://securityfail.com/index.php/APC:Smart_UPS_RT_10000XL APC Information Leak]
* [http://securityfail.com/index.php/Belkin:F5D7633 Belkin Authentication Disclosure]
* [http://securityfail.com/index.php/4610 Avaya 4610 Hacking Guide]
 
One method of finding embedded systems is to brute force the subdomains as described in the following article from GNUCitizen:
 
http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-6/
 
They even have a handy tool they created to help you do it! Carlos also maintains the DNS Enum scripts in Metasploit, which also have the capability to do sub-domain brute forcing.
 
Zone transfers are even better, for example:
 
<pre># time host -la ourlinksys.com 66.161.11.121 > ourlinksys.com.out
 
real 0m2.564s
user 0m0.456s
sys 0m0.068s</pre>
 
The "host" command is great for doing zone transfers (-l requests an AXFR of the zone, -a asks for all record types). In this case we found a DDNS provider that happens to allow zone transfers from one of its DNS servers. Carlos's tool is better at finding these, as you can point it at one domain and it will attempt a zone transfer for that domain from each DNS server listed. As for the results:
 
<pre># wc -l ourlinksys.com.out
120815 ourlinksys.com.out</pre>
 
Sweet! Here are some easy ways to find all those DDNS providers:
 
http://www.dmoz.org/Computers/Internet/Protocols/DNS/DNS_Providers/Dynamic_DNS/
http://www.oth.net/dyndns.html
 
You can put them in a list and do something like these:
 
<pre># one msfcli run per domain in the list
for i in `cat ddlist.txt`; do ./msfcli auxiliary/gather/dns_enum DOMAIN=$i E; done

# single domain, zone transfer only (the option is ENUM_AXFR, as in the module's option list)
~/msf3/msfcli auxiliary/gather/dns_enum DOMAIN=ourlinksys.com ENUM_AXFR=true ENUM_BRT=false ENUM_RVL=false ENUM_SRV=false E</pre>
 
I find that calling Carlos's script in this way is really slow. I've already made the request for Carlos to build in a way to read from a list of domains, which shouldn't be that hard of a feature to implement. Speaking of Carlos's script, here are the options:
 
<pre>msf > use gather/dns_enum
msf auxiliary(dns_enum) > show options

Module options:

   Name         Current Setting                                Required  Description
   ----         ---------------                                --------  -----------
   DOMAIN                                                      yes       The target domain name
   ENUM_AXFR    true                                           yes       Initiate a zone Transfer against each NS record
   ENUM_BRT     false                                          yes       Brute force subdomains and hostnames via wordlist
   ENUM_RVL     false                                          yes       Reverse lookup a range of IP addresses
   ENUM_SRV     true                                           yes       Enumerate the most common SRV records
   ENUM_STD     true                                           yes       Enumerate standard record types (A,MX,NS,TXT and SOA)
   ENUM_TLD     false                                          yes       Perform a top-level domain expansion by replacing TLD and testing against IANA TLD list
   IPRANGE                                                     no        The target address range or CIDR identifier
   NS                                                          no        Specify the nameserver to use for queries, otherwise use the system DNS
   STOP_WLDCRD  false                                          yes       Stops Brute Force Enumeration if wildcard resolution is detected
   WORDLIST     /home/paulda/msf3/data/wordlists/namelist.txt  no        Wordlist file for domain name brute force.</pre>
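The same "host -la" check the segment uses against a DDNS provider is the check you want to run against domains you administer, so that a zone listing every host you own is not one AXFR away. The script below is an added example written for these notes, not Carlos's module or anything from the show; it assumes the BIND `host` utility is on PATH and takes a one-domain-per-line file like the ddlist.txt above. For each domain it looks up the NS records, asks every nameserver for the zone, and reports per server whether the transfer was refused or served.

```shell
#!/bin/sh
# Added example (not from the show notes): audit whether any authoritative
# nameserver for a domain you are responsible for hands out the zone over AXFR
# to an arbitrary client. Assumes the BIND `host` utility is on PATH; the
# domain list is one domain per line, the same shape as ddlist.txt in the notes.

# Print the nameservers for a domain, one per line, without the trailing dot.
list_ns() {
    host -t ns "$1" | awk '/name server/ { print $NF }' | sed 's/\.$//'
}

# Succeed (return 0) when nameserver $2 served the zone for domain $1.
# `host -la` prints "Transfer failed." when the server refuses; a served zone
# always starts with its SOA record, so that is what we look for.
axfr_open() {
    out=$(host -la "$1" "$2" 2>&1) || true
    case "$out" in
        *"Transfer failed"*) return 1 ;;
    esac
    printf '%s\n' "$out" | grep -qw SOA
}

# Try every NS of a domain, print one verdict line per server and
# return 1 if at least one of them is OPEN.
audit_domain() {
    rc=0
    for ns in $(list_ns "$1"); do
        if axfr_open "$1" "$ns"; then
            echo "$1 $ns OPEN"
            rc=1
        else
            echo "$1 $ns refused"
        fi
    done
    return $rc
}

# Run audit_domain over a file of domains; a non-zero exit means something is open.
audit_list() {
    status=0
    while read -r d; do
        [ -z "$d" ] && continue
        audit_domain "$d" || status=1
    done < "$1"
    return $status
}

if [ "$#" -ge 1 ]; then
    audit_list "$1"
fi
```

Run it as `sh axfr_audit.sh mydomains.txt` against the domains you operate (the file name is a placeholder). Anything reported OPEN is fixed on the authoritative server, not the client side: in BIND that is `allow-transfer { <secondary addresses>; };` in the zone or options block, so only your own secondaries can pull the zone, and the same restriction exists in every other authoritative server.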
= Stories For Discussion =