DNS Zone Transfer Vulnerability

1. Experimental environment

Server: Windows 2008 with the DNS service and the IIS service installed (IIS hosts a website)

Client: Windows 7 (DNS set to the IP address of the Windows 2008 server)

2. Experimental steps

(1) First, install the DNS service on Windows 2008

        In Server Manager, add a new role and choose DNS Server

        After the DNS role has been added in Server Manager, open Start -> Programs -> Administrative Tools -> DNS to launch DNS Manager and configure the DNS server.

(2) Test whether the DNS server is serving normally

       Set up a website on the server and set its default home page

(3) Configure DNS on the server and create a host record

(4) Test whether the DNS server works normally

(5) Check whether zone transfer is enabled on the server. You can see that DNS zone transfer is not enabled on the server.

(6) Then use nslookup to view the DNS records, as follows:

(7) Check whether the DNS zone transfer vulnerability exists by listing all hosts in xaut.com. As can be seen, the target we are querying does not have the DNS zone transfer vulnerability.

(8) To test the effect of the experiment, we enable zone transfer on Windows 2008 and create 1 more host record.

(9) Finally, test from the client whether the zone transfer vulnerability exists. Several host records are listed, which quickly reveals the hosts in the domain and indicates that the DNS zone transfer vulnerability is present.

Subdomain brute forcing

When we are looking for the valid subdomains of a domain name, one technique is to take a dictionary of common host names (you need to prepare the dictionary yourself) and try to resolve each name in it with nslookup to find the subdomains that exist. This approach has limitations: for host names that are not common, it has no practical benefit.

The code is as follows:

    import subprocess
    from threading import Thread, Lock

    # Load the dictionary of common host names, skipping blank lines
    with open("C:/Users/Lenovo/Desktop/dict.txt") as f:
        nlist = [line.strip() for line in f if line.strip()]

    # Domain names found to be active by the scan
    rlist = []
    lock = Lock()

    # Use nslookup to check whether the candidate subdomain resolves
    def f(astr):
        # Pass the arguments as a list so a dictionary entry is never interpreted by a shell
        proc = subprocess.run(["nslookup", astr + ".xaut.com"],
                              capture_output=True, text=True)
        # A successful lookup prints the DNS server's address plus at least one answer address
        if proc.stdout.count("Address") > 1:
            with lock:
                rlist.append(astr + ".xaut.com")

    if __name__ == "__main__":
        print("Scan start:")
        threads = [Thread(target=f, args=(name,)) for name in nlist]
        for t in threads:
            t.start()
        # Wait for every lookup to finish instead of polling a shared counter
        for t in threads:
            t.join()
        print("A total of %d results:" % len(rlist))
        print(rlist)
        print("End of scan!")
The result is as follows: a valid subdomain can be found under this domain name.
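Both activities shown on this page, the zone transfer request in steps (7) to (9) and the dictionary scan above, leave traces in DNS query logs. The following is an added example, not code from the original post, that flags them. The log layout, the secondary server address 192.168.1.10 and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified "time client qtype qname rcode" layout
# (an assumption for this example, not the Windows DNS debug log format).
SAMPLE_LOG = """\
10:00:01 192.168.1.20 A www.xaut.com NOERROR
10:00:02 192.168.1.30 AXFR xaut.com NOERROR
10:00:03 192.168.1.40 A admin.xaut.com NXDOMAIN
10:00:03 192.168.1.40 A mail.xaut.com NOERROR
10:00:03 192.168.1.40 A ftp.xaut.com NXDOMAIN
10:00:04 192.168.1.40 A vpn.xaut.com NXDOMAIN
10:00:04 192.168.1.40 A test.xaut.com NXDOMAIN
10:00:05 192.168.1.10 AXFR xaut.com NOERROR
10:00:06 192.168.1.20 A wwww.xaut.com NXDOMAIN
"""

ALLOWED_SECONDARIES = {"192.168.1.10"}  # hypothetical secondary DNS server
NXDOMAIN_THRESHOLD = 3                  # distinct failed names per client (assumed)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def analyze(log_text, zone="xaut.com"):
    """Return (unexpected_axfr_clients, suspected_bruteforce_clients)."""
    axfr = set()
    failed = defaultdict(set)
    suffix = "." + zone
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _, client, qtype, qname, rcode = m.groups()
        qname = qname.lower().rstrip(".")
        if qtype.upper() == "AXFR" and qname == zone:
            # Zone transfers are only expected from listed secondary servers
            if client not in ALLOWED_SECONDARIES:
                axfr.add(client)
        elif rcode.upper() == "NXDOMAIN" and qname.endswith(suffix):
            # Dictionary scans produce many distinct names that do not exist
            failed[client].add(qname)
    brute = {c for c, names in failed.items() if len(names) >= NXDOMAIN_THRESHOLD}
    return sorted(axfr), sorted(brute)

if __name__ == "__main__":
    transfers, scanners = analyze(SAMPLE_LOG)
    print("Zone transfer requests from unlisted hosts:", transfers)
    print("Clients with many failed subdomain lookups:", scanners)
```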
