DNS zone transfer vulnerability
1. Experimental environment
Server: Windows Server 2008 with the DNS service and the IIS service installed (a web site is built on it)
Client: Windows 7 (its DNS server is set to the IP address of the Windows 2008 machine)
2. Experimental steps
(1) First install the DNS service on Windows 2008.
Add a new role in Server Manager and choose DNS Server.
After the DNS role has been added in Server Manager, open Start -> Programs -> Administrative Tools -> DNS; this starts DNS Manager, where the DNS server is configured.
(2) Test whether the DNS server answers queries normally.
Build a web site on the server and set its default home page.
(3) Configure DNS on the server and create a host record.
(4) Test whether the DNS server works normally.
(5) Check whether zone transfer is enabled on the server; it can be seen that DNS zone transfer is not turned on.
(6) Then use nslookup to view the DNS records, as follows:
(7) Check whether a DNS zone transfer vulnerability exists by listing all hosts in xaut.com. It can be seen that the target does not have a DNS zone transfer vulnerability.
(8) To test the effect of the experiment, we turn on zone transfer on Windows 2008 and create one more host record.
(9) Finally, test again from the client whether a zone transfer vulnerability exists. Several host records can now be seen, and the hosts in the domain are learned quickly, which indicates that a DNS zone transfer vulnerability is present.
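The check in steps (5) to (9) can also be done without nslookup, by sending the same AXFR request (query type 252 over TCP) that a secondary server would send and looking at the reply: a server whose zone transfers are restricted answers with an error RCODE and no records, while a server that allows transfers to anyone starts sending the zone. The following is an added example written for this page, not code from the original post; it uses only the Python standard library, and the two sample replies at the bottom are constructed by hand (they were not captured from the Windows 2008 server in the experiment) so that the parser can be run offline. The names xaut.com, ns1.xaut.com and the 192.0.2.x addresses in the samples are placeholders.

```python
import socket
import struct

# DNS constants (RFC 1035): AXFR is QTYPE 252, class IN is 1.
AXFR, CLASS_IN = 252, 1
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 252: "AXFR"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode 'www.xaut.com' as DNS labels: \\x03www\\x04xaut\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header with one question (zone, AXFR, IN); flags 0 means a plain query."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if end is None:
                end = offset + 2             # the name ends at the pointer in the stream
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_axfr_response(msg):
    """Return (rcode name, [(owner, type, rdata text), ...]) for one DNS message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE_NAMES.get(flags & 0xF, str(flags & 0xF))
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:        # A: dotted IPv4
            text = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == 2:                     # NS: a name
            text, _ = decode_name(msg, offset)
        elif rtype == 6:                     # SOA: MNAME RNAME SERIAL ...
            mname, o = decode_name(msg, offset)
            rname, o = decode_name(msg, o)
            text = "%s %s serial=%d" % (mname, rname, struct.unpack("!I", msg[o:o + 4])[0])
        else:
            text = msg[offset:offset + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), text))
        offset += rdlen
    return rcode, records


def check_zone_transfer(server, zone, timeout=5.0):
    """Send one AXFR for `zone` to `server` over TCP and classify the first reply
    (a full transfer may span several messages; the first is enough to decide)."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS: 2-byte length prefix
        hdr = s.recv(2)
        if len(hdr) < 2:
            return "NO_ANSWER", []
        (length,) = struct.unpack("!H", hdr)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    rcode, records = parse_axfr_response(data)
    return ("TRANSFER_ALLOWED" if records else rcode), records


# Constructed sample replies (not captured from a real server) for offline testing.
def _rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

_QUESTION = encode_name("xaut.com") + struct.pack("!HH", AXFR, CLASS_IN)
_ZONE_PTR = b"\xC0\x0C"                      # compression pointer to the QNAME at offset 12
_SOA = (encode_name("ns1.xaut.com") + encode_name("hostmaster.xaut.com")
        + struct.pack("!IIIII", 2024010101, 3600, 600, 86400, 300))
# Zone transfer allowed: flags 0x8400 (response, authoritative, NOERROR), 5 answers.
SAMPLE_TRANSFER = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0) + _QUESTION
                   + _rr(_ZONE_PTR, 6, _SOA)
                   + _rr(_ZONE_PTR, 2, encode_name("ns1.xaut.com"))
                   + _rr(encode_name("www.xaut.com"), 1, bytes([192, 0, 2, 10]))
                   + _rr(encode_name("ns1.xaut.com"), 1, bytes([192, 0, 2, 1]))
                   + _rr(_ZONE_PTR, 6, _SOA))
# Zone transfer restricted: flags 0x8405 (RCODE 5 = REFUSED), no answers.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(parse_axfr_response(SAMPLE_TRANSFER))
    print(parse_axfr_response(SAMPLE_REFUSED))
```

To repeat step (5) against the lab server, call check_zone_transfer("<server ip>", "xaut.com") from the client; "REFUSED" with an empty list is the expected result after zone transfers are restricted in the zone's properties in DNS Manager, and "TRANSFER_ALLOWED" with a record list is what step (9) sees once transfers are opened to any server.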
Subdomain brute forcing
When looking for valid subdomains of a domain name, one usable technique is a dictionary of common host names (you need to prepare the dictionary yourself): for each name in the dictionary, try to resolve it with nslookup, and a successful resolution reveals a subdomain. This method has limitations: for host names that are not common, it brings no practical benefit.
The code is as follows:
import os
import time
from threading import Thread, Lock

# Load the dictionary; it contains common host names, one per line.
with open("C:/Users/Lenovo/Desktop/dict.txt") as f:
    nlist = [line.strip() for line in f if line.strip()]

# Completion counter (the "flag bit"), protected by a lock because every thread updates it.
bz = 0
lock = Lock()
# Names that resolved during the scan.
rlist = []


# Use nslookup to check whether one candidate name exists under the domain.
def f(astr):
    global bz
    cmd = "nslookup %s.xaut.com" % astr
    result = os.popen(cmd).read()
    # nslookup prints one "Address" line for the DNS server itself; a second one
    # means the queried name resolved.
    with lock:
        if result.count("Address") > 1:
            rlist.append(astr + ".xaut.com")
        bz += 1


if __name__ == "__main__":
    print("Scan start:")
    for i in nlist:
        t = Thread(target=f, args=(i,))
        t.start()
    while True:
        # Exit once every candidate has been checked.
        with lock:
            if bz == len(nlist):
                break
        time.sleep(1)
    print("A total of %d results:" % len(rlist))
    print(rlist)
    print("End of scan!")
The result is as follows: valid subdomains under this domain name are found.