DNS Records
Domain Name System (DNS) records can provide a wealth of information regarding services that may be exposed to the Internet, but here there be dragons.
The "target" we're going to attack in the lab is an organisation called Cyberbotic. Their domain name is cyberbotic.io. We can start off by performing a simple lookup of any A records for this domain.
Performing a whois on each public IP address can show who it belongs to. We can see that the address belongs to a 3rd party provider, Cloudflare.
When we browse to https://cyberbotic.io, we are actually being sent to Cloudflare, which proxies the traffic between us and a back-end web server. The issue is that we don't know whether the web server is hosted on the target organisation's own premises or in another 3rd party cloud service. You must confirm this with the client: providers such as Amazon and Azure have specific rules and/or require explicit permission before you are able to carry out any security assessments hosted on, or performed from, their infrastructure. You may also come across IP addresses that belong to Internet Service Providers (ISPs), as some organisations rent their public address space.
Some Software as a Service (SaaS) offerings require DNS records on the target domain in order to point towards those services. A notable example is Microsoft's Office 365, which can be found at autodiscover.target-domain. If the target uses these SaaS services for email and/or document storage etc., it may be possible to gain access to your objective without ever needing to compromise their network.
Subdomains can also provide insight into other publicly available services, which could include webmail, remote access solutions such as Citrix, or a VPN. Tools such as dnscan come with lists of popular subdomains.
From the output above, we've discovered www and mail subdomains.
The astute will notice that mail resolves to an internal address rather than a public address. This is the IP address of the Exchange server in the RTO lab.
Weak email security (SPF, DMARC and DKIM) may allow us to spoof emails to appear as though they’re coming from their own domain. Spoofy is a Python tool that can verify the email security of a given domain.
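To make the SPF/DMARC check concrete, here is an added example (not part of the course notes and not Spoofy's own code) that parses the two TXT records a domain owner publishes and classifies how much they protect the domain against forged From: headers. The records and domain names are constructed for an offline run; a live version would replace the `lookup` callable with a resolver query such as dnspython's `dns.resolver.resolve(name, "TXT")`.

```python
"""Offline SPF/DMARC posture check over constructed TXT records."""

# Constructed sample records, keyed by the DNS name that would be queried.
# These are illustrative only and are not the real records of any domain.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "strict.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    "open.test": ["v=spf1 +all"],  # no DMARC record published at all
}


def parse_spf(records):
    """Return the SPF 'all' mechanism with its qualifier, or None if no SPF is published."""
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                if term.lower().lstrip("+-~?") == "all":
                    qual = term[0] if term[0] in "+-~?" else "+"
                    return qual + "all"
            return "?all"  # no 'all' term: RFC 7208 evaluates to neutral
    return None


def parse_dmarc(records):
    """Return DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'none'}), or {} if absent."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return {}


def assess(domain, lookup=SAMPLE_TXT.get):
    """Classify a domain's spoofing exposure from its SPF and DMARC policy strength."""
    spf_all = parse_spf(lookup(domain, []))
    policy = parse_dmarc(lookup("_dmarc." + domain, [])).get("p", "absent").lower()
    # DMARC quarantine/reject is what actually stops a forged From: header;
    # SPF alone only covers the envelope sender, so a hard fail without
    # DMARC is still only a partial control.
    if policy in ("reject", "quarantine"):
        verdict = "protected"
    elif spf_all == "-all":
        verdict = "weak"
    else:
        verdict = "spoofable"
    return {"domain": domain, "spf_all": spf_all, "dmarc_p": policy, "verdict": verdict}
```

The verdict is deliberately coarse: a full assessment also has to follow `include:` and `redirect=` chains, count DNS lookups against the 10-lookup limit, and check the DKIM selector records, which this example leaves out.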