DNS Zone Transfer Tutorial (Subdomain Discovery)

HTB – Cronos

Welcome! This article is going to focus on DNS Zone Transfers. I’m going to use the retired Hack The Box (HTB) machine, Cronos, for this tutorial. This is not an entire writeup on Cronos; however, I will be publishing one at a later time. This is just a simple DNS Zone Transfer tutorial to show the effectiveness of this type of attack.

What is a Zone Transfer?

A DNS Zone Transfer is essentially where the AXFR DNS query type is used to replicate DNS records from a primary DNS server to a secondary one. If the server answers AXFR requests from any client, an attacker can view all of the DNS records in the transferred zone, which could lead to potential subdomain discovery. There’s not much to it, but for such a simple technique there could be a lot of repercussions if you have sensitive data in your primary DNS server.

Let’s dive into it.

Recon

We’ll start with an NMAP scan of the box: nmap -n -v -sT -A 10.10.10.13
Breakdown of the command:
-n : Skip DNS Resolution
-v : Increase Verbosity (amount of output)
-sT : TCP Connect Scan
-A : Enable OS Detection, Version Detection, Script Scanning, and Traceroute

┌──(kali㉿kali)-[~/HTB/cronos]
└─$ sudo nmap -n -v -sT -A 10.10.10.13
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

***Results summarized for brevity***

Finding the Domain Name

Unfortunately, no domain name popped up in the NMAP enumeration. Now, there are a lot of ways to conduct DNS enumeration. I plan to write an article on it in the future, but for the sake of this article I’ll just be showing you how to find the domain name and conduct the zone transfer. We’ll use a tool called nslookup to help identify it. Just launch the tool, set the server, then enter the server IP.

nslookup

Perfect. Now let’s add the newly found domain name to the /etc/hosts file. If you’re not familiar with adding IPs to the hosts file, simply type in the box IP followed by the ‘tab’ key then the domain name.

nano hosts
Add the domain name to /etc/hosts file

Initiate the Zone Transfer

Now that we have the domain added to our hosts file we can go ahead and use the ‘dig’ command to proceed with the Zone Transfer.

The dig command in Linux is used to gather DNS information. There’s a lot of useful DNS troubleshooting and enumeration functionality, but the big one we’re focused on is the “axfr” option. This option allows us to conduct our zone transfer, grabbing all of the DNS records from the DNS server.

Success

And just like that, we successfully conducted a zone transfer and received all the subdomains we previously didn’t have access to.

These subdomains need to be added to our hosts file, otherwise we will not be able to access them through the web browser.

Results

Visiting the site without the subdomain added to our hosts file:

Fail 🙁

Now let’s add admin.cronos.htb to the hosts file:

And revisit the page:

Whoo!

Done. As you can see, zone transfers can be a pretty brutal blow to your company/network if in the hands of the wrong person. I’d recommend locking it down, and at minimum restricting zone transfers on a “per IP” basis.
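To act on that recommendation, here is an added example (not part of the original tutorial) that audits the text of a BIND named.conf and reports which zones would answer an AXFR from any host. The sample config is constructed: the file names, the zone names other than cronos.htb, and the 192.0.2.53 secondary are assumptions, and the parser does not handle views or negated ACL entries.

```python
import re

# Constructed named.conf (not from the Cronos box): file names, the extra zone
# names and the 192.0.2.53 secondary are assumptions for illustration.
SAMPLE_CONF = '''
acl "secondaries" { 192.0.2.53; };
options { directory "/var/cache/bind"; };  // no global allow-transfer
zone "cronos.htb"  { type master; file "db.cronos";  };
zone "weak.htb"    { type master; file "db.weak";    allow-transfer { any; }; };
zone "locked.htb"  { type master; file "db.locked";  allow-transfer { secondaries; }; };
zone "private.htb" { type master; file "db.private"; allow-transfer { none; }; };
'''

def body_at(text, pos):
    """Return the contents of the first brace block opening at or after pos."""
    start = text.index("{", pos)
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in config")

def transfer_acl(block):
    """Return the allow-transfer elements set in block, or None if unset."""
    m = re.search(r"\ballow-transfer\b", block)
    if m is None:
        return None
    return [e.strip() for e in body_at(block, m.end()).split(";") if e.strip()]

def audit(conf, unset_means_any=True):
    """Classify each zone as 'open', 'restricted' or 'closed' for AXFR."""
    # unset_means_any models older BIND (such as the 9.10 series), where a
    # missing allow-transfer lets any host pull the zone; check your version.
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    opts = re.search(r"\boptions\s*\{", conf)
    fallback = transfer_acl(body_at(conf, opts.start())) if opts else None
    if fallback is None:
        fallback = ["any"] if unset_means_any else ["none"]
    report = {}
    for zone in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        acl = transfer_acl(body_at(conf, zone.end()))
        acl = fallback if acl is None else acl  # zone setting overrides options
        locked = "closed" if acl == ["none"] else "restricted"
        report[zone.group(1)] = "open" if "any" in acl else locked
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Any zone reported as open should get an allow-transfer list that names only its secondary servers, or none if it has no secondaries.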

Hope you enjoyed this short tutorial. Keep a lookout for more! Leave a comment if there’s anything specific you’d like to see from me.
