Accidentally handing out a list of every domain and sub-domain within an organisation increases its exposure to attacks and exploits.
A recent engagement uncovered something I've never encountered before: I was able to complete a full DNS zone transfer. Usually DNS is locked down so that a zone transfer isn't possible, but here we had a domain that was wide open to abuse. This particular domain had an impressive 205 sub-domains, many of them helpfully named to convey the exact nature of the box in question. A lot of these sub-domains carried names like 'dev', 'test' and 'stg' as well, so anyone looking to build a picture of the organisation didn't really have to put much effort in.
A DNS zone transfer should not be possible from the internet, and yet here I had a full list of domain names, sub-domains and IP addresses. Not only that, I also had a pretty good idea of the purpose of each machine, and the naming of some of them indicated that they were old systems that probably stood a good chance of not having the latest patches applied. Development and test machines are usually less robust in their configuration, as the teams using them often need to make numerous changes; this gives me another attack surface to hit.
However, I'm an ethical hacker, so a quick responsible disclosure email to the organisation, indicating what I'd identified and why they should lock their DNS down, resulted in a grateful reply within the hour. I'm not going to identify the organisation in question, as they're still in the process of resolving this issue. It's something they can address quickly, and I'll check back soon to confirm that they've made the necessary changes and plugged the security hole.
For those who aren't sure how to check for DNS zone transfers, I used a trusted tool: fierce. Fierce is a DNS reconnaissance tool; it's simple to use and incredibly powerful. There are a number of options you can apply, but for this particular domain I simply ran:
fierce --domain <domain name> > output-file.txt
Within 30 seconds or so, Fierce had completed the transfer, sent the output to a file (output-file.txt) and did not need to attempt any brute force requests; when you’ve been handed the keys, you don’t really need to try any more 🙂
If you've not used Fierce before, please check it out. If you're responsible for security within your organisation, please have a look at your DNS settings, just in case.