
DNS Enumeration

DNS (Domain Name System) is often a very rich source of information when doing active information gathering.

Enumerating DNS involves interacting with the DNS server to gather information through forward and reverse lookups. You may sometimes have to brute force the forward and reverse lookups to gather the required information.

One may also attempt to do a Zone Transfer.

If you are not familiar with DNS terminology, I recommend grabbing a system administration book and having a good read. This is really important before you attempt information gathering during your penetration test.

Kali has some very good tools to make your job easier:

[1] DNSRecon - This is an excellent script written in Python.

Usage: dnsrecon -d <domain name> -t axfr



In the above example the zone transfer failed.

[2] DNSENUM (automatically attempts Zone Transfer as well)

usage: dnsenum <domain name>





Here as well the zone transfer has failed, indicating that the name server is correctly configured.

The idea was to let you know the options available in your penetration testing distro so that you can use them when needed.

What if you had to do this manually?

Well, it's not that difficult:

Let us consider we have an Ubuntu box and we plan to do some basic DNS enumeration.

host <domain name>  - This attempts to resolve the hostname and returns its IP address.



Now, this domain name may have various common hostnames associated with it, e.g. mail, router, proxy, ftp, etc.:


mail.blogspot.com
router.blogspot.com
proxy.blogspot.com
ftp.blogspot.com

and so on.

So let's put these host prefixes (mail, router, proxy, ftp, ...) in a list, one per line, viz. names.txt

nano names.txt



Save this file, and quickly verify that it was saved.



Now let's automate the lookup:

for name in $(cat names.txt); do host "$name.blogspot.com"; done

The output will show the positive hits from our brute force, if any.

Once this is done we will have the IP addresses for the entries for which the brute force was successful.
Now you can also brute force the reverse lookups, since you have an (indicative) IP range.

For reverse lookup (replace x.x.x with the first three octets of the range found above):
for ip in $(seq 155 220); do host x.x.x.$ip; done | grep -v "not found"

This way you will have the names and IPs.

Now for zone transfer:

A zone file holds important information such as the names, addresses and roles of the servers. A zone transfer is the replication of this information from the master DNS server to the slave DNS servers. Ideally this should only be allowed between the authorized servers. However, if it is not configured correctly, anyone requesting the zone file will receive it.

As such, obtaining the zone file, i.e. a successful zone transfer, does not mean that the network is compromised; however, it definitely facilitates that.

In order to do a zone transfer, 2 parameters are required:
[1] The domain name, and
[2] The name server (DNS server address)

Finding the name server:

host -t ns <domain name> | cut -d " " -f 4


So in order to do the zone transfer our command will be:

host -l <domain name> <dns server address>



If you have multiple name servers then you can keep trying each to see if the zone transfer is successful.

Another option will be to write a script to automate this process.
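Here is such a script, as an added example that is not part of the original post: it looks up the name servers of a zone with host -t ns, tries host -l against each one and reports which servers answer the transfer. It assumes the host utility (bind9-host / bind-utils) is installed; the output formats it parses are those of host itself, and the sample lines in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): try a zone transfer against every
# name server of a domain, e.g. to verify that your own zone refuses AXFR.

# Extract name-server hostnames from "host -t ns <domain>" output.
# Input lines look like (constructed sample):
#   example.com name server ns1.example.com.
# Other lines (e.g. "... has no NS record") are ignored; the trailing dot is dropped.
parse_ns() {
    awk '$2 == "name" && $3 == "server" { sub(/\.$/, "", $4); print $4 }'
}

# Read "host -l <domain> <ns>" output on stdin and return 0 only if the
# transfer actually produced zone records.
axfr_succeeded() {
    local out
    out=$(cat)
    # A refused or timed-out transfer is reported by host as "; Transfer failed."
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        return 1
    fi
    # A real zone dump contains at least one resource record line.
    printf '%s\n' "$out" | grep -Eq ' (has address|has IPv6 address|name server|mail is handled by) '
}

# Print one line per name server: "<ns> AXFR-ALLOWED" or "<ns> refused".
check_zone_transfers() {
    local domain=$1 ns
    for ns in $(host -t ns "$domain" | parse_ns); do
        if host -l "$domain" "$ns" 2>/dev/null | axfr_succeeded; then
            echo "$ns AXFR-ALLOWED"
        else
            echo "$ns refused"
        fi
    done
}

# Usage: ./check_axfr.sh <domain>
if [ $# -gt 0 ]; then
    check_zone_transfers "$1"
fi
```

A server listed as AXFR-ALLOWED is handing its whole zone to any client; restrict transfers to the secondary servers' addresses (allow-transfer in BIND) or disable them.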

All of the above manual steps, and the task of automating them, can be achieved with the help of the 2 tools/scripts we talked about, i.e. DNSRecon and dnsenum.

However, you must know how the tool works and what the script does before you use it; never use it blindly. Hope you enjoyed DNS enumeration.
