It’s always DNS. When something breaks online, the first step is usually to check what DNS is doing. Similarly, when we try to discover everything we can about an organisation in the recon stage of an assessment, DNS is again first on the list. ‘Hackers’, or in our case ethical social engineering consultants, turn to DNS to find out all there is to know about a company. Normally a simple query gives away the mail servers and perhaps a few CNAME and TXT records. But what if a single query revealed everything an attacker would like to know, in milliseconds? Sometimes it does, if the name server allows open DNS zone transfers.
We recently came across this issue at one of the ‘Big 4’ accounting organisations. We reported to the organisation which of their servers was openly sharing all 3,600 of its mostly confidential records, a goldmine for any would-be attacker. They fixed it promptly, and it gave me some inspiration to inform people about this relic of a vulnerability.
AXFR
So I’ll keep this simple! DNS servers hold the records that map names to IP addresses for everything you use on the internet, and your corporate DNS holds the records for your organisation’s whole domain structure. It’s normal to run at least two name servers for redundancy, and to keep them in step the secondary pulls a copy of the zone from the primary: a full copy via AXFR, or just the changes since its last copy via IXFR. That transfer runs over TCP port 53. For security you only want a name server to hand the zone to its own secondaries, but what if it were misconfigured and handed it to anyone who asked? That is an open zone transfer, usually just called AXFR.
It can affect businesses of all sizes; we found it in a company worth upwards of $20 billion, but it could have been any organisation.
The Risks
So when an attacker is prowling around your organisation’s online estate they may brute-force subdomain names to discover what software you run. You might one day want a special server to sit on its own, away from your regular servers, so you register it in a separate IP block and try to obscure it with a name like HF24SKDFJ.CompanyName.com. Or when you enrol a client onto your systems you configure a CNAME so they get their own subdomain at your place, companyB.CompanyName.com. An open AXFR hands all of this over immediately, with zero effort and no guessing.
In the case of the company we reported our issue to, the 3,600 AXFR records included many subdomains referring to ‘payroll’ and ‘backup’, information which, if you can help it, is best kept a little hidden.
Set the hostnames aside for a moment: a successful AXFR also returns the zone’s A and AAAA records, so it reveals most, if not all, of the organisation’s IP addresses, which can be scanned for direct exploitation at a later date.
The Fix
Well, DNS servers can be configured to share the zone only with their own secondaries. On Windows it’s a couple of clicks on the Zone Transfers tab of the zone’s properties in DNS Manager, or the command below:
dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress>...]}
/NonSecure is the open setting you want to get rid of; /SecureNs restricts transfers to the servers listed in the zone’s NS records, /SecureList to the IP addresses you name, and /NoXfr disables transfers altogether. On BIND the equivalent is the zone’s allow-transfer option, listing only the secondaries’ addresses.
But here’s the twist: most DNS servers on the internet already refuse transfers to anyone but their secondaries. This issue is older than me, and yearly penetration tests, PCI assessments and vulnerability scans will almost always check for it.
That, in my opinion, is the problem: the cheaper ‘scanning vendors’ and inexperienced testers tend to test only the name servers a company displays, normally the first two!
ns1.companyname.com and ns2.companyname.com… but what if there were more? Is ns3.companyname.com, for example, being tested? As businesses grow, infrastructure gets bolted on and services get forgotten about. DNS is a hardy service that will run for years once launched, and I see companies neglect their legacy equipment time and time again as they expand. If this kind of attack worries you, scan your own network for anything listening on port 53 (UDP and TCP), look up every NS record for your domains rather than just the two you remember, and try a zone transfer against each server yourself with a simple dig (Linux):
dig axfr domain.com @ns3.nameserver.com
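The script below is added here as a worked example; it is not code from the original post. It does what the paragraph above describes end to end: it looks up every NS record for a zone instead of assuming ns1 and ns2, attempts an AXFR against each server with dig, and where a transfer succeeds it counts the records and flags owner names such as ‘payroll’ and ‘backup’. The parsing functions are exercised against a constructed sample of dig output for the page’s fictional companyname.com (the host names and addresses in it are made up); the live functions need dig and network access, and the zone you pass in must be one you own or are authorised to test.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Finds every authoritative
# name server for a zone and tries a zone transfer (AXFR) against each one.
# Live checks need `dig` (dnsutils / bind-utils); the parsing runs offline.

# Owner-name keywords that hint at hosts an organisation would rather not advertise.
SENSITIVE_RE='payroll|backup|vpn|admin|intranet|staging'

# Constructed sample of `dig axfr` output for the page's fictional zone; it is
# not a real capture. A full transfer starts and ends with the SOA record.
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr companyname.com @ns3.companyname.com
;; global options: +cmd
companyname.com.            3600 IN SOA   ns1.companyname.com. hostmaster.companyname.com. 2024010101 7200 900 1209600 3600
companyname.com.            3600 IN NS    ns1.companyname.com.
companyname.com.            3600 IN NS    ns2.companyname.com.
companyname.com.            3600 IN NS    ns3.companyname.com.
companyname.com.            3600 IN MX    10 mail.companyname.com.
payroll.companyname.com.    3600 IN A     192.0.2.10
backup.companyname.com.     3600 IN A     192.0.2.11
HF24SKDFJ.companyname.com.  3600 IN A     198.51.100.7
companyb.companyname.com.   3600 IN CNAME portal.companyname.com.
companyname.com.            3600 IN SOA   ns1.companyname.com. hostmaster.companyname.com. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 203.0.113.53#53(ns3.companyname.com) (TCP)
;; XFR size: 10 records (messages 1, bytes 412)'

# What a correctly restricted server answers (constructed, same format as dig).
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr companyname.com @ns1.companyname.com
;; global options: +cmd
; Transfer failed.'

# Read raw dig output on stdin and print one "owner type rdata" line per
# record, dropping dig's ";"-prefixed commentary and the trailing dot on names.
parse_axfr() {
  awk '!/^;/ && NF >= 5 {
    name = $1; sub(/\.$/, "", name)
    rdata = $5; for (i = 6; i <= NF; i++) rdata = rdata " " $i
    print name, $4, rdata
  }'
}

# Count parsed records on stdin (prints 0, rather than failing, on empty input).
count_records() {
  grep -c . || true
}

# Print the distinct owner names on stdin that match SENSITIVE_RE.
flag_sensitive() {
  awk '{ print $1 }' | grep -Ei "$SENSITIVE_RE" | sort -u
}

# Succeed only if the raw dig output in $1 is a completed transfer: no
# "Transfer failed" marker and at least one resource record.
transfer_succeeded() {
  case "$1" in *'Transfer failed'*) return 1 ;; esac
  printf '%s\n' "$1" | parse_axfr | grep -q .
}

# --- live checks: everything below needs network access and dig ---

# Every NS record for the zone, so forgotten servers like ns3 are included.
list_nameservers() {
  dig +short NS "$1" | sed 's/\.$//' | sort -u
}

# Request a full zone transfer of zone $1 from server $2 (dig uses TCP for AXFR).
try_axfr() {
  dig +time=5 +tries=1 axfr "$1" "@$2"
}

# Audit one zone: report each name server that hands out the zone and the
# hostnames in it worth worrying about.
audit_zone() {
  zone="$1"
  for ns in $(list_nameservers "$zone"); do
    out=$(try_axfr "$zone" "$ns")
    if transfer_succeeded "$out"; then
      records=$(printf '%s\n' "$out" | parse_axfr)
      n=$(printf '%s\n' "$records" | count_records)
      echo "[!] $ns allows AXFR of $zone ($n records)"
      printf '%s\n' "$records" | flag_sensitive | sed 's/^/    sensitive: /'
    else
      echo "[ok] $ns refuses AXFR of $zone"
    fi
  done
}

# Usage: ./axfr_audit.sh companyname.com   (only against zones you are
# authorised to test). Without an argument the script only defines the functions.
if [ -n "${1:-}" ]; then
  audit_zone "$1"
fi
```

Run it against each of your own zones after applying the fix as well as before: a restricted server should answer every line with `[ok]`. The keyword list is deliberately short; extend it with whatever naming conventions your own estate uses.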
If you would like assistance in testing for issues like these, make contact today.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.