We will be using zonetransfer.me as our target domain name. The domain zonetransfer.me has been created by Robin Wood, from DigiNinja (https://digi.ninja/projects/zonetransferme.php), to illustrate the risks of allowing public DNS zone transfers:
- We first use whois on the domain name to get its registration information. Let's try it on a domain such as zonetransfer.me:
# whois zonetransfer.me
- Another tool used to get information about the domain name and DNS resolution is dig. We can, for example, query the nameservers for the target domain:
# dig ns zonetransfer.me
- Once we have the information on the DNS servers, we can attempt a zone transfer attack to get all the hostnames the server resolves. For this, we use dig:
# dig axfr @nsztm1.digi.ninja zonetransfer.me
Luckily for us, the server is vulnerable and gives us a complete list of subdomains and the hosts they resolve to. Sometimes we can find some low-hanging fruit to exploit on them:
- We now use theharvester to identify email addresses, hostnames, and IP addresses related to the target domain:
# theharvester -b all -d zonetransfer.me
- For each web server in scope, we want to know what software and which versions it uses; a way of doing this without directly querying the server is through Netcraft. Browse to https://toolbar.netcraft.com/site_report and enter the URL in the search box:
- Also, sometimes it may be useful to know what the site looked like before the last update; maybe it had some valuable information that was later removed. To get a static copy of a previous version of our targets, we can use the Wayback Machine at https://archive.org/web/web.php:
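As an added example (not part of the original recipe), the following Python script automates the dig ns / dig axfr steps above and parses the transfer so the hosts a zone discloses can be inventoried; the same check is useful for verifying that your own nameservers refuse AXFR. The embedded dig output is a constructed sample for example.net using RFC 5737 addresses, not the real zonetransfer.me zone; check_zone assumes dig is installed and has network access.

```python
import re
import subprocess
from collections import defaultdict

FAILED_MARKER = "; Transfer failed."  # dig prints this when the AXFR is refused
# owner  TTL  class  type  rdata  (rdata may contain spaces, e.g. MX, SOA, TXT)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.+)$")

def parse_axfr(output):
    """Return {owner: [(type, rdata), ...]}; ';' lines skipped, repeated SOA kept once."""
    records = defaultdict(list)
    for line in output.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, "Transfer failed.", etc.
        owner, _ttl, rtype, rdata = m.groups()
        entry = (rtype, rdata.strip())
        if entry not in records[owner.rstrip(".")]:
            records[owner.rstrip(".")].append(entry)
    return dict(records)

def transfer_allowed(output):
    """True when the server answered the AXFR with at least one record."""
    return FAILED_MARKER not in output and bool(parse_axfr(output))

def host_addresses(records):
    """Owner names that carry A/AAAA records, mapped to their addresses."""
    return {name: [r for t, r in entries if t in ("A", "AAAA")]
            for name, entries in records.items()
            if any(t in ("A", "AAAA") for t, _ in entries)}

def check_zone(domain):
    """The recipe's steps in one call: `dig ns`, then `dig axfr` at each nameserver.
    Needs network access and dig; returns {nameserver: transfer_allowed}."""
    servers = subprocess.run(["dig", "+short", "ns", domain], capture_output=True,
                             text=True, check=True).stdout.split()
    return {s: transfer_allowed(subprocess.run(["dig", "axfr", "@" + s, domain],
                                               capture_output=True, text=True).stdout)
            for s in servers}

# Constructed sample of dig axfr output (example.net with RFC 5737 addresses).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.net example.net
example.net.          7200 IN SOA  ns1.example.net. hostmaster.example.net. 2019 3600 900 604800 300
www.example.net.      300  IN A    192.0.2.10
mail.example.net.     300  IN A    192.0.2.20
mail.example.net.     300  IN AAAA 2001:db8::20
intranet.example.net. 300  IN A    198.51.100.5
example.net.          7200 IN SOA  ns1.example.net. hostmaster.example.net. 2019 3600 900 604800 300
"""
```

Running `check_zone("zonetransfer.me")` reproduces the recipe's result, while `host_addresses(parse_axfr(...))` turns a transfer into a host-to-address inventory.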