When doing recon on a target, it’s important to spend some quality time looking at your target’s public DNS. There is lots of valuable information that can be gleaned from subdomain public DNS records. For example, many companies will utilize vpn.companyname.com, which is an entry point into the network that may be exploitable. Another good one is remote.companyname.com. Ideally, you want to identify as many entry points into the network as possible and then perform nmap scans to locate potentially vulnerable services being exposed to the Internet.
However, as you can imagine, it doesn’t make much sense to manually query all of the possibilities – so that leaves us with a couple of options. One option is to attempt a zone transfer from the domain’s name servers. When taking this approach (which probably won’t work), we usually start by performing a simple “whois” on the target’s domain. For example:
With this scenario, based on the above whois, we know that Monsanto’s (our victim’s) name servers are:
To attempt a zone transfer against a particular name server, we can issue the following command:
dig axfr @ns4.monsanto.com monsanto.com
As suspected, it failed. However, there are actually a high number of misconfigured or poorly configured public DNS servers that allow a zone transfer. If you can find a target that allows a zone transfer, it negates the need for option 2, because there would be no need to bruteforce subdomains. For testing purposes, zonetransfer.me allows zone transfers.
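As an added example (not part of the original post), here is a small Python helper a DNS administrator can run against their own authoritative servers to confirm that AXFR is refused: it wraps the same dig query shown above and parses the answer, reporting which names would have leaked if the transfer succeeded. The two sample dig outputs are constructed, and example.com / ns1.example.com are placeholders.

```python
import re
import subprocess
from dataclasses import dataclass, field

# One resource record line as printed by "dig axfr": NAME TTL IN TYPE RDATA.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

@dataclass
class AxfrResult:
    transferred: bool                             # True if the zone was handed over
    records: list = field(default_factory=list)   # (name, type, rdata) tuples
    hostnames: set = field(default_factory=set)   # names disclosed by the transfer

def parse_axfr(dig_output: str) -> AxfrResult:
    """Classify dig output as refused (what a well-run zone returns) or as a full
    transfer, in which case collect every name the server gave away."""
    result = AxfrResult(transferred=False)
    for line in dig_output.splitlines():
        if line.startswith(";"):    # dig comments, including "; Transfer failed."
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        name, _ttl, rtype, rdata = m.groups()
        owner = name.rstrip(".").lower()
        result.records.append((owner, rtype, rdata.strip()))
        result.hostnames.add(owner)
    # A successful AXFR is bracketed by the zone's SOA; a refusal yields no records.
    result.transferred = any(rtype == "SOA" for _, rtype, _ in result.records)
    return result

def audit_nameserver(nameserver: str, zone: str) -> AxfrResult:
    """Issue the post's query ("dig axfr @ns zone") against a server you operate."""
    proc = subprocess.run(["dig", "axfr", f"@{nameserver}", zone],
                          capture_output=True, text=True, timeout=30)
    return parse_axfr(proc.stdout)

# Constructed sample: a server that refuses AXFR (the expected result).
REFUSED = """; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
; Transfer failed.
"""
# Constructed sample: a misconfigured server that hands over its whole zone.
LEAKED = """; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
example.com.         3600  IN  SOA  ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.         3600  IN  NS   ns1.example.com.
vpn.example.com.     300   IN  A    192.0.2.10
remote.example.com.  300   IN  A    192.0.2.11
example.com.         3600  IN  SOA  ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
"""
```

Run `audit_nameserver("ns1.yourdomain", "yourdomain")` for each of your authoritative servers; anything other than `transferred == False` means the zone is readable by anyone and the server's transfer ACL needs tightening.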
Option 2 is to automate the guessing of our target’s subdomains by using a tool that bruteforce-queries their public name servers for responses against a wordlist. A great tool for this is Fierce. Basically, you feed Fierce a wordlist of likely subdomains and it automates the work of performing all of the queries so that we don’t have to do it manually. The key here is having good wordlists. The better the wordlists, the better information we have on our target, which increases the likelihood of finding an entry point into the network with a vulnerable service to exploit.
The command we want to use for Fierce is:
python3 fierce.py --domain monsanto.com --subdomain-file ./lists/sub_domain_list1.txt
With a domain like monsanto.com, there are a lot of results and it’s not practical to post every listed subdomain; however, below is a very small portion of the results:
Upon further review, we discover that https://w3t.teamconnect.monsanto.com takes us to an Apache landing page. While this is not indicative of a problem, it’s certainly interesting and probably worth looking into – along with a hundred other sites like airwatch.monsanto.com, which lands us at an IIS default page.