Information gathering is the first step in the penetration testing process. In this phase, we try to collect as much information as we can about the target. To perform an attack, we need basic information about the target, and the more information we gather, the higher the probability of a successful attack.
Information gathering can be categorized as:
- Active information gathering: We collect information by introducing network traffic into the target network.
- Passive information gathering: We gather information about a target network by utilizing a third party's services, such as the Google search engine.
Dnstracer is an information gathering tool. Dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers that know the data. It prints all responses it receives from the DNS servers.
- AUTHOR: EDWIN GROOTHUIS
- LICENCE: BSD (Berkeley Software Distribution)
BSD licenses are a family of permissive free software licenses, imposing minimal restrictions on the use and redistribution of covered software. The original BSD license was used for its namesake, the Berkeley Software Distribution (BSD), a Unix-like operating system. The BSD license is a simple license that merely requires that its license notice be retained when the code is redistributed in source code form. BSD (unlike some other licenses) does not require that source code be distributed at all.
WORKING OF DNSTRACER
- Dnstracer works by sending the specified name server a non-recursive request for the name.
- If the name server returns an authoritative answer for the name, the next server in the queue is queried.
- If it returns a non-authoritative answer for the name, the name servers listed in the authority records will be queried.
- The program stops when all name servers have been queried.
- The objective of the tool is to map the chain of name servers for the target until the root name servers are reached.
Various record types can be queried, such as NS, MX, A, AAAA, SOA, NSEC, etc.
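The delegation-following loop described above, written out as an added Python example (this is an illustration, not dnstracer's own code). It runs against a constructed in-memory model of DNS servers (`FAKE_DNS`, an assumption of this example) instead of the network: each server answers a non-recursive query either authoritatively (the `authoritative` field stands for the AA flag of a real reply) or with a referral naming the servers in its authority section. Servers are keyed by hostname, so glue/address resolution is left out, and the `queried` list plays the role of dnstracer's local cache (the behaviour that `-c` disables).

```python
"""Delegation-following trace in the style of dnstracer, over a constructed
in-memory DNS model (no network). Added illustration, not dnstracer's code."""
from dataclasses import dataclass, field


@dataclass
class Response:
    authoritative: bool                              # the AA flag of a real DNS reply
    answers: list = field(default_factory=list)      # RRs in the answer section
    authority: list = field(default_factory=list)    # NS names in the authority section


# Constructed model: server -> {qname: Response}. A non-recursive query (RD=0) to
# a server that is not authoritative for the name gets a referral, never an answer.
FAKE_DNS = {
    "a.root-servers.net": {
        "example.com": Response(False, [], ["a.gtld-servers.net", "b.gtld-servers.net"]),
    },
    "a.gtld-servers.net": {
        "example.com": Response(False, [], ["ns1.example.com", "ns2.example.com"]),
    },
    "b.gtld-servers.net": {
        "example.com": Response(False, [], ["ns1.example.com", "ns2.example.com"]),
    },
    "ns1.example.com": {"example.com": Response(True, ["A 203.0.113.10"])},
    "ns2.example.com": {"example.com": Response(True, ["A 203.0.113.10"])},
}


def query(server, name, model=FAKE_DNS):
    """Stand-in for one non-recursive query; None if the server has no reply."""
    return model.get(server, {}).get(name)


def trace(name, start_server=".", model=FAKE_DNS):
    """Follow referrals from start_server until every reachable server has been
    asked. '.' means "start at a root server", like dnstracer's `-s .`.
    Returns (servers queried in order, {server: answers} for authoritative replies)."""
    if start_server == ".":
        start_server = "a.root-servers.net"
    queried, results = [], {}
    pending = [start_server]
    while pending:
        server = pending.pop(0)
        if server in queried:
            continue                        # local cache: never ask a server twice
        queried.append(server)
        resp = query(server, name, model)
        if resp is None:
            continue                        # no reply: move on to the next server
        if resp.authoritative:
            results[server] = resp.answers  # authoritative: record the answer, stop here
        else:
            pending.extend(resp.authority)  # referral: queue the servers it named
    return queried, results


if __name__ == "__main__":
    servers, answers = trace("example.com")
    print("queried:", " -> ".join(servers))
    for server, rrs in answers.items():
        print(f"{server} (authoritative): {rrs}")
```

The order of `queried` is exactly the walk dnstracer prints: root, then both TLD servers (because each referral is followed), then the zone's own name servers, each asked only once.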
SYNTAX AND OPTIONS
Syntax: dnstracer [options] [host]
- -o: enable overview of received answers, default disabled
- -4: don't query IPv6 servers
- -v: verbose
- -r <retries>: number of retries for DNS requests, default 3
- -s <server>: DNS server to use for the initial request, default is acquired from the system. If a dot (.) is specified, A.ROOT-SERVERS.NET will be used.
- -t <maximum timeout>: limit the time to wait per try
- -c: disable local caching, default enabled
- -S <ip address>: use this source address
- -C: enable negative caching, default disabled
- -q <querytype>: the most important option. It specifies which kind of DNS record you want to query for.
Address Mapping records (A)
The A record specifies the IPv4 address for a given host.
A records are used to convert domain names to their corresponding IP addresses.
Host Information records (HINFO)
Used to acquire general information about a host; specifies the type of CPU and OS.
Mail exchanger record (MX)
Specifies a mail exchange server for a DNS domain name.
The information is used by SMTP to route emails to the proper hosts.
Name Server records (NS)
The NS record specifies an authoritative name server for a given domain.
IP Version 6 Address records (AAAA)
The AAAA record specifies the IPv6 address for a given host.
Reverse-lookup Pointer records (PTR)
The PTR record is used to look up domain names based on an IP address.
Start of Authority records (SOA)
It specifies core information about a DNS zone,
including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
Text records (TXT)
The TXT record can hold an arbitrary, unformatted text string.
To open dnstracer:
Application → Kali Linux → Information gathering → DNS Analysis → dnstracer
To see an overview of all the responses:
dnstracer -o google.com
To see more information in a structured format:
dnstracer -v -o google.com
To view SOA records:
dnstracer -q soa -o -4 google.com
- It returns the serial number, MNAME, and RNAME
- MNAME is the primary name server for the domain
- RNAME is the email address of the person responsible for the domain
To trace all the mail servers:
dnstracer -q mx -o -4 google.com
To view all the name servers:
dnstracer -q ns -o -4 google.com
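What the record-type list and the SOA example above look like on the wire, as an added Python example (not dnstracer's code): it builds the non-recursive query that dnstracer sends (header flags 0, so the RD bit is clear, with the QTYPE codes from RFC 1035 for the record types listed earlier), and decodes a reply far enough to read the AA flag that decides between "authoritative answer" and "follow the NS names in the authority section", plus the MNAME, RNAME and serial of an SOA answer. The three sample replies (`SAMPLE_REFERRAL`, `SAMPLE_AUTHORITATIVE`, `SAMPLE_SOA`) are constructed in the block itself, not captured from any real server, so everything runs offline.

```python
"""Build a non-recursive DNS query (RD=0) and decode the reply header, the way
dnstracer judges a reply by its AA flag. Wire format per RFC 1035. The sample
replies below are constructed, not captured. Added example, not dnstracer's code."""
import struct

# QTYPE codes for the record types discussed on the page (RFC 1035 / RFC 3596)
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "HINFO": 13, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Header flags = 0x0000: QR=0, opcode=0, RD=0, i.e. a non-recursive request."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype.upper()], 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (11xxxxxx)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # caller resumes after the pointer
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_reply(msg):
    """Return id, AA flag, rcode and the answer/authority sections as tuples
    (owner, rtype, ttl, rdata). NS, A and SOA rdata are decoded; others stay raw."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "answers": [], "authority": []}
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for section, count in (("answers", an), ("authority", ns)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 2:                             # NS: rdata is a domain name
                rdata, _ = decode_name(msg, off - rdlen)
            elif rtype == 1:                           # A: four octets
                rdata = ".".join(str(b) for b in rdata)
            elif rtype == 6:                           # SOA: mname, rname, serial, timers
                mname, o = decode_name(msg, off - rdlen)
                rname, o = decode_name(msg, o)
                serial = struct.unpack("!I", msg[o:o + 4])[0]
                # RNAME encodes the admin mailbox with the first dot standing for '@'
                # (assumes a local part without dots, the common case)
                rdata = (mname, rname.replace(".", "@", 1), serial)
            info[section].append((owner, rtype, ttl, rdata))
    return info


def referral_targets(info):
    """dnstracer's rule: an authoritative reply ends the trace at this server;
    a non-authoritative one hands back the NS names from its authority section."""
    if info["aa"]:
        return []
    return [rdata for _, rtype, _, rdata in info["authority"] if rtype == 2]


def _rr(owner_bytes, rtype, ttl, rdata):
    return owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed samples. 0xC00C points at offset 12 (the question name "example.com"),
# 0xC014 at offset 20 (its "com" label); 0x8400 sets QR and AA, 0x8000 only QR.
SAMPLE_REFERRAL = (                                    # non-authoritative: NS in authority
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + _rr(b"\xc0\x14", 2, 172800, encode_name("a.gtld-servers.net"))
    + _rr(b"\xc0\x14", 2, 172800, encode_name("b.gtld-servers.net"))
)
SAMPLE_AUTHORITATIVE = (                               # AA=1 with an A answer
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + _rr(b"\xc0\x0c", 1, 300, bytes([203, 0, 113, 10]))
)
SAMPLE_SOA = (                                         # AA=1 with an SOA answer
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 6, 1)
    + _rr(b"\xc0\x0c", 6, 3600, encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
          + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 3600))
)
```

Sending `build_query(...)` over UDP port 53 and feeding the datagram to `parse_reply` is all dnstracer adds around this logic; the important defensive reading is the AA bit: a reply without it is a referral, and only the servers it names are asked next.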