Attacking DNS

DNZ zone is a portion of the DNS namespace that an org manages
DNS comprises of zones, servers
DNS servers utilize DNS zone transfers to copy a portion of their db to another DNS server
If not configured to limit the IPs requesting zone transfer, it can be done by anyone as it does not require authentication
Done over the TCP port

Command - DNS Zone transfer

Fierce - Enum DNS servers of the root domain and scan for Zone transfer

Domain Takeover is registering a non-existent domain name to gain control over another domain
If an expired domain is found, it can be used to host malicious content

Subfinder - https://github.com/projectdiscovery/subfinder
enumerate subdomains
./subfinder -d inlanefreight.com -v
sublist3r - https://github.com/aboul3la/Sublist3r
brute-force subdomains
subbrute - https://github.com/TheRook/subbrute
for internal pentests on hosts that dont have access to internet
Enter the domain you have in the resolvers.txt
You will get a list of subdomains
Try dig axfr subdomain @<domain>\
One of the above tool found 4 subdomains
Using nslookup or host, we can enumerate the CNAME records
host support.inlanefreight.com
It points to an AWS S3 bucket
When we try to access the URL, we can see that the bucket does not exist
- This is a misconfiguration
We can create a bucket with the same name and perform subdomain takeover
https://github.com/EdOverflow/can-i-take-over-xyz - check if target is vulnerable for account takeover

MITM tools like Ettercap or Bettercap Workflow
cat /etc/ettercap/etter.dns
modify to map the target domain name and attackers IP
Start ettercap and scan for live hosts
Add target IP to Target 1, default gateway to target 2
Activate dns_spoof attack by navigating to Plugins > Manage Plugins.
This send the target machine with fake DNS responses to resolve inlanefreight.com to our attacker IP
Once done:
Targets browser will redirect to our IP
ICMP to inlanefreight.com will respond from our IP