Northern Kentucky University



CIT 480: Securing Computer Systems
Lab #8: DNS Security
Name: _____________________

1: Introduction
In this lab, we will research the names and IP addresses of several domains to determine how much information is exposed through domain registration and DNS configuration. We will run our security tools on Kali, a Linux distribution designed for network security and penetration testing. Log in as user student.

References
DiG HOWTO, man page, man dig

2: Domain Registration
We will run whois in the terminal window to find domain registration information. The output of this command is long, so we will pipe it through less to paginate it.

2.1: Who is the technical point of contact for NKU's domain?
$ whois nku.edu | less

2.2: Who is the administrative point of contact for NKU's domain?
$ whois nku.edu | less

2.3: What are the IP addresses of NKU's external DNS servers?
$ whois nku.edu | less

2.4: The whois command can look up information by IP address as well as by domain name. To find the full range of public IP addresses owned by NKU, you can do a lookup of the IP address of one of the DNS servers found in the previous question. Replace the string PUBLIC_DNS_SERVER_IP below with the actual IP address of one of the servers. Write the IP range in CIDR notation in the box below.
$ whois PUBLIC_DNS_SERVER_IP | less

3: DNS Lookups with DiG
The DiG (Domain information Groper) command can be used to look up information in the DNS. It is a replacement for the older nslookup tool, which is still available on most Linux and Windows systems. By default, dig provides long output with much information we don't need, so we will often use the +nocomments +nostats options to remove the irrelevant output.

3.1: What is the IP address of nku.edu?
$ dig nku.edu +nocomments +nostats

3.2: If you logged into nku.edu via ssh and looked at the hostname in your bash prompt, what would it be? It would not be nku.edu, which is listed as a CNAME alias for the actual hostname.
$ dig nku.edu +nocomments +nostats

3.3: Log in to kosh.nku.edu via ssh, then use dig on that server to find the IP address of nku.edu. Since kosh is outside NKU's firewall, this lookup will return the public IP address of the server, which is different from the private IP address that is only available to hosts inside NKU's network. Write it in the box below. Note that the dig output will look slightly different on kosh, because the version of dig there is different from the version on your VM.
$ ssh YOUR_USERNAME@kosh.nku.edu
kosh$ dig nku.edu +nocomments +nostats

3.4: The reason for the different results for resolving nku.edu internally and externally is the use of different servers. Which servers were used for the internal and external lookups? This information can be found in the file /etc/resolv.conf. The internal servers will be listed in that file on your VM, while the external servers will be listed in that file on kosh.
Internal DNS server:
External DNS server:

3.5: You don't actually need to log into a different machine to use a different DNS server, as dig can explicitly look up a name using another DNS server too. What IP address does the Google public DNS server, 8.8.8.8, return? Is it the internal or external IP address of nku.edu?
$ dig @8.8.8.8 nku.edu +nocomments +nostats

3.6: Follow each step that a DNS lookup takes with the +trace option. The output is long, so we will page it by piping it to the less command. How many steps did the lookup take? What was the address component looked up at each step?
$ dig nku.edu +trace | less
__ steps
1.
2.
3.
...

4: DNS Reconnaissance
You can obtain the list of all name-to-IP-address mappings for a domain by performing a DNS zone transfer. However, most DNS servers do not permit zone transfers, as that information is highly useful to a threat planning to attack a network. To work around this limitation, DNS reconnaissance tools have been developed to find some of the names in a domain.

4.1: First, we'll use dnsrecon to perform reverse DNS lookups of all of NKU's public IP addresses. Replace FIRST_IP below with the first IP address in NKU's public IP address range, and replace LAST_IP with the last IP address in that range. List the DNS names found in the box below.
$ dnsrecon -w -r FIRST_IP-LAST_IP | less

4.2: Reverse DNS lookups will not find all of the CNAME aliases used for virtual web hosting, so in this step we will use dmitry to find more hosts.
$ dmitry -s nku.edu | less

4.3: Were any of the names found in question 4.2 not found with dnsrecon in question 4.1?

5: Submitting the Lab
Bring a printed copy with your name on it to class after the class period on which it was given.
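
The internal and external answers compared in questions 3.3 to 3.5 can also be checked mechanically. The following is an added example, not part of the original lab handout: it parses dig answer lines, follows the CNAME alias to the canonical host, and marks each address as RFC 1918 private or not. The example.edu names, the addresses, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not real lookups), laid out like dig answer output.
INTERNAL = """\
;www.example.edu.        IN A
www.example.edu.   300 IN CNAME web01.example.edu.
web01.example.edu. 300 IN A     10.20.30.40
"""
EXTERNAL = """\
;www.example.edu.        IN A
www.example.edu.   300 IN CNAME web01.example.edu.
web01.example.edu. 300 IN A     198.51.100.40
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_answers(text):
    """Return (name, type, data) for each record line, skipping ';' comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not line.startswith(";") and len(fields) >= 5 and fields[2] == "IN":
            records.append((fields[0].lower(), fields[3], fields[4]))
    return records

def resolve(records, name):
    """Follow CNAME aliases from name; return (canonical name, A addresses)."""
    name = name.lower().rstrip(".") + "."
    cnames = {n: d.lower() for n, t, d in records if t == "CNAME"}
    seen = set()
    while name in cnames and name not in seen:  # stop on an alias loop
        seen.add(name)
        name = cnames[name]
    return name, [d for n, t, d in records if t == "A" and n == name]

def view(text, name):
    """Canonical host plus (address, is_rfc1918_private) for one resolver's answer."""
    canonical, addrs = resolve(parse_answers(text), name)
    return canonical, [(a, any(ipaddress.ip_address(a) in net for net in RFC1918))
                       for a in addrs]

if __name__ == "__main__":
    for label, text in (("internal", INTERNAL), ("external", EXTERNAL)):
        print(label, view(text, "www.example.edu"))
```

The private check uses an explicit RFC 1918 list because Python's `is_private` also returns True for documentation ranges such as 198.51.100.0/24.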