Penetration Testing mailing list archives
RE: finding dyndns names for existing IP
From: "Adrian Lazar" <alazar () bripharm com>
Date: Wed, 26 Nov 2003 08:30:48 -0800
Have you tried doing DNS zone transfers? Sometimes DNS servers or only domain zones are misconfigured and allow this.

anydomainname.com is hosted by ns.company.com where ns is primary, secondary, ternary, etc.

nslookup
set q=any
server ns.company.com
ls -d anydomainname.com.

dig @ns.company.com axfr anydomainname.com

Hope this helps.

Cheers,
Adrian

PS: another thing I would do is to ask routers for subnet masks (SING, hping), look at their web site pages' code to determine possible internal IPs, analyze their e-mail headers - sometimes these leak internal IP addresses.

-----Original Message-----
From: Thomas Kerbl [mailto:t.kerbl () weigl de]
Sent: Wednesday, November 26, 2003 2:06 AM
To: pen-test () securityfocus com
Subject: finding dyndns names for existing IP

Hello,

I'm searching for a way to find DynDns names to existing IPs. We are working on a pen-test for a customer, who has a dynamic IP that changes every day, and it is hard for us to keep track of their Gateway.

We simulate an attacker without internal knowledge, so we cannot simply ask for a dyndns name. Social Engineering would be easy, but I'm looking for a technical way to do it. We already tried obvious names like companyname.dyndns.org and similar DNS names.

To try to summarize the problem:
1) We assume the company uses the DynDns service (or a similar service).
2) We got the actual valid IP through social engineering.
3) We want to find the dyndns name of this IP to keep track.

Is there a Database hosted by dyndns (or similar service) we can consult? Or is there a way to do a reverse lookup on the IP?

thanks a lot for any pointers,
Thomas Kerbl

--
~ weigl interservice ~ www.weigl.de
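The e-mail header leak mentioned in the PS above, turned into a check you can run against mail your own gateway sends out. This is an added example, not part of the original post; the sample message, host names and addresses are constructed, and the function name is hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample message (not from the thread); hosts and addresses are made up.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [192.0.2.25])
\tby mx.example.net with ESMTP; Wed, 26 Nov 2003 08:30:50 -0800
Received: from ws-042.corp.example.com ([10.20.30.42])
\tby mail.example.com with ESMTP; Wed, 26 Nov 2003 08:30:48 -0800
X-Originating-IP: [172.16.5.9]
From: alice@example.com
To: bob@example.net
Subject: constructed test message

body text, 10.0.0.1 here is not a header and is ignored
"""

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also flag
# documentation ranges such as 192.0.2.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quad not glued to further digits or dots (avoids matching inside longer strings).
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def internal_addresses(raw_message):
    """Return [(header_name, address)] for RFC 1918 addresses found in any header."""
    msg = email.message_from_string(raw_message)
    hits = []
    for name, value in msg.items():          # headers only, folded lines included
        for token in IPV4.findall(str(value)):
            try:
                addr = ipaddress.IPv4Address(token)
            except ipaddress.AddressValueError:
                continue                      # not a valid address, e.g. 999.1.1.1
            if any(addr in net for net in RFC1918):
                hits.append((name, str(addr)))
    return hits


if __name__ == "__main__":
    for header, addr in internal_addresses(SAMPLE):
        print(f"{header}: internal address {addr} visible to recipients")
```

Any hit means the outbound relay is passing internal hop information through; stripping or rewriting those headers at the gateway removes the leak.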