Penetration Testing mailing list archives

Re: Several Domains


From: Tim Brown <tmb () 65535 com>
Date: Fri, 12 Dec 2008 09:43:24 +0000

On Friday 12 December 2008 03:33:32 Ahmed Zaki wrote:
> Thanks for your reply.
>
> Apparently it's my fault; I should have made my question clearer.
>
> Your target is Company X. The IP of the mail server turned out to be
> xxx.xxx.xxx.xxx and that, when used to do a reverse DNS lookup, gave
> mail.companyx.com, mail.companyx-fs.com, mail.companyx.com.fs,
> mail.companyxfs.com. As a pentester how would you go about identifying the
> actual domain name that is being used internally?

Are the DNS servers under the control of your target?  Microsoft's DNS server
implementation has an interesting default configuration where
127.in-addr.arpa, 255.in-addr.arpa and 0.in-addr.arpa are automatically
populated (this can be disabled from the registry).  The automatic population
of these zones can often leak internal network information.  Likewise, BIND
has a similar issue; have a look at
http://www.nth-dimension.org.uk/blog.php?id=56 which discusses this in more
depth.

Cheers,
Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>
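As an added example (not part of Tim's reply or the list archive), the following stand-alone Python script is a self-audit an administrator can run against their own name servers to see whether they answer authoritatively for the three reverse zones named above. It uses only the standard library, builds a minimal SOA query by hand, and classifies the reply from the header flags alone (AA bit and RCODE); the server address, the use of UDP port 53 and the constructed sample replies used for testing are all assumptions of this example, and a server that does host one of these zones should then have its PTR content reviewed for internal names it was never meant to publish.

```python
"""Self-audit: does a DNS server claim authority for the default reverse zones?

Added example, not code from the mailing list. Uses only the standard library.
"""
import random
import socket
import struct

# Reverse zones the thread says Microsoft DNS populates by default.
DEFAULT_REVERSE_ZONES = ("0.in-addr.arpa", "127.in-addr.arpa", "255.in-addr.arpa")


def build_soa_query(zone: str, txid: int) -> bytes:
    """Build a minimal DNS query: one question, QTYPE=SOA, QCLASS=IN, RD=0."""
    # Header: ID, flags (QR=0, RD=0), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    # QNAME as length-prefixed labels terminated by a zero-length label.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in zone.split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 6, 1)  # SOA (6), IN (1)
    return header + question


def parse_response(data: bytes) -> dict:
    """Extract the header fields the audit needs (ID, QR, AA, RCODE, counts)."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rcode": flags & 0x000F,
        "answers": an,
        "authority": ns,
    }


def classify(resp: dict) -> str:
    """Authoritative NOERROR with an answer means the server hosts the zone."""
    if resp["rcode"] == 0 and resp["aa"] and resp["answers"] > 0:
        return "authoritative (zone hosted; review its PTR records for internal names)"
    if resp["rcode"] == 3:
        return "NXDOMAIN (zone not hosted)"
    if resp["rcode"] == 5:
        return "REFUSED (server declines to answer for this zone)"
    return f"other (rcode={resp['rcode']}, aa={resp['aa']})"


def audit_server(server: str, zones=DEFAULT_REVERSE_ZONES, timeout: float = 2.0) -> dict:
    """Send one SOA query per zone to `server` over UDP/53 and classify each reply."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for zone in zones:
            txid = random.randint(0, 0xFFFF)
            sock.sendto(build_soa_query(zone, txid), (server, 53))
            try:
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                results[zone] = "no response"
                continue
            resp = parse_response(data)
            if resp["txid"] != txid:
                results[zone] = "mismatched transaction id (reply ignored)"
                continue
            results[zone] = classify(resp)
    return results


# Constructed sample replies (header only; not captured from any real server):
# ID 0x1234, QR=1 AA=1 RCODE=0 with one answer, and QR=1 AA=1 RCODE=3 (NXDOMAIN).
SAMPLE_AUTHORITATIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
SAMPLE_NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)


if __name__ == "__main__":
    import sys
    # Point this at one of your own name servers, e.g. `python audit.py 192.0.2.53`.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for zone, verdict in audit_server(target).items():
        print(f"{zone:18} {verdict}")
```

The check is deliberately conservative: an authoritative answer for 0.in-addr.arpa is only an indicator that the auto-populated zone exists, so the follow-up is to list that zone's PTR records on the server itself and confirm nothing internal is reachable from the outside, or to disable the automatic population as Tim describes.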
