Rekonesans DNSSEC-a z wykorzystaniem… hashcata

DNSSEC wielu osobom kojarzy się większym bezpieczeństwem usługi DNS. Tymczasem… różnie z tym bywa. Mało osób ma świadomość, że w przypadku korzystania z tej usługi dosyć łatwo można wykonać enumerację skonfigurowanych w DNS-ie nazw domen. Temat ten poruszamy w naszej książce jako jeden z wielu dotyczących możliwości realizacji rekonesansu poddomen:

Konkretny Przykład? Bardzo proszę:

$ ldns-walk paypal.com
...
a.paypal.com. A RRSIG NSEC 
accounts.paypal.com. CNAME RRSIG NSEC 
active-api-m.paypal.com. A RRSIG NSEC 
active-api-s.paypal.com. A RRSIG NSEC 
active-c.paypal.com. A RRSIG NSEC 
active-history.paypal.com. A RRSIG NSEC 
active-mobile.paypal.com. A RRSIG NSEC 
active-mobileclient.paypal.com. A RRSIG NSEC 
active-pics.paypal.com. A RRSIG NSEC 
active-www.paypal.com. A RRSIG NSEC 
adjvendor.paypal.com. A RRSIG NSEC 
admin.paypal.com. A RRSIG NSEC 
adnormserv.paypal.com. A RRSIG NSEC 
adnormserv-dft.paypal.com. A RRSIG NSEC 
adnormserv-phx.paypal.com. A RRSIG NSEC 
adnormserv-slc-a.paypal.com. A RRSIG NSEC 
adnormserv-slc-b.paypal.com. A RRSIG NSEC 
agw.paypal.com. A RRSIG NSEC 
aktest.paypal.com. CNAME RRSIG NSEC 
announcements.paypal.com. A RRSIG NSEC 
pp-dkim1._domainkey.apac.paypal.com. TXT RRSIG NSEC 
cors.api.paypal.com. A RRSIG NSEC 
api-3t.paypal.com. CNAME RRSIG NSEC 
api-3t-raz01-silo.paypal.com. A RRSIG NSEC 
api-aa.paypal.com. CNAME RRSIG NSEC 
api-aa-3t.paypal.com. CNAME RRSIG NSEC 
api-m.paypal.com. CNAME RRSIG NSEC 
api-pxp.paypal.com. CNAME RRSIG NSEC 
api-raz01-silo.paypal.com. A RRSIG NSEC 
api-s.paypal.com. CNAME RRSIG NSEC 
api-t.paypal.com. A RRSIG NSEC 
apiagw-a.paypal.com. A RRSIG NSEC 
apiagw-b.paypal.com. A RRSIG NSEC 
appmanagement.paypal.com. A RRSIG NSEC 
autodiscover.paypal.com. CNAME RRSIG NSEC 
av1.paypal.com. A RRSIG NSEC 
av2.paypal.com. A RRSIG NSEC 
avlb.paypal.com. A RRSIG NSEC 
batch.paypal.com. CNAME RRSIG NSEC 
mpco-serv.betasandbox.paypal.com. A RRSIG NSEC 
pp-marketo1._domainkey.biz.paypal.com. TXT RRSIG NSEC 
blueprint.paypal.com. A RRSIG NSEC 
...

Czy da się przed tym jakoś zabezpieczyć. Niby tak – można użyć rekordów NSEC3, ale tutaj z pomocą przychodzi nam hashcat:

$ n3map toshiba.com -o toshiba.txt
warning: timeout reached when waiting for response from 198.107.141.134:53 (tshba-dns-p01.tais.net.), 4 retries left
;; mapping toshiba.com.: ................................................................................................................................................................................ ;;
;; mapping toshiba.com.: ................................................................................................................................................................................ ;;
;; records = 2441; queries = 2449; hashes = 10957568;

$ hashcatify.py toshiba.txt toshiba.htxt

$ hashcat -m 8300 -a 3 -O toshiba.htxt ?l?l?l?l?l?l?l?l --increment

Session..........: hashcat
Status...........: Quit
Hash.Name........: DNSSEC (NSEC3)
Hash.Target......: toshiba.htxt
Time.Started.....: Mon Nov 18 12:33:53 2019 (3 secs)
Time.Estimated...: Mon Nov 18 12:33:57 2019 (1 sec)
Guess.Mask.......: ?l?l?l?l?l?l [6]
Guess.Queue......: 6/8 (75.00%)
Speed.#1.........: 63982.2 kH/s (10.01ms) @ Accel:1 Loops:42 Thr:1024 Vec:1
Recovered........: 599/2441 (24.54%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:0,0,0 (Min,Hour,Day)
Progress.........: 197918720/308915776 (64.07%)
Rejected.........: 0/197918720 (0.00%)
Restore.Point....: 278528/456976 (60.95%)
Restore.Sub.#1...: Salt:0 Amplifier:588-630 Iteration:0-42
Candidates.#1....: iiylnz -> pqhujp
Hardware.Mon.#1..: Temp: 45c Util: 99% Core:1177MHz Mem:2505MHz Bus:16

$ hashcat -m 8300 -a 3 -O toshiba.htxt ?l?l?l?l?l?l?l?l --increment --show
snsb4v80p917p4sgfejh5km6aim7msao:.toshiba.com:7a8dfcc3c0a1706b:50:sdram
u3f74l80t912390ou07406cdcvihit76:.toshiba.com:7a8dfcc3c0a1706b:50:taismdm
6qi5mp01fn159l6k9pbhfme40d73h9in:.toshiba.com:7a8dfcc3c0a1706b:50:tdf
oab6ffo273bsbpvjbt8mppuqn5g33l0m:.toshiba.com:7a8dfcc3c0a1706b:50:dm2015
ai0ev0g2knvmhajunudm1pglsgqstp2c:.toshiba.com:7a8dfcc3c0a1706b:50:txrisc
bl4iico2lot40c5qrffjh0st2nqusodf:.toshiba.com:7a8dfcc3c0a1706b:50:toyota
5ru5de047igtf8pi2jdbg38cpmuf7in6:.toshiba.com:7a8dfcc3c0a1706b:50:gt
kss749o4v7utbooten9ahep2haorkhdm:.toshiba.com:7a8dfcc3c0a1706b:50:msepp
r1u3av8570beangtgu8h9e70g6hgjnqs:.toshiba.com:7a8dfcc3c0a1706b:50:att
meualcg5vjj1h7l4vl2d93fc0nj9s6k9:.toshiba.com:7a8dfcc3c0a1706b:50:movies
lu5eu6870ilejn5g5luvdcqhitqosic2:.toshiba.com:7a8dfcc3c0a1706b:50:mzc
h0vfolg78dpmhhir2n73v0a0gj9e6lgn:.toshiba.com:7a8dfcc3c0a1706b:50:travel
kfn41687ltkimtsgoma74spevmoukrq5:.toshiba.com:7a8dfcc3c0a1706b:50:medpower
f0i24h07mr5ah2uja9kshsmfln7er3v9:.toshiba.com:7a8dfcc3c0a1706b:50:xbox
jv1oo107n947nbchmtj6scj8vomdujq9:.toshiba.com:7a8dfcc3c0a1706b:50:icmmpeg
8ls2ga07sd619stad1t15j0nmmm8bv9q:.toshiba.com:7a8dfcc3c0a1706b:50:askiris
mn9u6p88iitoeddf8ni9hk5ph1205p6p:.toshiba.com:7a8dfcc3c0a1706b:50:pim
ne3515898k5ga1k02ofotdd9psrkmee6:.toshiba.com:7a8dfcc3c0a1706b:50:asia
vl9ckho9gf9nevns30b6al8aen289oe2:.toshiba.com:7a8dfcc3c0a1706b:50:en
gd06n0g9h1fto5c2odf139nmntmi2b13:.toshiba.com:7a8dfcc3c0a1706b:50:taiyo
23gj50g9jq82dbecj5mfj3287kgm6jqr:.toshiba.com:7a8dfcc3c0a1706b:50:mcu
0co7h3o9qfvdmhkuqv8bo7mmaoutf0hm:.toshiba.com:7a8dfcc3c0a1706b:50:icmsram
b8auehga5pof4vdhkid4nhs45a58jlff:.toshiba.com:7a8dfcc3c0a1706b:50:8bit
2jt9s48ahmai8cpl75it2c3ov1gqorpg:.toshiba.com:7a8dfcc3c0a1706b:50:comdex
2noqmj8ante3hsrqah35ligbfb13nli2:.toshiba.com:7a8dfcc3c0a1706b:50:biddesk
ucdnnjgb2pdhtrmkbd0h9ghndr4ag1hc:.toshiba.com:7a8dfcc3c0a1706b:50:extreme
84qh9nob626akhsfn1gm2eo8o3beo8bi:.toshiba.com:7a8dfcc3c0a1706b:50:sap
...

Czy jest to podatność? Raczej powiedzielibyśmy, że mniej znany ficzer…

–ms