Penetration Testing mailing list archives
Re: Several Domains
From: Tim Brown <tmb () 65535 com>
Date: Fri, 12 Dec 2008 09:43:24 +0000
On Friday 12 December 2008 03:33:32 Ahmed Zaki wrote:
> Thanks for your reply. Apparently it's my fault, I should have made my question clearer. Your target is Company X. The IP of the mail server turned out to be xxx.xxx.xxx.xxx, and when used to do a reverse DNS lookup it gave mail.companyx.com, mail.companyx-fs.com, mail.companyx.com.fs, mail.companyxfs.com. As a pentester, how would you go about identifying the actual domain name that is being used internally?
Are the DNS servers under the control of your target? Microsoft's DNS server implementation has an interesting default configuration where 127.in-addr.arpa, 255.in-addr.arpa and 0.in-addr.arpa are automatically populated (this can be disabled from the registry). The automatic population of these zones can often leak internal network information. Likewise, BIND has a similar issue; have a look at http://www.nth-dimension.org.uk/blog.php?id=56 which discusses this in more depth.

Cheers,
Tim
--
Tim Brown <mailto:tmb () 65535 com>
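As an added example (not code from the thread or from either poster), the following script lets an administrator audit their own DNS server for the automatically created reverse zones that the reply above mentions. It sends an SOA query for 0.in-addr.arpa, 127.in-addr.arpa and 255.in-addr.arpa using only the Python standard library, and reports whether the server answers authoritatively for each zone; the SOA MNAME and RNAME fields are shown because they are where an internal hostname and domain typically surface. The server address 192.0.2.53, the hostnames dc01.corp.example and hostmaster.corp.example, and the `build_soa_response` helper are constructed placeholders used so the check can be demonstrated offline; the registry change the reply refers to is not part of this script.

```python
import socket
import struct

# Reverse zones the reply above says Microsoft DNS populates automatically.
AUTO_ZONES = ("0.in-addr.arpa", "127.in-addr.arpa", "255.in-addr.arpa")
SOA = 6


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, qtype=SOA, txid=0x1234):
    """Build a minimal recursion-desired DNS query (one question, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_soa_response(data):
    """Return (rcode, authoritative, mname, rname); names are None if no SOA answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    offset = 12
    for _ in range(qd):                       # skip the question section
        _, offset = read_name(data, offset)
        offset += 4
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == SOA:
            mname, after_mname = read_name(data, offset)
            rname, _ = read_name(data, after_mname)
            return rcode, aa, mname, rname
        offset += rdlen
    return rcode, aa, None, None


def build_soa_response(query, mname, rname, aa=True, rcode=0):
    """Constructed reply to `query` (demo only): an authoritative SOA, or an empty error reply."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | (0x0400 if aa else 0) | rcode
    question, answer = query[12:], b""
    if rcode == 0:
        rdata = encode_name(mname) + encode_name(rname) + struct.pack(">IIIII", 1, 900, 600, 86400, 3600)
        answer = b"\xc0\x0c" + struct.pack(">HHIH", SOA, 1, 3600, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def udp_query(server, packet, timeout=3.0):
    """Send one UDP query to `server` on port 53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        return sock.recv(4096)


def check_auto_zones(server, send=udp_query):
    """Ask `server` for the SOA of each auto-created reverse zone and classify the reply."""
    findings = {}
    for zone in AUTO_ZONES:
        rcode, aa, mname, rname = parse_soa_response(send(server, build_query(zone)))
        if rcode == 0 and aa and mname:
            # Authoritative SOA: the server hosts the zone, and MNAME/RNAME may
            # expose an internal host and domain name.
            findings[zone] = {"status": "served", "mname": mname, "rname": rname}
        elif rcode == 3:
            findings[zone] = {"status": "nxdomain"}
        else:
            findings[zone] = {"status": "other", "rcode": rcode}
    return findings


if __name__ == "__main__":
    import sys
    # Assumed usage: python check_auto_zones.py 192.0.2.53  (placeholder address)
    for zone, info in check_auto_zones(sys.argv[1]).items():
        print(zone, info)
```

A `served` result for any of the three zones is the condition to review: either the zone is intentionally hosted, or the default auto-creation is still enabled and the SOA fields are telling outsiders what the internal naming looks like.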