312-50V10 · Question #466
Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com
The correct answer is D. The hacker successfully transfered the zone and enumerated the hosts.. The output shows a successful DNS zone transfer using the 'dig' tool with the AXFR query type, which exposed all internal host records for the domain.
Question
Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 domain.com. 600 IN A 192.168.1.102 domain.com. 600 IN A 192.168.1.105 domain.com. 3600 IN NS srv1.domain.com. domain.com. 3600 IN NS srv2.domain.com. vpn.domain.com. 3600 IN A 192.168.1.1 server.domain.com. 3600 IN A 192.168.1.3 office.domain.com. 3600 IN A 192.168.1.4 remote.domain.com. 3600 IN A 192.168. 1.48 support.domain.com. 3600 IN A 192.168.1.47 ns1.domain.com. 3600 IN A 192.168.1.41 ns2.domain.com. 3600 IN A 192.168.1.42 ns3.domain.com. 3600 IN A 192.168.1.34 ns4.domain.com. 3600 IN A 192.168.1.45 srv1.domain.com. 3600 IN A 192.168.1.102 srv2.domain.com. 1200 IN A 192.168.1.105 domain.com. 3600 INSOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 ;; Query time: 269 msec ;; SERVER: 192.168.1.105#53(192.168.1.105) ;; WHEN: Sun Aug 11 20:07:59 2013 ;; XFR size: 65 records (messages 65, bytes 4501)
Options
- AThe hacker used whois to gather publicly available records for the domain.
- BThe hacker used the "fierce" tool to brute force the list of available domains.
- CThe hacker listed DNS records on his own domain.
- DThe hacker successfully transfered the zone and enumerated the hosts.
How the community answered
(15 responses)- A7% (1)
- B13% (2)
- D80% (12)
Why each option
The output shows a successful DNS zone transfer using the 'dig' tool with the AXFR query type, which exposed all internal host records for the domain.
Whois queries public RDAP/WHOIS databases for registration info and does not return internal A records like vpn.domain.com or support.domain.com shown in the output.
The 'fierce' tool brute-forces subdomains by guessing names, while the output clearly shows a structured AXFR response with SOA and NS records, which is characteristic of a full zone transfer - not brute forcing.
The output targets 'domain.com' queried from an external IP (192.168.1.105), not a domain owned by the attacker, and the presence of internal hostnames confirms this is a target network.
The command 'dig axfr domain.com @192.168.1.105' requests a full DNS zone transfer (AXFR) from the target name server, and the output shows a complete dump of all DNS records including internal hostnames like vpn, server, office, remote, and support - information that should never be publicly accessible. A successful AXFR transfer gives an attacker a full map of the internal network topology, which is a critical reconnaissance finding. This is only possible when the DNS server is misconfigured to allow zone transfers from unauthorized hosts.
Concept tested: DNS zone transfer attack reconnaissance via AXFR
Source: https://owasp.org/www-community/attacks/DNS_Zone_Transfer
Topics
Community Discussion
No community discussion yet for this question.