nerdexam
EC-Council

312-50V10 · Question #466

Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com

The correct answer is D. The hacker successfully transfered the zone and enumerated the hosts.. The output shows a successful DNS zone transfer using the 'dig' tool with the AXFR query type, which exposed all internal host records for the domain.

Enumeration

Question

Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 domain.com. 600 IN A 192.168.1.102 domain.com. 600 IN A 192.168.1.105 domain.com. 3600 IN NS srv1.domain.com. domain.com. 3600 IN NS srv2.domain.com. vpn.domain.com. 3600 IN A 192.168.1.1 server.domain.com. 3600 IN A 192.168.1.3 office.domain.com. 3600 IN A 192.168.1.4 remote.domain.com. 3600 IN A 192.168. 1.48 support.domain.com. 3600 IN A 192.168.1.47 ns1.domain.com. 3600 IN A 192.168.1.41 ns2.domain.com. 3600 IN A 192.168.1.42 ns3.domain.com. 3600 IN A 192.168.1.34 ns4.domain.com. 3600 IN A 192.168.1.45 srv1.domain.com. 3600 IN A 192.168.1.102 srv2.domain.com. 1200 IN A 192.168.1.105 domain.com. 3600 INSOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 ;; Query time: 269 msec ;; SERVER: 192.168.1.105#53(192.168.1.105) ;; WHEN: Sun Aug 11 20:07:59 2013 ;; XFR size: 65 records (messages 65, bytes 4501)

Options

  • AThe hacker used whois to gather publicly available records for the domain.
  • BThe hacker used the "fierce" tool to brute force the list of available domains.
  • CThe hacker listed DNS records on his own domain.
  • DThe hacker successfully transfered the zone and enumerated the hosts.

How the community answered

(15 responses)
  • A
    7% (1)
  • B
    13% (2)
  • D
    80% (12)

Why each option

The output shows a successful DNS zone transfer using the 'dig' tool with the AXFR query type, which exposed all internal host records for the domain.

AThe hacker used whois to gather publicly available records for the domain.

Whois queries public RDAP/WHOIS databases for registration info and does not return internal A records like vpn.domain.com or support.domain.com shown in the output.

BThe hacker used the "fierce" tool to brute force the list of available domains.

The 'fierce' tool brute-forces subdomains by guessing names, while the output clearly shows a structured AXFR response with SOA and NS records, which is characteristic of a full zone transfer - not brute forcing.

CThe hacker listed DNS records on his own domain.

The output targets 'domain.com' queried from an external IP (192.168.1.105), not a domain owned by the attacker, and the presence of internal hostnames confirms this is a target network.

DThe hacker successfully transfered the zone and enumerated the hosts.Correct

The command 'dig axfr domain.com @192.168.1.105' requests a full DNS zone transfer (AXFR) from the target name server, and the output shows a complete dump of all DNS records including internal hostnames like vpn, server, office, remote, and support - information that should never be publicly accessible. A successful AXFR transfer gives an attacker a full map of the internal network topology, which is a critical reconnaissance finding. This is only possible when the DNS server is misconfigured to allow zone transfers from unauthorized hosts.

Concept tested: DNS zone transfer attack reconnaissance via AXFR

Source: https://owasp.org/www-community/attacks/DNS_Zone_Transfer

Topics

#DNS zone transfer#AXFR#dig command#DNS enumeration

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice