312-50V11 · Question #466
Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com
The correct answer is D. The hacker successfully transfered the zone and enumerated the hosts.. The output shows a successful DNS zone transfer (AXFR) using the dig tool, which exposed all internal hostnames and IP addresses mapped in the domain.
Question
Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 domain.com. 600 IN A 192.168.1.102 domain.com. 600 IN A 192.168.1.105 domain.com. 3600 IN NS srv1.domain.com. domain.com. 3600 IN NS srv2.domain.com. vpn.domain.com. 3600 IN A 192.168.1.1 server.domain.com. 3600 IN A 192.168.1.3 office.domain.com. 3600 IN A 192.168.1.4 remote.domain.com. 3600 IN A 192.168. 1.48 support.domain.com. 3600 IN A 192.168.1.47 ns1.domain.com. 3600 IN A 192.168.1.41 ns2.domain.com. 3600 IN A 192.168.1.42 ns3.domain.com. 3600 IN A 192.168.1.34 ns4.domain.com. 3600 IN A 192.168.1.45 srv1.domain.com. 3600 IN A 192.168.1.102 srv2.domain.com. 1200 IN A 192.168.1.105 domain.com. 3600 INSOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 ;; Query time: 269 msec ;; SERVER: 192.168.1.105#53(192.168.1.105) ;; WHEN: Sun Aug 11 20:07:59 2013 ;; XFR size: 65 records (messages 65, bytes 4501)
Options
- AThe hacker used whois to gather publicly available records for the domain.
- BThe hacker used the "fierce" tool to brute force the list of available domains.
- CThe hacker listed DNS records on his own domain.
- DThe hacker successfully transfered the zone and enumerated the hosts.
How the community answered
(13 responses)- B15% (2)
- C8% (1)
- D77% (10)
Why each option
The output shows a successful DNS zone transfer (AXFR) using the dig tool, which exposed all internal hostnames and IP addresses mapped in the domain.
Whois queries a registration database for domain ownership and registrar info, not DNS resource records, and its output looks entirely different from what is shown.
The 'fierce' tool performs DNS brute-forcing by guessing subdomain names, whereas the output clearly shows an AXFR zone transfer response returning the entire zone at once.
The query targets 'domain.com' directed at an internal IP (192.168.1.105), indicating this is a corporate internal zone being transferred without authorization, not a record listing on the attacker's own domain.
The command uses 'dig axfr domain.com @192.168.1.105', where AXFR is the DNS full zone transfer request type. Because the DNS server was misconfigured to allow zone transfers from any host, it responded with the complete zone file, including internal records for vpn, server, office, remote, support, and name servers - information an attacker can use to map the internal network for further attacks.
Concept tested: DNS zone transfer enumeration using AXFR
Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-security#restrict-zone-transfers
Topics
Community Discussion
No community discussion yet for this question.