nerdexam
EC-Council

312-50V11 · Question #466

Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com

The correct answer is D. The hacker successfully transfered the zone and enumerated the hosts.. The output shows a successful DNS zone transfer (AXFR) using the dig tool, which exposed all internal hostnames and IP addresses mapped in the domain.

Enumeration

Question

Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 domain.com. 600 IN A 192.168.1.102 domain.com. 600 IN A 192.168.1.105 domain.com. 3600 IN NS srv1.domain.com. domain.com. 3600 IN NS srv2.domain.com. vpn.domain.com. 3600 IN A 192.168.1.1 server.domain.com. 3600 IN A 192.168.1.3 office.domain.com. 3600 IN A 192.168.1.4 remote.domain.com. 3600 IN A 192.168. 1.48 support.domain.com. 3600 IN A 192.168.1.47 ns1.domain.com. 3600 IN A 192.168.1.41 ns2.domain.com. 3600 IN A 192.168.1.42 ns3.domain.com. 3600 IN A 192.168.1.34 ns4.domain.com. 3600 IN A 192.168.1.45 srv1.domain.com. 3600 IN A 192.168.1.102 srv2.domain.com. 1200 IN A 192.168.1.105 domain.com. 3600 INSOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 ;; Query time: 269 msec ;; SERVER: 192.168.1.105#53(192.168.1.105) ;; WHEN: Sun Aug 11 20:07:59 2013 ;; XFR size: 65 records (messages 65, bytes 4501)

Options

  • AThe hacker used whois to gather publicly available records for the domain.
  • BThe hacker used the "fierce" tool to brute force the list of available domains.
  • CThe hacker listed DNS records on his own domain.
  • DThe hacker successfully transfered the zone and enumerated the hosts.

How the community answered

(13 responses)
  • B
    15% (2)
  • C
    8% (1)
  • D
    77% (10)

Why each option

The output shows a successful DNS zone transfer (AXFR) using the dig tool, which exposed all internal hostnames and IP addresses mapped in the domain.

AThe hacker used whois to gather publicly available records for the domain.

Whois queries a registration database for domain ownership and registrar info, not DNS resource records, and its output looks entirely different from what is shown.

BThe hacker used the "fierce" tool to brute force the list of available domains.

The 'fierce' tool performs DNS brute-forcing by guessing subdomain names, whereas the output clearly shows an AXFR zone transfer response returning the entire zone at once.

CThe hacker listed DNS records on his own domain.

The query targets 'domain.com' directed at an internal IP (192.168.1.105), indicating this is a corporate internal zone being transferred without authorization, not a record listing on the attacker's own domain.

DThe hacker successfully transfered the zone and enumerated the hosts.Correct

The command uses 'dig axfr domain.com @192.168.1.105', where AXFR is the DNS full zone transfer request type. Because the DNS server was misconfigured to allow zone transfers from any host, it responded with the complete zone file, including internal records for vpn, server, office, remote, support, and name servers - information an attacker can use to map the internal network for further attacks.

Concept tested: DNS zone transfer enumeration using AXFR

Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-security#restrict-zone-transfers

Topics

#DNS zone transfer#AXFR#DiG#DNS enumeration

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice