312-50V9 · Question #304
Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com
The correct answer is D. The hacker successfully transfered the zone and enumerated the hosts.. The DiG output shows a successful AXFR DNS zone transfer that revealed all internal hostnames and IP addresses for domain.com.
Question
Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 domain.com. 600 IN A 192.168.1.102 domain.com. 600 IN A 192.168.1.105 domain.com. 3600 IN NS srv1.domain.com. domain.com. 3600 IN NS srv2.domain.com. vpn.domain.com. 3600 IN A 192.168.1.1 server.domain.com. 3600 IN A 192.168.1.3 office.domain.com. 3600 IN A 192.168.1.4 remote.domain.com. 3600 IN A 192.168. 1.48 support.domain.com. 3600 IN A 192.168.1.47 ns1.domain.com. 3600 IN A 192.168.1.41 ns2.domain.com. 3600 IN A 192.168.1.42 ns3.domain.com. 3600 IN A 192.168.1.34 ns4.domain.com. 3600 IN A 192.168.1.45 srv1.domain.com. 3600 IN A 192.168.1.102 srv2.domain.com. 1200 IN A 192.168.1.105 domain.com. 3600 INSOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 ;; Query time: 269 msec ;; SERVER: 192.168.1.105#53(192.168.1.105) ;; WHEN: Sun Aug 11 20:07:59 2013 ;; XFR size: 65 records (messages 65, bytes 4501)
Options
- AThe hacker used whois to gather publicly available records for the domain.
- BThe hacker used the "fierce" tool to brute force the list of available domains.
- CThe hacker listed DNS records on his own domain.
- DThe hacker successfully transfered the zone and enumerated the hosts.
How the community answered
(35 responses)- A3% (1)
- B9% (3)
- C14% (5)
- D74% (26)
Why each option
The DiG output shows a successful AXFR DNS zone transfer that revealed all internal hostnames and IP addresses for domain.com.
Whois queries registrar and IANA databases for domain registration details, not DNS zone data - the output format and DiG tool confirm this is not a whois lookup.
Fierce brute-forces DNS hostnames by guessing names; the structured, complete zone output with SOA record indicates a successful zone transfer, not a brute-force enumeration.
The query targets domain.com on 192.168.1.105, which is the victim's name server, not the attacker's own domain.
The command uses the 'axfr' flag with DiG, which requests a full DNS zone transfer from the target name server at 192.168.1.105. The output reveals all DNS resource records including SOA, A, and NS records, effectively enumerating the entire internal network structure. This is a classic DNS zone transfer attack used in the reconnaissance phase of an attack.
Concept tested: DNS zone transfer enumeration using AXFR
Source: https://attack.mitre.org/techniques/T1590/002/
Topics
Community Discussion
No community discussion yet for this question.