Hello, and welcome to this course. And where we're talking about using Python for use cases that align with the pre attack matrix of the MITRE ATT&CK framework, namely the reconnaissance phase because that's the part where of this section where we can actually interact with the target environment, learn more about it, etcetera. And we have concrete goals to achieve. The resource development phase varies greatly depending on what we actually want to do in our attack. And so in this video, we're going to be talking about a way to use Python to perform reconnaissance and gain information about a target organisation using the domain name system or DNS. If you're not familiar with DNS, DNS is essentially the phonebook of the internet. So when you're visiting a web page in a browser or really doing anything involving web servers, you probably don't enter the IP address of the target page in most cases. Most the time you type in a domain name like infosecinstitute.com and that domain name gets converted in some way into the IP addresses that your computer, the routers, and the target web server use for routing your traffic to its destination and back again. And the way that conversion happens is through DNS infrastructure. DNS servers are organized in a hierarchy where you ask it top level names server, say for the.com domain, where to find infosecinstitute.com DNS server. And then by querying that DNS server, you can learn about a particular page on the InfoSec Institute website, and then send your traffic to the correct IP address to get the information that you want. And so we're going to be taking advantage of that infrastructure in this video to learn more about a target organizations public facing web infrastructure. Because there's all of this information the DNS system of the various domains and subdomains that a particular organization has defined. And so by taking a look at what's defined in the DNS infrastructure, we can learn about the IP ranges that belong to a particular organization, the types of systems that are at particular IP addresses etc. And this information is invaluable for planning an attack or a testing excercise against a particular organization. And so, for this demonstration our file that we'll be looking at is called DNSExploration.py. So, opening this up in nano we see a longer program here, where we're going to cut across two different pages. And so going to start down at the bottom here, because that's the equivalent of our main function. And so coming down here, the goal here is that we're going to be building a collection of subdomains, especially common subdomains, and then asking the DNS infrastructure if that particular subdomain exists. So for example, our base domain in this case is going to be google.com. And so if you're familiar with Google you know sites like mail.google.com are defined. And that's a fairly common subdomain, the mail subdomain for an organization's infrastructure because that's where a webmail client might be deployed. And so we're going to take our base domain here google.com and try common subdomains like mail to see if that particular system exists on Google's network, and if so, what the IP address is associated with it. And our list of common subdomains that we're going to be taking a look at is defined in subdomains.txt. So I'm going to close this real quick and take a look at subdomains.txt. And so, as you can see here, this is just a list of some common subdomains. You have like www, mail, webmail, and NS for name server for DNS server, VPN, etc. And so we'll be taking this list and concatenating the base domain that we'll be looking at, in this case google.com to find things to search for on the target network. And so these few lines here are designed to read in that file, break it into a list, and then we'll call the subdomain search function passing in the base domain, our list of domains and then a boolean variable true that I'll explain in just a minute. But first, let's go up to our subdomain search function right here. And so, this is what does the heavy lifting of searching through our list of subdomains, we've passed in a domain, a dictionary of common subdomains and a variable called nums. And what we're going to do is we're going to iterate over each of the subdomains in this dictionary, and create a full subdomain with that prefects like mail. And then.in this case google.com then we're going to perform a DNS request for that particular domain. But before we talk about that, let's talk about that Boolean variable that I just mentioned. So for some subdomains, it's common for them to have a number appended at the end, for example, having subdomains like ns1.google.com, ns2.google.com, etc, to indicate different name servers on Google's network, very common. And the list of subdomains that we put together doesn't have those numbers in it. And so what we're going to be doing is if we say nums equals true which we have set it that way, we're going to just iterate over the values 0 to 9, and build an additional subdomain consisting of that domain prefix like mail, add the number in. So mail1.google.com and make a request for that as well. And that way we can catch at least some of these ones that have just a number appended at the end. I can't guarantee we'll get all of them, but it gives more information about the target network. We want to move through more quickly and we don't want to test these various ones with the number appended, we can just simply set our Boolean down here to false. And so moving up further we see our DNS request function. So this is going to be taking advantage of Python's DNS library which we're importing up at the top of the file. And we're going to be using dns.resolver.resolve to look up a particular domain name. So in this case when we say domain we mean something like mail.google.com. And we're asking for the A record which is the most common type of record. And so this is going to result in DNS requests, to DNS infrastructure. And we're going to get back a response that goes and result. And so if our request results in the domain actually existing and we get an IP address back, then our if condition here is going to be triggered. If we don't get anything back, it means the DNS request was for a non existent domain. And so we won't have this trigger. And so if we get a result we're going to print out that IP address because it's good to know what IP addresses are associated with the target infrastructure. And then we're going to take advantage of the fact that forward DNS lookups, like we're doing here aren't our only option for taking advantage of DNS infrastructure. We're also going to try reverse DNS lookups. And so the logic here is that say we know that a particular IP address belongs to a particular organization, there's nothing that says that they can only run one type of system on that particular server. For example, it's completely possible to run both an email server and a web server on the same computer. Similarly, once we get into cloud computing and everything like that, you can have a bunch of different things happening on the same IP address. And so what we're going to do is, if we've learned that a particular IP address belongs to an organization, or in this case, potentially a list of IP addresses, we're going to iterate over each of those and test what DNS or domain names are associated with that particular IP address. And so how are we going to do that is calling our reverse DNS function and passing in one of the IP addresses that we've learned at a time. And this takes us to the final function up at the top of our code reverse DNS which takes an IP address as input. And so in this case, we're going to be using socket.gethostbyaddr, and then passing in the IP address to get the domain names associated with that particular address. And we're going to unpack them because it turns out that the structure that will return, we might get one domain name in result 0, and then there can be a list of alternative domain names and result one. So we're going to build a list from the values in zeroth position of result and the first position to result in a list of domain names associated with that particular IP address. And so, taking this all together, the goal of this file is to take a base domain and a list of subdomains and take advantage of DNS infrastructure to identify IP addresses and other domains associated with a target domain. And so now let's see this in action. So what I'm going to do first is just run this with Python DNSExploration.py and we see here that we are getting results. And so we've got a rather long list of subdomains that we've specified in here. And so now that we've completed here, we can go through and see what we've learned. So going to bring our server and scroll up to where we started running this. And here we see that there's quite a list of domain names and in fact, specifying the num flag here, paid off for us. So our first one, we know that www.google.com exists and we know this because that's the base Google page for their search engine. And so in this particular case, it's returning an IP address of 172.217.4.36. Are talking about an organization as big as Google, you've definitely got the potential for load balancing and so if you run the same script, you might get a different IP address than me. We also see as I said that our use of the num flag pays off because we got hits for www4,5,6 and 9.google.com. And these provide information on additional IP addresses associated with Google's web infrastructure. We then get our mail.google.com and in this case 172.217.9.37 and then additional domains associated with Google. So I have a blog page, we have our list of name servers associated with Google here. Moving down, we have smtp.google.com. So that's an email server and doing some reverse DNS lookups on that doesn't present anything additional. However, if we search for admin.google.com, we get an IP address and then there's this domain name associated with that IP. We see that they have a VPN portal set up. Here's another result for dns.google.com with the two main Google DNS servers, support.google.com, web.google.com, email, cloud, admin, and API. And so we've gotten a ton on a different results simply by taking that list of common domain names, appending them, or sorry, common subdomain prefixes appending them to our base domain google.com and taking advantage of the DNS infrastructure to learn what we can about the target network. And so based off of this, we have some potential places to look. Maybe for example, for doing a penetration test on Google, knowing about this vpn.google.com page could be useful because VPNs often have vulnerabilities and if Google's not up to date on patching it, that could be a potential entry point during an engagement. Additionally, there's a lot of other sites that we've found here and so we can perform additional reconnaissance and investigation on them to learn about, again, potential access points into Google's network for an engagement. And this provides a good high level look at Google's network. And there's some limitations. Namely, we only could find what we knew to look for, and only things that are publicly exposed, and so there's almost certainly more google infrastructure that we can't find in this way. Also, we're limited by the list of subdomains that we use. It could be that google has a vpn10.google.com or VPN A or something like that and we didn't search for that, so we don't know it exists. And so there's a couple of options for expanding what we can learn about Google's infrastructure, namely by taking advantage of brute force searches. So one thing we can notice is that Google tends to have ranges of IP addresses that it owns. 64.9.224 and then we got 68,69,70. And so what about 67, 71? Etc. We could perform reverse DNS lookups there and see if we get any results that might point to additional systems and domain names associated with Google. Alternatively, we could perform a brute-force search on the subdomains that we're searching for. We used common ones and common words here but you could perform additional searches searching through the set of possible subdomain names and see if you find something that's not included in this particular list. And like any reconnaissance tool, you've got a balance there between the amount of information that you learn and the amount of noise that you make and detectability. The more request you make the more obvious you become and the more likely you're hard to be protected, however, also the more information you can possibly learn about the target network. And so, this video was designed to demonstrate how to use Python and the DNS infrastructure for network reconnaissance. Thank you
