We now look at a few ways of performing a zone transfer, and at the other kinds of information a zone transfer yields. There are many tools for this; the discussion is limited to a few common ones.
The simplest way to perform a zone transfer is the nslookup client, which is usually available on both UNIX and NT. We run nslookup in interactive mode:
[bash]$ nslookup
Default Server: ns1.example.net
Address: 10.10.20.2
> server 216.182.1.1
Default Server: gate.tellurian.net
Address: 216.182.1.1
> set type=any
> ls -d tellurian.net. >> /tmp/zone_out
First we start nslookup in interactive mode. Once it is running, it prints the name of the default server, usually the organization's own DNS server or the service provider's. That server (10.10.20.2) is not authoritative for the target domain, so it will not hold all of the target's DNS records. We therefore have to tell nslookup explicitly which server to query. In this example we point it at the primary name server for Tellurian.net (216.182.1.1).
Next we set the record type to any, which makes nslookup pull every kind of DNS record rather than just address records (see man nslookup for the full list of types).
Finally, we list all records for the domain with ls -d, the -d option meaning "all records for the domain". We add a trailing '.' to mark the name as fully qualified, although it usually is anyway. The output is redirected to /tmp/zone_out so that we can work on it later.
Once the zone transfer has completed, we look through the file for any information that would help us target specific systems. Consider the following output:
[bash]$ more /tmp/zone_out
acct18   1D IN A     192.168.230.3
         1D IN HINFO
         1D IN MX    0 tellurianadmin-smtp
         1D IN RP    bsmith.rci bsmith.who
         1D IN TXT   "Location: Telephone Room"
ce       1D IN CNAME aesop
au       1D IN A     192.168.230.4
         1D IN HINFO "Aspect" "MS-DOS"
         1D IN MX    0 andromeda
         1D IN RP    jcoy.erebus jcoy.who
         1D IN TXT   "Location: Library"
acct21   1D IN A     192.168.230.5
         1D IN HINFO "Gateway2000" "WinWKGRPS"
         1D IN MX    0 tellurianadmin-smtp
         1D IN RP    bsmith.rci bsmith.who
         1D IN TXT   "Location: Accounting"
We will not go through every record, only the important types. For each entry there is an A record mapping the host name on the left to an IP address. Most of the hosts also carry an HINFO record, which names the hardware platform and the operating system the host runs (RFC-952). HINFO records are not required, but when present they hand an attacker a great deal of information. Because the output is in a plain text file, it is easy to slice up with UNIX tools such as grep, sed, awk, or Perl.
Suppose we specialize in SunOS or Solaris. We can pick out every host whose HINFO record mentions SPARC, Sun, or Solaris:
[bash]$ grep -i solaris /tmp/zone_out | wc -l
388
We have 388 references to "Solaris". Needless to say, there is no shortage of targets.
Suppose instead we want to find test systems, a favorite choice of attackers. Why? Simple: they rarely have many security features enabled, often have easily guessed passwords, and administrators tend not to notice or care who logs in to them. A perfect home for an intruder. We find the test systems like this:
[bash]$ grep -i test /tmp/zone_out | wc -l
96
So about 96 lines of the zone file contain the word "test", which should add up to a fair number of real test systems (the count is of matching lines, not of hosts, so treat it as approximate). These are only simple examples. Most intruders will dissect this data to zero in on specific types of systems with known weaknesses.
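The grep one-liners above count lines rather than hosts, and a TXT string that happens to contain "test" inflates the count, which is why the 96 hits should be read as roughly 96 systems. Parsing the dump properly avoids that. The following Python script is an added example, not code from the original text: it parses a zone dump in the format nslookup's ls -d writes (the owner name is carried forward over continuation lines), then answers the same questions the grep commands do, namely which hosts advertise a Solaris, Sun or SPARC HINFO, which hosts have "test" in their names, and the flat IP list that a cut pipeline would extract. The sample zone embedded below is constructed to resemble the excerpt above; its hosts and addresses are not from the page.

```python
"""Triage a DNS zone dump pulled with `nslookup ... ls -d` (or `host -l`).

Added example, not from the original text. The sample dump below is
constructed to mirror the shape of the /tmp/zone_out excerpt: continuation
lines omit the owner name and inherit it from the previous record, and
HINFO/TXT strings are quoted.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample data (hosts and addresses are invented, not from the page).
SAMPLE_ZONE = """\
acct18    1D IN A     192.168.230.3
          1D IN HINFO "Gateway2000" "WinWKGRPS"
          1D IN MX    0 tellurianadmin-smtp
          1D IN TXT   "Location: Telephone Room"
ce        1D IN CNAME aesop
au        1D IN A     192.168.230.4
          1D IN HINFO "Aspect" "MS-DOS"
          1D IN TXT   "Location: Library"
test-db   1D IN A     192.168.230.9
          1D IN HINFO "Sun" "Solaris"
testbox2  1D IN A     192.168.230.12
          1D IN HINFO "SPARC" "Solaris"
          1D IN TXT   "test lab, contact jcoy"
sol-prod  1D IN A     192.168.230.20
          1D IN HINFO "Sun-4" "Solaris"
"""


def parse_zone_dump(text):
    """Return {owner: [(rtype, rdata_tokens), ...]} in file order.

    A line that starts with whitespace is a continuation record for the
    most recent owner, exactly as nslookup prints it.
    """
    records = defaultdict(list)
    owner = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            rest = line
        else:
            owner, rest = line.split(None, 1)
        tokens = shlex.split(rest)      # keeps quoted HINFO/TXT strings whole
        # The TTL (1D, 86400, ...) is optional; locate the class to find the type.
        idx = tokens.index("IN") if "IN" in tokens else -1
        rtype, rdata = tokens[idx + 1], tokens[idx + 2:]
        records[owner].append((rtype, rdata))
    return dict(records)


def hosts_by_os(records, pattern):
    """{owner: first A address} for hosts whose HINFO matches `pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = {}
    for owner, rrs in records.items():
        hinfo = " ".join(" ".join(r) for t, r in rrs if t == "HINFO")
        addrs = [r[0] for t, r in rrs if t == "A"]
        if addrs and rx.search(hinfo):
            hits[owner] = addrs[0]
    return hits


def hosts_named(records, keyword):
    """Owners whose *name* contains keyword; TXT/RP strings are ignored,
    unlike `grep -i keyword zone_out`, which counts every matching line."""
    return sorted(o for o in records if keyword.lower() in o.lower())


def grep_count(text, keyword):
    """What `grep -i keyword /tmp/zone_out | wc -l` would report."""
    return sum(1 for line in text.splitlines() if keyword.lower() in line.lower())


def a_records(records):
    """Flat IP list, the equivalent of piping `host -l` output through cut."""
    return [r[0] for rrs in records.values() for t, r in rrs if t == "A"]


if __name__ == "__main__":
    zone = parse_zone_dump(SAMPLE_ZONE)
    print("Solaris/SPARC/Sun hosts:", hosts_by_os(zone, r"solaris|sparc|sun"))
    print("hosts named *test*:", hosts_named(zone, "test"))
    print("lines grep would count:", grep_count(SAMPLE_ZONE, "test"))
    print("all A records:", a_records(zone))
```

On the constructed sample, grep_count reports three "test" lines but hosts_named returns only two hosts, because the TXT record on testbox2 also contains the word. To run it against a real dump, read /tmp/zone_out into a string and pass it to parse_zone_dump in place of SAMPLE_ZONE.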
A few points to keep in mind. The method above queries only one name server at a time, so you must repeat the task against every authoritative name server for the target domain. We also queried only the tellurian.net domain; if there are subdomains, you will have to run the same query for each of them (for example greenhouse.tellurian.net). Finally, you may receive a message that the domain cannot be listed or that the query was refused. This usually means the server has been configured to disallow zone transfers from unauthorized users, so you will not be able to pull the zone from that server. But if there are several DNS servers, you still have a chance of finding one that permits zone transfers.
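To work through every authoritative server and recognise a refusal, it helps to know what the exchange looks like on the wire. The following Python code is an added example, not part of the original text or of any tool mentioned in it: it builds an AXFR query, sends it over TCP with the two-byte length prefix DNS requires, and classifies the first reply message by its RCODE (REFUSED or NOTAUTH mean the server will not hand over the zone; an answer that begins with an SOA record means the transfer is starting). The server addresses in the usage stub and the replies used for the offline self-check are constructed assumptions, not data from the page.

```python
"""Probe candidate name servers for a zone transfer and classify each answer.

Added example, not from the original text. It speaks the DNS wire format
directly over TCP so no DNS library is needed. Server addresses and the
constructed replies used for offline checking are assumptions.
"""
import socket
import struct

QTYPE_AXFR, QTYPE_SOA = 252, 6
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """DNS message asking for AXFR of `zone`: RD=0, one question, no RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)
    return header + question


def skip_name(msg, off):
    """Offset just past the name at `off`; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def classify_axfr_response(msg):
    """Map one DNS response message to a verdict string."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    if an == 0:
        return "EMPTY"   # some servers answer NOERROR with no records instead of REFUSED
    off = skip_name(msg, off)
    rtype, = struct.unpack("!H", msg[off:off + 2])
    return "TRANSFER" if rtype == QTYPE_SOA else "UNEXPECTED_TYPE%d" % rtype


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def try_axfr(server, zone, timeout=5.0):
    """Send the AXFR over TCP (length-prefixed) and classify the first message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length, = struct.unpack("!H", recv_exact(sock, 2))
        return classify_axfr_response(recv_exact(sock, length))


def probe_all(servers, zone):
    """Try every authoritative server in turn; one permissive server is enough."""
    results = {}
    for srv in servers:
        try:
            results[srv] = try_axfr(srv, zone)
        except OSError as exc:
            results[srv] = "ERROR: %s" % exc
    return results


def constructed_response(query, rcode, soa=False):
    """Build a fake server reply for offline checking (constructed data)."""
    txid, = struct.unpack("!H", query[:2])
    flags = 0x8000 | (0x0400 if soa else 0) | rcode      # QR, optional AA, RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if soa else 0, 0, 0) + query[12:]
    if soa:
        rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
                 + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 86400))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, 1, 3600, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    # Hypothetical servers (TEST-NET addresses); real ones come from an NS lookup of the zone.
    print(probe_all(["198.51.100.53", "203.0.113.53"], "example.com"))
```

A full AXFR response may span several DNS messages; the classifier looks only at the first, which is enough to tell a refusal from a transfer. Feed probe_all the servers returned by an NS lookup of the zone (for example dig +short NS tellurian.net) and repeat for each subdomain, as the text advises.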
There are many tools that speed up this process, including host, Sam Spade, axfr and dig (dig is not covered here).
The host command comes with many flavors of UNIX. Some simple ways of using host are as follows:
host -l tellurian.net
or
host -l -v -t any tellurian.net
If you only need the IP addresses, for example to feed them into a shell script, you can cut them out of the host output:
host -l tellurian.net | cut -f 4 -d " " >> /tmp/ip_out
Not every footprinting step has to be done with UNIX commands. A number of Windows products, such as Sam Spade, provide the same information.
Finally, you can use one of the most powerful tools for zone transfers, axfr by Gaius. This utility recursively transfers zone information and builds a compressed database of zone and host files for each domain queried. You can even pass it top-level domains such as com and edu to pull every domain under "com" and "edu", although this is not recommended. To run axfr, type the following:
[bash]$ axfr tellurian.net
axfr: Using default directory: /root/axfrdb
Found 2 name servers for domain 'tellurian.net':
Text deleted.
Received XXX answers (xxx records).
To query the axfr database for the information just retrieved, type the following:
[bash]$ axfrcat tellurian.net