1
00:00:00,790 --> 00:00:08,160
Another script in BackTrack is dnsrecon. This is a script written in Perl that allows, among

2
00:00:08,160 --> 00:00:15,870
other things, to ask for a zone transfer.

3
00:00:15,910 --> 00:00:21,790
However, if the transfer is not successful, the script will certainly send further queries about individual

4
00:00:21,790 --> 00:00:25,060
computers with a brute force attack.

5
00:00:25,060 --> 00:00:27,270
This script will check all the possibilities.

6
00:00:29,120 --> 00:00:34,760
If a server does not want to send you the entire zone, then you ask it for the data concerning individual

7
00:00:34,760 --> 00:00:36,230
computers one by one.

8
00:00:39,700 --> 00:00:43,570
We will now run the script and ask about the same domain as before.

9
00:00:43,630 --> 00:00:44,960
Agent that be

10
00:00:51,560 --> 00:01:01,280
We found the information about the DNS servers and the servers that are the Kerberos key distribution center.

11
00:01:01,280 --> 00:01:06,200
Now let's see how you can learn something about a specific computer.

12
00:01:06,240 --> 00:01:13,480
For example, we would like to find the SQL servers or mail servers of specific companies.

13
00:01:13,650 --> 00:01:20,730
We could search for mail servers by MX addresses, but it won't work with SQL servers.

14
00:01:20,790 --> 00:01:26,760
Now we'd like to ask the DNS server if, in the zone it manages, there are any computers containing certain

15
00:01:26,760 --> 00:01:28,250
characters in their names.

16
00:01:29,640 --> 00:01:35,390
If we obtain this information, we could use it later to identify the infrastructure of a specific company.

17
00:01:38,920 --> 00:01:46,650
We only need to ask; such a query is encoded in the fierce script. This script will help us to obtain information

18
00:01:46,650 --> 00:01:53,310
about the DNS servers of our test domain ujian that be.

19
00:01:53,490 --> 00:01:59,950
Then we should specify a dictionary containing the expressions we will be looking for.
20
00:02:00,190 --> 00:02:08,940
Let's use the standard dictionary, that is, the hosts.txt file. This dictionary contains many expressions,

21
00:02:09,030 --> 00:02:12,240
and that's why the result is similar to the one we've had earlier.

22
00:02:14,090 --> 00:02:19,160
You can prepare your own TXT file with only those expressions that are especially interesting for

23
00:02:19,160 --> 00:02:19,770
you.

24
00:02:22,690 --> 00:02:27,730
This would allow you to ask the DNS servers about computers whose names could be telling in some ways.

25
00:02:29,700 --> 00:02:32,060
This information is publicly available.

26
00:02:34,080 --> 00:02:34,840
To search for it,

27
00:02:34,860 --> 00:02:42,950
you do not need to use dig or any scripts; you can use various web services for this.

28
00:02:43,130 --> 00:02:50,780
One of them is a service available at http://serversniff.net.

29
00:02:50,840 --> 00:02:55,770
It has visualization options.

30
00:02:55,880 --> 00:03:01,190
It will enable you to see that the main DNS server has a particular name and sub-servers responsible

31
00:03:01,190 --> 00:03:06,760
for their own domains.

32
00:03:06,790 --> 00:03:12,510
The report will feature as much information as can be collected. As an exercise,

33
00:03:12,530 --> 00:03:18,590
you can connect with the service and send a query about your favorite domain.

34
00:03:18,840 --> 00:03:23,820
The first threat associated with application layer protocols is that the attacker can gain information

35
00:03:23,820 --> 00:03:29,630
you'd like to remain private. Further problems relate to subsequent protocols of this layer.