Setup DNS Penetration testing Lab in Windows Server 2012

Domain Name System is used for name translation into IP address or you can say that it is used for name resolution.

This name is only for the benefit of the human. It is translated into IP addresses to reach the destination. The translation process of a name is called name resolution.

Name resolution starts from right to left. There is another "." after com but it is hidden. This is called root level domain. Winner request is sent to the root domain for translation it forwards this request to com domain which is called Top Level Domain. Com passes the request to yahoo domain which is called 2^ndlevel domain .Yahoo then sends the request to www which is called host name.

Structure of the DNS is distributed over the internet. It means that the name resolution task is not assigned to only computer rather it is distributed over the internet.

Steps to Install DNS server

Configure Static IP setting of your server; here we had assigned 192.168.1.104 IP to our machine moreover we had assign server IP also as preferred DNS server.

We have to open Server Manager and then click on Add Roles and Features in order to install role services and features. A new window will come up on screen. Now click on next as shown below in given image.

Select installation type “role based or feature based installation” which is also select as default option and then click on next for further step.

Select the desire server from server pool for configuration of DNS server. From given below image you can observe that  from inside pool 1 computer is found with IP 192.168.1.104 that has been selected as server, now click on next.

Select DNS server checkbox as role to install it on selected server and click on Next.

Now Just Click on Next after reading brief description of DNS.

To install selected role and feature on selected server click on install.

DNS server installation process begins which may takes few minute for installation, at last click on close once the installation has been completed.

This is all about DNS installation now in next step we will configure DNS server.

Zone

Database of DNS is called zone or partition of Domain Name Space represented by Domain Name is called Zone. When you click on zone then you will see two zones one is Forward Lookup Zone and Reverse Lookup Zone.

Forward Lookup Zone sends name and get IP address of the computer.

While Reverse Lookup Zone sends IP address of the computer then why we need name of the computer. The answer is that if firewall is installed on the computer then firewall stop or allow traffic on the basis of name that is why reverse lookup zone is used to convert IP address in the name.

Steps to create a Forward Lookup zone:

1)      Select DNS from drop down list server manger, this will open the server on which we have install DNS role.  Select your server (WIN-KSR8OM147HH ) make right click on it  and select DNS from that list.

When we select DNS in server Manager it will open a new window as DNS Manager.

Now we will configure Forward lookup zone as well as Reverse Lookup Zone. So to create Forward Lookup Zone, select Forward Lookup Zones and right click on it and select New Zone from menu box to take up the New Zone Wizard then click on next.

It will show the list of Different types of Zones and storage such as Primary Zone, Secondary Zone & Stub Zone.

Zone Types

Primary Zone:  A primary DNS zone has authority of read / writes for DNS server also known as master server. It stores the master copy of zone data in a local file or in AD DS. 

Secondary Zone:  A Secondary DNS Zone is Read-Only copy of a Primary Zone; this DNS server is a secondary resource for information about this zone.

Active Directory Integrated DNS Zone: It is also writeable zone. To make Active Directory Integrated zone the machine must be a domain Controller. RODC (read only domain controller).feature is only available in server 2008 R2.The domain controller must be writeable not read only because it is more secure. There is a security tab in the AD integrated zone, it is a multi master structured. In case of AD integrated zone, DNS database will be replicated as a part of domain replication.

Stub zone: It is nature secondary. It has no database of its own. Its load the database from master DNS. It only takes selective records not the complete database. Three records NS, SOA and Glue A will transfer into stub zone. Stub is read only.

DNS uses port 53 for communication and it uses both TCP and UDP protocols. Dynamic DNS (DDNS) is used to automatically update IP addresses in DNS when changed by DHCP. You will enable DDNS option in the zone properties to secure only.

Select primary zone and click on next.

Give desired Zone name like raj and click on next.

Save this into a new zone file as raj.dns and click on next.

Select Do not allow dynamic updates option, if you want to update these records manually .Click on next then Finish.

Now we had completed the configuration for Forward Lookup Zone; next we will configure reverse lookup zone.

Reverse Lookup Zone:

Domain Name system (DNS) servers can enable clients to determine the DNS name of a host based on the host's IP address by providing a special zone called a reverse lookup zone. A reverse lookup zone contains pointer (PTR) resource records that map IP addresses to the host name. Some applications, such as secure web applications, rely on reverse lookups.

A reverse lookup takes the form of a question, such as "can you tell me the DNS name of the computer that uses the IP address 192.168.1.120?"

A special domain, the in-addr.arpa  domain, was defined in the DNS standards and reserved in the internet DNS namespace to provide a practical and reliable way to perform reverse queries . In reverse lookup zone the address is written in reverse order.

Step to create a Reverse Lookup Zone:

To create Reverse Lookup Zone, make right click on it and click on New Zone from the inside the menu box to take up the New Zone Wizard.

Select primary zone and click on next.

Click on first radio button for IPv4 reverse Lookup Zone to translate IP address into DNS name then click on next.

Type Network ID field as 192.168.1 which is the first three octets of IP-address of our DNS Server then click on next.

Save this in a new zone file and select first radio button for this step then click on next.

Select Do not allow dynamic updates option, if you want to update these record manually. Click on next.

We have successfully completed configuration for new zone of reverse Lookup. Now just click on finish.

Now you can observe that on the right side of DNS Manager Window, Reverse Lookup Zone is now created that contains two records i.e. SOA and NS in it.

1)      Now we are going to create a new pointer in our new zone file i.e. 1.168.192.in-addr.arpa, as shown in given below image

Here we require host name in order to create new resource record, click on browse to select the record.

Resource Records

Resource records are the DNS database entries to answer DNS client queries. Name, type and data. The client query is always shown under the name title; DNS server answer always shown under the data title, in type different types of records is shown. Common recorded in DNS are A (Name to IP), PTR (reverse of A), SRV, MX, MS, SOA, etc.

Select 2^ndfile i.e. name server (NS) record as shown in given below image and click on OK.

DNS Queries

There are two types of queries in DNS:

·         Recursive Query: - It goes from DNS client to DNS server. It answer is complete means processing is complete.

·         Iterative Query: - It goes from DNS server to DNS server. It answer is not complete means its reply is referral. Iterative query is used to reach from one DNS to another DNS. It keeps the reply for 60minutes in his cache.

Verify DNS configuration

Open command prompt and type following command which will search for the Domain Name System (DNS) to find domain name or IP address mapping.

Nslookup 192.168.1.104 (server’s ip)

From given below image you can read the name of NS record/domain name i.e. raj.

Similarly using command nslookup raj we found host IP i.e. 192.168.1.104

How to Secure Port using Port Knocking

Port knocking is a technique use for sending of information through closed ports on a connected computer in a network behind a firewall. It will add security in your network for establishing connection with a particular port until the correct sequence of port is not knocked. The network administer configure port knocking using iptable which act like firewall.

Iptable chain allows a client who is familiar with the secret knock to enter the network through a specific port by performing a sequence of connection attempts. 

The main reason of port knocking is to avoid an attacker from scanning a system for potentially vulnerable services by performing a port scan, because if the attacker will not sends the accurate knock sequence, the protected ports will appear closed.

Port knocking with Iptables

Iptables is a command-line firewall service in Linux kernel that uses rule chains to permit or obstruct traffic. It defined various tables that contain a number of integrated chains which may be containing user-defined chains also. Iptable chain is a list of policy that is used to match a set of packets. Every rule/policy specifies the function that should be done with packets that matches

Type given below command with the help of following option which will create a new iptable chain:

-F: --flush [chain]

Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-X: delete-chain [chain]

Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

-Z: --zero [chain [rulenum]]

Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. 

-N: --new-chain chain

Create a new user-defined chain by the given name. There must be no target of that name already.

-A: --append chain rule-specification

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

-p: --protocol protocol

The protocol of the rule or the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. All will match with all protocols and is taken as default when this option is omitted.

-m: --match match

Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches make up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.

-j: --jump target

This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension. For example ACCEPT DROP and REJECT.

From ipset.netfilter.org

Iptables -F

Iptables -X

Iptables -Z

Iptables -N STATE0

Iptables -A STATE0 -p tcp -dport 1200 -m recent -name KNOCK1 -set -j DROP

Iptables -A STATE0 -j DROP

Iptables -N STATE1

Iptables -A STATE1 -m recent -name KNOCK1 -remove

Iptables -A STATE1 -p tcp -dport 1300 -m recent -name KNOCK2 -set -j DROP

Iptables -A STATE1 -j STATE0

Iptables -N STATE2

Iptables -A STATE2 -m recent -name KNOCK2 -remove

Iptables -A STATE2 -p tcp -dport 1400 -m recent -name KNOCK3 -set -j DROP

Iptables -A STATE2 -j STATE0

Iptables -N STATE3

Iptables -A STATE3 -m recent -name KNOCK3 -remove

Iptables -A STATE3 -p tcp -dport 22 -j ACCEPT

Iptables -A STATE3 -j STATE0

Iptables -A INPUT -m state - state ESTABLISHED,RELATED -j ACCEPT

Iptables -A INPUT -s 127.0.0.1/8 -j ACCEPT

Iptables -A INPUT -p icmp -j ACCEPT

Iptables -A INPUT -p tcp -dport 80 -j ACCEPT

Iptables -A INPUT -m recent -name KNOCK3 -rcheck -j STATE3

Iptables -A INPUT -m recent -name KNOCK2 -rcheck -j STATE2

Iptables -A INPUT -m recent -name KNOCK1 -rcheck -j STATE1

Iptables -A INPUT -j STATE0

Let’s verify it through port scanning using NMAP command.

Nmap -ST 192.168.0.25

From given below image you can observe that NMAP found only PORT 80 is open.

Type apt-get install knockd command to install knockd.

Knockd is a port-knock command-line utility. It snoops to all traffic on an Ethernet interface, come across for particular "knock" sequences of port knocks. A client makes these port-hits through sending a TCP or UDP packet to a port on the server.

Now type following command for port knocking

Knock -v 192.168.0.25 1200 1300 1400

From given image you can observe that it will start hitting on a particular port which is actually known as port knocking. Since client is aware of sequence he can make correct knocked sequence for connection attempts.

Again use port scanning with NMAP on same target

Nmap -p 192.168.0.25

Hence you can see the difference between both NMAP’s result as this time we got port 22 open for SSH service.

Now client will use credential for login into SSH server.

Conclusion! Network admin adds the filter with specific port that will wait for correct knock sequence which will then open the port to establish the connection otherwise it will remain closed the port until correct port knocked

How to Perform Local SSH Tunneling

Hello Friends! Previously we have discussed on SSH tunnel and step to perform dynamic tunneling (port forwarding) which you can read from here. Today we will talk on same scenario and perform local tunneling (port forwarding).

Local tunneling is a process to access a specific SSH client machine for communication. It let you establish the connection on a specific machine which is not connected from internet.

The only difference between dynamic tunneling and local tunneling is that, dynamic tunneling requires socks proxy for tunneling all TCP traffic and local tunneling only required destination IP address.

Let’s Begin!!

Objective:  To establish SSH connection between remote PC and local system of different network.

Here I have set my own lab which consist three systems in following network:

1.      SSH server (two Ethernet interface) 

                 i.   IP 192.168.1.217 connected to remote system 192.168.1.219

               ii.   IP 192.168.10.2 connected to local network system 192.168.10.2

2.      SSH client (local network) holds IP 192.168.10.2

3.      Remote system (outside network) holds IP 192.168.1.219

Given image below is describing the network configuration for SSH server where it is showing two IP 192.168.1.217 and another 192.168.10.1 as explain above.

Another image given below is describing network configuration for SSH client which is showing IP 192.168.10.2

Remote Pc (192.168.1.219) is trying to connect to SSH server (192.168.1.217) via port 22 and get successful login inside server.

Similarly now Remote PC (192.168.1.219) trying to connect with Client PC (192.168.10.2) via port 22, since they belongs to different network therefore he receive network error.

Step for SSH Local tunneling

·         Use putty to connect SSH server (192.168.1.22) via port 22 and choose option SSH >Tunnel given in the left column of category.

·         Give new port forwarded as 7000 and connection type as local 

·         Destination address as 192.168.10.2:22 for establishing connection with specific client and click on ADD at last.

·         Click on open when all things are set.

 This will establish connection between remote pc and SSH server.

Open new window of putty and follow given below step:

·         Give hostname as localhost and port 7000 and connection type SSH.

·         Click on open to establish connection.

Awesome!! We have successfully access SSH client via port 7000 

Beginner Guide to SSL Tunneling (Dynamic Tunneling)

Basically tunneling is process which allows data sharing or communication between two different networks privately. Tunneling is normally perform through encapsulating the private network data and protocol information inside the public network broadcast units so that the private network protocol information visible to the public network as data. 

SSH Tunnel:  Tunneling is the concept to encapsulate the network protocol to another protocol here we put into SSH, so all network communication are encrypted. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:

1.      Dynamic SSH tunneling

2.      Local SSH tunneling

3.      Remote ssh tunneling

Let’s Begin!!

Objective:  To establish SSH connection between remote PC and local system of different network.

Here I have set my own lab which consist three systems in following network:

1.      SSH server (two Ethernet interface)

                    i.         IP 192.168.1.22 connected to remote system 192.168.1.21

                  ii.         IP 192.168.10.2 connected to local network system 192.168.10.2

2.      SSH client (local network) holds IP 192.168.10.2

3.      Remote system (outside network) holds IP 192.168.1.21

In following image we are trying to explain SSH tunneling procees where a remote PC of IP 192.168.1.21 is trying to connect to 192.168.10.2 which is on INTRANET of another network. To establish connection with SSH client, remote Pc will create SSH tunnel which will connect with the local system via SSH server.

NOTE: Service SSH must be activated on server as well as client machine.

Given image below is describing the network configuration for SSH server where it is showing two IP 192.168.1.22 and another 192.168.0.1 as explain above.

Another image given below is describing network configuration for SSH client which is showing IP 192.168.10.2

Remote Pc (192.168.1.21) is trying to connect to SSH server (192.168.1.22) via port 22 and get successful login inside server.

Similarly now Remote PC (192.168.1.21) trying to connect with Client PC (192.168.10.2) via port 22, since they belongs to different network therefore he receive network error.

Step for SSH tunneling

·         Use putty to connect SSH server (192.168.1.22) via port 22 and choose option SSH >Tunnel given in the left column of category.

·         Give new port forwarded as 7000 and connection type as Dynamic and click on ADD at last.

·         Click on open when all things are set.

This will establish connection between remote pc and SSH server.

Open previous running window of putty choose Proxy option from category and follow given below step:

·         Select proxy type as SOCKS 5

·         Give proxy hostname as 127.0.0.1 and port 7000

·         Click on open to establish connection.

Awesome!! We have successfully access SSH client via port 7000 

Fuzzing SQL,XSS and Command Injection using Burp Suite

Hello friends!! Today we are going to perform fuzzing testing on bwapp application using burp suite intruder, performing this testing manually is a time consuming and may be boring process for any pentester.

The fuzzing play a vital role in software testing, it is a tool which is use for finding bugs, errors, faults and loophole by injecting a set of partially –arbitrary inputs called fuzz into a program of the application to be tested. Fuzzer tools take structure input in file format to differentiate between valid and invalid inputs. Fuzzer tool are best in identifying vulnerability like sql injection, buffer overflow, xss injection and OS command injection and etc.

Let’s start!!

Fuzzing XSS

Start burp suite in order to intercept the request and then send intercepted data into Intruder.

Many input-based vulnerabilities, such SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application's responses for error messages and other anomalies.

Considered following as given below:

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions.

Payload position: test (user input for first name)

Attack type: Sniper (for one payload)

Set payload which will be placed into payload positions during the attack. Choose payload option to configure your simple list of payload for attack. Configure the payload list using one of Burp's predefined payload lists containing common fuzz strings.

Burp suite intruder contain fuzzing string for testing xss injection, therefore choose fuzzing –xss and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

It will start attack by sending request which contains random string to test xss vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 1 having length equal to 13926.

Insert selected payload into intercepted request and then forward this request as you can see in given image.

Bravo!!  Fuzzing test is completed and it found that application have bug which lead to xss vulnerability. From screenshot you can see it is showing an xss alert prompt.

Fuzzing OS command injection

Similarly repeat the same process in order to intercept the request and then send intercepted data into Intruder.

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)

Attack type: Sniper (for one payload

Burp suite intruder contain fuzzing string which will test for os command injection, therefore choose fuzzing full and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

It will start attack by sending request which contains arbitrary string to test OS command injection vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 34 having length equal to 13343.

Insert selected payload into intercepted request and then forward this request as you can see in given image.

Great Job!!  Fuzzing test is completed and it found that application have bug which lead to OS command vulnerability. From screenshot you can see application is showing ID as per the request of the selected payload.

Fuzzing SQL

Similarly repeat the same process in order to intercept the request and then send intercepted data into Intruder.

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions. It is much similar like brute force attack.

Payload position: 1:1 (user input for login: password)

Attack type: Cluster bomb (for two payloads)

Burp suite intruder contain fuzzing string which will test for SQL injection, therefore choose fuzzing –SQL Injection for first payload postion and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

Similarly repeat the same process to set payload option for second payload position.

It will start attack by sending request which contains arbitrary string to test SQL injection vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 168 having length equal to 13648.

Insert selected payload into intercepted request and then forward this request as you can see in given image.

Wonderful!!  Fuzzing test is completed and it found that application have bug which lead to SQL injection vulnerability. From screenshot you can see we had login into Neo’s account without valid input this happens only as per the request of the selected payload.