DNS reconnaissance

Login to linux.cs.pdx.edu. Examine /etc/resolv.conf to find the local DNS server for the client resolver on the machine. Examine the man page for dig to find the syntax for specifying a server to query, a flag for specifying the type of record to query, and queryopt(ions) to specify the use of TCP for the query.

Answer the following for your lab notebook.

DNS iterative lookups

Examine the man page for dig to find the query option that allows one to specify whether a query can recurse or whether it should be iterative. On linux.cs.pdx.edu, simulate the operation of a local DNS server. Choose a DNS name containing at least 4 parts (e.g. www.cs.pdx.edu , console.cloud.google.com , www.unsw.edu.au , www.amazon.co.uk ). Start by running dig with no arguments to list all root DNS servers that have been hard-coded into the tool. Locate the IPv4 address of the F root server.

Starting with the F root server, perform the iterative queries a local DNS server would perform on a lookup. In performing this sequence of queries, ensure the queries are iterative and use TCP. (MCECS networks block UDP DNS traffic). Ensure that you are traveling down the hierarchy with the servers being specified via the @. Ensure you use the appropriate DNS record type for specifying that the authoritative server should be returned.

On linux.cs.pdx.edu, practice some shell (bash) preliminaries.

First, perform the following commands and examine the output to understand what egrep, awk, and the pipes (|) are doing:

ls -l /dev
ls -l /dev | egrep vcs
ls -l /dev | egrep vcs | awk '{print $10}'

You can save the standard output of a command and use it in subsequent command-line arguments. One way is to save it to an environment variable using back-ticks `command` or $(command)

X=`ls -l /dev | egrep loop | awk '{print $10}'`
echo $X
X=$(ls -l /dev | egrep loop | awk '{print $10}')
echo $X

Then, you can use a for loop in bash to iterate over each value that is returned

for i in `echo $X`
do
  file /dev/$i
done

Aliases and reverse lookups

Examine the man page for dig to find the flag for doing simplified reverse lookups on IPv4 addresses. Given the flag and the shell tutorial above, perform the following and include the results in your lab notebook:

On linux.cs.pdx.edu, practice some more shell (bash) preliminaries.

Ranges in the shell can be specified via { } notation. Perform the following two commands to see how it works.

echo {0..2}{0..9}
for i in {1..20}
do
  echo $i
done

Using a for loop, perform a reverse DNS lookup for each IP address on the 131.252.220.0/24 subnet. Note that some addresses on the subnet do not have names bound to them and will not return a record. Take the output of the loop and pipe it to egrep and awk to list just the names of the hosts, then redirect the final output to a file called 220hosts.txt output using the > character to perform output redirection to a file.

Within the range of hosts is a set of car manufacturer names. Using the head and tail commands, craft a command in the format below that returns their names.

cat 220hosts.txt | head -<number_of_lines_1> | tail -<number_of_lines_2>

Content distribution networks (CDNs), covered later in this course, are a way of forward-deploying content to locations that are close to those who need access to it. Such networks can be implemented using DNS by replicating content across multiple servers and then having the authoritative DNS server for the site point resolutions to the replica nearest to the user.

To show how this is done, we will use dig to resolve www.google.com from different local name servers in order to see how resolution differs from different locations. After each step, answer the questions for in your lab notebook.

Visit https://www.iplocation.net/ and lookup the geographical location of the following DNS servers: 131.252.208.53 and 198.82.247.66.

Then, using dig, resolve www.google.com from each of the DNS servers (dig @<DNS_server_IP> www.google.com).

Go back to https://www.iplocation.net/ and lookup the geographical location of each IP address returned. What geographic locations do ipinfo.io and DB-IP return?

Perform a traceroute to all 4 IP addresses from a PSU network.

In this lab, we will perform a full-trace analysis that recaps the protocols you have learned. To begin with, on your local Linux VM

Perform a reverse DNS lookup on the DNS server to find its name

Dump ARP table

To begin with, we will use the shell to delete all entries in the ARP table for the VM. Examine the output of the command below to see all of the entries in the table and their numeric IP addresses.

arp -an

In order to delete the ARP entry of a particular IP address we simply run the command:

sudo arp -d <IP_address>

Given this, we first need to generate a list of IP addresses with entries in the table. Note that the IP address in the output of the command is enclosed in parentheses. By default, awk uses the space character as a delimiter between output fields. We can use the -F flag of awk to specify alternate characters instead. The flag accepts a regular expression so the following expression -F '[()]' passed to awk instructs it to use either parenthesis character as a delimiter.

Use a single command-line to create a file that contains each IP address that appears in the machine's ARP table and places the results in a file called arp_entries. The command should be similar to the one below:

arp -an | awk -F '...' '{print ...}' > arp_entries

Clear ARP table and retrieve site

Before clearing the cache, launch wireshark and begin capturing all traffic on the virtual ethernet interface found earlier.

sudo wireshark

Then clear the ARP table and immediately retrieve http://<OdinId>.oregonctf.org (replacing <OdinId> with your Odin Id).

for i in $(cat arp_entries)
do
  sudo arp -d $i
done ; wget http://<OdinId>.oregonctf.org

Analyze trace

Stop the packet capture and inspect it. Ensure the ARP packets and DNS request and response packets for the request show up in the trace. If not, you are using a cached lookup. Run the lab again using random characters after the <OdinID> in the DNS name you are fetching.

Answer the following questions:

Some helpful display filters include dns, tcp.flags.syn, and http.request