Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Several Domains
From: Tim Brown <tmb () 65535 com>
Date: Fri, 12 Dec 2008 09:43:24 +0000

On Friday 12 December 2008 03:33:32 Ahmed Zaki wrote:
Thanks for your reply .

Apparently its my fault I should have made my question clearer.

Your target is Company X . The ip of the mail server turned to be
xxx.xxx.xxx.xxx and that when used to do a reverse DNS lookup gave
mail.companyx.com , mail.companyx-fs.com, mail.companyx.com.fs ,
mail.companyxfs.com . As a pentester how would you go about identifying the
actual domain name that is being used internally .

Are the DNS servers under the control of your target?  Microsoft's DNS server 
implementation has an interesting default configuration where 
127.in-addr.arpa, 255.in-addr.arpa and 0.in-addr.arpa are automatically 
populated (this can be disabled from the registry).  The automatic population 
of these zones can often leak internal network information.  Likewise, bind 
has a similar issue, have a look at 
http://www.nth-dimension.org.uk/blog.php?id=56 which discusses this in more 

Tim Brown
<mailto:tmb () 65535 com>

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]