Sub-domain enumeration using DNS records

DNS records sometimes reveal sub-domain information.

CNAME record

CNAME stands for Canonical Name. A CNAME record aliases one name to another, so its value is always a hostname. Sometimes CNAMEs reveal an organization's sub-domains, or reveal what sort of service is running behind a domain (for example, when the target hostname belongs to a hosting or SaaS provider).

The following image shows the PTR record for flaws.cloud. The value of the record is a hostname that reveals that the application is hosted on an Amazon EC2 instance, and which region it runs in.

cname

SPF record

  • A Sender Policy Framework (SPF) record is used to tell receiving mail exchangers which hosts are authorized to send mail for a given domain
  • Simply put, an SPF record lists all the hosts that are authorised to send email on behalf of a domain. Mail servers that receive email use the SPF record to validate the authenticity of the message's envelope sender
  • SPF records are typically published using the TXT record type. There is also a dedicated SPF record type, but it is deprecated, so in most cases you will have to look in the TXT records for the SPF value
  • A sample SPF record looks like the following image:
$ dig +short TXT icann.org | grep spf
"v=spf1 ip4:192.0.32.0/20 ip4:199.91.192.0/21 ip4:64.78.40.0/27 ip4:162.216.194.0/27 ip6:2620:0:2d0::0/48 ip6:2620:0:2830::0/48 ip6:2620:0:2ed0::0/48 include:salesforce.icann.org -all"

spf

  • SPF records help attackers better understand which third-party service providers an organization is using to send its email (the include: mechanisms name them directly)
  • SPF records sometimes reveal information about an organization's internal netblocks (ip4:/ip6: mechanisms) and sub-domains (include:, a:, mx: and redirect= targets)

A study on SPF records for OSINT - https://blog.rapid7.com/2015/02/23/osint-through-sender-policy-framework-spf-records/

  • It is common among fintech applications to have internal netblocks listed in their SPF record

spf

  • We wrote a simple script to extract netblocks & domain names from SPF (Sender Policy Framework) DNS records. For every parsed asset, the script will also find and print Autonomous System Number (ASN) details. The script is available here: https://github.com/0xbharath/assets-from-spf

spf-script
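An added example (not the page's script and not the assets-from-spf project's code) of the core parsing step: walk a domain's SPF TXT record, collect the ip4:/ip6: netblocks and the hostnames named by include:, redirect=, a:, mx:, ptr: and exists:, and follow include:/redirect= chains recursively with a loop guard. Real DNS lookups are replaced by an inline dictionary so it runs offline: the icann.org entry is the record quoted above, while the salesforce.icann.org entry and _spf.example.net are constructed stand-ins, not the real records.

```python
import re
import ipaddress

# Constructed stand-in for DNS lookups: the icann.org record is the one quoted on
# this page; the salesforce.icann.org record is made up (its real one is not here).
SAMPLE_TXT = {
    "icann.org": [
        '"v=spf1 ip4:192.0.32.0/20 ip4:199.91.192.0/21 ip4:64.78.40.0/27 '
        'ip4:162.216.194.0/27 ip6:2620:0:2d0::0/48 ip6:2620:0:2830::0/48 '
        'ip6:2620:0:2ed0::0/48 include:salesforce.icann.org -all"'
    ],
    "salesforce.icann.org": ['"v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"'],
}

# optional qualifier, mechanism/modifier name, optional ":value" or "=value"
TERM = re.compile(r"^[+\-~?]?(?P<name>ip4|ip6|include|redirect|exists|a|mx|ptr)"
                  r"(?:[:=](?P<value>\S+))?$", re.I)

def spf_record(domain, txt=SAMPLE_TXT):
    """Return the domain's first TXT string that starts with v=spf1, or None."""
    for rec in txt.get(domain, []):
        rec = rec.strip('"')
        if rec.lower().startswith("v=spf1"):
            return rec
    return None

def assets_from_spf(domain, txt=SAMPLE_TXT):
    """Return (netblocks, hostnames) referenced by a domain's SPF record, following
    include:/redirect= chains. Depth is capped at 10, the RFC 7208 lookup limit."""
    nets, hosts, seen = set(), set(), set()
    def walk(name, depth):
        rec = spf_record(name, txt)
        if rec is None or name in seen or depth > 10:
            return  # no record, already visited (include loop), or chain too deep
        seen.add(name)
        for term in rec.split()[1:]:
            m = TERM.match(term)
            if not m:
                continue  # "all" and unknown modifiers name no asset
            kind, value = m.group("name").lower(), m.group("value")
            if kind in ("ip4", "ip6") and value:
                nets.add(str(ipaddress.ip_network(value, strict=False)))
            elif kind in ("include", "redirect") and value:
                hosts.add(value)
                walk(value, depth + 1)
            else:  # a, mx, ptr, exists: the value if given, else the domain itself
                hosts.add((value or name).split("/")[0])
    walk(domain, 0)
    return nets, hosts
```

Resolving each collected netblock and hostname to its ASN (what the script above does next) is the step that turns this list into an asset inventory; run against your own domains it shows exactly which third parties and address ranges are currently authorized to send as you.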
