DNS Reconnaissance against wildcard domains

Wed 24th Oct 12

I recently did a test against a company and in the debrief they asked how I managed to enumerate so many of their subdomains as they were using a wildcard DNS setup and the previous tester had commented that it prevented DNS enumeration. When I explained to them how the wildcard only obscured valid domains they had a few choice words for the previous tester and I figured it would make a nice little blog post.

A quick scene setter, a wildcard DNS record is one which will match a request when there is no record explicitly defined for that request. It is usually defined as *.domain.com, here is an example of it in use:

www.domain.com		A	1.2.3.4
hidden.domain.com	A	1.2.3.4
test.domain.com		A	1.2.3.5
staging.domain.com	A	1.2.3.6
*.domain.com		A	1.2.3.4

Here if I request the IP for www.domain.com I'll be given the IP 1.2.3.4, if I request test.domain.com I'll get 1.2.3.5 but if I request mail.domain.com, as there is no record explicitly defined, I'll get the wildcard response of 1.2.3.4.

Why would this prevent enumeration? One of the starting points of most enumeration is to do a brute force lookup against the name servers looking for a list of common names. There are plenty of tools out there to do this, my preferred is dnsrecon by Carlos Perez but there is also Fierce by Jabra and dnssenum. When a brute force like this is performed against a domain using a wildcard record every request is going to come back as successful, either with a real result or that of the default record. The amount of data this generated must have overwhelmed the previous tester which is why he believed the wildcard was adding security.

So why is this not a problem? First, by making a request for a record which will never exist, e.g. fkrusfk9374Fs.domain.com, I can determine whether a wildcard is in use. If I get a result then it is and I know the default IP that the wildcard returns. Next I simply filter out any results which have that IP. If I get the following results:

www.domain.com		A	1.2.3.4
hidden.domain.com	A	1.2.3.4
test.domain.com		A	1.2.3.5
test1.domain.com	A	1.2.3.4
test2.domain.com	A	1.2.3.4
staging.domain.com	A	1.2.3.6
lab.domain.com		A	1.2.3.4
mail.domain.com		A	1.2.3.4
owa.domain.com		A	1.2.3.4

I can filter them down to this list:

test.domain.com		A	1.2.3.5
staging.domain.com	A	1.2.3.6

As these records do not match the wildcard IP they must be ones that are explicitly defined on the name server. You will notice I've lost two valid results, www and hidden. As most domains would have a www record I would generally assume that that exists anyway. As for hidden, well, that is one that has slipped through the net but I'd rather lose one record and be left with two to test than to give up completely as soon as I see a wildcard is in use.

If you want to know how to find the two entries lost in the above filtering the next step in DNS enumeration is to take a look at Google and what it knows about your target. Rather than try to document this I'll point you at a talk and tool by Tim Tomes (lanmaster53) from this years Hack3rcon, Next Generation Web Reconnaissance.

Good luck, and hopefully next time you see a wildcard record you will look though the chaff and be able to pick out the juicy bits it only obscures.