RE: finding dyndns names for existing IP

From: Adrian Lazar (alazar_at_bripharm.com)
Date: 11/26/03

    To: <pen-test@securityfocus.com>
    Date: Wed, 26 Nov 2003 08:30:48 -0800
    
    

    Have you tried doing DNS zone transfers? Sometimes DNS servers or only
    domain zones are misconfigured and allow this.

    anydomainname.com is hosted by ns.company.com where ns is primary,
    secondary, tertiary, etc.

    nslookup
    set q=any
    server ns.company.com
    ls -d anydomainname.com.

    dig @ns.company.com axfr anydomainname.com

    Hope this helps.

    Cheers,
    Adrian

    PS: another thing I would do is to ask routers for subnet masks (SING,
    hping), look at their web site pages' code to determine possible
    internal IPs, analyze their e-mail headers - sometimes these leak
    internal IP addresses.

    -----Original Message-----
    From: Thomas Kerbl [mailto:t.kerbl@weigl.de]
    Sent: Wednesday, November 26, 2003 2:06 AM
    To: pen-test@securityfocus.com
    Subject: finding dyndns names for existing IP

    Hello,

    I'm searching for a way to find DynDns names to existing IPs. We are
    working on a pen-test for a customer, who has a dynamic IP that changes
    every day, and it is hard for us to keep track of their Gateway. We
    simulate an attacker without internal knowledge, so we cannot simply ask
    for a dyndns name. Social Engineering would be easy, but I'm looking for
    a technical way to do it. We already tried obvious names like
    companyname.dyndns.org and similar DNS names.

    To try to summarize the problem:

    1) We assume the company uses the DynDns service (or a similar service).
    2) We got the actual valid IP through social engineering.
    3) We want to find the dyndns name of this IP to keep track.

    Is there a Database hosted by dyndns (or similar service) we can
    consult? Or is there a way to do a reverse lookup on the IP?

    thanks a lot for any pointers,
    Thomas Kerbl

    -- 
    ~ weigl interservice
    ~ www.weigl.de
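
The zone-transfer check from the reply above, turned around for the operator of a zone: an added example, not part of the original messages, that reads `dig ... axfr` output and reports whether each name server handed over the zone. The function names and the sample dig output are constructed for illustration, and `audit_zone` assumes `dig` is installed and is run against a zone you operate.

```shell
#!/bin/sh
# Added example: check that name servers for a zone you operate refuse AXFR.

# Read `dig @server axfr zone` output on stdin; print open, refused or inconclusive.
axfr_verdict() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        /^;/ || NF == 0      { next }        # skip dig comments and blank lines
        $4 == "SOA"          { soa++ }       # fields: name ttl class type rdata
        END {
            if (failed)        print "refused"
            else if (soa >= 2) print "open"  # a complete AXFR begins and ends with the SOA
            else               print "inconclusive"
        }'
}

# Query every NS of the zone; return 1 if any of them served the whole zone.
audit_zone() {
    zone=$1; rc=0
    for ns in $(dig +short NS "$zone"); do
        verdict=$(dig +time=5 +tries=1 @"$ns" axfr "$zone" | axfr_verdict)
        printf '%s\t%s\t%s\n' "$zone" "$ns" "$verdict"
        if [ "$verdict" = open ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed dig output (names from the message above, documentation IPs).
sample_open() {
    cat <<'EOF'
;; global options: +cmd
anydomainname.com. 3600 IN SOA ns.company.com. hostmaster.anydomainname.com. 2003112601 10800 3600 604800 3600
anydomainname.com. 3600 IN NS ns.company.com.
gw.anydomainname.com. 3600 IN A 192.0.2.10
anydomainname.com. 3600 IN SOA ns.company.com. hostmaster.anydomainname.com. 2003112601 10800 3600 604800 3600
;; XFR size: 4 records (messages 1, bytes 215)
EOF
}
sample_refused() {
    cat <<'EOF'
; <<>> DiG 9.18.1 <<>> @ns.company.com axfr anydomainname.com
;; global options: +cmd
; Transfer failed.
EOF
}

# Run the live audit only when a zone name is given on the command line.
if [ $# -gt 0 ]; then audit_zone "$1"; fi
```

An `open` verdict means that server gives the full zone to any client that asks; in BIND, transfers are limited to the intended secondaries with `allow-transfer`.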