RE: finding dyndns names for existing IP

From: Adrian Lazar (alazar@bripharm.com)
Date: Wed Nov 26 2003 - 11:30:48 EST


Have you tried doing DNS zone transfers? Sometimes DNS servers or only
domain zones are misconfigured and allow this.

anydomainname.com is hosted by ns.company.com where ns is primary,
secondary, ternary, etc.

nslookup
set q=any
server ns.company.com
ls -d anydomainname.com.

dig @ns.company.com axfr anydomainname.com

Hope this helps.

Cheers,
Adrian

PS: another thing I would do is to ask routers for subnet masks (SING,
hping), look at their web site pages' code to determine possible
internal IPs, analyze their e-mail headers - sometimes these leak
internal IP addresses.

-----Original Message-----
From: Thomas Kerbl [mailto:t.kerbl@weigl.de]
Sent: Wednesday, November 26, 2003 2:06 AM
To: pen-test@securityfocus.com
Subject: finding dyndns names for existing IP

Hello,

I'm searching for a way to find DynDns names to existing IPs. We are
working on a pen-test for a customer, who has a dynamic IP that changes
every day, and it is hard for us to keep track of their Gateway. We
simulate an attacker without internal knowledge, so we cannot simply ask
for a dyndns name. Social Engineering would be easy, but I'm looking for
a technical way to do it. We already tried obvious names like
companyname.dyndns.org and similar DNS names.

To try to summarize the problem:

1) We assume the company uses the DynDns service (or a similar service).
2) We got the actual valid IP through social engineering.
3) We want to find the dyndns name of this IP to keep track.

Is there a Database hosted by dyndns (or similar service) we can
consult? Or is there a way to do a reverse lookup on the IP?

thanks a lot for any pointers,
Thomas Kerbl

-- 
~ weigl interservice
~ www.weigl.de
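As an added example (not from either poster): given the output of a zone transfer like the dig axfr command above, in dig's presentation format (a constructed sample zone for anydomainname.com), the script builds the address-to-name map the original question asks for and lists records that point into RFC 1918 space, which is what a zone owner should audit before leaving AXFR open to arbitrary clients.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: what a permitted AXFR of anydomainname.com might return,
# in the presentation format dig prints (owner TTL class type rdata).
SAMPLE_AXFR = """\
anydomainname.com.           3600 IN SOA  ns.anydomainname.com. hostmaster.anydomainname.com. 2003112601 7200 3600 1209600 3600
anydomainname.com.           3600 IN NS   ns.anydomainname.com.
ns.anydomainname.com.        3600 IN A    192.0.2.1
www.anydomainname.com.       3600 IN A    192.0.2.10
mail.anydomainname.com.      3600 IN A    192.0.2.10
gw.anydomainname.com.         300 IN A    198.51.100.7
intranet.anydomainname.com.  3600 IN A    10.0.0.5
fileserver.anydomainname.com. 3600 IN A   192.168.1.20
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_axfr(text):
    """Yield (owner, ttl, rtype, rdata) from dig-style zone output; skip non-RR lines."""
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            yield owner.rstrip("."), int(ttl), rtype, rdata.strip()

def ip_to_names(text):
    """Reverse map address -> sorted owner names, built from A/AAAA records."""
    index = defaultdict(set)
    for owner, _ttl, rtype, rdata in parse_axfr(text):
        if rtype in ("A", "AAAA"):
            index[rdata].add(owner)
    return {ip: sorted(names) for ip, names in index.items()}

def leaked_internal_hosts(text):
    """(owner, address) pairs whose A record points into RFC 1918 space."""
    leaks = []
    for owner, _ttl, rtype, rdata in parse_axfr(text):
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            leaks.append((owner, rdata))
    return leaks

if __name__ == "__main__":
    print(ip_to_names(SAMPLE_AXFR).get("198.51.100.7"))  # ['gw.anydomainname.com']
    print(leaked_internal_hosts(SAMPLE_AXFR))
```

Feed it the real output of dig @ns axfr zone to see which names a transfer would hand out for a given address and whether any internal hosts are published in the zone.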


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:42 EDT