Cybersecurity Lab Setup and Tools

Questions and Answers

What is the function of the command 'dnsrecon -D'?

Check the version of the BIND nameserver

Perform reverse DNS scans

Include dictionaries for DNS brute force scans (correct)

Display available options for dnsrecon

Which of the following statements about 'nslookup' is true?

It has more functionality than 'dig'.

It is usually installed on compromised hosts. (correct)

It is a fully featured DNS client.

It cannot confirm blind command injection.

What is the primary advantage of using 'dig' over 'nslookup'?

It provides more detailed querying options. (correct)

It is built into Metasploit.

It is the only tool that performs a zone transfer.

It is available on all platforms.

Which script is used with Nmap for discovering CNAMEs?

dns-brute.nse

What is the default port number for Burp Suite?

8080

Which of the following is a benefit of using OWASP ZAP?

It is a full-featured open-source interception proxy.

In Metasploit, which module is used for DNS brute forcing?

dns_bruteforce

What does the command 'dig @ nameserver version.bind chaos txt' do?

Retrieves the version of the BIND nameserver.

What is the default username and password used for logging into the provided virtual image?

student / cybr

Which of the following tools is NOT included in the lab setup?

Fiddler

Which command-line tool is used to perform WHOIS lookups?

whois

What TCP port is used for WHOIS queries?

43

What is the purpose of a DNS Zone Transfer?

To mirror DNS information between servers

What should be done when performing large DNS brute force scans?

Always scan with permission

Which of the following is a reconnaissance tool included in the lab setup?

Sqlmap

What is the root password for MySQL in the provided virtual image setup?

mutillidae

Which web browsers are available in the lab setup?

Firefox and Chromium

What are the types of DNS Zone Transfers mentioned?

AXFR and IXFR

Study Notes

Lab Setup

• Virtual Image: Students will receive a virtual image file called cybrKali.ova.
• Import: Use VirtualBox or VMWare to import the file.
• Kali: Alternatively, students can use Kali directly.

Log In

• Username: student
• Password: cybr (case sensitive)
• Root Access: Use sudo with the same password for root access.

Included Tools

• Operating System: Kali, 64-bit
• Web Server: Apache HTTP Server
• Database: MySQL (root password: mutillidae)
• Programming Language: PHP
• Java: Java Runtime Environment (JRE)
• Web Browsers: Firefox and Chromium
• Reconnaissance Tools:
  • whois, dig, nslookup
  • Nmap (Zenmap)
  • DNSRecon
  • Metasploit
  • Netcat (nc)
  • curl
  • Nikto
  • Wireshark
  • sqlmap
• Interception Proxies:
  • Burp Suite (default port 8080)
  • OWASP Zed Attack Proxy (ZAP) (default port 8082)

Targets

• Mutillidae: A vulnerable web application designed for penetration testing training.
• Altoro Mutual: Use the provided credentials (jsmith, Demo1234) to access the web application.
• Zero Bank: Use the provided credentials (username, password) to access the web application.

WHOIS

• Protocol: TCP port 43
• Stealth: Helps with reconnaissance.
• Output:
  • Name(s) and phone number(s)
  • Physical address
  • DNS server (Names and IP addresses)
  • Public netblocks
• Helpful Use: Iterating Whois/DNS lookups can be beneficial.

Domain Name System (DNS)

• Database: A hierarchical database of domain names.
• Protocol: UDP port 53 with a payload size of 512 bytes, particularly for zone transfers.
• Information: Provides various information valuable for virtual host discovery during penetration tests.

DNS Zone Transfer

• Functionality: Allows secondary DNS servers to mirror data from a primary server.
• Security: Ideally, zone transfer should be restricted.
• Exceptions:
  • ISPs managing DNS for customers.
  • Internal DNS servers permitting zone transfers within internal networks.
• Types:
  • AXFR: Full transfer.
  • IXFR: Incremental transfer.

When Zone Transfers Are Unavailable

• Reverse DNS (PTR) Scans:
  • Many DNS administrators create reverse (PTR) records for every A record.
  • Perform a whois lookup for IP addresses, then perform a reverse DNS lookup for each IP.
• DNS Brute Force Scans:
  • Discover names, virtual hosts, and CNAMEs.
  • Utilize a dictionary of potential DNS names and attempt to resolve entries.
  • Useful for virtual host discovery.
  • Seek permission before performing comprehensive brute force scans.

DNSRecon

• Function: A tool by Carlos Perez (@darkoperator) for various DNS reconnaissance tasks.
• Location: /usr/share/dnsrecon in the VM.
• Basic Usage: dnsrecon -d <domain>
• Options:
  • -n: Perform a brute force domain scan.
  • -r: Perform a reverse DNS scan.
  • -D: Use included dictionaries (wordlists) for brute force scans.
• Wordlist: /usr/share/dnsrecon/namelist.txt (contains 1,909 entries)

nslookup

• Pros:
  • Widely available.
  • Often installed on compromised hosts.
  • Useful for confirming blind command injection (outbound DNS may be unfiltered).
• Cons:
  • Limited functionality compared to dig.
  • Reduced functionality in newer versions.

dig

• Functionality: A comprehensive DNS client.
• Availability: Native on OS X and most UNIX/Linux distributions.
• Included: In the BIND (Berkeley Internet Name Domain) DNS server package.
• Usage: dig @example.com options…
• Options:
  • -t any: Query all record types.
  • -t ns: Query for name server records.
  • -x: Perform a reverse DNS lookup (PTR records).
  • -t axfr: Attempt a zone transfer.
  • dig @nameserver version.bind chaos txt: Query the nameserver’s BIND version.

Nmap DNS NSE Scripts

• Nmap NSE Scripts: Nmap includes several DNS-oriented NSE (Nmap Scripting Engine) scripts.
• Functionality:
  • Some replicate dig functionality, including dns-zone-transfer.nse.
  • dns-brute.nse helps discover CNAMEs.
• Location: /usr/share/nmap/scripts/dns*

Metasploit

• Popularity: A widely used exploitation framework.
• Web Testing: Offers substantial web testing capabilities, especially for off-the-shelf software.
• Exploits: Includes exploits for common platforms like Wordpress, Joomla, Drupal, Oracle DB, and SQL Server.
• DNS Information Gathering:
  • Modules located in /opt/metasploit-framework/embedded/framework/modules/post/multi/gather:
    • dns_bruteforce.
    • dns_reverse_lookup.
    • dns_srv_lookup.

Burp Suite

• Default Port: 8080 (can be changed in Proxy->Options).
• Versions:
  • Older version available as a desktop shortcut (includes scan functionality).
  • Newer version in favorites (lacks scan function).

OWASP Zed Attack Proxy (ZAP)

• Functionality: A comprehensive open-source interception proxy.
• Access: Available via desktop shortcut, Favorites, or command line (zap.sh).
• Port Number: Set in Tools->Options->Local Proxies->Port (default 8082).
• Certificate Setup: ZAP's CA certificate can be configured in Firefox.
• Documentation: OWASP ZAP Desktop User Guide at https://www.zaproxy.org/docs/desktop/.

Description

This quiz covers the setup and tools required for a cybersecurity lab using Kali Linux. Students will learn how to import a virtual image, log in, and utilize various reconnaissance and interception tools effectively. The focus is on practical skills essential for cybersecurity training.