Hostnames

Hostnames can provide valuable information to an attacker. Small companies, departments, or domains may use themed hostnames, and knowing the theme can reveal information about the administrator. For example, if the hostnames eminiar, gothos, thasus, and vendikar appear in the hostname listing, then the administrator is likely a Star Trek fan (these are the names of Star Trek planets). This information is valuable to social engineers. A social engineer who contacts the administrator may create a friendship bond over a common trait. The bond can be exploited to gain trust and can be used as a conduit for collecting information leaks that can aid attacks. Similarly, passwords are frequently chosen based on themes. Knowing the computer theme may assist password discovery.

Whereas small companies use colorful themes, larger companies usually use employee names, phone numbers, or IDs along with department abbreviations. This information discloses employee information, department sizes, and contact points for social engineering.

Hostnames may also disclose the type of network service available. For example, most hosts named www (in any domain) likely run Web servers. The host ftp runs an FTP server. Variations of ns, dns, and bind (e.g., ns1 or adns02) are likely primary or secondary name servers. If an attacker knows a vulnerability for mail servers, then the focus may be placed on hosts named mail or smtp (SMTP/email services) rather than hosts named ns or www.
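
A defender can apply the same reading to the names their own zone publishes and decide which ones give away more than intended. The script below is an added example, not code from the original text: it flags host labels that advertise a service using the keywords mentioned above, and labels that carry a long digit run. The four-digit threshold, the category names, and the sample listing under example.com are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Service keywords named in the text above.
SERVICE_HINTS = {
    "web server": ("www",),
    "FTP server": ("ftp",),
    "name server": ("ns", "dns", "bind"),
    "mail server": ("mail", "smtp"),
}
# Assumption: a run of four or more digits may be a phone number or ID.
ID_RUN = re.compile(r"\d{4,}")

def service_hint(token):
    """Return the service a label token advertises, or None."""
    stem = re.sub(r"\d+$", "", token.lower())  # ns1 -> ns, adns02 -> adns
    for service, keywords in SERVICE_HINTS.items():
        for kw in keywords:
            # Exact keyword, or keyword with a one-letter prefix (adns -> dns).
            if stem == kw or (len(stem) == len(kw) + 1 and stem.endswith(kw)):
                return service
    return None

def audit(hostnames):
    """Group fully qualified names by what the host label gives away."""
    report = defaultdict(list)
    for fqdn in hostnames:
        label = fqdn.strip().rstrip(".").split(".")[0].lower()
        hints = {service_hint(t) for t in re.split(r"[-_]", label) if t}
        hints.discard(None)
        for hint in sorted(hints):
            report[hint].append(fqdn)
        if ID_RUN.search(label):
            report["possible phone number or ID"].append(fqdn)
        elif not hints:
            report["no disclosure found"].append(fqdn)
    return dict(report)

# Constructed listing for illustration; example.com is a placeholder domain.
SAMPLE = [
    "www.example.com", "ftp.example.com", "ns1.example.com",
    "adns02.example.com", "mail.example.com", "smtp2.example.com",
    "gothos.example.com", "acct-5551234.example.com",
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE).items():
        print(f"{category}: {', '.join(names)}")
```

Themed names such as gothos pass this check because recognizing a theme needs a human reader or a word list, so a "no disclosure found" result still deserves a manual look.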

Reconnaissance and Exploitation

DNS allows an attacker to gain insight into potential targets. Reconnaissance about a domain may come from hostnames, zone transfers, host listings, and DNS fields. Knowing information about a host can directly lead to exploitable risks and additional reconnaissance. Along with exploitation and information gathering, DNS can also be used to hide information.