Hostnames
Hostnames can provide valuable information to an attacker. Small companies, departments, or domains may use themed hostnames. Knowing the theme can provide information about the administrator. For example, if the hostnames eminiar, gothos, thasus, and vendikar appear in the hostname listing, then the administrator is likely a Star Trek fan (these are the names of Star Trek planets). This information is valuable to social engineers. A social engineer who contacts the administrator may create a friendship bond over a common trait. The bond can be exploited to gain trust and can be used as a conduit for collecting information leaks that can aid attacks. Similarly, passwords are frequently chosen based on themes. Knowing the hostname theme may assist password discovery.
Whereas small companies use colorful themes, larger companies usually use employee names, phone numbers, or IDs along with department abbreviations. This information discloses employee information, department sizes, and contact points for social engineering.
Hostnames may also disclose the type of network service available. For example, a host named www (in any domain) most likely runs a Web server. The host ftp runs an FTP server. Variations of ns, dns, and bind (e.g., ns1 or adns02) are likely primary or secondary name servers. If an attacker knows a vulnerability for mail servers, then the focus may be placed on hosts named mail or smtp (SMTP/email services) rather than hosts named ns or www.
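The disclosures described above can be checked from the defender's side by auditing one's own zone for hostnames that reveal a service role, an employee-style identifier, or an opaque theme. The following Python audit is an added example, not code from the original text; the sample zone listing, the regular expressions, and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed BIND-style zone listing (not from the original text).
SAMPLE_ZONE = """\
$ORIGIN example.test.
@            IN  SOA   ns1 hostmaster 2024010101 3600 900 604800 86400
@            IN  NS    ns1
@            IN  NS    adns02
@            IN  MX 10 mail
www          IN  A     192.0.2.10
ftp          IN  A     192.0.2.11
ns1          IN  A     192.0.2.2
adns02       IN  A     192.0.2.3
mail         IN  A     192.0.2.20
smtp2        IN  A     192.0.2.21
eminiar      IN  A     192.0.2.30
gothos       IN  A     192.0.2.31
jsmith-1234  IN  A     192.0.2.40
"""

# Name patterns that disclose a service role (www/ftp/ns/dns/bind/mail/smtp).
# The dns pattern allows a short prefix so variants such as adns02 are caught.
ROLE_PATTERNS = [
    ("web",  re.compile(r"^(www|web)\d*$")),
    ("ftp",  re.compile(r"^ftp\d*$")),
    ("dns",  re.compile(r"^[a-z]{0,2}(ns|dns|bind)\d*$")),
    ("mail", re.compile(r"^(mail|smtp|mx)\d*$")),
]
# Employee-style names: letters followed by a numeric ID or phone-like digits.
ID_PATTERN = re.compile(r"^[a-z]+[-_]?\d{3,}$")

def parse_a_records(zone_text):
    """Return the owner names of A records in a BIND-style zone listing."""
    names = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "IN" and fields[2] == "A":
            names.append(fields[0].lower())
    return names

def classify_hostname(name):
    """Label a hostname by what its naming convention discloses."""
    for role, pattern in ROLE_PATTERNS:
        if pattern.match(name):
            return role
    if ID_PATTERN.match(name):
        return "employee-id"
    return "opaque"  # themed or meaningless names; review these as a group

def audit_zone(zone_text):
    """Group the zone's A-record hostnames by disclosure category."""
    report = defaultdict(list)
    for name in parse_a_records(zone_text):
        report[classify_hostname(name)].append(name)
    return dict(report)

if __name__ == "__main__":
    for category, hosts in sorted(audit_zone(SAMPLE_ZONE).items()):
        print(f"{category:12s} {', '.join(hosts)}")
```

Hosts in the "opaque" group can then be inspected for a shared theme, and role-revealing names weighed against the convenience they give legitimate users.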
Reconnaissance and Exploitation
DNS allows an attacker to gain insight about potential targets. Reconnaissance about a domain may come from hostnames, zone transfers, host listings, and DNS fields. Knowing information about a host can directly lead to exploitable risks and additional reconnaissance. Along with exploitation and information gathering, DNS can also be used to hide information.
In this tutorial:
- Domain Name System (DNS)
- DNS Common Uses
- Hostname-to-Address Mapping
- Common Lookup Tools
- Naming Confusion Attack Vectors
- Dotted Names
- Name Formatting
- Exploited Anonymity
- Mail Servers
- Sender Policy Framework Overloading
- Domain Keys Overloading
- DNS Protocol
- Packet Information
- Simple DNS Server
- Distributed Architecture
- Top Level Domain Servers
- Generic Top Level Domain (gTLD)
- Secondary Level Domain (SLD)
- Primary and Secondary Servers
- Caching Servers
- DNS Management
- DNS Direct Risks
- DNS Performance versus Security
- DNS Cache Poisoning
- Corrupt DNS Packets
- DNS Domain Hijacking
- DNS Server Hijacking
- Dynamic DNS
- Similar Hostnames
- Domain Renewals
- Hostnames
- Zone Transfers
- Host Listing
- DNS Fields
- Mitigation Option
- Technical Threat Mitigation
- Social Threat Mitigation
- Defining Trusted Replies