top of page
OTW

OSINT: How to Use the DNS Cache to Determine the Target's AV Software

Updated: Dec 30, 2022


Welcome back, my greenhorn hackers!

In previous tutorials, we have looked at ways to re-encode your payloads and other malware to evade AV software. We have also looked at the inner workings of Clam AV to better understand how this type of software works. Sometimes, we can encode our malware with applications such as Shellter and Veil-Evasion and it will successfully evade one type of AV software and not another.

In our efforts to evade AV, it may not be possible to evade all AV software. On the other hand, we may not need to evade ALL AV software, just the AV software that the target is using. If we could decipher what AV they are using, we could make certain that our malware is undetectable by that AV. That's all we need.

In an earlier tutorial, I introduced you to recon-ng. Recon-ng is a powerful modular reconnaissance framework. One of the modules enables us to detect what AV software the target is using. It relies upon sending non-recursive DNS queries to the corporate DNS server to determine whether that DNS server has a cache that includes that AV manufacturer's website. If it does, that means that someone within the organization is using that AV software (someone is the organization has had to go to the website to update signatures) If it doesn't, it means that no one has queried for that AV manufacturers site and is likely not using that software.

1. Fire Up Kali and Start Recon-Ng

Let's start my firing up Kali and starting recon-ng by typing in a terminal;

kali >recon-ng

When recon-ng starts, you will be greeted with a welcome screen like that above.

2. Show Modules

Remember, recon-ng works very similarly to Metasploit. The commands in some cases are identical and if not, very close. Like Metasploit, we can see all the modules by typing;

recon-ng > show modules

As you can see, the first group of modules displayed are the discovery modules and the first discovery module is "cache snoop". That is the module we want to use here.

3. Use

To use the cache snoop module the syntax is identical to Metasploit. Simply type;

recon-ng > use discovery/info_disclosure/cache_snoop

Once this module is loaded, type;

recon-ng >show info

In this info screen, we can see the basics of this module. It's really quite simple. It requires two inputs; (1) a file containing the AV software domains, and (2) the IP address of the NAMESERVER we are snooping on.

Recon-ng includes a default list of AV softwarre domains. It is a simple text file at;

/usr/share/recon-ng/data/avdomains

We can view its contents by simply opening it in a text editor or using one of the many commands in Linux that displays the contents of a file such as cat, less and more. Here, I have displayed its contents using more.

As you can see, it contains the domains of many of the major AV software companies, but not all. If you want to add a domain, simply open this file in a text editor, add the domain and save the file. Voila! You are done.

4. Getting the Nameservers

To get the nameserver of the domain you are targeting, simply use the dig command in Linux. The syntax is simple, simply dig <domainname> ns where ns indicates that you want the nameserver. Let's try it for , www.wonderhowto.com.

kali > dig wonderhowto.com ns

As you can see in the screenshot above, this command displays the nameservers for wonderhowto.com. Let's try the same for a major information security training company, www.infosecinstitute.com.

kali > dig infosecinstitute.com ns

As you can see, we found the nameservers for www.infosecinstitute.com. Let's write down all these nameservers for use in recon-ng.

5. Set NAMESERVER and Run

Let's start by using infosecinstitute's nameserver and see whether the DNS server has any evidence of anyone in this organization using these AV software

recon-ng > set NAMESERVER 216.92.3.91

recon-ng > run

As you can see, recon-ng found each of these AV software developers products had been used by someone within that organization. Not surprising that an information security firm would have tried all the software manufacturers.

Let's try the same with wonderhowto.com.

recon-ng > set NAMESERVER 208.78.70.29

recon-ng > run

We can see that the nameserver for wonderhowto.com does not have ANY entries for the AV software on our list. This doesn't mean that wonderhowto.com is not using any AV software, but simply that it is using AV software not on the list included in recon-ng. That means that malware detected by one of these developers on our list may not be detected by the target.

Conclusion

What can we conclude from these results? Let's begin by saying that this module is not perfect, but it can useful. In the case of www.infosecinstitute.com, we can conclude that someone recently has used or updated each other AV software on our list. As for wonderhowto.com, we can conclude that no one within that organization using that nameserver has used or updated AV software on that list. That could make them vulnerable.


12,612 views
bottom of page