Tunnelling SSH/SCP through intermediate host when two hosts can’t directly communicate

Posted by & filed under Linux.


We need to scp a file between two hosts, A and C, that cannot communicate directly. We can solve this with an SSH tunnel through an intermediate host, B, that can ssh to both of them. B only relays the encrypted A-to-C session, it never sees the file in clear text. The tunnel is created from B, so the ssh command on host B has to be running before the scp command on host A:


Host A (source)

This copies to localhost on port 3000, which is the near end of our tunnel to host C. username is the account on host C and /destination_file is the path on host C. The host key you are asked to accept on the first connection is host C's, and ssh records it under [localhost]:3000.

scp -P 3000 /source/file username@localhost:/destination_file

Host B (intermediate)

This opens a listener on port 3000 of host A (bound to loopback only, the default for -R) and forwards every connection to it, through B, to port 22 on host C. Mind the order of the arguments: the listening port belongs to the host you ssh to (A), and host C is the target of the forward. Swapping A and C would put the listener on C instead, and the scp above would fail to connect. Adding -N keeps the session open without starting a shell on A.

ssh -R 3000:ip.of.host.c:22 ip.of.host.a

Host C (destination)

Nothing needs to run here; sshd just has to be listening on port 22, which is where the tunnel delivers the connection from A.

Also, if you have spaces in the paths, the two sides need different treatment: the local path only needs ordinary shell quoting, but the remote path is interpreted again by a shell on host C, so there the space has to be escaped with \ inside the quotes. Copying a directory also needs -r, e.g.

scp -P 3000 -r "/source/some directory" username@localhost:"/destination/some\ directory"
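The following is an added example, not part of the original post: a small shell helper that assembles (but does not run) the two commands above, so the direction of the -R forward and the double quoting of the remote path can be checked before anything touches the network. Host names, the user and the paths are placeholders; ExitOnForwardFailure and HostKeyAlias are standard OpenSSH options added here as the checks a practitioner would want.

```shell
#!/bin/sh
# Added example (not from the original post): build, but do not execute, the
# tunnel command for host B and the scp command for host A. Host names, user
# and paths below are placeholders.

# Quote one argument for one shell. The local path passes through one shell;
# the remote half of an scp argument is expanded again by a shell on the
# destination host, so it has to survive two shells (see scp_cmd).
sh_quote() {
    # wrap in single quotes; an embedded single quote becomes '\''
    printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# Read an -R PORT:HOST:HOSTPORT specification the way ssh does: the listener is
# opened on the host you ssh TO (the remote side); each accepted connection is
# carried back over the session and delivered from this machine to HOST:HOSTPORT.
# (The optional bind_address form is not handled here.)
explain_remote_forward() {  # explain_remote_forward PORT:HOST:HOSTPORT TARGET
    printf '%s\n' "$1" | {
        IFS=: read -r port host hostport
        printf 'listener %s:%s -> via this host -> %s:%s\n' "$2" "$port" "$host" "$hostport"
    }
}

# Runs on B. Listener on A's loopback port PORT (ssh defaults to loopback unless
# GatewayPorts is enabled on A), forwarded to sshd on C.
#   -N                           no remote command, just hold the forward open
#   -f                           background once the forward is up
#   -o ExitOnForwardFailure=yes  exit non-zero instead of silently running with
#                                no tunnel when PORT on A is already in use
tunnel_cmd() {  # tunnel_cmd HOST_A HOST_C PORT
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -R %s:%s:22 %s\n' "$3" "$2" "$1"
}

# Runs on A. HostKeyAlias makes ssh verify and record C's host key under C's own
# name instead of "[localhost]:PORT", so a different tunnel port later does not
# produce a fresh "unknown host" prompt while a changed key is still caught.
scp_cmd() {  # scp_cmd LOCAL_PATH USER HOST_C REMOTE_PATH PORT
    printf 'scp -P %s -o HostKeyAlias=%s %s %s@localhost:%s\n' \
        "$5" "$3" "$(sh_quote "$1")" "$2" "$(sh_quote "$(sh_quote "$4")")"
}

# Demo with placeholder names, printed in the order the commands must run.
echo "# on B first:"
tunnel_cmd ip.of.host.a ip.of.host.c 3000
explain_remote_forward 3000:ip.of.host.c:22 ip.of.host.a
echo "# then on A:"
scp_cmd "/source/some directory/file" username ip.of.host.c "/destination/some directory/file" 3000
```

The printed scp line looks odd because the remote path is quoted twice: the shell on A strips the outer layer, and the inner single quotes arrive intact at the shell on C, which is what keeps a path with spaces (or a stray `$`) from being mangled there.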


Enumerating a DNS zone by brute force

Posted by & filed under Linux, Server Admin.

Sometimes a situation pops up where I need to retrieve the contents of a DNS zone but do not have access to the DNS servers. This is typically a situation where a client's IT person is no longer available and, before moving the name servers, we need to recreate the DNS zone on our name servers. If the current host of the DNS zone cannot release the records, there are two options.

1. Try a zone transfer (AXFR). I previously wrote about this. It rarely works, because it needs a poorly configured server that allows transfers to anyone, but when it does it gives the complete and exact zone. The server after @ has to be one of the domain's authoritative name servers (dig -t NS domain.name.to.dump.com lists them).

dig -t AXFR @dns.server.domains.is.on.com domain.name.to.dump.com

2. Brute force the zone. It sounds bad, but the reality is that most sysadmins do not log or throttle DNS requests, so with a decent dictionary of hostnames it is possible to recover a large majority of the zone. Two limits to keep in mind: anything with a name not in the dictionary is missed, and if the zone has a wildcard record every guess will appear to exist, so query a random label first and discard hits that return the same answer. I have mirrored the zip file containing bfdomain and the dictionaries here. (original source)

python bfdomain.py domain-to-test.com dictionaries/hostnames-lite.txt
[*]-Using dictionairy: dictionaries/hostnames-lite.txt (Loaded 1399 words)
 |-mail (line: 690) ==> ('mail.domain-to-test.com', [], [''])
 |-webmail (line: 1294) ==> ('webmail.domain-to-test.com', [], [''])
 |-welcome (line: 1311) ==> ('welcome.domain-to-test.com', [], [''])
 |-www (line: 1362) ==> ('domain-to-test.com', ['www.domain-to-test.com'], [''])
[*]-Total assets found: 4

UPDATE: One other thing I noticed later on is that this only seems to look up A records, so things like the MX records would never be tried. The Python script could easily be modified to add this. Also, the nmap version of this (the dns-brute NSE script) may already do it.
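As an added example (not the bfdomain script from the post), here is a small dictionary enumerator that addresses the two gaps noted above: it probes for a wildcard record before trusting any hit, and it asks for MX/NS/TXT at the zone apex and CNAME for each label rather than A records alone. The resolver is passed in as a function so the logic runs offline against a constructed fake zone; the real resolver included uses only the standard library, which covers A/AAAA, and the comment names dnspython's dns.resolver.resolve as the kind of call you would plug in for the other types (it is not assumed to be installed). The domain, addresses and records in the fake zone are made up.

```python
"""Added example, not the post's bfdomain script: wordlist-based DNS
enumeration with wildcard filtering and record types beyond A.
The resolver is injected so the logic can be exercised offline."""
import random
import socket
import string

# Record types asked for at the zone apex (bfdomain never asks for MX,
# per the post's update) and for each wordlist label.
APEX_TYPES = ("A", "AAAA", "MX", "NS", "TXT")
LABEL_TYPES = ("A", "AAAA", "CNAME")


def stdlib_resolve(name, rtype):
    """Standard-library resolver: A/AAAA via getaddrinfo, sorted answer
    strings, [] when the name does not exist. Other types need a DNS library
    (e.g. dnspython: dns.resolver.resolve(name, rtype)), not assumed here."""
    family = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}.get(rtype)
    if family is None:
        return []
    try:
        infos = socket.getaddrinfo(name, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def random_label(n=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(n))


def detect_wildcard(domain, resolve, rtypes=("A", "AAAA")):
    """Query a label no wordlist will contain. Whatever it returns is the
    wildcard answer; later hits that return exactly that are not real hosts."""
    probe = f"{random_label()}.{domain}"
    wild = {}
    for rtype in rtypes:
        answers = resolve(probe, rtype)
        if answers:
            wild[rtype] = tuple(answers)
    return wild


def enumerate_zone(domain, words, resolve=stdlib_resolve):
    """Return {name: {rtype: [answers]}} for the apex and every wordlist label
    that resolves, minus wildcard noise. `words` is any iterable of labels
    (one per line in the post's dictionaries); blanks and duplicates are skipped."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    apex = {t: resolve(domain, t) for t in APEX_TYPES}
    apex = {t: a for t, a in apex.items() if a}
    if apex:
        found[domain] = apex
    seen = set()
    for word in words:
        label = word.strip().lower().rstrip(".")
        if not label or label in seen:
            continue
        seen.add(label)
        name = f"{label}.{domain}"
        records = {}
        for rtype in LABEL_TYPES:
            answers = resolve(name, rtype)
            # A host that genuinely shares the wildcard's address is dropped
            # too; that is the price of filtering wildcard noise.
            if answers and tuple(answers) != wildcard.get(rtype):
                records[rtype] = answers
        if records:
            found[name] = records
    return found


# Constructed fake zone (made-up names and addresses) standing in for the
# network: one real apex, two real hosts, and a wildcard A record that makes
# every other label "exist", which is exactly what trips a naive brute-forcer.
FAKE_ZONE = {
    ("example.test", "A"): ["192.0.2.1"],
    ("example.test", "MX"): ["10 mail.example.test."],
    ("example.test", "NS"): ["ns1.example.test."],
    ("mail.example.test", "A"): ["192.0.2.10"],
    ("www.example.test", "A"): ["192.0.2.1"],
    ("www.example.test", "CNAME"): ["example.test."],
}
WILDCARD_A = ["192.0.2.99"]


def fake_resolve(name, rtype):
    if (name, rtype) in FAKE_ZONE:
        return list(FAKE_ZONE[(name, rtype)])
    if rtype == "A" and name.endswith(".example.test"):
        return list(WILDCARD_A)  # *.example.test
    return []


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python enum.py domain wordlist.txt (live lookups)
        with open(sys.argv[2]) as fh:
            results = enumerate_zone(sys.argv[1], fh)
    else:  # offline demo against the fake zone
        results = enumerate_zone("example.test", ["mail", "www", "welcome"],
                                 resolve=fake_resolve)
    for name in sorted(results):
        for rtype, answers in sorted(results[name].items()):
            print(f"{name:40} {rtype:6} {', '.join(answers)}")
```

Run without arguments it shows the point of the wildcard probe: "welcome" resolves, but to the wildcard address, so it is dropped, while "mail" and "www" (and the apex MX/NS) are reported. With a domain and a wordlist it performs live A/AAAA lookups only; swap in a fuller resolver for the other types.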

More dictionaries and wordlists: