DNS


Nmap discovered a DNS server running on the target's port 53. It is Microsoft DNS 6.1.7601.

One of the scripts that Nmap ran during the initial scan of the LDAP service returned domain information.

I appended the domain information to the /etc/hosts file on Kali for local DNS resolution.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ nslookup            
> server 10.10.10.100
Default server: 10.10.10.100
Address: 10.10.10.100#53
> 127.0.0.1
;; communications error to 10.10.10.100#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> 10.10.10.100
;; communications error to 10.10.10.100#53: timed out
;; communications error to 10.10.10.100#53: timed out
;; communications error to 10.10.10.100#53: timed out
;; no servers could be reached
 
> active.htb
Server:		10.10.10.100
Address:	10.10.10.100#53
 
Name:	active.htb
Address: 10.10.10.100

There is nothing to enumerate through reverse lookup.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ dnsenum ACTIVE.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt  
dnsenum VERSION:1.2.6
 
-----   active.htb   -----
 
 
Host's addresses:
__________________
 
active.htb.                              600      IN    A        10.10.10.100
 
 
Name Servers:
______________
 
dc.active.htb.                           3600     IN    A        10.10.10.100
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc.active.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for active.htb on dc.active.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
dc.active.htb.                           3600     IN    A        10.10.10.100
gc._msdcs.active.htb.                    600      IN    A        10.10.10.100
domaindnszones.active.htb.               600      IN    A        10.10.10.100
forestdnszones.active.htb.               600      IN    A        10.10.10.100
 
 
active.htb class C netranges:
______________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
active.htb ip blocks:
______________________
 
 
done.

dnsenum found the hostname; the FQDN is DC.ACTIVE.HTB.

I appended it to the /etc/hosts file on Kali for local DNS resolution.

Other than that, it doesn't seem like there is any other DNS zone or sub-domain in this domain.
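To turn the dnsenum records above into /etc/hosts lines without retyping them, and to record what actually happened in the zone-transfer section, here is an added example (not part of the original writeup or of dnsenum); the sample input is constructed from the output shown above and the classification strings are my own:

```python
import re
from collections import OrderedDict

# Constructed sample: the record and AXFR lines copied from the dnsenum run above.
DNSENUM_OUTPUT = """\
dnsenum VERSION:1.2.6
Host's addresses:
active.htb.                              600      IN    A        10.10.10.100
Name Servers:
dc.active.htb.                           3600     IN    A        10.10.10.100
Trying Zone Transfers and getting Bind Versions:
unresolvable name: dc.active.htb at /usr/bin/dnsenum line 900.
Trying Zone Transfer for active.htb on dc.active.htb ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
dc.active.htb.                           3600     IN    A        10.10.10.100
gc._msdcs.active.htb.                    600      IN    A        10.10.10.100
domaindnszones.active.htb.               600      IN    A        10.10.10.100
forestdnszones.active.htb.               600      IN    A        10.10.10.100
"""

# One dnsenum A record line: owner name with trailing dot, TTL, class IN, type A, IPv4.
A_RECORD = re.compile(
    r"^(?P<name>[A-Za-z0-9._-]+)\.\s+\d+\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_a_records(output):
    """Return an ordered {ip: [names]} map of the A records, deduplicated and lowercased."""
    hosts = OrderedDict()
    for line in output.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue
        names = hosts.setdefault(m.group("ip"), [])
        name = m.group("name").lower()
        if name not in names:
            names.append(name)
    return hosts

def hosts_file_lines(output):
    """One /etc/hosts line per IP; shortest names (the bare domain) listed first."""
    return [
        f"{ip} {' '.join(sorted(names, key=lambda n: (n.count('.'), n)))}"
        for ip, names in parse_a_records(output).items()
    ]

def axfr_status(output):
    """'unresolved' if dnsenum never reached the server, 'failed' if the query ran and
    failed, otherwise 'not_attempted' (hypothetical labels, not dnsenum's own)."""
    if "unresolvable name:" in output:
        return "unresolved"
    if "AXFR record query failed" in output:
        return "failed"
    return "not_attempted"

if __name__ == "__main__":
    print("\n".join(hosts_file_lines(DNSENUM_OUTPUT)))
    print("zone transfer:", axfr_status(DNSENUM_OUTPUT))
```

In the run above the AXFR attempt never reached the server, because dc.active.htb was not yet resolvable on Kali when dnsenum tried it, so the "no nameservers" result says nothing about whether the server permits zone transfers until it is retried with the hosts entry in place.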