DNS
Nmap discovered a DNS server on port 53 of the target.
The running service is Simple DNS Plus.
nslookup
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ nslookup
> server 10.10.10.192
Default server: 10.10.10.192
Address: 10.10.10.192#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> dc01.blackfield.local
Server: 10.10.10.192
Address: 10.10.10.192#53
Name: dc01.blackfield.local
Address: 10.10.10.192
Name: dc01.blackfield.local
Address: dead:beef::119
Name: dc01.blackfield.local
Address: dead:beef::2870:d540:af59:9698
> blackfield.local
Server: 10.10.10.192
Address: 10.10.10.192#53
Name: blackfield.local
Address: 10.10.10.192
Name: blackfield.local
Address: dead:beef::119
Name: blackfield.local
Address: dead:beef::2870:d540:af59:9698
The reverse lookup technique returned 2 AAAA records:
dead:beef::119
dead:beef::2870:d540:af59:9698
AAAA (IPv6)
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ rustscan -a dead:beef::119,dead:beef::2870:d540:af59:9698 -b 25000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] looks like i didn't find any open ports for dead:beef::119. This is usually caused by a high batch size.
*I used 10000 batch size, consider lowering it with 'rustscan -b <batch_size> -a <ip address>' or a comfortable number for your system.
[!] looks like i didn't find any open ports for dead:beef::2870:d540:af59:9698. This is usually caused by a high batch size.
*I used 10000 batch size, consider lowering it with 'rustscan -b <batch_size> -a <ip address>' or a comfortable number for your system.
RustScan returned no open ports on either IPv6 address.
dig
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ dig any BLACKFIELD.LOCAL @$IP
; <<>> DiG 9.19.17-1-Debian <<>> any BLACKFIELD.LOCAL @10.10.10.192
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3450
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;BLACKFIELD.LOCAL. IN ANY
;; ANSWER SECTION:
BLACKFIELD.LOCAL. 600 IN A 10.10.10.192
BLACKFIELD.LOCAL. 3600 IN NS dc01.BLACKFIELD.LOCAL.
BLACKFIELD.LOCAL. 3600 IN SOA dc01.BLACKFIELD.LOCAL. hostmaster.BLACKFIELD.LOCAL. 159 900 600 86400 3600
BLACKFIELD.LOCAL. 600 IN AAAA dead:beef::2870:d540:af59:9698
BLACKFIELD.LOCAL. 600 IN AAAA dead:beef::119
;; ADDITIONAL SECTION:
dc01.BLACKFIELD.LOCAL. 3600 IN A 10.10.10.192
dc01.BLACKFIELD.LOCAL. 3600 IN AAAA dead:beef::2870:d540:af59:9698
dc01.BLACKFIELD.LOCAL. 3600 IN AAAA dead:beef::119
;; Query time: 27 msec
;; SERVER: 10.10.10.192#53(10.10.10.192) (TCP)
;; WHEN: Wed Dec 20 22:35:02 CET 2023
;; MSG SIZE rcvd: 255
dig did not find any additional domain information.
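The dig answer above shows the domain controller publishing AAAA records next to its A record, so the host is dual-stacked and its IPv6 filtering needs the same review as its IPv4 filtering. The following is an added example, not part of the original notes: it parses dig record lines and lists every name that publishes both address families. The sample lines are copied from the output above; the function names `parse_address_records` and `dual_stack_names` are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Sample input: answer/additional lines copied from the dig output above.
SAMPLE = """\
;; ANSWER SECTION:
BLACKFIELD.LOCAL. 600 IN A 10.10.10.192
BLACKFIELD.LOCAL. 3600 IN NS dc01.BLACKFIELD.LOCAL.
BLACKFIELD.LOCAL. 3600 IN SOA dc01.BLACKFIELD.LOCAL. hostmaster.BLACKFIELD.LOCAL. 159 900 600 86400 3600
BLACKFIELD.LOCAL. 600 IN AAAA dead:beef::2870:d540:af59:9698
BLACKFIELD.LOCAL. 600 IN AAAA dead:beef::119
;; ADDITIONAL SECTION:
dc01.BLACKFIELD.LOCAL. 3600 IN A 10.10.10.192
dc01.BLACKFIELD.LOCAL. 3600 IN AAAA dead:beef::2870:d540:af59:9698
dc01.BLACKFIELD.LOCAL. 3600 IN AAAA dead:beef::119
"""

def parse_address_records(dig_text):
    """Return {owner: {"A": set(), "AAAA": set()}} from dig record lines."""
    records = defaultdict(lambda: {"A": set(), "AAAA": set()})
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # comments, headers, question section
            continue
        fields = line.split()
        # Record lines have the form: owner TTL class type rdata...
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner = fields[0].rstrip(".").lower()  # DNS names are case-insensitive
        rtype, rdata = fields[3].upper(), fields[4]
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata, skip the line
        # Keep the record only if the address family matches the record type.
        if (rtype == "A") == (addr.version == 4):
            records[owner][rtype].add(str(addr))
    return dict(records)

def dual_stack_names(records):
    """Names that publish both an IPv4 and an IPv6 address."""
    return sorted(n for n, r in records.items() if r["A"] and r["AAAA"])

if __name__ == "__main__":
    recs = parse_address_records(SAMPLE)
    for name in dual_stack_names(recs):
        print(name, sorted(recs[name]["A"]), sorted(recs[name]["AAAA"]))
```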
dnsenum
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ dnsenum BLACKFIELD.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum version:1.2.6
----- blackfield.local -----
host's addresses:
__________________
blackfield.local. 600 IN A 10.10.10.192
name servers:
______________
dc01.blackfield.local. 3600 IN A 10.10.10.192
mail (mx) servers:
___________________
trying zone transfers and getting bind versions:
_________________________________________________
unresolvable name: dc01.blackfield.local at /usr/bin/dnsenum line 900.
Trying Zone Transfer for blackfield.local on dc01.blackfield.local ...
axfr record query failed: no nameservers
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
gc._msdcs.blackfield.local. 600 IN A 10.10.10.192
domaindnszones.blackfield.local. 600 IN A 10.10.10.192
forestdnszones.blackfield.local. 600 IN A 10.10.10.192
blackfield.local class c netranges:
____________________________________
performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
blackfield.local ip blocks:
____________________________
done.
Nothing of note was found.