DNS
Nmap discovered a DNS server on port 53 of the target.
The running service is Microsoft DNS 6.1.7601 (1DB15D39)
Reverse Lookup
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ nslookup
> server 10.10.10.182
Default server: 10.10.10.182
Address: 10.10.10.182#53
> 127.0.0.1
;; communications error to 10.10.10.182#53: timed out
1.0.0.127.in-addr.arpa name = localhost.
> cascade.local
;; communications error to 10.10.10.182#53: timed out
Server: 10.10.10.182
Address: 10.10.10.182#53
Name: cascade.local
Address: 10.10.10.182
Name: cascade.local
Address: 10.10.10.183
Name: cascade.local
Address: dead:beef::8a8:d14d:1d23:bbe2
> CASC-DC1.CASCADE.LOCAL
;; communications error to 10.10.10.182#53: timed out
Server: 10.10.10.182
Address: 10.10.10.182#53
Name: CASC-DC1.CASCADE.LOCAL
Address: 10.10.10.182
Name: CASC-DC1.CASCADE.LOCAL
Address: dead:beef::e8dc:7157:1983:a2bd
While the reverse lookup failed, nslookup discovered three additional IP addresses associated with the target host:
10.10.10.183 (unreachable)
dead:beef::8a8:d14d:1d23:bbe2 (unreachable)
dead:beef::e8dc:7157:1983:a2bd (same)
dig
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ dig any CASCADE.LOCAL @$IP
; <<>> DiG 9.18.10-2-Debian <<>> any CASCADE.LOCAL @10.10.10.182
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: FORMERR, id: 47767
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; warning: recursion requested but not available
;; opt pseudosection:
; edns: version: 0, flags:; udp: 1232
; cookie: 75aca35c2ea6afc0 (echoed)
;; question section:
;CASCADE.LOCAL. IN ANY
;; query time: 95 msec
;; server: 10.10.10.182#53(10.10.10.182) (TCP)
;; when: Mon Jun 26 03:58:53 CEST 2023
;; msg size rcvd: 54
Nothing found; the server answered the ANY query with FORMERR.
dnsenum
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ dnsenum CASCADE.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum VERSION:1.2.6
----- cascade.local -----
Host's addresses:
__________________
cascade.local. 600 IN A 10.10.10.182
cascade.local. 600 IN A 10.10.10.183
Name Servers:
______________
casc-dc1.cascade.local. 3600 IN A 10.10.10.182
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: casc-dc1.cascade.local at /usr/bin/dnsenum line 900.
Trying Zone Transfer for cascade.local on casc-dc1.cascade.local ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
gc._msdcs.cascade.local. 600 IN A 10.10.10.183
gc._msdcs.cascade.local. 600 IN A 10.10.10.182
domaindnszones.cascade.local. 600 IN A 10.10.10.183
domaindnszones.cascade.local. 600 IN A 10.10.10.182
forestdnszones.cascade.local. 600 IN A 10.10.10.183
forestdnszones.cascade.local. 600 IN A 10.10.10.182
cascade.local class C netranges:
_________________________________
Performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
cascade.local ip blocks:
_________________________
done.
dnsenum also confirms the other IPv4 address, 10.10.10.183, associated with the target host.
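As an added example (not part of the original writeup), here is a small Python parser that collects the hostname-to-address answers from the nslookup and dnsenum output above into one table, so the IPv6 answers that are unreachable from the attacking box can be tracked separately from the IPv4 ones. The sample input is constructed from the lines shown on this page; the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the two formats seen above: nslookup "Name:/Address:" pairs
# (with a Server: block and a timeout line mixed in) and dnsenum/dig-style
# "name. TTL IN A addr" resource records.
SAMPLE = """\
Server: 10.10.10.182
Address: 10.10.10.182#53
Name: cascade.local
Address: 10.10.10.182
Name: cascade.local
Address: dead:beef::8a8:d14d:1d23:bbe2
cascade.local. 600 IN A 10.10.10.183
casc-dc1.cascade.local. 3600 IN A 10.10.10.182
gc._msdcs.cascade.local. 600 IN A 10.10.10.183
;; communications error to 10.10.10.182#53: timed out
"""

RR_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")

def parse_records(text):
    """Return {hostname: set(addresses)} from mixed nslookup/dnsenum output.
    Hostnames are lowercased with the trailing dot removed; banners, errors
    and the resolver's own Server/Address block are ignored."""
    hosts = defaultdict(set)
    pending = None  # hostname from the last "Name:" line, awaiting its "Address:"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Server:"):
            pending = None  # the next Address: is the resolver, not an answer
        elif line.startswith("Name:"):
            pending = line.split(":", 1)[1].strip().rstrip(".").lower()
        elif line.startswith("Address:") and pending:
            # split only once: IPv6 addresses themselves contain ':'
            hosts[pending].add(line.split(":", 1)[1].strip())
            pending = None
        elif m := RR_RE.match(line):  # Python 3.8+
            hosts[m.group(1).lower()].add(m.group(3))
    return dict(hosts)

def by_family(hosts):
    """Bucket every discovered address by IP version so the IPv6 answers
    (unreachable from Kali here) are reported apart from the IPv4 ones."""
    out = {"v4": set(), "v6": set()}
    for addrs in hosts.values():
        for a in addrs:
            out["v4" if ipaddress.ip_address(a).version == 4 else "v6"].add(a)
    return out
```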
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ ping 10.10.10.183
PING 10.10.10.183 (10.10.10.183) 56(84) bytes of data.
From 10.10.14.1 icmp_seq=1 Destination Host Unreachable
From 10.10.14.1 icmp_seq=2 Destination Host Unreachable
From 10.10.14.1 icmp_seq=3 Destination Host Unreachable
^C
--- 10.10.10.183 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3056ms
pipe 4
It's unreachable from Kali for now.