DNS


Nmap discovered a DNS server on the target, UDP port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ nslookup           
> server 10.10.11.205
Default server: 10.10.11.205
Address: 10.10.11.205#53

Pointing nslookup at the target's DNS server (10.10.11.205) so that every query that follows goes straight to it instead of to the system resolver

Checking


> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.

127.0.0.1 is indeed localhost

Web host


> icinga.cerberus.local
Server:		10.10.11.205
Address:	10.10.11.205#53
 
** server can't find icinga.cerberus.local: NXDOMAIN

Sending a DNS query for the web server host discovered earlier, icinga.cerberus.local. The response, marked "NXDOMAIN", means the server authoritative for cerberus.local has no record for that name at all. This indicates that icinga.cerberus.local is most likely just a virtual host name used to route requests to a web application (and resolved locally via the hosts file), rather than a domain-joined system host with its own DNS entry.

Domain


> CERBERUS.LOCAL
Server:		10.10.11.205
Address:	10.10.11.205#53
 
Name:	CERBERUS.LOCAL
Address: 10.10.11.205
Name:	CERBERUS.LOCAL
Address: 172.16.22.1
Name:	CERBERUS.LOCAL
Address: dead:beef::138
Name:	CERBERUS.LOCAL
Address: dead:beef::c349:4d0f:4db0:880

Querying the suspected domain name itself, CERBERUS.LOCAL, returns several addresses. Besides the lab address 10.10.11.205 there is a second IPv4 address, 172.16.22.1, from the private 172.16.0.0/12 range, which is not routable from the current subnet. Ranges like this are commonly handed out by virtualization and container networks (Hyper-V, Docker, etc.), so a second, internal interface on the host is a plausible explanation for the Apache web server for Ubuntu that was seen on a host that otherwise looks like a Windows domain controller.

> dc.cerberus.local
Server:		10.10.11.205
Address:	10.10.11.205#53
 
Name:	dc.cerberus.local
Address: 172.16.22.1
Name:	dc.cerberus.local
Address: 10.10.11.205
Name:	dc.cerberus.local
Address: dead:beef::138
Name:	dc.cerberus.local
Address: dead:beef::c349:4d0f:4db0:880

Aha! There is the DC host: dc.cerberus.local

The /etc/hosts file on Kali has been updated for record keeping: the "internal" address 172.16.22.1 cannot be reached from the current subnet, and 10.10.11.205 now maps to both the discovered web host and dc.cerberus.local.

Additionally, two IPv6 addresses have been identified, associated with both CERBERUS.LOCAL and dc.cerberus.local:

  • dead:beef::138
  • dead:beef::c349:4d0f:4db0:880

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ rustscan -a dead:beef::138 dead:beef::c349:4d0f:4db0:880 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
 
[!] Looks like I didn't find any open ports for dead:beef::138. This is usually caused by a high batch size.
[!] Looks like I didn't find any open ports for dead:beef::c349:4d0f:4db0:880. This is usually caused by a high batch size.
 
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ nmap -Pn -6 dead:beef::138 dead:beef::c349:4d0f:4db0:880
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-17 08:54 CET
Nmap scan report for dead:beef::138
Host is up.
All 1000 scanned ports on dead:beef::138 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
 
Nmap scan report for dead:beef::c349:4d0f:4db0:880
Host is up.
All 1000 scanned ports on dead:beef::c349:4d0f:4db0:880 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
 
Nmap done: 2 IP addresses (2 hosts up) scanned in 401.68 seconds

No open ports were found on the two IPv6 addresses. Note that -Pn was used, so nmap reported both hosts as "up" without any evidence of it; every port simply timed out ("filtered (no-response)"), which is exactly what you see when the attack box has no usable IPv6 route to dead:beef::/64. It does not necessarily mean a firewall is dropping the traffic.

dig


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ dig a CERBERUS.LOCAL @$IP 
 
; <<>> DiG 9.19.17-2~kali1-Kali <<>> a CERBERUS.LOCAL @10.10.11.205
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 37914
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;CERBERUS.LOCAL.			IN	A
 
;; answer section:
CERBERUS.LOCAL.		600	IN	A	172.16.22.1
CERBERUS.LOCAL.		600	IN	A	10.10.11.205
 
;; query time: 23 msec
;; server: 10.10.11.205#53(10.10.11.205) (UDP)
;; when: Wed Jan 17 09:52:40 CET 2024
;; msg size  rcvd: 75
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ dig aaaa CERBERUS.LOCAL @$IP
 
; <<>> DiG 9.19.17-2~kali1-Kali <<>> aaaa CERBERUS.LOCAL @10.10.11.205
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 26152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;CERBERUS.LOCAL.			IN	AAAA
 
;; answer section:
CERBERUS.LOCAL.		600	IN	AAAA	dead:beef::c349:4d0f:4db0:880
CERBERUS.LOCAL.		600	IN	AAAA	dead:beef::138
 
;; query time: 28 msec
;; server: 10.10.11.205#53(10.10.11.205) (UDP)
;; when: Wed Jan 17 09:52:44 CET 2024
;; msg size  rcvd: 99
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ dig txt CERBERUS.LOCAL @$IP 
 
; <<>> DiG 9.19.17-2~kali1-Kali <<>> txt CERBERUS.LOCAL @10.10.11.205
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 33672
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;CERBERUS.LOCAL.			IN	TXT
 
;; authority section:
CERBERUS.LOCAL.		3600	IN	SOA	dc.CERBERUS.LOCAL. hostmaster.CERBERUS.LOCAL. 502 900 600 86400 3600
 
;; query time: 28 msec
;; server: 10.10.11.205#53(10.10.11.205) (UDP)
;; when: Wed Jan 17 09:52:52 CET 2024
;; msg size  rcvd: 93
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ dig mx CERBERUS.LOCAL @$IP
 
; <<>> DiG 9.19.17-2~kali1-Kali <<>> mx CERBERUS.LOCAL @10.10.11.205
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 8991
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;CERBERUS.LOCAL.			IN	MX
 
;; authority section:
CERBERUS.LOCAL.		3600	IN	SOA	dc.CERBERUS.LOCAL. hostmaster.CERBERUS.LOCAL. 502 900 600 86400 3600
 
;; query time: 24 msec
;; server: 10.10.11.205#53(10.10.11.205) (UDP)
;; when: Wed Jan 17 09:53:04 CET 2024
;; msg size  rcvd: 93
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ dig ns CERBERUS.LOCAL @$IP
 
; <<>> DiG 9.19.17-2~kali1-Kali <<>> ns CERBERUS.LOCAL @10.10.11.205
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 16292
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 5
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;CERBERUS.LOCAL.			IN	NS
 
;; answer section:
CERBERUS.LOCAL.		3600	IN	NS	dc.CERBERUS.LOCAL.
 
;; additional section:
dc.CERBERUS.LOCAL.	3600	IN	A	172.16.22.1
dc.CERBERUS.LOCAL.	3600	IN	A	10.10.11.205
dc.CERBERUS.LOCAL.	3600	IN	AAAA	dead:beef::138
dc.CERBERUS.LOCAL.	3600	IN	AAAA	dead:beef::c349:4d0f:4db0:880
 
;; query time: 28 msec
;; server: 10.10.11.205#53(10.10.11.205) (UDP)
;; when: Wed Jan 17 09:53:06 CET 2024
;; msg size  rcvd: 148

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ dnsenum CERBERUS.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16      
dnsenum VERSION:1.2.6
 
-----   cerberus.local   -----
 
 
Host's addresses:
__________________
 
cerberus.local.                          600      IN    A        10.10.11.205
cerberus.local.                          600      IN    A        172.16.22.1
 
 
Name Servers:
______________
 
dc.cerberus.local.                       3600     IN    A        172.16.22.1
dc.cerberus.local.                       3600     IN    A        10.10.11.205
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc.cerberus.local at /usr/bin/dnsenum line 900 thread 1.
 
Trying Zone Transfer for cerberus.local on dc.cerberus.local ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
dc.cerberus.local.                       3600     IN    A        10.10.11.205
dc.cerberus.local.                       3600     IN    A        172.16.22.1
gc._msdcs.cerberus.local.                600      IN    A        10.10.11.205
gc._msdcs.cerberus.local.                600      IN    A        172.16.22.1
domaindnszones.cerberus.local.           600      IN    A        10.10.11.205
domaindnszones.cerberus.local.           600      IN    A        172.16.22.1
forestdnszones.cerberus.local.           600      IN    A        10.10.11.205
forestdnszones.cerberus.local.           600      IN    A        172.16.22.1
 
 
cerberus.local class C netranges:
__________________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
cerberus.local ip blocks:
__________________________
 
 
done.

dnsrecon


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ dnsrecon -d CERBERUS.LOCAL -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16                  
[*] std: Performing General Enumeration against: CERBERUS.LOCAL...
[-] DNSSEC is not configured for CERBERUS.LOCAL
[*] 	 SOA dc.CERBERUS.LOCAL 10.10.11.205
[*] 	 SOA dc.CERBERUS.LOCAL 172.16.22.1
[*] 	 SOA dc.CERBERUS.LOCAL dead:beef::138
[*] 	 SOA dc.CERBERUS.LOCAL dead:beef::c349:4d0f:4db0:880
[*] 	 NS dc.CERBERUS.LOCAL 10.10.11.205
[*] 	 NS dc.CERBERUS.LOCAL 172.16.22.1
[*] 	 NS dc.CERBERUS.LOCAL dead:beef::138
[-] 	 Recursion enabled on NS Server dead:beef::138
[*] 	 NS dc.CERBERUS.LOCAL dead:beef::c349:4d0f:4db0:880
[*] 	 A CERBERUS.LOCAL 172.16.22.1
[*] 	 A CERBERUS.LOCAL 10.10.11.205
[*] 	 AAAA CERBERUS.LOCAL dead:beef::138
[*] 	 AAAA CERBERUS.LOCAL dead:beef::c349:4d0f:4db0:880
[*] Enumerating SRV Records
[+] 	 SRV _gc._tcp.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 3268
[+] 	 SRV _gc._tcp.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 3268
[+] 	 SRV _gc._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 3268
[+] 	 SRV _gc._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 3268
[+] 	 SRV _kerberos._udp.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 88
[+] 	 SRV _kerberos._udp.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 88
[+] 	 SRV _kerberos._udp.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 88
[+] 	 SRV _kerberos._udp.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 88
[+] 	 SRV _ldap._tcp.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 389
[+] 	 SRV _ldap._tcp.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 389
[+] 	 SRV _ldap._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 389
[+] 	 SRV _ldap._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 389
[+] 	 SRV _kerberos._tcp.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 88
[+] 	 SRV _kerberos._tcp.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 88
[+] 	 SRV _kerberos._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 88
[+] 	 SRV _kerberos._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 88
[+] 	 SRV _ldap._tcp.ForestDNSZones.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 389
[+] 	 SRV _ldap._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 389
[+] 	 SRV _ldap._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 389
[+] 	 SRV _ldap._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 389
[+] 	 SRV _ldap._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 389
[+] 	 SRV _kerberos._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 88
[+] 	 SRV _ldap._tcp.gc._msdcs.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 3268
[+] 	 SRV _kpasswd._udp.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 464
[+] 	 SRV _kpasswd._udp.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 464
[+] 	 SRV _kpasswd._udp.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 464
[+] 	 SRV _kpasswd._udp.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 464
[+] 	 SRV _kpasswd._tcp.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 464
[+] 	 SRV _kpasswd._tcp.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 464
[+] 	 SRV _kpasswd._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 464
[+] 	 SRV _kpasswd._tcp.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 464
[+] 	 SRV _ldap._tcp.pdc._msdcs.CERBERUS.LOCAL dc.cerberus.local 172.16.22.1 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.CERBERUS.LOCAL dc.cerberus.local 10.10.11.205 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::138 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.CERBERUS.LOCAL dc.cerberus.local dead:beef::c349:4d0f:4db0:880 389
[+] 44 Records Found
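The SRV records above are what lets DNS alone confirm the role of dc.cerberus.local before LDAP or Kerberos is touched: the _msdcs names are the ones Windows publishes for domain controllers, pdc._msdcs marks the PDC emulator, gc._msdcs the global catalog on 3268, and _kerberos/_kpasswd the KDC and password-change service. The Python script below is an added example and is not part of the original writeup or of any of the tools shown. It parses dig-style answer lines into a per-host role map and also builds the in-addr.arpa/ip6.arpa names needed to reverse-query every address found, including the nibble-reversed form for the IPv6 addresses. The sample records are constructed from the output above (the SRV priority and weight values "0 100" are assumed, since dnsrecon does not print them), and the ROLE_BY_SRV_PREFIX table is the script's own interpretation of the Microsoft naming layout.

```python
"""Added example: turn collected A/AAAA/SRV answers into an AD role map
plus the reverse-lookup names to query next. Not part of the original page."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in dig answer-section format (owner ttl class type rdata),
# assembled from the dig/dnsrecon output in the writeup. SRV rdata is
# "priority weight port target"; the 0/100 priority and weight are assumed.
SAMPLE_RECORDS = """
CERBERUS.LOCAL.                       600  IN A    10.10.11.205
CERBERUS.LOCAL.                       600  IN A    172.16.22.1
cerberus.local.                       600  in aaaa dead:beef::138
dc.CERBERUS.LOCAL.                   3600  IN A    10.10.11.205
_ldap._tcp.dc._msdcs.CERBERUS.LOCAL.  600  IN SRV  0 100 389 dc.cerberus.local.
_ldap._tcp.pdc._msdcs.CERBERUS.LOCAL. 600  IN SRV  0 100 389 dc.cerberus.local.
_ldap._tcp.gc._msdcs.CERBERUS.LOCAL.  600  IN SRV  0 100 3268 dc.cerberus.local.
_kerberos._tcp.CERBERUS.LOCAL.        600  IN SRV  0 100 88 dc.cerberus.local.
_kpasswd._tcp.CERBERUS.LOCAL.         600  IN SRV  0 100 464 dc.cerberus.local.
"""

# AD publishes its roles as SRV owner-name prefixes (Microsoft's _msdcs layout).
# This table is the script's own mapping, not something dig or dnsrecon prints.
ROLE_BY_SRV_PREFIX = {
    "_ldap._tcp.pdc._msdcs": "PDC emulator",
    "_ldap._tcp.gc._msdcs": "Global Catalog (LDAP 3268)",
    "_ldap._tcp.dc._msdcs": "Domain controller (LDAP)",
    "_kerberos._tcp": "Kerberos KDC",
    "_kpasswd._tcp": "Kerberos password change",
}

# Case-insensitive on purpose: some captures lowercase "in aaaa" lines.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|SRV)\s+(.+)$", re.IGNORECASE)


def parse_records(text):
    """Return (owner, rtype, rdata_fields) for each dig-style line; skip junk."""
    out = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            out.append((owner.rstrip(".").lower(), rtype.upper(), rdata.split()))
    return out


def dc_roles(records):
    """Map each SRV target host to the set of (role, port) it advertises."""
    roles = defaultdict(set)
    # Longest prefix first so a more specific _msdcs name wins over a generic one.
    prefixes = sorted(ROLE_BY_SRV_PREFIX.items(), key=lambda kv: -len(kv[0]))
    for owner, rtype, rdata in records:
        if rtype != "SRV" or len(rdata) != 4:
            continue
        port = int(rdata[2])
        target = rdata[3].rstrip(".").lower()
        role = next((r for p, r in prefixes if owner.startswith(p + ".")),
                    f"unmapped {owner}")
        roles[target].add((role, port))
    return dict(roles)


def reverse_names(records):
    """PTR owner names (in-addr.arpa / ip6.arpa) for every A/AAAA address seen."""
    names = {}
    for _owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata[0])
            names[str(addr)] = addr.reverse_pointer  # nibble-reversed for IPv6
    return names


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for host, rs in dc_roles(recs).items():
        print(host)
        for role, port in sorted(rs, key=lambda x: x[1]):
            print(f"  {port:>5}  {role}")
    for ip, ptr in reverse_names(recs).items():
        print(f"{ip:<35} -> {ptr}")
```

Running it prints dc.cerberus.local with its PDC emulator, global catalog, LDAP, KDC and kpasswd ports, then the PTR names for each address; the ip6.arpa name for dead:beef::138 is the owner name a reverse query for that IPv6 address would have to ask for. Separately, note that dnsenum's zone-transfer attempt earlier failed with "no nameservers" because dnsenum could not resolve dc.cerberus.local through Kali's own resolver, so that line does not show that AXFR is refused; a direct AXFR request sent to 10.10.11.205 would be needed to settle it.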