DNS


Nmap discovered a DNS server on the target port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ nslookup
> server 10.129.41.192
Default server: 10.129.41.192
Address: 10.129.41.192#53
> 127.0.0.1
1.0.0.127.in-addr.arpa  name = localhost.
> cicada-dc.cicada.htb
Server:         10.129.41.192
Address:        10.129.41.192#53
 
Name:   cicada-dc.cicada.htb
Address: 10.129.41.192
Name:   cicada-dc.cicada.htb
Address: dead:beef::29
Name:   cicada-dc.cicada.htb
Address: dead:beef::46c0:3971:5ebf:3844
> CICADA.HTB
Server:         10.129.41.192
Address:        10.129.41.192#53
 
Name:   CICADA.HTB
Address: 10.129.41.192
Name:   CICADA.HTB
Address: dead:beef::29
Name:   CICADA.HTB
Address: dead:beef::46c0:3971:5ebf:3844

nslookup found 2 additional IPv6 addresses:

  • dead:beef::29
  • dead:beef::46c0:3971:5ebf:3844

dig


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ dig any CICADA.HTB @$IP
 
; <<>> DiG 9.20.1-1-Debian <<>> any CICADA.HTB @10.129.41.192
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6481
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;CICADA.HTB.                    IN      ANY
 
;; ANSWER SECTION:
CICADA.HTB.             600     IN      A       10.129.41.192
CICADA.HTB.             3600    IN      NS      cicada-dc.CICADA.HTB.
CICADA.HTB.             3600    IN      SOA     cicada-dc.CICADA.HTB. hostmaster.CICADA.HTB. 415 900 600 86400 3600
CICADA.HTB.             600     IN      AAAA    dead:beef::46c0:3971:5ebf:3844
CICADA.HTB.             600     IN      AAAA    dead:beef::29
 
;; ADDITIONAL SECTION:
cicada-dc.CICADA.HTB.   3600    IN      A       10.129.41.192
cicada-dc.CICADA.HTB.   3600    IN      AAAA    dead:beef::46c0:3971:5ebf:3844
cicada-dc.CICADA.HTB.   3600    IN      AAAA    dead:beef::29
 
;; Query time: 40 msec
;; SERVER: 10.129.41.192#53(10.129.41.192) (TCP)
;; WHEN: Sat Sep 28 21:25:36 CEST 2024
;; MSG SIZE  rcvd: 254

dig found 2 AAAA records associated with the 2 IPv6 addresses found earlier.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ dnsenum CICADA.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
 
-----   cicada.htb   -----
 
 
Host's addresses:
__________________
 
cicada.htb.                              600      IN    A        10.129.41.192
 
 
Name Servers:
______________
 
cicada-dc.cicada.htb.                    3600     IN    A        10.129.41.192
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: cicada-dc.cicada.htb at /usr/bin/dnsenum line 892 thread 1.
 
Trying Zone Transfer for cicada.htb on cicada-dc.cicada.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
gc._msdcs.cicada.htb.                    600      IN    A        10.129.41.192
domaindnszones.cicada.htb.               600      IN    A        10.129.41.192
forestdnszones.cicada.htb.               600      IN    A        10.129.41.192
 
 
cicada.htb class C netranges:
______________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
cicada.htb ip blocks:
______________________
 
 
done.

N/A

dnsrecon


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ dnsrecon -d CICADA.HTB -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16  
[*] std: Performing General Enumeration against: CICADA.HTB...
[-] DNSSEC is not configured for CICADA.HTB
[*] 	 SOA cicada-dc.CICADA.HTB 10.129.41.192
[*] 	 SOA cicada-dc.CICADA.HTB dead:beef::46c0:3971:5ebf:3844
[*] 	 SOA cicada-dc.CICADA.HTB dead:beef::29
[*] 	 NS cicada-dc.CICADA.HTB 10.129.41.192
[*] 	 NS cicada-dc.CICADA.HTB dead:beef::46c0:3971:5ebf:3844
[*] 	 NS cicada-dc.CICADA.HTB dead:beef::29
[*] 	 A CICADA.HTB 10.129.41.192
[*] 	 AAAA CICADA.HTB dead:beef::46c0:3971:5ebf:3844
[*] 	 AAAA CICADA.HTB dead:beef::29
[*] Enumerating SRV Records
[+] 	 SRV _kerberos._tcp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 88
[+] 	 SRV _kerberos._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 88
[+] 	 SRV _kerberos._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 88
[+] 	 SRV _gc._tcp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 3268
[+] 	 SRV _gc._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 3268
[+] 	 SRV _gc._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 3268
[+] 	 SRV _ldap._tcp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 389
[+] 	 SRV _ldap._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 389
[+] 	 SRV _ldap._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 389
[+] 	 SRV _kerberos._udp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 88
[+] 	 SRV _kerberos._udp.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 88
[+] 	 SRV _kerberos._udp.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 88
[+] 	 SRV _ldap._tcp.ForestDNSZones.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 389
[+] 	 SRV _ldap._tcp.dc._msdcs.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 389
[+] 	 SRV _ldap._tcp.dc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 389
[+] 	 SRV _ldap._tcp.dc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 389
[+] 	 SRV _kerberos._tcp.dc._msdcs.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 88
[+] 	 SRV _ldap._tcp.gc._msdcs.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 3268
[+] 	 SRV _ldap._tcp.pdc._msdcs.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 389
[+] 	 SRV _kpasswd._udp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 464
[+] 	 SRV _kpasswd._udp.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 464
[+] 	 SRV _kpasswd._udp.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 464
[+] 	 SRV _kpasswd._tcp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 464
[+] 	 SRV _kpasswd._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 464
[+] 	 SRV _kpasswd._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 464
[+] 33 Records Found

N/A
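
Every SRV record in the dnsrecon output above resolves to the same host, so the 33 lines reduce to a short list of directory services that DNS advertises for the domain controller. The following is an added example, not part of the original notes: the function names `sample_dnsrecon`, `srv_summary` and `distinct_endpoints` are made up here, and the sample is a subset of the records shown above.

```shell
#!/bin/sh
# Added example: condense dnsrecon SRV lines into a per-service inventory.

# Subset of the dnsrecon output shown above (whitespace normalised).
sample_dnsrecon() {
cat <<'EOF'
[*] A CICADA.HTB 10.129.41.192
[+] SRV _kerberos._tcp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 88
[+] SRV _kerberos._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 88
[+] SRV _kerberos._tcp.CICADA.HTB cicada-dc.cicada.htb dead:beef::46c0:3971:5ebf:3844 88
[+] SRV _gc._tcp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 3268
[+] SRV _ldap._tcp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 389
[+] SRV _kerberos._udp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 88
[+] SRV _ldap._tcp.dc._msdcs.CICADA.HTB cicada-dc.cicada.htb dead:beef::29 389
[+] SRV _kpasswd._udp.CICADA.HTB cicada-dc.cicada.htb 10.129.41.192 464
[+] 33 Records Found
EOF
}

# srv_summary: read dnsrecon text on stdin and print, per SRV owner name,
#   <port>/<proto> <owner> <target> v4=<count> v6=<count>
# sorted by port. Lines that are not 6-field SRV records are ignored.
srv_summary() {
  awk '
    $2 == "SRV" && NF == 6 {
      owner = tolower($3); target = tolower($4); addr = $5; port = $6
      split(owner, lab, ".")          # lab[1]="_ldap", lab[2]="_tcp"
      proto = substr(lab[2], 2)       # drop the leading underscore
      key = port "/" proto " " owner " " target
      if (index(addr, ":")) v6[key]++; else v4[key]++
      seen[key] = 1
    }
    END {
      for (k in seen) printf "%s v4=%d v6=%d\n", k, v4[k], v6[k]
    }' | sort -n
}

# distinct_endpoints: the unique port/proto pairs the SRV records advertise,
# on one line. De-duplicate first, then order numerically by port.
distinct_endpoints() {
  srv_summary | cut -d" " -f1 | sort -u | sort -n | paste -sd " " -
}

sample_dnsrecon | srv_summary
```

Against a saved run, pipe the file in instead of the sample, for example `srv_summary < dnsrecon.txt`, where the file name is a placeholder.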