DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ nslookup              
> server 10.10.11.187
Default server: 10.10.11.187
Address: 10.10.11.187#53
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
> localhost
Server:		10.10.11.187
Address:	10.10.11.187#53
 
Non-authoritative answer:
Name:	localhost
Address: 127.0.0.1
** server can't find localhost: SERVFAIL
 
> 10.10.11.187
;; communications error to 10.10.11.187#53: timed out
** server can't find 187.11.10.10.in-addr.arpa: SERVFAIL
 
> flight.htb
Server:		10.10.11.187
Address:	10.10.11.187#53
 
Name:	flight.htb
Address: 192.168.22.180

While the reverse lookup did not reveal the hostname of the target system, the domain flight.htb resolved to an unfamiliar IP address, 192.168.22.180. There is a chance that 192.168.22.180 is an internal host.

dig


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ dig any FLIGHT.HTB @$IP
 
; <<>> DiG 9.19.17-1-Debian <<>> any FLIGHT.HTB @10.10.11.187
;; global options: +cmd
;; got answer:
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 20952
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;FLIGHT.HTB.			IN	ANY
 
;; ANSWER SECTION:
FLIGHT.HTB.		600	IN	A	192.168.22.180
FLIGHT.HTB.		3600	IN	NS	g0.FLIGHT.HTB.
FLIGHT.HTB.		3600	IN	SOA	g0.FLIGHT.HTB. hostmaster.FLIGHT.HTB. 41 900 600 86400 3600
 
;; ADDITIONAL SECTION:
g0.FLIGHT.HTB.		3600	IN	A	10.10.11.187
g0.FLIGHT.HTB.		3600	IN	AAAA	dead:beef::b1d9:efc7:61e1:4d02
g0.FLIGHT.HTB.		3600	IN	AAAA	dead:beef::23d
 
;; Query time: 184 msec
;; SERVER: 10.10.11.187#53(10.10.11.187) (TCP)
;; WHEN: Mon Dec 11 10:13:28 CET 2023
;; MSG SIZE  rcvd: 191

While dig returned the FQDN of the target system, g0.flight.htb, it also found an A record for 192.168.22.180. Additionally, two AAAA records were returned:

  • dead:beef::b1d9:efc7:61e1:4d02
  • dead:beef::23d

The /etc/hosts file on Kali has been updated for local DNS resolution.

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ rustscan -a dead:beef::23d -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open [dead:beef::23d]:53
Open [dead:beef::23d]:80
Open [dead:beef::23d]:88
Open [dead:beef::23d]:135
Open [dead:beef::23d]:389
Open [dead:beef::23d]:445
Open [dead:beef::23d]:464
Open [dead:beef::23d]:593
Open [dead:beef::23d]:636
Open [dead:beef::23d]:3268
Open [dead:beef::23d]:3269
Open [dead:beef::23d]:5985
Open [dead:beef::23d]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ rustscan -a dead:beef::b1d9:efc7:61e1:4d02 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open [dead:beef::b1d9:efc7:61e1:4d02]:53
Open [dead:beef::b1d9:efc7:61e1:4d02]:80
Open [dead:beef::b1d9:efc7:61e1:4d02]:88
Open [dead:beef::b1d9:efc7:61e1:4d02]:135
Open [dead:beef::b1d9:efc7:61e1:4d02]:389
Open [dead:beef::b1d9:efc7:61e1:4d02]:445
Open [dead:beef::b1d9:efc7:61e1:4d02]:464
Open [dead:beef::b1d9:efc7:61e1:4d02]:593
Open [dead:beef::b1d9:efc7:61e1:4d02]:636
Open [dead:beef::b1d9:efc7:61e1:4d02]:3268
Open [dead:beef::b1d9:efc7:61e1:4d02]:3269
Open [dead:beef::b1d9:efc7:61e1:4d02]:5985
Open [dead:beef::b1d9:efc7:61e1:4d02]:9389

Those two IPv6 addresses are not hosting any additional services. Moving on.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ dnsenum FLIGHT.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum VERSION:1.2.6
 
-----   flight.htb   -----
 
 
Host's addresses:
__________________
 
flight.htb.                              600      IN    A        192.168.22.180
 
 
Name Servers:
______________
 
g0.flight.htb.                           3600     IN    A        10.10.11.187
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: g0.flight.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for flight.htb on g0.flight.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
gc._msdcs.flight.htb.                    600      IN    A        192.168.22.180
domaindnszones.flight.htb.               600      IN    A        192.168.22.180
forestdnszones.flight.htb.               600      IN    A        192.168.22.180
 
 
flight.htb class C netranges:
______________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
flight.htb ip blocks:
______________________
 
 
done.

dnsenum shows that the domain zone points to the IP address 192.168.22.180. This alone raises the suspicion that 192.168.22.180 is the actual domain host, which is resolved by the nameserver on the 10.10.11.187 host.
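The thread running through the nslookup, dig and dnsenum output above is that an authoritative server reachable from the lab network answers with an RFC 1918 address (192.168.22.180) that the lab network cannot route to, which is what a split-horizon misconfiguration looks like from the outside. The script below is an added example, not part of the write-up and not a dnsenum or dig feature: it parses presentation-format records such as those dig and dnsenum printed, flags any private address that lies outside the networks the querier can reach, derives the in-addr.arpa / ip6.arpa owner name a reverse lookup would use, and notes the Active Directory partition names (gc._msdcs, DomainDnsZones, ForestDnsZones) that the brute force turned up. The embedded sample records are copied from the output above; the reachable network 10.10.11.0/24 is an assumption about the lab, not something the page states.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the A/NS/SOA/AAAA records from the dig output and the
# three names dnsenum brute-forced, in presentation format. Embedded so the
# script runs offline; paste in your own dig/dnsenum output to audit a zone.
SAMPLE_RECORDS = """\
FLIGHT.HTB.		600	IN	A	192.168.22.180
FLIGHT.HTB.		3600	IN	NS	g0.FLIGHT.HTB.
FLIGHT.HTB.		3600	IN	SOA	g0.FLIGHT.HTB. hostmaster.FLIGHT.HTB. 41 900 600 86400 3600
g0.FLIGHT.HTB.		3600	IN	A	10.10.11.187
g0.FLIGHT.HTB.		3600	IN	AAAA	dead:beef::b1d9:efc7:61e1:4d02
g0.FLIGHT.HTB.		3600	IN	AAAA	dead:beef::23d
gc._msdcs.flight.htb.		600	IN	A	192.168.22.180
domaindnszones.flight.htb.	600	IN	A	192.168.22.180
forestdnszones.flight.htb.	600	IN	A	192.168.22.180
"""

# owner  ttl  IN  type  rdata; matched case-insensitively so lines that an
# extractor or a lower-casing terminal theme mangled still parse.
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Za-z]+)\s+(?P<rdata>.+)$", re.I
)

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

# Names that only exist in an Active Directory DS-integrated zone.
AD_LABELS = ("domaindnszones", "forestdnszones")


def parse_records(text):
    """Parse dig/dnsenum presentation-format lines into dicts.

    Owner names are lower-cased (DNS names compare case-insensitively) and keep
    their trailing dot; comment lines (';') and blank lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        records.append({
            "name": m["name"].lower(),
            "ttl": int(m["ttl"]),
            "type": m["type"].upper(),
            "rdata": m["rdata"].strip(),
        })
    return records


def parse_soa(rdata):
    """Split SOA rdata into its seven fields; serial and the four timers become ints."""
    soa = dict(zip(SOA_FIELDS, rdata.split()))
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])
    return soa


def is_ad_marker(name):
    """True for gc._msdcs.* or a DomainDnsZones/ForestDnsZones partition name."""
    return name.startswith("gc._msdcs.") or name.split(".")[0] in AD_LABELS


def audit(records, reachable_networks):
    """Report what an externally reachable authoritative server discloses.

    reachable_networks: CIDR strings the querier can actually route to. Any
    private (RFC 1918 / fc00::/7) address outside them is an internal address
    leaking through the externally visible zone.
    """
    reachable = [ipaddress.ip_network(n) for n in reachable_networks]
    hosts_by_address = defaultdict(set)
    leaked_internal = []
    ptr_names = {}
    for r in records:
        if r["type"] not in ("A", "AAAA"):
            continue
        ip = ipaddress.ip_address(r["rdata"])
        hosts_by_address[str(ip)].add(r["name"])
        # Owner name a reverse (PTR) lookup of this address would query.
        ptr_names[str(ip)] = ip.reverse_pointer
        if ip.is_private and not any(ip in net for net in reachable):
            leaked_internal.append((r["name"], str(ip)))
    return {
        "hosts_by_address": {k: sorted(v) for k, v in hosts_by_address.items()},
        "leaked_internal": leaked_internal,
        "ptr_names": ptr_names,
        "ad_zone": any(is_ad_marker(r["name"]) for r in records),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        if r["type"] == "SOA":
            print("SOA:", parse_soa(r["rdata"]))
    # Assumption: only the lab's 10.10.11.0/24 is reachable from the tester's host.
    report = audit(recs, ["10.10.11.0/24"])
    for name, ip in report["leaked_internal"]:
        print(f"internal address exposed: {name} -> {ip} (PTR name: {report['ptr_names'][ip]})")
    print("Active Directory zone markers present:", report["ad_zone"])
```

Run against the sample, every name except the nameserver itself resolves to 192.168.22.180, which is private and outside the reachable /24, so the audit reports four leaked entries and marks the zone as AD-integrated; the SOA fields show the zone's serial (41) and timers, which is what a defender compares against the internal copy of the zone to see whether the external view was ever meant to differ.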