DNS


Nmap found a DNS service on the target port 53. The target host appears to be a domain controller in an Active Directory environment.

Through the SMB and LDAP service enumeration, I was able to identify the domain as well as the hostname of the target system.

I will append the domain name as well as the FQDN of the target host to /etc/hosts for local DNS resolution.

nslookup


┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ nslookup            
> server 10.10.10.161
Default server: 10.10.10.161
Address: 10.10.10.161#53
> 127.0.0.1
;; communications error to 10.10.10.161#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> 10.10.10.161
;; communications error to 10.10.10.161#53: timed out
;; communications error to 10.10.10.161#53: timed out
;; communications error to 10.10.10.161#53: timed out
;; no servers could be reached
 
> htb.local
Server:		10.10.10.161
Address:	10.10.10.161#53
 
Name:	htb.local
Address: 10.10.10.161

Attempting a reverse lookup on localhost and on the target host does not reveal any additional information.

dig


┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ dig any htb.local @$IP                                                  
 
; <<>> DiG 9.18.10-2-Debian <<>> any htb.local @10.10.10.161
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 50
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
; cookie: 4351107027273be5 (echoed)
;; question section:
;htb.local.			IN	ANY
 
;; answer section:
htb.local.		600	IN	A	10.10.10.161
htb.local.		3600	IN	NS	forest.htb.local.
htb.local.		3600	IN	SOA	forest.htb.local. hostmaster.htb.local. 104 900 600 86400 3600
 
;; additional section:
forest.htb.local.	3600	IN	A	10.10.10.161
 
;; query time: 31 msec
;; server: 10.10.10.161#53(10.10.10.161) (TCP)
;; when: Sun Jan 22 12:51:03 CET 2023
;; msg size  rcvd: 150

dig was also able to find the hostname of the target system.

┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ dig axfr htb.local @$IP
 
; <<>> DiG 9.18.10-2-Debian <<>> axfr htb.local @10.10.10.161
;; global options: +cmd
; Transfer failed.

Zone transfer is not available.

DNSEnum


┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ dnsenum htb.local --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum VERSION:1.2.6
 
-----   htb.local   -----
 
 
Host's addresses:
__________________
 
htb.local.                               600      IN    A        10.10.10.161
 
 
Name Servers:
______________
 
forest.htb.local.                        3600     IN    A        10.10.10.161
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: forest.htb.local at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for htb.local on forest.htb.local ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
gc._msdcs.htb.local.                     600      IN    A        10.10.10.161
domaindnszones.htb.local.                600      IN    A        10.10.10.161
forestdnszones.htb.local.                600      IN    A        10.10.10.161
forest.htb.local.                        3600     IN    A        10.10.10.161
 
 
htb.local class C netranges:
_____________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
htb.local ip blocks:
_____________________
 
 
done.

dnsenum does not find anything additional either.
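To turn the dig and dnsenum output above into the facts the rest of the engagement needs, here is an added Python example (my own code, not part of the original writeup or of either tool): it parses the zone-file style record lines both tools print, names the DC from the NS and SOA records, separates the AD-only zones (_msdcs, DomainDnsZones, ForestDnsZones) that mark the host as a domain controller, and produces the /etc/hosts line that was added by hand earlier. The sample record text is constructed from the output shown on this page.

```python
import re
from collections import defaultdict
# Constructed sample in the zone-file style both dig and dnsenum print
# (name TTL class type data), copied from the output shown above.
SAMPLE_RECORDS = (
    "htb.local.\t\t600\tIN\tA\t10.10.10.161\n"
    "htb.local.\t\t3600\tIN\tNS\tforest.htb.local.\n"
    "htb.local.\t\t3600\tIN\tSOA\tforest.htb.local. hostmaster.htb.local. 104 900 600 86400 3600\n"
    ";htb.local.\t\t\tIN\tANY\n"  # dig's question section must be skipped
    "forest.htb.local.\t3600\tIN\tA\t10.10.10.161\n"
    "gc._msdcs.htb.local.          600   IN   A   10.10.10.161\n"
    "domaindnszones.htb.local.     600   IN   A   10.10.10.161\n"
    "forestdnszones.htb.local.     600   IN   A   10.10.10.161\n"
)

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")
AD_ZONE_HINTS = ("_msdcs.", "domaindnszones.", "forestdnszones.")  # AD-only zones

def parse_records(text):
    """Return (name, type, data) tuples; names lowercased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:  # ';;' comments, banners and the question section do not match
            name, _ttl, rtype, data = m.groups()
            records.append((name.lower().rstrip("."), rtype, data.strip()))
    return records

def dc_hostnames(records):
    """Hosts the zone itself names: NS targets plus the SOA primary (MNAME)."""
    return sorted({d.split()[0].rstrip(".").lower() for _, t, d in records if t in ("NS", "SOA")})

def is_ad_zone(name):
    """True for names under zones that only Active Directory's DNS creates."""
    return any(h in name for h in AD_ZONE_HINTS)

def ad_indicators(records):
    """A records inside _msdcs, DomainDnsZones or ForestDnsZones: marks a DC."""
    return sorted(n for n, t, _ in records if t == "A" and is_ad_zone(n))

def hosts_entries(records):
    """/etc/hosts lines, one per IP: DC FQDN first, AD infrastructure names left out."""
    dcs = set(dc_hostnames(records))
    by_ip = defaultdict(list)
    for name, rtype, data in records:
        if rtype == "A" and not is_ad_zone(name) and name not in by_ip[data]:
            by_ip[data].append(name)
    return [ip + " " + " ".join(sorted(names, key=lambda n: (n not in dcs, n)))
            for ip, names in by_ip.items()]
```

Feeding it the raw dig or dnsenum output of a real run works the same way, since every non-record line fails the regex and is dropped.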

That’s about it for DNS enumeration.