DNS


Nmap discovered a DNS server on the target's port 53. It also enumerated the hostname and the domain by running the smb-os-discovery NSE script against the target SMB server.

Those are appended to the /etc/hosts file on Kali for local DNS resolution.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ nslookup               
> server 10.10.10.193
Default server: 10.10.10.193
Address: 10.10.10.193#53
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
> 10.10.10.193
;; communications error to 10.10.10.193#53: timed out
;; communications error to 10.10.10.193#53: timed out
;; communications error to 10.10.10.193#53: timed out
;; no servers could be reached

The reverse lookup with nslookup doesn’t reveal anything additional.

dig


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ dig any fabricorp.local @$IP
 
; <<>> DiG 9.18.10-2-Debian <<>> any fabricorp.local @10.10.10.193
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4755
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;fabricorp.local.		IN	ANY
 
;; ANSWER SECTION:
fabricorp.local.	600	IN	A	10.10.10.85
fabricorp.local.	3600	IN	NS	fuse.fabricorp.local.
fabricorp.local.	3600	IN	SOA	fuse.fabricorp.local. hostmaster.fabricorp.local. 28 900 600 86400 3600
fabricorp.local.	600	IN	AAAA	dead:beef::dd7a:e177:e722:c295
 
;; ADDITIONAL SECTION:
fuse.fabricorp.local.	3600	IN	A	10.10.10.193
fuse.fabricorp.local.	3600	IN	AAAA	dead:beef::b941:4d7d:7396:e75c
fuse.fabricorp.local.	3600	IN	AAAA	dead:beef::bb
 
;; Query time: 31 msec
;; SERVER: 10.10.10.193#53(10.10.10.193) (TCP)
;; WHEN: Thu Feb 02 14:38:26 CET 2023
;; MSG SIZE  rcvd: 226

There is an A record for the domain: 10.10.10.85

I tried pinging the IP address, but the host was unreachable. I will keep an eye on it.
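
To make the mismatch explicit, the answer and additional sections of the dig output above can be parsed and the apex addresses compared with the addresses of the listed name server. This is an added example, not part of the original notes; the function names are hypothetical, and treating an apex address that matches no name server as worth reviewing is an assumption about this zone.

```python
import ipaddress

# Answer and additional sections copied from the dig output above.
DIG_OUTPUT = """\
;; ANSWER SECTION:
fabricorp.local. 600 IN A 10.10.10.85
fabricorp.local. 3600 IN NS fuse.fabricorp.local.
fabricorp.local. 3600 IN SOA fuse.fabricorp.local. hostmaster.fabricorp.local. 28 900 600 86400 3600
fabricorp.local. 600 IN AAAA dead:beef::dd7a:e177:e722:c295

;; ADDITIONAL SECTION:
fuse.fabricorp.local. 3600 IN A 10.10.10.193
fuse.fabricorp.local. 3600 IN AAAA dead:beef::b941:4d7d:7396:e75c
fuse.fabricorp.local. 3600 IN AAAA dead:beef::bb
"""


def parse_records(text):
    """Return (name, ttl, rtype, rdata) tuples from dig's presentation format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip comments, section headers and the question line
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # not a "name ttl class type rdata" record line
        name, ttl, _cls, rtype, rdata = fields
        records.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def unbacked_apex_addresses(text, zone):
    """Apex A/AAAA records that match no address of the zone's name servers."""
    zone = zone.lower().rstrip(".") + "."
    records = parse_records(text)
    ns_hosts = {r[3].lower() for r in records if r[0] == zone and r[2] == "NS"}
    ns_addrs = {ipaddress.ip_address(r[3]) for r in records
                if r[0] in ns_hosts and r[2] in ("A", "AAAA")}
    return [(r[2], r[3]) for r in records
            if r[0] == zone and r[2] in ("A", "AAAA")
            and ipaddress.ip_address(r[3]) not in ns_addrs]


if __name__ == "__main__":
    for rtype, addr in unbacked_apex_addresses(DIG_OUTPUT, "fabricorp.local"):
        print(f"{rtype} {addr} is not an address of any listed name server")
```

On the zone owner's side, the same comparison is a quick way to spot apex records left behind after a server was re-addressed or decommissioned.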

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ dnsenum FABRICORP.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum VERSION:1.2.6
 
-----   fabricorp.local   -----
 
 
Host's addresses:
__________________
 
fabricorp.local.                         600      IN    A        10.10.10.85
 
 
Name Servers:
______________
 
fuse.fabricorp.local.                    3600     IN    A        10.10.10.193
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: fuse.fabricorp.local at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for fabricorp.local on fuse.fabricorp.local ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
gc._msdcs.fabricorp.local.               600      IN    A        10.10.10.85
domaindnszones.fabricorp.local.          600      IN    A        10.10.10.85
forestdnszones.fabricorp.local.          600      IN    A        10.10.10.85
 
 
fabricorp.local class C netranges:
___________________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
fabricorp.local ip blocks:
___________________________
 
 
done.

Nothing found.

It doesn’t seem like there is any additional domain zone or subdomain.