DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ nslookup                                                              
> server 10.10.11.31
Default server: 10.10.11.31
Address: 10.10.11.31#53
 
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
 
> dc01.infiltrator.htb
Server:		10.10.11.31
Address:	10.10.11.31#53
 
Name:	dc01.infiltrator.htb
Address: 10.10.11.31
 
> infiltrator.htb
Server:		10.10.11.31
Address:	10.10.11.31#53
 
Name:	infiltrator.htb
Address: 10.10.11.31

dig


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ dig any INFILTRATOR.HTB @$IP
 
; <<>> DiG 9.20.0-Debian <<>> any INFILTRATOR.HTB @10.10.11.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21383
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;INFILTRATOR.HTB.               IN      ANY
 
;; ANSWER SECTION:
INFILTRATOR.HTB.        600     IN      A       10.10.11.31
INFILTRATOR.HTB.        3600    IN      NS      dc01.INFILTRATOR.HTB.
INFILTRATOR.HTB.        3600    IN      SOA     dc01.INFILTRATOR.HTB. hostmaster.INFILTRATOR.HTB. 417 900 600 86400 3600
;; ADDITIONAL SECTION:
dc01.INFILTRATOR.HTB.   3600    IN      A       10.10.11.31
 
;; Query time: 144 msec

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ dnsenum INFILTRATOR.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
 
-----   infiltrator.htb   -----
 
 
Host's addresses:
__________________
 
infiltrator.htb.                         600      IN    A        10.10.11.31
 
 
Name Servers:
______________
 
dc01.infiltrator.htb.                    3600     IN    A        10.10.11.31
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc01.infiltrator.htb at /usr/bin/dnsenum line 892 thread 1.
 
Trying Zone Transfer for infiltrator.htb on dc01.infiltrator.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
gc._msdcs.infiltrator.htb.               600      IN    A        10.10.11.31
domaindnszones.infiltrator.htb.          600      IN    A        10.10.11.31
forestdnszones.infiltrator.htb.          600      IN    A        10.10.11.31
dc01.infiltrator.htb.                    3600     IN    A        10.10.11.31
 
 
infiltrator.htb class C netranges:
___________________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
infiltrator.htb ip blocks:
___________________________
 
 
done.

dnsrecon


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ dnsrecon -d INFILTRATOR.HTB -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16  
[*] std: Performing General Enumeration against: INFILTRATOR.HTB...
[-] DNSSEC is not configured for INFILTRATOR.HTB
[*] 	 SOA dc01.INFILTRATOR.HTB 10.10.11.31
[*] 	 NS dc01.INFILTRATOR.HTB 10.10.11.31
[*] 	 A INFILTRATOR.HTB 10.10.11.31
[*] Enumerating SRV Records
[+] 	 SRV _gc._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 3268
[+] 	 SRV _kerberos._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 88
[+] 	 SRV _ldap._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
[+] 	 SRV _kerberos._udp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 88
[+] 	 SRV _kpasswd._udp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 464
[+] 	 SRV _ldap._tcp.gc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 3268
[+] 	 SRV _kerberos._tcp.dc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 88
[+] 	 SRV _ldap._tcp.ForestDNSZones.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
[+] 	 SRV _kpasswd._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 464
[+] 	 SRV _ldap._tcp.pdc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
[+] 	 SRV _ldap._tcp.dc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
[+] 11 Records Found
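
Added example (not part of the original notes): the SRV records from the dnsrecon run, parsed into a per-host inventory of published ports and DC locator roles, which makes visible how much of the domain layout the DNS service discloses to an unauthenticated query. The sample lines are copied from the output above with whitespace normalised; parse_srv and inventory are names chosen here for illustration.

```python
import re
from collections import defaultdict

# SRV lines copied from the dnsrecon output above (whitespace normalised).
DNSRECON_SRV = """\
[+] SRV _gc._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 3268
[+] SRV _kerberos._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 88
[+] SRV _ldap._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
[+] SRV _kerberos._udp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 88
[+] SRV _kpasswd._udp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 464
[+] SRV _ldap._tcp.gc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 3268
[+] SRV _kerberos._tcp.dc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 88
[+] SRV _ldap._tcp.ForestDNSZones.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
[+] SRV _kpasswd._tcp.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 464
[+] SRV _ldap._tcp.pdc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
[+] SRV _ldap._tcp.dc._msdcs.INFILTRATOR.HTB dc01.infiltrator.htb 10.10.11.31 389
"""

SRV_LINE = re.compile(r"^\[\+\]\s+SRV\s+(_[^.\s]+\._[^.\s]+\.\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_srv(text):
    """Return one dict per dnsrecon SRV line; banners and other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue
        owner, target, addr, port = m.groups()
        labels = owner.lower().split(".")
        # Under _msdcs, the label just left of it names the DC locator role (dc, gc, pdc).
        idx = labels.index("_msdcs") if "_msdcs" in labels else -1
        role = labels[idx - 1] if idx > 2 else None
        records.append({"service": labels[0][1:], "proto": labels[1][1:], "role": role,
                        "target": target.lower().rstrip("."), "address": addr, "port": int(port)})
    return records

def inventory(records):
    """Group records by SRV target: addresses, (port, proto) endpoints, locator roles."""
    hosts = defaultdict(lambda: {"addresses": set(), "endpoints": set(), "roles": set()})
    for r in records:
        h = hosts[r["target"]]
        h["addresses"].add(r["address"])
        h["endpoints"].add((r["port"], r["proto"]))
        if r["role"]:
            h["roles"].add(r["role"])
    return {name: {k: sorted(v) for k, v in h.items()} for name, h in hosts.items()}

if __name__ == "__main__":
    print(inventory(parse_srv(DNSRECON_SRV)))
```

For this output, every record resolves to dc01.infiltrator.htb, which is registered under the dc, gc and pdc locator labels.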