DNS


As previously discovered, the target host is a domain controller in an Active Directory environment, so its DNS service is AD-integrated and worth enumerating on its own.

/etc/hosts


I will append the domain as well as the FQDN of the target host to /etc/hosts for local name resolution. Note that this only helps tools that go through the system resolver (the hosts file); tools that speak DNS directly, such as dig and dnsenum, still need to be pointed at the target with @$IP or --dnsserver.

dig


┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ dig any htb.local @$IP
 
; <<>> DiG 9.18.8-1-Debian <<>> any htb.local @10.10.10.52
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: FORMERR, id: 4989
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; warning: recursion requested but not available
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 1232
; cookie: b4555b1fbca70ad7 (echoed)
;; question section:
;htb.local.			IN	ANY
 
;; query time: 28 msec
;; server: 10.10.10.52#53(10.10.10.52) (TCP)
;; when: Tue Jan 10 14:01:31 CET 2023
;; msg size  rcvd: 50

dig returns no records. The ANY query is not answered with an empty response but rejected with status FORMERR, i.e. the server treats the query itself as malformed. dig 9.18 attaches an EDNS cookie by default (the cookie: line in the OPT pseudosection) and some DNS servers reject queries carrying it, so retrying with +nocookie or +noedns is the first thing to check before concluding that ANY is blocked. The "recursion requested but not available" warning only means the server will not recurse for this client (no ra flag), and the .local/mDNS warning is dig's own note about the reserved TLD and can be ignored here.

┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ dig axfr @$IP htb.local       
 
; <<>> DiG 9.18.8-1-Debian <<>> axfr @10.10.10.52 htb.local
; (1 server found)
;; global options: +cmd
; Transfer failed.

The zone transfer (AXFR) fails as well, so the zone contents will have to be brute forced instead.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ dnsenum htb.local --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt             
dnsenum VERSION:1.2.6
 
-----   htb.local   -----
 
 
Host's addresses:
__________________
 
htb.local.                               600      IN    A        10.10.10.52
 
 
Name Servers:
______________
 
mantis.htb.local.                        1200     IN    A        10.10.10.52
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: mantis.htb.local at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for htb.local on mantis.htb.local ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
mantis.htb.local.                        1200     IN    A        10.10.10.52
gc._msdcs.htb.local.                     600      IN    A        10.10.10.52
domaindnszones.htb.local.                600      IN    A        10.10.10.52
forestdnszones.htb.local.                600      IN    A        10.10.10.52
 
 
htb.local class C netranges:
_____________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
htb.local ip blocks:
_____________________
 
 
done.

dnsenum does not find anything additional either. The brute force only turns up the standard names an AD-integrated zone always carries, all resolving to 10.10.10.52: mantis (the DC, which is also the sole NS), gc._msdcs (the global catalog alias) and the DomainDnsZones/ForestDnsZones application partitions. No other hosts are exposed. The "unresolvable name: mantis.htb.local" error in the zone-transfer step is dnsenum resolving the NS hostname through the system resolver rather than the --dnsserver target, so its AXFR attempt never reached the DC; the manual dig axfr above already covers that check.
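What ANY, AXFR and a subdomain wordlist do not surface are the SRV records that a domain controller's Netlogon service registers (LDAP, Kerberos, kpasswd, global catalog), which name every DC and the ports it serves. The script below is an added example, not part of the original writeup: it builds the well-known AD SRV names for a domain, queries them with dig (with +nocookie, given the FORMERR seen above), and parses the `dig +short SRV` output into host/port pairs ordered by priority and weight. The domain and server are placeholders; dig is assumed to be installed.

```shell
#!/usr/bin/env sh
# Added example (not from the original writeup): enumerate the SRV records
# Netlogon registers for an AD domain. Assumes dig is installed; the domain
# and server passed to enum_ad_srv are placeholders.

# Print the well-known AD SRV names for a domain. The _gc._tcp and
# *.gc._msdcs names are registered under the forest root, which in a
# single-domain forest is the same name. Site-specific names are omitted.
ad_srv_names() {
    domain="$1"
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp \
               _kpasswd._udp _ldap._tcp.dc._msdcs _ldap._tcp.pdc._msdcs \
               _ldap._tcp.gc._msdcs _gc._tcp _kerberos._tcp.dc._msdcs; do
        printf '%s.%s\n' "$svc" "$domain"
    done
}

# Turn `dig +short SRV` lines ("priority weight port target.") read from
# stdin into "target port" lines, sorted by priority (ascending) and then
# weight (descending), i.e. the order a client would try them.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, -$2, $4, $3 }' \
        | sort -n -k1,1 -k2,2 \
        | awk '{ print $3, $4 }'
}

# Query every AD SRV name against a server and print the ones that exist.
# usage: enum_ad_srv htb.local 10.10.10.52
enum_ad_srv() {
    domain="$1"
    server="$2"
    ad_srv_names "$domain" | while read -r name; do
        out=$(dig +short +nocookie SRV "$name" "@$server")
        [ -n "$out" ] || continue
        printf '%s\n' "$name"
        printf '%s\n' "$out" | parse_srv | sed 's/^/    /'
    done
}
```

Run it as `enum_ad_srv htb.local 10.10.10.52` after sourcing the file. A DC whose zone is otherwise locked down still has to answer these, because domain members depend on them to locate Kerberos and LDAP services.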

That’s about it for DNS enumeration.