DNS


Nmap discovered a DNS server running on target port 53. The service running is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ nslookup
> server 10.10.10.169
Default server: 10.10.10.169
Address: 10.10.10.169#53
> 127.0.0.1
;; communications error to 10.10.10.169#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> megabank.local
;; communications error to 10.10.10.169#53: timed out
Server:		10.10.10.169
Address:	10.10.10.169#53
 
Name:	megabank.local
Address: 10.10.10.169
Name:	megabank.local
Address: dead:beef::b803:885a:b665:b183
> resolute.megabank.local
;; communications error to 10.10.10.169#53: timed out
Server:		10.10.10.169
Address:	10.10.10.169#53
 
Name:	resolute.megabank.local
Address: 10.10.10.169

While reverse lookup failed to resolve the loopback address, I found an additional IPv6 address associated with the domain:

  • dead:beef::b803:885a:b665:b183

dig


┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ dig any MEGABANK.LOCAL @$IP
 
; <<>> DiG 9.18.10-2-Debian <<>> any MEGABANK.LOCAL @10.10.10.169
;; global options: +cmd
;; got answer:
;; warning: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 6222
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;MEGABANK.LOCAL.			IN	ANY
 
;; answer section:
MEGABANK.LOCAL.		600	IN	A	10.10.10.169
MEGABANK.LOCAL.		3600	IN	NS	resolute.MEGABANK.LOCAL.
MEGABANK.LOCAL.		3600	IN	SOA	resolute.MEGABANK.LOCAL. hostmaster.MEGABANK.LOCAL. 152 900 600 86400 3600
megabank.local.		600	in	aaaa	dead:beef::b803:885a:b665:b183
 
;; additional section:
resolute.MEGABANK.LOCAL. 3600	IN	A	10.10.10.169
 
;; query time: 96 msec
;; server: 10.10.10.169#53(10.10.10.169) (TCP)
;; when: Sat Jun 10 16:23:50 CEST 2023
;; msg size  rcvd: 173

dig also finds the IPv6 address: dead:beef::b803:885a:b665:b183

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ dnsenum MEGABANK.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum VERSION:1.2.6
 
-----   megabank.local   -----
 
 
Host's addresses:
__________________
 
megabank.local.                          600      IN    A        10.10.10.169
 
 
Name Servers:
______________
 
resolute.megabank.local.                 3600     IN    A        10.10.10.169
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: resolute.megabank.local at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for megabank.local on resolute.megabank.local ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
gc._msdcs.megabank.local.                600      IN    A        10.10.10.169
domaindnszones.megabank.local.           600      IN    A        10.10.10.169
forestdnszones.megabank.local.           600      IN    A        10.10.10.169
 
 
megabank.local class C netranges:
__________________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
megabank.local ip blocks:
__________________________
 
 
done.

No additional domain information was found.
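
The A and AAAA lines from the dig and dnsenum output above can be folded into one per-host address inventory, so the dual-stack name stands out and its IPv6 side gets the same scan-scope and filtering review as the IPv4 side. This is an added example, not part of the original notes; the function names are illustrative and the sample lines are copied from the output above.

```python
import ipaddress
from collections import defaultdict

# Record lines copied from the dig and dnsenum output on this page.
SAMPLE = """\
MEGABANK.LOCAL.		600	IN	A	10.10.10.169
MEGABANK.LOCAL.		3600	IN	NS	resolute.MEGABANK.LOCAL.
megabank.local.		600	in	aaaa	dead:beef::b803:885a:b665:b183
resolute.MEGABANK.LOCAL. 3600	IN	A	10.10.10.169
gc._msdcs.megabank.local.                600      IN    A        10.10.10.169
domaindnszones.megabank.local.           600      IN    A        10.10.10.169
forestdnszones.megabank.local.           600      IN    A        10.10.10.169
;; query time: 96 msec
"""

def parse_records(text):
    """Yield (name, rtype, rdata) from 'name TTL class type rdata' lines."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        # Skip comments, blanks and anything without a numeric TTL.
        if len(fields) < 5 or line.startswith(";") or not fields[1].isdigit():
            continue
        name, _ttl, _rclass, rtype, rdata = fields
        # DNS names are case-insensitive: fold case and drop the root dot.
        yield name.lower().rstrip("."), rtype.upper(), rdata.strip()

def inventory(text):
    """Map each host name to its validated, de-duplicated v4/v6 addresses."""
    hosts = defaultdict(lambda: {"v4": set(), "v6": set()})
    for name, rtype, rdata in parse_records(text):
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata, ignore the line
        hosts[name]["v6" if addr.version == 6 else "v4"].add(str(addr))
    return dict(hosts)

def dual_stack(hosts):
    """Names with both address families; review IPv6 exposure for these."""
    return sorted(n for n, a in hosts.items() if a["v4"] and a["v6"])

if __name__ == "__main__":
    inv = inventory(SAMPLE)
    for name in sorted(inv):
        print(name, sorted(inv[name]["v4"]), sorted(inv[name]["v6"]))
    print("dual-stack:", dual_stack(inv))
```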

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ rustscan -a dead:beef::b803:885a:b665:b183 -b 25000 
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] looks like i didn't find any open ports for dead:beef::b803:885a:b665:b183. This is usually caused by a high batch size.
        
*I used 10000 batch size, consider lowering it with 'rustscan -b <batch_size> -a <ip address>' or a comfortable number for your system.
        
 Alternatively, increase the timeout if your ping is high. Rustscan -t 2000 for 2000 milliseconds (2s) timeout.

It appears that I am unable to reach the IPv6 address.