DNS


Nmap discovered a DNS server on port 53 of the target. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ nslookup
> server 10.10.11.158
Default server: 10.10.11.158
Address: 10.10.11.158#53
 
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
 
> streamIO.htb
Server:		10.10.11.158
Address:	10.10.11.158#53
 
Name:	streamIO.htb
Address: 10.10.11.158
Name:	streamIO.htb
Address: dead:beef::24a
Name:	streamIO.htb
Address: dead:beef::9ce4:405a:c517:5838

The lookup of the domain name with nslookup returned 2 additional IPv6 addresses:

  • dead:beef::24a
  • dead:beef::9ce4:405a:c517:5838

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ rustscan -a dead:beef::24a -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::24a]:53
open [dead:beef::24a]:80
open [dead:beef::24a]:88
open [dead:beef::24a]:135
open [dead:beef::24a]:389
open [dead:beef::24a]:443
open [dead:beef::24a]:445
open [dead:beef::24a]:464
open [dead:beef::24a]:593
open [dead:beef::24a]:636
open [dead:beef::24a]:3268
open [dead:beef::24a]:3269
open [dead:beef::24a]:5985
open [dead:beef::24a]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ rustscan -a dead:beef::9ce4:405a:c517:5838 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::9ce4:405a:c517:5838]:53
open [dead:beef::9ce4:405a:c517:5838]:80
open [dead:beef::9ce4:405a:c517:5838]:88
open [dead:beef::9ce4:405a:c517:5838]:135
open [dead:beef::9ce4:405a:c517:5838]:389
open [dead:beef::9ce4:405a:c517:5838]:443
open [dead:beef::9ce4:405a:c517:5838]:445
open [dead:beef::9ce4:405a:c517:5838]:464
open [dead:beef::9ce4:405a:c517:5838]:593
open [dead:beef::9ce4:405a:c517:5838]:636
open [dead:beef::9ce4:405a:c517:5838]:3268
open [dead:beef::9ce4:405a:c517:5838]:3269
open [dead:beef::9ce4:405a:c517:5838]:5985
open [dead:beef::9ce4:405a:c517:5838]:9389

No additional services were found on either IPv6 address.
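
The same comparison can be automated when checking that a host's exposure is identical on every address it answers on. The following is an added example, not part of the original write-up: it parses rustscan-style `open [addr]:port` lines and reports every address whose open ports differ from a reference address. The sample input is constructed from the port lists above, and `2001:db8::1` with its ports is a hypothetical third address added to show what a difference looks like.

```python
import ipaddress
import re

# rustscan prints one "open [addr]:port" line per finding (IPv6 in brackets).
OPEN_LINE = re.compile(r"^open \[?([0-9a-f:.]+)\]?:(\d+)$", re.IGNORECASE)

def parse_open_ports(scan_output):
    """Map each address (canonical form) to the set of ports reported open."""
    ports = {}
    for line in scan_output.splitlines():
        match = OPEN_LINE.match(line.strip())
        if not match:
            continue  # banner, config and ulimit lines
        try:
            addr = str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # looked like a finding but is not a valid address
        ports.setdefault(addr, set()).add(int(match.group(2)))
    return ports

def compare_to_reference(ports, reference):
    """For every address that differs, list ports it adds to or lacks from the reference."""
    ref = ports[str(ipaddress.ip_address(reference))]
    return {
        addr: {"extra": sorted(found - ref), "missing": sorted(ref - found)}
        for addr, found in ports.items()
        if found != ref
    }

# Constructed sample: the two address/port sets shown above, plus a hypothetical
# third address (2001:db8::1, documentation range) whose exposure differs.
PORTS = (53, 80, 88, 135, 389, 443, 445, 464, 593, 636, 3268, 3269, 5985, 9389)
SAMPLE = "[~] Automatically increasing ulimit value to 5000.\n" + "".join(
    f"open [{addr}]:{port}\n"
    for addr in ("dead:beef::24a", "dead:beef::9ce4:405a:c517:5838")
    for port in PORTS
) + "open [2001:db8::1]:53\nopen [2001:db8::1]:3389\n"

if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE)
    for addr, diff in compare_to_reference(parsed, "dead:beef::24a").items():
        print(addr, diff)
```

An empty result means every scanned address exposes exactly the reference port set, which is the outcome recorded above for the two IPv6 addresses.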

dig


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ dig any STREAMIO.HTB @$IP 
 
; <<>> DiG 9.19.17-1-Debian <<>> any STREAMIO.HTB @10.10.11.158
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10686
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;STREAMIO.HTB.			    IN	ANY
 
;; ANSWER SECTION:
STREAMIO.HTB.		600	    IN	A	    10.10.11.158
STREAMIO.HTB.		3600	IN	NS	    dc.STREAMIO.HTB.
STREAMIO.HTB.		3600	IN	SOA	    dc.STREAMIO.HTB. hostmaster.STREAMIO.HTB. 285 900 600 86400 3600
STREAMIO.HTB.		600	    IN	AAAA	dead:beef::9ce4:405a:c517:5838
STREAMIO.HTB.		600	    IN	AAAA	dead:beef::24a
 
;; ADDITIONAL SECTION:
dc.STREAMIO.HTB.	1200	IN	A	    10.10.11.158
dc.STREAMIO.HTB.	1200	IN	AAAA	dead:beef::24a
dc.STREAMIO.HTB.	1200	IN	AAAA	dead:beef::9ce4:405a:c517:5838
 
;; Query time: 169 msec
;; SERVER: 10.10.11.158#53(10.10.11.158) (TCP)
;; WHEN: Mon Nov 13 19:02:45 CET 2023
;; MSG SIZE  rcvd: 249

dig returned a new hostname, dc.STREAMIO.HTB, in both the NS and SOA records. This indicates that dc.STREAMIO.HTB is the FQDN of the target system.

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ dnsenum STREAMIO.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt 
dnsenum version:1.2.6
 
-----   streamio.htb   -----
 
 
host's addresses:
__________________
 
streamio.htb.                            600      IN    A        10.10.11.158
 
 
name servers:
______________
 
dc.streamio.htb.                         3600     IN    A        10.10.11.158
 
 
mail (mx) servers:
___________________
 
 
 
trying zone transfers and getting bind versions:
_________________________________________________
 
unresolvable name: dc.streamio.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for streamio.htb on dc.streamio.htb ... 
axfr record query failed: no nameservers
 
 
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
dc.streamio.htb.                         3600     IN    A        10.10.11.158
gc._msdcs.streamio.htb.                  600      IN    A        10.10.11.158
domaindnszones.streamio.htb.             600      IN    A        10.10.11.158
forestdnszones.streamio.htb.             600      IN    A        10.10.11.158
 
 
streamio.htb class c netranges:
________________________________
 
 
 
performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
streamio.htb ip blocks:
________________________
 
 
done.

dnsenum also finds the hostname of the target system, but that's about it.