DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ nslookup
> server 10.10.11.174
Default server: 10.10.11.174
Address: 10.10.11.174#53
 
> 127.0.0.1
;; communications error to 10.10.11.174#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
 
> support
Server:		10.10.11.174
Address:	10.10.11.174#53
 
** server can't find support: SERVFAIL
 
> support.htb
;; communications error to 10.10.11.174#53: timed out
Server:		10.10.11.174
Address:	10.10.11.174#53
 
Name:	support.htb
Address: 10.10.11.174

The reverse lookup failed, and no additional DNS information was found.

dig


dig found the hostname of the target system. The FQDN is dc.support.htb.

The /etc/hosts file on Kali has been updated accordingly from the previous configuration.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ dnsenum SUPPORT.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum VERSION:1.2.6
 
-----   support.htb   -----
 
 
Host's addresses:
__________________
 
support.htb.                             600      IN    A        10.10.11.174
 
 
Name Servers:
______________
 
dc.support.htb.                          3600     IN    A        10.10.11.174
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc.support.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for support.htb on dc.support.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
dc.support.htb.                          3600     IN    A        10.10.11.174
gc._msdcs.support.htb.                   600      IN    A        10.10.11.174
management.support.htb.                  1200     IN    A        10.10.10.4
domaindnszones.support.htb.              600      IN    A        10.10.11.174
forestdnszones.support.htb.              600      IN    A        10.10.11.174
 
 
support.htb class C netranges:
_______________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
support.htb ip blocks:
_______________________
 
 
done.

dnsenum found another host within the target domain: management. Its FQDN is management.support.htb, with its IP address set to 10.10.10.4.

management.support.htb


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ ping management
PING management (10.10.10.4) 56(84) bytes of data.
^C
--- management ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1020ms

While I am unable to reach the management host, the /etc/hosts file on Kali has been updated.

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ dig any @$IP management.support.htb
 
; <<>> DiG 9.18.16-1-Debian <<>> any @10.10.11.174 management.support.htb
; (1 server found)
;; global options: +cmd
;; got answer:
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 37156
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;management.support.htb.		IN	ANY
 
;; answer section:
management.support.htb.	1200	IN	A	10.10.10.4
management.support.htb.	1200	IN	AAAA	dead:beef::20ec:3412:41e9:2571
 
;; Query time: 239 msec
;; SERVER: 10.10.11.174#53(10.10.11.174) (TCP)
;; WHEN: Wed Oct 04 06:50:18 CEST 2023
;; MSG SIZE  rcvd: 95
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ nslookup
> server 10.10.11.174
Default server: 10.10.11.174
Address: 10.10.11.174#53
> management.support.htb
;; communications error to 10.10.11.174#53: timed out
Server:		10.10.11.174
Address:	10.10.11.174#53
 
Name:	management.support.htb
Address: 10.10.10.4
Name:	management.support.htb
Address: dead:beef::20ec:3412:41e9:2571

Both the dig and nslookup results show an additional IPv6 address assigned to the management host: dead:beef::20ec:3412:41e9:2571
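As an added example (not part of the original writeup), here is a small Python helper that turns the A/AAAA records captured above from dig and dnsenum into /etc/hosts lines, the manual step taken after each discovery. The sample input is constructed from the records shown on this page; the short aliases (dc, management) are assumptions, and the class/type fields are matched case-insensitively because captured output is sometimes lowercased.

```python
import re
from collections import defaultdict

# Presentation-format resource record as printed by dig / dnsenum:
#   owner. TTL IN TYPE RDATA   (class and type matched case-insensitively)
RR_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s+(?P<ttl>\d+)\s+in\s+(?P<type>a|aaaa)\s+(?P<addr>\S+)$",
    re.IGNORECASE,
)

# Constructed sample: the records dnsenum and dig returned on this page
SAMPLE = """
support.htb.                             600      IN    A        10.10.11.174
dc.support.htb.                          3600     IN    A        10.10.11.174
gc._msdcs.support.htb.                   600      IN    A        10.10.11.174
management.support.htb.                  1200     IN    A        10.10.10.4
;; ANSWER SECTION:
management.support.htb.\t1200\tin\taaaa\tdead:beef::20ec:3412:41e9:2571
"""


def parse_address_records(text):
    """Return (fqdn, rtype, address) tuples for every A/AAAA record in tool output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment/section header
        m = RR_RE.match(line)
        if not m:
            continue  # dnsenum banners, underlines, unrelated record types
        fqdn = m.group("name").rstrip(".").lower()
        records.append((fqdn, m.group("type").upper(), m.group("addr").lower()))
    return records


def hosts_entries(records, extra_aliases=None):
    """Group names by address into /etc/hosts lines (one line per address).
    extra_aliases maps an fqdn to short names that should share the line."""
    extra_aliases = extra_aliases or {}
    names_by_addr = defaultdict(list)
    for fqdn, _rtype, addr in records:
        for name in [fqdn] + extra_aliases.get(fqdn, []):
            if name not in names_by_addr[addr]:
                names_by_addr[addr].append(name)
    return [f"{addr}\t{' '.join(names)}" for addr, names in names_by_addr.items()]


if __name__ == "__main__":
    recs = parse_address_records(SAMPLE)
    for entry in hosts_entries(recs, {"dc.support.htb": ["dc"], "management.support.htb": ["management"]}):
        print(entry)
```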

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ ping dead:beef::20ec:3412:41e9:2571
PING dead:beef::20ec:3412:41e9:2571(dead:beef::20ec:3412:41e9:2571) 56 data bytes
From dead:beef:4::1 icmp_seq=1 Destination unreachable: Address unreachable
From dead:beef:4::1 icmp_seq=2 Destination unreachable: Address unreachable
From dead:beef:4::1 icmp_seq=3 Destination unreachable: Address unreachable
^C
--- dead:beef::20ec:3412:41e9:2571 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4072ms

The IPv6 address is unreachable as well. It is entirely possible that the management host can only be reached internally.