DNS
Nmap [[Access_Recon#|discovered]] a DNS server on target port 53.
The running service is unknown at this time.
Reverse Lookup
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ nslookup
> server 192.168.224.187
Default server: 192.168.224.187
Address: 192.168.224.187#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> 192.168.224.187
;; communications error to 192.168.224.187#53: timed out
;; communications error to 192.168.224.187#53: timed out
;; communications error to 192.168.224.187#53: timed out
;; no servers could be reached
> ACCESS.OFFSEC
Server: 192.168.224.187
Address: 192.168.224.187#53
Name: ACCESS.OFFSEC
Address: 192.168.120.65
> dc.access.offsec
Server: 192.168.224.187
Address: 192.168.224.187#53
** server can't find dc.access.offsec: NXDOMAIN
> dc1.access.offsec
Server: 192.168.224.187
Address: 192.168.224.187#53
** server can't find dc1.access.offsec: NXDOMAIN
N/A: the reverse lookup for 192.168.224.187 timed out. Only the forward lookup of ACCESS.OFFSEC (192.168.120.65) answered; dc and dc1 do not exist (NXDOMAIN).
dig
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ dig any server.access.offsec @$IP
; <<>> DiG 9.20.4-4-Debian <<>> any server.access.offsec @192.168.224.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59431
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;server.access.offsec. IN ANY
;; ANSWER SECTION:
server.access.offsec. 3600 IN A 192.168.224.187
;; Query time: 27 msec
;; SERVER: 192.168.224.187#53(192.168.224.187) (TCP)
;; WHEN: Mon Apr 21 14:02:47 CEST 2025
;; MSG SIZE rcvd: 65
A single A record for server.access.offsec, pointing at the target itself (192.168.224.187).
dnsenum
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ dnsenum ACCESS.OFFSEC --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
----- access.offsec -----
Host's addresses:
__________________
access.offsec. 600 IN A 192.168.120.65
Name Servers:
______________
server.access.offsec. 3600 IN A 192.168.224.187
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: server.access.offsec at /usr/bin/dnsenum line 892 thread 1.
Trying Zone Transfer for access.offsec on server.access.offsec ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
server.access.offsec. 3600 IN A 192.168.224.187
gc._msdcs.access.offsec. 600 IN A 192.168.120.65
domaindnszones.access.offsec. 600 IN A 192.168.120.65
forestdnszones.access.offsec. 600 IN A 192.168.120.65
access.offsec class C netranges:
_________________________________
Performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
access.offsec ip blocks:
_________________________
done.
Name server: server.access.offsec (192.168.224.187). The zone transfer failed; brute forcing additionally found gc._msdcs, domaindnszones and forestdnszones at 192.168.120.65, which are the standard Active Directory DNS entries.
dnsrecon
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ dnsrecon -d ACCESS.OFFSEC -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16 -t brt
[*] Using the dictionary file: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt (provided by user)
[*] brt: Performing host and subdomain brute force against ACCESS.OFFSEC...
[+] 0 Records Found
0 records here because dnsrecon was run without a target name server (-n $IP), so the brute force went through the Kali box's own resolver, which does not know access.offsec.
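The same dnsenum and dnsrecon runs, seen from the DNS server's side: an added example (not part of these notes, and not code from dnsenum or dnsrecon) that reads a constructed, simplified tab-separated query log and flags clients that request a zone transfer (AXFR) or produce a burst of NXDOMAIN answers, which is what a wordlist brute force generates for almost every candidate name. The log format, thresholds and client addresses are assumptions; a real BIND or Zeek log would need its own parser.

```python
"""Flag DNS clients whose query pattern looks like name enumeration.

Added example for this page, not part of the original notes. Two signals
match what the dnsenum/dnsrecon runs above produce on the server:
  * an AXFR (zone transfer) request to the authoritative server, and
  * many queries for names that do not exist (NXDOMAIN).
The log format is a constructed, simplified tab-separated one
(timestamp, client, qname, qtype, rcode); it is not a real BIND or Zeek
format.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one ordinary client (192.168.224.50) and one
# enumerating client (192.168.224.100). Addresses are assumed lab values.
SAMPLE_LOG = """\
2025-04-21T14:02:41\t192.168.224.50\taccess.offsec\tA\tNOERROR
2025-04-21T14:02:42\t192.168.224.50\tserver.access.offsec\tA\tNOERROR
2025-04-21T14:02:45\t192.168.224.100\taccess.offsec\tAXFR\tREFUSED
2025-04-21T14:02:46\t192.168.224.100\twww.access.offsec\tA\tNXDOMAIN
2025-04-21T14:02:46\t192.168.224.100\tmail.access.offsec\tA\tNXDOMAIN
2025-04-21T14:02:46\t192.168.224.100\tftp.access.offsec\tA\tNXDOMAIN
2025-04-21T14:02:46\t192.168.224.100\tdc.access.offsec\tA\tNXDOMAIN
2025-04-21T14:02:46\t192.168.224.100\tdc1.access.offsec\tA\tNXDOMAIN
2025-04-21T14:02:47\t192.168.224.100\tserver.access.offsec\tA\tNOERROR
2025-04-21T14:02:47\t192.168.224.100\tgc._msdcs.access.offsec\tA\tNOERROR
2025-04-21T14:02:47\t192.168.224.100\tmalformed line without enough fields
"""


@dataclass
class ClientStats:
    queries: int = 0
    nxdomain: int = 0
    axfr: int = 0
    distinct_names: set = field(default_factory=set)

    @property
    def nxdomain_ratio(self) -> float:
        return self.nxdomain / self.queries if self.queries else 0.0


def parse_line(line: str):
    """Return (client, qname, qtype, rcode), or None for a malformed line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    _ts, client, qname, qtype, rcode = parts
    return client, qname.lower().rstrip("."), qtype.upper(), rcode.upper()


def collect_stats(log_text: str) -> dict[str, ClientStats]:
    """Aggregate per-client counters over the whole log."""
    stats: dict[str, ClientStats] = defaultdict(ClientStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole run
        client, qname, qtype, rcode = parsed
        s = stats[client]
        s.queries += 1
        s.distinct_names.add(qname)
        if qtype == "AXFR":
            s.axfr += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
    return dict(stats)


def find_enumerators(log_text: str, min_queries: int = 5,
                     nx_ratio: float = 0.5) -> dict[str, list[str]]:
    """Map each suspicious client to the reasons it was flagged.

    min_queries keeps a single typo from triggering the NXDOMAIN rule;
    nx_ratio is the share of a client's queries that came back NXDOMAIN.
    Both thresholds are assumed starting points, not measured values.
    """
    findings: dict[str, list[str]] = {}
    for client, s in collect_stats(log_text).items():
        reasons = []
        if s.axfr:
            reasons.append(f"{s.axfr} AXFR request(s)")
        if s.queries >= min_queries and s.nxdomain_ratio >= nx_ratio:
            reasons.append(
                f"{s.nxdomain}/{s.queries} queries NXDOMAIN "
                f"over {len(s.distinct_names)} distinct names"
            )
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in find_enumerators(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

On the sample, only 192.168.224.100 is reported, with both reasons; the ordinary client never crosses the query minimum and the malformed line is skipped. Note that the AXFR rule fires even on a REFUSED answer, as in the dnsenum run above: the attempt itself is the signal.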