DNS


Nmap discovered a DNS server on port 53 of the dc01.heist.offsec (192.168.198.165) host. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nslookup                                                                  
> server 192.168.198.165
Default server: 192.168.198.165
Address: 192.168.198.165#53
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
> HEIST.OFFSEC
Server:		192.168.198.165
Address:	192.168.198.165#53
 
Name:	HEIST.OFFSEC
Address: 192.168.120.91
> dc01.heist.offsec
Server:		192.168.198.165
Address:	192.168.198.165#53
 
Name:	dc01.heist.offsec
Address: 192.168.198.165

dig


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ dig any dc01.heist.offsec @$IP     
 
; <<>> DiG 9.20.9-1-Debian <<>> any dc01.heist.offsec @192.168.198.165
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49774
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dc01.heist.offsec.		IN	ANY
 
;; ANSWER SECTION:
dc01.heist.offsec.	3600	IN	A	192.168.198.165
 
;; Query time: 24 msec
;; SERVER: 192.168.198.165#53(192.168.198.165) (TCP)
;; WHEN: Mon Jul 07 16:21:06 CEST 2025
;; MSG SIZE  rcvd: 62
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ dig any HEIST.OFFSEC @$IP     
 
; <<>> DiG 9.20.9-1-Debian <<>> any HEIST.OFFSEC @192.168.198.165
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53427
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;HEIST.OFFSEC.			IN	ANY
 
;; ANSWER SECTION:
HEIST.OFFSEC.		600	IN	A	192.168.120.91
HEIST.OFFSEC.		3600	IN	NS	dc01.HEIST.OFFSEC.
HEIST.OFFSEC.		3600	IN	SOA	dc01.HEIST.OFFSEC. hostmaster.HEIST.OFFSEC. 20 900 600 86400 3600
 
;; ADDITIONAL SECTION:
dc01.HEIST.OFFSEC.	3600	IN	A	192.168.198.165
 
;; Query time: 20 msec
;; SERVER: 192.168.198.165#53(192.168.198.165) (TCP)
;; WHEN: Mon Jul 07 16:21:12 CEST 2025
;; MSG SIZE  rcvd: 139

N/A

dnsenum


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ dnsenum HEIST.OFFSEC --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16 -r 
dnsenum VERSION:1.3.1
 
-----   heist.offsec   -----
 
 
Host's addresses:
__________________
 
heist.offsec.                            600      IN    A        192.168.120.91
 
 
Name Servers:
______________
 
dc01.heist.offsec.                       3600     IN    A        192.168.198.165
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc01.heist.offsec at /usr/bin/dnsenum line 892 thread 1.
 
Trying Zone Transfer for heist.offsec on dc01.heist.offsec ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
gc._msdcs.heist.offsec.                  600      IN    A        192.168.120.91
domaindnszones.heist.offsec.             600      IN    A        192.168.120.91
forestdnszones.heist.offsec.             600      IN    A        192.168.120.91
dc01.heist.offsec.                       3600     IN    A        192.168.198.165
 
 
Performing recursion:
______________________
 
 
 ---- Checking subdomains NS records ----
 
  Can't perform recursion no NS records.
 
 
heist.offsec class C netranges:
________________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
heist.offsec ip blocks:
________________________
 
 
done.

dnsrecon


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ dnsrecon -d HEIST.OFFSEC -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16  
[*] std: Performing General Enumeration against: HEIST.OFFSEC...
[-] DNSSEC is not configured for HEIST.OFFSEC
[*] 	 SOA dc01.HEIST.OFFSEC 192.168.198.165
[*] 	 NS dc01.HEIST.OFFSEC 192.168.198.165
[*] 	 A HEIST.OFFSEC 192.168.120.91
[*] Enumerating SRV Records
[+] 	 SRV _kerberos._tcp.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 88
[+] 	 SRV _kerberos._udp.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 88
[+] 	 SRV _gc._tcp.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 3268
[+] 	 SRV _ldap._tcp.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 389
[+] 	 SRV _ldap._tcp.gc._msdcs.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 3268
[+] 	 SRV _ldap._tcp.dc._msdcs.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 389
[+] 	 SRV _kpasswd._tcp.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 464
[+] 	 SRV _kerberos._tcp.dc._msdcs.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 88
[+] 	 SRV _ldap._tcp.ForestDNSZones.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 389
[+] 	 SRV _kpasswd._udp.HEIST.OFFSEC dc01.heist.offsec 192.168.198.165 464
[+] 11 Records Found
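The dig and dnsrecon output above can be reduced to a short zone summary: the SOA serial and timers, and which host the AD service records point at. The following parser is an added example and is not part of the original notes; it reads records in dig's presentation format. The A/NS/SOA lines in the sample mirror the output above, while the SRV lines are constructed equivalents of the dnsrecon findings (their priority and weight values are assumed).

```python
import re
from collections import defaultdict

# Constructed sample in dig's answer-section format: the A/NS/SOA lines mirror the
# output above; the SRV lines are assumed equivalents of the dnsrecon findings.
SAMPLE = """
HEIST.OFFSEC.        600   IN  A    192.168.120.91
HEIST.OFFSEC.        3600  IN  NS   dc01.HEIST.OFFSEC.
HEIST.OFFSEC.        3600  IN  SOA  dc01.HEIST.OFFSEC. hostmaster.HEIST.OFFSEC. 20 900 600 86400 3600
dc01.HEIST.OFFSEC.   3600  IN  A    192.168.198.165
_ldap._tcp.dc._msdcs.HEIST.OFFSEC. 600 IN SRV 0 100 389 dc01.heist.offsec.
_kerberos._tcp.HEIST.OFFSEC.       600 IN SRV 0 100 88 dc01.heist.offsec.
_gc._tcp.HEIST.OFFSEC.             600 IN SRV 0 100 3268 dc01.heist.offsec.
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS|SOA|SRV)\s+(.+)$")
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

def parse_records(text):
    """Return one dict per recognised A/NS/SOA/SRV record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        rec = {"name": name.lower().rstrip("."), "ttl": int(ttl), "type": rtype}
        fields = rdata.split()
        if rtype == "SOA":  # primary NS, admin mailbox, serial and the four timers
            rec.update(zip(SOA_FIELDS, fields))
            rec.update({k: int(rec[k]) for k in SOA_FIELDS[2:]})
        elif rtype == "SRV":  # priority weight port target
            rec.update(priority=int(fields[0]), weight=int(fields[1]),
                       port=int(fields[2]), target=fields[3].lower().rstrip("."))
        else:
            rec["value"] = fields[0].lower().rstrip(".")
        records.append(rec)
    return records

def summarise(records):
    """SOA record plus, per SRV target host, the (service, port) pairs it advertises."""
    services, soa = defaultdict(set), None
    for r in records:
        if r["type"] == "SRV":
            svc = r["name"].split(".")[0].lstrip("_")  # "_ldap._tcp..." -> "ldap"
            services[r["target"]].add((svc, r["port"]))
        elif r["type"] == "SOA":
            soa = r
    return {"soa": soa, "services": {h: sorted(s) for h, s in services.items()}}
```

A single host advertising kerberos, ldap and gc is the signature of a domain controller, which is what the dnsrecon SRV results above show for dc01.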