DNS
Nmap discovered a DNS server on port 53 of the target.
The running service is unknown at this time.
Reverse Lookup
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ nslookup
> server 192.168.187.122
Default server: 192.168.187.122
Address: 192.168.187.122#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> 192.168.120.108
;; communications error to 192.168.187.122#53: timed out
;; communications error to 192.168.187.122#53: timed out
;; communications error to 192.168.187.122#53: timed out
;; no servers could be reached
> HUTCH.OFFSEC
Server: 192.168.187.122
Address: 192.168.187.122#53
Name: HUTCH.OFFSEC
Address: 192.168.120.108
> hutchdc.hutch.offsec
Server: 192.168.187.122
Address: 192.168.187.122#53
Name: hutchdc.hutch.offsec
Address: 192.168.187.122
> hutchdc
;; communications error to 192.168.187.122#53: timed out
;; Got SERVFAIL reply from 192.168.187.122
Server: 192.168.187.122
Address: 192.168.187.122#53
** server can't find hutchdc.lan: SERVFAIL
N/A
dig
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ dig any HUTCH.OFFSEC @$IP
; <<>> DiG 9.20.4-4-Debian <<>> any HUTCH.OFFSEC @192.168.187.122
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24507
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;HUTCH.OFFSEC. IN ANY
;; ANSWER SECTION:
HUTCH.OFFSEC. 600 IN A 192.168.120.108
HUTCH.OFFSEC. 3600 IN NS hutchdc.HUTCH.OFFSEC.
HUTCH.OFFSEC. 3600 IN SOA hutchdc.HUTCH.OFFSEC. hostmaster.HUTCH.OFFSEC. 20 900 600 86400 3600
;; ADDITIONAL SECTION:
hutchdc.HUTCH.OFFSEC. 3600 IN A 192.168.187.122
;; Query time: 15 msec
;; SERVER: 192.168.187.122#53(192.168.187.122) (TCP)
;; WHEN: Thu May 01 14:42:45 CEST 2025
;; MSG SIZE rcvd: 142
A, NS, and SOA records for the domain itself were found; the A record points to an IP address of 192.168.120.108
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ ping -c 1 192.168.120.108
PING 192.168.120.108 (192.168.120.108) 56(84) bytes of data.
--- 192.168.120.108 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Unreachable
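The cross-check done by hand above (an A record whose address sits outside the answering server's network and does not respond) can be scripted. This is an added example, not part of the original notes: the records are the ones from the dig output above, and the function names and the /24 segment size are assumptions.

```python
import ipaddress

# Answer and additional records copied from the dig output in these notes.
DIG_OUTPUT = """\
;; ANSWER SECTION:
HUTCH.OFFSEC. 600 IN A 192.168.120.108
HUTCH.OFFSEC. 3600 IN NS hutchdc.HUTCH.OFFSEC.
HUTCH.OFFSEC. 3600 IN SOA hutchdc.HUTCH.OFFSEC. hostmaster.HUTCH.OFFSEC. 20 900 600 86400 3600
;; ADDITIONAL SECTION:
hutchdc.HUTCH.OFFSEC. 3600 IN A 192.168.187.122
"""


def parse_records(text):
    """Return (name, ttl, rtype, rdata) tuples from dig-style record lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and dig's ';' header/comment lines.
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2] != "IN" or not fields[1].isdigit():
            continue
        name, ttl, _cls, rtype, rdata = fields
        records.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def off_segment_a_records(records, server_ip, prefix=24):
    """Return A records whose address lies outside the answering server's network.

    The /24 prefix is an assumption about the segment, not a fact from the notes.
    """
    segment = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
    flagged = []
    for name, _ttl, rtype, rdata in records:
        if rtype == "A" and ipaddress.ip_address(rdata) not in segment:
            flagged.append((name, rdata))
    return flagged


if __name__ == "__main__":
    recs = parse_records(DIG_OUTPUT)
    for name, addr in off_segment_a_records(recs, "192.168.187.122"):
        print(f"{name} -> {addr} is outside the server's segment; verify reachability")
```

A flagged record is only a prompt to verify the address, as the ping above does; widening `prefix` changes what counts as the same segment.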
dnsenum
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ dnsenum HUTCH.OFFSEC --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
----- hutch.offsec -----
Host's addresses:
__________________
hutch.offsec. 600 IN A 192.168.120.108
Name Servers:
______________
hutchdc.hutch.offsec. 3600 IN A 192.168.187.122
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: hutchdc.hutch.offsec at /usr/bin/dnsenum line 892 thread 1.
Trying Zone Transfer for hutch.offsec on hutchdc.hutch.offsec ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
gc._msdcs.hutch.offsec. 600 IN A 192.168.120.108
domaindnszones.hutch.offsec. 600 IN A 192.168.120.108
forestdnszones.hutch.offsec. 600 IN A 192.168.120.108
hutch.offsec class C netranges:
________________________________
Performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
hutch.offsec ip blocks:
________________________
done.
Same result: the domain points to the 192.168.120.108 address.
dnsrecon
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ dnsrecon -d HUTCH.OFFSEC -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
[*] std: Performing General Enumeration against: HUTCH.OFFSEC...
[-] DNSSEC is not configured for HUTCH.OFFSEC
[*] SOA hutchdc.HUTCH.OFFSEC 192.168.187.122
[*] NS hutchdc.HUTCH.OFFSEC 192.168.187.122
[*] A HUTCH.OFFSEC 192.168.120.108
[*] Enumerating SRV Records
[+] SRV _gc._tcp.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 3268
[+] SRV _kerberos._udp.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 88
[+] SRV _ldap._tcp.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 389
[+] SRV _kerberos._tcp.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 88
[+] SRV _ldap._tcp.ForestDNSZones.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 389
[+] SRV _kerberos._tcp.dc._msdcs.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 88
[+] SRV _ldap._tcp.gc._msdcs.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 3268
[+] SRV _ldap._tcp.pdc._msdcs.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 389
[+] SRV _kpasswd._tcp.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 464
[+] SRV _kpasswd._udp.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 464
[+] SRV _ldap._tcp.dc._msdcs.HUTCH.OFFSEC hutchdc.hutch.offsec 192.168.187.122 389
[+] 11 Records Found
N/A