DNS


Nmap discovered a DNS server on the target, on port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ nslookup                                     
> server 192.168.169.175
Default server: 192.168.169.175
Address: 192.168.169.175#53
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
> 192.168.169.175
;; communications error to 192.168.169.175#53: timed out
;; communications error to 192.168.169.175#53: timed out
;; communications error to 192.168.169.175#53: timed out
;; no servers could be reached
> ResourceDC.resourced.local
Server:		192.168.169.175
Address:	192.168.169.175#53
 
Name:	ResourceDC.resourced.local
Address: 192.168.169.175
> ResourceDC
;; communications error to 192.168.169.175#53: timed out
;; communications error to 192.168.169.175#53: timed out
;; communications error to 192.168.169.175#53: timed out
;; no servers could be reached
> RESOURCED.LOCAL
Server:		192.168.169.175
Address:	192.168.169.175#53
 
Name:	RESOURCED.LOCAL
Address: 192.168.120.181

N/A

dig


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ dig any RESOURCED.LOCAL @$IP 
 
; <<>> DiG 9.20.4-4-Debian <<>> any RESOURCED.LOCAL @192.168.169.175
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46872
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;RESOURCED.LOCAL.		IN	ANY
 
;; ANSWER SECTION:
RESOURCED.LOCAL.	600	IN	A	192.168.120.181
RESOURCED.LOCAL.	3600	IN	NS	resourcedc.RESOURCED.LOCAL.
RESOURCED.LOCAL.	3600	IN	SOA	resourcedc.RESOURCED.LOCAL. hostmaster.RESOURCED.LOCAL. 62 900 600 86400 3600
 
;; ADDITIONAL SECTION:
resourcedc.RESOURCED.LOCAL. 3600 IN	A	192.168.169.175
 
;; Query time: 24 msec
;; SERVER: 192.168.169.175#53(192.168.169.175) (TCP)
;; WHEN: Tue Apr 22 20:22:13 CEST 2025
;; MSG SIZE  rcvd: 148

The ANY query returned A, NS and SOA records.

dnsenum


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ dnsenum RESOURCED.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
 
-----   resourced.local   -----
 
 
Host's addresses:
__________________
 
resourced.local.                         600      IN    A        192.168.120.181
 
 
Name Servers:
______________
 
resourcedc.resourced.local.              3600     IN    A        192.168.169.175
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: resourcedc.resourced.local at /usr/bin/dnsenum line 892 thread 1.
 
Trying Zone Transfer for resourced.local on resourcedc.resourced.local ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
gc._msdcs.resourced.local.               600      IN    A        192.168.120.181
domaindnszones.resourced.local.          600      IN    A        192.168.120.181
forestdnszones.resourced.local.          600      IN    A        192.168.120.181
 
 
resourced.local class C netranges:
___________________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
resourced.local ip blocks:
___________________________
 
 
done.

N/A

dnsrecon


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ dnsrecon -d RESOURCED.LOCAL -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16  
[*] std: Performing General Enumeration against: RESOURCED.LOCAL...
[-] DNSSEC is not configured for RESOURCED.LOCAL
[*] 	 SOA resourcedc.RESOURCED.LOCAL 192.168.169.175
[*] 	 NS resourcedc.RESOURCED.LOCAL 192.168.169.175
[*] 	 A RESOURCED.LOCAL 192.168.120.181
[*] Enumerating SRV Records
[+] 	 SRV _ldap._tcp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 389
[+] 	 SRV _kerberos._tcp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 88
[+] 	 SRV _gc._tcp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 3268
[+] 	 SRV _kerberos._udp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 88
[+] 	 SRV _ldap._tcp.pdc._msdcs.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 389
[+] 	 SRV _ldap._tcp.dc._msdcs.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 389
[+] 	 SRV _kpasswd._udp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 464
[+] 	 SRV _ldap._tcp.ForestDNSZones.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 389
[+] 	 SRV _kpasswd._tcp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 464
[+] 	 SRV _ldap._tcp.gc._msdcs.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 3268
[+] 	 SRV _kerberos._tcp.dc._msdcs.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 88
[+] 11 Records Found

N/A
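
Added example (not part of the original notes): a small parser for dnsrecon lines in the format shown above. It groups the SRV records by target host and lists A records whose address no NS, SOA or SRV entry uses, a mismatch worth checking for a stale record. The function names are hypothetical, and the sample lines are copied from the output above with whitespace normalised.

```python
import re
from collections import defaultdict

# Sample lines copied from the dnsrecon output above (whitespace normalised).
SAMPLE = """\
[*] NS resourcedc.RESOURCED.LOCAL 192.168.169.175
[*] A RESOURCED.LOCAL 192.168.120.181
[+] SRV _ldap._tcp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 389
[+] SRV _kerberos._tcp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 88
[+] SRV _gc._tcp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 3268
[+] SRV _kpasswd._udp.RESOURCED.LOCAL resourcedc.resourced.local 192.168.169.175 464
"""

LINE = re.compile(r"^\[[*+]\]\s+(SOA|NS|A|SRV)\s+(.*)$")

def parse(text):
    """Return record dicts from dnsrecon standard-enumeration lines."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # status lines such as "[*] Enumerating SRV Records"
        rtype, fields = m.group(1), m.group(2).split()
        if rtype == "SRV" and len(fields) == 4:
            name, target, addr, port = fields
            records.append({"type": rtype, "name": name.lower(),
                            "target": target.lower(), "addr": addr, "port": int(port)})
        elif rtype != "SRV" and len(fields) == 2:
            records.append({"type": rtype, "name": fields[0].lower(), "addr": fields[1]})
    return records

def services_by_host(records):
    """Map (target, address) -> sorted (service label, port) pairs from SRV records."""
    out = defaultdict(set)
    for r in records:
        if r["type"] == "SRV":
            out[(r["target"], r["addr"])].add((r["name"].split(".")[0], r["port"]))
    return {host: sorted(svcs) for host, svcs in out.items()}

def apex_mismatches(records):
    """A records whose address is not used by any NS, SOA or SRV entry."""
    known = {r["addr"] for r in records if r["type"] in ("NS", "SOA", "SRV")}
    return [(r["name"], r["addr"]) for r in records
            if r["type"] == "A" and r["addr"] not in known]

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(services_by_host(recs))
    print(apex_mismatches(recs))
```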