DNS
Nmap discovered a DNS service on the target. The version fingerprint is Simple DNS Plus, which is what Nmap typically reports for Microsoft's DNS server on a Windows domain controller, so an Active Directory domain is the likely explanation.
nslookup (forward and reverse lookups)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ nslookup
> server 192.168.187.172
Default server: 192.168.187.172
Address: 192.168.187.172#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> dc.vault.offsec
Server: 192.168.187.172
Address: 192.168.187.172#53
Name: dc.vault.offsec
Address: 192.168.187.172
> dc
;; communications error to 192.168.187.172#53: timed out
;; communications error to 192.168.187.172#53: timed out
;; communications error to 192.168.187.172#53: timed out
;; no servers could be reached
> vault.offsec
Server: 192.168.187.172
Address: 192.168.187.172#53
Name: vault.offsec
Address: 192.168.120.98
Name: vault.offsec
Address: 192.168.120.116
> 192.168.120.98
;; communications error to 192.168.187.172#53: timed out
;; communications error to 192.168.187.172#53: timed out
;; communications error to 192.168.187.172#53: timed out
;; no servers could be reached
> 192.168.120.116
;; communications error to 192.168.187.172#53: timed out
;; communications error to 192.168.187.172#53: timed out
;; communications error to 192.168.187.172#53: timed out
;; no servers could be reached
The bare name dc and the PTR queries for the two 192.168.120.x addresses time out instead of returning NXDOMAIN: the server has no zone covering them and, because it advertises recursion (the ra flag in the dig header further down), it keeps trying upstream resolvers the lab network cannot reach until nslookup gives up. A query with recursion disabled (dig +norecurse) is answered from the server's own zones and normally returns at once.
nslookup revealed two additional A records at the apex of the domain VAULT.OFFSEC:
192.168.120.98
192.168.120.116
In Active Directory every domain controller registers its own addresses at the zone apex, so these are most likely other (possibly stale) addresses of dc.vault.offsec rather than two separate hosts.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ ping -c 1 192.168.120.98
PING 192.168.120.98 (192.168.120.98) 56(84) bytes of data.
--- 192.168.120.98 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ ping -c 1 192.168.120.116
PING 192.168.120.116 (192.168.120.116) 56(84) bytes of data.
--- 192.168.120.116 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Neither address answers ICMP echo. That fits stale registrations, but ping alone does not prove a host is absent (ICMP may simply be filtered); a TCP scan of both addresses would settle it.
dig
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ dig any VAULT.OFFSEC @$IP
; <<>> DiG 9.20.4-4-Debian <<>> any VAULT.OFFSEC @192.168.187.172
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11972
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;VAULT.OFFSEC. IN ANY
;; ANSWER SECTION:
VAULT.OFFSEC. 600 IN A 192.168.120.116
VAULT.OFFSEC. 600 IN A 192.168.120.98
VAULT.OFFSEC. 3600 IN NS dc.VAULT.OFFSEC.
VAULT.OFFSEC. 3600 IN SOA dc.VAULT.OFFSEC. hostmaster.VAULT.OFFSEC. 34 900 600 86400 3600
;; ADDITIONAL SECTION:
dc.VAULT.OFFSEC. 3600 IN A 192.168.187.172
;; Query time: 36 msec
;; SERVER: 192.168.187.172#53(192.168.187.172) (TCP)
;; WHEN: Thu May 01 20:01:06 CEST 2025
;; MSG SIZE rcvd: 153
The same two apex A records come back, now together with the NS and SOA records: the zone's only name server is dc.VAULT.OFFSEC at 192.168.187.172, so the DNS server is the domain controller itself, and hostmaster.VAULT.OFFSEC is the default SOA contact of a Windows DNS zone. The SERVER line shows the answer arrived over TCP, so port 53/tcp is open as well as 53/udp.
dnsenum
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ dnsenum VAULT.OFFSEC --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
----- vault.offsec -----
Host's addresses:
__________________
vault.offsec. 600 IN A 192.168.120.116
vault.offsec. 600 IN A 192.168.120.98
Name Servers:
______________
dc.vault.offsec. 3600 IN A 192.168.187.172
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: dc.vault.offsec at /usr/bin/dnsenum line 892 thread 1.
Trying Zone Transfer for vault.offsec on dc.vault.offsec ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
dc.vault.offsec. 3600 IN A 192.168.187.172
gc._msdcs.vault.offsec. 600 IN A 192.168.120.98
gc._msdcs.vault.offsec. 600 IN A 192.168.120.116
domaindnszones.vault.offsec. 600 IN A 192.168.120.98
domaindnszones.vault.offsec. 600 IN A 192.168.120.116
forestdnszones.vault.offsec. 600 IN A 192.168.120.98
forestdnszones.vault.offsec. 600 IN A 192.168.120.116
vault.offsec class C netranges:
________________________________
Performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
vault.offsec ip blocks:
________________________
done.
The same two apex addresses are returned again, now also for gc._msdcs, DomainDnsZones and ForestDnsZones. Those three names are registered automatically by a domain controller's Netlogon service, which confirms an AD-integrated zone and supports the reading that 192.168.120.98 and 192.168.120.116 belong to the DC rather than to separate hosts. Note also that dnsenum reported dc.vault.offsec as unresolvable in its zone-transfer step (most likely because it resolves the NS hostname through the system resolver rather than the --dnsserver it was given), so no AXFR was actually sent to the server; the transfer needs to be retried by hand with dig axfr vault.offsec @$IP before concluding that it is refused.
dnsrecon
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ dnsrecon -d VAULT.OFFSEC -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
[*] std: Performing General Enumeration against: VAULT.OFFSEC...
[-] DNSSEC is not configured for VAULT.OFFSEC
[*] SOA dc.VAULT.OFFSEC 192.168.187.172
[*] NS dc.VAULT.OFFSEC 192.168.187.172
[*] A VAULT.OFFSEC 192.168.120.98
[*] A VAULT.OFFSEC 192.168.120.116
[*] Enumerating SRV Records
[+] SRV _kerberos._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 88
[+] SRV _gc._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 3268
[+] SRV _kerberos._udp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 88
[+] SRV _ldap._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 389
[+] SRV _ldap._tcp.gc._msdcs.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 3268
[+] SRV _ldap._tcp.ForestDNSZones.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 389
[+] SRV _ldap._tcp.dc._msdcs.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 389
[+] SRV _ldap._tcp.pdc._msdcs.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 389
[+] SRV _kerberos._tcp.dc._msdcs.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 88
[+] SRV _kpasswd._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 464
[+] SRV _kpasswd._udp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 464
[+] 11 Records Found
The same two apex addresses are returned again, but the SRV records are the useful part: every AD service locator (Kerberos on 88/tcp and 88/udp, kpasswd on 464, LDAP on 389, global catalog on 3268, plus the dc._msdcs and pdc._msdcs entries) points at dc.vault.offsec / 192.168.187.172. The reachable host is therefore the domain controller, the PDC emulator and a global catalog for the forest, and the 192.168.120.x addresses appear only in apex A records that no SRV record refers to. DNSSEC not being configured is the norm for an internal AD zone and does not by itself open anything up.
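The checks this section leaves open, as an added example that is not part of the original notes: a manual AXFR (dnsenum never actually sent one), lookups of the standard AD service locator SRV records, PTR lookups with recursion disabled so they answer instead of timing out, and a small parser that reduces SRV lines (dnsrecon's "[+] SRV" format or this script's own) to the unique ip:port endpoints the next phase needs. It assumes dig is installed and takes the server and domain from the AD_NS and AD_DOMAIN environment variables (names chosen here, not from any tool); the sample SRV lines are copied from the dnsrecon output above so the parser can be exercised without the lab network.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up. Assumes dig is installed.
# Live checks run only when AD_NS and AD_DOMAIN are set, e.g.
#   AD_NS=192.168.187.172 AD_DOMAIN=vault.offsec ./ad_dns_checks.sh

# Service locator records that every domain controller registers in DNS.
AD_SRV_LABELS="_ldap._tcp _kerberos._tcp _kpasswd._tcp _gc._tcp \
_ldap._tcp.dc._msdcs _ldap._tcp.pdc._msdcs _ldap._tcp.gc._msdcs"

# Zone transfer straight from the authoritative server: prints the zone's
# records if AXFR is allowed, and no records if the server refuses.
ad_axfr() {
  local ns=$1 domain=$2
  dig +noall +answer axfr "$domain" "@$ns"
}

# One "name target ip port" line per SRV record (dnsrecon's field order),
# resolving each target against the same server.
ad_srv_records() {
  local ns=$1 domain=$2 label name port target ip
  for label in $AD_SRV_LABELS; do
    name="$label.$domain"
    # dig +short SRV prints "<priority> <weight> <port> <target>."
    dig +short SRV "$name" "@$ns" | while read -r _ _ port target; do
      target=${target%.}
      ip=$(dig +short A "$target" "@$ns" | head -n 1)
      printf '%s %s %s %s\n' "$name" "$target" "${ip:-unresolved}" "$port"
    done
  done
}

# PTR lookup with the RD bit clear: an authoritative server without a
# reverse zone for the block answers at once instead of trying to recurse.
ad_ptr() {
  local ns=$1 ip=$2
  dig +short +norecurse +time=2 +tries=1 -x "$ip" "@$ns"
}

# Pure helpers (no network): reduce SRV lines, either from ad_srv_records
# or dnsrecon's "[+] SRV name target ip port" lines, to what they point at.
# In both formats the ip is the second-to-last field and the port the last.
srv_endpoints() {            # unique ip:port pairs, sorted
  awk 'NF >= 4 { print $(NF-1) ":" $NF }' | sort -u
}
srv_target_hosts() {         # unique target hostnames, sorted
  awk 'NF >= 4 { print $(NF-2) }' | sort -u
}

# Sample copied from the dnsrecon output above, so the helpers can be
# exercised without the lab network.
SAMPLE_SRV='[+] SRV _kerberos._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 88
[+] SRV _gc._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 3268
[+] SRV _kerberos._udp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 88
[+] SRV _ldap._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 389
[+] SRV _ldap._tcp.gc._msdcs.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 3268
[+] SRV _kpasswd._tcp.VAULT.OFFSEC dc.vault.offsec 192.168.187.172 464'

if [ -n "${AD_NS:-}" ] && [ -n "${AD_DOMAIN:-}" ]; then
  echo "== AXFR $AD_DOMAIN @$AD_NS =="; ad_axfr "$AD_NS" "$AD_DOMAIN"
  echo "== SRV =="; srv=$(ad_srv_records "$AD_NS" "$AD_DOMAIN"); printf '%s\n' "$srv"
  echo "== endpoints =="; printf '%s\n' "$srv" | srv_endpoints
  echo "== PTR =="
  for ip in $(printf '%s\n' "$srv" | srv_endpoints | cut -d: -f1 | sort -u); do
    printf '%s -> %s\n' "$ip" "$(ad_ptr "$AD_NS" "$ip")"
  done
else
  # Offline: show what the parser makes of the sample.
  printf '%s\n' "$SAMPLE_SRV" | srv_endpoints
fi
```

Against the box above the endpoint list collapses to one host with four ports (88, 389, 464, 3268), which is the target inventory for the Kerberos and LDAP enumeration that follows; the ad_ptr lookups for the two 192.168.120.x addresses return nothing but do so immediately, which is the behaviour the nslookup session was missing.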