Footprinting DNS - Dan Clancey

The document provides a walkthrough for performing DNS footprinting using Hack The Box, focusing on DNS zone transfers and enumeration techniques. It outlines steps to interact with a target DNS, check for zone transfer capabilities, and identify specific records. The author emphasizes the importance of thorough enumeration and using multiple wordlists for effective penetration testing.

Footprinting DNS
May 30, 2024
4 min read
HTB Cybersecurity Offensive Walkthrough

Now we will be working on the Footprinting DNS section in the Footprinting module on Hack The Box academy.

DNS Zone Transfers used to be one of my weak points; however, when I originally did this on Hack the Box, it helped
tremendously in understanding how DNS works. I highly recommend reading through the section if you struggle. And as always,
practice makes perfect!

1. Interact with the target DNS using its IP address and enumerate the FQDN of it for the
“inlanefreight.htb” domain.

First, we must map the target IP to inlanefreight.htb via /etc/hosts:

sudo vi /etc/hosts

127.0.0.1 localhost
127.0.1.1 kali.siffer.local kali

10.129.247.162 inlanefreight.htb

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now we can use dig to query the domain's NS record. Remember to pass the target IP address as the name server:

dig ns inlanefreight.htb @10.129.247.162

; <<>> DiG 9.19.21-1-Debian <<>> ns inlanefreight.htb @10.129.247.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15982
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 592ef17f37c631600100000066591a67f2ecfe076c188838 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN NS

;; ANSWER SECTION:
inlanefreight.htb. 604800 IN NS [redacted]

;; ADDITIONAL SECTION:
ns.inlanefreight.htb. 604800 IN A 127.0.0.1

;; Query time: 39 msec
;; SERVER: 10.129.247.162#53(10.129.247.162) (UDP)
;; WHEN: Thu May 30 20:31:34 EDT 2024
;; MSG SIZE rcvd: 107

Excellent. We found the FQDN! Let's move on to the next question.

2. Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format:
HTB{…})

Now let's check whether the server allows zone transfers. We can use dig with the axfr option to request the full zone:

dig axfr inlanefreight.htb @10.129.247.162

; <<>> DiG 9.19.21-1-Debian <<>> axfr inlanefreight.htb @10.129.247.162
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outl
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 39 msec
;; SERVER: 10.129.247.162#53(10.129.247.162) (TCP)
;; WHEN: Thu May 30 20:39:04 EDT 2024
;; XFR size: 11 records (messages 1, bytes 560)

Looks like there are a few records:

app.inlanefreight.htb
dev.inlanefreight.htb
internal.inlanefreight.htb
mail1.inlanefreight.htb

We can now attempt a zone transfer against each of these subdomains in turn. Both app and dev failed; however, internal worked!

dig axfr internal.inlanefreight.htb @10.129.247.162

; <<>> DiG 9.19.21-1-Debian <<>> axfr internal.inlanefreight.htb @10.129.247.162
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN TXT "[Redacted]"
internal.inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outl
<SNIP>
;; Query time: 35 msec
;; SERVER: 10.129.247.162#53(10.129.247.162) (TCP)
;; WHEN: Thu May 30 20:40:52 EDT 2024
;; XFR size: 15 records (messages 1, bytes 677)

Several TXT records, and our flag is contained in one of them (redacted).

On to the next question.

3. What is the IPv4 address of the hostname DC1?

The answer to this question is also in the internal zone transfer: the A record for DC1 is part of the snipped portion above.

4. What is the FQDN of the host where the last octet ends with “x.x.x.203”?

This one takes a bit of trial and error with the tool dnsenum. We need to enumerate the correct subdomain and use the right
wordlist. The proper command is:

dnsenum --dnsserver <DNS_SERVER_IP> --enum -p 0 -s 0 -o subdomains.txt -f </path/to/list.txt> <subdomain>.inlanefreight.htb

First I tried against the app subdomain and the NS query failed, so then I moved on to dev and started getting results; however,
the first few lists I tried were not returning an IP with the last octet 203. I finally got there using fierce-hostlist.txt:

dnsenum --dnsserver 10.129.247.162 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/wordlists/seclists/Discovery/DNS/fierce-hos

dnsenum VERSION:1.3.1

----- dev.inlanefreight.htb -----

Host's addresses:
__________________

Name Servers:
<SNIP>
Mail (MX) Servers:
<SNIP>
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
<SNIP>

Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt:
____________________________________________________________________________________

dev1.dev.inlanefreight.htb. 604800 IN A 10.12.3.6
ns.dev.inlanefreight.htb. 604800 IN A 127.0.0.1
[redacted]. 604800 IN A x.x.x.203

And there we have the answer!
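As an added example that is not part of the original post, the following Python helper parses the record lines that dig axfr and dnsenum print (as in the zone transfer and brute-force output above), tells a completed transfer from a refused one, lists the hosts a transfer exposes, and picks out the host whose address ends in a given octet (question 4). The zone contents, flag and addresses in the sample are constructed placeholders, not the lab's real values.

```python
"""Offline parser for dig axfr / dnsenum record lines: detect a completed transfer,
list the hosts it hands out, and find the host whose IPv4 address ends in an octet."""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")
# name  ttl  IN  type  rdata ; the name may not begin with ';' so dig comments never match
RECORD_RE = re.compile(r"^([^;\s]\S*)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# Constructed sample modelled on the internal.inlanefreight.htb transfer above; the
# flag, the DC1 address and the .203 host are placeholders, not the lab's values.
SAMPLE_AXFR = """\
; <<>> DiG 9.19.21-1-Debian <<>> axfr internal.inlanefreight.htb @10.129.247.162
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "HTB{PLACEHOLDER_FLAG}"
internal.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
dc1.internal.inlanefreight.htb. 604800 IN A 10.129.34.16
ws1.internal.inlanefreight.htb. 604800 IN A 10.129.34.203
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; XFR size: 7 records (messages 1, bytes 300)
"""
# Constructed sample of a denied transfer: dig prints no records, only this notice.
SAMPLE_REFUSED = """\
; <<>> DiG 9.19.21-1-Debian <<>> axfr app.inlanefreight.htb @10.129.247.162
; Transfer failed.
"""

def parse_records(text):
    """Return Record tuples; ';' comment lines, blanks and <SNIP> markers are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(Record(name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records

def transfer_succeeded(text):
    """A completed AXFR is framed by the zone's SOA; a denied one yields no records."""
    return any(r.rtype == "SOA" for r in parse_records(text))

def exposed_hosts(records):
    """Unique hostnames carrying A records, i.e. what the transfer hands out."""
    return sorted({r.name for r in records if r.rtype == "A"})

def hosts_with_last_octet(records, octet):
    """Hostnames whose IPv4 address ends in the given octet (question 4 above)."""
    return [r.name for r in records
            if r.rtype == "A" and r.rdata.split(".")[-1] == str(octet)]
```

The same parser works on the dnsenum brute-force lines, since they use the identical name/TTL/class/type/rdata layout.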

This is an excellent example of why you shouldn't rely on a single wordlist. Always do a couple of passes during enumeration with
different wordlists to paint a full picture! Enumeration is the most important step of a penetration test, so be as thorough as
possible.
