Academy - attacking common services - DNS

I hate DNS enumeration. It seems to be the simplest thing, and this is where I get stuck each time for days…

I used subbrute exactly like shown in the lesson. This provided me with 9 results. I even used ns2 instead of ns1 in the resolvers.txt and got the exact same 9 results.

Then, I tried to do a zone transfer… And here nothing works. Editing the /etc/hosts with the target IP or even the IPs returned by the host command on each subdomain does not help.

I received a lot of connection timeouts despite the IP being resolved (One of the tools used said the ports are filtered)

dig AXFR
;; Connection to for failed: timed out.

Here I did it with ns1, but I tried a lot of various combinations. So many that I am now officially lost.

Please help, I really need it.

I’m sorry to hear that you’re facing difficulties with DNS enumeration. Let’s try to troubleshoot the issue and see if we can find a solution.

First, let’s address the timeout issue you’re experiencing when attempting a zone transfer. A timeout typically occurs when the connection to the DNS server takes too long to respond. There could be several reasons for this, including network connectivity issues or firewall restrictions.

Here are a few steps you can take to troubleshoot the timeout issue:

  1. Verify network connectivity: Ensure that you have a stable internet connection and that there are no network issues preventing you from accessing the DNS server. You can try pinging the DNS server IP address to check if there is a response. Also check your VPN connection.

  2. Check firewall settings: Determine if there are any firewalls or security measures in place that might be blocking the zone transfer request. Verify that outgoing connections to port 53, which is the default DNS port, are not blocked by your firewall or by any network infrastructure.

  3. Confirm zone transfer availability: Not all DNS servers allow zone transfers to arbitrary requesters. Zone transfers are typically restricted to authorized hosts for security reasons. Make sure that the DNS server you are targeting allows zone transfers from your IP address.

  4. Try different DNS servers: If you are unable to perform a zone transfer with one DNS server, you can try using a different DNS server that might have looser restrictions or allows zone transfers.

  5. Double-check syntax and domain names: Ensure that you are using the correct syntax and domain names in your zone transfer command. The command should be in the format dig AXFR @dns_server domain_name. Double-check that you are using the correct DNS server IP address and the correct domain name.

If you’ve exhausted these troubleshooting steps and are still unable to perform a zone transfer, it’s possible that the DNS server you’re targeting has further security measures in place or does not allow zone transfers at all.

DNS enumeration can be a complex process, and there are various other techniques you can explore if zone transfers are not available or successful. These include brute-forcing subdomains, using online reconnaissance tools, or performing reverse DNS lookups.

I hope these suggestions help you in resolving the issue you’re facing with DNS enumeration.
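As an added example (not part of the original thread or of the HTB lesson), the script below builds the same AXFR request that `dig AXFR @dns_server domain_name` sends over TCP/53 and classifies what comes back, so the "timed out" from the first post can be told apart from a server that answers REFUSED (reachable, but transfers are not allowed from your IP) or one that actually hands over records. Two things worth knowing while debugging: `dig` and `host` talk to a nameserver directly and never consult /etc/hosts, so editing that file changes nothing for them; and a TCP connection that times out means no SYN-ACK ever arrived (host down, VPN not routing, or a filter dropping port 53), whereas a closed port would fail immediately with a reset. `SAMPLE_REFUSED` and `SAMPLE_TRANSFER` are constructed byte strings for example.com; the nameserver `ns1` and the address 192.0.2.53 inside them are made up, and `probe_axfr` is only used when you pass a server and domain on the command line.

```python
"""Hand-rolled AXFR probe: the request `dig AXFR @server domain` sends over
TCP/53, plus a parser that classifies the reply (constructed example, not HTB code)."""
import socket
import struct

QTYPE_AXFR, QTYPE_A, QTYPE_NS, QCLASS_IN = 252, 1, 2, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Dotted name -> DNS wire labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(domain, txid=0x1234):
    """Full TCP frame: 2-byte length, then header (flags 0, QDCOUNT 1) + question."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    msg += encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if jumped else offset


def parse_response(msg):
    """Parse one DNS message (no TCP length prefix) into rcode + answer tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata_at = offset + 10
        offset = rdata_at + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[rdata_at:offset])
        elif rtype == QTYPE_NS:
            value, _ = decode_name(msg, rdata_at)
        else:                                # SOA, MX, TXT ...: keep raw hex
            value = msg[rdata_at:offset].hex()
        answers.append((name, rtype, ttl, value))
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    return {"id": txid, "rcode": rcode, "answers": answers}


def classify(parsed):
    """Map a parsed reply onto the outcomes that matter during enumeration."""
    if parsed["rcode"] == "REFUSED":
        return "refused"        # server reached, transfer not allowed for your IP
    if parsed["rcode"] == "NOERROR" and parsed["answers"]:
        return "transfer"       # zone data came back: AXFR is open
    return parsed["rcode"].lower()


def probe_axfr(server, domain, timeout=5.0):
    """Network variant: connect to TCP/53 like dig does. Returns an outcome string."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(build_axfr_query(domain))
            (length,) = struct.unpack("!H", _recv_exact(sock, 2))
            first = _recv_exact(sock, length)   # first message of the transfer
    except socket.timeout:
        return "timeout"            # no SYN-ACK / no reply: down, VPN, or filtered
    except ConnectionRefusedError:
        return "closed"             # RST: nothing listening on TCP/53
    return classify(parse_response(first))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


# Constructed replies for example.com (not captured from any real server).
_Q = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _Q
SAMPLE_TRANSFER = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + _Q
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
                   + b"\x03ns1\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 53]))

if __name__ == "__main__":
    import sys
    print(classify(parse_response(SAMPLE_REFUSED)), classify(parse_response(SAMPLE_TRANSFER)))
    if len(sys.argv) == 3:          # python3 axfr_probe.py <nameserver-ip> <domain>
        print(probe_axfr(sys.argv[1], sys.argv[2]))
```

Run it with a nameserver IP and a domain to get one of `timeout`, `closed`, `refused`, `transfer` or an rcode name; `timeout` is the only outcome that says nothing about the zone and everything about the path to the server, which is the case to chase with VPN and firewall checks before touching the query itself.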

Thank you for your answer.

But I know all these common generalities. I need something more hands-on and closer to the actual issue.

Personally, I haven't done that module, so I cannot answer this better. Maybe if you give a broader explanation I could help. Want to get my Discord so you can share your screen to further examine your situation?

Thanks I appreciate the help.

Please disregard the spaces I placed to separate the extensions from their domain names. The forum treated each domain as a link and complained that I put too many links… So I broke them apart to be able to post.

Let's start from the start.

First, the directions mention the enumeration of "inlanefreight. htb", but nothing seems to work with this "htb" extension. "inlanefreight. com" (mentioned in the lesson) seems to yield better results.


Here without /etc/hosts editing.

└──╼ [★]$ host -t ns inlanefreight. com
inlanefreight. com name server ns1.inlanefreight. com.
inlanefreight. com name server ns2.inlanefreight. com.
└──╼ [★]$ host -t ns inlanefreight. htb
Host inlanefreight. htb not found: 3(NXDOMAIN)

Editing the /etc/hosts does not help:

└──╼ [★]$ tail -2 /etc/hosts inlanefreight. htb

└──╼ [★]$ host -t ns inlanefreight. htb
Host inlanefreight. htb not found: 3(NXDOMAIN)

So my first question: should I try more with the ".htb" extension because I am not doing it right? Or is there a typo and ".com" is the way to go (like in the lesson)?

First of all, this is an actual company that requested the penetration test from HTB. It is a real company and you shouldn't use that domain. HTB just gives lessons from that site to give a real-world example. If you cannot connect to the .htb site, you might want to check your VPN connection or reinstall it. Please do not use a real site.

Marek, are you some kind of AI?