Academy - Footprinting - DNS

Does somebody have the answer for the last question in the DNS part?
What is the FQDN of the host where the last octet ends with “x.x.x.203”?
Tried all the wordlists in the attack box, but none of them got the FQDN domain that ends with .203

1 Like

Stuck here as well.

  • Used different wordlists but still not able to find the answer
  • Tried with mail3.inlanefreight.htb since mail1.inlanefreight.htb ends with .201 but no.

Anyone completed this question??

Hey man. I’ve completed this question. You are on the right track. :wink:

Which wordlist did you use, or which method, since nothing I try is working?

Let’s say, you need to dig :wink:
Bruteforce not required

2 Likes

Can you specify that a little bit?
With “dig axfr domain.tld @10.10.10.10” I found two zones which allow a transfer.
But none contains a subdomain, which would have a 203 in the last octet.


Okay, I could now find all zones.

There are zones that allow transfer and there are zones that allow transfer only from certain machines (allow-transfer).
Zones that do not allow transfer from your machine can be found manually. For example with DNSenum.

OK guys, any pointers on this other than what’s here already? Going around in circles with it now :tired_face: :tired_face:

It’s OK I got it…HINT…enumerate ALL subdomains :slight_smile:

I have exactly the same problems. I have (hopefully) found all the zones. Iterate through the hostnames. No success. Can you give me another spoiler? I’m really stuck right now.

DIG around and try to TRANSFER everything you find :thinking:

Someone DM me pls, I have been stuck with this problem for two days…

I have found:
dev1.dev.inlanefreight.htb,
dev2.dev.inlanefreight.htb,
mail1.dev.inlanefreight.htb.
None of them is correct and they’re not transferable. Actually only the main and internal domains were transferable. Am I on the right path?
I think this part of the module should be more detailed.

Yes, you are on the right track, but you are probably using the wrong list.

Bro, I need help, I’m so tired of trying to solve this question. I did AXFR or Zone Transfer through dig, with every subdomain that showed up in the first dig command. The only subdomain for which I could do a Zone Transfer or AXFR was internal.inlanefreight.htb, but for none of the domains in that subdomain (like dc1.internal.inlanefreight.htb, dc2.internal.inlanefreight.htb,…) did a Zone Transfer or AXFR work. What should I do? Does anyone know what I should do? I’m really going mad with this question.

1 Like

You can solve this question by bruteforcing the domains discovered in the first step (axfr on inlanefreight.htb), just try using different wordlists, not necessarily the largest ones.

There are various security settings on a DNS server. Among other things, you can specify whether a zone transfer should be allowed for all servers or only for certain servers (allow-transfer).

If a zone transfer is allowed, you can transfer the zone with “dig axfr”. If the zone transfer is not allowed, you have to bruteforce the zone.
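Added example, not part of any post in this thread: the allow-transfer setting described in the post above, seen from the server side. This Python sketch audits a constructed BIND-style named.conf (the zone names, addresses and sample file are assumptions) and reports which zones any client could transfer.

```python
import re

# Constructed named.conf for illustration; zone names and addresses are placeholders.
SAMPLE_CONF = '''
options { directory "/var/cache/bind"; };
zone "corp.example"          { type master; file "db.corp";     allow-transfer { any; }; };        // open
zone "internal.corp.example" { type master; file "db.internal"; allow-transfer { 0.0.0.0/0; }; };  # open
zone "dev.corp.example"      { type master; file "db.dev";      allow-transfer { 192.0.2.53; }; };
zone "lab.corp.example"      { type master; file "db.lab"; };
'''

OPEN_ENTRIES = {"any", "0.0.0.0/0", "::/0"}

def block_body(text, start):
    """Return the text inside the first {...} at or after start, honouring nesting."""
    first = text.index("{", start)
    depth = 0
    for pos in range(first, len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return text[first + 1:pos]
    raise ValueError("unbalanced braces in configuration")

def transfer_acl(body):
    """Return the allow-transfer entries in a block, or None if it has none."""
    match = re.search(r"\ballow-transfer\b", body)
    if match is None:
        return None
    return [e.strip() for e in block_body(body, match.end()).split(";") if e.strip()]

def audit(conf):
    """Map each zone to 'open', 'restricted' or 'unset' (no ACL at zone or options level)."""
    conf = re.sub(r"(//|#).*", "", conf)              # drop line comments
    opts = re.search(r"\boptions\s*\{", conf)
    inherited = transfer_acl(block_body(conf, opts.start())) if opts else None
    report = {}
    for zone in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        acl = transfer_acl(block_body(conf, zone.end()))
        acl = inherited if acl is None else acl       # zone-level ACL overrides options
        if acl is None:
            report[zone.group(1)] = "unset"
        else:
            report[zone.group(1)] = "open" if OPEN_ENTRIES & set(acl) else "restricted"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A zone reported as unset relies on the server's built-in default, so it is safer to set allow-transfer explicitly than to depend on it.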

Are you sure that I can solve this with bruteforcing only? I see that somebody was able to solve this using only “dig” through zone transfers with the other subdomains.

I tried almost all the wordlists in the SecLists DNS directory and only have two results from bruteforcing with those wordlists: 1) The wordlist is too big and the machine that I spawned runs out of time before the bruteforcing enumeration finishes. 2) None of the results is the answer and I don’t see any new domain; all the subdomains that I get as results (in the bruteforcing enum) are the same subdomains that I saw before in the zone transfer with “dig”.

Do I need another wordlist outside of SecLists?

I tried almost all the wordlists in the SecLists DNS directory. None of the results from that bruteforcing is the answer, and I don’t see any new subdomain that I had not seen before in the zone transfer with dig. I saw one comment saying that somebody was able to solve this without bruteforcing, only with “dig” through zone transfer.

Do I need another wordlist outside of the SecLists wordlists? Or could it be the syntax of “dnsenum”?
The syntax that I’m using is the following:
dnsenum --dnsserver <IP Target> --enum -p 0 -s 0 -o subdomains.txt -f <SecList Wordlist> --threads 90 inlanefreight.htb

Perhaps I need to replace inlanefreight.htb with another subdomain that I found before, like the internal.inlanefreight.htb subdomain?

Yes, I am sure.
Sure, you can solve it with dig. Manual or automated.

The main zone allows a zone transfer.
One of the subdomains also allows a zone transfer.
But another zone does not allow zone transfer from your PC.

Either you just try all possible word combinations with dig, or you do it automatically. Either with the bash script as described in the chapter or with a tool like DNSEnum.

Start with the smallest list of SecLists. If you don’t find what you are looking for, use the next larger one.

Remember that you don’t need to bruteforce the main domain. This zone allows a zone transfer.

There are four or five subdomains. Two of them are their own zones. One allows a zone transfer, the other one does not.

I spent several days on it, impossible to have the domain x.x.x.203. :confused:
Do you have a hint please?

1 Like