Academy - Footprinting - DNS

How to know what zones are not allowed?

Basically you should perform the zone transfer of inlanefreight.htb (dig axfr) based on the data it delivers (A) list one by one (dig axfr) when it does not deliver information proceed to brute force with dnsenum and using a dictionary that above deliver the track (ls /opt/useful/SecLists/Discovery/DNS/).

1 Like

Not all (A) deliver information with dnsenum, list one by one.

Hallo all,
I need help here as well. I was able to solve all the questions but the last one. I tried different wordlists as well but that didn’t help either.

  1. I added the IP to my /etc/host with the domainname
  2. dig axfr internal.inlanefreight.htb @IP gave me the zones. → dc1,dc2,mail1,ns,vpn,ws1,ws2,wsus
  3. I couldn’t get more zones of the subdomains so i tried to bruteforce.
  4. dnsenum --dnsserver IP OF THE BOX --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/wordlist inlanefreight.htb

Do I have to add the other A Records (IPs) I found to the --dnsserver? Do I have to add another domain at the end of the command? I wonder because it won’t work with anything other than inlanefreight.htb.

nsenum --dnsserver IP --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt inlanefreight.htb gave me threehostnames:
app.inlanefreight.htb. 604800 IN A
mail1.inlanefreight.htb. 604800 IN A
but neither of them have the .203 IP.

Edit: @camlen92 answer helped me. Read it carefully.

1 Like

Finally Got it
Guys i Think So Many Of You Have Stuck At This Point You No need To Wast Your Time I Am Going To Help You With Correct Method You Have To Follow
–>first start with zone transfer with dig axfr inlanefreight.htb @[ip]
–>you will get lots of subdomains so we need to remove junk and throw all subdomains in one txt folder
–>dig axfr inlanefreight.htb @ | cut -d “6” -f 1 | cut -d “;” -f 1 |rev | cut -d “.” -f2- | rev | grep . | uniq -u | > subdom.txt
–>now again try zone transfer with this subdomains
–>the result you get at this step wont contain fully qualified domain of ip ending with .203 but we get near to the answer. see properly some of subdomains have failed Transfer. so copt those subdomains and make new txt and Bruteforce
->run this command
→ dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb
You Get This Finally :slight_smile: 604800 IN A


I wonder if anyone can help.

When runing dnsenum on given dns server why I get following error:

unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 900 thread 1.

Trying Zone Transfer for inlanefreight.htb on ns.inlanefreight.htb …
AXFR record query failed: no nameservers

Any advice would be helpful.

P.S. No help needed to find FQDN (that part was easy)

Can you pls tell us how you solve it?

I finally got it! I was able to follow the chats and replies. Key things to note:

  • you have to brute-force eventually but not on “inlanefreight.htb”, it allows zone transfers (so dig axfr… works to give subdomains).

  • use fi3rc3-h0stlist.txt (check the github repo for seclists for the proper spelling) as the word list, so just change the path you’re using for your dnsenum

  • lastly, you need to try dnsenum with that wordlist change on the subdomains that don’t allow zone transfers from “inlanefreight.htb” (like app.inlanefreight.htb, dev.inlanefreight.htb, etc. and most importantly don’t get distracted by “internal.inlanefreight.htb”, that’s not where to go…not even close.

@camlen92 @PayloadBunny really helped me here. Thanks so much guys!

So, I don’t know if anyone already posted the same answer but I will try to explain how I did it in a way that doesn’t spoil and that connects back to things explained in the module itself.

  1. The first thing they talk about is the “dangerous options”. A DNS server can be set to allow queries, allow transfers or both. With “dig axfr…” you do a transfer. With dnsenum or using “dig any/ns/…” you do a query. If I am wrong here, please someone correct me so I don’t spread misinformation.

  2. Now, the primary name server is inlanefreight.htb. It allows to be both queried and transferred. It has many secondary name servers but only 2 are dangerous. Each one of them has only one of the “dangerous options” enabled.

  3. The key moment is to enumerate fiercely.

1 Like

I also got stuck for several hours in the last exercise of this topic. Something that helped me was going back to the beginning. Look at the pictures and diagrams. Try to understand them. That will give you a hint for the answer. Use the dictionary that everyone talks about, the fierce on.

Thanks to all for the help, i was stuck for a couple hours but finally got it.