Academy - Footprinting - DNS

Wow, that was frustrating for sure. The hints help; try and try and try each subdomain. Eventually I found .203. For sure, be “fierce” about the list you use.

The wordlist used in the Subdomain Brute Forcing example doesn’t contain the correct word. Only 4 of the 13 wordlists in Discovery/DNS have the correct word. Why would you do that to us? :tired_face:


Thank you. This helped me out a lot. I was in the right direction, but was missing the right wordlist.

I finally got it. It took a long time. I used the for loop because DNSenum kept giving me a failed query and timing out. I don’t know what I did wrong with the command, but this is what I used:

dnsenum --dnsserver 10.129.145.94 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt --threads 90 -v xxx.inlanefreight.htb

This did not work for me.

Wow, that took me ages. The one thing I learned and will never forget now regarding this is that the IP address you use is always the original target IP you are given. Wow, if I had realised this I would have solved the last question days ago. Sometimes you have to take a step back and read what the commands are actually doing, then eureka. Thank you everyone for your help.

Please, what command did you use? I have been struggling with this.

I don’t know how to go about it. I even changed the name server IP in /etc/resolv.conf to that of the DNS server.

This helped me, thank you.

  1. First of all, find all zones and list them.

  2. Note: zones are subdomains.

  3. Now try AXFR on each zone; some work, as shown in the Academy with internal.inlanefreight.htb.
    Try it for all the other domains; it may fail, but keep trying.

  4. I used gobuster:
    gobuster dns -r <box IP / NS IP> -d <domain/sub-domain> -i -w <try a small list>.txt

I tried for 4 hrs, then took a break and tried the above method again; solved within 5 min.

Learnings:
Zones are transferable by BIND options set in /etc/bind/named.conf.local

allow-query by requester IP or domain, which unfortunately attackers don’t belong to.
allow-transfer, which is sometimes unlikely due to restrictions.

If it is present on an individual zone/subdomain then it appears in the AXFR transfer; otherwise we need to do brute forcing.

Using tools like dnsenum and gobuster, wordlists of millions can be solved in under 10 min; you gotta be persistent. Don’t lose hope after just 5 min.
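The four steps in the post above, as a script. This is an added example and not code from any participant in the thread or from HTB Academy. It AXFRs the parent zone, takes the owner names of the NS records as the list of zones (the delegated subdomains), tries AXFR on each zone, and falls back to brute forcing a wordlist against the target nameserver when the transfer is refused. Every query is sent with `@$NS` to the target IP directly, so /etc/resolv.conf never enters into it. Assumptions: dig is installed; the IP 10.129.145.94, the domain inlanefreight.htb and the SecLists path are taken from the thread; the function names, the RUN_ENUM switch and the sample AXFR output embedded at the end are this example's own constructions.

```bash
#!/bin/sh
# Added example: zones -> AXFR each -> brute force on refusal, all against the target NS.
# 10.129.145.94, inlanefreight.htb and the wordlist path come from the thread; everything
# else (function names, RUN_ENUM, the sample AXFR output) is an assumption of this example.

NS="${NS:-10.129.145.94}"
DOMAIN="${DOMAIN:-inlanefreight.htb}"
WORDLIST="${WORDLIST:-/opt/useful/SecLists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt}"

# Raw dig AXFR output for a zone from the given nameserver; empty when the transfer is refused.
axfr_zone() {  # $1 = nameserver IP, $2 = zone
    dig @"$1" "$2" AXFR +time=3 +tries=1 2>/dev/null || true
}

# Owner names of every record in dig AXFR output (stdin), one per line, trailing dot stripped.
hosts_from_axfr() {
    awk '$0 !~ /^;/ && NF >= 4 && $1 ~ /\.$/ { sub(/\.$/, "", $1); print $1 }' | LC_ALL=C sort -u
}

# Zones = owner names that carry NS records: the parent plus each delegated subdomain.
zones_from_axfr() {
    awk '$0 !~ /^;/ && NF >= 5 && $4 == "NS" { sub(/\.$/, "", $1); print $1 }' | LC_ALL=C sort -u
}

# A record(s) for a host, asked of the target nameserver. Always exits 0 so it is safe
# inside $(...) under set -e; a miss is simply empty output.
resolve_a() {  # $1 = nameserver IP, $2 = FQDN
    dig @"$1" "$2" A +short +time=2 +tries=1 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# Wildcard check: if a label that cannot exist resolves, every brute-force hit returning
# the same IP is noise, so brute_subdomains discards those.
wildcard_ip() {  # $1 = nameserver IP, $2 = zone
    resolve_a "$1" "nonexistent-$(date +%s)-probe.$2" | head -n 1
}

# Brute force: print "host ip" for each wordlist entry that resolves to a non-wildcard IP.
brute_subdomains() {  # $1 = nameserver IP, $2 = zone, $3 = wordlist file
    local wild word ip
    wild=$(wildcard_ip "$1" "$2")
    while IFS= read -r word || [ -n "$word" ]; do
        if [ -z "$word" ]; then continue; fi
        ip=$(resolve_a "$1" "$word.$2" | head -n 1)
        if [ -n "$ip" ] && [ "$ip" != "$wild" ]; then
            echo "$word.$2 $ip"
        fi
    done < "$3"
}

# Steps 1-4 end to end. If even the parent refuses AXFR, brute force the parent itself.
enumerate_domain() {  # $1 = nameserver IP, $2 = domain, $3 = wordlist file
    local zones zone records
    zones=$(axfr_zone "$1" "$2" | zones_from_axfr)
    if [ -z "$zones" ]; then zones="$2"; fi
    echo "[*] zones to check:"; printf '%s\n' "$zones"
    for zone in $zones; do
        records=$(axfr_zone "$1" "$zone" | hosts_from_axfr)
        if [ -n "$records" ]; then
            echo "[+] AXFR allowed for $zone:"; printf '%s\n' "$records"
        else
            echo "[-] AXFR refused for $zone, brute forcing with $3"
            brute_subdomains "$1" "$zone" "$3"
        fi
    done
}

# Constructed sample of what dig prints for a permitted AXFR (assumption, not real output
# from the box), used to exercise the parsers offline: pipe it into zones_from_axfr.
AXFR_SAMPLE='; <<>> DiG 9.18.1 <<>> @10.129.145.94 inlanefreight.htb AXFR
;; global options: +cmd
inlanefreight.htb.          604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.          604800  IN  NS   ns.inlanefreight.htb.
internal.inlanefreight.htb. 604800  IN  NS   ns.inlanefreight.htb.
ns.inlanefreight.htb.       604800  IN  A    10.129.145.94
inlanefreight.htb.          604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 1 msec'

# Run the live enumeration only when asked: RUN_ENUM=1 sh enum.sh
if [ "${RUN_ENUM:-0}" = 1 ]; then
    enumerate_domain "$NS" "$DOMAIN" "$WORDLIST"
fi
```

Run it with `RUN_ENUM=1 NS=<target IP> sh enum.sh`; leave RUN_ENUM unset to source the functions and, for instance, call `brute_subdomains "$NS" internal.inlanefreight.htb small.txt` on a single zone. The wildcard probe is the check worth keeping even if you drop the rest: a zone with `*.zone` pointing at one IP makes every wordlist entry "hit", and the for-loop style brute force in the thread would print all of them.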

I’m at the same step; I’ve tried the same as you and I still can’t find the answer. I can’t find anything that ends in .203.

If someone could guide me, please. D:

You need to find all zones.

I DID IT! :sob: :sob: :sob: :sob: :sob:

The only advice I can give you is to follow the steps indicated in this forum; be “FIERCE” about the list you use.

THANKS @PayloadBunny