Academy - Footprinting - DNS

Wow that was frustrating for sure. The hints help and try and try and try each subdomain. Eventually found .203. For sure be “fierce” about the list you use.

The wordlist used in the Subdomain Brute Forcing example doesn’t contain the correct word. Only 4 of the 13 wordlists in Discovery/DNS have the correct word. Why would you do that to us? :tired_face:

1 Like

Thank you. This helped me out a lot. I was in the right direction, but was missing the right wordlist.

I finally got it. It took a long time. I used the for loop because DNSenum kept giving me a failed query and timing out. I don’t know what I did wrong with the command but this is what i used:

dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt --threads 90 -v xxx.inlanefreight.htb

this did not work for me

Wow that took my ages the one thing I learned and will never forgot now regarding this is that the IP address you use is always the original target IP you are given. Wow if I had realeised this I would of solved the last question days ago. SOmetimes you have to take a step back and read what the commands are actually doing then Eurika thank everyone for you help

Please what command did you use. I have been struggling with this.

I dont know how to go about it. I even change the name server ip in /etc/resolv.con to that of the DNS Server.

This helped me, thank you.

  1. First of all find all zones; List them.

  2. Mark it down: zones are subdomains.

  3. now try AFXR on each zone, some works like showed in academy internal.inlanefreight.htb
    try for other all domains, it may fail but keep trying.

  4. i used gobuster
    gobuster dns -r <box IP / NS IP> -d <domain/sub-domain> -i -w < try small list>.txt

tried 4 hrs and then took a break and tried again above method, solved within 5min.

Zones are transferable by bind options set in /etc/bind/named.conf.local

allow-query by requster ip or domain which unfortunately attackers not belongs to.
allow-transfer which is sometimes unlikely due to restrictions.

if it present on individual zone/subdomain then it appear in AXFR transfer otherwise we need to do bruteforcing.

using tools like dnsenum, gobuster millions of wordlists can be solved under 10 min, you gotta be persistant. dont lose hope just after 5min.

I’m in the same steps, I’ve tried the same as you and I still can’t find the answer, I can’t find anything that ends in .203

if someone could guide me please D:

You need to find all zones

I DID IT! :sob: :sob: :sob: :sob: :sob:

The only advice I can give you is to follow the steps indicated by this forum, be “FIERCE” in the list you use

THANKS @PayloadBunny