Active Subdomain Enumeration - HTB Academy

You are using PowerShell instead of the terminal. I had the same issue.
Use the green one, not the PS one.

Hi, I have the same question… how can we count the different zones? I also tried to follow the Footprinting course to better understand the concept of zones and DNS in general, but with no luck! I think I got that a zone can contain a domain and subdomains, but I don’t know how to distinguish between zones. If you have a solution and can help me, I’d really appreciate it.
Thanks

Hi TitaniumKnight,
I know what 127.0.0.1 is.
I meant that the results of dig ns inlanefreight.htb show a remote server (not my own).
In the end I solved it; it was a bit confusing, but I figured it out.

Edit /etc/hosts by adding the IP address and DNS name.

This was a bit hard due to the VPN requirement:

  • Prerequisites: export TARGET="inlanefreight.htb";export TARGET_IP="x.x.x.x"
  • Then edit /etc/hosts and add your target there, 10.123.21.121 inlanefreight.htb
  • Then get the name server with dig ns ${TARGET} @${TARGET_IP}
  • Add the nameserver to /etc/hosts
  • export NS="THE NAME SERVER YOU GET IN THE STEP BEFORE"
  • Now it is time to get the zones: nslookup -type=any -query=AXFR ${TARGET} ${NS}
  • After that I opened VSCodium and put those zones in a txt file, like this:
ftp.admin.inlanefreight.htb
careers.inlanefreight.htb
dc1.inlanefreight.htb
dc2.inlanefreight.htb
...
  • Now you have to discover which zone has a TXT record. You can run dig +short TXT DISCOVERED_ZONE ${NS} one by one… or you automate this using code… I prefer to make a bash file for this kind of situation.
#!/bin/bash
file="subdomains_inlanefreight.htb.txt" #the txt file you created
while read -r line; do
   dig +short TXT "$line" ${NS}; echo "";
done <$file

Then run bash mybashfile.sh and you get the flag… the trick is to dig line by line against the nameserver, looking for the TXT record.

2 Likes

I think you missed a @ before the nameserver :grinning:

#!/bin/bash
file="subdomains_inlanefreight.htb.txt" #the txt file you created
while read -r line; do
   dig +short TXT "$line" @${NS}; echo "";
done <$file

That did the trick for me. :black_heart:

2 Likes

I get the exact same error. How did you solve it?

Submit the number of all “A” records from all zones as the answer.

Did this:

dig axfr inlanefreight.htb @ns2.inlanefreight.htb | grep "IN\sA\s" | wc -l + dig axfr inlanefreight.htb @ns2.inlanefreight.htb | grep "IN\sA\s" | wc -l

Added both outcomes up, but that was not the right answer. What did I do wrong?

I would scrap whatever you have here. I did this and it worked nicely to calculate the A records for each ns. REMEMBER: DO THIS FOR EACH NS IF USING MY COMMAND.

dig axfr inlanefreight.htb @IPADDR | grep -E "IN      A|IN A" | wc -l

I’m sure there’s a better way to write this, but I’m tired and felt lazy and it worked.

2 Likes

Set your VPN to use the OpenVPN protocol.

Same question for me. I guess it is the sum of the domains that have subdomains, i.e. inlanefreight.htb and internal.inlanefreight.htb. So it is 2.
Just my guess. If someone more experienced can confirm it, thanks.

Hi,
Inlanefreight.htb is a top domain. Then you have subdomains like admin.inlanefreight or ns.inlanefreight.htb; these represent zone 1 (I look at zone 1 as a subdomain of the top domain). Then you have subdomains of these subdomains (zone 1) like ftp.admin.inlanefreight.htb, and that represents zone 2 (zone 2 is a subdomain of zone 1).
If you had listed another subdomain of the second subdomain, something like xxx.ftp.admin.inlanefreight.htb, that would represent zone 3. So from this it is obvious you have only 2 zones.

1 Like

Anyone else feel like these classes give more frustration than actual knowledge? With the last module, “Footprinting”, I ran into similar issues as with this module. A lot of stuff isn’t covered in the modules, stuff that you need to complete the questions. The written explanations in the modules are not clear and leave much to be desired when trying to answer the questions. Having to search Google and look through these forums to get through a course that is supposed to be teaching you just seems like HTB isn’t pulling their weight when it comes to Academy and is relying on users to teach each other and themselves, which is in fact what I am paying them for. Nowhere in the Academy modules does it give the commands that are found in the forums. Just saying that HTB could do a lot better when it comes to the Academy. I get that looking things up is part of the role, but when paying for a service to teach you something, part of that service should include the education to perform the given tasks that you will be tested on. Honestly the modules give me more of an imposter syndrome than a feeling of accomplishment and moving forward. I could never figure out the commands to run on my own without the help of the forum and Google.

Now that my rant is done, and I’m obviously years behind these forums, if anyone’s out there, I need help on the last five questions. I’ve added the @TARGETIP and inlanefreight.htb to my /etc/hosts file and tried many of the commands listed on this page. The forums are confusing and no one seems to spellcheck or write in proper grammar and full sentences, so I’m not sure if I’ve done it right. I’ve re-read the previous sections and tried their commands.

TIA

3 Likes

After trying many courses and platforms, I can definitely say that HTB has the best quality content out there. You can answer all exercises by just using the info presented in each section along with the provided resources (if the section has some).

Just to point out, within the IT domain in general, and penetration testing even more, frustration is part of the job even for experienced professionals. So, I would say to embrace it if you want to actually progress in any IT-related field.

No one is forcing you to learn through HTB. There are a myriad of other platforms out there to choose from. All of us learn in different ways, and I would suggest that you try many until you find a platform you are pleased with.

The forum is a place where many spend their time voluntarily in order to help others. For many of them, including myself, English is not their first language. I think we should appreciate people spending their free time answering other people’s questions instead of criticising their grammar. It’s a forum after all, not an academic institution.

Hopefully, you have done the DNS footprinting module since it is before this one. The majority of us find DNS stuff, such as zone transfer, DNS servers, different records, etc. very confusing, especially when encountered for the first time.

If you follow the DNS footprinting module you will be able to answer almost all of your questions with a few commands. In order to find the content included in the TXT record you will have to do a zone transfer using the subdomain you found in question 1:

$ dig axfr inlanefreight.htb @<subdomainFromQuestionOne>

You can also answer question 6 from the above output regarding the us.inlanefreight.htb.

After doing that you will have to do a similar process with each one of them until one works:

$ dig axfr <subdomain> @<targetIpAddress>

One of them will work and will include a TXT record with the answer. Along with that you will also have the answer for questions 4 and 5.

When you find something you don’t understand, it is only logical to devote the time and read more for it until it sticks. Or just take a break and come back with a fresh mind. Hackersploit’s videos for DNS Enumeration and Zone Transfers as well as Brute Forcing and subdomain enumeration might help you understand and also add some more tools in your arsenal regarding DNS.

And remember to keep calm; penetration testing is not an easy field. You are here to learn in a safe environment where you can make as many mistakes as you want and take all the time in the world. If you get frustrated about some exercises here, imagine what will happen when you have deadlines in a live production environment where forums, Discord, or any kind of external help won’t be there. You will have to Google and spend a lot of time reading!

3 Likes
  1. Open sudo nano /etc/hosts
  2. Add line to bottom XX.XXX.XXX.XXX ns.inlanefreight.htb

NAMESERVER="ns" && IP="XX.XXX.XXX.XXX" && TARGET="inlanefreight.htb" && ((dig axfr "@$IP" "$TARGET" | grep -E 'IN\s+A\s+' | grep -Eo "[a-zA-Z0-9.-]+.$TARGET" | sort -u) && (dig axfr "@$IP" "$TARGET" | grep -E 'IN\s+A\s+' | grep -Eo "[a-zA-Z0-9.-]+.$TARGET" | sort -u | while read -r line; do dig axfr "$line" "@$NAMESERVER.$TARGET"; done | grep -E 'IN\s+A\s+' | grep -Eo "[a-zA-Z0-9.-]+.$TARGET" | sort -u)) | wc -l | xargs echo "A Records found: "

  3. Give respect to HTB and community.
2 Likes
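As an added example (not from any post in this thread), here is the parsing step behind the zone-transfer procedures and the A-record-counting commands above, written so it runs offline over a saved dig axfr output. The transfer output below is constructed sample data: the names follow the thread, but the TTLs, the 10.0.0.x addresses and the TXT value are placeholders, not the exercise's real records.

```shell
#!/bin/bash
# Added example, not from the thread. Capture real transfers into a file with
#   dig axfr "$TARGET" "@$NS" >> axfr.txt        (note the @ before the name server)
# then point the functions below at that file. Everything here is CONSTRUCTED data.
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr inlanefreight.htb @ns.inlanefreight.htb
;; global options: +cmd
inlanefreight.htb.              604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.              604800  IN  NS   ns.inlanefreight.htb.
ns.inlanefreight.htb.           604800  IN  A    10.0.0.1
admin.inlanefreight.htb.        604800  IN  A    10.0.0.2
ftp.admin.inlanefreight.htb.    604800  IN  A    10.0.0.3
internal.inlanefreight.htb.     604800  IN  NS   ns.inlanefreight.htb.
inlanefreight.htb.              604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb.     604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 5 604800 86400 2419200 604800
internal.inlanefreight.htb.     604800  IN  TXT  "CONSTRUCTED-PLACEHOLDER-TXT"
dc1.internal.inlanefreight.htb. 604800  IN  A    10.0.0.10
dc2.internal.inlanefreight.htb. 604800  IN  A    10.0.0.11
internal.inlanefreight.htb.     604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 5 604800 86400 2419200 604800'

# Keep only resource-record lines (<owner> <ttl> IN <type> <rdata>); drops dig's ';' chatter.
records() { awk '$3 == "IN" && $4 != ""' "$1"; }

# Count A records by matching the TYPE field, so "IN AAAA" or stray text never miscounts.
count_a_records() { records "$1" | awk '$4 == "A" { n++ } END { print n + 0 }'; }

# Owner names that have an A record, trailing dot removed, de-duplicated.
a_record_names() { records "$1" | awk '$4 == "A" { sub(/\.$/, "", $1); print $1 }' | sort -u; }

# Every zone starts and ends with its own SOA, so the distinct SOA owners are the zones transferred.
list_zones() { records "$1" | awk '$4 == "SOA" { sub(/\.$/, "", $1); print $1 }' | sort -u; }

# TXT records as "<owner> <value>", keeping the whole quoted value even if it contains spaces.
txt_records() {
  records "$1" | awk '$4 == "TXT" { name = $1; sub(/\.$/, "", name)
                                    $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print name, $0 }'
}

SAMPLE_FILE="$(mktemp)"
printf '%s\n' "$SAMPLE_AXFR" > "$SAMPLE_FILE"
echo "A records: $(count_a_records "$SAMPLE_FILE")"
echo "Zones:"; list_zones "$SAMPLE_FILE"
echo "TXT records:"; txt_records "$SAMPLE_FILE"
```

Appending the transfer of each discovered subdomain to the same file (as the thread's loop does) makes list_zones report every zone that actually answered, and count_a_records counts across all of them at once.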

+1, we get to do DNS brute force as well, quite an eye-opener for me at least.

This is really helpful, thanks.

Hi Guys,

I’m going crazy on this one…

I use the Pwnbox.

I added a line with 10.129.151.XXX inlanefreight.htb in /etc/hosts.

But every time I use dig, nslookup or other tools, it doesn’t work…

I answered the first three questions, but I can’t display all the subdomains anymore, I don’t know why.

Could someone help me?

I did dig +short dc1.inlanefreight.htb ${NS}

and I did it with every subdomain I found, but I didn’t find the TXT…