Active Subdomain Enumeration - HTB Academy

I think the question

“Identify how many zones exist on the target nameserver”

can be rephrased to

“focus on how many subdomains (or DNS zones) allow a zone transfer to occur”

for clarity.

Basically, my strategy for approaching this specific question is to find the AXFR of the primary domain name which is given and then do it recursively on the A records found from the AXFR search.

awk '/IN\s+A/ {print $1}' <AXFR output from initial dig AXFR> | sort -u | while read -r subdomain; do
    dig axfr "$subdomain" @"$dns_server" 2>&1
done

Oh, thanks a lot!

You are missing the @ sign before ${NS}

I tried it using the dig command and boom! dig is easier for me

i don’t find this module easy at all :joy::joy::joy: lack of DNS knowledge and linux command proficiency. couldn’t even understand the question about the number of zones and the module didn’t help clarify what exactly were zones. i put the module aside and went to do other ones related to DNS, especially the DNS Enumeration using Python. that one clarified a lot. basically zones are logical separations that allow those separations to be administrated, well, separately. each zone requires a SOA (and maybe one nameserver?). so to get the number of zones we need to do the zone transfer for inlanefreight.htb through the TARGET (DNS), then we need to go through each response and see if they have themselves a SOA.

the way i did it:

dig axfr inlanefreight.htb @TARGET | grep inlanefreight | awk '$1 ~ /^[[:alpha:]]/ {print $1}' | xargs -I % nslookup -query=soa % TARGET

  1. dig axfr inlanefreight.htb @TARGET does the zone transfer for inlanefreight.htb using the DNS (TARGET)
  2. grep inlanefreight catches only the lines that have a domain in them
  3. awk '$1 ~ /^[[:alpha:]]/ {print $1}' only prints the first column when it starts with an alpha character (bye bye semicolons)
  4. xargs -I % nslookup -query=soa % TARGET does an nslookup with the result printed by awk

that’ll print the result of the SOA query from nslookup. we see that for most of them there’s none, except for two: inlanefreight.htb and internal.inlanefreight.htb.

i had not much understanding of DNS and even tho i kinda knew the linux commands i’ve never used them properly in the past, so that required a few hours of research. good fun.
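The SOA check described in the post above, as an added example that is not part of the original thread: a non-apex name still gets an SOA back, but it is the parent zone's SOA in the authority section, so the owner name has to be compared with the name queried. The sample records, the 192.0.2.x addresses and the `mock_soa` stand-in are constructed so the script runs offline; `live_soa` assumes `dig` is installed and is not called here.

```shell
#!/bin/sh
# Added example. Every record below is constructed, not captured lab output.
sample_axfr() {
cat <<'EOF'
; <<>> DiG <<>> axfr inlanefreight.htb @TARGET
inlanefreight.htb.           604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.           604800 IN NS  ns.inlanefreight.htb.
admin.inlanefreight.htb.     604800 IN A   192.0.2.10
internal.inlanefreight.htb.  604800 IN A   192.0.2.20
ns.inlanefreight.htb.        604800 IN A   192.0.2.53
inlanefreight.htb.           604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; XFR size: 6 records
EOF
}

# Unique owner names from dig AXFR output on stdin (comment lines have no IN class field).
axfr_names() { awk '$3 == "IN" { print tolower($1) }' | sort -u; }

# Live lookup, not run here: answer plus authority section of an SOA query.
live_soa() { dig +noall +answer +authority "$1" SOA @"$2"; }

# Offline stand-in (constructed): apexes answer with their own SOA; any other
# name gets the parent zone's SOA, as a server returns it in the authority section.
mock_soa() {
  case "$1" in
    inlanefreight.htb.|internal.inlanefreight.htb.) apex=$1 ;;
    *) apex=inlanefreight.htb. ;;
  esac
  printf '%s 604800 IN SOA %s root.%s 2 604800 86400 2419200 604800\n' "$apex" "$apex" "$apex"
}

# Print each name whose SOA record is owned by that same name (a zone apex).
# usage: zone_apexes LOOKUP_FUNCTION SERVER < axfr_output
zone_apexes() {
  axfr_names | while read -r name; do
    "$1" "$name" "$2" </dev/null |
      awk -v n="$name" 'tolower($1) == n && $4 == "SOA" { print n; exit }'
  done
}

sample_axfr | zone_apexes mock_soa TARGET
```

Against a live server, pass `live_soa` and the nameserver address instead of `mock_soa TARGET`, and feed the function real `dig axfr` output.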

thanks dude… this time I finally got a result. Your efforts from 2022 shall not be forgotten

nslookup -query=AXFR inlanefreight.htb ns.inlanefreight.htb

Gives the first authoritative zone transfer

nslookup -query=AXFR inlanefreight.htb ns.inlanefreight.htb | grep Name | cut -d':' -f 2 | while read -r line; do nslookup -query=AXFR $line ns.inlanefreight.htb; done

Tries to do an authoritative zone transfer on all subdomains got.

After this, you can get all the answers you need in the output. To count the A records, you need to add the two zones together. grep Name: | wc -l could be useful.
Reverse DNS lookup doesn’t seem to work. You might need to find the FQDNs by yourself.
If you like, you don’t need to change your hosts file as said in the posts above. Just using the name server’s IP is fine.

Late reply but thought I would answer in case anyone else needed help. Yes I believe the SOA record indicates the start of a new zone and is the authoritative source for that zone. Therefore out of all of the domains/subdomains there are only two with an SOA record.

Thanks, it helped though…

Add the given IP address, which is running as a local DNS server, to /etc/hosts and run the axfr command dig axfr inlanefreight.htb @{the_given_ip_address}

Thanks I was able to create a .sh script and complete the task. I struggled for 3 hrs before finally getting the answer.

WOW! Just WOW! Spent two days digging into that section, and doing the second step by adding ‘ns’ to the .htb domain did provide all the answers! Thank you!