Active Subdomain Enumeration

jydn879 · January 14, 2022, 3:57am

Hi all I’m stuck again, but Now, on literally the next question which is:
What is the FQDN of the IP address 10.10.34.136?

Someone, please help! No spoilers plz.

0xh4rtz · January 14, 2022, 6:46am

You need found out the “Pointer”. Its all that will say.

jydn879 · January 14, 2022, 3:39pm

Wait what do you mean? There is no pointer given if there’s one that is hidden how do you find it? is there a command I can execute?

kippa · January 17, 2022, 2:34pm

Hi 0xh4rtz, thankyou for the clue, but could you give a bit more
of a hint without spoiling. I’ve been completely overthinking this
entire section and my brain is about to go into meltdown, ta.

Sorted now, caffeine fix

blackdog · April 14, 2022, 3:53am

Hi I was just checking in if someone got any clue that might have worked for them. I have been stuck in this question for days now it will be a great help if someone can share some clues.

lucasfeandrade · June 13, 2022, 2:05am

The same way you used to solve the question about the TXT records you have to use in order to find the pointer record.

JPwnage · June 30, 2022, 7:16pm

Did you get past this question? I am stuck on it as well. i’ve added the IP to my /etc/hots, then I’ve tried running all the commands from the course work and get nothing but errors. I

JPwnage · June 30, 2022, 7:55pm

Could you explain this further? I have ran the same commands and get no response. Also does the ip need to be added to /etc/hosts? As rn i can not get a response from the server when i try to ping the ip

hoangvietitvn · July 3, 2022, 6:33am

i need suggestion on answer to this question , i tried command dig -x 10.10.34.136 @dnserverip but no success

pavka · August 14, 2022, 9:47pm

So, I’ve finally got it!

That’s what you have to do:
First of all I really recomend you to take some time and try to understand how dns zones work, that’s really usefull not only for this task, but also for many CTF’s.
I can recomend you to take Footprinting, and do it’s DNS section.
For this task:

Check axfr of inlanefreight.htb. There you will get some domains.
Now you have to check all of this domain, if they have axfr zone transfers (as you did it with inlanefreight.htb just a minute ago)
By one of this domains you will get list of it’s subdomains, and just look of the ip’s of this subdomains and you will find 10.10.34.136 there!
That’s not hard, but I really want to encourage you to dive in the topic of Zone Transfers and understand how it works and how you can use it for penetration testing

cheekychimp · October 7, 2022, 12:53pm

thanks saved so much time. Another tedious task from htb xD much appreciated

ve511t · January 4, 2023, 3:39am

Try this command:

dig @10.129.29.36 NS axfr internal.inlanefreight.htb

gennardio · March 27, 2023, 3:47pm

Hi, how can we count the different zones? I tried also to follow the Footprinting course to better understand the concept of zones and DNS in general but with no luck! I think I got that a zone can contain domain and subdomain but I don’t know how to distinguish between zones. If you can help me I really appreciate it. I don’t really want the answer but I want to understand what I’m missing!
Thanks a lot

cybersapper · April 9, 2023, 11:29am

Nslookup is not working for me for any command. Is anyone else having this issue? I added the target IP address to the hosts file and tried a variation of using the IP address and the domain with no response.

junkdog · May 10, 2023, 12:40am

Hey, you’re probably overthinking it. The answer is much simpler and it’s hidden in plain sight.

Identify the which of the subdomains is actually the other zone.
Pretty much do the same command but with updated data. (IP and NS)
Just look at your screen for a bit and you’ll get it

swapjam · May 12, 2023, 8:54am

Thanks, the advice to take the Footprinting DNS lesson was really helpful. I didn’t read the rest of your comment but just read through the Footprinting DNS module and that really helped me solve all the questions I had been stuck at.

godlike0 · August 8, 2023, 1:28pm

Hey guys, to solve this question you need to use the tool “dig”.

1st: dig @<ip_address> NS axfr inlanefreight.htb

2nd: dig @<ip_address> NS axfr internal.inlanefreight.htb

brunoboka · April 4, 2024, 2:36pm

For this question and the one before, I used this script:
#!/bin/bash

Array of subdomains

subdomains=(
“admin.inlanefreight.htb.”
“admin.internal.inlanefreight.htb.”
“careers.inlanefreight.htb.”
“cluster14.us.inlanefreight.htb.”
“dc1.inlanefreight.htb.”
“dc2.inlanefreight.htb.”
“dev.ir.inlanefreight.htb.”
“ftp.admin.inlanefreight.htb.”
“internal.inlanefreight.htb.”
“ir.inlanefreight.htb.”
“messagecenter.us.inlanefreight.htb.”
“ns.inlanefreight.htb.”
“resources.inlanefreight.htb.”
“securemessaging.inlanefreight.htb.”
“test1.inlanefreight.htb.”
“us.inlanefreight.htb.”
“wsus.internal.inlanefreight.htb.”
“ww02.inlanefreight.htb.”
“www1.inlanefreight.htb.”
“dc3.internal.inlanefreight.htb.”
“dev.admin.internal.inlanefreight.htb.”
“ns2.internal.inlanefreight.htb.”
“ns.internal.inlanefreight.htb.”
“panel.admin.internal.inlanefreight.htb.”
“printer.admin.internal.inlanefreight.htb.”
“ws1.internal.inlanefreight.htb.”
“ws2.internal.inlanefreight.htb.”
)

Nameserver IP address

NS=“10.129.123.42”

Loop through each subdomain and perform dig command

for subdomain in “${subdomains[@]}”; do
echo “Performing dig for $subdomain…”
dig +short TXT “$subdomain” @“$NS”
echo “”
done

I’ve just changed the command +short TXT` to axfr .