Attacking Common Services - Attacking DNS

Hi,
I have been stuck on this module assignment: "Find all available DNS records for the “inlanefreight.htb” domain on the target name server and submit the flag found as a DNS record as the answer." Thus far, I have done the following:

  1. Edited /etc/hosts.
  2. Used the following tools for subdomain enumeration: “fierce”, “subfinder” and “subbrute”, and I have obtained a list of all the subdomains.
  3. I have obtained all the subdomains and attempted to use dig AXFR to attempt a zone transfer. In this step nothing is successful. I have used, for example, dig AXFR @ns1.inlanefreight.com inlanefreight.com and I keep getting this error for anything I attempt:

Connection to 178.128.39.165#53(178.128.39.165) for 10.129.203.6 failed: timed out.
Connection to 178.128.39.165#53(178.128.39.165) for 10.129.203.6 failed: timed out.
<<>> DiG 9.16.33-Debian <<>> @ns1.inlanefreight.com 10.129.203.6 AXFR
(1 server found)
global options: +cmd
connection timed out; no servers could be reached
Connection to 178.128.39.165#53(178.128.39.165) for 10.129.203.6 failed: timed out.

I have also attempted dig any, but nothing has worked so far.
What am I doing wrong?
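Reading the dig output quoted in the post above, as an added example that is not part of the thread: the parser below pulls out which address dig actually contacted and which name it asked for. It assumes 10.129.203.6 is the lab name server the poster meant to query; `diagnose()` and its `expected_server_ip` parameter are hypothetical names.

```python
import ipaddress
import re

# dig output from the first post, as it appears on the page.
SAMPLE = """\
Connection to 178.128.39.165#53(178.128.39.165) for 10.129.203.6 failed: timed out.
<<>> DiG 9.16.33-Debian <<>> @ns1.inlanefreight.com 10.129.203.6 AXFR
(1 server found)
global options: +cmd
connection timed out; no servers could be reached
"""

HEADER = re.compile(r"<<>> DiG \S+ <<>> (.*)")
# dig prints: Connection to <addr>#<port>(<addr>) for <query name> failed: <reason>.
CONN = re.compile(r"Connection to (\S+?)#\d+\(\S+\) for (\S+) failed: ")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def diagnose(output, expected_server_ip):
    """Parse one dig run; expected_server_ip (hypothetical parameter) is the
    name server the caller meant to query (assumed here, not stated by dig)."""
    parsed = {"server_arg": None, "args": [], "contacted": set(), "qnames": set()}
    for line in output.splitlines():
        line = line.lstrip("; ")  # tolerate dig's leading ';' comment markers
        if m := HEADER.search(line):
            for tok in m.group(1).split():
                if tok.startswith("@"):
                    parsed["server_arg"] = tok[1:]  # what followed '@'
                else:
                    parsed["args"].append(tok)      # remaining arguments
        elif m := CONN.search(line):
            parsed["contacted"].add(m.group(1))     # address dig connected to
            parsed["qnames"].add(m.group(2))        # name dig asked about
    findings = []
    for addr in sorted(parsed["contacted"] - {expected_server_ip}):
        findings.append(f"query went to {addr}, not {expected_server_ip}")
    for name in sorted(parsed["qnames"]):
        if is_ip(name):
            findings.append(f"{name} was sent as the query name, not used as the server")
    return parsed, findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "10.129.203.6")[1]:
        print(finding)
```

In dig's syntax only the argument after `@` selects the server; any other bare argument is taken as the name to look up, which is why the lab IP shows up after "for" in the error lines.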

I think you need to brute force axfr. I’ve done that module a long time ago so I may be mistaken though.
UPD: yeah, I’ve just checked that. You need to BF axfr.

How did you end up resolving this?

Is it .com or .htb? When I use .htb I get a response; with .com I get no response, but subbrute hasn’t worked with .htb.

I just completed this module. Here are my suggestions:

  • Read the question well. Remember that www.inlanefreight.com is a private commercial company that contracted HTB for work. Though the examples show inlanefreight.com, you must not be hacking or doing any tests against their website. Hence, the question mentions inlanefreight.htb.

  • Whenever you tackle any DNS tasks, the first thing to do is an nslookup (Name Server Lookup). nslookup -type=NS (domain) (IP target machine) will give you the correct domain and name server.

  • Name servers are responsible for providing information about the domain. Any query or command will try to look for the name server and IP address. So, it is best to add the information you got from nslookup to the /etc/hosts file.

  • As shown in the example in the course, run the subbrute.py program.

  • Run the dig utility to dump the DNS namespace from the DNS server to the sub-domain server.

  • Make notes for the above steps. Once completed, take a look at the workflow sequence. You will see the logic.

  • If you have time, you can read DNS and BIND by Cricket Liu.