Information gathering - Active Subdomain Enumeration - Last question

Hi guys,
I need help with the last question of the mentioned lesson on the academy. The question is:
“Submit the number of all “A” records from all zones as the answer.” So, previously, I have identified two zones:

  • inlanefreight.htb
  • internal.inlanefreight.htb

So I tried:

dig a inlanefreight.htb
dig a internal.inlanefreight.htb

I put these two FQDNs in the /etc/hosts file with the related IP.

Can you help me?

Hey, if you are trying to count the A records, then you need to display all of the records like you did in question #2. I recommend doing what you did in question #2 for each of the domains that you listed and then just manually counting the A records in each zone.
-onthesauce

OK, I do this but I can’t find the answer. I do the following:

  • I take the same list of the question #2;
  • For each name and address: dig a name address.

But I always receive authority and additional sections but no answer section.

Hey, no worries. When you transfer the zone, are you not seeing the record type next to the listing?

I used dig to transfer via dig axfr and the output always contained the record type in each listing. There should be no additional need for dig, because it already gives you the record type. Then you just do what I said above.

DM me with a screenshot of your zone transfer if you are still having issues.
-onthesauce

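onthesauce’s advice above, turned into something you don’t have to do by hand: pipe the dig axfr output through a small awk filter and let it count the record type column. This is an added example, not code from this thread or from the Academy. ZONE1 and ZONE2 are constructed transfers in dig’s output format (documentation addresses from 192.0.2.0/24 and made-up host names), so the numbers it prints are not the lab answer; the same functions work unchanged on real output from `dig axfr <zone> @<nameserver-ip>`. The `list_delegations` function also shows how the zones from question #2 show up inside a transfer: as NS records owned by a name other than the apex.

```bash
#!/usr/bin/env bash
# Added example, not code from this thread or from the Academy. Counts records
# by type in "dig axfr" output and lists the delegated child zones it reveals.
# ZONE1 and ZONE2 are CONSTRUCTED transfers in dig's output format, with
# documentation addresses (192.0.2.0/24) and made-up host names; they are not
# the lab's real zones, so the numbers printed below are not the lab answer.
# Against the lab you would feed real output instead, e.g.
#   dig axfr inlanefreight.htb @<nameserver-ip> | count_records A

# dig prints one resource record per line:  <owner> <ttl> <class> <type> <rdata>
# Lines starting with ';' are dig's own banner and statistics. AXFR repeats the
# apex SOA as the last record, so SOA counts 2 per zone while A records are
# listed exactly once.
count_records() {            # usage: count_records TYPE < dig-axfr-output
    awk -v t="$1" '
        /^;/ || NF < 4          { next }            # banner, stats, blank lines
        $3 == "IN" && $4 == t   { n++ }
        END                     { print n + 0 }'
}

# Sum of A records over every zone transfer passed as an argument string.
count_a_all_zones() {
    local total=0 zone n
    for zone in "$@"; do
        n=$(printf '%s\n' "$zone" | count_records A)
        total=$((total + n))
    done
    echo "$total"
}

# Zone cuts: owner names that hold NS records but are not the apex. The parent
# only delegates them; each is a separate zone with its own SOA and needs its
# own AXFR before its A records can be counted.
list_delegations() {         # usage: list_delegations < dig-axfr-output
    awk '
        /^;/ || NF < 4                            { next }
        $4 == "SOA" && apex == ""                 { apex = $1 }
        $4 == "NS" && $1 != apex && !seen[$1]++   { sub(/\.$/, "", $1); print $1 }'
}

# --- constructed sample data (not the lab zones) -----------------------------
ZONE1='
; <<>> DiG 9.18.1 <<>> axfr inlanefreight.htb @192.0.2.10
;; global options: +cmd
inlanefreight.htb.           604800 IN SOA   ns1.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.           604800 IN NS    ns1.inlanefreight.htb.
inlanefreight.htb.           604800 IN MX    10 mail.inlanefreight.htb.
ns1.inlanefreight.htb.       604800 IN A     192.0.2.10
www.inlanefreight.htb.       604800 IN A     192.0.2.11
mail.inlanefreight.htb.      604800 IN A     192.0.2.12
ftp.inlanefreight.htb.       604800 IN A     192.0.2.13
internal.inlanefreight.htb.  604800 IN NS    ns1.inlanefreight.htb.
inlanefreight.htb.           604800 IN SOA   ns1.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 192.0.2.10#53(192.0.2.10) (TCP)
'
ZONE2='
; <<>> DiG 9.18.1 <<>> axfr internal.inlanefreight.htb @192.0.2.10
;; global options: +cmd
internal.inlanefreight.htb.      604800 IN SOA   ns1.inlanefreight.htb. root.inlanefreight.htb. 3 604800 86400 2419200 604800
internal.inlanefreight.htb.      604800 IN NS    ns1.inlanefreight.htb.
dc1.internal.inlanefreight.htb.  604800 IN A     192.0.2.20
vpn.internal.inlanefreight.htb.  604800 IN A     192.0.2.21
wiki.internal.inlanefreight.htb. 604800 IN CNAME dc1.internal.inlanefreight.htb.
internal.inlanefreight.htb.      604800 IN SOA   ns1.inlanefreight.htb. root.inlanefreight.htb. 3 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 192.0.2.10#53(192.0.2.10) (TCP)
'

printf 'delegations seen in inlanefreight.htb:   %s\n' "$(printf '%s\n' "$ZONE1" | list_delegations)"
printf 'A records in inlanefreight.htb:          %s\n' "$(printf '%s\n' "$ZONE1" | count_records A)"
printf 'A records in internal.inlanefreight.htb: %s\n' "$(printf '%s\n' "$ZONE2" | count_records A)"
printf 'A records in all zones:                  %s\n' "$(count_a_all_zones "$ZONE1" "$ZONE2")"
```

Two things that trip people up when counting by eye: the CNAME line is not an A record even though the name it points at has one, and the “XFR size: N records” line dig prints at the end counts every record in the transfer including the repeated SOA, so it is never the number of A records.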

I have a dumber question. How do we find out the answer to the second question: How many zones? I managed to finish the other questions but I still don’t know how to get the answer for this one. I know that there is not a 1-to-1 mapping from subdomains to zones, so how do we know which ones are the zones?

I am late with this one but I would like to share my thoughts.

I understood from the “Footprinting” module that

  1. A zone is best identified if it answers on the AXFR request
  2. If a found subdomain (one of the “A” records) has a SOA, it is likely a zone, i.e. “No SOA - No Zone”
  3. If this subdomain does not answer on AXFR but gives back subdomains via brute forcing then it is a zone

Now I understand from the “Information Gathering” module:

  3. When a subdomain with a SOA does not answer on AXFR and brute forcing does not give us back any subdomain, it is likely not a zone (since you can never be sure that you found all subdomains via brute forcing)

Is this correct or is there any misunderstanding in the relationship between subdomains and zones? If this is true I am wondering why a zone needs to have a subdomain?

-Alsuffndruff
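One way to apply the “No SOA - No Zone” rule from Alsuffndruff’s post mechanically, as an added example that is not code from this thread or from the Academy: ask the authoritative server for the SOA of the name and look at which section of the reply the SOA comes back in. A zone apex answers with its own SOA in the ANSWER section; a plain host inside a zone gets an empty answer and the enclosing zone’s SOA in the AUTHORITY section (that is the “authority and additional but no answer” reply from earlier in the thread). The three replies below are constructed in dig’s output format with documentation addresses and made-up host names; against the lab you would pipe in real `dig soa <name> @<nameserver-ip>` output.

```bash
#!/usr/bin/env bash
# Added example, not code from this thread or from the Academy. Classifies a
# name as zone apex / host / nonexistent from the reply to "dig soa <name>".
# The replies below are CONSTRUCTED in dig's output format (documentation
# addresses 192.0.2.0/24, made-up host names). Against the lab you would run
#   dig soa internal.inlanefreight.htb @<nameserver-ip> | classify internal.inlanefreight.htb

# Reads one dig reply on stdin and prints where the SOA came from:
#   ANSWER <owner>     the queried name owns the SOA: it is a zone apex
#   AUTHORITY <owner>  NODATA reply: the name exists inside zone <owner>
#   NXDOMAIN <owner>   the name does not exist; <owner> is the zone it would be in
#   NONE               no SOA at all (server not authoritative, REFUSED, ...)
soa_origin() {
    awk '
        /status: NXDOMAIN/        { nx = 1 }
        /^;; ANSWER SECTION:/     { sec = "ANSWER";    next }
        /^;; AUTHORITY SECTION:/  { sec = "AUTHORITY"; next }
        /^;; ADDITIONAL SECTION:/ { sec = "";          next }
        /^;/ || NF < 4            { next }         # header, question, blank lines
        sec != "" && $3 == "IN" && $4 == "SOA" {
            tag = nx ? "NXDOMAIN" : sec
            sub(/\.$/, "", $1)                     # strip the trailing dot
            print tag, $1
            found = 1
            exit
        }
        END { if (!found) print "NONE" }'
}

# Turns soa_origin output into a verdict for NAME.  usage: classify NAME < dig-reply
classify() {
    local name=${1%.} origin
    origin=$(soa_origin)
    case $origin in
        "ANSWER $name")  echo "zone apex" ;;
        "ANSWER "*)      echo "alias for zone apex ${origin#"ANSWER "}" ;;   # CNAME chased to an apex
        "AUTHORITY "*)   echo "host in zone ${origin#"AUTHORITY "}" ;;
        "NXDOMAIN "*)    echo "no such name; parent zone is ${origin#"NXDOMAIN "}" ;;
        *)               echo "no SOA returned" ;;
    esac
}

# --- constructed sample replies (not real lab output) ------------------------
REPLY_ZONE='
; <<>> DiG 9.18.1 <<>> soa internal.inlanefreight.htb @192.0.2.10
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;internal.inlanefreight.htb.   IN SOA

;; ANSWER SECTION:
internal.inlanefreight.htb. 604800 IN SOA ns1.inlanefreight.htb. root.inlanefreight.htb. 3 604800 86400 2419200 604800

;; AUTHORITY SECTION:
internal.inlanefreight.htb. 604800 IN NS  ns1.inlanefreight.htb.

;; ADDITIONAL SECTION:
ns1.inlanefreight.htb.      604800 IN A   192.0.2.10
'
REPLY_HOST='
; <<>> DiG 9.18.1 <<>> soa www.inlanefreight.htb @192.0.2.10
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.inlanefreight.htb.        IN SOA

;; AUTHORITY SECTION:
inlanefreight.htb.          604800 IN SOA ns1.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
'
REPLY_NXDOMAIN='
; <<>> DiG 9.18.1 <<>> soa nothere.inlanefreight.htb @192.0.2.10
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nothere.inlanefreight.htb.    IN SOA

;; AUTHORITY SECTION:
inlanefreight.htb.          604800 IN SOA ns1.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
'

echo "internal.inlanefreight.htb: $(printf '%s\n' "$REPLY_ZONE"     | classify internal.inlanefreight.htb)"
echo "www.inlanefreight.htb:      $(printf '%s\n' "$REPLY_HOST"     | classify www.inlanefreight.htb)"
echo "nothere.inlanefreight.htb:  $(printf '%s\n' "$REPLY_NXDOMAIN" | classify nothere.inlanefreight.htb)"
```

The NXDOMAIN case is separated on purpose: a name that does not exist at all still gets the parent zone’s SOA in the AUTHORITY section, so “an SOA came back” on its own does not prove the name exists, only which zone would hold it. This check needs the authoritative server (the @ in the query); a recursive resolver may answer from cache and drop the authority section.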

I’ve been stuck here for several days. I don’t understand the working principle of zone transfer. The only thing I can understand is the name server. I checked the forum and found that the answer to the second question was 2, but I obtained 22 records. I have also tried using other tools, but I still cannot solve the next few questions. I hope to get some hints. I can’t learn anything, which makes me so UPSET (THT). THANKS!!