The list of users in the lesson module can be downloaded here
9 Likes
For anyone else still struggling with this specific question, like others have mentioned: start by doing a dig Zone Transfer command on the main domain using the target machineâs IP as the DNS server. Then record all the subdomains you get back. Then use dig to try and Zone Transfer on those subdomains (app.inlanefreight.htb, internal.inlanefreight.htb, dev.inlanefreight.htb, etc.) and record any that you cannot get records for.
Finally, use either the bash script or the DNSEnum tool to brute force the subdomains you couldnât get records for using a very âfierceâ wordlist. Good luck and hope you learn something new like I did!
Huge help, thanks
Dont Worry Direct Ans Is Here 
(Academy - Footprinting - DNS - #67 by Neverakswhy)
any hints for IMAP/POP3? the last question? I tried literally everything, nothing worked out
Can anyone say to me where HTB have provided the so called wordlists. I have checked all section of this module and no one mentions any list. Please tell me if I am missing something.
1 Like
Could you tell me how did you do it? i.e. what command did you use? and which wordlist did you use?
There is a wordlist provided by HTB in this section.
+1 - tried the nse script and python enum script with good lists. Found it with Metasploit
Did you manage to find the wordlist?
Hi can you tell me where is the wordlist.
It is under the resources on the right hand side of the page. Unfortunately, it is not working with the smtp-user-enum.
Hey,
thanks to everybody for the golden tips/hints and the solutions.
Yes HTBâs âplanâ is to let us thinking outside the Box⌠but for beginners its maybe sometimes to difficult⌠not enough examples in the modules⌠i mean: Where is the info that we can use the single âsmtp-user-enumâ tool weâve never heard before? I was thinking they are meaning the Nmap script like in the examples⌠to be fair, its a medium module. There are a lot of this difficult questionsâŚi dont knowâŚat the end im happy with the community hints. But i think there could be a better way with a âlittleâ more pointing in the right way.
2 Likes
I found that Nmap isnât great here. Itâs fine for the first question but the second requires a different tool set. Both msploit and smtp-user-enum will work with the proper wordlist. Try a fuzzy one. However, with smtp-user-enum, I found I had to experiment with timings. Pro-tip: longer timeouts will be VERY beneficial here.
But if you just canât be bothered: the wordlist that will get your answer is /usr/shared/wordlists/wfuzz/general/medium.txt.
You can also use the wordlist that is provided in the resources, but I find that trying to use wordlists available on your own VM attack box or a list you may have compiled over time gives a more âreal-worldâ feel in terms of execution and the patience required to get a hit.
And remember, while rockyou is greatâŚitâs not always the most pragmatic choice. Know your wordlists and which ones are ideal for a given scenario. This bit comes with time.
Before revealing - dig a bit deeper and embrace the patience!
3 Likes
The file âfootprinting-wordlist.txtâ is in the resource
Iâm stuck. Tried everything i could find in this topic but no success. Anyone any tips how to come to the admin email and last flag in SMTP?
how would i write the command to include the wordlist.txt?
Which metasploit module would you use? several come up for smtp. not sure which one to use.