What is the FQDN of the host where the last octet ends with "x.x.x.203"? i dont know what do anymore

i used first:
for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
);do dig $sub.inlanefreight.htb @10.129.169.32 | grep -v ‘;|SOA’ | sed -r ‘/^\s*$/d’ | grep $sub | tee -a subdomains.txt;done
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
app.inlanefreight.htb. 604800 IN A 10.129.18.15

then
dnsenum --dnsserver 10.128.169.32 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt 203.inlanefreight.htb

and

dnsenum --dnsserver 10.128.169.32 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt --threads 90 inlanefreight.htb

dnsenum VERSION:1.2.6

----- 203.inlanefreight.htb -----

Host’s addresses:


Name Servers:


203.inlanefreight.htb NS record query failed: query timed out

then
dig A inlanefreight.htb @10.129.169.32

; <<>> DiG 9.18.11-2-Debian <<>> A inlanefreight.htb @10.129.169.32
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42245
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1aa7312d7f7924440100000063f9c5aa1624263184cd2716 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN A

;; AUTHORITY SECTION:
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 6

;; Query time: 64 msec
;; SERVER: 10.129.169.32#53(10.129.169.32) (UDP)
;; WHEN: Sat Feb 25 03:24:11 EST 2023
;; MSG SIZE rcvd: 115

but nothing, where am i wrong

Hi shinobi,
you have to use another wordlist.

2 Likes

What wordlist should i use?

You are really close to cracking this one. You have all the pieces necessary to complete it, but you aren’t quite there yet. I don’t want to completely give the answer away, but try to do a bit more enumeration on the subdomains that you have access to.

Remember, pay close attention to the Authority section from the dig results. That will give you a clue as to what may or may not have additional subdomains for you to find. Try to go through all the FQDNs you have found from the initial enumeration you did with ‘dig’ and try to see the pattern in what is and isn’t matching with the SOA record. That will give you an indication as to what you should or shouldn’t brute force.

Also, if you are able to zone transfer to something and see all the subdomains within it, you probably don’t have to worry about brute forcing it. That should cut down on the number of scans you will need to do to find the answer.

Otherwise, you are definitely on the right track if you haven’t already solved it.

It is one of the shorter lists in the seclist/Discovery/DNS directory. There may be a couple in that will yield what you need, but none of them are what is listed on the academy page example itself.

If you still can’t find the FQDN with x.x.x.203 from any of those, do a bit more enumeration on the subdomains that you have access to. Be thorough, because you may have missed something the first time.

I’m totally lost on this. Any pointers?

“inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800” This is the only one with a SOA

I tried this
dnsenum --dnsserver 10.129.173.58 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top500.txt --threads 90 inlanefreight.htb

and got this out put:
dnsenum VERSION:1.2.6

----- inlanefreight.htb -----

Host’s addresses:


Name Servers:


ns.inlanefreight.htb. 604800 IN A 127.0.0.1

Mail (MX) Servers:


Trying Zone Transfers and getting Bind Versions:


unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 900 thread 1.

Trying Zone Transfer for inlanefreight.htb on ns.inlanefreight.htb …
AXFR record query failed: no nameservers

Brute forcing with /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top500.txt:


Error: make sure that the file /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top500.txt exists and has a size greater than zero.

Ive tried all the wordlists from Seclists. not getting anywhere!

dnsenum --dnsserver 10.129.94.63 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/deepmagic.com-prefixes-top500.txt dev.inlanefreight.htb
what am I doing wrong ?