What is the FQDN of the host where the last octet ends with "x.x.x.203"?

Hello everybody,

I tried several approaches but do not get the subdomain (zone) which contains the X.X.X.203 box.

My approach:

└─$ dig +nocmd inlanefreight.htb AXFR +noall +answer @10.129.195.200
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800

Next, based on the found A addresses I searched those which do not allow any zone transfer with this approach:

└─$ dnsenum --dnsserver 10.129.1.16 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt internal.inlanefreight.htb
dnsenum VERSION:1.2.6

----- internal.inlanefreight.htb -----

Host’s addresses:


Name Servers:


internal.inlanefreight.htb NS record query failed: query timed out

But I do not gain anything.

Do you have a tip on what I am missing?

Thank you in advance for your feedback.

BR
Vidad

You need to find all the zones.

Hint: A zone must have a SOA entry.

There are DNS servers that allow zone transfer only from certain servers.

Hint: Only such zones must be explored by brute force.

Sure thing.
I solved it with this approach for anybody having issues:
dnsenum --dnsserver 10.129.42.195 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/(a small list).txt --threads 90 X.inlanefreight.htb

The X needs to be the zone in focus.

Thank you! Your post helped me.

I’m totally lost in this.

SOA entry - internal.inlanefreight.htb. 604800 IN SOA

Shouldn't this work - dnsenum --dnsserver 10.129.173.58 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top500.txt --threads 90 internal.inlanefreight.htb

This is what I get:
nsenum VERSION:1.2.6

----- internal.inlanefreight.htb -----

Host’s addresses:


Name Servers:


internal.inlanefreight.htb NS record query failed: REFUSED

I've tried several of the wordlists from the link within HTB but none of them work.

You need to find all the zones here.
There are zones that do not allow zone transfer.
If the zone allows zone transfer, it will give you all data voluntarily. So there is no need to bother this zone with various requests.
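
As an added example (not from any post in this thread), the Python below applies the SOA hint to saved dig AXFR answers: it lists the zone apexes, groups the A records a permitted transfer exposes under the most specific zone, and finds hosts by last octet. The example.test names and the addresses are constructed sample data, not the lab's records.

```python
import ipaddress

# Constructed sample: two AXFR answers in dig "+noall +answer" form, built from
# reserved example names and documentation addresses (not the lab's data).
SAMPLE = """\
example.test. 604800 IN SOA example.test. root.example.test. 2 604800 86400 2419200 604800
example.test. 604800 IN NS ns.example.test.
app.example.test. 604800 IN A 192.0.2.15
internal.example.test. 604800 IN A 192.0.2.6
example.test. 604800 IN SOA example.test. root.example.test. 2 604800 86400 2419200 604800
internal.example.test. 604800 IN SOA internal.example.test. root.example.test. 2 604800 86400 2419200 604800
dc1.internal.example.test. 604800 IN A 198.51.100.203
wsus.internal.example.test. 604800 IN A 198.51.100.4
internal.example.test. 604800 IN SOA internal.example.test. root.example.test. 2 604800 86400 2419200 604800
"""

def parse_records(text):
    """Return (owner, type, rdata) tuples, skipping blank and ';' comment lines."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and not fields[0].startswith(";"):
            owner, _ttl, _cls, rtype, rdata = fields
            records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records

def zone_apexes(records):
    """Names that own a SOA record, i.e. the zones present in the data."""
    return sorted({owner for owner, rtype, _ in records if rtype == "SOA"})

def hosts_by_zone(records):
    """Map each apex to its A records; a host belongs to the longest matching apex."""
    apexes = sorted(zone_apexes(records), key=len, reverse=True)
    zones = {apex: {} for apex in apexes}
    for owner, rtype, rdata in records:
        apex = next((a for a in apexes
                     if owner == a or owner.endswith("." + a)), None)
        if rtype == "A" and apex is not None:
            zones[apex][owner] = rdata
    return zones

def find_last_octet(records, octet):
    """FQDNs whose IPv4 address ends in the given last octet."""
    return sorted(owner for owner, rtype, rdata in records
                  if rtype == "A" and ipaddress.IPv4Address(rdata).packed[-1] == octet)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(zone_apexes(recs), find_last_octet(recs, 203))
```

Run against a server you administer, the same grouping shows exactly which hostnames each zone hands out when a transfer is permitted.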