Footprinting DNS
Now we will be working on the Footprinting DNS section in the Footprinting module on Hack The Box Academy.
DNS Zone Transfers used to be one of my weak points; however, when I originally did this on Hack The Box, it helped tremendously in understanding how DNS works. I highly recommend reading through the section if you struggle. And as always, practice makes perfect!
1. Interact with the target DNS using its IP address and enumerate the FQDN of it for the “inlanefreight.htb” domain.
First we must map the target IP to inlanefreight.htb via /etc/hosts:
sudo vi /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali.siffer.local kali
10.129.247.162 inlanefreight.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now we can use dig to query the domain's NS record. Remember to use the target IP address as the name server (the output header below confirms the query type was ns):
dig ns inlanefreight.htb @10.129.247.162
; <<>> DiG 9.19.21-1-Debian <<>> ns inlanefreight.htb @10.129.247.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15982
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 592ef17f37c631600100000066591a67f2ecfe076c188838 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN NS
;; ANSWER SECTION:
inlanefreight.htb. 604800 IN NS [redacted]
;; ADDITIONAL SECTION:
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
;; Query time: 39 msec
;; SERVER: 10.129.247.162#53(10.129.247.162) (UDP)
;; WHEN: Thu May 30 20:31:34 EDT 2024
;; MSG SIZE rcvd: 107
Excellent. We found the FQDN! Let's move on to the next question.
2. Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{…})
Now let's check to see if we can do some zone transfers! We can use dig with the axfr option to enumerate:
dig axfr inlanefreight.htb @10.129.247.162
; <<>> DiG 9.19.21-1-Debian <<>> axfr inlanefreight.htb @10.129.247.162
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 39 msec
;; SERVER: 10.129.247.162#53(10.129.247.162) (TCP)
;; WHEN: Thu May 30 20:39:04 EDT 2024
;; XFR size: 11 records (messages 1, bytes 560)
Looks like there are a few subdomains with A records:
- app.inlanefreight.htb
- dev.inlanefreight.htb
- internal.inlanefreight.htb
- mail1.inlanefreight.htb
We can now try a zone transfer against each of these subdomains in turn. Both app and dev failed; however, internal worked!
dig axfr internal.inlanefreight.htb @10.129.247.162
; <<>> DiG 9.19.21-1-Debian <<>> axfr internal.inlanefreight.htb @10.129.247.162
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN TXT "[Redacted]"
internal.inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
<SNIP>
;; Query time: 35 msec
;; SERVER: 10.129.247.162#53(10.129.247.162) (TCP)
;; WHEN: Thu May 30 20:40:52 EDT 2024
;; XFR size: 15 records (messages 1, bytes 677)
Several TXT records come back, and our flag is contained in one of them (redacted).
On to the next question.
3. What is the IPv4 address of the hostname DC1?
We can get the answer for this question from the internal zone transfer as well. It is part of the snipped portion above.
4. What is the FQDN of the host where the last octet ends with “x.x.x.203”?
This one takes a bit of trial and error with the tool dnsenum. We need to enumerate the correct subdomain and use the right wordlist. The proper command is:
dnsenum --dnsserver <DNS_SERVER_IP> --enum -p 0 -s 0 -o subdomains.txt -f </path/to/list.txt> <subdomain>.inlanefreight.htb
First I tried against the app subdomain and the NS query failed, so then I moved on to dev and started getting results; however, the first few lists I tried were not returning an IP with the last octet 203. I finally got there using fierce-hostlist.txt:
dnsenum --dnsserver 10.129.247.162 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb
dnsenum VERSION:1.3.1
----- dev.inlanefreight.htb -----
Host's addresses:
__________________
Name Servers:
<SNIP>
Mail (MX) Servers:
<SNIP>
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
<SNIP>
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt:
____________________________________________________________________________________
dev1.dev.inlanefreight.htb. 604800 IN A 10.12.3.6
ns.dev.inlanefreight.htb. 604800 IN A 127.0.0.1
[redacted]. 604800 IN A x.x.x.203
And there we have the answer!
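Both the manual walk through the AXFR output above (picking out the subdomains to try next) and the last-octet hunt in question 4 are record filtering, which is less error-prone with a small parser than by eye. The script below is an added example, not part of this write-up and not code from dig or dnsenum: it parses the zone-file style lines both tools print, builds a hostname-to-IPv4 map, finds hosts whose address ends in a given octet, and flags A records that point at loopback (as the ns glue does above, which is worth noting when reviewing a zone). The zone example.htb and every hostname and IP in SAMPLE_AXFR_OUTPUT are constructed; pass a file of real dig or dnsenum output as the first argument to use it on your own results.

```python
import ipaddress
import re
import sys

# Constructed sample in the format dig axfr / dnsenum print. Names and
# addresses are made up for this example and do not come from the lab.
SAMPLE_AXFR_OUTPUT = """\
; <<>> DiG 9.19.21-1-Debian <<>> axfr example.htb @10.0.0.53
;; global options: +cmd
example.htb.              604800  IN  SOA  example.htb. root.example.htb. 2 604800 86400 2419200 604800
example.htb.              604800  IN  TXT  "v=spf1 ip4:10.0.0.8 ~all"
example.htb.              604800  IN  NS   ns.example.htb.
app.example.htb.          604800  IN  A    10.0.18.15
dev.example.htb.          604800  IN  A    10.12.0.1
internal.example.htb.     604800  IN  A    10.0.1.6
ns.example.htb.           604800  IN  A    127.0.0.1
files.internal.example.htb. 604800 IN A   10.0.34.16
win2k8.dev.example.htb.   604800  IN  A    10.12.4.203
;; XFR size: 9 records (messages 1, bytes 500)
"""

# One resource record per line: NAME TTL IN TYPE RDATA (rdata may contain spaces/quotes).
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)


def parse_zone_output(text):
    """Return (name, type, rdata) tuples, skipping dig's ';' chatter and
    any line that is not a resource record. Names are normalised to
    lowercase with the trailing dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"].rstrip(".").lower(), m["type"], m["rdata"]))
    return records


def a_records(records):
    """Map hostname -> IPv4 string for every A record (last one wins on duplicates)."""
    return {name: rdata for name, rtype, rdata in records if rtype == "A"}


def hosts_with_last_octet(records, octet):
    """Hostnames whose A record ends in the given last octet (the question 4 pattern)."""
    return sorted(
        name for name, ip in a_records(records).items()
        if ipaddress.IPv4Address(ip).packed[-1] == octet
    )


def loopback_glue(records):
    """A records pointing into 127.0.0.0/8. A name server whose glue resolves
    to loopback is unusable by other hosts and stands out in a zone review."""
    return sorted(
        name for name, ip in a_records(records).items()
        if ipaddress.IPv4Address(ip).is_loopback
    )


def count_by_type(records):
    """Summary of how many records of each type the transfer returned."""
    counts = {}
    for _, rtype, _ in records:
        counts[rtype] = counts.get(rtype, 0) + 1
    return counts


if __name__ == "__main__":
    # Use a real capture if a path is given, otherwise the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AXFR_OUTPUT
    recs = parse_zone_output(text)
    print("record counts:", count_by_type(recs))
    for name, ip in sorted(a_records(recs).items()):
        print(f"{name:30} {ip}")
    print("hosts ending in .203:", hosts_with_last_octet(recs, 203))
    print("loopback glue:", loopback_glue(recs))
```

Running it on the write-up's own dig or dnsenum output (saved to a file) gives the same per-host list the text walks through by hand; the 203 filter is the trial-and-error step from question 4 reduced to one call.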
This is an excellent example of why you shouldn't rely on a single wordlist. Always do a couple of passes during enumeration with different wordlists to paint a full picture! Enumeration is the most important step of a penetration test, so be as thorough as possible.