DNS (53)

Dig NS query

dig ns inlanefreight.htb @10.129.14.128

Dig version query

dig CH TXT version.bind @10.129.120.85

Dig ANY query

dig any inlanefreight.htb @10.129.14.128

Zone Transfer

Dig AXFR (full zone transfer)

dig axfr inlanefreight.htb @10.129.14.128

Using Fierce for Zone Transfer

Fierce

# fierce --domain zonetransfer.me

Bruteforcing subdomains

Using dig

for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

Using DNSEnum

dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

Using subbrute

$ git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
$ cd subbrute
$ echo "ns1.inlanefreight.com" > ./resolvers.txt
$ ./subbrute.py inlanefreight.com -s ./names.txt -r ./resolvers.txt

Using subfinder for enumeration

# ./subfinder -d inlanefreight.com -v       

Notes:

Zone transfers run over TCP, so AXFR only works when TCP port 53 is reachable and the server is configured to allow transfers to our address (allow-transfer in BIND); a REFUSED answer means the port is open but the transfer is restricted.

BIND9 CVEs: ISC Bind : CVE security vulnerabilities, versions and detailed reports (cvedetails.com)
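What dig axfr does on the wire, as an added example (not code from the original page or from the HTB material it follows): a minimal AXFR client built on the standard library only. It covers both the Zone Transfer commands above and the note about TCP port 53: the query is the same 12-byte header and question as a normal lookup, but it is sent over TCP with a 2-byte length prefix, and the server streams back one or more messages whose answer sections hold the whole zone, bracketed by two copies of the SOA. The response used here is constructed inline, not captured from a real server; the zone name, server address and record values are taken from the commands on this page and are assumptions.

```python
import socket
import struct

AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Dotted name -> DNS label wire format (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(zone, qtype=AXFR, txid=0x1337):
    """12-byte header (flags 0: AXFR needs no RD) followed by one question for the zone."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", qtype, 1)


def tcp_frame(msg):
    """Zone transfers run over TCP; every message carries a 2-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # bound the loop so a hostile pointer chain cannot spin forever
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # 11xxxxxx: pointer to an earlier offset in the message
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_records(msg):
    """Answer-section RRs of one message as (owner, type, ttl, rdata); raises on a non-zero RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("RCODE %d: transfer refused or zone unknown" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):  # NS / CNAME: rdata is a single (possibly compressed) name
            value = decode_name(msg, off)[0]
        elif rtype == 6:  # SOA: MNAME, RNAME, then five 32-bit fields
            mname, o2 = decode_name(msg, off)
            value = "%s %s" % (mname, decode_name(msg, o2)[0])
        else:
            value = msg[off:off + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the transfer early")
        buf += chunk
    return buf


def axfr(zone, server, port=53, timeout=5):
    """Live transfer (needs network): read messages until the closing SOA appears."""
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(zone)))
        while soa_seen < 2:
            length = struct.unpack(">H", _recv_exact(s, 2))[0]
            for rr in parse_records(_recv_exact(s, length)):
                records.append(rr)
                if rr[1] == "SOA":
                    soa_seen += 1
    return records


def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_response():
    """Constructed AXFR reply (not a capture) for inlanefreight.htb; 0xC00C points at the question name."""
    zone = b"\xC0\x0C"
    soa = (encode_name("ns.inlanefreight.htb") + encode_name("admin.inlanefreight.htb")
           + struct.pack(">IIIII", 2024010101, 3600, 900, 604800, 86400))
    body = (_rr(zone, 6, 86400, soa)
            + _rr(zone, 2, 86400, encode_name("ns.inlanefreight.htb"))
            + _rr(encode_name("ns.inlanefreight.htb"), 1, 3600, bytes([10, 129, 14, 128]))
            + _rr(encode_name("www.inlanefreight.htb"), 1, 3600, bytes([10, 129, 14, 129]))
            + _rr(zone, 6, 86400, soa))
    return (struct.pack(">HHHHHH", 0x1337, 0x8400, 1, 5, 0, 0)
            + encode_name("inlanefreight.htb") + struct.pack(">HH", AXFR, 1) + body)


if __name__ == "__main__":
    for owner, rtype, ttl, value in parse_records(sample_response()):
        print(owner, ttl, rtype, value)
    # Against a live target: axfr("inlanefreight.htb", "10.129.14.128")
```

The length-prefix framing is the reason a UDP-only firewall rule for port 53 breaks AXFR while ordinary lookups keep working, and parse_records turning RCODE 5 into an exception is the programmatic equivalent of dig printing "Transfer failed."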

Subdomain Takeover

Check CNAME

# host support.inlanefreight.com

support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com

https://github.com/EdOverflow/can-i-take-over-xyz
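Triage for the CNAME check above, as an added example (not code from the original page): it parses "is an alias for" lines out of host output and flags names whose target sits on a third-party service, which are the ones worth checking against can-i-take-over-xyz. The host output is constructed, not captured, and the suffix-to-service table is an assumption for illustration; the can-i-take-over-xyz list is the authoritative source for which services are actually vulnerable.

```python
import re
import socket

# Constructed sample output of `host` (not a real capture) for a few inlanefreight.com names.
HOST_OUTPUT = """\
support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com.
blog.inlanefreight.com is an alias for inlanefreight.github.io.
www.inlanefreight.com has address 10.129.14.128
shop.inlanefreight.com is an alias for shop-inlanefreight.myshopify.com.
mail.inlanefreight.com mail is handled by 10 mx.inlanefreight.com.
"""

# Assumed mapping of CNAME target suffixes to third-party services. Whether a given
# service is actually takeover-prone is what can-i-take-over-xyz tracks; this table
# only decides what is worth looking up there.
THIRD_PARTY = {
    ".s3.amazonaws.com": "Amazon S3",
    ".github.io": "GitHub Pages",
    ".myshopify.com": "Shopify",
    ".azurewebsites.net": "Azure App Service",
    ".herokuapp.com": "Heroku",
}

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")


def parse_aliases(text):
    """Return (name, cname_target) pairs from `host` output, ignoring A and MX lines."""
    pairs = []
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            pairs.append((m.group(1).rstrip("."), m.group(2).rstrip(".")))
    return pairs


def classify(target):
    """Name the third-party service a CNAME target points at, or None for in-house targets."""
    t = target.lower()
    for suffix, service in THIRD_PARTY.items():
        if t.endswith(suffix):
            return service
    return None


def candidates(text):
    """Names whose CNAME points at a third-party service: the takeover candidates."""
    return [(name, target, classify(target))
            for name, target in parse_aliases(text) if classify(target)]


def is_dangling(target):
    """Live check (needs network): a CNAME target that no longer resolves is the strongest signal."""
    try:
        socket.getaddrinfo(target, None)
        return False
    except socket.gaierror:
        return True


if __name__ == "__main__":
    for name, target, service in candidates(HOST_OUTPUT):
        print(name, "->", target, "(" + service + ")")
```

is_dangling only catches targets that return NXDOMAIN; for services like S3 the target hostname still resolves and the tell is the service's own "NoSuchBucket" style response, so a candidate still has to be confirmed against the fingerprint listed for that service.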

DNS Spoofing

DNS Cache Poisoning

Local DNS Cache Poisoning

Using MITM tools like Ettercap or Bettercap. Ettercap takes its spoofed answers from etter.dns:

# cat /etc/ettercap/etter.dns
inlanefreight.com      A   192.168.225.110
*.inlanefreight.com    A   192.168.225.110

  1. In ettercap, Hosts > Scan for Hosts

  2. Add Target IP to target1; Add the default gateway to target2

  3. Activate DNS spoof (dns_spoof), Plugins > Manage Plugins
