Port 23 (DNS)

Each domain can use different types of DNS records. Some of the most common types of DNS records include:

NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
A: Also known as a host record, the "a record" contains the IPv4 address of a hostname (such as www.test.com).
AAAA: Also known as a quad A host record, the "aaaa record" contains the IPv6 address of a hostname (such as www.test.com).
MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
PTR: Pointer Records are used in reverse lookup zones and can find the records associated with an IP address.
CNAME: Canonical Name Records are used to create aliases for other host records.
TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.

Using host to find the A host record for www.test.com

host www.test.com

By default, the host command searches for an A record, but we can also query other fields, such as MX or TXT records

host -t mx www.test.com

dnsrecon

DNSRecon is an advanced DNS enumeration script written in Python. Let's run dnsrecon against test.com, using the -d option to specify a domain name and -t to specify the type of enumeration to perform (in this case, a standard scan).

dnsrecon -d test.com -t std

Let's try to brute force additional hostnames using the list.txt file we created. To perform our brute force attempt, we will use the -d option to specify a domain name, -D to specify a file name containing potential subdomain strings, and -t to specify the type of enumeration to perform, in this case brt for brute force.

dnsrecon -d test.com -D ~/list.txt -t brt

dnsenum

DNSEnum is another popular DNS enumeration tool that can be used to further automate DNS enumeration of the test.com domain.

dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r

Windows

Once connected to the Windows 11 client, we can open a command prompt window and run a simple query to resolve the A record for the test.com host.

nslookup test.com

Footprinting the Service

DIG - NS Query

dig ns inlanefreight.htb @10.129.14.128

Version query

dig CH TXT version.bind 10.129.120.85

ANY Query

dig any inlanefreight.htb @10.129.14.128

AXFR Zone Transfer

First grab the NS of the domain

dig NS inlanefreight.htb +short

Then use the NS as @ parameter

dig axfr inlanefreight.htb @10.129.14.128

PreviousPort 21 (FTP)NextPort 25 (SMTP)

Last updated 1 month ago