VulnableOne
  • 🧘‍♂️About Me
  • Offensive Treasure
    • 🧌Penetration Testing
      • Reconnaissance
        • Identify Ports/Hosts/Data
      • Enumeration
        • Service Ports
          • FTP (21)
          • SSH (22)
          • SMTP (25)
          • DNS (53)
          • TFTP (69/udp)
          • Finger (79)
          • SaMBa (139/445)
          • RPC/NFS (111/135)
          • SNMP (161/udp)
          • LDAP (389)
          • isakmp (500/udp)
          • Java (1099)
          • MS-SQL (1433)
          • MySQL (3306)
          • Distcc (3622)
          • PostgreSQL (5437)
          • Redis (6379)
      • Password Attack
        • Wordlist
        • Brute-Force
        • Crack Hash
      • File Transfer
        • Linux
        • Window
      • Misc
    • 🧙‍♂️AD Attack
      • Domain Enumeration
        • PowerView
        • AD-Module
        • Bloodhound
      • Abuse ACLs
        • GenericAll
        • GenericWrite
        • WriteDACL
        • ForceChangePassword
      • Kerberos Attack
        • Kerberoasting
        • ASREPRoasting
        • Unconstrained Delegation
        • Constrained Delegation
        • Resource Based Constrained Delegation
      • LAPs
      • MS SQL Servers
        • PowerUpSQL
        • SQL Server Management
        • Impacket-MSSQL
    • 🥷Red Team
      • Reconnaissance
        • Active Scanning
          • Scanning IP Blocks
          • Vulnerability Scanning
          • Wordlist Scanning
        • Gather Victim Host Information
          • Software
        • Gather Victim Identity Information
          • Credentials
          • Email Addresses
        • Search Open Websites/Domains
          • Social Media
          • Search Engines
          • Code Repositories
        • Search Victim-Owned Websites
      • Resource Development
        • C2 Infrastructure
        • Metasploit
      • Execution
        • Bash - Reverse Shell
        • HTA
        • JScript Dropper
        • Macro
        • Metasploit
        • Network Tools
        • Powershell
        • Python
        • VBA
        • Web Shell
        • WSH
      • Persistence
        • Logon Script
        • Startup Folder
        • WinLogon (Elevated)
        • Run / RunOnce (Elevated)
        • Scheduled Tasks (Elevated )
      • Privilege Escalation
        • Windows
          • SeBackup / SeRestore
          • SeTakeOwnership
          • SeImpersonate / SeAssignPrimaryToken
          • UAC Bypass
          • AutoInstall Elevate
          • Unquoted Service Paths
          • Weak Service Permissions
          • Weak Service Binary Permissions
        • Linux
          • Escalation
      • Defense Evasion
        • Bypassing AV
          • Pack Shellcode
        • Security Control
          • CLM
          • AppLocker
        • Use Alternate Authentication Material
          • Pass The Hash
          • Over Pass The Hash
          • Extract Tickets
          • Pass The Ticket
        • Impersonate
      • Credential Access
        • Adversary-in-the-Middle
          • LLMNR/NBT-NS/MDNS Poisoning
          • Evil SSDP
        • OS Credential Dumping
          • Protected LSASS
          • Invoke-Mimikatz
          • Mimikatz.exe
          • Secretsdump
          • Meterpreter Kiwi
          • Registry
          • Shadow Copy
          • DCSync
        • Steal or Forge Kerberos Tickets
          • Silver Ticket
          • Golden Ticket
        • Steal Web Session Cookie
      • Lateral Movement
        • Remote Access
        • Pivoting
          • Linux
          • Window
    • Web Application
      • Basic Recon
  • Blog
    • 📝Empty!!!
  • Course Review
    • 👨‍🎓Cyber Security Courses Journey
      • PNPT Journey
      • OSCP Journey
        • 🚩CTF
          • Hack The Box
            • Linux Boxes
              • ✅Admirer (Easy)
              • ✅Bashed (Easy)
              • ✅Beep (Easy)
              • ✅Blocky (Easy)
              • ✅FriendZone (Easy)
              • ✅Irked (Easy)
              • ✅Lame (Easy)
              • ✅Mirai (Easy)
              • ✅Networked (Easy)
              • ✅Nibbles (Easy)
              • ✅OpenAdmin (Easy)
              • ✅Sense (Easy)
              • ✅Shocker (Easy)
              • ✅Sunday (Easy)
              • ✅Tabby (Easy)
              • ✅Traverxec (Easy)
              • ✅Valentine (Easy)
              • ✅Cronos (Medium)
              • ✅Haircut (Medium)
              • ✅Jarvis (Medium)
              • ✅Magic (Medium)
              • ✅Nineveh (Medium)
              • ✅Node (Medium)
              • ✅Poison (Medium)
              • ✅SolidState (Medium)
              • ✅TartarSauce (Medium)
            • Window Boxes
              • ✅Arctic (Easy)
              • ✅Active (Easy)
              • ✅Blue (Easy)
              • ✅Bounty (Easy)
              • ✅Devel (Easy)
              • ✅Forest (Easy)
              • ✅Granny (Easy)
              • ✅Granpa (Easy)
              • ✅Jerry (Easy)
              • ✅Legacy (Easy)
              • ✅Optimum (Easy)
              • ✅Bastard (Medium)
              • ✅Silo (Medium)
          • Buffer Overflow
            • BOF - Tib3rius
            • BOF - TCM
              • 1- Spiking
              • 2- Fuzzing
              • 3- Finding Offset
              • 4- Overwriting EIP
              • 5- Finding Bad Characters
              • 6- Finding the Right Module
              • 7- Generating Shellcode
Powered by GitBook
On this page
  • Nslookup
  • Dig
  • Host (Zone Transfer)
  • BruteForce Subdomain
  1. Offensive Treasure
  2. Penetration Testing
  3. Enumeration
  4. Service Ports

DNS (53)

Nslookup

nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.
> ns1.cronos.htb
Server:         10.10.10.13
Address:        10.10.10.13#53

Name:   ns1.cronos.htb
Address: 10.10.10.13

Dig 

# Zone Transfer
└─$ dig axfr cronos.htb @10.10.10.13

; <<>> DiG 9.16.15-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 63 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Wed Nov 03 05:37:37 EDT 2021
;; XFR size: 7 records (messages 1, bytes 203)
# Resolve and Verify domain
└─$ dig @10.10.10.161 forest.htb.local

Host (Zone Transfer)

└─$ host -l cronos.htb 10.10.10.13                                                                                                                                    127 ⨯
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases: 

cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13

BruteForce Subdomain

└─$ gobuster dns -d cronos.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     cronos.htb
[+] Threads:    50
[+] Timeout:    1s
[+] Wordlist:   /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
2021/11/03 06:51:16 Starting gobuster in DNS enumeration mode
===============================================================
Found: www.cronos.htb
Found: admin.cronos.htb
                                   
===============================================================
2021/11/03 07:07:26 Finished
===============================================================
PreviousSMTP (25)NextTFTP (69/udp)

Last updated 1 year ago

🧌