Intro
The Footprinting module consists of eleven sub-modules. This write-up is a continuation of the previous one and covers the middle section of the module, with explanations and analysis for each task.
4. DNS
Task 1: Interact with the target DNS using its IP address and enumerate the FQDN of it for the “inlanefreight.htb” domain.
A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts: the hostname and the domain name.
Let’s start by enumerating the target DNS with the following dig ns command, which lists the name server records for the domain.
┌──(solo㉿HTB)-[~]
└─$ dig ns inlanefreight.htb @10.129.245.156
; <<>> DiG 9.19.19-1-Debian <<>> ns inlanefreight.htb @10.129.245.156
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11861
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 15b8a2fc4d46bd520100000065f439050017661c744bde19 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN NS
;; ANSWER SECTION:
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
;; ADDITIONAL SECTION:
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
;; Query time: 1008 msec
;; SERVER: 10.129.245.156#53(10.129.245.156) (UDP)
;; WHEN: Date
;; MSG SIZE rcvd: 107
Answer: ns.inlanefreight.htb
Task 2: Identify if it’s possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{…})
Zone transfer refers to the transfer of zones to another server in DNS, which generally happens over TCP port 53. This procedure is abbreviated Asynchronous Full Transfer Zone (AXFR).
The original data of a zone is located on a DNS server, which is called the primary name server for this zone. However, to increase the reliability, realize a simple load distribution, or protect the primary from attacks, one or more additional servers are installed in practice in almost all cases, which are called secondary name servers for this zone.
We will continue enumerating with the dig axfr command to see if we get any results.
┌──(solo㉿HTB)-[~]
└─$ dig axfr inlanefreight.htb @10.129.245.156
; <<>> DiG 9.19.19-1-Debian <<>> axfr inlanefreight.htb @10.129.245.156
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 2232 msec
;; SERVER: 10.129.245.156#53(10.129.245.156) (TCP)
;; WHEN: date
;; XFR size: 11 records (messages 1, bytes 560)
The transfer reveals an internal subdomain (internal.inlanefreight.htb), which may well be a separate zone served by the same name server. Let’s try a zone transfer for it as well.
┌──(solo㉿HTB)-[~]
└─$ dig axfr internal.inlanefreight.htb @10.129.245.156
; <<>> DiG 9.19.19-1-Debian <<>> axfr internal.inlanefreight.htb @10.129.245.156
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN TXT "HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}"
internal.inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
internal.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
dc1.internal.inlanefreight.htb. 604800 IN A 10.129.34.16
dc2.internal.inlanefreight.htb. 604800 IN A 10.129.34.11
mail1.internal.inlanefreight.htb. 604800 IN A 10.129.18.200
ns.internal.inlanefreight.htb. 604800 IN A 127.0.0.1
vpn.internal.inlanefreight.htb. 604800 IN A 10.129.1.6
ws1.internal.inlanefreight.htb. 604800 IN A 10.129.1.34
ws2.internal.inlanefreight.htb. 604800 IN A 10.129.1.35
wsus.internal.inlanefreight.htb. 604800 IN A 10.129.18.2
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.129.245.156#53(10.129.245.156) (TCP)
;; WHEN: date
;; XFR size: 15 records (messages 1, bytes 677)
Answer: HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}
Task 3: What is the IPv4 address of the hostname DC1?
This question is straightforward and we have already enumerated this information in the previous task.
Answer: 10.129.34.16
Task 4: What is the FQDN of the host where the last octet ends with “x.x.x.203”?
This task took us a while to figure out and is by no means an obvious one. The individual A records with their hostnames can be found with the help of a brute-force attack. To do this, we need a list of possible hostnames, which we use to send the requests in order. Such lists are provided, for example, by SecLists. Download fierce-hostlist.txt and make sure the path (/home/yourfilespath/fierce-hostlist.txt) in the command is correct.
┌──(solo㉿HTB)-[~]
└─$ for sub in $(cat /home/fierce-hostlist.txt);do dig $sub.dev.inlanefreight.htb @10.129.245.156 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
dev1.dev.inlanefreight.htb. 604800 IN A 10.12.3.6
ns.dev.inlanefreight.htb. 604800 IN A 127.0.0.1
win2k.dev.inlanefreight.htb. 604800 IN A 10.12.3.203
Answer: win2k.dev.inlanefreight.htb
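To tie Tasks 2 and 4 together, here is an added Python example (not part of the original write-up or of the HTB module) that parses dig axfr output offline: it checks that the transfer completed (the zone's SOA record frames the answer), groups the records by type, and answers the last-octet question without re-running the brute-force loop. The sample zone text is constructed from the records shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the exact line format dig axfr printed above;
# the records are copied from the page's transfer output, not from a live query.
SAMPLE_AXFR = """\
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org ip4:10.129.124.8 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
win2k.dev.inlanefreight.htb. 604800 IN A 10.12.3.203
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 2232 msec
"""

# owner.  ttl  IN  type  rdata   (the owner's trailing dot is dropped)
RR_LINE = re.compile(r'^(\S+)\.\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$')

def parse_axfr(text):
    """Group resource records by type, skipping dig's ';' comment lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith(';'):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records[rtype].append((owner, rdata.strip()))
    return records

def transfer_succeeded(records):
    """A complete AXFR starts and ends with the same SOA record."""
    return len(records['SOA']) == 2 and records['SOA'][0] == records['SOA'][-1]

def hosts_by_last_octet(records, octet):
    """Task 4 check: A records whose address ends in the given octet."""
    return sorted(owner for owner, ip in records['A'] if ip.split('.')[-1] == str(octet))

def loopback_hosts(records):
    """Hosts published with a loopback address, like the ns record above."""
    return sorted(owner for owner, ip in records['A'] if ip.startswith('127.'))

if __name__ == '__main__':
    zone = parse_axfr(SAMPLE_AXFR)
    print('complete transfer:', transfer_succeeded(zone))
    print('ends in .203:', hosts_by_last_octet(zone, 203))
    print('loopback:', loopback_hosts(zone))
```

From the defending side, the finding in Task 2 is that the server answers AXFR for any client; restricting transfers to the secondaries' addresses (BIND's allow-transfer option, or the equivalent on other servers) removes that exposure.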
5. SMTP
Task 1: Enumerate the SMTP service and submit the banner, including its version as the answer.
To interact with the SMTP server, we can use the telnet tool to open a TCP connection to it. The server greets us with its banner; the actual SMTP session is then initialized with the HELO or EHLO command.
┌──(solo㉿HTB)-[~]
└─$ telnet 10.129.245.156 25
Trying 10.129.245.156...
Connected to 10.129.245.156.
Escape character is '^]'.
220 InFreight ESMTP v2.11
Answer: InFreight ESMTP v2.11
Task 2: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
┌──(solo㉿HTB)-[~]
└─$ telnet 10.129.245.156 25
Trying 10.129.245.156...
Connected to 10.129.245.156.
Escape character is '^]'.
220 InFreight ESMTP v2.11
6. IMAP
Task 1: TBA.
Conclusion
This module offers an exceptional opportunity for individuals seeking to acquire proficient skills in utilizing different Host Based Enumeration tools. Mastery of these tools is highly recommended for anyone aspiring to excel in this field, making this module an essential resource for knowledge acquisition.