DNS & Subdomains

WHOIS

eldeim@htb[/htb]$ whois inlanefreight.com

[...]
Domain Name: inlanefreight.com
Registry Domain ID: 2420436757_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.amazon
Registrar URL: https://registrar.amazon.com
Updated Date: 2023-07-03T01:11:15Z
Creation Date: 2019-08-05T22:43:09Z
[...]

Each WHOIS record typically contains the following information:

  • Domain Name: The domain name itself (e.g., example.com)

  • Registrar: The company where the domain was registered (e.g., GoDaddy, Namecheap)

  • Registrant Contact: The person or organization that registered the domain.

  • Administrative Contact: The person responsible for managing the domain.

  • Technical Contact: The person handling technical issues related to the domain.

  • Creation and Expiration Dates: When the domain was registered and when it's set to expire.

  • Name Servers: The authoritative DNS servers for the domain, i.e. the servers that answer queries for its records.

DNS

Common record types, with a zone-file example for each:

  • A (Address Record): Maps a hostname to its IPv4 address.
      www.example.com. IN A 192.0.2.1

  • AAAA (IPv6 Address Record): Maps a hostname to its IPv6 address.
      www.example.com. IN AAAA 2001:db8:85a3::8a2e:370:7334

  • CNAME (Canonical Name Record): Creates an alias for a hostname, pointing it to another hostname.
      blog.example.com. IN CNAME webserver.example.net.

  • MX (Mail Exchange Record): Specifies the mail server(s) responsible for handling email for the domain; the number is the preference, and lower values are tried first.
      example.com. IN MX 10 mail.example.com.

  • NS (Name Server Record): Delegates a DNS zone to an authoritative name server.
      example.com. IN NS ns1.example.com.

  • TXT (Text Record): Stores arbitrary text, commonly used for domain verification and for email security policies such as SPF, DKIM and DMARC.
      example.com. IN TXT "v=spf1 mx -all"   (SPF record)

  • SOA (Start of Authority Record): Administrative information about a zone: the primary name server, the responsible contact (admin.example.com. encodes admin@example.com), and the serial, refresh, retry, expire and minimum-TTL values.
      example.com. IN SOA ns1.example.com. admin.example.com. 2024060301 10800 3600 604800 86400

  • SRV (Service Record): Defines the hostname and port for a named service, with a priority and a weight.
      _sip._udp.example.com. IN SRV 10 5 5060 sipserver.example.com.

  • PTR (Pointer Record): Used for reverse DNS lookups, mapping an IP address (written octet-reversed under in-addr.arpa) back to a hostname.
      1.2.0.192.in-addr.arpa. IN PTR www.example.com.

Digging DNS

  • dig domain.com: Performs a default A record lookup for the domain.

  • dig domain.com A: Retrieves the IPv4 address (A record) associated with the domain.

  • dig domain.com AAAA: Retrieves the IPv6 address (AAAA record) associated with the domain.

  • dig domain.com MX: Finds the mail servers (MX records) responsible for the domain.

  • dig domain.com NS: Identifies the authoritative name servers for the domain.

  • dig domain.com TXT: Retrieves any TXT records associated with the domain (SPF, DMARC, verification tokens).

  • dig domain.com CNAME: Retrieves the canonical name (CNAME) record for the domain.

  • dig domain.com SOA: Retrieves the start of authority (SOA) record for the domain.

  • dig @1.1.1.1 domain.com: Sends the query to a specific name server, in this case 1.1.1.1, instead of the system resolver.

  • dig +trace domain.com: Shows the full path of DNS resolution, from the root servers down to the authoritative server.

  • dig -x 192.168.1.1: Performs a reverse (PTR) lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server.

  • dig +short domain.com: Provides a short, concise answer to the query (just the record data).

  • dig +noall +answer domain.com: Displays only the answer section of the response.

Subdomain Bruteforcing

DNSEnum

Let's see dnsenum in action by enumerating subdomains for our target, inlanefreight.com. In this demonstration we use the subdomains-top1million-20000.txt wordlist from SecLists, which contains the 20,000 most common subdomain labels.

dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r

--enum: shortcut equivalent to --threads 5 -s 15 -w (threaded resolution plus Google scraping and whois lookups on discovered netblocks)

-r: enables recursive subdomain brute-forcing, meaning that if dnsenum finds a subdomain, it will then try to enumerate subdomains of that subdomain

eldeim@htb[/htb]$ dnsenum --enum inlanefreight.com -f  /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt 

dnsenum VERSION:1.2.6

-----   inlanefreight.com   -----

Host's addresses:
__________________

inlanefreight.com.                       300      IN    A        134.209.24.248

[...]

Brute forcing with /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt:
_______________________________________________________________________________________

www.inlanefreight.com.                   300      IN    A        134.209.24.248
support.inlanefreight.com.               300      IN    A        134.209.24.248
[...]

done.
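What dnsenum does for each word, written out with dig, as an added example that is not part of the page or of the dnsenum project. It adds the check a brute force is useless without: wildcard detection, so that a zone answering for *.inlanefreight.com does not turn every wordlist entry into a "hit". The resolver 1.1.1.1 is an assumed default; the wordlist path is the one used on the page.

```shell
#!/bin/sh
# Added example (not from the page or dnsenum): subdomain brute force with dig
# plus the wildcard check that keeps the hit list honest.
# Assumptions: dig is installed; 1.1.1.1 is an acceptable resolver.

RESOLVER="${RESOLVER:-1.1.1.1}"
WORDLIST="${WORDLIST:-/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt}"

# A-record answers for a name, one IPv4 per line, sorted so address sets compare equal.
resolve() {
    dig +short +time=2 +tries=1 A "$1" "@$RESOLVER" | grep -E '^[0-9.]+$' | sort
}

# Wildcard detection: resolve a label nobody would have created. If it answers,
# every candidate that returns the same address set is the wildcard, not a host.
wildcard_ips() {
    resolve "wc-$(date +%s)-$$.$1"
}

# Decide whether a candidate's address set (stdin) is a genuine hit.
# $1 is the wildcard address set (empty when the zone has no wildcard).
# Exit 0 = real host; 1 = no answer, or identical to the wildcard answer.
is_real_hit() {
    wc_set="$1"
    cand=$(cat)
    [ -n "$cand" ] && [ "$cand" != "$wc_set" ]
}

brute() {
    domain="$1"
    wc_set=$(wildcard_ips "$domain")
    if [ -n "$wc_set" ]; then
        echo "[!] wildcard DNS: *.$domain -> $(echo "$wc_set" | tr '\n' ' ')"
    fi
    while IFS= read -r word; do
        fqdn="$word.$domain"
        ips=$(resolve "$fqdn")
        if echo "$ips" | is_real_hit "$wc_set"; then
            echo "$fqdn $(echo "$ips" | tr '\n' ' ')"
        fi
    done < "$WORDLIST"
}

# usage: sh brute.sh inlanefreight.com
if [ $# -eq 1 ]; then brute "$1"; fi
```

A hit whose address set differs from the wildcard's is still worth a second look (some wildcards round-robin across several IPs), but this filter removes the bulk of the noise that an unchecked brute force reports as thousands of "subdomains".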

Exploiting Zone Transfers

A zone transfer (AXFR) is how a primary name server replicates its entire zone to its secondaries, over TCP port 53. It is meant to be restricted to those secondaries (in BIND, allow-transfer); when it is not, anyone can pull the complete zone. You can use the dig command to request a zone transfer:

eldeim@htb[/htb]$ dig axfr @nsztm1.digi.ninja zonetransfer.me

This command instructs dig to request a full zone transfer (axfr) from nsztm1.digi.ninja, one of the authoritative name servers for zonetransfer.me. Find the authoritative servers first with dig NS zonetransfer.me and try each of them, since every server is configured independently. If a server allows the transfer, you'll receive every record in the zone, including all subdomains; if it is properly restricted, dig reports "; Transfer failed.".

eldeim@htb[/htb]$ dig axfr @nsztm1.digi.ninja zonetransfer.me

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.	300	IN	HINFO	"Casio fx-700G" "Windows XP"
zonetransfer.me.	301	IN	TXT	"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.	7200	IN	MX	0 ASPMX.L.GOOGLE.COM.
...
zonetransfer.me.	7200	IN	A	5.196.105.14
zonetransfer.me.	7200	IN	NS	nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	NS	nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN	TXT	"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN	SRV	0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200	IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN	AFSDB	1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200	IN	A	127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN	AFSDB	1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A	202.14.81.230
...
;; Query time: 10 msec
;; SERVER: 81.4.108.41#53(nsztm1.digi.ninja) (TCP)
;; WHEN: Mon May 27 18:31:35 BST 2024
;; XFR size: 50 records (messages 1, bytes 2085)

zonetransfer.me is a service specifically set up to demonstrate the risks of zone transfers, which is why the dig command returns the full zone.
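The dig commands above and the zone-transfer check, combined the way a practitioner runs them, as an added example that is not part of the page: look up the NS records, ask every authoritative server for the zone, and tell a real transfer apart from a refusal. Only dig is needed; the domain names are the page's own (zonetransfer.me), and the embedded transcript is a constructed, abridged copy of the page's output with the closing SOA added so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the page): AXFR against every authoritative name
# server of a domain, with the result parsed rather than eyeballed.
# Assumption: dig (bind9-dnsutils) is installed.

# Owner names from AXFR output, one per line, deduplicated. dig prints records as
# "<name> <ttl> IN <type> <rdata>" and comments as lines starting with ";".
axfr_names() {
    grep -v '^;' | awk 'NF >= 4 && $3 == "IN" { sub(/\.$/, "", $1); print $1 }' | sort -u
}

# A complete transfer is bracketed by the zone's SOA: it is the first and the
# last record. Anything else (empty output, "; Transfer failed.") is a refusal.
axfr_ok() {
    grep -v '^;' | awk '$3 == "IN" && $4 == "SOA" { n++ } END { if (n >= 2) exit 0; exit 1 }'
}

# Constructed sample: abridged from the page's zonetransfer.me transcript,
# with the terminating SOA appended as a real transfer would carry it.
sample_axfr() {
    cat <<'EOF'
zonetransfer.me.        7200    IN      SOA     nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.        7200    IN      MX      0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.        7200    IN      A       5.196.105.14
zonetransfer.me.        7200    IN      NS      nsztm1.digi.ninja.
_sip._tcp.zonetransfer.me. 14000 IN     SRV     0 0 5060 www.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200  IN      A       127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A      202.14.81.230
zonetransfer.me.        7200    IN      SOA     nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
EOF
}

# Live check: look up the NS records, then ask each server for the zone.
try_axfr() {
    domain="$1"
    for ns in $(dig +short NS "$domain"); do
        out=$(dig +nocmd +nocomments +nostats axfr "@$ns" "$domain")
        if printf '%s\n' "$out" | axfr_ok; then
            echo "[+] $ns allows AXFR for $domain"
            printf '%s\n' "$out" | axfr_names | sed 's/^/    /'
        else
            echo "[-] $ns refuses AXFR for $domain"
        fi
    done
}

# usage: sh axfr-check.sh zonetransfer.me
if [ $# -eq 1 ]; then try_axfr "$1"; fi
```

Testing each name server separately matters: it is common for a primary to be locked down while a forgotten secondary still answers AXFR for everyone.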

Virtual Hosting

Several websites can share one IP address; the web server selects the site from the Host header of each request. gobuster needs to resolve the target name, so map it to the IP in /etc/hosts first, then brute-force candidate host names:

sudo nano /etc/hosts
## Add
94.237.52.18 inlanefreight.htb
## Run
gobuster vhost -u http://inlanefreight.htb:39472 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

The --append-domain flag appends the base domain to each word in the wordlist, so every request carries a Host header such as www.inlanefreight.htb; gobuster reports the names whose response differs from the default site's.
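The same discovery done by hand with curl, as an added example that is not part of the page or of gobuster: send each candidate as the Host header and keep the names whose response (status and size) differs from a baseline taken with a host nobody configured. The target, port and wordlist path are the page's; the /etc/hosts entry is unnecessary here because the Host header is set explicitly.

```shell
#!/bin/sh
# Added example (not from the page or gobuster): manual virtual-host discovery.
# Assumptions: curl is installed; the defaults below are the page's target.

TARGET="${TARGET:-http://94.237.52.18:39472}"
DOMAIN="${DOMAIN:-inlanefreight.htb}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt}"

# "status size" of the response for one Host header value.
probe() {
    curl -s -o /dev/null -w '%{http_code} %{size_download}' -H "Host: $1" "$TARGET"
}

# Keep only candidates whose "status size" differs from the baseline.
# Reads lines "host status size" on stdin and prints the hosts that differ;
# kept as a pure text filter so it can be checked without a network.
filter_vhosts() {
    awk -v base="$1" '{ resp = $2 " " $3; if (resp != base) print $1 }'
}

scan() {
    # Baseline: a Host nobody configured, i.e. what the default vhost returns.
    base=$(probe "nonexistent-$$.$DOMAIN")
    echo "[*] baseline for $TARGET: $base"
    while IFS= read -r word; do
        host="$word.$DOMAIN"
        printf '%s %s\n' "$host" "$(probe "$host")"
    done < "$WORDLIST" | filter_vhosts "$base"
}

# usage: sh vhosts.sh run
if [ "${1:-}" = "run" ]; then scan; fi
```

Size-based filtering produces false positives when the default page embeds something dynamic (a timestamp, a CSRF token), which is what gobuster's --exclude-length option is for; the same fix here is to probe the baseline twice and ignore the size field if it changes.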

Crt.sh lookup

While crt.sh offers a convenient web interface, you can also leverage its API for automated searches directly from your terminal. Let's see how to find all 'dev' subdomains on facebook.com using curl and jq. Note that contains("dev") is a substring match, so names such as devvm1958 and facebook-amex-dev qualify too, and that a single name_value can hold several names separated by newlines when one certificate covers many SANs, so split on newlines before deduplicating if you need one name per line:

eldeim@htb[/htb]$ curl -s "https://crt.sh/?q=facebook.com&output=json" | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u
 
*.dev.facebook.com
*.newdev.facebook.com
*.secure.dev.facebook.com
dev.facebook.com
devvm1958.ftw3.facebook.com
facebook-amex-dev.facebook.com
facebook-amex-sign-enc-dev.facebook.com
newdev.facebook.com
secure.dev.facebook.com

ReconSpider

## Download
eldeim@htb[/htb]$ pip3 install scrapy
eldeim@htb[/htb]$ wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
eldeim@htb[/htb]$ unzip ReconSpider.zip 
## Use
eldeim@htb[/htb]$ python3 ReconSpider.py http://inlanefreight.com

Google Dorking

Here are some common examples of Google Dorks; for more, refer to the Google Hacking Database (GHDB):

  • Finding Login Pages:

    • site:example.com inurl:login

    • site:example.com (inurl:login OR inurl:admin)

  • Identifying Exposed Files:

    • site:example.com filetype:pdf

    • site:example.com (filetype:xls OR filetype:docx)

  • Uncovering Configuration Files:

    • site:example.com inurl:config.php

    • site:example.com (ext:conf OR ext:cnf) (searches for extensions commonly used for configuration files)

  • Locating Database Backups:

    • site:example.com inurl:backup

    • site:example.com filetype:sql
