TL;DR
nslookup -type=any -query=axfr [DOMAIN] [NAME SERVER]
I used to think NSLOOKUP was just for looking up IPs for domain names I had. How wrong I was! This tool is SO powerful if you understand what goes on with DNS, and DNS is a very weak point for me, so let's dig in. We're going to use Hack The Box Academy's bug bounty hunter material for help; you'll see that from the .htb TLD in the examples.
We're going to look at one particular item: zone transfers. Before we get going we need to understand how they work.
A zone transfer is the method a secondary DNS server uses to update its copy of the zone from the primary DNS server. DNS servers for a domain are organized in a master-slave (primary-secondary) arrangement, where the secondaries pull updated DNS information from the primary. The primary should be configured to allow zone transfers only from its secondary servers, but this is often not implemented.
OK, so the first thing we're going to do is ask the name server for a full zone transfer of the domain, which gives us the listing of the domain, its subdomains and their records in all their glory. In the example below I'm requesting a transfer of the domain inlanefreight.htb from the server 10.129.42.195. This lists every name in the zone that the name server knows about.
nslookup -type=any -query=axfr inlanefreight.htb 10.129.42.195
Server: 10.129.42.195
Address: 10.129.42.195#53
inlanefreight.htb
origin = inlanefreight.htb
mail addr = root.inlanefreight.htb
serial = 2
refresh = 604800
retry = 86400
expire = 2419200
minimum = 604800
inlanefreight.htb nameserver = ns.inlanefreight.htb.
Name: admin.inlanefreight.htb
Address: 10.10.34.2
Name: ftp.admin.inlanefreight.htb
Address: 10.10.34.2
Name: careers.inlanefreight.htb
Address: 10.10.34.50
Name: internal.inlanefreight.htb
Address: 127.0.0.1
<snip>...
Name: www1.inlanefreight.htb
Address: 10.10.34.111
inlanefreight.htb
origin = inlanefreight.htb
mail addr = root.inlanefreight.htb
serial = 2
refresh = 604800
retry = 86400
expire = 2419200
minimum = 604800
But wait! There's more!
When you get this list, store it somewhere, because you should attempt the zone transfer again for ALL the subdomains you see here. Use the same name server and swap in each subdomain as the zone to see if you can get even MORE information! As you can see below, we got a TON more information from one of the subdomains we found.
nslookup -type=ptr -query=axfr internal.inlanefreight.htb 10.129.105.27
Server: 10.129.105.27
Address: 10.129.105.27#53
internal.inlanefreight.htb
origin = inlanefreight.htb
mail addr = root.inlanefreight.htb
serial = 2
refresh = 604800
retry = 86400
expire = 2419200
minimum = 604800
internal.inlanefreight.htb text = "ZONE_TRANSFER{87o2z3cno7zsoiedznxoi82z3o47xzhoi}"
internal.inlanefreight.htb nameserver = ns.inlanefreight.htb.
Name: dev.admin.internal.inlanefreight.htb
Address: 10.10.1.2
Name: panel.admin.internal.inlanefreight.htb
Address: 10.10.1.2
Name: printer.admin.internal.inlanefreight.htb
Address: 10.10.1.3
Name: dc3.internal.inlanefreight.htb
Address: 10.10.1.5
Name: ns.internal.inlanefreight.htb
Address: 127.0.0.1
Name: ns2.internal.inlanefreight.htb
Address: 10.10.34.136
Name: ws1.internal.inlanefreight.htb
Address: 10.10.2.11
Name: ws2.internal.inlanefreight.htb
Address: 10.10.3.12
internal.inlanefreight.htb
origin = inlanefreight.htb
mail addr = root.inlanefreight.htb
serial = 2
refresh = 604800
retry = 86400
expire = 2419200
minimum = 604800
Because we asked for ANY type of record, we even get the TXT records back!
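As an added example (not from the original post or from Hack The Box), here is a small Python parser for the nslookup AXFR listing format shown above, plus a check that flags any A record pointing at loopback or RFC 1918 space, the review a zone owner would run on their own transfer output to see what the zone gives away. The sample input is constructed from the listing above, and the list of "internal" address blocks is an assumption.

```python
import ipaddress
import re

# Sample nslookup AXFR output, constructed from the listing shown above
# (server header, SOA fields, NS/TXT lines, then Name:/Address: pairs).
SAMPLE_AXFR = """\
Server:\t\t10.129.42.195
Address:\t10.129.42.195#53

inlanefreight.htb
\torigin = inlanefreight.htb
\tmail addr = root.inlanefreight.htb
\tserial = 2
inlanefreight.htb\tnameserver = ns.inlanefreight.htb.
internal.inlanefreight.htb\ttext = "constructed TXT sample"
Name:\tadmin.inlanefreight.htb
Address: 10.10.34.2
Name:\tinternal.inlanefreight.htb
Address: 127.0.0.1
Name:\twww1.inlanefreight.htb
Address: 198.51.100.7
"""

# Address blocks that should never show up in a zone served to the internet
# (RFC 1918 plus loopback). Assumption: the zone is meant to be public-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RTYPE = {"nameserver": "NS", "text": "TXT", "mail exchanger": "MX"}
RR_LINE = re.compile(r"^(\S+)\s+(nameserver|text|mail exchanger)\s*=\s*(.+)$")


def parse_axfr(text):
    """Turn nslookup's AXFR listing into (name, rtype, value) tuples."""
    records, pending_name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):                       # A record: name first...
            pending_name = line.split(None, 1)[1].rstrip(".")
        elif line.startswith("Address:") and pending_name is not None:
            records.append((pending_name, "A", line.split()[1].split("#")[0]))
            pending_name = None                            # ...address on the next line
        else:                                              # NS / TXT / MX on one line
            m = RR_LINE.match(line)
            if m:
                value = m.group(3).strip().rstrip(".").strip('"')
                records.append((m.group(1), RTYPE[m.group(2)], value))
    return records


def exposed_internal_hosts(records):
    """Names whose A record points into INTERNAL_NETS: what the zone leaks."""
    return [(name, value) for name, rtype, value in records
            if rtype == "A" and any(ipaddress.ip_address(value) in net
                                    for net in INTERNAL_NETS)]
```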