SEC-335: Eth. Hacking & Pen. Testing

Activity 3.1: DNS Enumeration


Last updated 2 years ago

Summary

Deliverable 1. Provide a screenshot of your /24 port scan against 10.0.5.0/24 similar to the one below.

Code:

#!/bin/bash
# Usage: $0 <network prefix, e.g. 10.0.5> <tcp port>
# Sweeps a /24 for one TCP port using bash's built-in /dev/tcp; a connect that
# completes within 0.1 s is reported as host,port.

network=$1
port=$2

echo "host,port"
for ((ip=1; ip<=254; ip++)); do
   ipaddr="$network.$ip"
   timeout .1 bash -c "echo >/dev/tcp/$ipaddr/$port" 2>/dev/null && echo "$ipaddr,$port"
done

Output:


Deliverable 3. Write a script that takes a network prefix and a specific dns server in which to perform a lookup. Assume a /24 network. Provide a screenshot similar to the one below showing the program run.

Code:

#!/bin/bash
# Usage: $0 <network prefix, e.g. 10.0.5> <dns server ip>
# Reverse-resolves every address in the /24 through the given DNS server and
# prints only the lines that carry a PTR answer ("name = ...").

network=$1
name_serv=$2

echo "dns resolution for $network"
for ((ip=1; ip<=254; ip++)); do
   ipaddr="$network.$ip"
   nslookup "$ipaddr" "$name_serv" | grep name
done

Output:

Deliverable 5. Use nmap to find your DNS servers. Figure out how to: skip host discovery, use a grepable output to send results to dns-servers2.txt, only scan for a single tcp port across 10.0.5.0/24, only report "open" ports, see if you can use a bash 1 or 2 liner to list the unique IP addresses that respond to DNS lookups.

nmap:

sudo nmap -Pn --open 10.0.5.0/24 -p T:53 -oG dns-server2.txt

Output:

cat dns-server2.txt | grep -v Nmap | grep -v / | awk '{print  $2}'
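The pipeline above drops every line containing a slash and reads the IP from what is left. The following added example (not part of this write-up, written for this page) parses the Ports: field of grepable output directly instead, so it reports a host only when the requested port is actually "open" and de-duplicates the result; the gnmap lines it runs on are a constructed sample, not real scan output from the course network.

```shell
#!/bin/sh
# Parse nmap grepable (-oG) output and list the unique IPs with a given TCP port open.
# Constructed sample of what dns-server2.txt might contain (not real scan output):
SAMPLE_GNMAP=$(printf '%b\n' \
  '# Nmap scan initiated as: nmap -Pn --open -p T:53 -oG dns-server2.txt 10.0.5.0/24' \
  'Host: 10.0.5.22 ()\tStatus: Up' \
  'Host: 10.0.5.22 ()\tPorts: 53/open/tcp//domain///' \
  'Host: 10.0.5.23 ()\tStatus: Up' \
  'Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///' \
  'Host: 10.0.5.40 ()\tStatus: Up' \
  'Host: 10.0.5.40 ()\tPorts: 53/filtered/tcp//domain///' \
  'Host: 10.0.5.22 ()\tPorts: 53/open/tcp//domain///' \
  '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds')

# dns_ips_from_gnmap [port]: read -oG output on stdin and print the unique IPs whose
# Ports: field contains "<port>/open/tcp" (default port 53). Keying on "/open/" means a
# host whose port is filtered or closed is not reported even if --open was omitted, and
# sort -u removes the duplicates grepable output produces when a host appears on
# several lines.
dns_ips_from_gnmap() {
    port=${1:-53}
    awk -v p="$port" '/^Host:/ && /Ports:/ && $0 ~ ("(Ports: |, )" p "/open/tcp") { print $2 }' | sort -u
}

# count_dns_servers [port]: number of distinct hosts with the port open, for a quick
# sanity check inside a larger script.
count_dns_servers() {
    dns_ips_from_gnmap "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real scan: dns_ips_from_gnmap < dns-server2.txt
printf '%s\n' "$SAMPLE_GNMAP" | dns_ips_from_gnmap 53
```

On the sample this prints 10.0.5.22 and 10.0.5.23 once each; 10.0.5.40 is excluded because its port 53 is only filtered, and the repeated 10.0.5.22 line is collapsed.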

Deliverable 6. The following nmap command will use -sL (list targets) while specifying a dns server. See if you can do some magic with grep and cut or awk to produce output similar to the one below. Provide a screenshot showing your modified nmap run. Note, you may have different hosts listed as our target environment changes and grows over time.

nmap:

sudo nmap -sL -R 10.0.5.1-124 --dns-server 10.0.5.22 | awk '{print $5 $6}' | grep "(" | grep -v addresses
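As an added example for this deliverable (not the author's command; written for this page), the parser below turns list-scan output into hostname,ip rows. It keys on the parenthesised sixth field rather than a bare grep for "(", so the "Nmap done" summary line is never mistaken for a host, and it can optionally keep hosts that have no reverse name. The list-scan lines are a constructed sample; every hostname in it except pippin.shire.org is made up for the example.

```shell
#!/bin/sh
# Turn `nmap -sL` (list scan) output into hostname,ip rows.
# Constructed sample of a list scan (hostnames other than pippin.shire.org are invented):
SAMPLE_LIST=$(printf '%s\n' \
  'Starting Nmap ( https://nmap.org )' \
  'Nmap scan report for gateway.shire.org (10.0.5.1)' \
  'Nmap scan report for 10.0.5.3' \
  'Nmap scan report for ns.shire.org (10.0.5.22)' \
  'Nmap scan report for pippin.shire.org (10.0.5.25)' \
  'Nmap done: 124 IP addresses (0 hosts up) scanned in 0.10 seconds')

# list_scan_to_csv [all]: read -sL output on stdin. A report line with a reverse name
# looks like "Nmap scan report for NAME (IP)"; one without looks like
# "Nmap scan report for IP". Only lines whose 6th field is "(IP)" carry a name.
# Pass "all" to also emit nameless hosts as ",IP" so they are not silently lost.
list_scan_to_csv() {
    awk -v all="${1:-}" '
        /^Nmap scan report for/ {
            if ($6 ~ /^\(.*\)$/) { ip = $6; gsub(/[()]/, "", ip); print $5 "," ip }
            else if (all == "all") { print "," $5 }
        }'
}

# Run against the constructed sample; on a live run:
#   nmap -sL -R 10.0.5.1-124 --dns-servers 10.0.5.22 | list_scan_to_csv
printf '%s\n' "$SAMPLE_LIST" | list_scan_to_csv
```

With the default call, 10.0.5.3 (no PTR record) is omitted; with `list_scan_to_csv all` it appears as `,10.0.5.3`, which is the easier form to feed into a later lookup step.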

Output:

Deliverable 7. zt.txt should have some useful information, see what you can do to parse it in a manner that we have a hostname and associated ip address. Provide a screenshot similar to the one below. Note, the screenshot below is not quite perfect as not every host has an IP address.

Zone Transfer:

Note: documentation at https://digi.ninja/projects/zonetransferme.php

Output:

cat zt.txt | awk '{print $1","$5}' | grep -v ";"

[screenshots: Output; Find Name Servers; Attempt the Zone Transfer]
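The deliverable notes that the simple awk over zt.txt is "not quite perfect as not every host has an IP address": in a zone transfer only A records carry an IPv4 address in the fifth field, while NS, MX and SOA rows put a name or a number there and a CNAME points at another name. The added example below (written for this page, not the author's script) parses `dig axfr` style output, keeps A records, resolves CNAMEs through the A records seen in the same zone, and flags aliases that cannot be resolved. The zone data is a constructed sample, not a transfer from the course environment.

```shell
#!/bin/sh
# Parse `dig axfr` output (zt.txt) into hostname,ip rows, handling records that carry
# no IPv4 address. Constructed sample zone (not real data from the course network):
SAMPLE_AXFR=$(cat <<'EOF'
; <<>> DiG 9.18 <<>> axfr shire.org @10.0.5.22
;; global options: +cmd
shire.org.          3600  IN  SOA    ns.shire.org. admin.shire.org. 2024010101 3600 900 604800 86400
shire.org.          3600  IN  NS     ns.shire.org.
shire.org.          3600  IN  MX     10 mail.shire.org.
ns.shire.org.       3600  IN  A      10.0.5.22
pippin.shire.org.   3600  IN  A      10.0.5.25
www.shire.org.      3600  IN  CNAME  pippin.shire.org.
mail.shire.org.     3600  IN  A      10.0.5.30
old.shire.org.      3600  IN  CNAME  gone.shire.org.
shire.org.          3600  IN  SOA    ns.shire.org. admin.shire.org. 2024010101 3600 900 604800 86400
;; Query time: 1 msec
EOF
)

# axfr_to_csv: read zone-transfer output on stdin and print "hostname,ip" rows.
# Fields are: owner, TTL, class, type, rdata. A rows map a name to an address;
# CNAME rows are resolved through the A rows collected from the same transfer;
# NS/MX/SOA rows and dig's ";" comment lines are skipped. Trailing dots are
# stripped and the result is sorted so the output is stable.
axfr_to_csv() {
    awk '
        /^;/ || NF < 5 { next }
        $4 == "A"     { a[$1] = $5 }
        $4 == "CNAME" { c[$1] = $5 }
        END {
            for (n in a) print n "," a[n]
            for (n in c) print n "," ((c[n] in a) ? a[c[n]] : "NO-A-RECORD:" c[n])
        }' | sed 's/\.,/,/; s/\.$//' | sort
}

# axfr_hosts_with_ip: same rows, but only those that resolved to an address.
axfr_hosts_with_ip() {
    axfr_to_csv | grep -v 'NO-A-RECORD'
}

# Run against the constructed sample; on a real file: axfr_to_csv < zt.txt
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_csv
```

On the sample, www.shire.org inherits 10.0.5.25 from the pippin.shire.org A record, old.shire.org is reported with a NO-A-RECORD marker because its CNAME target has no address in the zone, and the NS, MX and SOA rows produce no output at all.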