2 :53 dns

53/tcp open  domain  ISC BIND 9.16.1 (Ubuntu Linux)

$ dig version.bind CHAOS TXT @10.10.10.244

; <<>> DiG 9.16.15-Debian <<>> version.bind CHAOS TXT @10.10.10.244
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8939
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7df2ffed12dbe2580100000061087e6d63bc2d994ef89fd6 (good)
;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.16.1-Ubuntu"

;; Query time: 123 msec
;; SERVER: 10.10.10.244#53(10.10.10.244)
;; WHEN: Mon Aug 02 16:21:22 PDT 2021
;; MSG SIZE  rcvd: 95

$ nmap --script dns-nsid 10.10.10.244
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-02 16:22 PDT
Nmap scan report for dyna.htb (10.10.10.244)
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
| dns-nsid:
|_  bind.version: 9.16.1-Ubuntu
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 25.72 seconds

# find domains
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://dyna.htb" -H "HOST: FUZZ.dyna.htb"

# too many responses with the 1090 chars.
# filter that out using --hh <value>

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://dyna.htb" -H "HOST: FUZZ.dyna.htb" --hh 10909
# no results

Last updated