Stuck on the Network Reconnaissance Lab

I was solving the challenge LAB in Network Reconnaissance and have solved the previous 2 questions but I am stuck on question 3. I tried all the options but I am not getting the domain.

# Task 3

You’ll also discover one of these hosts is a DNS server running the BIND software. That’s handy since your IPs don’t seem to be resolving to any domains. This internal DNS server might be able to help you in this last sequence.

Hint: The --dns-server option specifies the nameserver Nmap should use for reverse resolution.

Use Nmap to perform a list scan to resolve your targets using the discovered DNS server for resolution. You’ll find a web server with an interesting domain name here.

In task 3:
– perform the nmap scan to find the IP address of the DNS server using 192.168.0.0/23.

It will output a list of running IPs.

Inside, find the DNS server, which has a service named BIND, then pass its address to the list scan (the address placeholder below is yours to fill in):
sudo nmap -sL --dns-server <dns-server-ip> -iL iplist.lst

Then you do rDNS using -n. Find the name of the nameserver, as it starts with the hint: stag*

Run sudo nmap -p 80,443 --script http-enum <target>
and replace <target> with the staging.*** domain.

You get the output,

and there will be a file displayed …

5:4 letters

1 Like

1.3 challenge exercise

I admit I am so lost on task 3. My ip.lst only displays two IPs and I can’t seem to figure out how to find the DNS server after finishing task 2 with the nmap -n -Pn -sV -iL ip.lst – 21,22,80 --open

Please help. I tried the commands you posted but there is nothing to resolve in my .lst file.

Hey @TesaZane5235,

If you only receive 2 IPs from your “masscan” scan in Task 1, I would double-check your command. You’re expected to run masscan using the provided top100.conf and point it at the provided IP range (192.168.0.0/23).

For Task 2, it looks like you only tried to scan 3 ports (21,22,80), where the request is to scan the top 1000 ports.

Once you take care of the above, you’ll be able to see the BIND server needed to finish Task 3.

Happy hacking!

1 Like

I did this and I couldn’t get it to show the files and directories like the task asks for; it just kept showing port 80 open.

I think there’s a problem with that lab. I get 5 machines from the first scan (unless I’m too dumb & my counting skills + wc -l output’s no longer work). Then I get to see something like a robots.txt file, which does not match the hint pattern but I’m so sorry to say that nothing else is discovered anywhere. Executing nmap with the http-enum script on staging.*** does NOT discover a single thing so I’m not sure what on earth is going on but if this sort of thing keeps repeating in other labs I’ll stop paying a subscription.
Like someone else also said on these forums, I don’t have time for this either.

Replied over here - Lab is not loading - #73 by CalmQuail2332

TLDR on Issue 1 - you shouldn’t get 5 machines from the first scan if you’re following the instructions and limiting the scope of your scan to hosts that have open ports specified in the top100.conf file. If you scan for other ports, you may find more hosts, but that’s not what’s being asked here.

TLDR on Issue 2 - if you limit yourself to only scanning the staging domain with http-enum (or the related IP address that you already know) you won’t find anything, but the instructions say to “scan all IPs it resolves to!” - meaning that you should find a new IP address related to the staging domain, provided you edited the resolver file correctly to enable forward resolution.
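The two points above (reverse resolution through the BIND server, then finding every address the staging name resolves to) are easy to misread from raw Nmap output. Below is an added helper, not part of this thread or of the lab, that parses saved `nmap -sL` output (run with `--dns-servers <bind-ip> -iL iplist.lst -oN list.txt`; `--dns-servers` is Nmap’s documented spelling of the option the hint calls `--dns-server`) and groups addresses by the PTR name they came back with, so a name that maps to more than one IP stands out. The sample output, host names and addresses below are constructed for the example and are not the lab’s values.

```python
import re
import socket
from collections import defaultdict

# Constructed sample of `nmap -sL --dns-servers <bind-ip> -iL iplist.lst` output.
# Names and addresses are made up for this example; they are not the lab's values.
SAMPLE_LIST_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 192.168.0.5
Nmap scan report for ns1.corp.example (192.168.0.53)
Nmap scan report for staging.corp.example (192.168.0.80)
Nmap scan report for staging.corp.example (192.168.1.80)
Nmap scan report for www.corp.example (192.168.0.81)
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.10 seconds
"""

# -sL prints "Nmap scan report for NAME (IP)" when a PTR record exists,
# and "Nmap scan report for IP" when the reverse lookup returned nothing.
REPORT_RE = re.compile(
    r"^Nmap scan report for "
    r"(?:(?P<host>\S+) \((?P<ip_paren>[\d.]+)\)|(?P<ip>[\d.]+))$"
)


def parse_list_scan(text):
    """Map each reverse-resolved hostname to the list of IPs that carry it.

    IPs that had no PTR record are collected under the key None, which is
    how you notice that the resolver you pointed Nmap at is not answering.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m:
            continue  # banner, "Nmap done", blank lines
        if m.group("host"):
            hosts[m.group("host")].append(m.group("ip_paren"))
        else:
            hosts[None].append(m.group("ip"))
    return dict(hosts)


def find_hosts(hosts, prefix):
    """Return only the names starting with `prefix` (case-insensitive)."""
    return {
        name: ips
        for name, ips in hosts.items()
        if name and name.lower().startswith(prefix.lower())
    }


def forward_resolve(name):
    """Ask the system resolver for every A record of `name`.

    Reverse resolution (-sL) only tells you which of the IPs you already
    scanned have a PTR; this forward lookup is what reveals additional
    addresses behind the same name, and it only works once /etc/resolv.conf
    points at the internal BIND server. Not called at import time because it
    needs network access.
    """
    _, _, addresses = socket.gethostbyname_ex(name)
    return sorted(addresses)


if __name__ == "__main__":
    parsed = parse_list_scan(SAMPLE_LIST_SCAN)
    print("no PTR:", parsed.get(None, []))
    for name, ips in find_hosts(parsed, "stag").items():
        print(f"{name}: {', '.join(ips)}")
```

Reading the grouped output rather than scrolling the raw report makes the thread’s two failure modes obvious: every IP landing under `None` means the `--dns-servers` address (or the resolver edit) is wrong, and a name listed with a single IP is the cue to run `forward_resolve` on it and scan whatever else comes back, as the instructions ask.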

I’d say Issue 2 was something like name resolution not working, but who knows. I had many problems loading this lab contents to start with, so maybe my network connection was not really stable at that time.
I’ll try to go through the lab again with & without editing /etc/resolv.conf. When I finally managed to get it done it looked like adding that line to the file was useless.