PTP Lab 13, missing content?


patrick.k.sheehan

In PTP Lab 13 - DNS & SMB Relay Attack, Task 2:

Using only Forward DNS Lookups, list all of the hosts that you can.
Proposed Solution: "One way that we can use to try to guess the DNS records of a DNS Server is to brute-force it.  According to the provided hint, the hostnames of this environment matches with department’s name."

I have looked and looked and can't find any hint, let alone a suggestion that the hostnames of the environment match department names.  Am I missing something, or is there some content that was intended to be there (but got removed)?

StefanWAustin
On 6/17/2020 at 12:23 PM, patrick.k.sheehan said:

According to the provided hint, the hostnames of this environment matches with department’s name."

I could not find a hint, but I think it is obvious, and it is the first thing that I would try. The solution gives you a "short" list of possible names, but you can think of other names. I am "lazy", so I would try the nmap script dns-brute as a first guess, because that script already knows the common DNS names.

This part is more about showing the manual way with a short script, so you see how automated tools like fierce work. A pen tester will not manually add basic, commonly known names, but if you know uncommon names, you have learned how to add them.

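The manual approach discussed above (forward lookups over a guessed list of hostnames, the same idea nmap's dns-brute script and fierce automate) as an added example; this is not code from the lab or from either poster. The department wordlist, the domain names and the fake resolver in the usage note are constructed for illustration. One caveat the lab text does not mention: if the target zone has a wildcard record, every guess resolves, so the script first resolves a random label and discards hits that return the same address.

```python
"""Forward-lookup hostname brute force with a wildcard-DNS sanity check.

Added example (not the lab's own script). DEPARTMENT_NAMES is a constructed
wordlist; the domain passed to brute_force_forward is an assumption.
"""
import random
import socket
import string
from typing import Callable, Dict, Iterable, Optional

# Constructed wordlist: department names first, then a few infrastructure
# names that automated tools also try.
DEPARTMENT_NAMES = [
    "it", "hr", "sales", "marketing", "finance", "legal", "support",
    "dev", "research", "admin", "www", "mail", "dc", "fileserver", "intranet",
]

# A resolver maps an FQDN to an IPv4 string and raises OSError (socket.gaierror
# and socket.herror are OSError subclasses) when the name does not exist.
Resolver = Callable[[str], str]


def detect_wildcard(domain: str, resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """Resolve a random 16-character label under the domain.

    If it answers, the zone has a wildcard record and every brute-force guess
    would look like a hit; the returned address is used to filter those out.
    """
    label = "".join(random.choices(string.ascii_lowercase, k=16))
    try:
        return resolve(f"{label}.{domain}")
    except OSError:
        return None


def brute_force_forward(domain: str, wordlist: Iterable[str],
                        resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Return {fqdn: ip} for every label in the wordlist that resolves,
    excluding answers that match the wildcard address (if any)."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for label in wordlist:
        fqdn = f"{label}.{domain}"
        try:
            ip = resolve(fqdn)
        except OSError:
            continue  # NXDOMAIN or resolver error: not a host, move on
        if wildcard_ip is not None and ip == wildcard_ip:
            continue  # same answer as the random label: wildcard noise, not a real host
        found[fqdn] = ip
    return found


if __name__ == "__main__":
    # In the lab you would point the system resolver (/etc/resolv.conf) at the
    # target DNS server first; "lab.local" is an assumed domain name.
    for fqdn, ip in brute_force_forward("lab.local", DEPARTMENT_NAMES).items():
        print(f"{fqdn:30} {ip}")
```

The `resolve` parameter exists so the logic can be exercised offline with a fake lookup table; on a live engagement the default `socket.gethostbyname` is used. The equivalent automated check with nmap is `nmap --script dns-brute --script-args dns-brute.domain=<domain> <dns-server>`, which uses its own built-in name list.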
patrick.k.sheehan
7 hours ago, hu33 said:

Did you check the lab solution?

Yes.  My point is that either (a) the "solution" shouldn't say "according to the provided hint" (as there is no hint), or (b) there should be a hint.

4 hours ago, StefanWAustin said:

I could not find a hint, but I think it is obvious, and it is the first thing that I would try. The solution gives you a "short" list of possible names, but you can think of other names. I am "lazy", so I would try the nmap script dns-brute as a first guess, because that script already knows the common DNS names.

This part is more about showing the manual way with a short script, so you see how automated tools like fierce work. A pen tester will not manually add basic, commonly known names, but if you know uncommon names, you have learned how to add them.

I appreciate the input.  My point is that as it's written, it's wrong.  I merely made the post as a suggestion.  I think your statement would be a much better correction -- instead of "According to the provided hint" (and not providing a hint), in the solution have a blurb about what would be a prudent course of action.  It would not only be accurate, but also more helpful & insightful.

StefanWAustin
1 minute ago, patrick.k.sheehan said:

It would not only be accurate, but also more helpful & insightful.

I think it is a lot of work to write 6500 pages, and there is always something to correct. In the next version they will add a hint or rewrite the sentence, because they read this suggestions area. eLearnSecurity is a small company; they need us customers to fix small things.

Usually I ignore mistakes because I do not need the solutions anymore, but at the beginning it is important that the lab instructions are clearly written, correct and helpful. In three months you will have more knowledge and it is much easier to ignore a mistake. Maybe a hint: you are doing the beginner labs, but many of them have funny easter eggs. If you do them the first time you cannot see them, because you do not have the knowledge, but later you will laugh about some things. > you are ready for the exam.

patrick.k.sheehan
50 minutes ago, StefanWAustin said:

I think it is a lot of work to write 6500 pages, and there is always something to correct. In the next version they will add a hint or rewrite the sentence, because they read this suggestions area. eLearnSecurity is a small company; they need us customers to fix small things.

To clarify, my post wasn't meant as an attack against eLearnSecurity, but rather as this forum is "Suggestions & Corrections", I was providing just that -- a Suggestion & Correction.  Minor?  Absolutely.  But the forum isn't named "Critical Suggestions & Corrections".

StefanWAustin
34 minutes ago, patrick.k.sheehan said:

To clarify, my post wasn't meant as an attack against eLearnSecurity,

I am a customer and I am not related to eLS. English is not my first language, sorry for that misunderstanding.  You did the right thing :) and I wrote too much after hours of studying.
