Cyber Skyline Trove

Dig

Prompt

You've been tasked to help the newly launched company, Fortaigan, audit its DNS records.

To complete the tasks, use the device with the resolver hostname in the provided terminal as the DNS resolver to query for fortaigan.net.

Walk-Through

In this challenge, you’ll use the dig command to query a DNS resolver and learn information about a fictional company, Fortaigan. If you’ve completed the OSINT challenge “Lookup” as well as the “DNS” Network Analysis challenge from the gym, you’ll have a good foundation to begin to work on this challenge. Also check out the “Helpful Tools” section below for links to resources.

DNS (the Domain Name System) lets devices look up the IP address of a domain name. This is useful because, as humans, it is much easier for us to remember “google.com” than the specific IP address needed to reach a website’s services.

Specific public resolvers can be queried to verify DNS records. In this challenge, you are provided with the resolver to connect to. This resolver contains the information needed to complete this challenge.

When using a provided client terminal on the Cyber Skyline platform, you’ll receive the hostname of the target system in the question (unless the challenge specifically asks you to find the target system). In this case, the target system’s hostname is resolver. You can use the hostname of the system to communicate with it from your terminal. Use ping against resolver to confirm connectivity.

Guide

To find the IPv4 address for fortaigan.net, query the resolver for the A record. This can be done by using: dig @resolver A fortaigan.net

The answer is redacted.

To find the mail server, query the resolver for the MX record. This can be done using: dig @resolver MX fortaigan.net

The answers for Questions 2 and 3 are redacted.

After seeing which mail servers are available, you’ll have the information to determine which server takes first priority. This will be the server listed with the LOWEST number.

The nameserver stores all of the DNS records for a domain. To find the nameserver record, use NS with dig as follows: dig @resolver NS fortaigan.net

The results of dig @resolver NS fortaigan.net

This returns the primary nameserver for fortaigan.net. To get its IPv4 address, dig again using: dig @resolver ns1.fortaigan.net

The answer is redacted.

Finding the responsible person for this domain is a bit trickier. Many domains do not publish a responsible person and instead list only a generic contact email. DNS has a responsible person (RP) record type, which dig can query. Use: dig @resolver RP fortaigan.net

The RP record type returns information about the responsible person. Here the contact email is returned.

Now use the email address to find the full name of the person responsible. This can be done with: dig @resolver admin.fortaigan.net TXT

The answer is redacted.

To find the flag, try looking to see if there are any contents in the TXT record. Do this by using: dig @resolver TXT fortaigan.net

The answer is redacted. The TXT record includes additional quotations and backslashes around the flag. These are part of how the TXT record is represented and are not a part of the flag.

Session Initiation Protocol (SIP) handles the signaling part of voice, video and other messaging sessions that many modern businesses may need. SIP can route calls using domain names instead of phone numbers, so SIP devices may need help locating the correct servers.

The information for the SIP service may be found in many DNS record types. If you try using dig with only the SRV record type on the domain itself, no information is returned. This is typical for many organizations. SIP services are published under specific service labels that follow a particular format. Find information about the service using the standard SIP SRV hostname, which prefixes the domain with _sip._tcp.

Add the SRV record type to make the command more explicit: dig @resolver SRV _sip._tcp.fortaigan.net

The answer and some unrelated values are redacted.

This command will return a number of values (the port the SIP service listens on, the weight used for load balancing, and the priority) as well as the hostname of the server that provides the SIP service. Determine which value is the priority.
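
As an added example (not part of the original walkthrough or the Cyber Skyline platform), the shell functions below read dig answer-section lines and pick out the values the MX and SRV steps above ask about: the number of MX records, the mail server with the lowest preference, and the SRV fields in their fixed order. The example.test records are constructed placeholders, not the challenge answers, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: parse dig answer-section lines (name TTL class type rdata).
# Every record below is a constructed placeholder, not a challenge answer.

SAMPLE_ANSWERS='; constructed sample, shaped like dig +noall +answer output
example.test.            300 IN MX  20 mail-b.example.test.
example.test.            300 IN MX  10 mail-a.example.test.
example.test.            300 IN MX  30 mail-c.example.test.
_sip._tcp.example.test.  300 IN SRV 5 60 5060 voip.example.test.'

# Count the MX records on stdin, skipping dig comment lines (leading ';').
mx_count() {
  awk '$1 !~ /^;/ && toupper($4) == "MX" { n++ } END { print n + 0 }'
}

# Print the MX target with the lowest preference value (the one tried first).
mx_primary() {
  awk '$1 !~ /^;/ && toupper($4) == "MX" {
         if (best == "" || $5 + 0 < best + 0) { best = $5; host = $6 }
       }
       END { if (host != "") print host }'
}

# Label SRV rdata in its fixed order: priority, weight, port, target.
srv_fields() {
  awk '$1 !~ /^;/ && toupper($4) == "SRV" {
         printf "priority=%s weight=%s port=%s target=%s\n", $5, $6, $7, $8
       }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_ANSWERS" | mx_count
printf '%s\n' "$SAMPLE_ANSWERS" | mx_primary
printf '%s\n' "$SAMPLE_ANSWERS" | srv_fields
```

To run the functions against live output, pipe dig @resolver MX fortaigan.net +noall +answer into mx_primary, or the SRV query into srv_fields.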

To find the IPv4 address of the machine running the SIP service, use the hostname found in question 7 with dig: dig @resolver sipserver.fortaigan.net

The answer is redacted.

Useful tools for this challenge:

  • Cloudflare “What is DNS?”: https://www.cloudflare.com/learning/dns/what-is-dns/
  • Cloudflare “DNS records”: https://www.cloudflare.com/learning/dns/dns-records/
  • Use the Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about DNS and see a walkthrough of how to solve this challenge:

Cyber Skyline Live: Using DNS to Dig Up Information

In Using DNS to Dig Up Information, you’ll learn from Franz Payer, CEO of Cyber Skyline, as they explain how to use the ‘dig’ command to understand DNS records and the details they can provide into an organization’s external systems and infrastructure. This video is for educational purposes only.


Questions

1. What is the IPv4 address for fortaigan.net?

2. How many mail servers does fortaigan.net have?

3. What's the name of the mail server that takes the first priority?

4. What is the IPv4 address of the name server record for fortaigan.net?

5. What's the full name of the responsible person at fortaigan.net?

6. What is the text flag found in the DNS records?

7. What is the priority number given to the SIP service using the TCP protocol on fortaigan.net?

8. What is the IPv4 address of the machine that's running the SIP service for fortaigan.net?

©️ 2026 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.