Finding a Hostname

Hi, just going through a few walkthroughs to better my skills. Currently working on -Bank-, doing as much as I can before I use the walkthrough, but I read this part in one of them: "At this point, the hostname had to be guessed for this machine; this turns out to be bank.htb. This follows the standard convention of HTB machines of the format .htb." Without guessing and following the HTB convention, how would one actually find it? I have tried dnsrecon, nslookup and dig, as I read from a bit of googling that those tools might help, but bank.htb doesn't come up in the results. Thanks

@BigHEad66 said:

Hi, just going through a few walkthroughs to better my skills. Currently working on -Bank-, doing as much as I can before I use the walkthrough, but I read this part in one of them: "At this point, the hostname had to be guessed for this machine; this turns out to be bank.htb. This follows the standard convention of HTB machines of the format .htb." Without guessing and following the HTB convention, how would one actually find it? I have tried dnsrecon, nslookup and dig, as I read from a bit of googling that those tools might help, but bank.htb doesn't come up in the results. Thanks

On most HTB boxes, DNS lookups won’t work so you can’t really treat them as you would in a real-world pentest.

Generally speaking, your HTB choices are:

  1. Guess. Most boxes will use something like boxname.htb but not always. I’d certainly always try this first.

  2. Check the enumeration. Nmap can give additional guidance when it probes the HTTP ports, sometimes responding with things like the boxname.

  3. Check any SSL certificates - they often have domain name hints.

  4. Fuzz. Make requests to FUZZ.htb against the IP address and see what the responses look like.

It’s the same with subdomains.
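To make option 4 concrete, here is an added, self-contained illustration (not code from this thread or from any HTB tooling) of what "make requests to FUZZ.htb against the IP address and see what the responses look like" actually means: the same GET is sent to one address with different Host headers, and any name whose response differs from a baseline request for a name that should match nothing is flagged. The target is a constructed local HTTP server that answers only to the hypothetical name bank.htb taken from the question, so the script runs entirely offline; the wordlist, the server's page bodies and the baseline name are all made up for the demo.

```python
"""Virtual-host discovery by response differencing, demonstrated offline.

Constructed demo: the "target" is a local HTTP server with one named
virtual host (bank.htb, the name from the thread).  Nothing here talks
to the network beyond 127.0.0.1.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

KNOWN_VHOST = "bank.htb"  # constructed: the only name the demo server recognises


class DemoHandler(BaseHTTPRequestHandler):
    """Stand-in for a web server that serves a named vhost and a default site."""

    def do_GET(self):
        # Strip any ":port" suffix so "bank.htb:8080" still matches.
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == KNOWN_VHOST:
            body = b"<html><title>Bank login</title><body>Welcome to the bank</body></html>"
        else:
            body = b"<html><body>Default site</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


def start_demo_server():
    """Start the constructed server on a free localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(ip, port, hostname, timeout=5):
    """One GET / to ip:port with an explicit Host header.

    Returns (status, body length): the cheap fingerprint most vhost
    fuzzers compare, since a different site usually means a different size.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def find_distinct_vhosts(ip, port, candidates, baseline_name="nonexistent-baseline.htb"):
    """Return the candidate names whose response differs from the baseline.

    The baseline is a name that should match nothing, so it captures what
    the server returns for "unknown host".  A candidate that produces a
    different (status, length) pair is the one worth looking at.
    """
    baseline = probe(ip, port, baseline_name)
    return [name for name in candidates if probe(ip, port, name) != baseline]


if __name__ == "__main__":
    server, port = start_demo_server()
    try:
        wordlist = ["www.htb", "bank.htb", "admin.htb", "mail.htb"]  # constructed
        print("baseline:", probe("127.0.0.1", port, "nonexistent-baseline.htb"))
        for name in wordlist:
            print(f"{name:>10}: {probe('127.0.0.1', port, name)}")
        print("distinct:", find_distinct_vhosts("127.0.0.1", port, wordlist))
    finally:
        server.shutdown()
```

The same comparison is what tools like ffuf or gobuster in vhost mode automate with a real wordlist; the point of the script is to show why a hostname that DNS never reveals can still be recognised from the server's own behaviour, and why a baseline request for a nonsense name is needed before any difference means anything.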

Thank you, it was really helpful.