Advertisement
wonkastocks

Pentesting 1 Information gathering

Jun 8th, 2018
6,091
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.12 KB | None | 0 0
  1. Info Gathering
  2. The more info we have, the more likely of success
  3.  
  4. Passive Info Gathering
  5. 1st phase of pentesting
  6. Consists of using publicly available information
  7. Target servers/websites
  8. How well is the website designed?
  9. How clean is the code?
  10. Google Search
  11. All the sites site:"example.com"
  12.  
  13. Remove any related to www site:"example.com" -site:"www.example.com"
  14.  
  15. Search for Powerpoint files with exact term site:"example.com" filetype:ppt "penetation testing"
  16.  
  17. Google Hacking
  18. Single out specific pages with this in title intitle:"VNC viewer for Java"
  19.  
  20. Example - Webcam inurl:"/control/userimage.html"
  21.  
  22. Specific host authentication signature - PHP inurl:php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin
  23.  
  24. Searching for compromised machines for known PHP vuln intitle:"-N3t" filetype:php undetectable
  25.  
  26. GHDB "Google Hacking Database"
  27. http://www.exploit-db.com/google-dorks/
  28.  
  29. Active Info Gathering
  30. DNS Enumeration
  31. Discover nameservers for a domain
  32. host -t ns magacorpone.com
  33.  
  34. Discover mail servers for a domain
  35. host -t mx megacorpone.com
  36.  
  37. Find IP address for server
  38. host www.megacorpone.com
  39.  
  40. Forward DNS Lookup
  41. Determine IPs of hostnames
  42.  
  43. Common host names
  44. www, ftp, mail, owa, proxy,router, admin, www2, firewall, mx, pop3
  45. forward.sh
  46.  
  47. #!/bin/bash
  48.  
  49. for name in $(cat list.txt); do
  50. host $name.megacorpone.com | grep "has address" | cut -d" " -f1,4
  51. done
  52. Reverse DNS Lookup
  53. Try to get hostnames for list of IPs
  54.  
  55. reverse.sh
  56.  
  57. #!/bin/bash
  58.  
  59. for ip in $(seq 72 91); do
  60. host 38.100.193.$ip | grep "megacorp" | cut -d" " -f1,5
  61. done
  62. DNS Zone Transfers
  63. DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
  64.  
  65. A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction. The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server. The portion of the database that is replicated is a zone.
  66.  
  67. The data contained in a DNS zone may be sensitive from an operational security aspect. This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.
  68.  
  69. Basically, anyone asking for a copy can get one
  70. host -t ns megacorpone.com
  71.  
  72. To get a list of DNS servers
  73. host -l megacorpone.com ns1.megacorpone.com
  74.  
  75. If fail, will say "Transfer failed"
  76. If success, will provide ip/hostname of all related hosts
  77. host -t ns megacorpone.com | cut -d" " -f4
  78.  
  79. parse just the DNS hostnames
  80. for server in $(host -t ns megacorpone.com | cut -d" " -f4); do host -l megacorpone.com $server; done
  81.  
  82. axfr.sh
  83.  
  84. #!/bin/bash
  85. # Simple Zone Transfer Bash Script
  86. # $1 is the first argument given after the bash Script
  87. # Check if argument was given, if not, print usage
  88.  
  89. if [ -z "$1" ]; then
  90. echo "[*] Simple Zone transfer script"
  91. echo "[*] Usage : $0 <domain name> "
  92. exit 0
  93. fi
  94.  
  95. # If argument was given, identify the DNS servers for the domain.
  96. # For each of these servers, attempt a zone transfer
  97.  
  98. for server in $(host -t ns $1 | cut -d" " -f4); do
  99. host -l $1 $server | grep "has address"
  100. done
  101. Port Scanning
  102. TCP Connect Scan
  103. relives on 3-way TCP handshake mechanism
  104. In Wireshark,
  105.  
  106. Pick capture interface
  107. Capture filter: host $IP
  108. Disable Name Resolution on MAC and transport name fields
  109. Using netcat, nc -nvv -w 1 -z $IP $PORT_RANGE
  110. SYN > RST = connection refused/closed SYN, SYN ACK, FIN = open port
  111.  
  112. SYN Scanning
  113. Involves sending SYN packets without sending FIN
  114. Often bypasses firewalls
  115. no longer that effective
  116. UDP Scanning
  117. stateless
  118. For UDP ports, use -u with netcat nc -unvv -w 1 -z $IP $PORT_RANGE
  119.  
  120. If closed, ICMP packet is sent back
  121. If open, nothing is sent back
  122. Network Implication
  123. Be aware of type and amount of traffic generated in Network Scanning
  124. Nmap
  125. nmap -h Help page
  126.  
  127. /usr/share/nmap-services - contains port names/transport protocols and probability
  128.  
  129. Traffic Accountability
  130. iptables-counters.sh
  131.  
  132. #!/bin/bash
  133.  
  134. # reset all counters and iptables rules
  135. iptables -Z && iptables -F
  136. # measure incoming traffic to some ip
  137. iptables -I INPUT 1 -s $SOME_IP -j ACCEPT
  138. # measure outgoing traffic to some ip
  139. iptables -I OUTPUT -d $SOME_IP -j ACCEPT
  140. Run the iptables-counters.sh
  141. nmap $SOME_IP
  142. by default, will run tcp syn scan
  143. iptables -vn -L
  144. will reveal the amount of traffic generated
  145. Network sweeping
  146. ICMP sweep
  147.  
  148. nmap -sn $IP_RANGE
  149.  
  150. -o to create a grep-able output to a file
  151.  
  152. nmap -sn $IP_RANGE -oG ping-sweep-nmap
  153.  
  154. Specify a port
  155.  
  156. nmap -p 80 $IP_RANGE -oG port80open
  157.  
  158. TCP Connect Scan for 20 most common ports
  159.  
  160. nmap -sT --top-ports 20 $IP_RANGE -oG top-port-sweep.txt
  161.  
  162. Nmap OS Discovery and Banner Enumeration
  163. Banner grabbing
  164.  
  165. enumerated service versions
  166. nmap -A $IP
  167.  
  168. Nmap NSE Scripts
  169. Nmap scripting engine /usr/share/nmap/scripts
  170. SMB Enumeration
  171. Only display results with open SMB ports
  172.  
  173. nmap -p 139,445 $IP_RANGE --open
  174.  
  175. nbtscan
  176. nbtscan $IP_RANGE
  177.  
  178. can list logged in users and hostnames
  179. SMB Null sessions
  180. to allow unauthenticated users to find out info about the machines
  181. Windows XP, NT, 2000 has it on by default
  182. rpcclient -U "" $IP
  183.  
  184. Explore a remote smb service with an empty username/password
  185. rpcclient $> srvinfo
  186.  
  187. Allows further info on Windows version
  188. rpcclient $> enumdomusers
  189.  
  190. Get a list of users
  191. rpcclient $> getdompwinfo
  192.  
  193. Get password info (not the password)
  194. enum4linux
  195. runs various smb enumeration procedures
  196. enum4linux -v $IP
  197.  
  198. full list of usernames, shares, policies, and more
  199. Nmap SMB NSE scripts
  200. ls -l /usr/share/nmap/scripts/ | grep smb
  201.  
  202. nmap -p 139,445 --script smb-enum-users $IP
  203.  
  204. enumerated SMB usernames
  205. nmap -p 139,445 --script smb-check-vulns --script-args=unsafe=1 $IP
  206.  
  207. checks for vulns
  208. SMTP enumeration
  209. under certain misconfigurations, info can be gathered
  210. VRFY & EXPN
  211. divulge info on users
  212. nc -nv $IP 25
  213.  
  214. replies with a Banner VRFY bob
  215. will return 250 if user is on system, otherwise of 550
  216. VRFY script
  217. create a list of users
  218. for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 $IP 25 2>/dev/null | grep ^"250"; done
  219. Python port of VRFY script
  220. vrfy.py
  221.  
  222. #!/usr/bin/python
  223.  
  224. import socket
  225. import sys
  226.  
  227. if len(sys.argv) != 2:
  228. print "Usage: vrfy.py <username>"
  229. sys.exit(0)
  230.  
  231. s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Create a Socket
  232. connect=s.connect(('$IP', 25)) # Connect to the server
  233. banner=s.recv(1024) # Receive the banner
  234. print banner
  235. s.send('VRFY ' + sys.argv[1] + '\r\n') # VRFY a user
  236. result=s.recv(1024)
  237. print result
  238. s.close() # Close the socket
  239. SNMP Enumeration
  240. based on UDP
  241. susceptible to ICMP
  242. SNMP MiB
  243. port 161
  244. nmap -sU --open -p 161 $IP_RANGE --open
  245.  
  246. -U scans UDP
  247. onesixtyone
  248.  
  249. onesixty one -c COMMUNITY_STRINGS.txt -i IPs.txt
  250.  
  251. SNMPWalk
  252. need community string
  253. snmpwalk -c public -v1 $IP
  254.  
  255. too much info
  256. snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.4.2.1.2
  257.  
  258. searches for running programs (see community string specified)
  259. Other snmp tools
  260. snmpenum
  261. snmpcheck
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement