- Info Gathering
- The more information gathered up front, the more likely the engagement succeeds
- Passive Info Gathering
- 1st phase of pentesting
- Consists of using publicly available information
- Target servers/websites
- How well is the website designed?
- How clean is the code?
- Google Search
- All the sites site:"example.com"
- Remove any related to www site:"example.com" -site:"www.example.com"
- Search for PowerPoint files containing an exact term: site:"example.com" filetype:ppt "penetration testing"
- Google Hacking
- Single out specific pages with this in title intitle:"VNC viewer for Java"
- Example - Webcam inurl:"/control/userimage.html"
- Fingerprint a specific application on a host, e.g. phpMyAdmin: inurl:php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin
- Searching for compromised machines for known PHP vuln intitle:"-N3t" filetype:php undetectable
- GHDB "Google Hacking Database"
- http://www.exploit-db.com/google-dorks/
- Active Info Gathering
- DNS Enumeration
- Discover nameservers for a domain
- host -t ns megacorpone.com
- Discover mail servers for a domain
- host -t mx megacorpone.com
- Find IP address for server
- host www.megacorpone.com
- Forward DNS Lookup
- Determine IPs of hostnames
- Common host names
- www, ftp, mail, owa, proxy, router, admin, www2, firewall, mx, pop3
- forward.sh
    #!/bin/bash
    # Resolve each common hostname in list.txt under the target domain
    # and print only the ones that exist, as "hostname address"
    for name in $(cat list.txt); do
        host "$name.megacorpone.com" | grep "has address" | cut -d" " -f1,4
    done
- Reverse DNS Lookup
- Try to get hostnames for list of IPs
- reverse.sh
    #!/bin/bash
    # Walk a range of addresses in 38.100.193.0/24 and keep the PTR
    # answers that belong to the target organisation
    for ip in $(seq 72 91); do
        host "38.100.193.$ip" | grep "megacorp" | cut -d" " -f1,5
    done
- DNS Zone Transfers
- DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
- A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction. The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server. The portion of the database that is replicated is a zone.
- The data contained in a DNS zone may be sensitive from an operational security aspect. This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.
- When transfers are not restricted to the secondary servers, anyone asking for a copy of the zone can get one
- host -t ns megacorpone.com
- To get a list of DNS servers
- host -l megacorpone.com ns1.megacorpone.com
- If it fails, the output says "Transfer failed"
- If it succeeds, the output lists the IP/hostname of every host in the zone
- host -t ns megacorpone.com | cut -d" " -f4
- parse just the DNS hostnames
- for server in $(host -t ns megacorpone.com | cut -d" " -f4); do host -l megacorpone.com $server; done
- axfr.sh
    #!/bin/bash
    # Simple Zone Transfer Bash Script
    # $1 is the first argument given after the script name (the domain)
    # Check if an argument was given; if not, print usage
    if [ -z "$1" ]; then
        echo "[*] Simple Zone transfer script"
        echo "[*] Usage : $0 <domain name> "
        exit 0
    fi
    # If an argument was given, identify the DNS servers for the domain.
    # For each of these servers, attempt a zone transfer
    for server in $(host -t ns "$1" | cut -d" " -f4); do
        host -l "$1" "$server" | grep "has address"
    done
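An added example (not part of the original notes) for auditing your own domain the way axfr.sh does, but reporting per nameserver which ones still answer AXFR and handling the "Transfer failed" case. The domain, nameservers and `host -l` output below are constructed; `run` can be injected so the parser is testable offline.

```python
import subprocess

# Constructed sample of "host -l <domain> <nameserver>" output for two
# nameservers: ns1 refuses the transfer, ns2 hands out the whole zone.
SAMPLE_OUTPUT = {
    "ns1.example.com": "; Transfer failed.\n",
    "ns2.example.com": (
        "example.com name server ns1.example.com.\n"
        "example.com name server ns2.example.com.\n"
        "admin.example.com has address 192.0.2.10\n"
        "www.example.com has address 192.0.2.11\n"
        "mail.example.com has address 192.0.2.12\n"
    ),
}


def parse_transfer(output):
    """Return (allowed, {hostname: ip}) for one nameserver's host -l output."""
    hosts = {}
    for line in output.splitlines():
        parts = line.split()
        # "name server" and other record lines are skipped; only A records kept
        if len(parts) == 4 and parts[1:3] == ["has", "address"]:
            hosts[parts[0]] = parts[3]
    return ("Transfer failed" not in output and bool(hosts), hosts)


def audit_zone_transfers(domain, nameservers, run=None):
    """Try AXFR against each nameserver of a domain you own and report
    which ones allow it. run(ns) -> text is injectable; by default it
    shells out to the same "host -l" command used in axfr.sh."""
    def real_run(ns):
        proc = subprocess.run(["host", "-l", domain, ns],
                              capture_output=True, text=True)
        return proc.stdout + proc.stderr
    run = run or real_run
    report = {}
    for ns in nameservers:
        allowed, hosts = parse_transfer(run(ns))
        report[ns] = {"allows_axfr": allowed, "records": len(hosts)}
    return report


if __name__ == "__main__":
    # Offline demo against the constructed output; any ns with
    # allows_axfr=True needs its allow-transfer list tightened.
    print(audit_zone_transfers("example.com", list(SAMPLE_OUTPUT), run=SAMPLE_OUTPUT.get))
```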
- Port Scanning
- TCP Connect Scan
- relies on the 3-way TCP handshake mechanism
- In Wireshark,
- Pick capture interface
- Capture filter: host $IP
- Disable Name Resolution on MAC and transport name fields
- Using netcat, nc -nvv -w 1 -z $IP $PORT_RANGE
- SYN answered by RST = connection refused, port closed; SYN, SYN/ACK, then FIN to tear down = open port
- SYN Scanning
- Involves sending SYN packets without ever completing the handshake (no FIN is sent)
- Historically often bypassed firewalls
- No longer that effective against modern stateful firewalls
- UDP Scanning
- stateless
- For UDP ports, use -u with netcat nc -unvv -w 1 -z $IP $PORT_RANGE
- If the port is closed, an ICMP port unreachable packet is sent back
- If open, nothing is sent back (a filtered port is also silent, so no reply is ambiguous)
- Network Implications
- Be aware of type and amount of traffic generated in Network Scanning
- Nmap
- nmap -h Help page
- /usr/share/nmap-services - contains port names/transport protocols and probability
- Traffic Accountability
- iptables-counters.sh
    #!/bin/bash
    # Usage: ./iptables-counters.sh <target ip>
    SOME_IP="$1"
    if [ -z "$SOME_IP" ]; then
        echo "Usage: $0 <target ip>"
        exit 1
    fi
    # reset all counters and iptables rules
    iptables -Z && iptables -F
    # count incoming traffic from the target ip
    iptables -I INPUT 1 -s "$SOME_IP" -j ACCEPT
    # count outgoing traffic to the target ip
    iptables -I OUTPUT 1 -d "$SOME_IP" -j ACCEPT
- Run iptables-counters.sh with the target IP, then scan it
- nmap $SOME_IP
- by default (when run as root) nmap performs a TCP SYN scan
- iptables -vn -L
- the packet and byte counters on the two rules show the amount of traffic the scan generated
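An added example (not part of the original notes) showing the other side of the traffic question above: detection logic run over iptables LOG lines to spot the many-ports-from-one-source pattern that a TCP connect/SYN scan or a UDP scan leaves behind. It assumes a logging rule such as `iptables -A INPUT -j LOG` is in place; the log lines are constructed.

```python
import re
from collections import defaultdict

# Fields iptables LOG writes for every packet; the trailing part holds TCP flags
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
                    r" SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)")

# Constructed sample of iptables LOG lines (not a real capture): 10.0.0.5 probes
# five TCP ports and one UDP port in two seconds; 10.0.0.7 is a normal HTTPS client.
SAMPLE_LOG = """\
Jan 12 10:15:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=44 PROTO=TCP SPT=40000 DPT=21 WINDOW=1024 SYN URGP=0
Jan 12 10:15:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=44 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 SYN URGP=0
Jan 12 10:15:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=44 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 SYN URGP=0
Jan 12 10:15:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=44 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 SYN URGP=0
Jan 12 10:15:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=44 PROTO=TCP SPT=40000 DPT=139 WINDOW=1024 SYN URGP=0
Jan 12 10:15:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=29 PROTO=UDP SPT=40001 DPT=161 LEN=9
Jan 12 10:15:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.9 LEN=60 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN URGP=0
"""


def parse_log(text):
    """Return one dict per parsable LOG line; syn_only marks a bare SYN (no ACK)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        flags = m["rest"]
        entries.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                        "dpt": int(m["dpt"]),
                        "syn_only": m["proto"] == "TCP" and "SYN" in flags and "ACK" not in flags})
    return entries


def detect_scans(entries, min_ports=5):
    """Flag (src, dst) pairs that touched at least min_ports distinct ports."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["src"], e["dst"])].add((e["proto"], e["dpt"]))
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan {src} -> {dst}: {len(ports)} ports, e.g. {ports[:3]}")
```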
- Network sweeping
- ICMP sweep
- nmap -sn $IP_RANGE
- -oG writes grep-able output to a file
- nmap -sn $IP_RANGE -oG ping-sweep-nmap
- Specify a port
- nmap -p 80 $IP_RANGE -oG port80open
- TCP Connect Scan for 20 most common ports
- nmap -sT --top-ports 20 $IP_RANGE -oG top-port-sweep.txt
- Nmap OS Discovery and Banner Enumeration
- Banner grabbing
- enumerates service versions
- nmap -A $IP (OS detection, version detection, default scripts and traceroute in one run)
- Nmap NSE Scripts
- Nmap scripting engine /usr/share/nmap/scripts
- SMB Enumeration
- Only display results with open SMB ports
- nmap -p 139,445 $IP_RANGE --open
- nbtscan
- nbtscan $IP_RANGE
- can list logged in users and hostnames
- SMB Null sessions
- to allow unauthenticated users to find out info about the machines
- Windows NT, 2000 and XP have it on by default
- rpcclient -U "" $IP
- Explore a remote smb service with an empty username/password
- rpcclient $> srvinfo
- Allows further info on Windows version
- rpcclient $> enumdomusers
- Get a list of users
- rpcclient $> getdompwinfo
- Get password info (not the password)
- enum4linux
- runs various smb enumeration procedures
- enum4linux -v $IP
- full list of usernames, shares, policies, and more
- Nmap SMB NSE scripts
- ls -l /usr/share/nmap/scripts/ | grep smb
- nmap -p 139,445 --script smb-enum-users $IP
- enumerated SMB usernames
- nmap -p 139,445 --script smb-check-vulns --script-args=unsafe=1 $IP
- checks for known SMB vulns (unsafe=1 permits probes that can crash the service; newer Nmap releases dropped smb-check-vulns in favour of the smb-vuln-* scripts)
- SMTP enumeration
- under certain misconfigurations, info can be gathered
- VRFY & EXPN
- divulge info on users
- nc -nv $IP 25
- server replies with a banner; then send VRFY bob
- returns 250 if the user exists on the system, otherwise 550
- VRFY script
- create a list of users
- for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 $IP 25 2>/dev/null | grep ^"250"; done
- Python port of VRFY script
- vrfy.py
    #!/usr/bin/env python3
    import socket
    import sys

    if len(sys.argv) != 3:
        print("Usage: vrfy.py <server ip> <username>")
        sys.exit(0)

    server, user = sys.argv[1], sys.argv[2]
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # Create a socket
    s.connect((server, 25))                                 # Connect to the SMTP server
    banner = s.recv(1024)                                   # Receive the banner
    print(banner.decode(errors="replace").strip())
    s.send(("VRFY " + user + "\r\n").encode())              # VRFY a user
    result = s.recv(1024)                                   # 250 = user exists, 550 = unknown
    print(result.decode(errors="replace").strip())
    s.close()                                               # Close the socket
- SNMP Enumeration
- based on UDP
- susceptible to ICMP
- SNMP MIB (Management Information Base)
- port 161
- nmap -sU --open -p 161 $IP_RANGE
- -sU scans UDP; --open shows only hosts with the port open
- onesixtyone
- onesixtyone -c COMMUNITY_STRINGS.txt -i IPs.txt
- SNMPWalk
- need community string
- snmpwalk -c public -v1 $IP
- walks the whole MIB tree, which is too much info
- snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.4.2.1.2
- walks only the running-programs subtree (hrSWRunName), using the community string given with -c
- Other snmp tools
- snmpenum
- snmpcheck