forked from blaCCkHatHacEEkr/PENTESTING-BIBLE
pentesting_1_information_gathering.txt
Info Gathering
The more information we have, the more likely success is
Passive Info Gathering
1st phase of pentesting
Consists of using publicly available information
Target servers/websites
How well is the website designed?
How clean is the code?
Google Search
List every indexed page of a domain: site:"example.com"
Exclude the www host: site:"example.com" -site:"www.example.com"
Find PowerPoint files containing an exact phrase: site:"example.com" filetype:ppt "penetration testing"
Google Hacking
Single out specific pages with this in title intitle:"VNC viewer for Java"
Example - Webcam inurl:"/control/userimage.html"
Specific host authentication signature - PHP inurl:php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin
Searching for compromised machines for known PHP vuln intitle:"-N3t" filetype:php undetectable
GHDB "Google Hacking Database"
http://www.exploit-db.com/google-dorks/
Active Info Gathering
DNS Enumeration
Discover nameservers for a domain
host -t ns megacorpone.com
Discover mail servers for a domain
host -t mx megacorpone.com
Find IP address for server
host www.megacorpone.com
Forward DNS Lookup
Determine IPs of hostnames
Common host names
www, ftp, mail, owa, proxy, router, admin, www2, firewall, mx, pop3
forward.sh (reads one candidate host name per line from list.txt)
#!/bin/bash
# For each candidate name, resolve it under the target domain and keep only
# the "has address" lines, printing "<hostname> <ip>"
while read -r name; do
    host "$name.megacorpone.com" | grep "has address" | cut -d" " -f1,4
done < list.txt
Reverse DNS Lookup
Try to get hostnames for list of IPs
reverse.sh
#!/bin/bash
# Walk 38.100.193.72-91, resolve each PTR record and keep only results in the
# target's namespace, printing "<in-addr.arpa name> <hostname>"
for ip in $(seq 72 91); do
    host "38.100.193.$ip" | grep "megacorp" | cut -d" " -f1,5
done
DNS Zone Transfers
DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction. The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server. The portion of the database that is replicated is a zone.
The data contained in a DNS zone may be sensitive from an operational security aspect. This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.
On a misconfigured server, anyone who asks for a copy gets one
Get the list of name servers for the domain
host -t ns megacorpone.com
Request a zone transfer from one of them
host -l megacorpone.com ns1.megacorpone.com
On failure it prints "Transfer failed"
On success it prints the IP address and hostname of every host in the zone
Parse out just the name server hostnames (4th field)
host -t ns megacorpone.com | cut -d" " -f4
Try a zone transfer against each name server
for server in $(host -t ns megacorpone.com | cut -d" " -f4); do host -l megacorpone.com "$server"; done
axfr.sh
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash Script
# Check if argument was given, if not, print usage
if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain name> "
    exit 0
fi
# If argument was given, identify the DNS servers for the domain.
# For each of these servers, attempt a zone transfer
for server in $(host -t ns "$1" | cut -d" " -f4); do
    host -l "$1" "$server" | grep "has address"
done
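The forward, reverse and zone transfer scripts above all scrape `host` output with grep and cut. The following is an added example, not part of the original notes, that parses that output into records instead, so the same code serves all three lookups and also recognises the "Transfer failed" case. The sample output and the example.test names are constructed for the demo, not real data.

```python
#!/usr/bin/env python3
"""Parse the text `host` prints (forward, reverse and `host -l` zone transfer
output) into structured records. Added example; not part of the original notes."""
import re
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    name: str    # owner name, trailing dot stripped
    rtype: str   # A, AAAA, MX, NS, PTR
    value: str   # address or target host


# One pattern per phrasing `host` uses; group 1 is the owner name, group 2 the data.
PATTERNS = [
    ("A",    re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA", re.compile(r"^(\S+) has IPv6 address (\S+)$")),
    ("MX",   re.compile(r"^(\S+) mail is handled by \d+ (\S+)$")),
    ("NS",   re.compile(r"^(\S+) name server (\S+)$")),
    ("PTR",  re.compile(r"^(\S+) domain name pointer (\S+)$")),
]


def parse_host_output(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank lines and ';' comments
            continue
        for rtype, pat in PATTERNS:
            m = pat.match(line)
            if m:
                records.append(Record(m.group(1).rstrip("."), rtype, m.group(2).rstrip(".")))
                break                             # "Using domain server" header lines match nothing
    return records


def transfer_failed(text: str) -> bool:
    """`host -l` prints '; Transfer failed.' when the server refuses AXFR."""
    return "Transfer failed" in text


def ptr_to_ip(name: str) -> str:
    """'20.2.0.192.in-addr.arpa' -> '192.0.2.20'"""
    labels = name.split(".")
    if name.endswith(".in-addr.arpa"):
        return ".".join(reversed(labels[:-2]))
    return name


def hosts_by_address(records: List[Record]) -> Dict[str, List[str]]:
    """Map each address to the hostnames that resolve to it (A/AAAA/PTR)."""
    out: Dict[str, List[str]] = {}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            out.setdefault(r.value, []).append(r.name)
        elif r.rtype == "PTR":
            out.setdefault(ptr_to_ip(r.name), []).append(r.value)
    return out


# Constructed sample output, in the layout `host -l` prints (not real data).
SAMPLE_AXFR = """\
Using domain server:
Name: ns1.example.test
Address: 192.0.2.10#53
Aliases:

example.test name server ns1.example.test.
example.test mail is handled by 10 mail.example.test.
www.example.test has address 192.0.2.20
mail.example.test has address 192.0.2.21
admin.example.test has address 192.0.2.20
"""
SAMPLE_REVERSE = "20.2.0.192.in-addr.arpa domain name pointer www.example.test.\n"
SAMPLE_FAILED = "; Transfer failed.\n"

if __name__ == "__main__":
    recs = parse_host_output(SAMPLE_AXFR)
    for r in recs:
        print(f"{r.rtype:5} {r.name:25} {r.value}")
    print(hosts_by_address(recs))
    print("failed sample:", transfer_failed(SAMPLE_FAILED))
```

Pipe real `host` output into `parse_host_output` and the records come back typed, which makes it easy to spot several names sharing one address (virtual hosts) or mail servers outside the main range.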
Port Scanning
TCP Connect Scan
relies on the 3-way TCP handshake mechanism
In Wireshark,
Pick capture interface
Capture filter: host $IP
Disable name resolution on the MAC and transport name fields
Using netcat: nc -nvv -w 1 -z $IP $PORT_RANGE
SYN > RST = connection refused / closed port
SYN, SYN ACK, FIN = open port
SYN Scanning
Involves sending SYN packets without sending FIN
Often bypasses firewalls
no longer that effective
UDP Scanning
stateless
For UDP ports, use -u with netcat: nc -unvv -w 1 -z $IP $PORT_RANGE
If closed, an ICMP port unreachable packet is sent back
If open, nothing is sent back (so no reply can also mean filtered)
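The TCP connect and UDP sections above describe what the scanner sees for open and closed ports. The following is an added example, not part of the original notes, that shows those observations in code against throwaway listeners on the local host (no real target is involved), including the UDP ambiguity where silence means either open or filtered.

```python
#!/usr/bin/env python3
"""What a TCP connect scan and a UDP probe actually observe, demonstrated
against throwaway listeners on 127.0.0.1 so it runs offline.
Added example; not part of the original notes."""
import socket


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """connect() drives the full three-way handshake:
    SYN/ACK answered -> 'open'; RST -> 'closed' (ECONNREFUSED);
    no answer before the timeout -> 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()          # tears the connection down again, as nc -z does


def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """UDP has no handshake. A closed port answers with ICMP port unreachable,
    which the kernel reports as ECONNREFUSED on a connected UDP socket.
    Silence is ambiguous: an open service that ignored the datagram and a
    firewall dropping it look the same ('open|filtered')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1024)
        return "open"       # an application-level reply proves the port is open
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def scan_tcp_ports(host, ports, timeout=0.5):
    """Connect-scan a list of ports, like nc -z over a range."""
    return {p: tcp_connect_probe(host, p, timeout) for p in ports}


def open_tcp_listener(host="127.0.0.1"):
    """Throwaway listener on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def open_udp_listener(host="127.0.0.1"):
    """Bound UDP socket that never answers, i.e. a silent open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_tcp_listener()
    print("listening tcp port:", tcp_connect_probe("127.0.0.1", port))
    srv.close()
    print("same port after close:", tcp_connect_probe("127.0.0.1", port))
    usrv, uport = open_udp_listener()
    print("bound udp port:", udp_probe("127.0.0.1", uport, 0.3))
    usrv.close()
    print("unbound udp port:", udp_probe("127.0.0.1", uport, 0.3))
```

The same ambiguity is why UDP sweeps are slow and noisy: every silent port costs a full timeout, and a host that rate-limits ICMP unreachables makes closed ports look open|filtered too.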
Network Implication
Be aware of type and amount of traffic generated in Network Scanning
Nmap
nmap -h (help page)
/usr/share/nmap-services - contains port names/transport protocols and probability
Traffic Accountability
iptables-counters.sh
#!/bin/bash
# reset all counters and iptables rules
iptables -Z && iptables -F
# count incoming traffic from some ip
iptables -I INPUT 1 -s "$SOME_IP" -j ACCEPT
# count outgoing traffic to some ip
iptables -I OUTPUT -d "$SOME_IP" -j ACCEPT
Run iptables-counters.sh, then scan the host
nmap $SOME_IP
by default (when run as root) this is a TCP SYN scan
Then list the rules with their counters
iptables -vn -L
the pkts/bytes columns of the two inserted rules show how much traffic the scan generated
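Reading the counters off `iptables -vn -L` by eye works for one host; the following added example (not part of the original notes) parses that output so the traffic a scan generated against one address can be reported as numbers, and it handles the abbreviated counters ("41K") that iptables prints unless `-x` is given. The sample output and its numbers are constructed.

```python
#!/usr/bin/env python3
"""Read per-rule packet/byte counters out of `iptables -vn -L` text.
Added example; not part of the original notes. The sample output is
constructed in iptables' -vn layout (the numbers are made up)."""
from typing import Dict, Tuple

SAMPLE = """\
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1034 41360 ACCEPT     all  --  *      *       10.11.1.5            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 30 packets, 2400 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1010 60600 ACCEPT     all  --  *      *       0.0.0.0/0            10.11.1.5
"""

# Without -x, iptables abbreviates large counters (e.g. "1234K");
# `iptables -vnx -L` prints them exactly. Handle both spellings.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def counter(token: str) -> int:
    if token[-1] in SUFFIX:
        return int(token[:-1]) * SUFFIX[token[-1]]
    return int(token)


Key = Tuple[str, str, str]   # (chain, source, destination)


def parse_counters(text: str) -> Dict[Key, Tuple[int, int]]:
    """One (pkts, bytes) entry per rule line, keyed by chain/source/destination.
    Column order in -vn output is fixed: pkts bytes target prot opt in out src dst."""
    chain = None
    rules: Dict[Key, Tuple[int, int]] = {}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            chain = f[1]
        elif f[0] == "pkts":
            continue                       # column header row
        elif chain and len(f) >= 9 and f[0][0].isdigit():
            rules[(chain, f[7], f[8])] = (counter(f[0]), counter(f[1]))
    return rules


def traffic_for(text: str, ip: str) -> Dict[str, Tuple[int, int]]:
    """Sum packets/bytes of INPUT rules sourced from ip and OUTPUT rules destined to it,
    i.e. the two rules the counters script inserts."""
    totals = {"in": (0, 0), "out": (0, 0)}
    for (chain, src, dst), (p, b) in parse_counters(text).items():
        if chain == "INPUT" and src == ip:
            key = "in"
        elif chain == "OUTPUT" and dst == ip:
            key = "out"
        else:
            continue
        totals[key] = (totals[key][0] + p, totals[key][1] + b)
    return totals


if __name__ == "__main__":
    t = traffic_for(SAMPLE, "10.11.1.5")
    print(f"received {t['in'][0]} packets / {t['in'][1]} bytes, "
          f"sent {t['out'][0]} packets / {t['out'][1]} bytes")
```

Run `iptables -vnx -L | python3 thisfile.py`-style capture after each scan type (-sT, -sS, -sU, -A) and the numbers make the "network implication" concrete: a default SYN scan of 1000 ports is on the order of a thousand packets each way before version probing is added.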
Network sweeping
ICMP sweep (host discovery only, no port scan)
nmap -sn $IP_RANGE
-oG writes grep-able output to a file
nmap -sn $IP_RANGE -oG ping-sweep-nmap
Specify a port
nmap -p 80 $IP_RANGE -oG port80open
TCP Connect Scan for the 20 most common ports
nmap -sT --top-ports 20 $IP_RANGE -oG top-port-sweep.txt
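The sweeps above all write grep-able (-oG) files, which are usually mined with grep and cut. The following added example, not part of the original notes, is a small parser for that format that answers the questions the sweeps are run for: which hosts are up, and which hosts have a given port open. The sample file content is constructed in the -oG layout, not a real scan.

```python
#!/usr/bin/env python3
"""Parser for nmap's grep-able (-oG) output. Added example; not part of the
original notes. SAMPLE is constructed in the -oG layout (not a real scan)."""
from typing import Dict, List, NamedTuple


class Port(NamedTuple):
    number: int
    state: str
    proto: str
    service: str


# Each host line is tab-separated "Key: value" fields; '#' lines are header/footer.
SAMPLE = """\
# Nmap 7.91 scan initiated as: nmap -sT --top-ports 20 -oG top-port-sweep.txt 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (17)
Host: 10.11.1.8 ()\tStatus: Up
Host: 10.11.1.8 ()\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (18)
Host: 10.11.1.9 ()\tStatus: Down
# Nmap done at ...: 256 IP addresses (2 hosts up) scanned
"""


def parse_grepable(text: str) -> List[Dict[str, str]]:
    """One dict per 'Host:' line, e.g. {'Host': '10.11.1.5', 'Status': 'Up'}."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # skip comment lines
        row = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            row[key] = value
        row["Host"] = row["Host"].split(" ")[0]       # drop the "(hostname)" part
        rows.append(row)
    return rows


def parse_ports(ports_field: str) -> List[Port]:
    """'22/open/tcp//ssh///, 80/open/tcp//http///' -> [Port(22,'open','tcp','ssh'), ...]
    Field layout per entry: port/state/proto/owner/service/rpc/version/"""
    result = []
    for entry in ports_field.split(", "):
        parts = entry.split("/")
        result.append(Port(int(parts[0]), parts[1], parts[2], parts[4]))
    return result


def hosts_up(text: str) -> List[str]:
    return [r["Host"] for r in parse_grepable(text) if r.get("Status") == "Up"]


def open_ports(text: str) -> Dict[str, List[Port]]:
    """host -> open ports, taken from the 'Ports:' lines only."""
    out: Dict[str, List[Port]] = {}
    for r in parse_grepable(text):
        if "Ports" in r:
            out[r["Host"]] = [p for p in parse_ports(r["Ports"]) if p.state == "open"]
    return out


def hosts_with_open_port(text: str, port: int) -> List[str]:
    return [h for h, ports in open_ports(text).items() if any(p.number == port for p in ports)]


if __name__ == "__main__":
    print("up:", hosts_up(SAMPLE))
    print("port 80 open:", hosts_with_open_port(SAMPLE, 80))
    for host, ports in open_ports(SAMPLE).items():
        print(host, [(p.number, p.service) for p in ports])
```

Feeding the real top-port-sweep.txt in gives the same answers as `grep "80/open"`, but keeps port, state and service separate, so closed and filtered ports are not counted as hits.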
Nmap OS Discovery and Banner Enumeration
Banner grabbing
enumerate service versions
nmap -A $IP
Nmap NSE Scripts
Nmap scripting engine /usr/share/nmap/scripts
SMB Enumeration
Only display results with open SMB ports
nmap -p 139,445 $IP_RANGE --open
nbtscan
nbtscan $IP_RANGE
can list logged in users and hostnames
SMB Null sessions
to allow unauthenticated users to find out info about the machines
Windows XP, NT and 2000 have it on by default
rpcclient -U "" $IP
Explore a remote smb service with an empty username/password
rpcclient $> srvinfo
Allows further info on Windows version
rpcclient $> enumdomusers
Get a list of users
rpcclient $> getdompwinfo
Get password info (not the password)
enum4linux
runs various smb enumeration procedures
enum4linux -v $IP
full list of usernames, shares, policies, and more
Nmap SMB NSE scripts
ls -l /usr/share/nmap/scripts/ | grep smb
nmap -p 139,445 --script smb-enum-users $IP
enumerates SMB usernames
nmap -p 139,445 --script smb-check-vulns --script-args=unsafe=1 $IP
checks for vulns (smb-check-vulns has since been removed from Nmap in favour of the separate smb-vuln-* scripts)
SMTP enumeration
under certain misconfigurations, info can be gathered
VRFY & EXPN
divulge info on users
nc -nv $IP 25
the server replies with a banner; then send: VRFY bob
returns 250 if the user is on the system, otherwise 550
VRFY script
create a list of users (users.txt) and try each one
for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 "$IP" 25 2>/dev/null | grep ^"250"; done
Python port of VRFY script
vrfy.py
#!/usr/bin/env python3
import socket
import sys

TARGET = "$IP"  # replace with the server address, as in the shell examples

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # Create a socket
s.connect((TARGET, 25))  # Connect to the server
banner = s.recv(1024)  # Receive the banner
print(banner.decode(errors="replace"))
s.send(("VRFY " + sys.argv[1] + "\r\n").encode())  # VRFY a user
result = s.recv(1024)
print(result.decode(errors="replace"))
s.close()  # Close the socket
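The VRFY script above keys everything on a 250 reply. The following added example, not part of the original notes, runs the same exchange end-to-end against a scripted in-process SMTP responder so it works offline, reads multi-line replies properly, and distinguishes a third outcome the notes do not mention: a 252 reply ("cannot VRFY user, but will accept message"), which is what a mail server configured to disable VRFY sends and which reveals nothing about the user. The responder, its user list and the example.test names are constructed for the demo.

```python
#!/usr/bin/env python3
"""VRFY exchange with reply-code handling, run against a scripted SMTP
responder over a socketpair. Added example; not part of the original notes.
The responder and FAKE_USERS are constructed for the demo."""
import socket
import threading

FAKE_USERS = {"bob", "alice"}   # constructed user list for the responder


def scripted_smtp_server(conn, vrfy_enabled=True):
    """Minimal responder: banner, then answers VRFY and QUIT.
    With vrfy_enabled=False it behaves like a hardened mailer and answers 252."""
    conn.sendall(b"220 mail.example.test ESMTP (demo)\r\n")
    buf = b""
    while True:
        data = conn.recv(1024)
        if not data:
            break
        buf += data
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            cmd, _, arg = line.decode().partition(" ")
            if cmd.upper() == "VRFY":
                if not vrfy_enabled:
                    conn.sendall(b"252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery\r\n")
                elif arg in FAKE_USERS:
                    conn.sendall(f"250 2.1.5 <{arg}@example.test>\r\n".encode())
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif cmd.upper() == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                conn.close()
                return
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")
    conn.close()


def read_reply(sock) -> str:
    """Read one SMTP reply, including multi-line 'NNN-' continuation lines."""
    lines = []
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append(line.decode(errors="replace"))
            if len(line) < 4 or line[3:4] != b"-":   # 'NNN ' ends the reply, 'NNN-' continues it
                return "\n".join(lines)
    return "\n".join(lines)


def classify_vrfy(reply: str) -> str:
    code = reply[:3]
    if code in ("250", "251"):
        return "exists"
    if code == "252":
        return "unverifiable"    # server declines to confirm: no enumeration signal
    if code.startswith("5"):
        return "unknown"
    return "other"


def vrfy_user(sock, user: str) -> str:
    sock.sendall(f"VRFY {user}\r\n".encode())
    return classify_vrfy(read_reply(sock))


def run_demo(users, vrfy_enabled=True):
    """Connect a client to the scripted server over a socketpair and VRFY each user."""
    client, server = socket.socketpair()
    t = threading.Thread(target=scripted_smtp_server, args=(server, vrfy_enabled))
    t.start()
    banner = read_reply(client)
    results = {u: vrfy_user(client, u) for u in users}
    client.sendall(b"QUIT\r\n")
    read_reply(client)
    client.close()
    t.join()
    return banner, results


if __name__ == "__main__":
    print(run_demo(["bob", "carol"]))
    print(run_demo(["bob", "carol"], vrfy_enabled=False))
```

Grepping only for `^250` silently reports nothing on a server that answers 252 for everyone; checking the code explicitly tells you whether the server confirmed, denied, or refused to say, which is also the signal that the target has VRFY disabled (the mitigation on the defending side).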
SNMP Enumeration
based on UDP
susceptible to ICMP
SNMP MIB
port 161
nmap -sU --open -p 161 $IP_RANGE
-sU scans UDP; --open shows only open (or open|filtered) ports
onesixtyone
onesixtyone -c COMMUNITY_STRINGS.txt -i IPs.txt
SNMPWalk
needs the community string
snmpwalk -c public -v1 $IP
walks the whole tree: too much info
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.4.2.1.2
walks only the hrSWRunName subtree, i.e. the running programs (with the community string given by -c)
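The following is an added example, not part of the original notes, that parses snmpwalk output and pulls the running-program list out of the hrSWRunName subtree (1.3.6.1.2.1.25.4.2.1.2) walked above, accepting both the numeric spelling net-snmp prints without MIBs and the MIB-resolved one. The sample lines are constructed in net-snmp's print format, not from a real host.

```python
#!/usr/bin/env python3
"""Parser for snmpwalk output, applied to the hrSWRunName subtree.
Added example; not part of the original notes. Sample lines are constructed."""
import re
from typing import Dict, List, NamedTuple

HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2"   # HOST-RESOURCES-MIB::hrSWRunName


class Var(NamedTuple):
    oid: str      # numeric or MIB-named prefix, without the trailing index
    index: str    # last OID component (the process id for hrSWRun entries)
    vtype: str    # STRING, INTEGER, OID, Hex-STRING, ...
    value: str


# Every snmpwalk line has the shape "<oid>.<index> = <TYPE>: <value>"
LINE_RE = re.compile(r'^(\S+?)\.(\d+) = ([A-Za-z-]+): (.*)$')

SAMPLE_NUMERIC = """\
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "init"
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.1337 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.2.1400 = STRING: "sshd"
"""
SAMPLE_MIB = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "init"
HOST-RESOURCES-MIB::hrSWRunName.812 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunIndex.812 = INTEGER: 812
"""


def parse_snmpwalk(text: str) -> List[Var]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # e.g. "End of MIB" trailer
        oid, index, vtype, value = m.groups()
        if vtype == "STRING" and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]                        # strip the quotes net-snmp adds
        out.append(Var(oid, index, vtype, value))
    return out


def is_sw_run_name(oid: str) -> bool:
    """Accept 'iso.3.6...', '.1.3.6...' and the MIB-resolved spelling."""
    numeric = oid.replace("iso.", "1.", 1).lstrip(".")
    return numeric == HR_SW_RUN_NAME or oid.endswith("::hrSWRunName")


def running_programs(text: str) -> Dict[int, str]:
    """pid -> program name, from hrSWRunName entries only."""
    return {int(v.index): v.value for v in parse_snmpwalk(text) if is_sw_run_name(v.oid)}


def count_by_name(programs: Dict[int, str]) -> Dict[str, int]:
    """How many instances of each program are running (several sshd = sessions)."""
    counts: Dict[str, int] = {}
    for name in programs.values():
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    progs = running_programs(SAMPLE_NUMERIC)
    for pid, name in sorted(progs.items()):
        print(f"{pid:6} {name}")
    print(count_by_name(progs))
```

The same parser works for any subtree; only `is_sw_run_name` is specific to the process table. From the defending side, the fact that this list is readable with the default "public" community over v1 is the finding itself.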
Other snmp tools
snmpenum
snmpcheck