Pentest External Recon

From Batserver Wiki

Meta Data

Foca

Download: Here

FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. These documents may be hosted on web pages, and can be downloaded and analyzed with FOCA.

It is capable of analyzing a wide variety of documents, with the most common being Microsoft Office, Open Office, or PDF files, although it also analyzes Adobe InDesign or SVG files, for instance.

These documents are searched for using three possible search engines: Google, Bing, and Exalead. Combining the results from the three engines yields a large number of documents. It is also possible to add local files to extract the EXIF information from graphic files, and a complete analysis of the information discovered through the URL is conducted even before downloading the file.

With all data extracted from all files, FOCA correlates the information in an attempt to identify which documents have been created by the same team and what servers and clients may be inferred from them.

FOCA began as a metadata analysis tool that draws a network map from that metadata. Today, it has become a reference in the computer security sector due to the many options it includes. Thanks to these options, it is possible to undertake multiple attacks and analysis techniques such as:

  • Metadata extraction.
  • Network analysis.
  • DNS Snooping.
  • Search for common files.
  • Juicy files.
  • Proxies search.
  • Technologies identification.
  • Fingerprinting.
  • Leaks.
  • Backups search.
  • Error forcing.
  • Open directories search.

In addition, FOCA has a series of plugins that increase the functionality or the number of attacks that can be carried out against elements obtained during the analysis. The user will also be able to use the “Foquetta” module to generate reports with the results obtained. For this module to be available, the “Crystal Reports” program must be installed.

Metagoofil

$ python metagoofil.py -d batserver.co.uk -t pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx -l 100 -n 5 -o targetfiles -f results.html

DNS

dnsrecon

The types of enumeration that this tool performs include the following:

  • Zone Transfer
  • Reverse Lookup
  • Domain and Host Brute-Force
  • Standard Record Enumeration (wildcard, SOA, MX, A, TXT, etc.)
  • Cache Snooping
  • Zone Walking
  • Google Lookup

$ dnsrecon -t brt,std,axfr -D /path/to/wordlist.txt -d batserver.co.uk

[*] Performing host and subdomain brute force against batserver.co.uk
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to 94.23.204.209
[!] All queries will resolve to this address!!
[*] Do you wish to continue? y/n 
y
[*] 	 A www.batserver.co.uk 94.23.204.209
[*] 	 A mail.batserver.co.uk 94.23.204.209
[*] 	 A webmail.batserver.co.uk 94.23.204.209
.
.
.

I have wildcard enabled to help prevent these attacks. However, it is possible to simply run your tool and then exclude the repeating IP address, leaving all those names that resolve to a different address.

$ dnsrecon -r  94.23.204.0-94.23.204.254

[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 94.23.204.0 to 94.23.204.254
[*] 	 PTR ns303168.ip-94-23-204.eu 94.23.204.4
[*] 	 PTR urheilulajit.fi 94.23.204.6
[*] 	 PTR ns311345.ip-94-23-204.eu 94.23.204.5
[*] 	 PTR ns310295.ip-94-23-204.eu 94.23.204.8
[*] 	 PTR ns305199.ip-94-23-204.eu 94.23.204.7
[*] 	 PTR ns3012615.ip-94-23-204.eu 94.23.204.9
[*] 	 PTR ilb.fr.eu 94.23.204.3
[*] 	 PTR ns303041.ip-94-23-204.eu 94.23.204.10
[*] 	 PTR ks303043.kimsufi.com 94.23.204.12
[*] 	 PTR ns323934.ip-94-23-204.eu 94.23.204.14
[*] 	 PTR itunix.eu 94.23.204.11
[*] 	 PTR ns303044.ip-94-23-204.eu 94.23.204.13
[*] 	 PTR ns303048.ip-94-23-204.eu 94.23.204.17
[*] 	 PTR ns303046.ip-94-23-204.eu 94.23.204.15
[*] 	 PTR da03.movves.io 94.23.204.20

This command performs reverse DNS lookups against the IPs in the same range. This is often a good way to find other domains associated with your target, as related hosts are often assigned IPs that are close to each other.

dnsenum

$ dnsenum -f /root/Desktop/Wordlists/dnsbruteforce.txt  batserver.co.uk
dnsenum.pl VERSION:1.2.3

-----   batserver.co.uk   -----

Host's addresses:
__________________ 

batserver.co.uk.                         5        IN    A        94.23.204.209
Wildcard detection using: edrsjrnrtuwb
_______________________________________

edrsjrnrtuwb.batserver.co.uk.            5        IN    A        94.23.204.209
 
 !!!!!!!!!!!!!!!!!!!!!!!!!!!! 
 Wildcards detected, all subdomains will point to the same IP address
 Omitting results containing 94.23.204.209.
 Maybe you are using OpenDNS servers.
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
Name Servers:
______________
ns2.123-reg.co.uk.                       5        IN    A        92.51.159.40
ns.123-reg.co.uk.                        5        IN    A        212.67.202.2
_______________
batserver.co.uk.                         5        IN    A        94.23.204.209
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for batserver.co.uk on ns2.123-reg.co.uk ... 
AXFR record query failed: RCODE from server: REFUSED

Trying Zone Transfer for batserver.co.uk on ns.123-reg.co.uk ... 
AXFR record query failed: RCODE from server: REFUSED
 
Brute forcing with /root/Desktop/Wordlists/dnsbruteforce.txt:
______________________________________________________________
wiki.batserver.co.uk.                    5        IN    A        51.254.157.195
chat.batserver.co.uk.                    5        IN    A        51.254.157.199
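As an added example (not code from the wiki, dnsrecon or dnsenum): a small Python filter that automates the step described under dnsrecon above. It parses the A records from either tool's brute-force output, treats the address that most names share as the wildcard address, and reports only the names that resolve elsewhere, which is also how a domain owner can check what a wildcard record does and does not conceal. The sample output below is constructed in the two tools' line layouts.

```python
import re
from collections import Counter

# Constructed sample in dnsrecon ("[*] \t A host ip") and dnsenum
# ("host.  5  IN  A  ip") layouts; not real output.
SAMPLE_OUTPUT = """\
[*] \t A www.batserver.co.uk 94.23.204.209
[*] \t A mail.batserver.co.uk 94.23.204.209
[*] \t A webmail.batserver.co.uk 94.23.204.209
[*] \t A vpn.batserver.co.uk 94.23.204.209
wiki.batserver.co.uk.                    5        IN    A        51.254.157.195
chat.batserver.co.uk.                    5        IN    A        51.254.157.199
"""

DNSRECON_RE = re.compile(r"^\[\*\]\s+A\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
DNSENUM_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_a_records(text):
    """Return (hostname, ip) pairs from dnsrecon or dnsenum brute-force output."""
    records = []
    for line in text.splitlines():
        m = DNSRECON_RE.match(line) or DNSENUM_RE.match(line)
        if m:
            records.append((m.group(1).rstrip("."), m.group(2)))
    return records

def wildcard_address(records, min_share=0.5):
    """Guess the wildcard address: the IP that more than min_share of the
    names share. Returns None when no single address dominates."""
    if not records:
        return None
    ip, count = Counter(ip for _, ip in records).most_common(1)[0]
    return ip if count / len(records) > min_share else None

def hosts_outside_wildcard(text):
    """Names resolving somewhere other than the wildcard address, i.e. the
    hosts a wildcard record does not hide."""
    records = parse_a_records(text)
    wildcard = wildcard_address(records)
    return sorted({(host, ip) for host, ip in records if ip != wildcard})
```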

The Harvester

$ theharvester -l 1000 -b all -d batserver.co.uk

*******************************************************************
*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 2.6                                           *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*******************************************************************     


Full harvest..
[-] Searching in Google..
	Searching 0 results...
	Searching 100 results...
	Searching 200 results...
	Searching 300 results...
[+] Emails found:
------------------
support@batserver.co.uk
info@batserver.co.uk

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs... 

51.254.157.199:chat.batserver.co.uk
51.254.157.194:se.batserver.co.uk
94.23.204.209:www.batserver.co.uk

[+] Virtual hosts:
==================
51.254.157.199	www.amazon.co.uk
94.23.204.209	batserver.co.uk

Email

The Harvester

$ theharvester -l 1000 -b all -d batserver.co.uk

(Same run as shown under DNS above; the part relevant to this section is the two addresses it found, support@batserver.co.uk and info@batserver.co.uk.)

HTTP Enum

nmap dns-brute.nse

$ nmap --script dns-brute.nse batserver.co.uk


httprint

$ apt-get install httprint
$ httprint -h batserver.co.uk -P0 -s signatures.txt

httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com  

Finger Printing on http://batserver.co.uk:80/
Finger Printing Completed on http://batserver.co.uk:80/
--------------------------------------------------
Host: batserver.co.uk
Fingerprinting Error: Host/URL not found... 

--------------------------------------------------

Netcat

$ nc batserver.co.uk 80
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Wed, 24 Aug 2016 15:38:53 GMT
Server: Apache/2.4.7 (Ubuntu)
Connection: close
Content-Type: text/html; charset=iso-8859-1

Netcat - force error

Another method is to send a malformed request (here an unsupported HTTP version) so that the web server returns an error page; the response headers of that error page still carry the web server version.

$ nc batserver.co.uk 80
HEAD / HTTP/3.0

HTTP/1.1 400 Bad Request
Date: Wed, 24 Aug 2016 15:42:08 GMT
Server: Apache/2.4.7 (Ubuntu)
Connection: close
Content-Type: text/html; charset=iso-8859-1


Telnet

$ telnet batserver.co.uk 80
Trying 94.23.204.209...
Connected to batserver.co.uk.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Wed, 24 Aug 2016 15:39:48 GMT
Server: Apache/2.4.7 (Ubuntu)
Connection: close
Content-Type: text/html; charset=iso-8859-1 

Nmap -sV

$ nmap -sV batserver.co.uk -p 80

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-24 16:40 BST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for batserver.co.uk (94.23.204.209)
Host is up (0.0036s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Ports / Services

Shodan

Site: https://www.shodan.io/

https://www.shodan.io/host/94.23.204.209

The shodan command-line interface (CLI) is packaged with the official Python library for Shodan, which means that if you are running the latest version of the library you already have access to the CLI. To install it on Linux, simply execute:

$ easy_install shodan

Once the tool is installed, you have to initialize the environment with your API key using shodan init:

$ shodan init YOUR_API_KEY
$ shodan host 94.23.204.209
94.23.204.209
Hostnames:               batserver.co.uk
Country:                 France
Organization:            OVH SAS
Number of open ports:    13

Ports:
     22  
     80 Apache httpd (2.4.7)
    110  
    111  
    143  
    993  
	|-- SSL Versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2
	|-- Diffie-Hellman Parameters:
		Bits:          1024
		Generator:     2
   3306 MySQL (5.5.44-MariaDB-1ubuntu0.14.04.1)
   5000 Apache httpd (2.4.7)
   6881  
   8080  
   9191  
  10000 MiniServ (1.770)
	|-- SSL Versions: 
  32400
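As an added defender-side check (not part of the wiki page or the Shodan tool): a parser for the text layout of the `shodan host` listing above that pulls out each port's banner, SSL versions and Diffie-Hellman parameters, then flags what the listing exposes: legacy protocol versions, a DH group under 2048 bits and banners that disclose software versions. The sample text is constructed in the same layout.

```python
import re

# Constructed excerpt in the layout of the `shodan host` listing (sample data).
SHODAN_HOST_TEXT = """\
Ports:
     22
     80 Apache httpd (2.4.7)
    993
\t|-- SSL Versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2
\t|-- Diffie-Hellman Parameters:
\t\tBits:          1024
\t\tGenerator:     2
   3306 MySQL (5.5.44-MariaDB-1ubuntu0.14.04.1)
  10000 MiniServ (1.770)
\t|-- SSL Versions:
"""

PORT_RE = re.compile(r"^\s*(\d{1,5})\s*(.*?)\s*$")
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_shodan_ports(text):
    """Map port -> {'banner', 'ssl' (protocol list), 'dh_bits' (int or None)}."""
    ports, current = {}, None
    for line in text.splitlines():
        detail = line.strip()
        if line.startswith("\t") and current is not None:
            # Tab-indented detail line belonging to the last port seen
            if detail.startswith("|-- SSL Versions:"):
                vals = detail.split(":", 1)[1]
                ports[current]["ssl"] = [v.strip() for v in vals.split(",") if v.strip()]
            elif detail.startswith("Bits:"):
                ports[current]["dh_bits"] = int(detail.split(":", 1)[1])
        elif PORT_RE.match(line):
            m = PORT_RE.match(line)
            current = int(m.group(1))
            ports[current] = {"banner": m.group(2), "ssl": [], "dh_bits": None}
    return ports

def exposure_findings(ports):
    """Flag legacy TLS versions, DH groups under 2048 bits and version-disclosing banners."""
    findings = []
    for port, info in sorted(ports.items()):
        legacy = sorted(LEGACY_TLS & set(info["ssl"]))
        if legacy:
            findings.append((port, "legacy TLS: " + ", ".join(legacy)))
        if info["dh_bits"] is not None and info["dh_bits"] < 2048:
            findings.append((port, f"weak DH group: {info['dh_bits']} bits"))
        if re.search(r"\d+\.\d+", info["banner"]):
            findings.append((port, "version disclosed: " + info["banner"]))
    return findings
```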

Nmap

Typical Scans

Full TCP Scan

nmap -sS -n -v -T4 -O -Pn -A -p- -iL scope.txt -oA nmap-tcp-full

Default UDP Scan

nmap -sU -T4 -v -v -iL scope.txt -oA NMAP_UDP_TOP_1024 -Pn --top-ports 1024 

Quick TCP Scan

nmap -sS -n -v -T4 -P0 --top-ports 100 -O -oA nmap-tcp-scan -iL scope.txt

Ping Sweep

nmap -n -sn -vv <ip> | grep -v 'host down' | grep Nmap | awk {'print $5'} | grep -v addresses
nmap -sP -n -oX out.xml <IP/24> | grep "Nmap" | cut -d " " -f 5

Nmap Target Selection

Scan a single IP
nmap 192.168.1.1
Scan a host
nmap www.testhostname.com
Scan a range of IPs
nmap 192.168.1.1-20
Scan a subnet
nmap 192.168.1.0/24
Scan targets from a text file
nmap -iL list-of-ips.txt

Nmap Port Scan types

Scan using TCP connect
nmap -sT 192.168.1.1
Scan using TCP SYN scan (default)
nmap -sS 192.168.1.1
Scan UDP ports
nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports - ignore discovery
nmap -Pn -F 192.168.1.1

Privileged access is required to perform the default SYN scan. If privileges are insufficient, a TCP connect scan is used instead. A TCP connect scan requires a full TCP connection to be established and is therefore slower. Ignoring discovery is often required, as many firewalls or hosts will not respond to ping and could be missed unless you select the -Pn parameter. Of course, this can make scan times much longer, as you could end up sending scan probes to hosts that are not there.


Service and OS Detection

Detect OS and Services
nmap -A 192.168.1.1
Standard service detection
nmap -sV 192.168.1.1
More aggressive Service Detection
nmap -sV --version-intensity 5 192.168.1.1
Lighter banner grabbing detection
nmap -sV --version-intensity 0 192.168.1.1

Service and OS detection rely on different methods to determine the operating system or the service running on a particular port. The more aggressive service detection is often helpful when services run on unusual ports. On the other hand, the lighter setting is much faster, as it does not really attempt to identify the service beyond grabbing the banner of the open port.


Nmap Output Formats

Save default output to file
nmap -oN outputfile.txt 192.168.1.1
Save results as XML
nmap -oX outputfile.xml 192.168.1.1
Save results in a format for grep
nmap -oG outputfile.txt 192.168.1.1
Save in all formats
nmap -oA outputfile 192.168.1.1

The default format can also be saved to a file with a simple shell redirect (> file). Using the -oN option saves the results while still letting you monitor them in the terminal as the scan is under way.


Digging deeper with NSE Scripts

Scan using default safe scripts
nmap -sV -sC 192.168.1.1
Get help for a script
nmap --script-help=ssl-heartbleed
Scan using a specific NSE script
nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts
nmap -sV --script=smb* 192.168.1.1

According to my Nmap install there are currently 471 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions. If you are serious about your network scanning you really should take the time to get familiar with some of them.

The option --script-help=$scriptname displays the help for an individual script. To get an easy list of the installed scripts, try locate nse | grep script.

You will notice I have used the -sV service detection parameter. Generally, most NSE scripts are more effective and give better coverage when service detection is included.


HTTP Service Information

Gather page titles from HTTP services
nmap --script=http-title 192.168.1.0/24
Get HTTP headers of web services
nmap --script=http-headers 192.168.1.0/24
Find web apps from known paths
nmap --script=http-enum 192.168.1.0/24

There are many HTTP information gathering scripts; here are a few that are simple but helpful when examining larger networks, as they quickly identify which HTTP service is running on an open port. Note that the http-enum script is particularly noisy. It is similar to Nikto in that it attempts to enumerate known paths of web applications and scripts, which inevitably generates hundreds of 404 HTTP responses in the web server's error and access logs.


Detect Heartbleed SSL Vulnerability

Heartbleed Testing
nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

Heartbleed detection is one of the available SSL scripts. It detects the presence of the well-known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and other protocols (requires Nmap 6.46 or later).


IP Address information

Find Information about IP address
nmap --script=asn-query,whois-ip,ip-geolocation-maxmind 192.168.1.0/24


Misc

Decoy - masquerade

nmap -D RND:10 [target]
(Generates a random number of decoys)

Spoof Source

nmap --source-port 53 target

Randomize scan from different IPs

nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f --mtu=24 --data-length=1337 -T2 target
nmap -Pn -T2 -sV --randomize-hosts IP1,IP2
nmap --script smb-check-vulns.nse -p445 target (using NSE scripts)
nmap -sU -P0 -T Aggressive -p123 target (aggressive scan, T1-T5)
nmap -sA -PN -sN target
nmap -sS -sV -T5 -F -A -O target (version detection)
nmap -sU -v target (UDP)
nmap -sU -P0 target (UDP)
nmap -sC 192.168.31.10-12 (default script scan)