pentesting_1_information_gathering

The document outlines techniques for information gathering in penetration testing, including passive and active methods. It covers various tools and commands for DNS enumeration, port scanning, and service enumeration, emphasizing the importance of both public information and network traffic analysis. Additionally, it discusses specific scripts and commands for gathering detailed information about target systems and services.

Uploaded by

kabegij928

Info Gathering

The more information we have about a target, the more likely the test is to succeed

Passive Info Gathering


First phase of a pentest
Consists of using publicly available information, without sending traffic to the target itself
Target servers/websites
How well is the website designed?
How clean is the code?
Google Search
All the indexed pages of a site: site:"example.com"

Remove anything under the www host: site:"example.com" -site:"www.example.com"

PowerPoint files on the site containing an exact phrase: site:"example.com" filetype:ppt "penetration testing"

Google Hacking
Single out pages with a specific string in the title: intitle:"VNC viewer for Java"

Example - exposed webcams: inurl:"/control/userimage.html"

Fingerprint a specific application by its page signature - phpMyAdmin instances: inurl:php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin

Search for machines already compromised by a known PHP web shell: intitle:"-N3t" filetype:php undetectable

GHDB "Google Hacking Database"


http://www.exploit-db.com/google-dorks/

Active Info Gathering


DNS Enumeration
Discover the nameservers for a domain
host -t ns megacorpone.com

Discover the mail servers for a domain


host -t mx megacorpone.com

Find the IP address of a server


host www.megacorpone.com

Forward DNS Lookup


Determine the IPs of hostnames by trying a list of common names under the target domain

Common host names (one per line in list.txt)


www, ftp, mail, owa, proxy, router, admin, www2, firewall, mx, pop3
forward.sh

#!/bin/bash
# Brute-force forward lookups: try every name in list.txt under the target domain
# and print "hostname IP" for each name that resolves to an A record.
# Field 1 is the hostname, field 4 the address in "www.megacorpone.com has address 38.100.193.76".
for name in $(cat list.txt); do
    host "$name.megacorpone.com" | grep "has address" | cut -d" " -f1,4
done
Reverse DNS Lookup
Try to get hostnames for a list of IPs (PTR records), here the range 38.100.193.72-91

reverse.sh
#!/bin/bash
# Reverse-resolve each address and keep only PTR records that mention megacorp.
# Field 5 of "76.193.100.38.in-addr.arpa domain name pointer www.megacorpone.com." is the hostname.
for ip in $(seq 72 91); do
    host "38.100.193.$ip" | grep "megacorp" | cut -d" " -f1,5
done
DNS Zone Transfers
A DNS zone transfer, also known by the DNS query type that triggers it (AXFR), is a
type of DNS transaction. It is one of the many mechanisms available for
administrators to replicate DNS databases across a set of DNS servers.

A zone transfer uses the Transmission Control Protocol (TCP, port 53) for transport, and
takes the form of a client–server transaction. The client requesting a zone
transfer is normally a slave (secondary) server requesting data from a master
(primary) server. The portion of the database that is replicated is a zone.

The data contained in a DNS zone may be sensitive from an operational security
aspect, because information such as internal server hostnames becomes public
knowledge, which can be used to map out an organization and widens the attack surface.

A nameserver that does not restrict AXFR to its own secondaries will hand the whole zone to anyone who asks for a copy


List the nameservers for the domain:

host -t ns megacorpone.com

Request a zone transfer from one of them (host -l <domain> <nameserver>):


host -l megacorpone.com ns1.megacorpone.com

If it fails, host prints "Transfer failed"


If it succeeds, it prints the hostname/IP of every record in the zone

Parse out just the nameserver hostnames (4th field of "megacorpone.com name server ns1.megacorpone.com."):

host -t ns megacorpone.com | cut -d" " -f4

Try a zone transfer against every nameserver of the domain:


for server in $(host -t ns megacorpone.com | cut -d" " -f4); do host -l megacorpone.com $server; done

axfr.sh

#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the script name
# Check if an argument was given; if not, print usage

if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain name> "
    exit 0
fi

# If an argument was given, identify the DNS servers for the domain.
# For each of these servers, attempt a zone transfer and keep the A records.

for server in $(host -t ns "$1" | cut -d" " -f4); do
    host -l "$1" "$server" | grep "has address"
done
Port Scanning
TCP Connect Scan
relies on the full 3-way TCP handshake
In Wireshark,
Pick the capture interface
Capture filter: host $IP
Disable name resolution on the MAC and transport name fields
Using netcat: nc -nvv -w 1 -z $IP $PORT_RANGE
Closed port: SYN answered by RST (connection refused). Open port: SYN, SYN/ACK, ACK, then netcat tears the connection down (FIN)

SYN Scanning
Sends SYN packets and never completes the handshake (replies to the SYN/ACK with RST instead of ACK), so the application never sees a connection
Historically bypassed firewalls and application-level logging
no longer that effective against modern stateful firewalls
UDP Scanning
connectionless, so there is no handshake that confirms an open port
For UDP ports, use -u with netcat: nc -unvv -w 1 -z $IP $PORT_RANGE

If closed, an ICMP port unreachable packet is sent back


If open, nothing is sent back (a filtered port is also silent, so "no answer" really means open|filtered)
Network Implication
Be aware of the type and amount of traffic generated by network scanning
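The connect and UDP probes above, as an added example that is not part of the original notes: a small Python 3 scanner that classifies a port from the same evidence netcat sees (a completed handshake, an RST surfaced as ECONNREFUSED, or silence). The targets are constructed for the demo: a listening socket on an ephemeral loopback port stands in for an open service, a released ephemeral port for a closed one, and a silent bound UDP socket shows why UDP can only report open|filtered. The closed-UDP case depends on the kernel delivering the ICMP port unreachable as ECONNREFUSED on a connected UDP socket (Linux does), so the demo does not rely on it.

```python
#!/usr/bin/env python3
"""TCP connect and UDP port probes classified the way the packet traces above are.

Added example, not from the original notes. Targets are constructed in demo().
"""
import socket


def tcp_connect_probe(host, port, timeout=1.0):
    """Full three-way handshake, the same thing `nc -z` does.

    open        SYN, SYN/ACK, ACK completed; close() then sends the FIN
    closed      SYN answered with RST, surfaced as ECONNREFUSED
    filtered    nothing came back before the timeout (dropped by a firewall)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:            # e.g. EHOSTUNREACH / ENETUNREACH
        return "unreachable:%s" % exc.errno
    finally:
        s.close()


def udp_probe(host, port, timeout=1.0, payload=b"\x00"):
    """UDP has no handshake, so state is inferred from what (if anything) comes back.

    A *connected* UDP socket makes the kernel hand us the ICMP port unreachable
    for a closed port as ECONNREFUSED on the next recv(). If nothing answers we
    cannot tell an open port from a filtered one, hence "open|filtered".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(1024)
        return "open"                 # the service actually answered the probe
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def tcp_scan(host, ports, timeout=1.0):
    """Connect-scan each port in `ports`; returns {port: state}."""
    return {p: tcp_connect_probe(host, p, timeout) for p in ports}


def demo():
    """Run the probes against constructed loopback targets; returns the states."""
    # Open TCP port: a listening socket. The kernel completes the handshake from
    # the backlog, so accept() never even needs to be called.
    tcp_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_listener.bind(("127.0.0.1", 0))
    tcp_listener.listen(5)
    open_tcp = tcp_listener.getsockname()[1]

    # Closed TCP port: grab an ephemeral port, then release it again.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_tcp = tmp.getsockname()[1]
    tmp.close()

    # Silent UDP port: bound but never replies, so the probe can only time out.
    udp_listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_listener.bind(("127.0.0.1", 0))
    silent_udp = udp_listener.getsockname()[1]

    try:
        tcp_results = tcp_scan("127.0.0.1", [open_tcp, closed_tcp], timeout=0.5)
        udp_result = udp_probe("127.0.0.1", silent_udp, timeout=0.5)
    finally:
        tcp_listener.close()
        udp_listener.close()
    return {
        "open_tcp": tcp_results[open_tcp],
        "closed_tcp": tcp_results[closed_tcp],
        "silent_udp": udp_result,
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print("%-12s %s" % (name, state))
```

Against a real host, tcp_scan("10.11.1.5", range(1, 1025)) does one full handshake per port, which is exactly the traffic volume the next section measures with iptables; a SYN scan needs raw sockets and is what nmap does instead.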
Nmap
nmap -h Help page

/usr/share/nmap-services - contains port names, transport protocols and the open-port frequency used for --top-ports

Traffic Accountability
iptables-counters.sh

#!/bin/bash
# Zero the packet/byte counters, flush all rules, then add accounting rules for one
# target IP. Needs root, and -F wipes every existing rule, so only run this on a
# dedicated attack box.
SOME_IP="${1:?usage: $0 <target ip>}"

# reset all counters and iptables rules
iptables -Z && iptables -F
# count incoming traffic from the target
iptables -I INPUT 1 -s "$SOME_IP" -j ACCEPT
# count outgoing traffic to the target
iptables -I OUTPUT 1 -d "$SOME_IP" -j ACCEPT
Run iptables-counters.sh, then scan:
nmap $SOME_IP
by default nmap runs a TCP SYN scan when root, a TCP connect scan otherwise
iptables -vn -L
reveals the number of packets and bytes the scan generated in each direction
Network sweeping
ICMP sweep (host discovery only, no port scan)

nmap -sn $IP_RANGE

-oG writes grepable output to a file

nmap -sn $IP_RANGE -oG ping-sweep-nmap

Sweep for a specific port

nmap -p 80 $IP_RANGE -oG port80open

TCP Connect Scan for the 20 most common ports

nmap -sT --top-ports 20 $IP_RANGE -oG top-port-sweep.txt
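The grepable files these sweeps write are normally mined with grep and cut; as an added example that is not part of the original notes, here is a Python 3 parser for the -oG format that turns the file into a host/port map and answers the usual question (which hosts have port N open). SAMPLE_OG, the host names and the IPs are constructed for the demo, not real scan output.

```python
#!/usr/bin/env python3
"""Parse nmap grepable (-oG) output and pull out hosts with a given port open.

Added example, not from the original notes. SAMPLE_OG is a constructed file of
the kind `nmap -sT --top-ports 20 $IP_RANGE -oG top-port-sweep.txt` writes.
"""
import re
import sys

SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sT --top-ports 20 -oG top-port-sweep.txt 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (17)
Host: 10.11.1.7 (dc01.megacorpone.com)\tStatus: Up
Host: 10.11.1.7 (dc01.megacorpone.com)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (17)
Host: 10.11.1.9 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ports": {(port, proto): (state, service)}}}.

    Each Host: line is tab-separated into "Key: value" fields. The Ports field is a
    comma list of port/state/proto/owner/service/rpcinfo/version/ entries.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                        # "# Nmap ..." comment lines
        ip, name = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "status": None, "ports": {}})
        fields = {}
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(":")
            fields[key.strip()] = value.strip()
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ports" in fields:
            entry["status"] = entry["status"] or "Up"   # a port list implies the host answered
            for item in fields["Ports"].split(","):
                parts = item.strip().split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                entry["ports"][(port, proto)] = (state, service)
    return hosts


def hosts_with_open(hosts, port, proto="tcp"):
    """IPs on which `port`/`proto` was reported open, sorted numerically."""
    hits = [ip for ip, h in hosts.items()
            if h["ports"].get((port, proto), ("", ""))[0] == "open"]
    return sorted(hits, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OG
    hosts = parse_grepable(text)
    for port in (80, 445):
        print("port %d open on: %s" % (port, ", ".join(hosts_with_open(hosts, port)) or "none"))
```

Run it as `python3 parse_og.py top-port-sweep.txt` on a real sweep file; the parser deliberately keys ports by (number, protocol) so a later -sU sweep merged into the same dict does not collide with the TCP results.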

Nmap OS Discovery and Banner Enumeration


Banner grabbing
enumerate service versions (-sV) and guess the OS (-O); -A turns on both plus script scanning and traceroute
nmap -A $IP

Nmap NSE Scripts


Nmap scripting engine scripts live in /usr/share/nmap/scripts
SMB Enumeration
Only display hosts with open SMB ports

nmap -p 139,445 $IP_RANGE --open

nbtscan
nbtscan $IP_RANGE

queries the NetBIOS name service; lists NetBIOS hostnames, workgroups and logged-in users


SMB Null sessions
an unauthenticated SMB session that lets anyone query information about the machine
Windows NT, 2000 and XP allow null sessions by default
rpcclient -U "" $IP

Explore a remote SMB service with an empty username/password (press Enter at the password prompt)


rpcclient $> srvinfo

Further info on the Windows version


rpcclient $> enumdomusers

Get a list of users


rpcclient $> getdompwinfo

Get the domain password policy (not the passwords)


enum4linux
runs the various SMB enumeration procedures above in one go
enum4linux -v $IP

full list of usernames, shares, policies, and more


Nmap SMB NSE scripts
ls -l /usr/share/nmap/scripts/ | grep smb

nmap -p 139,445 --script smb-enum-users $IP

enumerates SMB usernames


nmap -p 139,445 --script smb-check-vulns --script-args=unsafe=1 $IP

checks for known SMB vulnerabilities; unsafe=1 enables checks that can crash the target. Current Nmap releases have replaced smb-check-vulns with the individual smb-vuln-* scripts (--script smb-vuln-*)


SMTP enumeration
under certain misconfigurations, user information can be gathered from the mail server
VRFY & EXPN
VRFY asks the server to confirm that a mailbox exists, EXPN expands a mailing list; both divulge usernames
nc -nv $IP 25

the server replies with a banner; then type VRFY bob


returns 250 if the user is on the system, otherwise 550
VRFY script
given a list of candidate usernames in users.txt:
for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 $IP 25 2>/dev/null | grep ^"250"; done
Python port of the VRFY script
vrfy.py

#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 3:
    print("Usage: vrfy.py <smtp server ip> <username>")
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # Create a socket
s.settimeout(5)                                          # Don't hang forever on a silent server
s.connect((sys.argv[1], 25))                             # Connect to the server
banner = s.recv(1024)                                    # Receive the banner
print(banner.decode(errors="replace").strip())
s.send(b"VRFY " + sys.argv[2].encode() + b"\r\n")        # VRFY a user
result = s.recv(1024)                                    # 250 = exists, 550 = no such user
print(result.decode(errors="replace").strip())
s.close()                                                # Close the socket
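The VRFY loop and vrfy.py above open a new connection per name and only grep for 250. As an added example that is not part of the original notes, the following Python 3 script runs the whole list over one SMTP session and shows both sides of the exchange: a constructed stub SMTP server (hostname mail.example.test and the users bob/root are made up for the demo) answers VRFY with 250 for known users and 550 for unknown ones, and can be switched to the 252 "Cannot VRFY user" reply that many hardened mail servers give, which is the failure mode that makes VRFY enumeration return nothing useful.

```python
#!/usr/bin/env python3
"""SMTP VRFY user enumeration, exercised against an in-process stub SMTP server.

Added example, not from the original notes. The stub server, mail.example.test
and the user list are constructed for the demo.
"""
import re
import socket
import threading

REPLY_CODE = re.compile(rb"^(\d{3})[ -]")


def reply_code(line):
    """3-digit SMTP status code at the start of a reply line, or 0 if malformed."""
    m = REPLY_CODE.match(line)
    return int(m.group(1)) if m else 0


def vrfy_users(host, port, users, timeout=3.0):
    """Issue VRFY for every name on a single session; returns {user: code}.

    250/251 = the server confirms the mailbox, 550 = no such user,
    252 = the server refuses to confirm anything (VRFY effectively disabled).
    """
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        if reply_code(f.readline()) != 220:          # greeting banner
            raise RuntimeError("no SMTP banner")
        s.sendall(b"HELO scanner.local\r\n")
        f.readline()
        for user in users:
            s.sendall(b"VRFY " + user.encode() + b"\r\n")
            results[user] = reply_code(f.readline())
        s.sendall(b"QUIT\r\n")
    return results


def valid_users(results):
    """Names the server positively confirmed (252 is deliberately not counted)."""
    return sorted(u for u, c in results.items() if c in (250, 251))


def start_stub_smtp(known_users, vrfy_enabled=True):
    """Minimal SMTP responder on an ephemeral loopback port (constructed target).

    Returns (listening socket, port); closing the socket stops the server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)               # so the accept loop notices close()

    def handle(conn):
        with conn:
            try:
                conn.sendall(b"220 mail.example.test ESMTP Postfix\r\n")
                for line in conn.makefile("rb"):
                    cmd, _, arg = line.strip().partition(b" ")
                    cmd = cmd.upper()
                    if cmd in (b"HELO", b"EHLO"):
                        conn.sendall(b"250 mail.example.test\r\n")
                    elif cmd == b"VRFY":
                        if not vrfy_enabled:
                            conn.sendall(b"252 2.5.2 Cannot VRFY user\r\n")
                        elif arg.decode(errors="replace") in known_users:
                            conn.sendall(b"250 2.1.5 " + arg + b"\r\n")
                        else:
                            conn.sendall(b"550 5.1.1 " + arg + b": Recipient address rejected\r\n")
                    elif cmd == b"QUIT":
                        conn.sendall(b"221 2.0.0 Bye\r\n")
                        break
                    else:
                        conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
            except OSError:
                pass                  # client went away; nothing to do

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:           # listening socket closed: shut down
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(vrfy_enabled=True):
    """Enumerate three candidate names against the stub; returns {user: code}."""
    srv, port = start_stub_smtp({"bob", "root"}, vrfy_enabled)
    try:
        return vrfy_users("127.0.0.1", port, ["bob", "alice", "root"])
    finally:
        srv.close()


if __name__ == "__main__":
    res = demo()
    for user, code in res.items():
        print("%-8s %d" % (user, code))
    print("valid:", valid_users(res))
```

Against a real server, replace the demo() call with vrfy_users(target, 25, open("users.txt").read().split()); if every name comes back 252, stop, the server is not going to confirm anything and EXPN or RCPT TO probing is the next thing to try.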
SNMP Enumeration
based on UDP, a connectionless protocol, so susceptible to IP spoofing and replay attacks
SNMP MIB (Management Information Base): a tree of managed objects, each addressed by an OID
port 161/udp
nmap -sU --open -p 161 $IP_RANGE

-sU scans UDP, --open shows only hosts with the port open
onesixtyone
brute-forces community strings against a list of hosts

onesixtyone -c COMMUNITY_STRINGS.txt -i IPs.txt

SNMPWalk
needs a valid community string ("public" is the common read-only default)
snmpwalk -c public -v1 $IP

walks the entire MIB tree: too much info


snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.4.2.1.2

walks only the hrSWRunName subtree, i.e. the running programs (same community string as above)


Other SNMP tools
snmpenum
snmpcheck
