Dnscan - A Python tool that uses a wordlist to resolve valid subdomains.
How to install Dnscan
1. Open the Terminal and type in
git clone https://github.com/rbsec/dnscan.git and press Enter
2. In the Terminal, navigate to the directory where you downloaded the Dnscan tool then type in ./dnscan.py -h and press Enter
Now you will be able to see a screen like the one I have below.
Subbrute - This tool provides an extra layer of anonymity as it uses public resolvers to brute force the subdomains
How to install Subbrute
1. Open the Terminal and type in
git clone https://github.com/TheRook/subbrute.git and press Enter
Once the installation is complete you will need to have a dictionary wordlist to run it against a domain. You can either download a list at https://github.com/bitquark/dnspop/tree/master/results OR you can use Crunch which came with Kali to generate your own wordlist.
2. Once you have both Subbrute installed and a wordlist you can run the following command to brute-force a domain
./subbrute.py -s /path/to/wordlist domain.com
Dirsearch - This tool can be used to brute-force a directory and it is much faster than DIRB.
How to install Dirsearch
1. Open the Terminal and type in
git clone https://github.com/maurosoria/dirsearch.git
2. Once the cloning is completed browse to the directory and run the tool using the following command
./dirsearch.py -u domain.com -e aspx,php
Below is an example of a screenshot after running Dirsearch
ike-scan - For attacking VPN
Sometimes when we attack a system or network we encounter VPN endpoints. However, finding and exploiting vulnerabilities in those endpoints is a less well-known area. VPN endpoints use IKE (Internet Key Exchange) to negotiate a security association between the two peers and establish a VPN tunnel.
IKE has two phases. Phase one sets up an authenticated, secure channel between the peers; phase two uses that channel to negotiate the IPsec security associations that encrypt and transport the data.
Our focus here is phase one, which offers two modes of key exchange: Main mode and Aggressive mode.
We will hunt for VPN endpoints that have Aggressive mode enabled with PSK authentication.
To Install ike-scan
1. Open the Terminal and type in
git clone https://github.com/royhills/ike-scan.git
2. Browse to the directory where ike-scan was downloaded and type in apt-get install autoconf
3. Now type in autoreconf --install and press Enter to generate a configure file.
4. Type in ./configure and press Enter
5. Now type in make and press Enter to build the project
6. Run make check to verify the build
7. Run make install to install ike-scan
8. To scan a host for an aggressive mode handshake, type in the command below.
ike-scan 192.168.1.1 -M -A and press Enter. Here -A (--aggressive) requests an Aggressive mode exchange and -M (--multiline) prints each payload on its own line.
After running the command above you will be able to see a screen like the one I have below.
9. Sometimes the endpoint only responds once a valid group name (the ID, for example vpn) is supplied with the --id option:
ike-scan 192.168.1.1 -M -A --id=vpn
For additional help on how to use ike-scan you can also execute the command ike-scan -h
NOTE: You can also brute-force the group names using the script below
1. https://github.com/SpiderLabs/groupenum
2. ./dt_group_enum.sh 192.168.1.2 groupnames.dic
Cracking the PSK
1. ike-scan -M -A --id=vpn -P 192.168.1.1
Where -P (--pskcrack) tells ike-scan to print the captured hash, together with the other exchange parameters, in the format psk-crack expects.
2. To save the hash to a file, give a filename with the -P flag. The filename must be attached to the flag, so the long form is clearest:
ike-scan -M -A --id=vpn --pskcrack=/path/to/pskkey 192.168.1.1
3. To brute-force the saved hash, run:
psk-crack -b 5 /path/to/pskkey
Where -b selects brute-force mode and 5 is the maximum password length to try.
4. To use a dictionary based attack we can use the following command
psk-crack -d /path/to/dictionary /path/to/pskkey
How does it work?
In Aggressive mode, the responder sends its authentication hash in reply to the first packet of the VPN client that is trying to establish an IPsec tunnel. This hash is not encrypted, so it can be captured and subjected to an offline brute-force or dictionary attack to recover the PSK. This is not possible in Main mode, which uses a six-way handshake and only sends the hash once the channel is encrypted, whereas Aggressive mode uses a three-way handshake.
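The unencrypted reply described above is also what a defender can look for on the wire to find out whether their own VPN endpoints still answer Aggressive mode. The following script is an added example and is not part of the original post or of ike-scan: it decodes the fixed 28-byte ISAKMP header (RFC 2408) of UDP/500 datagrams and flags any reply from a monitored endpoint whose exchange type is Aggressive (4) and whose Encryption flag is clear, i.e. the responder has answered the handshake in the clear. The packet list format (src, dst, payload), the constructed sample datagrams and the documentation addresses are assumptions made for the example.

```python
"""Flag VPN endpoints that answer IKEv1 Aggressive Mode in the clear.

Added example, not code from the original post or from ike-scan. Only the
fixed ISAKMP header is parsed; the datagrams below are constructed test data.
"""
import struct
from dataclasses import dataclass

ISAKMP_HEADER_LEN = 28                 # fixed ISAKMP header size (RFC 2408)
ISAKMP_HEADER_FMT = "!8s8sBBBBII"      # I-SPI, R-SPI, NP, Ver, Exch, Flags, MsgID, Len
EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive",
    5: "Informational",
    34: "IKE_SA_INIT (IKEv2)",
}
EXCH_AGGRESSIVE = 4
FLAG_ENCRYPTION = 0x01                 # E bit: payloads after the header are encrypted
ZERO_SPI = b"\x00" * 8


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Decode the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("datagram shorter than an ISAKMP header")
    ispi, rspi, npl, ver, exch, flags, mid, length = struct.unpack(
        ISAKMP_HEADER_FMT, data[:ISAKMP_HEADER_LEN])
    return IsakmpHeader(ispi, rspi, npl, ver >> 4, ver & 0x0F,
                        exch, flags, mid, length)


def build_isakmp_header(exchange_type, flags=0, responder_spi=ZERO_SPI,
                        major_version=1):
    """Build a header-only datagram (constructed test data, not a real capture)."""
    return struct.pack(ISAKMP_HEADER_FMT, b"\x11" * 8, responder_spi, 1,
                       major_version << 4, exchange_type, flags, 0,
                       ISAKMP_HEADER_LEN)


def find_cleartext_aggressive_replies(packets, vpn_endpoints):
    """Return an alert for every IKEv1 Aggressive Mode reply that a monitored
    endpoint sent unencrypted. packets: iterable of (src, dst, payload)."""
    alerts = []
    for src, dst, payload in packets:
        if src not in vpn_endpoints:
            continue                    # only replies from our own endpoints
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue                    # not an IKE datagram
        # A non-zero responder SPI means the endpoint accepted the exchange;
        # a clear E bit means the responder hash travels unencrypted.
        if (hdr.major_version == 1 and hdr.exchange_type == EXCH_AGGRESSIVE
                and not hdr.encrypted and hdr.responder_spi != ZERO_SPI):
            alerts.append({
                "endpoint": src,
                "peer": dst,
                "exchange": EXCHANGE_TYPES[hdr.exchange_type],
                "reason": "responder answered Aggressive Mode in the clear",
            })
    return alerts


# Constructed sample traffic using documentation addresses (not a real capture).
VPN = "192.0.2.1"
CLIENT = "198.51.100.7"
SAMPLE_PACKETS = [
    (CLIENT, VPN, build_isakmp_header(EXCH_AGGRESSIVE)),                                  # AM msg 1
    (VPN, CLIENT, build_isakmp_header(EXCH_AGGRESSIVE, responder_spi=b"\x22" * 8)),       # AM msg 2: hash in clear
    (CLIENT, VPN, build_isakmp_header(EXCH_AGGRESSIVE, FLAG_ENCRYPTION, b"\x22" * 8)),    # AM msg 3: encrypted
    (VPN, CLIENT, build_isakmp_header(2, responder_spi=b"\x33" * 8)),                     # Main Mode reply
    (VPN, CLIENT, build_isakmp_header(34, responder_spi=b"\x44" * 8, major_version=2)),   # IKEv2: not affected
]

if __name__ == "__main__":
    for alert in find_cleartext_aggressive_replies(SAMPLE_PACKETS, {VPN}):
        print(alert)
```

Run against the constructed sample, only the second datagram (the endpoint's unencrypted Aggressive mode reply) produces an alert; the Main mode reply and the IKEv2 exchange do not. To use it on real traffic, feed it (src, dst, payload) tuples for UDP/500 datagrams taken from a packet capture of the endpoint's public interface; an alert means the endpoint should have Aggressive mode with PSK disabled.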