Information gathering is the most important stage of a penetration test, so it is important to learn how to gather as much information as possible during this stage in order to plan a successful engagement. In this tutorial, I will be covering some of the ways you can gather information to create an attack plan. The topics I will be covering are as follows:
- Getting a list of subdomains
- Using Shodan for fun and profit
- Shodan Honeyscore
- Shodan plugins
- Using Nmap to find open ports
- Bypassing firewalls with Nmap
- Searching for open directories
- Performing deep magic with DMitry
- Hunting for SSL flaws
- Exploring connections with intrace
- Digging deep with theharvester
- Finding technology behind web applications
- Scanning IPs with masscan
- Sniffing around with Kismet
- Testing router with firewalk
Getting a list of subdomains
We do not always have a situation where a client has defined a full, detailed scope of what needs to be pentested. So we will use the following recipes to gather as much information as we can before the actual testing starts.
1. Fierce is one of the most widely used subdomain tools and comes preinstalled on Kali. Fierce performs a subdomain scan that can reveal useful information. We can start by looking at the fierce help menu: open a terminal and type in fierce -h.
2. To perform a subdomain scan, type in the following command:
fierce -dns DomainName.com -threads 10
Example: fierce -dns google.com -threads 10
DNSdumpster
This is a free project by Hacker Target to look up subdomains. It relies on https://scans.io/ for its results. It can also be used to get the subdomains of a website. We should always prefer to use more than one tool for subdomain enumeration as we may get something from other tools that the first one failed to pick up.
Just type in the domain whose subdomains you wish to look up and click Search to start scanning.
Shodan
1. Shodan is the world's first search engine to search for devices connected to the Internet. It was launched in 2009 by John Matherly. Shodan can be used to look up webcams, databases, industrial systems, video games, and many other devices. Shodan mostly collects data on the most popular web services running, such as HTTP, HTTPS, MongoDB, FTP, and many more.
2. In order to use Shodan we must first create an account. So open a new browser and visit https://www.shodan.io, you will see a page like the one I have below.
3. Click the green Login or Register button on the top right corner and create an account.
4. For this tutorial, we are going to search for FTP services running on port 21. So go to the search bar and type in port:"21" and press Enter. You will see a screen similar to mine below showing you some of the FTP servers that are available with port 21 opened.
5. You can narrow the search result down even further by specifying the country, like this: port:"21" country:"IN". This will show the FTP results for India.
6. Click on the Exploits tab to see all of the potential exploits you can use against some of these servers.
7. Now we can try the organization filter. It can be done by typing port:"21" country:"IN" org:"BSNL" as shown in the following screenshot:
Shodan has other tags that can be used to perform advanced searches, such as:
net: to scan IP ranges
city: to filter by city
More information can be found here
Shodan Honeyscore
Shodan Honeyscore is another great project built using Python. It helps us figure out whether an IP address we have is a honeypot or a real system.
1. To use Shodan Honeyscore visit https://honeyscore.shodan.io/
2. Enter the IP address you want to check and click Check for Honeypot.
Shodan Plugins
Shodan also provides a plugin for Chrome and Firefox that can be used to check the open ports of websites we visit on the go.
To get the Shodan plugin for Chrome click here. Once you have installed the plugin, just visit any website and click on the plugin icon to see information about that website.
Using Nmap To Find Open Ports
Network Mapper, or Nmap, is a security scanner written by Gordon Lyon. It is used to find hosts and services on a network. It first came out in September 1997. Nmap has various features as well as scripts to perform various tests, such as finding the OS, the service version, brute forcing default logins, and so on.
Some of the most common types of scan are:
TCP connect() scan
SYN stealth scan
UDP scan
Ping scan
Idle scan
How to use Nmap
1. Nmap is already installed on Kali so we only need to execute the correct command to run the tool. Open a terminal and type in
nmap -h and press Enter
You will now see a screen similar to mine below.
2. To perform a basic scan we can execute the following command
nmap -sV -Pn 192.168.1.1
3. -Pn tells Nmap to skip host discovery, so it does not check whether the host is up by sending a ping first. The -sV parameter lists the services running on the open ports it finds, with their versions.
4. Another flag we can use is -A, which automatically performs OS detection, version detection, script scanning, and traceroute. The command is: nmap -A -Pn x.x.x.x
5. To scan an IP range or multiple IPs, we can use this command:
nmap -A -Pn x.x.x.0/24
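Once a scan has been saved with -oX, the result can be checked against what a host is actually supposed to expose, which is how these scans are used on the defending side. The following is an added example and not code from the book or from this tutorial: the XML is a constructed sample in the shape Nmap writes, and the baseline of approved ports is made up.

```python
"""Added example: parse Nmap XML output (-oX) and flag open services that are
not in an approved baseline. SAMPLE_NMAP_XML is a constructed sample in the
shape Nmap emits, not a real scan; BASELINE is likewise made up."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -Pn -oX - 192.168.1.1">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: the (protocol, port) pairs each host is approved to expose.
BASELINE = {
    "192.168.1.1": {("tcp", 22), ("tcp", 80)},
}


def open_services(xml_text):
    """Return {(ip, proto, port): service description} for every open port."""
    found = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ports = host.find("ports")
        if addr is None or ports is None:
            continue
        ip = addr.get("addr")
        for port in ports.findall("port"):
            state = port.find("state")
            # "open" and "open|filtered" both count; filtered/closed do not
            if state is None or not state.get("state", "").startswith("open"):
                continue
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            desc = " ".join(p for p in parts if p) or "unknown"
            found[(ip, port.get("protocol"), int(port.get("portid")))] = desc
    return found


def unexpected_services(xml_text, baseline):
    """List (ip, proto, port, service) tuples the baseline does not allow.
    A host missing from the baseline has all of its open ports reported."""
    findings = []
    for (ip, proto, port), desc in sorted(open_services(xml_text).items()):
        if (proto, port) not in baseline.get(ip, set()):
            findings.append((ip, proto, port, desc))
    return findings


if __name__ == "__main__":
    for ip, proto, port, desc in unexpected_services(SAMPLE_NMAP_XML, BASELINE):
        print(f"{ip} {proto}/{port} not in baseline: {desc}")
```

Run against a real file by reading it into a string and passing it to unexpected_services; only ports whose state starts with "open" are compared, so the filtered 443 in the sample is not reported, while the FTP service on 21 is, because the baseline does not list it.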
Using Nmap Scripting Engine
The Nmap Scripting Engine (NSE) allows users to write their own scripts to perform different tasks automatically. These scripts are executed alongside the scan. They can be used to perform more effective version detection, exploitation of vulnerabilities, and so on. The command for using a script is:
nmap -Pn -sV domain.com --script dns-brute
Output:
Here the script dns-brute tries to fetch the available subdomains by brute forcing it against a set of common subdomain names.
Bypassing firewall with Nmap
Many times during a pentest, you will come across systems that are protected by firewalls or intrusion detection systems (IDS). Nmap provides several ways to get port scans past firewalls. In this part of the tutorial, we will learn some of them.
TCP ACK scan
The ACK scan (-sA) sends ACK packets instead of SYN packets. Because a firewall may treat an ACK as the response to an earlier SYN rather than as a new connection attempt, it often does not log it. The scan is mostly used to map the type of firewall being used.
How to perform an ACK scan
Open a terminal and type in nmap -sA 192.168.1.1
Let us look at the comparison of how a normal scan differs from an ACK scan:
ACK scan result:
The scan results of filtered and unfiltered ports depend on whether a firewall being used is stateful or stateless. A stateful firewall checks if an incoming ACK packet is part of an existing connection or not. It blocks it if the packets are not part of any requested connection. Hence, the port will show up as filtered during a scan. Whereas, in the case of a stateless firewall, it will not block the ACK packets and the ports will show up as unfiltered.
TCP Window Scan
The window scan (-sW) is almost the same as an ACK scan, except that it can also show which ports are open and which are closed.
How to use the Nmap window scan
1. To run the window scan type in nmap -sW 192.168.1.1
where 192.168.1.1 is any IP address.
Normal Scan vs. Window Scan
The window scan revealed much more detail compared to a normal scan.
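To make the filtered/unfiltered and open/closed distinctions concrete, here is an added example, not from the book or this tutorial, that models the ACK scan and the window scan against a stateless and a stateful firewall without sending any packets. It assumes a simplified host that answers every unsolicited ACK with a RST and sets a non-zero TCP window on that RST only for open ports, which is the behaviour the window scan relies on; real TCP stacks vary in this, which is why -sW results are less dependable than -sA results.

```python
"""Constructed model of Nmap's ACK scan (-sA) and window scan (-sW) behind a
stateless versus a stateful firewall. Nothing is sent on the network; the
point is to show why a stateful firewall makes every port read 'filtered'
and why a stateless one reads 'unfiltered' for whatever its rules let through."""


class Firewall:
    """kind is 'stateless' (decides on the port only) or 'stateful' (also
    requires an entry in its connection table, which is created when a SYN to
    an allowed port is seen)."""

    def __init__(self, kind, allowed_ports):
        self.kind = kind
        self.allowed_ports = set(allowed_ports)
        self.connections = set()   # (client, port) pairs that started with a SYN

    def passes(self, client, port, flags):
        if port not in self.allowed_ports:
            return False
        if self.kind == "stateless":
            return True
        if flags == "SYN":
            self.connections.add((client, port))
            return True
        # stateful: an ACK is only legitimate inside a tracked connection,
        # so the scanner's unsolicited ACK is dropped
        return (client, port) in self.connections


class Host:
    """Target behind the firewall (assumption: answers every unsolicited ACK
    with a RST, and puts a non-zero window in that RST only for open ports)."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def reply_to_ack(self, port):
        window = 1024 if port in self.open_ports else 0
        return {"flags": "RST", "window": window}


def ack_scan(firewall, host, scanner, ports):
    """State Nmap reports per port for -sA: a RST coming back means unfiltered."""
    states = {}
    for port in ports:
        if firewall.passes(scanner, port, "ACK"):
            host.reply_to_ack(port)
            states[port] = "unfiltered"
        else:
            states[port] = "filtered"
    return states


def window_scan(firewall, host, scanner, ports):
    """-sW: same probe, but unfiltered ports are split by the RST's window field."""
    states = {}
    for port in ports:
        if not firewall.passes(scanner, port, "ACK"):
            states[port] = "filtered"
            continue
        rst = host.reply_to_ack(port)
        states[port] = "open" if rst["window"] > 0 else "closed"
    return states


if __name__ == "__main__":
    host = Host(open_ports=[22, 80])
    probe = [21, 22, 80, 443]
    stateless = Firewall("stateless", allowed_ports=[22, 80, 443])
    stateful = Firewall("stateful", allowed_ports=[22, 80, 443])
    print("stateless -sA:", ack_scan(stateless, host, "10.0.0.9", probe))
    print("stateful  -sA:", ack_scan(stateful, host, "10.0.0.9", probe))
    print("stateless -sW:", window_scan(stateless, host, "10.0.0.9", probe))
    # A client that really opened the connection is still let through by the
    # stateful firewall; that is what connection tracking buys the defender.
    stateful.passes("10.0.0.5", 80, "SYN")
    print("established client ACK passes:", stateful.passes("10.0.0.5", 80, "ACK"))
```

In the stateless case the unfiltered set is exactly the firewall's allow list (22, 80 and 443), whatever the host is actually running; in the stateful case every port reads filtered, which is the signature described above for a firewall that tracks connections.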
Idle Scan
Idle scanning is an advanced technique where no packets sent to the target can be traced back to the attacker machine. This scanning technique requires a zombie host to be specified.
To use the Idle scan type in
nmap -sI AnyZombiehost.com domain.com
How does Idle Scan work?
Idle scan works on the basis of a predictable IPID (the IP fragmentation identification field) on the zombie host. First, the IPID of the zombie host is read. Then a connection request is sent to the target host, spoofed so that it appears to come from the zombie. If the port is open, the target sends an acknowledgment (SYN/ACK) back to the zombie, and the zombie resets (RST) the connection because it has no record of opening one; if the port is closed, the target sends a RST to the zombie, which the zombie ignores. Next, the scanner reads the IPID on the zombie again. If it has changed by one step, only the scanner's own probe moved it, which implies a RST came from the target and the port is closed. If it has changed by two steps, the zombie also sent a packet in between, meaning it received the target's SYN/ACK and answered it with a RST, which implies that the port is open.
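The IPID arithmetic above is easy to get backwards, so here is an added example, not from the book or this tutorial, that models it without sending anything. It also shows the mitigation: a host that randomises its IP ID field (as most modern kernels do) gives no usable reading, which is why such hosts cannot serve as zombies. The IPID values in RANDOM_IDS are a constructed list standing in for a randomising kernel.

```python
"""Constructed model of the idle-scan IP ID arithmetic. No packets are sent.
Shows why a zombie needs a sequential IP ID counter and why a host that
randomises its IP IDs cannot be used as one."""


class Zombie:
    """Idle host. 'sequential': IP ID grows by one for every packet it sends.
    'random': IP IDs come from a constructed, non-sequential list standing in
    for a kernel that randomises the field."""

    RANDOM_IDS = [40213, 5, 61999, 17, 30000, 2048, 9001, 777]  # constructed

    def __init__(self, mode="sequential", start=1000):
        self.mode = mode
        self.ipid = start
        self.sent = 0

    def _next_ipid(self):
        self.sent += 1
        if self.mode == "sequential":
            self.ipid += 1
            return self.ipid
        return self.RANDOM_IDS[(self.sent - 1) % len(self.RANDOM_IDS)]

    def receive(self, flags):
        """A SYN/ACK for a connection it never opened is answered with a RST
        (one packet sent, so the IP ID advances); a RST is dropped silently."""
        if flags == "SYN/ACK":
            return self._next_ipid()
        return None


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port):
        """An open port answers a SYN with SYN/ACK, a closed port with RST."""
        return "SYN/ACK" if port in self.open_ports else "RST"


def read_zombie_ipid(zombie):
    """The scanner sends the zombie a SYN/ACK; the zombie's RST reveals its IP ID."""
    return zombie.receive("SYN/ACK")


def idle_probe(zombie, target, port):
    """Infer the target port's state from how far the zombie's IP ID moved."""
    before = read_zombie_ipid(zombie)
    # SYN to the target carrying the zombie's source address: the target's
    # answer goes to the zombie, never to the scanner.
    zombie.receive(target.receive_syn(port))
    after = read_zombie_ipid(zombie)
    delta = (after - before) % 65536
    if delta == 1:
        return "closed|filtered"   # only the scanner's own probe moved the counter
    if delta == 2:
        return "open"              # the zombie also answered the target's SYN/ACK
    return "unknown"               # counter not predictable: unusable zombie


if __name__ == "__main__":
    sequential, target = Zombie(), Target(open_ports=[80])
    for p in (80, 22):
        print(f"sequential zombie, port {p}: {idle_probe(sequential, target, p)}")
    randomised = Zombie(mode="random")
    for p in (80, 22):
        print(f"randomised zombie, port {p}: {idle_probe(randomised, target, p)}")
```

With the sequential zombie the counter reads 1001, 1003 for the open port (two steps) and 1004, 1005 for the closed one (one step); with the randomised list the differences are meaningless and every probe comes back unknown, which is the behaviour Nmap's zombie check is looking for when it rejects a candidate.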
Searching for open directories
In the previous part of this tutorial, we discussed how to find open ports on a network IP or domain name. We often see developers running web servers on different ports. Sometimes developers also leave directories misconfigured, and these may contain useful information for us. We have already covered dirsearch at the top of this tutorial; here we will look at an alternative tool to dirsearch.
The dirb Tool
The dirb tool can be used to brute force open directories. Although it is generally slow and does not support multi-threading, it is still a great way to find directories and subdirectories that may have been left open due to a misconfiguration.
How to use dirb
1. Type in the command dirb https://domain.com to start the search.
2. Other dirb options that can come in handy:
-a: to specify a user agent
-c : to specify a cookie
-H: to enter a custom header
-X: to specify the file extension
Performing deep magic with DMitry
The Deepmagic Information Gathering Tool (DMitry) is an open source, command line tool written in C. It can gather information on subdomains, email addresses, whois records, and more.
How to use DMitry
1. In the terminal type in dmitry -h to see a list of options and what the tool can do for you.
2. Now we will try to perform an email, whois, TCP port scan, and subdomain search by using the following command.
dmitry -s -e -w -p domain.com
Searching for flaws within SSL
Most web applications today use SSL/TLS to communicate with the server. sslscan is a tool to check that setup for flaws or misconfigurations.
How to use sslscan
1. Open the terminal and type in sslscan -h to open the help menu.
2. To run the tool against a host, type in
sslscan host.com:port
Example: sslscan google.com:443
3. An alternative to sslscan is TLSSLed which can also be used to check for SSL vulnerabilities.
Exploring Connection With Intrace
The intrace tool is a great tool to enumerate IP hops on existing TCP connections. It can be useful for getting past firewalls and gathering information about a network.
How to use intrace
To use intrace type in intrace -h domain.com -p port -s SizeOfPacket
Example: intrace -h google.com -p 443 -s 4
Information Gathering with theharvester
theharvester is a tool that can help you gather a lot of information about a company. It can be used to find information like email accounts, subdomains, and more. In this next part, we will learn how to use theharvester to gather information about a company.
How to use theharvester
To start using theharvester open the terminal and type in
theharvester -d domain/name -l 20 -b all
Example: theharvester -d packtpub -l 10 -b linkedin
-d is the domain name or keyword we want to search for, -l limits the number of search results, and -b is the source we want the tool to use while gathering information. The tool supports Google, Google CSE, Bing, Bing API, PGP, LinkedIn, Google Profiles, 123people, Jigsaw, Twitter, and Google Plus as sources.
Finding the technology behind the Web Application
There is no point starting a pentest against a web application without knowing what the actual technology behind it is. For example, it would be absolutely useless to run dirsearch to look for files with the extension .php when the technology is actually ASP.NET. So, in this next tutorial, we will learn to use a simple tool called whatweb to understand the technology behind a web app. It comes by default in Kali. It can also be installed manually from the URL https://github.com/urbanadventurer/WhatWeb.
How to use whatweb
1. Open a terminal, type in whatweb and press Enter
2. To scan a web application just type in whatweb domain.com
Example: whatweb facebook.com
Scanning IP address with masscan
The masscan tool is a very fast port scanner. It is a good alternative to Nmap when we know exactly which ports we are looking for on a network. This tool, however, does not support default port scanning; all ports must be specified using the -p flag.
To use the tool open the terminal and type in masscan x.x.x.x/24 -p 80,443,23
Example: masscan 192.168.1.1/24 -p 80,443,23
We can also set the packet rate with the --max-rate flag. By default, the rate is 100 packets per second. Raising it is not recommended as it will put a lot of load on the network devices.
Sniffing with Kismet
Kismet is a layer 2 wireless network detector. It comes in handy because, while performing a pentest in a corporate environment, we may need to look at wireless networks as well. Kismet can sniff 802.11a/b/g/n traffic. It works with many wireless cards that support raw monitor mode.
In this part of the tutorial, we will learn how to use Kismet to monitor Wi-Fi networks.
1. To start Kismet just type in kismet in the terminal and press Enter
Once the GUI appears, choose Yes to start the server.
2. Choose Yes again on this screen
3. Next, we need to specify a source interface, in our case it is wlan0, so we will type that in. Make sure the interface is in monitor mode before initializing it in Kismet:
4. Let Kismet scan the air for wireless networks nearby. If it picks up any, it will display them on the screen like below.
5. By default, Kismet listens on all of the channels so you will have to specify which channel you want by selecting the entry Config Channel from the Kismet menu.
6. On this screen we can type in the channel we want Kismet to listen on.
7. Kismet also allows us to see the signal-to-noise ratio. We can see that by selecting Channel Details under the Windows menu.
8. This signal-to-noise ratio is very helpful during wardriving.
Testing routers with Firewalk
The firewalk tool is a network security reconnaissance tool that helps us figure out whether our routers are actually doing the job they are supposed to do. It attempts to find out what protocols a router or firewall will allow and what it will block.
This tool is useful during pentesting because it verifies and validates firewall policies in a corporate environment.
How to use Firewalk
1. We have to install firewalk because it is not installed by default on Kali. To install firewalk open the terminal and type in apt-get install firewalk and press Enter
2. To run firewalk simply type in
firewalk -S 1-23 -i eth0 192.168.1.1 192.168.10.1
-i is for specifying the network interface, -S is for specifying the port numbers we want to test, and the next two are the router's IP address and the host's IP address that we want to check against our router.
By Himanshu Sharma - Kali Linux - An Ethical Hacker's Cookbook
Well, thanks for copy-pasting the second chapter from my book "Kali Linux - An Ethical Hacker's Cookbook". I would really appreciate it if you could give some credit to the original author too.