Would be really nice to have some of the grey beards assist here.
Comments and feedback are welcome.
For legal matters, this guide should serve for educational purposes only, for white hat hackers. I hold no responsibility for the actions or intentions of the readers.
Ideally this should be used by inexperienced practitioners looking to test their own services, to learn more within a controlled, secure environment.
I will not write any introduction to assist with covering your tracks or the precautions that should be taken. I will follow with the rest as I get time to do so.
- Footprinting - Network mapping
- Scanning and exploitation
- Escalating
- Pivoting
In order to encourage readers to read more themselves, I will keep the guide limited in certain aspects but provide resources to help you educate yourself. So let's start with this week's topic, 1. Network Mapping.
Footprinting - network mapping:
Method: A very effective method for exploring your target's network is using relentless reverse whois lookups and normal whois lookups on the target domains.
Reason: Whois lookups tell you very useful information about the hosting company and the domain itself. We are using fierce to extract data related to the DNS in order to map out all the possible targets within the domain.
The information that you can obtain about a resource is:
Name of the owner company
Address of the owner company
The IP range that a certain IP belongs to
Contact phone number
Contact email
Administrator's name
Name servers
Next I will lay out the most used record types within zone files:
A Records - Map a hostname to an IP address.
NS Records - Delegate a given zone to the given authoritative nameserver. For example, ns1.google.com is an authoritative nameserver for google.com.
MX Records - Tell us which server is responsible for receiving mail sent to that domain name.
TXT Records - Hold arbitrary human-readable text in a record.
CNAME Records - Give an alias of one name to another.
We will be using fierce to find all the name servers for the target domain. It will also check whether these name servers have zone transfers enabled. If one of them is not properly configured, it will allow a zone transfer. (http://tools.kali.org/information-gathering/fierce, http://www.hackersgarage.com/fierce-dns-analysis-perl-script.html, http://pentester.fr/resources/tools/techno/DNS/Fierce/fierce.pl)
So let's use a dummy page with a South African domain; this site has not been configured properly. In order to also show results for sites that have been configured properly, I will use the domain of the company I work for.
So let's first discover the subdomains of our targets, e.g. sharpies.co.za and confiance.co.za.
In the Linux command prompt we cd to the location where our fierce Perl script is saved and then execute it using the following syntax: perl fierce.pl [-dns example.com] [OPTIONS]
perl fierce.pl -dns sharpies.co.za
Code:
DNS Servers for sharpies.co.za:
ns1.atspace.me
ns2.atspace.me
Trying zone transfer first...
Testing ns1.atspace.me
Whoah, it worked - misconfigured DNS server found:
sharpies.co.za. 3600 IN SOA ns1.atspace.me. hostmaster.atspace.me. (
2014040201 ;serial
10800 ;refresh
3600 ;retry
1209600 ;expire
7200 ) ;minimum
mx.sharpies.co.za. 3600 IN A 82.197.130.149
mail.sharpies.co.za. 3600 IN A 82.197.130.163
sharpies.co.za. 3600 IN NS ns2.atspace.me.
sharpies.co.za. 3600 IN NS ns1.atspace.me.
sharpies.co.za. 3600 IN MX 10 mx.sharpies.co.za.
www.sharpies.co.za. 3600 IN A 83.125.22.197
sharpies.co.za. 3600 IN A 83.125.22.197
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 8117 test(s)...
perl fierce.pl -dns confiance.co.za
Code:
DNS Servers for confiance.co.za:
ns4143.dns.dyn.com
ns3135.dns.dyn.com
ns2162.dns.dyn.com
ns1191.dns.dyn.com
Trying zone transfer first...
Testing ns4143.dns.dyn.com
Request timed out or transfer not allowed.
Testing ns3135.dns.dyn.com
Request timed out or transfer not allowed.
Testing ns2162.dns.dyn.com
Request timed out or transfer not allowed.
Testing ns1191.dns.dyn.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 8117 test(s)...
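As an added example that is not part of the original post: a small Python script that parses the records returned by a successful zone transfer (the sharpies.co.za output above is embedded as constructed input, multi-line SOA included) into the record types listed earlier and turns them into a host inventory. This is the same review a domain owner should run on their own zone to see exactly what an open transfer exposes; the function names are my own.

```python
import re
# Constructed input: the zone records fierce printed for the sharpies.co.za
# transfer above, including the multi-line SOA, used so this runs offline.
SAMPLE_ZONE = """sharpies.co.za. 3600 IN SOA ns1.atspace.me. hostmaster.atspace.me. (
2014040201 ;serial
10800 ;refresh
3600 ;retry
1209600 ;expire
7200 ) ;minimum
mx.sharpies.co.za. 3600 IN A 82.197.130.149
mail.sharpies.co.za. 3600 IN A 82.197.130.163
sharpies.co.za. 3600 IN NS ns2.atspace.me.
sharpies.co.za. 3600 IN NS ns1.atspace.me.
sharpies.co.za. 3600 IN MX 10 mx.sharpies.co.za.
www.sharpies.co.za. 3600 IN A 83.125.22.197
sharpies.co.za. 3600 IN A 83.125.22.197
"""
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

def parse_zone(text):
    """Return (name, ttl, type, rdata) tuples; joins '(...)' continuation lines, strips ';' comments."""
    joined, buf, records = [], "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ;comments and whitespace
        if not line:
            continue
        buf = (buf + " " + line) if buf else line
        if buf.count("(") > buf.count(")"):  # record continues on next line
            continue
        joined.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    for line in joined:
        m = RECORD_RE.match(line.strip())
        if m:  # skip anything that is not a resource record
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, " ".join(rdata.split())))
    return records

def map_hosts(records):
    """Asset inventory from a zone: host -> sorted IPs, name servers, mail exchangers."""
    hosts, ns, mx = {}, set(), set()
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            hosts.setdefault(name, set()).add(rdata)
        elif rtype == "NS":
            ns.add(rdata.rstrip("."))
        elif rtype == "MX":  # rdata is "<priority> <exchange>"
            mx.add(rdata.split()[1].rstrip("."))
    return {"hosts": {h: sorted(v) for h, v in hosts.items()}, "ns": sorted(ns), "mx": sorted(mx)}
```

Feed it the record section of any fierce or dig AXFR output; every A record that comes back is a host your own zone is advertising to anyone who asks.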
So let's now use our sharpies.co.za dummy page for whois lookups.
The important fields to look for are Server, SOURCE, NetRange, and CIDR.
If we do a whois lookup on some of the target domains, we will find that they are all registered by the same person, so let's rather use that for our reverse lookup.
Most reverse whois lookups cost money, so we can cheat by using Google; it is not as effective, but good enough for our example. We can make use of the inurl: operator in Google search. (https://sites.google.com/site/resourcesandsearchstrategies/google/advanced-searching-in-google)
Now we use fierce again, with the -range option on the IP addresses we found to look up DNS names, and -dns to find the sub-domains and IP addresses.
EDIT: As mentioned in our thread, another great tool to assist with footprinting is Yeti from SensePost (www.sensepost.com). It supports Windows and Linux. They also provide a tutorial on domain expansion and lookups: http://spyeti.blogspot.com/p/getting-started.html
We will continue the above until we have a good set of domains with IP addresses, which we will scan for vulnerabilities next week.
https://www.linkedin.com/pulse/prac...rs-guide-pentesting-frans-botes?trk=prof-post