Pentesting for beginners

initroot

Senior Member
Joined
Jul 30, 2011
Messages
868
Would be really nice to have some of the grey beards assist here.
Comments and feedback are welcome.

For legal matters this guide should serve for education purposes only for white hat hackers. I hold no responsibility for the actions or intentions of the readers.

Ideally this should be used by inexperienced practitioners looking to test their services to learn more within a controlled secure environment.

I will not write any introduction to assist with covering your tracks or the precautions that should be taken. I will follow with the rest as I get time to do so.

  • Footprinting - Network mapping
  • Scanning and exploitation
  • Escalating
  • Pivoting

In order to encourage users to read more themselves, I will keep the guide limited in certain aspects but provide resources to assist with educating yourself. So let's start out with this week's topic 1. Network Mapping.

Footprinting - network mapping:

Method: A very effective method of exploring your target's network is using relentless reverse whois lookups and normal whois lookups on the target domains.

Reason: Whois lookups tell you very useful information about the hosting company and the domain itself. We are using fierce to extract data related to the DNS in order to map out all the possible targets within the domain.

The information that you can obtain about a resource is:

Name of the owner company
Address of the owner company
The IP range that a certain IP belongs to
Contact phone number
Contact email
Administrator's name
Name servers

Next I will lay out the most used keys within zone files:

A Records - Maps an IP Address to a hostname.
NS Records - Delegates a given zone to use the given authoritative nameserver. E.g. ns1.google.com is an authoritative nameserver for google.com.
MX Records - This basically tells us which server is responsible for receiving mail sent to that domain name.
TXT Records - This consists of arbitrary human-readable text in a record.
CNAME Records - Gives an alias of one name to another.

We will be using fierce to find all the name servers for the target domain. It will also check whether these domains have zone transfers enabled. If one of the domains isn't properly configured, it will allow zone transfers. (http://tools.kali.org/information-gathering/fierce, http://www.hackersgarage.com/fierce-dns-analysis-perl-script.html, http://pentester.fr/resources/tools/techno/DNS/Fierce/fierce.pl)

So let's use a dummy page with a South African domain; this site, however, has not been configured properly. In order to also show results for sites that have been configured properly, I will use the domain of the company where I'm working.

So let's first discover the subdomains of our targets, e.g. sharpies.co.za and confiance.co.za.

In the Linux command prompt we cd to the location where our fierce Perl script is saved and then we execute it using the following command: perl fierce.pl [-dns example.com] [OPTIONS]

perl fierce.pl -dns sharpies.co.za

Code:
DNS Servers for sharpies.co.za:
   ns1.atspace.me
   ns2.atspace.me
 Trying zone transfer first...
   Testing ns1.atspace.me
 Whoah, it worked - misconfigured DNS server found:
sharpies.co.za.    3600    IN    SOA    ns1.atspace.me. hostmaster.atspace.me. (
   2014040201    ;serial
   10800    ;refresh
   3600    ;retry
   1209600    ;expire
   7200    )    ;minimum
mx.sharpies.co.za.    3600    IN    A    82.197.130.149
mail.sharpies.co.za.    3600    IN    A    82.197.130.163
sharpies.co.za.    3600    IN    NS    ns2.atspace.me.
sharpies.co.za.    3600    IN    NS    ns1.atspace.me.
sharpies.co.za.    3600    IN    MX    10 mx.sharpies.co.za.
www.sharpies.co.za.    3600    IN    A    83.125.22.197
sharpies.co.za.    3600    IN    A    83.125.22.197
Okay, trying the good old fashioned way... brute force
 Checking for wildcard DNS...
Nope. Good.
Now performing 8117 test(s)...

perl fierce.pl -dns confiance.co.za

Code:
DNS Servers for confiance.co.za:
   ns4143.dns.dyn.com
   ns3135.dns.dyn.com
   ns2162.dns.dyn.com
   ns1191.dns.dyn.com
Trying zone transfer first...
   Testing ns4143.dns.dyn.com
   Request timed out or transfer not allowed.
   Testing ns3135.dns.dyn.com
   Request timed out or transfer not allowed.
   Testing ns2162.dns.dyn.com
   Request timed out or transfer not allowed.
   Testing ns1191.dns.dyn.com
   Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 8117 test(s)...

So let's now use our sharpies.co.za dummy webpage for whois lookups.

The important aspects to look for are the Server, SOURCE, NetRange, and CIDR.

If we do a whois lookup for some of the domain targets we will find that they are all registered by the same person, so now let's rather use that for our reverse lookup.

Most reverse whois lookups cost money, so we can cheat by using Google; not as effective, but good enough for our example. We can make use of the inurl: command in Google search. (https://sites.google.com/site/resourcesandsearchstrategies/google/advanced-searching-in-google)

Now we use fierce again with the -range command on the IP addresses we found to look up DNS names, and -dns to find the subdomains and IP addresses.

EDIT: As mentioned in our thread, another great tool to assist with footprinting is Yeti from SensePost (www.sensepost.com). It supports Windows and Linux. They also provide a tutorial on domain expansion and lookups: http://spyeti.blogspot.com/p/getting-started.html

We will continue the above until we have a nice set of domains with IP addresses which we will scan for vulnerabilities next week.

https://www.linkedin.com/pulse/prac...rs-guide-pentesting-frans-botes?trk=prof-post
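As an added example (not part of the thread, and not fierce's own code), here is a small Python script that turns the zone-transfer section of a fierce run, such as the sharpies.co.za output above, into a host inventory. It reads the status lines fierce prints to decide whether the transfer was allowed, parses the resource-record lines, and groups the A-record addresses into /24 blocks as candidate NetRange/CIDR values for the whois step. The two sample inputs are constructed from the record lines shown in the post; the /24 grouping is an assumption made here, a starting point only, since the real allocation comes from whois. Run against your own zone it answers the question every DNS operator should check: does any of my name servers hand out the whole zone to anyone who asks?

```python
"""Parse the zone-transfer section of a fierce run into a host inventory."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the record and status lines shown in the thread's
# first fierce run (sharpies.co.za), where the transfer was allowed.
SAMPLE_FIERCE_OUTPUT = """\
DNS Servers for sharpies.co.za:
   ns1.atspace.me
   ns2.atspace.me
 Trying zone transfer first...
   Testing ns1.atspace.me
 Whoah, it worked - misconfigured DNS server found:
sharpies.co.za.    3600    IN    SOA    ns1.atspace.me. hostmaster.atspace.me. (
   2014040201    ;serial
   10800    ;refresh
   3600    ;retry
   1209600    ;expire
   7200    )    ;minimum
mx.sharpies.co.za.    3600    IN    A    82.197.130.149
mail.sharpies.co.za.    3600    IN    A    82.197.130.163
sharpies.co.za.    3600    IN    NS    ns2.atspace.me.
sharpies.co.za.    3600    IN    NS    ns1.atspace.me.
sharpies.co.za.    3600    IN    MX    10 mx.sharpies.co.za.
www.sharpies.co.za.    3600    IN    A    83.125.22.197
sharpies.co.za.    3600    IN    A    83.125.22.197
Okay, trying the good old fashioned way... brute force
"""

# Constructed sample: the properly configured case from the second run.
SAMPLE_FIERCE_DENIED = """\
DNS Servers for confiance.co.za:
   ns4143.dns.dyn.com
Trying zone transfer first...
   Testing ns4143.dns.dyn.com
   Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
"""

# One resource record per line in zone-file form: owner TTL IN TYPE rdata.
# Record lines start in column 0; fierce's status lines and the SOA
# continuation lines are indented or lack the "IN" field, so they do not match.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def parse_zone_transfer(text):
    """Return (transfer_allowed, records).

    records is a list of (owner, ttl, rtype, rdata) tuples with the trailing
    dot stripped from the owner name. transfer_allowed is True only when
    fierce printed its "misconfigured DNS server found" marker.
    """
    transfer_allowed = False
    records = []
    for line in text.splitlines():
        if "misconfigured DNS server found" in line:
            transfer_allowed = True
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), int(ttl), rtype, rdata.strip()))
    return transfer_allowed, records


def host_inventory(records):
    """Map each hostname with an A record to its sorted list of IPv4 addresses."""
    hosts = defaultdict(set)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            # ip_address() validates the rdata; a typo in the zone raises here.
            hosts[owner].add(str(ipaddress.ip_address(rdata)))
    return {host: sorted(ips) for host, ips in hosts.items()}


def mail_servers(records):
    """Return MX targets ordered by preference (lowest preference first)."""
    mx = []
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "MX":
            pref, target = rdata.split(None, 1)
            mx.append((int(pref), target.rstrip(".")))
    return [target for _pref, target in sorted(mx)]


def networks_in_use(records, prefixlen=24):
    """Group A-record addresses into /prefixlen blocks (assumed starting
    point for the whois NetRange/CIDR lookup; whois gives the real range)."""
    nets = set()
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            nets.add(ipaddress.ip_network(f"{rdata}/{prefixlen}", strict=False))
    return sorted(str(net) for net in nets)


if __name__ == "__main__":
    allowed, recs = parse_zone_transfer(SAMPLE_FIERCE_OUTPUT)
    print("zone transfer allowed:", allowed)
    for host, ips in sorted(host_inventory(recs).items()):
        print(f"  {host:24} {', '.join(ips)}")
    print("mail servers:", mail_servers(recs))
    print("candidate ranges:", networks_in_use(recs))
    print("confiance.co.za allowed:", parse_zone_transfer(SAMPLE_FIERCE_DENIED)[0])
```

Feed it the saved output of `perl fierce.pl -dns yourdomain` and the inventory is the list of hosts anyone on the internet could enumerate without guessing; if `transfer_allowed` comes back True for a zone you operate, restricting AXFR to your secondaries on the authoritative servers is the fix.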

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,212
Cool. How is Dominic keeping these days? Haven't heard from him at all in more than a year.

Doing well! He'll be at BlackHat/Defcon this year, giving training. Otherwise, look out for him in #zacon on Atrum.

initroot

Senior Member
Joined
Jul 30, 2011
Messages
868
For footprinting, check out jyeti. Get the download from here.

Disclaimer, I work for SensePost, who created JYeti.

Thanks! Will update the posts.

Keep the ideas coming guys, I will update the posts as we get new ideas. Would be nice if we can let each process run for a week or two and get everyone's ideas on it before we move to the next. Wouldn't mind if somebody else would like to join on the posts as well?