::.. =[]= ..::     ::.. =[]= ..::     ::.. =[]= ..::     ::.. =[]= ..::
 

CgAn Course: Welcome to Simple recon methods

| November 10th, 2017 by Doemela | Comments Off on CgAn Course: Welcome to Simple recon methods

See https://archive.cyberguerrilla.org/a/2017/cgan-teach-the-world-about-hacking-hacktivism/

[RedAcor] Welcome
[RedAcor] I guess we can start
[RedAcor] Anon_Blackcat01 ?
[Anon_Blackcat01] yes
[RedAcor] So welcome to simple recon methods and tools.
[RedAcor] First of all i could say that this was fast preparation. ๐Ÿ™‚
[RedAcor] Anyways
[RedAcor] We can talk about two type recon what depends what is the target
[RedAcor] We uses different methods and tools for every type recon
[RedAcor] At least we will talk about about two type recon what the basics for most of pentesters and hackers etc…
[RedAcor] If the target is website or network you will need to decide what you wanna do. If you wanna pwn it, it is complex work and you will need to work hard.
[RedAcor] Much will wait you.
[RedAcor] Search engines will be your best helper when you search
[RedAcor] https://google.com and https://www.startpage.com/ can be used text based search and exploration of exploitable vulns.
[Chanlog] Title: Google (at www.google.com.ua)
[Aeolus] can i ask?
[RedAcor] Sure.
[Aeolus] startpage can be used like google dorks?
[RedAcor] Yeah.
[Aeolus] cool
[RedAcor] Example ] site:example.com php?id=
[RedAcor] If you use site:.example.com php?id= it will search subdomains also.
[RedAcor] ๐Ÿ™‚
[RedAcor] “.” is the best helper in this case. ๐Ÿ™‚
[RedAcor] Anyways.
[Arkhangel] did u already start?
[RedAcor] Yeah.
[Arkhangel] ๐Ÿ˜ฎ
[Arkhangel] ok
[RedAcor] If you decided about the target you can start with finding their server type and their cms if you think exploiting it.
[RedAcor] http://searchdns.netcraft.com/ is one of the useful online site to find their dbms, sytem type.
[Chanlog] Title: Netcraft – Search Web by Domain (at searchdns.netcraft.com)
[RedAcor] nmap is the important tool to find their OS.
[RedAcor] w3af can be used to find their dbms type also.
[RedAcor] Btw you can ask any question you want. Feel free.
[Aeolus] sysadmins who change their web server name etc
[Aeolus] like when we use such tools
[Aeolus] but they configed their systems to return altered results
[Aeolus] what can we do in such case?
[B[U]G] in this case we can get more possible info verified
[RedAcor] If you use w3af or kinda tool, they cant hide their server type from you.
[Aeolus] ah good
[B[U]G] for example we can read our request of header info
[B[U]G] and get verified info
[B[U]G] depends from your ask at server
[Aspire] ok
[B[U]G] if POST / GET
[B[U]G] or
[B[U]G] you can call by netcat on various ports
[B[U]G] to see if HTTP / 1.!
[Aspire] what is netcat?
[B[U]G] are 200
[B[U]G] Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
[Aspire] ?
[RedAcor] Aspire Netcat is a tool about network.
[Aspire] ok
[RedAcor] If you find their dbms type and OS. It is time to find CMS.
[RedAcor] We mostly find CMS type with manual analysing.
[RedAcor] Also there are mostly used same CMS types: WordPressi Joomla, Drupal etc…
[RedAcor] For example: https://sub.media/wp-content/uploads/2017/07/Trouble-S1e5-screening-kit.pdf
[B[U]G] or for many institutional website is typo3
[RedAcor] There is wp-content in URL. You can easily understand it is WordPress and they use MySQL
[RedAcor] Yeah.
[RedAcor] Moodle is another one.
[RedAcor] http://www4.unfccc.int/submissions/_layouts/viewlsts.aspx ] Microsoft SharePoint Shit
[Chanlog] Title: All Site Content (at www4.unfccc.int)
[RedAcor] Other example.
[RedAcor] SharePoint based sites mostly have kinda home page: http://www4.unfccc.int/Pages/Default.aspx
[RedAcor] So you can easily see it SharePoint
[Aspire] by aspx?
[RedAcor] Yeah.
[Aspire] ok
[RedAcor] It is ASP.Net
[RedAcor] If you didnt find with easy way, you will have to dig and play with it a bit.
[RedAcor] Example:
[RedAcor] http://pbignewsletter.ml.com/c.do?cid=840534&oid=150&internalVisitor=true
[Chanlog] Title: PBIG (at pbignewsletter.ml.com)
[RedAcor] No hint
[RedAcor] You can use a simple prefix to play
[RedAcor] Like that: http://pbignewsletter.ml.com/c.do?cid=840534%27&oid=150&internalVisitor=true
[RedAcor] So it will show you their treasure
[RedAcor] ๐Ÿ™‚
[Aspire] what did you do?
[RedAcor] There is another CMS with no patched vuln you may gather site users name.
[Aspire] %27?
[RedAcor] Yeah.
[Aspire] what is?
[RedAcor] You can add “*” ” ‘ ”
[RedAcor] It is encoded prefix
[Aspire] to cause an error
[RedAcor] Yeah. It doesnt cause error everytime.
[Aspire] yes i know ahaha
[RedAcor] It can direct to 404 page. It is error page, will not give you any info about their system etc..
[RedAcor] [RedAcor] There is another CMS with no patched vuln you may gather site users name.
[RedAcor] Drupal
[Aeolus] “*” ” ‘ ” can do that?
[RedAcor] ‘=%27 encoded ๐Ÿ™‚
[RedAcor] Same thing
[RedAcor] Example for drupal: https://blogs.state.gov/admin/views/ajax/autocomplete/user/c
[RedAcor] As you see there are user names.
[RedAcor] You will just need check every letters to get all user list.
[RedAcor] So you will have chance to bruteforce their login.
[RedAcor] ๐Ÿ™‚
[RedAcor] Any question?
[Aspire] no
[RedAcor] Ok.
[RedAcor] Now we can talk about gathering subdomains.
[Aeolus] lol indeed
[Aeolus] json format to make your life easier ๐Ÿ˜›
[RedAcor] jejeje
[RedAcor] I have to explain that before talk about gathering subdomains.
[RedAcor] Many sysadmins forgot to update some subdomains and that helps you to have easy and unpatched targets.
[RedAcor] You can hack the hardest system by hacking subdomain. ๐Ÿ˜›
[RedAcor] Anyways.
[RedAcor] So we can talk about subdomain gathering tools.
[RedAcor] nmap has plugin for that.
[RedAcor] DNS-Brute option is very useful
[RedAcor] Simply: nmap –script dns-brute mail.example.com
[RedAcor] And kaboom. It will bruteforce subdomains.
[RedAcor] Other tool is fierce
[Aspire] and what we gain?
[RedAcor] You gain subdomain list. And you have chance to check subdomain. More work and more chance to hack there.
[RedAcor] https://nmap.org/
[RedAcor] https://zmap.io/
[Chanlog] Title: Nmap: the Network Mapper – Free Security Scanner (at nmap.org)
[Chanlog] Title: The ZMap Project (at zmap.io)
[Aspire] ok
[RedAcor] Also you can use zenmap (noob version of nmap)
[Aeolus] RedAcor
[RedAcor] Yeah. ๐Ÿ™‚
[Aeolus] what about built in tools in Linux distros?
[Aeolus] can they help?
[Aeolus] like nslookup etc
[Aeolus] dig
[RedAcor] You can use them
[RedAcor] But we havent started talking about ip based recon. ๐Ÿ™‚
[Aeolus] ah sorry
[RedAcor] We are talking about text based recon.
[RedAcor] For usage of fierce you can check: https://tools.kali.org/information-gathering/fierce
[Chanlog] Title: Fierce | Penetration Testing Tools (at tools.kali.org)
[RedAcor] If you find subdomains and system, dbms and CMS, you have two ways
[RedAcor] 1. Searching exploits on exploit online databases like https://www.exploit-db.com/ and trying to hack
[Arkhangel] just a question: when u have shown the nmap example command, u said we do a bruteforce attack… but dont we need of a txt files containing all patterns for bruteforcing?
[RedAcor] 2. Scanning with tools and trying to find vuln on site
[RedAcor] Arkhangel Nmap has own txt for that.
[Arkhangel] ok
[RedAcor] You can use another tool: dnsdict
[Arkhangel] about the 1. solution above, in that case, I must know manually what are the vulns that I can exploit and that I must search on that webiste?
[RedAcor] It has option to use external txt for that.
[RedAcor] Arkhangel Manual search is another option.
[Arkhangel] ok
[RedAcor] But this lesson is for beginners to introduce simple ways.
[Arkhangel] is there a way to know which is the kind of DB running on a target?
[RedAcor] Depends what CMS it uses.
[Arkhangel] can you show an example please?
[RedAcor] If it is WordPress, you can say “hey it is mysql”
[Arkhangel] wordpress uses always mysql?
[Arkhangel] I never find a MS SQL or Oracle on WP?
[RedAcor] jejeje
[RedAcor] Yeah.
[Arkhangel] ok ty
[RedAcor] [RedAcor] 2. Scanning with tools and trying to find vuln on site
[RedAcor] Sorry.
[RedAcor] Ok. First option is end of recon if you found exploit.
[RedAcor] If you didnt find any exploit or any technique for that, time to pass to second option (scaning)
[RedAcor] What tools are used for that?
[RedAcor] w3af is one of them
[Arkhangel] a question: there are different scanning tools. I think there is not a best tool. So among these tools, when I must use one and when use others?
[RedAcor] Just one tool is not enough
[RedAcor] You will need different tools for different type analyses.
[RedAcor] w3af has different options in it.
[Arkhangel] can u list the kind of analysis and the related tools to use for each analysis?
[RedAcor] Crawl, attack, audit, grep.
[RedAcor] Ah, i will. No worries.
[RedAcor] Example: ] [RedAcor] Crawl, attack, audit, grep.
[RedAcor] Also w3af can get intagrated with sqlmap
[Arkhangel] crawl, attack, audit, grep are kind of analysis or tools?
[RedAcor] So after scan you can direct attack if there is vuln on site.
[RedAcor] I meant w3af does crawling, greping
[RedAcor] It will show you the result by crawling site, so you can analyses the vuln on the page.
[RedAcor] For example: If there is vuln on login page it will show you the method=”post” blah blah.
[Aspire] ok
[RedAcor] https://github.com/andresriancho/w3af
[RedAcor] http://docs.w3af.org/en/latest/basic-ui.html#running-w3af-with-gtk-user-interface
[Chanlog] Title: GitHub – andresriancho/w3af: w3af: web application attack and audit framework, the open source web vulnerability scanner. (at github.com)
[Chanlog] Title: Running w3af โ€” w3af – Web application attack and audit framework 1.7.6 documentation (at docs.w3af.org)
[RedAcor] You can check for more info.
[Arkhangel] what does crawl, audit, grep analysis mean? What is the difference among each one?
[RedAcor] The other tool is Owasp Zap
[RedAcor] Arkhangel It is not analyses. Sorry, i caused confusing.
[RedAcor] Those are just what w3af does.
[RedAcor] You can check links for info.
[RedAcor] Owasp Zap is good for web app scaning and fuzzing site.
[RedAcor] https://github.com/zaproxy/zaproxy
[RedAcor] https://null-byte.wonderhowto.com/how-to/hack-like-pro-hack-web-apps-part-6-using-owasp-zap-find-vulnerabilities-0168129/
[Chanlog] Title: GitHub – zaproxy/zaproxy: The OWASP ZAP core project (at github.com)
[Chanlog] Title: Hack Like a Pro: How to Hack Web Apps, Part 6 (Using OWASP ZAP to Find Vulnerabilities) ยซ Null Byte :: WonderHowTo (at null-byte.wonderhowto.com)
[RedAcor] You can check links for info.
[RedAcor] It gathers pages and you can analyse every page and scripts on it.
[RedAcor] Even if the page or script has no vuln.
[Arkhangel] ok ty
[RedAcor] Vega
[RedAcor] Openvas
[RedAcor] wpscan
[RedAcor] joomscan
[RedAcor] This tools are other tool what you can search them and find how to use.
[RedAcor] Openvas is mostly used to find weaknesses of site about cert, fingerprinting and d/dos
[RedAcor] Now we can pass to ip based recon.
[RedAcor] First of you need to find it is ip.
[RedAcor] You can use nslookup, dig commands on your system.
[RedAcor] Simple way
[RedAcor] nmap is other option and most used thing.
[RedAcor] Simply: nmap -T4 -A -v 1.1.1.1
[RedAcor] Do that and check the result.
[Aeolus] parameters explained pls?
[RedAcor] Ah sorry wrong shit
[RedAcor] nmap -T4 -A -v example.com
[Aeolus] i used
[Aeolus] nmap -T4 -A -v nato.gov
[Aeolus] just kiddin :p
[RedAcor] jajaja
[RedAcor] I am not kidding with my links as you see.
[RedAcor] Anyways.
[RedAcor] Some site has a few ips because they are big or they use some services to have more ips.
[RedAcor] So you may need some online solution for that.
[RedAcor] https://www.robtex.com/
[Chanlog] Title: Welcome to Robtex! (at www.robtex.com)
[RedAcor] is one of them.
[RedAcor] Btw https://dnsdumpster.com/ is one of online solution to find subdomains.
[Chanlog] Title: DNSdumpster.com – dns recon and research, find and lookup dns records (at dnsdumpster.com)
[RedAcor] It is useful.
[RedAcor] https://dnsdumpster.com/ can be used all ips of that site also.
[Chanlog] Title: DNSdumpster.com – dns recon and research, find and lookup dns records (at dnsdumpster.com)
[RedAcor] https://www.robtex.com/
[Chanlog] Title: Welcome to Robtex! (at www.robtex.com)
[RedAcor] and https://censys.io/
[Chanlog] Title: Censys (at censys.io)
[RedAcor] Can be used for same purpose.
[RedAcor] If you find ips time to find open ports and some open points
[RedAcor] nmap -p 1-65535 -T4 -A -v targetip will check all tcp ports of ip.
[RedAcor] Also you can use it for ip range
[RedAcor] nmap -p 1-65535 -T4 -A -v 1.1.1.1/24
[Aeolus] RedAcor
[RedAcor] Yeah.
[Aeolus] but this isnt too loud?
[RedAcor] Sometimes.
[RedAcor] Actually masscan is too loud.
[RedAcor] ๐Ÿ™‚
[RedAcor] nmap has different plugins for different purposes
[RedAcor] For example: nmap -T4 -A -v –script rdp-enum-encryption,rdp-vuln-ms12-020 192.168.195.0/24
[RedAcor] This command will help you to check rdp vuln on that ip range
[RedAcor] I am checking for I forgot something or not.
[RedAcor] Nah.
[RedAcor] Website-Network part is over.
[RedAcor] I had said that: [RedAcor] We can talk about two type recon what depends what is the target
[RedAcor] If target is person or company there is not thing much to do.
[RedAcor] Actually there is much to do but i will explain it so short.
[Aeolus] maby we can add a course
[RedAcor] Maybe.
[RedAcor] If target is a company, targets are employees and bosses
[RedAcor] So you will need to have a fake Linkedin account to join their network, contact and gather info about them.
[RedAcor] You will need fake personality for that. It is other lesson’s topic.
[RedAcor] Will not explain it.
[RedAcor] We will focus on recon for spear phising
[RedAcor] phishing
[Aeolus] social engineering?
[RedAcor] Yeah.
[RedAcor] Also it.
[RedAcor] But i dont wanna talk about social engineering.
[RedAcor] It is large subject.
[RedAcor] theharvester is useful tool gather email addresses from web
[RedAcor] Easy to use also.
[RedAcor] theharvester -d dhs.gov -l 1000 -b google
[RedAcor] So you can have hundreds email for spear phishing.
[RedAcor] “google, bing, yahoo”
[RedAcor] https://www.data.com/ is most used site like linkedin by companies also
[RedAcor] You may need to create account on it also.
[RedAcor] And last thing is Maltego.
[RedAcor] It is wonderful tool to gather info about networks, persons and websites…
[RedAcor] Fancy Bear uses it.
[RedAcor] Just kidding.
[RedAcor] ๐Ÿ™‚
[RedAcor] General info: https://www.hackingloops.com/maltego/
[Chanlog] Title: The Ultimate Guide to Using Maltego as a Powerful Footprinting Tool (at www.hackingloops.com)
[RedAcor] Network: https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-maltego-do-network-reconnaissance-0158464/
[Chanlog] Title: Hack Like a Pro: How to Use Maltego to Do Network Reconnaissance ยซ Null Byte :: WonderHowTo (at null-byte.wonderhowto.com)
[RedAcor] Person: https://www.youtube.com/watch?v=09PfRJ4-5_0
[Chanlog] Title: How to Gather Data On Any Person Using Maltego CE || reconnaissance – YouTube (at www.youtube.com)
[RedAcor] If you find their emails you are ready for spear phishing:
[RedAcor] Than use: https://github.com/pentestgeek/phishing-frenzy
[Chanlog] Title: GitHub – pentestgeek/phishing-frenzy: Ruby on Rails Phishing Framework (at github.com)
[RedAcor] Or contact with them and do social engineering.
[RedAcor] Enjoy.
[RedAcor] Lesson is over.
[Aeolus] i really appreciate todays class
[Aeolus] lot of material to read
[Aeolus] thanks RedAcor ๐Ÿ™‚
[RedAcor] You’re welcome.
[mint] thanks
[l0t3D_] thanks RedAcor
[RedAcor] It was fast prepared lesson. Sorry if i amde some mistakes.
[Anon_Blackcat01] well done RedAcor, great lesson as expected
[l0t3D_] today’s lesson was too hard for me tho so that’s why wasn’t asking a lot

(Visited 380 times, 1 visits today)

Comments are closed.

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.