Difference between revisions of "Pentest"

From YobiWiki
Jump to navigation Jump to search
Line 97: Line 97:
 
==Mapping the network==
  
==Mapping the network==
 
===DNS===
  
===DNS===
  +
From the few domain names we got during the collect of informations, get their IP
In principle, after the collect of informations, we've a pretty good idea of the IP range in use.
  
  +
host www.example.com
<br>We can try a zone transfer, who knows...
  
  +
Then query whois to know the full IP range and its owner
dig @<authoritative_dns_server> example.com axfr
  
  +
whois [-B] 11.22.33.44
The authoritative DNS servers list can be obtained with a simple <code>dig NS www.example.com</code>
  
  +
We get also the handler "nic-hdl" which can be used in turn to see if other ranges are administred by the same people:
  +
whois -i pn <nic-hdl>
   
We can brute-force a reverse-lookup on the IP range:
 +
We can brute-force a reverse-lookup on the IP range to see if there are other relevant domain names:
 
for ((i=1;i!=255;i++)); do dig -x 11.22.33.$i|\
  
for ((i=1;i!=255;i++)); do dig -x 11.22.33.$i|\
 
grep -v '^;'|\
  
grep -v '^;'|\
 
awk '/PTR/{sub(/\.$/,"",$5);print $5}';done
  
awk '/PTR/{sub(/\.$/,"",$5);print $5}';done
  +
  +
For each identified domain name, see what say the TLDs:
  +
dig NS com
  +
dig NS example.com @a.gtld-servers.net.
  +
Cross-check with the whois results
  +
whois example.com
  +
 
We can try a zone transfer on the target NS, who knows, maybe one will allow it...
 
dig @<authoritative_dns_server> example.com axfr
  +
  +
This is also to be tested on subdomains as well...
   
 
==TODO==
  
==TODO==

Revision as of 20:37, 24 March 2008

Intro

Well a large subject...
You'll not find a howto here, more a checklist.
So why such a page?
Because I'm not doing pentests that often so when it happens, it's a bit unstructured.
Because I'm reading MISC HS 1 (in french) and I want to make some scrapbooking.
So I'll try to write down anything I do on that matter since now, starting with this HS1 and laying down everything I'm thinking about given my past experiences...
Note that a pentest doesn't imply going through *all* the steps described here, it depends what is the starting point, the surface of attack, the primary target, etc (looking on Google will not (better not!!) help you if you're assessing an internal network from inside)

Logging

  • Write down what we've found, how and when
  • Consider just writing what you did no matter what you found, especially when it's about grabbing bits after bits on various search engines, you don't want to redo several times the same query or to forget about trying this new juicy bit in one of your favorite search engines ;-)
  • You can end up with quite a lot of infos, especially e.g. when pentesting as an insider...
    • A (protected) wiki page sounds nice but confidentiality requires sometimes stronger measures such as a local encrypted deposit (cf MiscCrypto)
    • The results could be divided into several files:
      • a TRACE, with all the possible infos, too long to be read but you know you can find back your info here
      • a TRACEDIR, for the various tools which generate generous outputs, consider also saving a summary of the juicy bits in your TRACE & REPORT
      • a REPORT, with the most interesting facts, probably divided into results on the target and results as side-effects because you'll never stop just because it's a bit out-of-focus ;-) (I audited the frontdoor as you asked but btw did you know the wall is in paper?)
      • a TODO, with the parts you found that are calling for further investigation, pentesting is a lot about searching a tree and backtracking once you explored one branch as far as you could (technically or logistically if you've a deadline & priorities...)

Collecting information

This section is valid also for other domains than pure pentest, e.g. find a maximum of information on the person who bought a domain name under a pseudo...

website

  • postal address, about us,...
  • robots.txt
  • WayBack machine
    http://web.archive.org/web/*/http://www.example.com from [1]
  • Google cache
    http://209.85.135.104/search?q=cache:http://www.example.com
  • Coralize
    http://www.example.com.nyud.net from [2]
  • traceroute
    • CLI: traceroute / tcptraceroute
    • http://www.dnsstuff.com/tools/tracert.ch?ip=http://www.example.com from [3]
  • Other online DNS tools
  • whois
    • CLI: whois / whois 11.22.33.44 / whois -B 11.22.33.44
    • http://whois.webhosting.info/example.com from [4]
    • http://www.networksolutions.com/whois/results.jsp?domain=example.com from [5]
  • Reverse IP
    • CLI: host / host -t NS / host -t MX / host -t PTR 44.33.22.11.in-addr.arpa
    • Getting all known domains, not just reverse lookup:
      Interesting for co-hosted websites, to find if the same admin is managing other sites... -> whois etc on them
      • http://whois.webhosting.info/11.22.33.44 from [6]
      • http://search.msn.com/results.aspx?q=ip:11.22.33.44 from [7]
      • RIPE whois textual search to see if the contacts have registered other IP ranges
    • Try other IPs of the same range
  • Subdomains
    • http://searchdns.netcraft.com/?host=*.example.com from [8]
    • Google: site:example.com -inurl:www.example.com
    • -> try DNS queries, also with common ones: ftp., mail., citrix., vpn.

Search engines

  • Big list of the top 100 alternative search engines, see also [9]
  • Alexa: traffic ranking & other infos
  • Google + site: / inurl: / intext: / filetype: / -polluting_keyword / &num=100 / etc
    • wget / lynx -dump & awk / sed / grep
    • combined: (filetype:xls | filetype:doc | filetype:pdf) & check metadata of docs as well
    • cf Google FAQ about supported filetypes
  • Example requests to find emails:
    • lynx -dump "http://www.google.com/search?q=site:example.com+intext:@example.com&num=100" |\
      sed -n 's/@example.com/& /p' | grep -o -e '[.[:alnum:]]\+@example.com' | sort -u
    • site:example.com intext:"@example.com"
    • site:example.com intext:"mailto:"
    • site:example.com "Internal Server Error"
    • site:example.com (filetype:xls | filetype:doc | filetype:txt) mail
    • site:example.com filetype:csv mail address
    • site:example.com filetype:mdb inurl:email
    • site:example.com intitle:index.of inbox dbx
    • site:example.com filetype:wab wab
    • site:example.com filetype:reg reg intext:"internet account manager"
    • site:example.com filetype:pst inurl:"outlook.pst"

Finance

People

Other key people

Misc resources

Mapping the network

DNS

From the few domain names we got during the collect of informations, get their IP 

host www.example.com

Then query whois to know the full IP range and its owner 

whois [-B] 11.22.33.44

We get also the handler "nic-hdl" which can be used in turn to see if other ranges are administred by the same people: 

whois -i pn <nic-hdl>

We can brute-force a reverse-lookup on the IP range to see if there are other relevant domain names: 

for ((i=1;i!=255;i++)); do dig -x 11.22.33.$i|\
   grep -v '^;'|\
   awk '/PTR/{sub(/\.$/,"",$5);print $5}';done

For each identified domain name, see what say the TLDs: 

dig NS com
dig NS example.com @a.gtld-servers.net.

Cross-check with the whois results 

whois example.com

We can try a zone transfer on the target NS, who knows, maybe one will allow it... 

dig @<authoritative_dns_server> example.com axfr

This is also to be tested on subdomains as well...

TODO

  • Wi-Fi
    • kismet
    • detecting quickly the rogue APs via ARP replay & sniffing the internal network at same time, etc
    • breaking WEP, WPA
    • admin access on the APs
Retrieved from "https://wiki.yobi.be/index.php?title=Pentest&oldid=4043"