Information Gathering Flashcards
What is the first lookup tool to run against a domain like www.megacorpone.com?
whois megacorpone.com
What Google hack would allow you to just filter search results to those pages on www.megacorpone.com?
site:megacorpone.com
What Google hack would allow you to just filter search results to php pages on www.megacorpone.com?
site:megacorpone.com filetype:php
What Google hack would allow you to exclude HTML pages on www.megacorpone.com?
site:megacorpone.com -filetype:html
What is recon-ng?
- module-based framework for web-based information gathering.
- stores results in a database
- startup by typing “recon-ng”
Recon-ng: what command allows you to find modules?
marketplace search
Recon-ng: what command allows you to find out information about a module?
marketplace info
Recon-ng: what command allows you to install a module?
marketplace install
Recon-ng: what command allows you to use an installed module?
modules load
Recon-ng: what command allows you to find out information about a module after it has been loaded?
info
Recon-ng: what is the Google module that uses the “site:” search operator?
recon/domain-hosts/google_site_web
Recon-ng: what command in the Google module to find all subdomains for a site?
- options set SOURCE megacorpone.com
- run
Recon-ng: what command allows discovered subdomains in the database to be displayed?
show hosts
Recon-ng: what module allows you to resolve IP addresses to host domain names?
recon/hosts-hosts/resolve
What does SSL Server Test do?
- analyzes a server’s SSL/TLS configuration and compares it against current best practices
What is the name of the public site for storing and sharing text, that does not require an account for usage?
pastebin
What is theHarvester?
information gathering tool that gathers, emails, names, subdomains, IPs, and URLs from multiple public data sources.
What command would allow the use of theHarvester to search for information about the domain megacorpone.com?
theHarvester -d megacorpone.com -b google
What is the site that allows you to search social media sites for users or a keyword?
social-searcher
What is the process of DNS?
- Hostname entered into browser
- Browser passes the hostname to the OS’ DNS client, and the OS then forwards the hostname to the external DNS server configured for use
- The first server in the chain is known as the DNS recursor and is responsible for interacting with the DNS infrastructure and returning the results to the DNS client.
- The DNS recursor contacts one of the servers in the DNS root zone.
- The root server then responds with the address of the server responsible for the zone containing the TLD (.com TLD)
- Once the DNS recursor server receives the address of the TLD DNS server, it queries for the address of the authoritative nameserver for the .com domain.
- The authoritative nameserver is the final step in the DNS lookup process and contains the DNS records in a local database known as the “zone file”.
- Once the DNS recursor provides the DNS client with the IP address for the hostname, the browser can contact the correct web server at its IP address and load the webpage.
What is the Zone File?
- The authoritative nameserver contains a zone file.
- The Zone File is a local database that contains DNS records
- There are typically two zones for each domain:
1) the forward lookup zone used to find the IP Address of a specified hostname
2) the reverse lookup zone used to find the hostname of a specific IP Address
DNS Records: NS
- Nameserver record
- contains the name of the authoritative servers hosting the DNS records for a domain
DNS Records: A
- A record (aka host record)
- contains the IP address of a hostname
DNS Records: MX
- Mail Exchange record
- contains the names of the servers responsible for handling email for the domain.
DNS Records: PTR
- Pointer record
- used in reverse lookup zones and are used to find the records associated with an IP address
DNS Records: CNAME
- Canonical name record
- used to create aliases for other host records
DNS Records: TXT
- Text records
- contain any arbitrary data and can be used for various purposes, such as domain ownership verification
What command can be used to find the IP address for megacorpone.com
host www.megacorpone.com
What does the ‘host’ command look for?
A record
How would you look for the MX and TXT records for megacorpone.com?
- host -t mx megacorpone.com
- host -t txt megacorpone.com
What are some example hostnames to query against a domain such as megacorpone.com?
- www
- ftp
- owa
- proxy
- router
If you had a list of possible hostnames in a file named "list.txt", what is a one-liner to try Forward Lookup Brute Force against megacorpone.com?
for ip in $(cat list.txt); do host $ip.megacorpone.com; done
What project has a comprehensive hostname wordlist? How can it be installed?
Where does it install?
- SecLists project
- sudo apt install seclists
- /usr/share/seclists
What is a one-liner for Reverse Lookup Brute Force for IP addresses in the range 38.100.193.50-100?
for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"
What is the DNS Zone Transfer command?
host -l
DNSRecon
- Kali tool
- advanced, modern DNS enumeration script written in Python
Nmap: SYN Scan
- nmap -sS
- default Nmap scan
- Sends a SYN packet to various ports
- If a port is open, a SYN-ACK packet is received back
- the ACK packet is NOT sent back
What is a benefit of the Syn scan?
- Since there is not an ACK packet (three-way handshake is never completed) the information is not passed to the application layer.
- This means that the traffic will never appear in any application logs
- Syn scans are also faster
Nmap: TCP Scan
nmap -sT
Nmap: UDP Scan
nmap -sU
Nmap: Network Sweep
nmap -sn 10.11.1.1-254
Nmap: OS Fingerprint
nmap -O
Nmap: Banner Grabbing/Service Enumeration
nmap -sV -sT -A
Where are Nmap Scripts located?
/usr/share/nmap/scripts
What does the NetBIOS service on TCP 139 do?
Session layer protocol and service that allows computers on the local network to communicate with each other.
Nmap: Scanning for NetBIOS Service
nmap -v -p 139,445
Tool used for identifying NetBIOS information?
- nbtscan
- sudo nbtscan -r 10.11.1.0/24
How do you search for SMB Nmap Scripts?
ls -1 /usr/share/nmap/scripts/smb*
What is NFS?
- Network File System
- Distributed file system protocol
- Allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage
- Often used with Unix systems
- Very insecure
How do you scan for NFS Shares?
- By using RPCbind on TCP port 111
- nmap -v -p 111 10.11.1.1-254
- nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254
How do you search for NFS Nmap Scripts?
ls -1 /usr/share/nmap/scripts/nfs*
How do you run all NFS Nmap Scripts at the same time?
nmap -p 111 --script "nfs*" 10.11.1.72
If your Nmap NFS scan uncovered an NFS mount (via RPCbind) named "home", how would you mount it on your machine?
- mkdir home
- sudo mount -o nolock 10.11.1.72:/home ~/home
You locate a file on a mounted file share that you don't have access to and that belongs to user "1014".
How could you access this file?
- Add a local user to our machine (where we have mounted the file share) using the "adduser" command
- Change that user's UID to "1014"
How do you change a user's UID from 1001 to 1014?
sudo sed -i -e 's/1001/1014/g' /etc/passwd
Why is SNMP a useful protocol for penetration testing?
- Simple Network Management Protocol
- Not well-understood by network administrators
- Often results in SNMP misconfigurations, which can result in information leaks
- SNMP is based on UDP, and is therefore susceptible to IP Spoofing and replay attacks
- SNMP protocols 1, 2, 2c offer no traffic encryption
- SNMP has weak authentication schemes and is commonly left configured with default public and private community strings
What is SNMP MIB?
- SNMP Management Information Base
- Database containing information usually related to network management
- organized like a tree, where branches represent different organizations or network functions
- the leaves of the tree (final endpoints) correspond to specific variable values that can then be accessed, and probed, by an external user.
Nmap: Scan for SNMP
sudo nmap -sU --open -p 161 10.111.1.1-254
SNMP Brute Force Tool?
onesixtyone
How to brute force a network with onesixtyone?
echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips
onesixtyone -c community -i ips
Once you find SNMP services, what can you do from there?
Start querying the discovered SNMP services for MIB data
What is an SNMP Community String?
- similar to a user ID or password that is sent along with each SNMP Get-Request to get access to a device's information
- if the community string is correct, you're given access to the device's statistics
How do you use snmpwalk to enumerate the Entire MIB Tree of a discovered SNMP service?
- snmpwalk
- snmpwalk -c public -v1 -t 10 10.11.1.14
- -c = specifies the community string
- -v = specifies the SNMP version
- -t = specifies the timeout value (seconds)
How do you use snmpwalk to enumerate Windows users?
- snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
- 1.3.6.1.4.1.77.1.2.25 == MIB value for Windows User Accounts
How do you use snmpwalk to enumerate Windows Processes?
- snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2
- 1.3.6.1.2.1.25.4.2.1.2 = MIB value for Windows Process Path
How do you use snmpwalk to enumerate Windows open TCP ports?
- snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3
- 1.3.6.1.2.1.6.13.1.3 = MIB value for Windows TCP Local Ports
How do you use snmpwalk to enumerate installed software on a Windows machine?
- snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2
- 1.3.6.1.2.1.25.6.3.1.2 = MIB value for Windows running programs
What nmap one-liner shows what services are running?
sudo nmap 10.11.0.128 -p- -sV -vv --open --reason