Home » Posts filed under Enumeration

Host-Extract - Enumerate All IP/Host Patterns In A Web Page

in , , , , , , - on 8:28 PM - No comments
This little ruby script tries to extract all IP/Host patterns in page response of a given URL and JavaScript/CSS files of that URL.

With it, you can quickly identify internal IPs/Hostnames, development IPs/ports, cdn, load balancers, additional attack entries related to your target that are revealed in inline js, css, html comment areas and js/css files.

This is unlike web crawler which looks for new links only in anchor tags (<a) or the like.

(you might miss many additional targets if you ever use such web crawler or other GUI-based tools that shows you your main target and its relationship with its linked sub/off-site domains)
In some cases, host-extract may give you false positives when there are some words like - main-site_ver_10.2.1.3.swf.

With -v option, you can ask the tool to output html view-source snippets for each IP/Domain extracted. This will shorten your manual analysis time.


USAGE: 
ruby host-extract.rb URL [option]

Usage: host-extract [options]
        -a               find all ip/host patterns
        -j               scan all js files
        -c               scan all css files
        -v               append view-source html snippet for manual verification
Read more
Labels: , , , , , ,

[DNSRecon v0.8.6] DNS Enumeration Script

in , , , , , , , , - on 4:47 PM - No comments
Just updated DNSRecon to check if it can pull the Bind Version by doing a query for the TXT Record version.bind and it will now check if the RA Flag is set in responses from each of the NS servers it detects. If the server has recursion enabled it could be used for DDoS attacks and for performing Cache Snooping.

Example of a run where it is able to pull the Bind Version:
infidel02:dnsrecon carlos$ ./dnsrecon.py -d zonetransfer.me -x zt.xml
[*] Performing General Enumeration of Domain: zonetransfer.me
[-] DNSSEC is not configured for zonetransfer.me
[*]SOA ns16.zoneedit.com 69.64.68.41
[*]NS ns12.zoneedit.com 209.62.64.46
[*]Bind Version for 209.62.64.46 8.4.X
[*]NS ns16.zoneedit.com 69.64.68.41
[*]Bind Version for 69.64.68.41 8.4.X
[*]MX ASPMX2.GOOGLEMAIL.COM 173.194.75.27
[*]MX ASPMX3.GOOGLEMAIL.COM 173.194.66.27
[*]MX ASPMX4.GOOGLEMAIL.COM 173.194.65.26
[*]MX ASPMX5.GOOGLEMAIL.COM 173.194.70.26
[*]MX ASPMX.L.GOOGLE.COM 74.125.140.27
[*]MX ALT1.ASPMX.L.GOOGLE.COM 173.194.75.26
[*]MX ALT2.ASPMX.L.GOOGLE.COM 173.194.66.27
[*]MX ASPMX2.GOOGLEMAIL.COM 2607:f8b0:400c:c03::1a
[*]MX ASPMX3.GOOGLEMAIL.COM 2a00:1450:400c:c03::1b
[*]MX ASPMX4.GOOGLEMAIL.COM 2a00:1450:4013:c01::1b
[*]MX ASPMX5.GOOGLEMAIL.COM 2a00:1450:4001:c02::1a
[*]MX ASPMX.L.GOOGLE.COM 2607:f8b0:4002:c01::1a
[*]MX ALT1.ASPMX.L.GOOGLE.COM 2607:f8b0:400c:c01::1b
[*]MX ALT2.ASPMX.L.GOOGLE.COM 2a00:1450:400c:c03::1a
[*]A zonetransfer.me 217.147.180.162
[*]TXT zonetransfer.me Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*]TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[*]SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.180.162 5060 0
[*] 1 Records Found
[*] Saving records to XML file: zt.xml

The information on version and recursion are also saved in the XML as you can see:

infidel02:dnsrecon carlos$ cat zt.xml

<?xml version="1.0" ?> <records> <record address="69.64.68.41" mname="ns16.zoneedit.com" type="SOA"/> <record Recursive="False" Version="8.4.X" address="209.62.64.46" target="ns12.zoneedit.com" type="NS"/> <record Recursive="False" Version="8.4.X" address="69.64.68.41" target="ns16.zoneedit.com" type="NS"/> <record address="173.194.75.27" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.66.27" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.65.26" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.70.26" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/> <record address="74.125.140.27" exchange="ASPMX.L.GOOGLE.COM" type="MX"/> <record address="173.194.75.26" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="173.194.66.27" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2607:f8b0:400c:c03::1a" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:400c:c03::1b" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:4013:c01::1b" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:4001:c02::1a" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/> <record address="2607:f8b0:4002:c01::1a" exchange="ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2607:f8b0:400c:c01::1b" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2a00:1450:400c:c03::1a" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="217.147.180.162" name="zonetransfer.me" type="A"/> <record name="zonetransfer.me" strings="Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes" type="TXT"/> <record name="zonetransfer.me" strings="google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" type="TXT"/> <record address="217.147.180.162" name="_sip._tcp.zonetransfer.me" port="5060" target="www.zonetransfer.me" type="SRV"/> <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/> <domain domain_name="zonetransfer.me"/> </records>

Here is an example where recursion is enabled, you will see that the message is shown differently since this information is crucial during an engagement:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d acmelab.com -n 192.168.1.80
[*] Performing General Enumeration of Domain: acmelab.com
[*] DNSSEC is configured for acmelab.com
[*] DNSKEYs:
[*] NSEC KSk RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC KSk RSASHA256 ...
[*]SOA labns1.acmelab.com 192.168.1.80
[*]NS labns1.acmelab.com 192.168.1.80
[-]Recursion enabled on NS Server 192.168.1.80
[*]MX mail1.acmelab.com 192.168.1.4
[*]A acmelab.com 192.168.1.2
[*]TXT acmelab.com v=spf1 192.168.1.0/24
[*]TXT _domainkey.acmelab.com o=~; r=postmaster@acmelab.com
[*] Enumerating SRV Records
[*]SRV _finger._tcp.acmelab.com web1.acmelab.com 192.168.1.2 79 0
[*]SRV _http._tcp.acmelab.com web2.acmelab.com 192.168.1.3 80 0
[*]SRV _http._tcp.acmelab.com web1.acmelab.com 192.168.1.2 80 0
[*]SRV _sip._tls.acmelab.com chat.acmelab.com 192.168.1.5 443 0
[*]SRV _sipinternaltls._tcp.acmelab.com chat.acmelab.com 192.168.1.5 5061 0
[*]SRV _https._tcp.acmelab.com web1.acmelab.com 192.168.1.2 443 0
[*]SRV _https._tcp.acmelab.com web2.acmelab.com 192.168.1.3 443 0
[*] 7 Records Found

Read more
Labels: , , , , , , , ,

[Pinpoint] Enumerates WebPage Components to help identify the Infected Files

in , , , , , - on 10:46 PM - No comments

Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. Pinpoint will then try to determine which links are used to make up the webpage such as Javascript, CSS, frames, and iframes and downloads those files too (some Javascript content will produce incorrect links). The list of links it finds shows up in the document tree on the main window.

At the same time, a log file is created which shows the links and in which file the link resided in. It will also download the file and calculate the “entropy”; the higher the value, the more rubbish characters it found which may help identify obfuscated Javascript.

You can of course spoof the user-agent string and referer values to ilicit a malicious response from the website. There’s also a function to clear your cookies (see Options menu item) since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address since it’ll get banned usually after the first visit.

Read more
Labels: , , , , ,

[Kacak] Enumerate Users in Subnets

in , , , , - on 2:00 PM - No comments

Kacak is a tool that can enumerate users specified in the configuration file for windows based networks. It uses metasploit smb_enumusers_domain module in order to achieve this via msfrpcd service. If you are wondering what the msfrpcd service is, please look at the https://github.com/rapid7/metasploit-framework/blob/master/documentation/msfrpc.txt . It also parse mimikatz results.


Read more
Labels: , , , ,

[SSLSmart] Smart SSL Cipher Enumeration

in , , , , , - on 9:37 AM - No comments

SSLSmart is a highly flexible and interactive tool aimed at improving efficiency and reducing false positives during SSL testing. A number of tools allow users to test for supported SSL ciphers suites, but most only provide testers with a fixed set of cipher suites. Further testing is performed by initiating an SSL socket connection with one cipher suite at a time, an inefficient approach that leads to false positives and often does not provide a clear picture of the true vulnerability of the server. SSLSmart is designed to combat these shortcomings.


    SSLSmart has been tested to work on the following platforms and versions of Ruby:
    Windows: Ruby 1.8.6 with wxruby6 (2.0.0) and builder7 (2.1.2).
    Linux: Ruby 1.8.7/1.9.1 with wxruby (2.0.0) and builder (2.1.2).

Read more
Labels: , , , , ,