Monday 11 November 2019

Passive information gathering and footprinting by Raj

---------------------------------------------------------------------------------------------------------------------

Google Hacking Database :-  In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords.

https://www.exploit-db.com/google-hacking-database



inurl: "index.php?id="



----------------------------------------------------------------------------------------------------------------
Nikto :- This will give information about the server on which the web application is running, for example:

nikto -e 1 -h 172.31.93.23
nikto -h 172.31.93.23 -p 80

root@kali:~# nikto -e 1 -h 52.23.205.52
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          52.23.205.52
+ Target Hostname:    52.23.205.52
+ Target Port:        80
+ Using Encoding:     Random URI encoding (non-UTF8)
+ Start Time:         2019-11-11 08:47:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.34 (Amazon)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 394812, size: 38, mtime: Mon Nov 11 07:57:20 2019
+ Apache/2.2.34 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ 7888 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2019-11-11 08:47:15 (GMT0) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
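The findings in the scan above are all things the server operator can verify and fix without a scanner. The following is an added Python example (not part of the post and not Nikto's code) that applies the same checks to a captured set of response headers: the three missing security headers, a version-bearing Server banner, and an inode-based ETag. The two header sets are constructed to mirror the scanned host and a hardened configuration; they are not real captures.

```python
# Added example (not from the post, not Nikto's code): audit a dict of HTTP
# response headers for the weaknesses Nikto reported above, from the
# server operator's side. Header sets below are constructed, not captured.
import re

# Headers Nikto flagged as absent, with the value a hardened server should send.
RECOMMENDED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",  # legacy header, still reported by Nikto 2.1.6
}

# Constructed to mirror the Apache/2.2.34 host in the scan (inode-size-mtime ETag).
SCANNED = {
    "Server": "Apache/2.2.34 (Amazon)",
    "ETag": '"6063c-26-59718d6f3c600"',
    "Content-Type": "text/html",
}

# Constructed hardened response: banner without version, ETag without inode,
# all three recommended headers present.
HARDENED = {
    "Server": "Apache",
    "ETag": '"26-59718d6f3c600"',
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def audit_headers(headers):
    """Return a list of finding strings for a dict of response headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, value in RECOMMENDED.items():
        if name.lower() not in lower:
            findings.append(f"missing {name} (recommend: {value})")
    # A Server banner carrying a version lets any scanner match it against
    # outdated/EOL tables, exactly as Nikto did with Apache/2.2.34.
    server = lower.get("server", "")
    if re.search(r"/\d+\.\d+", server):
        findings.append(f"Server header leaks version: {server}")
    # Apache's default FileETag setting mixes the file inode into the tag; a
    # three-part hex ETag (inode-size-mtime) is the pattern Nikto reports.
    etag = lower.get("etag", "").strip('"').removeprefix("W/")
    if etag.count("-") == 2:
        findings.append(f"ETag looks inode-based: {etag}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("scanned host", SCANNED), ("hardened host", HARDENED)):
        print(f"{label}: {audit_headers(hdrs) or 'no findings'}")
```

On Apache the corresponding fixes are the `ServerTokens Prod` directive for the banner, `FileETag MTime Size` for the ETag, `Options -Indexes` for the `/icons/` directory listing, and `Header always set X-Frame-Options "SAMEORIGIN"` (and the two sibling headers) via mod_headers; rerunning nikto afterwards should show those items gone.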


------------------------------------------------------------------------------------------------------------------

whois :-

whois cnn.com     --- This gives registration information about the domain

 Domain Name: CNN.COM
   Registry Domain ID: 3269879_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.corporatedomains.com
   Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
   Updated Date: 2018-04-10T16:43:38Z
   Creation Date: 1993-09-22T04:00:00Z
   Registry Expiry Date: 2026-09-21T04:00:00Z
   Registrar: CSC Corporate Domains, Inc.
   Registrar IANA ID: 299
   Registrar Abuse Contact Email: domainabuse@cscglobal.com
   Registrar Abuse Contact Phone: 8887802723
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS-1086.AWSDNS-07.ORG
   Name Server: NS-1630.AWSDNS-11.CO.UK
   Name Server: NS-47.AWSDNS-05.COM
   Name Server: NS-576.AWSDNS-08.NET
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: h

and many more
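The same record tells a domain owner whether their own registration is in good shape: which registrar locks are set, whether the zone is DNSSEC-signed, how far away expiry is, and which name servers are delegated. Below is an added Python example (not part of the post) that parses a whois record of the form shown above and reports those points. WHOIS_SAMPLE is an excerpt of the cnn.com output above; SCAN_DATE is the post's date, used as "today" so the expiry arithmetic is reproducible; the set of locks it expects is the example's own choice.

```python
# Added example (not from the post): parse a whois record into fields a domain
# owner reviews (locks, DNSSEC, expiry, name servers). WHOIS_SAMPLE is an
# excerpt of the cnn.com record shown above; SCAN_DATE is the post's date.
from datetime import datetime, timezone

WHOIS_SAMPLE = """\
   Domain Name: CNN.COM
   Registrar: CSC Corporate Domains, Inc.
   Registry Expiry Date: 2026-09-21T04:00:00Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS-1086.AWSDNS-07.ORG
   Name Server: NS-1630.AWSDNS-11.CO.UK
   Name Server: NS-47.AWSDNS-05.COM
   Name Server: NS-576.AWSDNS-08.NET
   DNSSEC: unsigned
"""

SCAN_DATE = datetime(2019, 11, 11, tzinfo=timezone.utc)

# Registrar-side (client*) locks the example expects a production domain to carry.
EXPECTED_LOCKS = ("clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited")


def parse_whois(text):
    """Collect 'Key: value' lines; a key that repeats (Domain Status, Name Server) keeps every value."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            continue
        record.setdefault(key, []).append(value)
    return record


def whois_findings(text, today):
    """Return (findings, days_until_expiry, sorted name servers) for one record."""
    rec = parse_whois(text)
    findings = []
    # Each status value is '<code> <url>'; keep just the EPP status code.
    statuses = {s.split()[0] for s in rec.get("Domain Status", [])}
    for lock in EXPECTED_LOCKS:
        if lock not in statuses:
            findings.append(f"registrar lock not set: {lock}")
    if rec.get("DNSSEC", ["unsigned"])[0].lower() == "unsigned":
        findings.append("DNSSEC: zone is unsigned")
    expiry = datetime.strptime(rec["Registry Expiry Date"][0], "%Y-%m-%dT%H:%M:%SZ")
    days_left = (expiry.replace(tzinfo=timezone.utc) - today).days
    if days_left < 90:
        findings.append(f"domain expires in {days_left} days")
    name_servers = sorted(n.lower() for n in rec.get("Name Server", []))
    if len(name_servers) < 2:
        findings.append("fewer than two name servers delegated")
    return findings, days_left, name_servers


if __name__ == "__main__":
    findings, days_left, ns = whois_findings(WHOIS_SAMPLE, SCAN_DATE)
    print(f"expires in {days_left} days; name servers: {ns}")
    for f in findings:
        print(" -", f)
```

For the record above this reports the two client-side locks that are absent (only clientTransferProhibited is set; the server* statuses are registry locks) and that the zone is unsigned; the expiry date is years away, so it raises nothing there.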
----------------------------------------------------------------------------------------------------------------

Harvester :-

root@kali:/usr/share/theharvester# ./theHarvester.py -d microsoft.com -l 500 -b google      ----This will list the hostnames found for the domain, each with the IP address of its application server

Like below:

cloudblogs.microsoft.com:107.154.103.97
compass-ssl.microsoft.com:104.106.190.130
devblogs.microsoft.com:104.81.164.97
ds.microsoft.com:204.79.197.219
msdn.microsoft.com:104.108.116.12
msrc-blog.microsoft.com:40.122.65.162
news.microsoft.com:192.237.225.141
schemas.microsoft.com:104.108.119.185
support.microsoft.com:184.28.88.173
techcommunity.microsoft.com:208.74.205.202
www.microsoft.com:23.66.102.27

--------------------------------------------------------------------------------------------------------------

Shodan :- Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.




To get the router (default gateway) IP address:

root@kali:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.80.1     0.0.0.0         UG        0 0          0 eth0
172.31.80.0     0.0.0.0         255.255.240.0   U         0 0          0 eth0
root@kali:~#


-------------------------------------------------------------------------------------------------------------------------


DNS Zone transfers with Dig :-

root@kali:~# dig axfr facebook.com @A.NS.FACEBOOK.COM

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> axfr facebook.com @A.NS.FACEBOOK.COM
;; global options: +cmd
facebook.com.           3600    IN      SOA     a.ns.facebook.com. dns.facebook.com. 1573464454 14400 1800 604800 300
; Transfer failed.
root@kali:~#



root@kali:~# dig google.com

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34527
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             60      IN      A       172.217.15.78

;; Query time: 2 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Mon Nov 11 09:25:09 UTC 2019
;; MSG SIZE  rcvd: 55
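The "; Transfer failed." line above is the result a zone owner wants from every authoritative server: AXFR should be refused to anyone but the secondaries (dnsenum's "AXFR record query failed" lines further down are the same check). The following is an added Python example (not part of the post and not dig's code) that classifies a `dig axfr` transcript as refused or allowed and lists the host records a permitted transfer would disclose. REFUSED is the facebook.com output shown above; ALLOWED is a constructed transcript for a made-up zone (example.test, documentation addresses) showing what a misconfigured server returns.

```python
# Added example (not from the post, not dig's code): classify a `dig axfr`
# transcript and list the hosts a successful transfer discloses. REFUSED is
# the facebook.com output from the post; ALLOWED is constructed.
import re

REFUSED = """\
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> axfr facebook.com @A.NS.FACEBOOK.COM
;; global options: +cmd
facebook.com.           3600    IN      SOA     a.ns.facebook.com. dns.facebook.com. 1573464454 14400 1800 604800 300
; Transfer failed.
"""

# Constructed transcript of a server that (wrongly) allows AXFR to anyone.
ALLOWED = """\
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> axfr example.test @ns1.example.test
;; global options: +cmd
example.test.           3600    IN      SOA     ns1.example.test. hostmaster.example.test. 2019111101 14400 1800 604800 300
example.test.           3600    IN      NS      ns1.example.test.
example.test.           3600    IN      NS      ns2.example.test.
www.example.test.       300     IN      A       192.0.2.10
intranet.example.test.  300     IN      A       192.0.2.20
example.test.           3600    IN      SOA     ns1.example.test. hostmaster.example.test. 2019111101 14400 1800 604800 300
;; Query time: 3 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Mon Nov 11 09:30:00 UTC 2019
;; XFR size: 6 records (messages 1, bytes 241)
"""

# One resource record as dig prints it: name, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def axfr_outcome(output):
    """Return (status, records) with status 'refused', 'allowed' or 'unknown'.

    dig prints '; Transfer failed.' when the server refuses AXFR. A completed
    transfer lists every record (SOA first and last) and ends with an
    ';; XFR size:' summary line.
    """
    if "; Transfer failed." in output:
        return "refused", []
    if "XFR size" not in output:
        return "unknown", []
    records = []
    for line in output.splitlines():
        if line.startswith(";"):
            continue  # comments and the trailer, not records
        m = RR_LINE.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name, rtype, rdata))
    return "allowed", records


def exposed_hosts(records):
    """Names with address records: the host inventory a transfer gives away."""
    return sorted({name for name, rtype, _ in records if rtype in ("A", "AAAA")})


if __name__ == "__main__":
    for label, text in (("facebook.com", REFUSED), ("example.test", ALLOWED)):
        status, recs = axfr_outcome(text)
        print(f"{label}: {status}", exposed_hosts(recs) if recs else "")
```

Running this against each name server returned by dnsenum (the ns1..ns4 list below) and expecting "refused" from all of them is a quick periodic check for a zone owner; on BIND the setting that enforces it is `allow-transfer` restricted to the secondaries.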


----------------------------------------------------------------------------------------------------------------------

dnsenum :-   is the same kind of tool as dig, but it gives more information



root@kali:~# dnsenum google.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4

-----   google.com   -----


Host's addresses:
__________________

google.com.                              60       IN    A        172.217.12.238


Name Servers:
______________

ns4.google.com.                          60       IN    A        216.239.38.10
ns1.google.com.                          60       IN    A        216.239.32.10
ns2.google.com.                          60       IN    A        216.239.34.10
ns3.google.com.                          60       IN    A        216.239.36.10


Mail (MX) Servers:
___________________

alt2.aspmx.l.google.com.                 60       IN    A        209.85.202.26
alt3.aspmx.l.google.com.                 45       IN    A        172.253.120.26
alt4.aspmx.l.google.com.                 60       IN    A        172.217.218.27
aspmx.l.google.com.                      60       IN    A        172.217.197.26
alt1.aspmx.l.google.com.                 60       IN    A        64.233.186.27


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for google.com on ns4.google.com ...
AXFR record query failed: corrupt packet

Trying Zone Transfer for google.com on ns1.google.com ...
AXFR record query failed: corrupt packet

Trying Zone Transfer for google.com on ns2.google.com ...
AXFR record query failed: corrupt packet

Trying Zone Transfer for google.com on ns3.google.com ...
AXFR record query failed: corrupt packet

brute force file not specified, bay.
root@kali:~#
