Metasploit Information Gathering Basic[Search for info]

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Metasploit is an open source penetration testing framework. Using some metasploit auxiliary  modules we can gather information against our target. Let’s see how to do it in simple step to collect emails.

 msf > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > show options

Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   —-           —————  ——–  ———–
   DOMAIN                          yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  true             yes       Enable Google as a backend search engine
   SEARCH_YAHOO   true             yes       Enable Yahoo! as a backend search engine

msf auxiliary(search_email_collector) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails …..
[*] Searching Google for email addresses from microsoft.com
[*] Extracting emails from Google search results…
[*] Searching Bing email addresses from microsoft.com
[*] Extracting emails from Bing search results…
[*] Searching Yahoo for email addresses from microsoft.com
[*] Extracting emails from Yahoo search results…
[*] Located 0 email addresses for microsoft.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) > set DOMAIN cisco.com
DOMAIN => cisco.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails …..
[*] Searching Google for email addresses from cisco.com
[*] Extracting emails from Google search results…
[*] Searching Bing email addresses from cisco.com
[*] Extracting emails from Bing search results…
[*] Searching Yahoo for email addresses from cisco.com
[*] Extracting emails from Yahoo search results…
[*] Located 2 email addresses for cisco.com
[*]     gsahagun@cisco.com
[*]     vern@cisco.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) >

Microsoft is little scary to post their email address publicly ?

Let’s find some DNS information with Metasploit against microsoft:

msf auxiliary(shodan_search) > use auxiliary/gather/dns_info
msf auxiliary(dns_info) > show options

Module options (auxiliary/gather/dns_info):

   Name    Current Setting  Required  Description
   —-    —————  ——–  ———–
   DOMAIN                   yes       The target domain name
   NS                       no        Specify the name server to use for queries, otherwise use the system configured DNS Server is used.

msf auxiliary(dns_info) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_info) > run

[*] Enumerating microsoft.com
[+] microsoft.com – Address 134.170.188.221 found. Record type: A
[+] microsoft.com – Address 134.170.185.46 found. Record type: A
[+] microsoft.com – Name server ns4.msft.net (208.76.45.53) found. Record type: NS
[+] microsoft.com – Name server ns4.msft.net (2620:0:37::53) found. Record type: NS
[+] microsoft.com – Name server ns1.msft.net (208.84.0.53) found. Record type: NS
[+] microsoft.com – Name server ns1.msft.net (2620:0:30::53) found. Record type: NS
[+] microsoft.com – Name server ns2.msft.net (208.84.2.53) found. Record type: NS
[+] microsoft.com – Name server ns2.msft.net (2620:0:32::53) found. Record type: NS
[+] microsoft.com – Name server ns3.msft.net (193.221.113.53) found. Record type: NS
[+] microsoft.com – Name server ns3.msft.net (2620:0:34::53) found. Record type: NS
[+] microsoft.com – ns1.msft.net (208.84.0.53) found. Record type: SOA
[+] microsoft.com – ns1.msft.net (2620:0:30::53) found. Record type: SOA
[+] microsoft.com – Mail server microsoft-com.mail.protection.outlook.com (207.46.163.170) found. Record type: MX
[+] microsoft.com – Mail server microsoft-com.mail.protection.outlook.com (207.46.163.138) found. Record type: MX
[+] microsoft.com – Mail server microsoft-com.mail.protection.outlook.com (207.46.163.215) found. Record type: MX
[+] microsoft.com – Text info found: v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all . Record type: TXT
[+] microsoft.com – Text info found: FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ== . Record type: TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_info) > 


to find SRV record do the following:

msf auxiliary(dns_info) > use auxiliary/gather/dns_srv_enum
msf auxiliary(dns_srv_enum) > show options

Module options (auxiliary/gather/dns_srv_enum):

   Name    Current Setting  Required  Description
   —-    —————  ——–  ———–
   ALL_NS  false            no        Run against all name servers for the given domain.
   DOMAIN                   yes       The target domain name.

msf auxiliary(dns_srv_enum) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_srv_enum) > run

[*] Enumerating SRV Records for microsoft.com
[+] Host: sipfed.microsoft.com IP: 131.107.255.86 Service: sipfederationtls Protocol: tcp Port: 5061
[+] Host: sipdog3.microsoft.com IP: 131.107.1.47 Service: xmpp-server Protocol: tcp Port: 5269
[*] Auxiliary module execution completed

Bit lazy to format the text to code. So this might be little hard to read. But I think you still now have basic idea that how you can use metasploit for information gathering. If you like to see more in details or any questions …. you can post comments here.

  

Leave a Reply

Your email address will not be published. Required fields are marked *