Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Thursday, April 30, 2020
Quick Tip #3 - Christmas Scan in nmap
nmap determines the OS of the target by the responses it gets. Different operating systems send back slightly different packets in response to what TCP flag is set. The TCP flags are SYN, ACK, FIN, PSH, URG, RST. The mnemonic I use is: Unskilled Attackers Pester Real Security Folks. When you run an XMAS scan in nmap you are setting all TCP flags at the same time. Obviously, this isn’t a valid packet and requires the ability to modify the network stack, hence the need to be root to run this scan. This scan can help identify the target when other OS fingerprinting techniques are inconclusive, but a good IDS/Next Gen Firewall will probably block these packets. But it’s worth a shot when you can’t figure out the OS of the target. Also realize this is NOT stealthy. You’re announcing your intentions are to recon the network and it may get you blacklisted. You run the XMAS scan with the -sX flag.
Friday, April 24, 2020
Quick Tip #2 - dnsmap
dnsmap - command line utility to map out DNS records, bypassing the prohibition on zone transfers...
dnsmap is a great little tool to enumerate as many sub-domains on a target as possible. It's very easy to use and add to a script. Here's the parameters:
[root@legolas /]# dnsmap
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
usage: dnsmap [options]
options:
-w
-r
-c
-d
-i (useful if you're obtaining false positives)
e.g.:
dnsmap target-domain.foo
dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-fomain.foo -r /tmp/ -d 3000
dnsmap target-fomain.foo -r ./domainbf_results.txt
Now a quick run for the wired.com domain... I stopped it before it completed as this was just an example for educational purposes only
[root@legolas /]# dnsmap wired.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for wired.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
accounts.wired.com
IP address #1: 199.232.64.239
al.wired.com
IP address #1: 206.221.206.72
ar.wired.com
IP address #1: 209.202.221.208
beta.wired.com
IP address #1: 199.232.66.194
blog.wired.com
IP address #1: 3.91.111.80
IP address #2: 52.206.152.173
br.wired.com
IP address #1: 209.202.221.209
bw.wired.com
IP address #1: 206.221.206.104
cl.wired.com
IP address #1: 209.202.221.208
co.wired.com
IP address #1: 209.202.221.208
cr.wired.com
IP address #1: 209.202.221.208
demo.wired.com
IP address #1: 192.168.243.17
[+] warning: internal IP address disclosed
do.wired.com
IP address #1: 209.202.221.208
downloads.wired.com
IP address #1: 199.232.64.239
e.wired.com
IP address #1: 184.51.156.42
f.wired.com
IP address #1: 52.206.152.173
IP address #2: 3.91.111.80
gp.wired.com
IP address #1: 206.221.207.10
gt.wired.com
IP address #1: 209.202.221.208
hl.wired.com
IP address #1: 206.221.207.17
hn.wired.com
IP address #1: 209.202.221.208
home.wired.com
IP address #1: 52.206.152.173
IP address #2: 3.91.111.80
labs.wired.com
IP address #1: 10.91.34.27
[+] warning: internal IP address disclosed
m.wired.com
IP address #1: 3.91.111.80
IP address #2: 52.206.152.173
mc.wired.com
IP address #1: 206.221.206.157
media.wired.com
IP address #1: 199.232.64.239
^C
[root@legolas /]#
dnsmap is a great little tool to enumerate as many sub-domains on a target as possible. It's very easy to use and add to a script. Here's the parameters:
[root@legolas /]# dnsmap
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
usage: dnsmap
options:
-w
-r
-c
-d
-i
e.g.:
dnsmap target-domain.foo
dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-fomain.foo -r /tmp/ -d 3000
dnsmap target-fomain.foo -r ./domainbf_results.txt
Now a quick run for the wired.com domain... I stopped it before it completed as this was just an example for educational purposes only
[root@legolas /]# dnsmap wired.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for wired.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
accounts.wired.com
IP address #1: 199.232.64.239
al.wired.com
IP address #1: 206.221.206.72
ar.wired.com
IP address #1: 209.202.221.208
beta.wired.com
IP address #1: 199.232.66.194
blog.wired.com
IP address #1: 3.91.111.80
IP address #2: 52.206.152.173
br.wired.com
IP address #1: 209.202.221.209
bw.wired.com
IP address #1: 206.221.206.104
cl.wired.com
IP address #1: 209.202.221.208
co.wired.com
IP address #1: 209.202.221.208
cr.wired.com
IP address #1: 209.202.221.208
demo.wired.com
IP address #1: 192.168.243.17
[+] warning: internal IP address disclosed
do.wired.com
IP address #1: 209.202.221.208
downloads.wired.com
IP address #1: 199.232.64.239
e.wired.com
IP address #1: 184.51.156.42
f.wired.com
IP address #1: 52.206.152.173
IP address #2: 3.91.111.80
gp.wired.com
IP address #1: 206.221.207.10
gt.wired.com
IP address #1: 209.202.221.208
hl.wired.com
IP address #1: 206.221.207.17
hn.wired.com
IP address #1: 209.202.221.208
home.wired.com
IP address #1: 52.206.152.173
IP address #2: 3.91.111.80
labs.wired.com
IP address #1: 10.91.34.27
[+] warning: internal IP address disclosed
m.wired.com
IP address #1: 3.91.111.80
IP address #2: 52.206.152.173
mc.wired.com
IP address #1: 206.221.206.157
media.wired.com
IP address #1: 199.232.64.239
^C
[root@legolas /]#
Subscribe to:
Posts (Atom)