Tuesday, May 25, 2010

Adding and using hostmap.rb to BT4

Next up is hostmap.rb, a Ruby script for DNS discovery.
The tool is available at http://hostmap.lonerunners.net/

So to get started, visit the link above, download the tarball and extract it:

root@dorkness:/tmp/# tar xvf hostmap-0.2.2.tar

Remove the tarball and move the extracted directory to /pentest/enumeration/hostmap-0.2.2/

root@dorkness:/tmp/# rm -rf hostmap-0.2.2.tar*


root@dorkness:pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb -h

Usage: hostmap.rb [options] -t [target]
Target options:
-t, --target [STRING] set target domain
Discovery options:
--with-zonetransfer
enable DNS zone transfer check
--without-bruteforce
disable DNS bruteforcing
--without-dnsexpansion
disable DNS TLD expansion
--bruteforce-level [STRING]
set bruteforce aggressivity, values are lite, custom or full (default is lite)
--without-be-paranoid
don't check the results consistency
--http-ports [STRING]
set a comma separated list of custom HTTP ports to check
--only-passive
passive discovery, don't make network activity to the target network
--timeout [STRING]
set plugin timeout
--threads [STRING]
set concurrent threads number
Networking options:
-d, --dns [STRING] set a comma separated list of DNS servers IP addresses to use instead of system defaults
Output options:
--print-maltego
set output formatted for Maltego
-v, --verbose set verbose mode
Misc options:
--without-update
skip update check
-h, --help show this help message

root@dorkness:pentest/enumeration/hostmap-0.2.2#


Note: you will need to give an IP address as the target; you can not use domain names.

An example of usage is as follows:

root@dorkness:/pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb --only-passive --without-update -t 80.65.162.250
hostmap 0.2.2 codename truppola
Coded by Alessandro `jekil` Tanasi

[2010-05-25 22:41] Skipping SSL because only passive checks are enabled
[2010-05-25 22:41] Found new hostname queer.ba
[2010-05-25 22:41] Found new domain queer.ba
[2010-05-25 22:41] Found new hostname diocletian.httpool.ba
[2010-05-25 22:41] Found new domain httpool.ba
[2010-05-25 22:41] Found new nameserver ns.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new nameserver ns02.europronet.ba
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks
[2010-05-25 22:41] Found new mail server mx2.europronet.ba
[2010-05-25 22:41] Found new mail server mx3.europronet.ba
[2010-05-25 22:41] Found new mail server mx1.europronet.ba
[2010-05-25 22:41] Found new nameserver ns1.httpool.com
[2010-05-25 22:41] Found new nameserver ns2.httpool.com
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks

Results for 80.65.162.250
Served by name server (probably)
ns2.httpool.com
ns1.httpool.com
ns.queer.ba
ns02.europronet.ba
Served by mail exchange (probably)
mx1.europronet.ba
mx3.europronet.ba
mx2.europronet.ba
Hostnames:
www.queer.ba
diocletian.httpool.ba
queer.ba
root@dorkness:/pentest/enumeration/hostmap-0.2.2#


Note: I used the --only-passive and --without-update flags, which should be self explanatory, and -t sets the target.

As you can see there are several other options to work with. I will leave those for you to experiment with.

Enjoy

Adding more DNS tools to BT4 part 3

The next tool is subdomainer.py

To get it, download the .tar here

http://www.edge-security.com/subdomainer.php
Again you can save it wherever you like; I chose /pentest/enumeration/.
Untar the package, cd into the directory, chmod +x subdomainer.py and you are set to go.
To untar the package: tar xvf subd*
I then deleted the tarball: rm -rf subdomainer.tar

Generic usage is:

root@dorkness:/pentest/enumeration/subdomainer# python subdomainer.py

*************************************
*Subdomainer Ver. 1.3b *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies2k@yahoo.com.ar *
*************************************

usage: subdomainer.py options

-d: domain to search
-l: limit of results to work with. (msn and yahoo goes in 10 to 10
google in 100's, and pgp does not need this option)
-m: data source (msn, yahoo, google, pgp-veridis, all)

-o: output to html file. (optional, good for long lists.)

Example:
subdomainer.py -d microsoft.com -l 200 -m google

subdomainer.py -d microsoft.com -l 100 -m all -o microsoft.html

root@dorkness:/pentest/enumeration/subdomainer#




Due to the length of the results I will leave it to you to run them.

Adding more DNS tools to BT4 part 2

DNSbf.py
OK, again this is a simple copy and paste.
Get the source here:
https://docs.google.com/View?docid=dg23j87b_213fh46kgfp

EDIT: Since the above Google doc seems to no longer be valid, I will leave it to the user to find it by searching Google. Frankly, as I stated in the comments below, if you can't find this or any other tool I write about then you probably shouldn't be using them, since it's obvious you don't know what you are doing.

Copy and paste it to wherever you want; I used the same directory as before.
The file name is dnsbf.py. The purpose of the tool is to use DNS to find hostnames in a subnet.
Save it and give it execute permissions.

Generic run with no arguments:

root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

wrong number of arguments

exemple: ./dnsbf.py 192.168.1.0/24

root@dorkness:/pentest/enumeration/dnsenum#


This time we have some targets to scan.
root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py 80.65.162.0/24

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

80.65.162.2 bbr-gtz.europronet.ba
80.65.162.201 fa11_ssw-gadzo01.europronet.ba
80.65.162.202 smtps.bihgap.ba
80.65.162.205 fa05_ssw-sa02.europronet.ba
80.65.162.206 hotcasino03.europronet.ba
80.65.162.209 fa23_ssw-sa01.europronet.ba
80.65.162.210 ulk-srv01.linux.org.ba
80.65.162.213 fa15_ssw-sa01.europronet.ba
80.65.162.214 voip-gw01.europronet.ba
80.65.162.217 fa32_ssw-sa01.europronet.ba
80.65.162.218 yellow.europronet.ba
80.65.162.221 fa42_ssw-sa01.europronet.ba
80.65.162.225 fa06_ssw-sa02.europronet.ba
80.65.162.226 hotcasino2.europronet.ba
80.65.162.250 queer.ba
80.65.162.229 fa13_ssw-sa01.europronet.ba
80.65.162.230 mx2.europronet.ba
80.65.162.233 fa07_ssw-sa02.europronet.ba
80.65.162.234 hotcasinogb.europronet.ba
80.65.162.237 fa31_ssw-sa01.europronet.ba
80.65.162.241 fa34_ssw-sa01.europronet.ba
80.65.162.242 mail.triptih.europronet.ba
80.65.162.245 fa36_ssw-sa01.europronet.ba
80.65.162.1 fe08_asw-sa01.europronet.ba
80.65.163.78 mailsrvsa.octas.com
80.65.163.81 rg-ice.europronet.ba
80.65.163.108 terme-centrala.europronet.ba
80.65.163.162 mail2.procreditbank.ba
80.65.163.194 ip-65-163-194.europronet.ba
80.65.163.254 robot-vgw.europronet.ba
80.65.162.70 ns.queer.ba
80.65.162.34 posao.ba
80.65.162.35 mposao.ba

end of search
511 ip tested, 33 names found, in 11 s

root@dorkness:/pentest/enumeration/dnsenum#


So there you go, another cool tool to add to BT for your
reconnaissance efforts.

Adding more DNS tools to BT4 part 1

So here is a write-up on adding some tools to the BT4 DNS collection.
I will first show how to install each tool and then give a brief usage example.
They are not hard to install and are simple to use. The power lies in what they can do.
These tools are ones that I found, and credit goes to their authors. Also note that since the tools are not included in BT by default, you are on your own if something goes wrong. However, since they are simple Python and/or Ruby scripts with no real dependencies, things should work just fine.
NOTE: Most output has been slightly modified.

So without further delay, first up is
DNSDic.py
Code is here:
https://docs.google.com/View?docid=dg23j87b_214cdwmbjfx

So copy and paste the code from the link into a file named dnsdic.py and make the file executable. I added these tools to the following directory to keep things somewhat organised.
The script needs a dictionary file when it runs. A good one, and the one the author recommends, is located in the dnsenum directory.

root@dorkness:/pentest/enumeration/#


Again, make it executable:
root@dorkness:/pentest/enumeration/# chmod +x dnsdic.py


Generic run with no options:


root@dorkness:/pentest/enumeration/# python dnsdic.py

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

wrong number of arguments

exemple: dnsdic.py -f ./dico.txt infond.blogspot.com



OK, now a run with actual arguments and results.

root@dorkness:/pentest/enumeration/# python dnsdic.py -f ./dns.txt exampleweb.ba

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

exampleweb.ba ['ftp.exampleweb.ba'] ['81.61.112.150']
mail.exampleweb.ba [] ['81.61.112.10']
ns.exampleweb.ba [] ['81.61.112.70']
exampleweb.ba ['www.exampleweb.ba'] ['81.61.112.250']

end of search
95 names tested, 4 hostnames found, in 16.110284 s

root@dorkness:/pentest/enumeration/#
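As an added example (not code from t0ka7a's scripts or from this post), here is the core of what dnsbf.py and dnsdic.py do, written in Python 3 with resolver callbacks you can swap out: a reverse-DNS sweep over a CIDR range and a dictionary lookup under a domain. It goes beyond the two scripts in two ways a careful run needs: PTR names can be forward-confirmed so stale or spoofed reverse records are dropped (the same spirit as hostmap's results-consistency check), and a random-label probe detects wildcard DNS, which would otherwise make every dictionary guess look like a hit. The sample records, the example.net and wild.example names and the fake_* resolvers are constructed for the offline demo; replace them with the system_* functions to query real DNS.

```python
"""Reverse-DNS sweep of a subnet and dictionary lookup under a domain (added example).
Resolver callbacks are injectable so the logic can be exercised offline."""
import ipaddress
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set

ReverseFn = Callable[[str], Optional[str]]  # ip -> PTR name, or None
ForwardFn = Callable[[str], List[str]]      # name -> A records, [] if none


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver (what dnsbf.py does per address)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """A-record lookup through the system resolver (what dnsdic.py does per guess)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_sweep(cidr: str, reverse: ReverseFn = system_reverse,
                  forward: Optional[ForwardFn] = None) -> Dict[str, str]:
    """Map each host address in cidr that has a PTR record to its name.
    With a forward resolver supplied, a PTR name is kept only if it resolves
    back to the address, so stale or spoofed reverse records are dropped."""
    found: Dict[str, str] = {}
    for addr in ipaddress.ip_network(cidr, strict=False).hosts():
        ip = str(addr)
        name = reverse(ip)
        if name and (forward is None or ip in forward(name)):
            found[ip] = name
    return found


def detect_wildcard(domain: str, forward: ForwardFn = system_forward) -> Set[str]:
    """Resolve a random label under domain; a non-empty answer means wildcard DNS."""
    return set(forward(f"{secrets.token_hex(8)}.{domain}"))


def dictionary_lookup(domain: str, words: Iterable[str],
                      forward: ForwardFn = system_forward,
                      wildcard_ips: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Try each word as a label under domain and keep the ones that resolve.
    Candidates answered only with wildcard addresses are dropped: under a
    wildcard zone every guess "hits" and the hit list means nothing."""
    wildcard_ips = wildcard_ips or set()
    found: Dict[str, List[str]] = {}
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):      # skip blanks and comments
            continue
        fqdn = f"{word}.{domain}"
        ips = forward(fqdn)
        if ips and not set(ips) <= wildcard_ips:
            found[fqdn] = ips
    return found


# Constructed sample records in RFC 5737 documentation ranges, not real zones.
SAMPLE_PTR = {"192.0.2.2": "bbr-gw.example.net", "192.0.2.10": "mail.example.net",
              "192.0.2.70": "ns.example.net", "192.0.2.99": "stale.example.net"}
SAMPLE_A = {"www.example.net": ["192.0.2.250"], "mail.example.net": ["192.0.2.10"],
            "ns.example.net": ["192.0.2.70"], "bbr-gw.example.net": ["192.0.2.2"]}
WILDCARD_IP = "198.51.100.1"


def fake_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    if name.endswith(".wild.example"):            # simulated wildcard zone
        return [WILDCARD_IP]
    return SAMPLE_A.get(name, [])


def demo() -> Dict[str, object]:
    """Run both passes offline against the constructed records."""
    words = ["www", "mail", "ftp", "ns", "# comment line", ""]
    wild = detect_wildcard("wild.example", fake_forward)
    return {
        "sweep_raw": reverse_sweep("192.0.2.0/24", fake_reverse),
        "sweep_confirmed": reverse_sweep("192.0.2.0/24", fake_reverse, fake_forward),
        "dict": dictionary_lookup("example.net", words, fake_forward),
        "wild_naive": dictionary_lookup("wild.example", words, fake_forward),
        "wild_filtered": dictionary_lookup("wild.example", words, fake_forward, wild),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the demo the raw sweep reports four PTR names but the forward-confirmed sweep drops stale.example.net, and the dictionary pass against the simulated wildcard zone returns four "hits" until the wildcard address set is passed in, after which it correctly returns nothing. Running either pass against a live range is a network scan of that range; keep it to address space you are authorised to assess.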

Sunday, May 23, 2010

SSLScan in BT

SSLScan in BT4

No need to write a description, since the tool's own intro below already has one as well as usage details.
To use it, open a shell or find it in the menu structure under:
BT> NetworkMapping> ALL> sslscan

Running the command without any options returns the following:
root@dorkness~:# sslscan

_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.6
http://www.titania.co.uk
Copyright (C) 2007-2008 Ian Ventura-Whiting

SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what ciphers are supported, which are
the servers prefered ciphers, which SSL protocols are
supported and returns the SSL certificate. Client
certificates / private key can be configured and output is
to text / XML.

Command:
sslscan [Options] [host:port | host]

Options:
--targets= A file containing a list of hosts to
check. Hosts can be supplied with
ports (i.e. host:port).
--no-failed List only accepted ciphers (default
is to listing all ciphers).
--ssl2 Only check SSLv2 ciphers.
--ssl3 Only check SSLv3 ciphers.
--tls1 Only check TLSv1 ciphers.
--pk= A file containing the private key or
a PKCS#12 file containing a private
key/certificate pair (as produced by
MSIE and Netscape).
--pkpass= The password for the private key or
PKCS#12 file.
--certs= A file containing PEM/ASN1 formatted
client certificates.
--xml= Output results to an XML file.
--version Display the program version.
--help Display the help text you are now
reading.
Example:
sslscan 127.0.0.1



OK, here is a generic run without any flags against our target website.
Of course the output has been truncated and a little bit munged.

root@bt:~# sslscan www.examplewebsite.net

Testing SSL server www.examplewebsite.net on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5

Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA

SSL Certificate:
Version: 2
Serial Number: -4294967123
Signature Algorithm: sha1WithRSAEncryption
Issuer: /OU=Extended Validation CA/O=GlobalSign/CN=GlobalSign Extended Validation CA
Not valid before: Sep 16 16:14:35 2009 GMT
Not valid after: Sep 17 16:14:32 2010 GMT
Subject: /2.5.4.15=V1.0, Clause 5.(b)/serialNumber=32123374/1.3.6.1.5.7.311.60.2.1.3=DK/C=DK/ST=Oerum Djurs/L=Oerum Djurs/streetAddress= Main 6/OU=FairSSL/O=Not Yours v/Some Name /CN=www.examplewebsite.net
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit): truncated
00:99:2b:cf:e4:f8:e3:40:88:41:58:8a:41:16:1f:
f3:09:01:99:e5:f3:09:02:89:e4
43:93:7c:6a:3c:bb:c5:cf:
43:df
Exponent: 65421 (0x10001)
X509v3 Extensions:
X509v3 Authority Key Identifier:
keyid:34:B1:E0 truncated

Authority Information Access:
CA Issuers - URI:http://secure.globalsign.net/cacert/extendval1.crt
OCSP - URI:http://ocsp.globalsign.com/ExtendedSSL

X509v3 CRL Distribution Points:
URI:http://crl.globalsign.net/ExtendVal1.crl

X509v3 Subject Key Identifier:
87:D2:7C:2B:D1:B0 truncated
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.4146.1.1
CPS: http://www.globalsign.net/repository/

Netscape Cert Type:
SSL Client, SSL Server
X509v3 Subject Alternative Name:
DNS:www.examplewebsite.net, DNS:examplewebsite.net
Verify Certificate:
unable to get local issuer certificate

root@dorkness~:#


So a generic run returns a lot of information. We learn certificate properties such as the validity period, CN, CRL distribution point (CDP) and OCSP URLs; even the EV attributes are returned.

Note: this information is all publicly available. The tool just presents that info in a convenient format, for example as an XML file using the --xml=file flag, where file is the name to save as.

The other flags above can be used to further refine the output. One of the more important ones is --no-failed, which lists only accepted ciphers (compare with the output above); the default of course is to list them all. The --ssl2, --ssl3 and --tls1 flags check for and list only the ciphers of that one protocol. If you have several servers to check, you can also pass a list to sslscan using the --targets=file flag. The other flags are pretty self explanatory.

So the question becomes "Why is any of this important?" Well, easy. When auditing servers you may find ones that accept weak ciphers or protocols, think NULL cipher or SSLv1.
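Reading a list of sixty Accepted/Rejected lines by eye is where audit findings get missed, so here is an added example (my own code, not part of sslscan) that parses the text sslscan 1.x prints and writes up what an auditor would act on: SSLv2/SSLv3, NULL, export-grade and anonymous suites, key sizes under 128 bits, MD5 MACs, RC4 and 3DES, plus how many days the certificate has left. It goes a little beyond the post, which only calls out NULL ciphers and old protocols, by also flagging RC4 and 3DES, both of which have since been withdrawn from use. SAMPLE_OUTPUT is a constructed, abridged run in the same format as the output shown above, and DEMO_NOW is the constructed audit date used for the expiry calculation.

```python
"""Audit helper for sslscan 1.x text output (added example, not sslscan code)."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

CIPHER_RE = re.compile(
    r"^\s*(Accepted|Rejected)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)\s*$")
NOT_AFTER_RE = re.compile(r"^\s*Not valid after:\s*(.+?)\s*$")


class Cipher(NamedTuple):
    protocol: str
    bits: int
    name: str


def parse_accepted(output: str) -> List[Cipher]:
    """Cipher suites the server accepted, in the order sslscan printed them."""
    accepted = []
    for line in output.splitlines():
        m = CIPHER_RE.match(line)
        if m and m.group(1) == "Accepted":
            accepted.append(Cipher(m.group(2), int(m.group(3)), m.group(4)))
    return accepted


def weakness_reasons(c: Cipher) -> List[str]:
    """Why an accepted suite would be written up; an empty list means acceptable."""
    parts = c.name.split("-")
    reasons = []
    if c.protocol == "SSLv2":
        reasons.append("SSLv2 protocol")            # prohibited by RFC 6176
    elif c.protocol == "SSLv3":
        reasons.append("SSLv3 protocol")            # deprecated by RFC 7568
    if c.bits == 0 or parts[0] == "NULL":
        reasons.append("NULL cipher, no encryption")
    elif c.bits < 128:
        reasons.append(f"{c.bits}-bit key")
    if parts[0] == "EXP":
        reasons.append("export-grade suite")
    if "ADH" in parts:
        reasons.append("anonymous DH, no server authentication")
    if parts[-1] == "MD5":
        reasons.append("MD5 MAC")
    if "RC4" in parts:
        reasons.append("RC4 stream cipher")         # prohibited by RFC 7465
    if "CBC3" in parts:
        reasons.append("3DES, 64-bit block size")
    return reasons


def days_until_expiry(output: str, now: datetime) -> Optional[int]:
    """Days from now until the certificate's 'Not valid after' date, if printed."""
    for line in output.splitlines():
        m = NOT_AFTER_RE.match(line)
        if m:
            stamp = m.group(1).replace(" GMT", "")
            expires = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            return (expires - now).days
    return None


def audit(output: str, now: datetime) -> Dict[str, object]:
    """Summarise one sslscan run: accepted suites, findings, certificate life."""
    accepted = parse_accepted(output)
    findings = []
    for c in accepted:
        why = weakness_reasons(c)
        if why:
            findings.append((f"{c.protocol} {c.name}", why))
    return {
        "accepted": len(accepted),
        "protocols": sorted({c.protocol for c in accepted}),
        "findings": findings,
        "cert_days_left": days_until_expiry(output, now),
    }


# Constructed, abridged sample in the format sslscan 1.x prints (not a real host).
SAMPLE_OUTPUT = """\
Testing SSL server www.examplewebsite.net on port 443
  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  SSL Certificate:
    Not valid before: Sep 16 16:14:35 2009 GMT
    Not valid after: Sep 17 16:14:32 2010 GMT
"""
DEMO_NOW = datetime(2010, 5, 23)   # constructed audit date for the demo


def demo_report() -> Dict[str, object]:
    """Audit the constructed sample as of DEMO_NOW."""
    return audit(SAMPLE_OUTPUT, DEMO_NOW)


if __name__ == "__main__":
    report = demo_report()
    print(f"{report['accepted']} suites accepted on {report['protocols']}")
    for suite, why in report["findings"]:
        print(f"  {suite}: {', '.join(why)}")
    print(f"certificate expires in {report['cert_days_left']} days")
```

To use it on a real run, pipe sslscan's output into a file and call audit() on its contents with datetime.utcnow(); the regex accepts both the single-spaced lines shown in this post and the column-aligned lines sslscan itself prints, and the protocol pattern also matches the TLSv1.x labels newer sslscan releases use.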

Well that's about all there is to it, have fun and enjoy.

Wednesday, May 19, 2010

Remove and Renew Gnome Panels

So you're messing around with your panels in GNOME and maybe, like me, you biffed them.
Well, here is a quick way to remove and renew them.
Open a shell and type the following commands in succession; they will kill the panels, delete their configuration and recreate the default panels you had when you first installed GNOME.

----------------CODE-------------------------

aa@dork:~# gconftool --recursive-unset /apps/panel

aa@dork:~# rm -rf ~/.gconf/apps/panel

aa@dork:~# pkill gnome-panel

----------------CODE-------------------------


So that's pretty much it. Again, this will kill your panels and then recreate the defaults for you.