Social Icons

Showing posts with label ipv6. Show all posts
Showing posts with label ipv6. Show all posts

Sunday, September 29, 2013

BACKTRACK 5 R3 : dnsrecon

1.   Dnsrecon is another nice easy to use tool for pen testers for enumeration. The kinds of things dnsrecon can do are as follows:

    - Reverse Lookup against IP range
    - Perform general DNS query for NS,SOA and MX records
    - Cache snooping against Name Servers
    - Google Scanning for Sub Domains and Host

 2.   The command line usage and the few imp switch execution details are briefed here down :

   -h       --help                 Show this help message and exit
   -d       --domain            Domain to Target for enumeration.
   -c       --cidr                  CIDR for reverse look-up brute force (range/bitmask).
   -r       --range               IP Range for reverse look-up brute force
   -n      --name_server    Domain server to use, if none is given the SOA of the
                                      target will be used
   -D     --dictionary         Dictionary file of sub-domain and hostnames to use for
                                       brute force.
    -t     --type                  Specify the type of enumeration to perform:

Available through :
                           
Backtrack -> Information Gathering -> Network Analysis -> DNS Analysis -> dnsrecon

In this blog post,I  will be covering 3 enumeration techniques. These being:

    SRV records Enumeration
    Top Level Enumeration
    Standard Enumeration


(Click on image to Enlarge)

(Click on image to Enlarge)  
To perform an SRV records enumeration against a domain the following input command will be run:

Code:

./dnsrecon.py -t srv -d

As an example if we wanted to do this to certifiedhacker.com, our command would be as follows:

Code:
./dnsrecon.py -t srv -d google.com


(Click on image to Enlarge)


Top Level Enumeration

For performing a top level enumeration the following command will be used :

Code:
./dnsrecon.py -t tld -d

If the same command is run for google.com,the following command will be used

Code:
./dnsrecon.py -t tld -d google.com
 
(Click on image to Enlarge)

(Click on image to Enlarge)

and similarly,to perform an STD (standard) enumeration,the following command is used :

Code:

./dnsrecon.py -t std -d


Using Google as an example again, our command would be:

Code:

./dnsrecon.py -t std -d google.com

The result as seen below in a standard enumeration :

(Click on image to Enlarge)

(Click on image to Enlarge)
 

BACKTRACK 5 R3 : dnsmap

1.  Another useful tool for information gathering is dnsmap....few of you guys may wonder of why to use a variety of tools for information gathering when most of them give more or less the same result.The answer lies in the fact that any kind of additional information can be a hole to exploit later...so in the stage of information gathering,it is always better to collect as much info as possible...so few quickies about what is the purpose of this tool...

-  Get IP addresses associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain.
   
Bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards.

Abort the bruteforcing process in case the target domain uses wildcards.
   
-  Ability to be able to run the tool without providing a wordlist by using a built-in list of keywords.
   
Saving the results in human-readable and CSV format for easy processing.
   
Improved built-in subdomains wordlist.
   
New bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion.
   
[ Source : http://stylodj.wordpress.com/category/how-to-use-dnsmap-tool-backtrack-5-rx/]

2.  So to get to this tool...we need to follow the same route as we have been doing it in past...vide the information gathering sub menu as shown below :

Backtrack - Information Gathering - Network Analysis - DNS Analysis - dnsmap
 
(Click on the image to enlarge)

(Click on the image to enlarge)  


3.   The basic syntax and switches for the tool are :

./dnsmap sitename.com [options]

and the switches are :

- w for wordlist file)
- r for regular results file
- c for csv results file
- d for delay millisec
i for ip's to ignore

4.   The screens below show the usage and execution part as it happens on the screen.

(Click on the image to enlarge)

(Click on the image to enlarge)
(Click on the image to enlarge)
5.    What we are attempting vide the command executed is to bruteforce all of the subdomains of certifiedhacker.com and saving them to a file called result. I have truncated the output since its very long and thus avoided.So I have only shown some part from the beginning and then as it ends.IN addition if one has a custom wordlist of subdomains he/she can use that as well simply by specifying the -w argument and then the path to the wordlist.So after the run is executed,the final results are seen in a manner shown below vide the screenshots :

(Click on the image to enlarge)
So as seen in the results above...we see there are 924 subdomains with their respective IP addresses.Though in the  screen shots above,we see a common IP address since it is a site for CEH testers.

(Click on the image to enlarge)
(Click on the image to enlarge)
In the screen shots above,the result file created is seen and read...so u can see the kind of contents that are stored in the file so generated....

Saturday, September 28, 2013

BACKTRACK 5 R3 : dnsenum


1.  Coming to next good information gathering tool in Backtrack 5 R3...here I give the command run details and a sample result by a tool known as dnsenum

First a small Intro about the tool :

DNSenum is a tool that is designed with the purpose of enumerating DNS information about a domain.Then information that one obtain's from this tool is useful for the phase of information gathering when one is conducting a penetration test.Thus the basic purpose of Dnsenum is to gather as much information as possible about a domain. The program performs the following operations:

-  Get the host's addresse (A record)
-  Get the nameservers (threaded)
-  Get the MX record (threaded)
- Perform axfr (ie DNS zone transfer) queries on nameservers
- Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain")
- Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded)
- Calculate C class domain network ranges and perform whois queries on them (threaded)
- Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded)
- Write to domain_ips.txt file ip-blocks


(Click on the image to enlarge)
2.   So coming to executing the command,once you click the dnsenum available vide the following route :

Backtrack - Information Gathering - Network Analysis - DNS Analysis - dnsenum
you get to see the following screen...
(Click on the image to enlarge)
Now the run syntax for the command is pretty simple that goes like :

./dnsenum.pl sitename.com

(Click on the image to enlarge)
In the above sample run...I have taken a site dvwa.co.uk
(Click on the image to enlarge)

BACKTRACK 5 R3 : DNSDICT6

1.    I have been using and playing with BT5 R3 for quiet some time now...and having used and practised about 50% of them...I have decided to start sharing and how to use them on my blog for the firstimers..with screen shots and screen cast when required....although I have shown few tools and exploits of BT5 earlier .... now I wish to just make it all systematic....and in the first attempt here I am giving out a step by step screen shot of how to use the tool DNSDICT6...

2. The route to dnsdict6 is show in the screen shot below :

Backtrack - Information Gathering - Network Analysis - DNS Analysis - dnsdict6

3.  As can be made out from the Backtrack menu drop down...since it is listed in the information gathering sub menu..it is a Information Gathering tool. This tool is used to find all the sub-domains of a website or web server. The most advanced use of DSNDICT6 is to enumerate all IPv4 and IPv6 addresses and extract the dumps like sub-domains, IP information. This tool is quite a powerful tool because it also extracts those sub domains which are restricted or invisible for users.With respect to the usage and screens...they are seen below :

(Click on the image to Enlarge)
Once you click this dnsdict6...u get the following screen :
(Click on the image to Enlarge)
Before we execute the command,let us see the command syntax & switches available :


The switches details are seen below :

    - d is used to display information on Name Servers and MX Records
    - 4 is used to dump IPv4 addresses.

Four types of dictionary are inbuilt in this tool as follows :

     - s    (mall=50), 
     - m   (edium=796) (DEFAULT) 
     - l     (arge=1416), and
     - x    (treme=3211).
     - t      is used to specify no. of threads.

MX record ie mail exchanger record is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available. The set of MX records of a domain name specifies how email should be routed with the Simple Mail Transfer Protocol (SMTP).

So for example we run this command on http://certifiedhacker.com/

(Click on the image to Enlarge)

The command reads :

dnsdict6 -d46 -s -t 10 certifiedhacker.com

(Click on the image to Enlarge)
In the command above I have used the small dictionary with 10 threads to minimize the running time...so actually this is a limited result...would have been slightly different had the same been run with xtreme dict and large number of threads...

Thursday, March 14, 2013

Power of PING

In our respective interactions with various networks accessible to us.....as administrators we keep pinging so many IPs for testing the connectivity at various times like ping 192.121.23.1 etc....and we get a response...but ping it self has so many switches that most of us hardly use......i came across a chart today that in a summarized form tells the switches of ping command with examples and a brief explanation.....sharing here with you...thanks http://www.activexperts.com

ping -c countping -c 10Specify the number of echo requests to send.
Ping -dping -dSet the SO_DEBUG option.
Ping -fping -fFlood ping. Sends another echo request immediately
after receiving a reply to the last one.
Only the super-user can use this option.
Ping hostping 121.4.3.2Specify the host name (or IP address) of computer
to ping
ping -i waitping -i 2Wait time. The number of seconds to wait between
each ping
ping -l preloadping -l 4Sends "preload" packets one after another.
Ping -nping -nNumeric output, without host to symbolic name lookup.
Ping -p patternping -p ff00Ping Pattern. The example sends two bytes, one
filled with ones, and one with zeros.
Ping -qping -qQuiet output. Only summary lines at startup and
completion
ping -rping -rDirect Ping. Send to a host directly, without using
routing tables. Returns an error if the host is not on
a directly attached network.
Ping -RPing -RRecord Route. Turns on route recording for the
Echo Request
packets, and display the route
buffer on returned packets (ignored by many
routers).
ping -s PacketSizeping -s 10Sets the packet size in number of bytes, which will
result in a total  packet size of PacketSize plus 8
extra bytes for the ICMP header
ping -vping -vVerbose Output. Lists individual ICMP packets, as well    
as Echo Responses
Powered By Blogger