View difference between Paste ID: <a href="/dyap3srg">dyap3srg</a> and <a href="/JZdCHrN4">JZdCHrN4</a>

#################
1	-	#################
1	+	############################################################
2	-	# Passive Recon #
2	+	# Pentester Academy External Security Testing Walk-Through #
3	-	#################
3	+	############################################################
4
5	-	- Wikipedia Page
5	+	My good friend Vivek Ramachandran asked me to do a set a videos for Pentester Academy.
6	-	- Are they Public or Private?
6	+
7	-	- Does the target have any subsidiaries?
7	+	Vivek is a such a dear friend so I couldn't say no. I sincerely hope that you guys find this valuable.
8	-	- Have they had any scandals?
8	+
9
10	-	- Robtex
10	+	If you want to follow along with me you can use this Pastebin for all of the download links for the slides, the virtual machine, and the list of all of the commands I will be covering today.
11	-	- Show system map
11	+
12		Here are the slides I am using today:
13		https://s3.amazonaws.com/StrategicSec-Files/PentesterAcademy/1-External+Scanning.pdf
14	-	###################################################
14	+
15	-	# Day 1: Identifying External Security Mechanisms #
15	+
16	-	###################################################
16	+
17		# VMWare #
18	-	- I prefer to use Putty to SSH into my Linux host.
18	+
19	-	- You can download Putty from here:
19	+	- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
20	-	- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
20	+
21		- A 30-day trial of Workstation 11 can be downloaded from here:
22	-	Here is the information to put into putty
22	+	- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0
23
24	-	Host Name: 107.191.39.106
24	+	- A 30-day trial of Fusion 7 can be downloaded from here:
25	-	protocol: ssh
25	+	- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0
26	-	port: 22
26	+
27	-	username: ceh
27	+	- The newest version of VMWare Player can be downloaded from here:
28	-	password: passtheceh
28	+	- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0
29
30		- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
31
32
33		################################
34	-	---------------------------Type This-----------------------------------
34	+	# Download the virtual machine #
35		################################
36		https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
37		username: strategicsec
38		password: strategicsec
39
40
41		############################################
42	-	http://whois.domaintools.com/
42	+	# Identifying External Security Mechanisms #
43		############################################
44
45		Performing an external penetration test today is significantly harder than it was years ago.
46
47	-	---------------------------Type This-----------------------------------
47	+	There are so many external security mechanisms such as load balancers, reverse proxies, intrusion prevention systems, and web application firewalls.
48	-	dig axfr @nsztm1.digi.ninja zonetransfer.me
48	+
49		Ok, let's do this!
50
51
52	-	./ipcrawl 148.87.1.1 148.87.1.254
52	+
53		###########################
54		# Target IP Determination #
55		###########################
56		cd /home/strategicsec/toolz
57		perl blindcrawl.pl -d motorola.com
58
59		-- Take each IP address and look ip up here:
60		http://www.networksolutions.com/whois/index.jsp
61
62		cd ~/toolz/fierce2
63		fierce -dns motorola.com
64		cd ..
65
66	-	########################
66	+
67	-	# Scanning Methodology #
67	+	dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
68	-	########################
68	+
69
70	-	- Ping Sweep
70	+
71	-	What's alive?
71	+	./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)
72	-	------------
72	+
73
74	-	---------------------------Type this command-----------------------------------
74	+
75	-	sudo nmap -sP 157.166.226.*
75	+
76	-	-------------------------------------------------------------------------------
76	+
77
78
79		###########################
80	-	-if -SP yields no results try:
80	+
81	-	---------------------------Type this command-----------------------------------
81	+
82	-	sudo nmap -sL 157.166.226.*
82	+
83	-	-------------------------------------------------------------------------------
83	+
84		- http://toolbar.netcraft.com/site_report/
85		- Firefox LiveHTTP Headers (https://addons.mozilla.org/en-Us/firefox/addon/live-http-headers/)
86
87	-	-Look for hostnames:
87	+	Here is an example:
88	-	---------------------------Type this command-----------------------------------
88	+	http://toolbar.netcraft.com/site_report/?url=citigroup.com
89	-	sudo nmap -sL 157.166.226.* \| grep cnn
89	+
90	-	-------------------------------------------------------------------------------
90	+	We found out that they are using a Citrix Netscaler Load Balancer.
91		192.193.103.222 Citrix Netscaler
92		192.193.219.58
93
94	-	- Port Scan
94	+
95	-	What's where?
95	+
96	-	------------
96	+
97	-	---------------------------Type this command-----------------------------------
97	+	dig google.com
98	-	sudo nmap -sS 162.243.126.247
98	+
99	-	-------------------------------------------------------------------------------
99	+
100		./lbd-0.1.sh motorola.com
101
102
103	-	- Bannergrab/Version Query
103	+
104	-	What versions of software are running
104	+
105	-	-------------------------------------
105	+
106
107	-	---------------------------Type this command-----------------------------------
107	+
108	-	sudo nmap -sV 162.243.126.247
108	+
109	-	-------------------------------------------------------------------------------
109	+	# Intrusion Prevention Detection #
110		##################################
111
112
113		osstmm-afd -P HTTP -t www.strategicsec.com -v
114	-	- Vulnerability Research
114	+
115	-	Lookup the banner versions for public exploits
115	+	cat /etc/xinetd.d/ssltest
116	-	----------------------------------------------
116	+
117	-	https://www.exploit-db.com/search
117	+	cat /home/strategicsec/toolz/ssl_proxy.sh
118	-	http://securityfocus.com/bid
118	+
119	-	https://packetstormsecurity.com/files/tags/exploit/
119	+	service xinetd status
120
121		osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v
122
123	-	Network Penetration Testing Process (known vulnerabilities)
123	+	**** If you are getting your IP blocked you can use a service like AceVPN to give you multiple IPs to launches your tests from. ****
124	-	-----------------------------------------------------------
124	+
125
126
127	-	1. Ping Sweep:
127	+
128	-	The purpose of this step is to identify live hosts
128	+
129		######################################
130	-	nmap -sP <ip-address/ip-range>
130	+
131		cd ~/toolz/wafw00f
132		python wafw00f.py http://www.oracle.com
133	-	2. Port Scan
133	+	python wafw00f.py http://www.strategicsec.com
134	-	Identify running services. We use the running services to map the network topology.
134	+
135
136	-	nmap -sS <ip-address/ip-range>
136	+
137		sudo nmap -p 80 --script http-waf-detect.nse oracle.com
138
139	-	3. Bannergrab
139	+	sudo nmap -p 80 --script http-waf-detect.nse imperva.com
140	-	Identify the version of version of software running on each port
140	+
141
142	-	nmap -sV <ip-address/ip-range>
142	+
143	-
143	+
144		################################################
145		# 3rd Party Scanning, and scanning via proxies #
146	-	4. Vulnerability Research
146	+	################################################
147	-	Use the software version number to research and determine if it is out of date (vulnerable).
147	+
148		https://www.shodan.io
149	-	exploit-db.com/search
149	+
150		Create a FREE account and login
151
152		net:129.188.8.0/24
153
154
155
156		cd /home/strategicsec/toolz/
157		perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run, but provides a good list of proxies
158
159	-	Skill Level 1. Run the scanners
159	+
160	-	-------------------------------
160	+
161	-	Nexpose
161	+	sudo vi /etc/proxychains.conf <--- Make sure that last line of the file is: ocks4 127.0.0.1 9050
162	-	Qualys
162	+
163	-	Retina
163	+
164	-	Nessus known vulnerabilities
164	+
165	-	OpenVas
165	+
166	-	Foundscan
166	+
167	-	GFI LanGuard
167	+	vi ~/toolz/fix-proxychains-dns.sh
168	-	NCircle
168	+
169		#!/bin/bash
170		# This script is called by proxychains to resolve DNS names
171	-	Skill Level 2. Manual vulnerability validation (known vulnerabilities)
171	+	# DNS server used to resolve names
172		# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
173		DNS_SERVER=4.2.2.2
174	-	windows -> systeminfo
174	+
175	-	Linux-> dpkg -l
175	+	if [ $# = 0 ] ; then
176	-	rpm -qa
176	+	echo " usage:"
177		echo " proxyresolv <hostname> "
178	-	Mac OS X -> sudo find / -iname *.app
178	+	exit
179		fi
180
181		export LD_PRELOAD=libproxychains.so.3
182		dig $1 @$DNS_SERVER +tcp \| awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
183		-----------------------------------------------------------------------
184
185
186		sudo ntpdate pool.ntp.org
187	-	- http://toolbar.netcraft.com/site_report
187	+
188	-	- https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
188	+	tor-resolve strategicsec.com
189
190		proxychains nmap -sT -p80 204.244.123.113
191
192	-	---------------------------Type This-----------------------------------
192	+	proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113