Pentester Academy External Security Testing: Part 1

############################################################
# Pentester Academy External Security Testing Walk-Through #
############################################################

My good friend Vivek Ramachandran asked me to do a set a videos for Pentester Academy.

Vivek is a such a dear friend so I couldn't say no. I sincerely hope that you guys find this valuable.


If you want to follow along with me you can use this Pastebin for all of the download links for the slides, the virtual machine, and the list of all of the commands I will be covering today.

Here are the slides I am using today:
https://s3.amazonaws.com/StrategicSec-Files/PentesterAcademy/1-External+Scanning.pdf


##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- A 30-day trial of Workstation 11 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


################################
# Download the virtual machine #
################################
https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
username: strategicsec
password: strategicsec


############################################
# Identifying External Security Mechanisms #
############################################

Performing an external penetration test today is significantly harder than it was years ago.

There are so many external security mechanisms such as load balancers, reverse proxies, intrusion prevention systems, and web application firewalls.

Ok, let's do this!


###########################
# Target IP Determination #
###########################
cd /home/strategicsec/toolz
perl blindcrawl.pl -d motorola.com

-- Take each IP address and look ip up here:
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
fierce -dns motorola.com
cd ..

Zone Transfer fails on most domains, but here is an example of one that works:
dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk


cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254				(DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
sudo nmap -sL 148.87.1.0-255 | grep oracle


###########################
# Load Balancer Detection #
###########################

Here are some options to use for identifying load balancers:
	- http://toolbar.netcraft.com/site_report/
	- Firefox LiveHTTP Headers (https://addons.mozilla.org/en-Us/firefox/addon/live-http-headers/)

Here is an example:
http://toolbar.netcraft.com/site_report/?url=citigroup.com

We found out that they are using a Citrix Netscaler Load Balancer.
192.193.103.222         Citrix Netscaler
192.193.219.58


Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh motorola.com


halberd microsoft.com
halberd motorola.com
halberd oracle.com


##################################
# Intrusion Prevention Detection #
##################################


osstmm-afd -P HTTP -t www.strategicsec.com -v

cat /etc/xinetd.d/ssltest

cat /home/strategicsec/toolz/ssl_proxy.sh

service xinetd status

osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v

****** If you are getting your IP blocked you can use a service like AceVPN to give you multiple IPs to launches your tests from. ******


######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com


cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com

sudo nmap -p 80 --script http-waf-detect.nse imperva.com


################################################
# 3rd Party Scanning, and scanning via proxies #
################################################

https://www.shodan.io

        Create a FREE account and login

        net:129.188.8.0/24


cd /home/strategicsec/toolz/
perl proxyfinder-0.3.pl multiproxy 3 proxies.txt	<-- This takes a long time to run, but provides a good list of proxies


sudo vi /etc/proxychains.conf  				<--- Make sure that last line of the file is: ocks4  127.0.0.1 9050


----------------------------------------------------------------------
vi ~/toolz/fix-proxychains-dns.sh

#!/bin/bash
# This script is called by proxychains to resolve DNS names
# DNS server used to resolve names
# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
DNS_SERVER=4.2.2.2

if [ $# = 0 ] ; then
echo " usage:"
echo " proxyresolv <hostname> "
exit
fi

export LD_PRELOAD=libproxychains.so.3
dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
-----------------------------------------------------------------------


sudo ntpdate pool.ntp.org

tor-resolve strategicsec.com

proxychains nmap -sT -p80 204.244.123.113

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113