joemccray

Pentester Academy External Security Testing: Part 1

Aug 30th, 2015
############################################################
# Pentester Academy External Security Testing Walk-Through #
############################################################

My good friend Vivek Ramachandran asked me to do a set of videos for Pentester Academy.

Vivek is such a dear friend that I couldn't say no. I sincerely hope that you guys find this valuable.


If you want to follow along with me you can use this Pastebin for all of the download links for the slides, the virtual machine, and the list of all of the commands I will be covering today.

Here are the slides I am using today:
https://s3.amazonaws.com/StrategicSec-Files/PentesterAcademy/1-External+Scanning.pdf


##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- A 30-day trial of Workstation 11 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


################################
# Download the virtual machine #
################################
https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
username: strategicsec
password: strategicsec


############################################
# Identifying External Security Mechanisms #
############################################

Performing an external penetration test today is significantly harder than it was years ago.

There are so many external security mechanisms such as load balancers, reverse proxies, intrusion prevention systems, and web application firewalls.

Ok, let's do this!



###########################
# Target IP Determination #
###########################
cd /home/strategicsec/toolz
perl blindcrawl.pl -d motorola.com

-- Take each IP address and look it up here:
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
fierce -dns motorola.com
cd ..

Zone Transfer fails on most domains, but here is an example of one that works:
dig axfr heartinternet.co.uk @ns.heartinternet.co.uk


cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
sudo nmap -sL 148.87.1.0-255 | grep oracle
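The sweep that ipcrawl and `nmap -sL | grep oracle` perform, written out as an added example that is not the course's ipcrawl tool: the resolver is pluggable, so the sweep can run offline against a constructed PTR table (the `.test` hostnames and `fake_resolver` are placeholders, not real records), while the default resolver uses `socket.gethostbyaddr()` and needs network access.

```python
"""Reverse-lookup sweep of an IPv4 range, the job ipcrawl and nmap -sL do above.
Added example, not the course's ipcrawl tool. The resolver is pluggable so the
sweep can run offline against a constructed PTR table; the default resolver is
socket.gethostbyaddr() and so needs network access."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]


def default_resolver(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def sweep_range(start: str, end: str, resolver: Resolver = default_resolver,
                keyword: Optional[str] = None) -> Dict[str, str]:
    """Resolve every address from start to end (inclusive) and return
    {ip: hostname} for those with a PTR record.  With keyword set, keep
    only hostnames containing it, which is the 'grep oracle' step."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("end address precedes start address")
    found: Dict[str, str] = {}
    for n in range(first, last + 1):
        ip = str(ipaddress.IPv4Address(n))
        name = resolver(ip)
        if name is None:
            continue
        if keyword is None or keyword.lower() in name.lower():
            found[ip] = name
    return found


# Constructed PTR table standing in for live DNS (.test names are placeholders).
FAKE_PTR = {
    "148.87.1.1": "gw1.example-oracle.test",
    "148.87.1.3": "mail.example.test",
    "148.87.1.5": "www.oracle.example.test",
}


def fake_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for default_resolver, backed by FAKE_PTR."""
    return FAKE_PTR.get(ip)
```

Pass `default_resolver` (or just omit the argument) to run it against real DNS; the keyword match is case-insensitive, unlike the plain `grep` in the command above.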


###########################
# Load Balancer Detection #
###########################

Here are some options to use for identifying load balancers:
- http://toolbar.netcraft.com/site_report/
- Firefox LiveHTTP Headers (https://addons.mozilla.org/en-Us/firefox/addon/live-http-headers/)

Here is an example:
http://toolbar.netcraft.com/site_report/?url=citigroup.com

We found out that they are using a Citrix Netscaler Load Balancer.
192.193.103.222 Citrix Netscaler
192.193.219.58


Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh motorola.com


halberd microsoft.com
halberd motorola.com
halberd oracle.com
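What lbd and halberd are actually checking for, as an added example that is not either tool's code: several A records from `dig`, headers that a single backend would keep constant yet vary between repeated responses, Date skew larger than clock jitter, and a balancer's session-persistence cookie (for instance the `NSC_` cookies a Citrix NetScaler sets). The SAMPLE captures and SAMPLE_A records are constructed; the cookie prefixes and 5-second skew threshold are my assumptions.

```python
"""lbd/halberd-style load-balancer evidence from captured HTTP responses.
Added example, not the lbd/halberd code the course runs. Signals: several A
records, stable headers taking several values, Date skew, persistence cookies."""
from email.utils import parsedate_to_datetime

VOLATILE = {"date", "content-length", "set-cookie", "expires", "age"}
LB_COOKIES = ("BIGipServer", "NSC_", "ARRAffinity", "AWSALB", "AWSELB")
MAX_SKEW_SECONDS = 5  # one burst of requests; more than this means separate clocks

def header_variance(responses):
    """{lower-cased header: set of values} for headers that took >1 value."""
    seen = {}
    for resp in responses:
        for name, value in resp.items():
            seen.setdefault(name.lower(), set()).add(value)
    return {h: v for h, v in seen.items() if len(v) > 1 and h not in VOLATILE}

def date_skew_seconds(responses):
    """Spread in seconds between the earliest and latest Date header."""
    stamps = [parsedate_to_datetime(v) for r in responses
              for k, v in r.items() if k.lower() == "date"]
    return (max(stamps) - min(stamps)).total_seconds() if len(stamps) > 1 else 0.0

def lb_cookies(responses):
    """Set-Cookie names matching a known balancer persistence-cookie prefix."""
    return {v.split("=", 1)[0].strip() for r in responses for k, v in r.items()
            if k.lower() == "set-cookie" and v.lstrip().startswith(LB_COOKIES)}

def detect(responses, a_records):
    """Evidence lines pointing at a load balancer; an empty list means none."""
    evidence = []
    if len(set(a_records)) > 1:
        evidence.append(f"dns: {len(set(a_records))} A records")
    for h, vals in sorted(header_variance(responses).items()):
        evidence.append(f"header {h} varies: {sorted(vals)}")
    skew = date_skew_seconds(responses)
    if skew > MAX_SKEW_SECONDS:
        evidence.append(f"date skew {skew:.0f}s")
    for c in sorted(lb_cookies(responses)):
        evidence.append(f"persistence cookie {c}")
    return evidence

# Constructed captures standing in for one burst of requests to a single host.
SAMPLE = [
    {"Server": "Apache", "Date": "Sun, 30 Aug 2015 10:00:00 GMT",
     "Set-Cookie": "NSC_abcd=ffffffff; path=/"},
    {"Server": "Apache", "Date": "Sun, 30 Aug 2015 10:00:01 GMT"},
    {"Server": "nginx", "Date": "Sun, 30 Aug 2015 09:58:00 GMT"},
]
SAMPLE_A = ["192.0.2.10", "192.0.2.11"]  # constructed A records for the host
```

Feed it the headers captured with LiveHTTP Headers from a few quick reloads plus the addresses `dig` returned; a CDN or caching proxy in front of one server can trip the Date and cookie checks too, so treat the output as evidence to confirm, not a verdict.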


##################################
# Intrusion Prevention Detection #
##################################


osstmm-afd -P HTTP -t www.strategicsec.com -v

cat /etc/xinetd.d/ssltest

cat /home/strategicsec/toolz/ssl_proxy.sh

service xinetd status

osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v

****** If you are getting your IP blocked you can use a service like AceVPN to give you multiple IPs to launch your tests from. ******



######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com


cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com

sudo nmap -p 80 --script http-waf-detect.nse imperva.com




################################################
# 3rd Party Scanning, and scanning via proxies #
################################################

https://www.shodan.io

Create a FREE account and login

net:129.188.8.0/24



cd /home/strategicsec/toolz/
perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run, but provides a good list of proxies



sudo vi /etc/proxychains.conf <--- Make sure that the last line of the file is: socks4 127.0.0.1 9050




----------------------------------------------------------------------
vi ~/toolz/fix-proxychains-dns.sh

#!/bin/bash
# This script is called by proxychains to resolve DNS names
# DNS server used to resolve names (replaces the one proxychains hard-codes)
# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
DNS_SERVER=4.2.2.2

if [ $# = 0 ] ; then
    echo " usage:"
    echo " proxyresolv <hostname> "
    exit 1
fi

# Preload the proxychains hook so dig's own query goes through the proxy chain;
# +tcp is required because SOCKS proxies do not carry UDP DNS.
export LD_PRELOAD=libproxychains.so.3
# Print only the address field of the A-record lines in dig's output.
dig "$1" @"$DNS_SERVER" +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
-----------------------------------------------------------------------


sudo ntpdate pool.ntp.org

tor-resolve strategicsec.com

proxychains nmap -sT -p80 204.244.123.113

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113