P5- Reconnaissance (part-1)
Hi everyone! Let's just get straight to the lecture.
Passive Reconnaissance
==============================
There are several types of passive reconnaissance, as explained below:
1) Physical/social reconnaissance:
In physical reconnaissance, we may go to the company and try to gather information. Maybe we have the location of the company and we search for badge photos, or we may fly a drone to see what the building layout is, where the doors are, how a person can enter the building, where the security is in the building, etc.
Social reconnaissance, on the other hand, means we use social engineering or phishing-type techniques to gather information. We may look at the pictures that employees post on their social sites and try to gather information from them: badge photos, desktop photos, computer photos, etc.
For instance, a person posts a photo of himself with his laptop at work, and from that photo we can see what computer he is using, what application he is running on his desktop, etc.
2) Web/Host Assessment
a) Target Validation
Here we try to validate our target. For instance, a client has given us an IP and by accident gave us the wrong one; if we start working on it without validation, we are going in the wrong direction. So first of all we need to validate whether our target is right or wrong. For that, we can use "WHOIS", "nslookup", "dnsrecon", etc.
b) Finding subdomains
Once we get the IP, the most important thing is to find the subdomains. For that we can use "Google-Fu", "dig", "Nmap", "Sublist3r", "Bluto", "crt.sh", etc.
c) Fingerprinting
This means finding out what services are running on the servers, web host or website: are they running a web server? Which server, IIS or Apache? What version of the service are they using, etc.?
For that we can use "Nmap", "Wappalyzer", "whatWeb", "BuiltWith", "Netcat", etc.
d) Data Breaches
Data breaches are the most common way we get into networks when we are doing an external assessment. When we talk about data breaches, we are talking about breach incidents from the past that have leaked data, like Equifax or LinkedIn. All kinds of breaches out there have had credentials dumped, and those credentials eventually become available to us. We try to utilize those to gain access, or at least utilize the usernames to gain access.
So we are looking for these data breaches. The better you do scanning and enumeration, the better you can exploit any target.
==============================
Identifying Our Target
==============================
==============================
To identify our target, I am taking the example of a bug bounty program. If we go to https://bugcrowd.com/ and search for a specific client, there is a lot of useful information that we can gather. Also, many reputable companies have a bug bounty program; let's take a look.
If we go to the "Programs" tab, here are the companies that are paying hackers to find vulnerabilities in them, but make sure not to go out of the scope given in their description.
We are taking the example of https://www.tesla.com/
==============================
E-Mail Address Gathering with Hunter.io
==============================
==============================
First of all, go to https://hunter.io/ and sign up with a valid email.
Here, just write tesla.com in the search bar and it will give you the results.
At the top right, you can see that it gave us a total of 453 results that we can export. Also, on the left, it says "Most common pattern: {f}{last}@tesla.com", which means that if a person is working at Tesla, his email will be the initial of his first name followed by his full last name, with @tesla.com at the end. For instance, a person named "John Maiythan" would have an email like "j.maiythan@tesla.com".
Also, you can see that it tells us the source, meaning from which resources that email or information has been gathered by hunter.io.
The benefit of gathering these email addresses is that after we have gathered all the emails, we can do password spraying, so that the email and user will be valid and the password may match, and we may log in to the account.
==============================
Utilizing theHarvester
==============================
==============================
"theHarvester" is a tool that is built into Kali Linux. It is also used for gathering usernames and subdomains.
Just go to the Kali Linux terminal and type "theHarvester"; it will show information about the tool (see the image below).
After I typed theHarvester, these are the examples that were shown.
"theharvester -d microsoft.com -l 500 -b google -f myresults.html"
-d microsoft.com means we are specifying the domain.
-l 500 means how deep in the search you want to go, i.e. you want to do 500 searches.
-b google means which source you want to search on, e.g. I want to search on Google for the domain microsoft.com. And finally, -f myresults.html means I want to save my results into an HTML document.
So let's do an example on https://www.tesla.com/
The tool searched 500 results and below are the results that it gave us.
Email addresses are found, and subdomains along with their IP addresses are found.
So theHarvester is a great tool for information gathering.
==============================
Hunting subdomains - Part 1
==============================
==============================
We are going to talk about web information gathering. This is important if we are doing web penetration testing internally or externally.
Here we are gathering website information passively, so the very first and most important thing is that we need to identify what subdomains are out there. We are going to use a tool called "sublist3r" to identify subdomains, because there may be several separate websites running on subdomains.
First, we need to install the tool sublist3r with the following command:
This tool goes through several search engines and tries to find subdomains, as shown below. Sublist3r gives us subdomains up to 3 levels (most of the time), but what if there are subdomains with 4 levels, like *.*.tesla.com?
For this purpose, we are going to use a site called "crt.sh".
Now, all we are doing is using certificate fingerprinting (crt.sh searches certificate transparency logs), as shown below. Write the following, hit search and see the results. It will give us the subdomains that the tool sublist3r may have missed.
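As an added example (not code from the original post), here is how the JSON that crt.sh can return for such a search is turned into a clean list of hostnames, including names deeper than three labels that sublist3r tends to miss; the same parsing lets an organization inventory the hostnames that certificates have been issued for under its own domain. It assumes crt.sh's `output=json` response with its `name_value` field; the records and hostnames below are constructed.

```python
import json
from typing import Iterable

# Constructed sample of the JSON that https://crt.sh/?q=%25.example.com&output=json
# returns. Only the `name_value` field (where crt.sh lists a certificate's SANs)
# is kept; every record and hostname here is made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "api.staging.internal.example.com\nWWW.EXAMPLE.COM"},
    {"name_value": "vpn.example.com"},
    # A lookalike that merely contains "example.com": must be dropped.
    {"name_value": "example.com.evil-lookalike.net"},
])


def extract_hostnames(crtsh_json: str, apex: str) -> set[str]:
    """Unique hostnames under `apex` from crt.sh JSON output.  crt.sh packs all
    SANs of a certificate into one newline-separated `name_value`, so a record
    can yield several names; names are lower-cased, a leading wildcard label is
    stripped (*.dev.example.com still proves dev.example.com exists), and
    anything not ending in the apex domain is dropped."""
    apex = apex.lower().strip(".")
    found: set[str] = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return found


def hostnames_at_depth(hosts: Iterable[str], apex: str, min_labels: int) -> list[str]:
    """Keep names with at least `min_labels` labels in front of the apex,
    e.g. min_labels=2 keeps a.b.example.com but drops b.example.com."""
    apex_labels = apex.lower().strip(".").count(".") + 1
    return sorted(h for h in hosts if h.count(".") + 1 - apex_labels >= min_labels)


if __name__ == "__main__":
    hosts = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(sorted(hosts)))
    print("deeper than one label:", hostnames_at_depth(hosts, "example.com", 2))
```

The de-duplicated output is what you would hand to a liveness check such as httprobe.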
==============================
Hunting subdomains - Part 2
==============================
==============================
Go to Google, search for "owasp amass" and open https://github.com/OWASP/Amass . You need to configure this on your machine, and the instructions are given over there.
This tool is really popular for information gathering, i.e. finding subdomains.
The last tool for subdomain searching and filtering is tomnomnom's "httprobe":
https://github.com/tomnomnom/httprobe . This tool will probe a list of hosts and tell you whether a website is alive or not, so you can narrow down your searches.
That's it for today!