Offensive Security: Enumeration
Austin Songer

ISBN: 9781728959320
Publisher: Independently published; Amazon Digital Services LLC - KDP Print US
Year: 2018
This version was published on 2018-10-18.
Copyright 2018 Austin Songer
Contents

DNS Enumeration
DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functionality.

Interacting with a DNS Server

```Bash
> host -t ns megacorpone.com   # -t : record type, ns : name server records
> host -t mx megacorpone.com   # mx : mail server records
```

You can also use nslookup:

```Bash
> nslookup anasboureada.com
```

dig can be used as well:

```Bash
> dig aboureada.com
```

Automating lookups

Now that we have some initial data from the megacorpone.com domain, we can continue to use additional DNS queries to discover more host names and IP addresses belonging to megacorpone.com.

```Bash
> host www.megacorpone.com          # we will find that it has an IP address
> host idontexist.megacorpone.com   # this one is not found
```

Forward Lookup Brute Force

Taking the previous concept a step further, we can automate the forward DNS lookup of common host names using the host command and a Bash script.

```Bash
> echo www > list.txt
> echo ftp >> list.txt
> echo mail >> list.txt
> echo owa >> list.txt
> echo proxy >> list.txt
> echo router >> list.txt
> echo api >> list.txt
> for ip in $(cat list.txt); do host $ip.megacorpone.com; done
```
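The loop above, generalised into an added example (not code from the book): it reads the candidate labels from a wordlist file, runs `host` for each, and keeps only the names that actually resolve. The filter understands both the forward "has address" lines and the "domain name pointer" lines that the reverse (PTR) sweep described next in the chapter produces, so it replaces the `grep -v "not found"` filter for both directions. It assumes the `host` utility from the dnsutils/bind-utils package is installed; the wordlist name and the IP prefix are placeholders.

```bash
#!/bin/bash
# Added example (not from the book): brute-force forward lookups from a wordlist
# and keep only the names that resolve. The parser also understands the
# "domain name pointer" lines a reverse (PTR) sweep produces, so the same
# filter works for both directions.
# Assumptions: `host` (dnsutils/bind-utils) is installed; the wordlist file and
# the target domain/prefix are supplied by the caller.

# parse_host_output: read `host` output on stdin and print "name<TAB>result" for
# successful forward (has address / has IPv6 address) and reverse (domain name
# pointer) answers. "not found" / NXDOMAIN lines are dropped.
parse_host_output() {
    awk '
        /has address/ || /has IPv6 address/ { print $1 "\t" $NF; next }
        /domain name pointer/               { sub(/\.$/, "", $NF); print $1 "\t" $NF; next }
    '
}

# forward_brute DOMAIN WORDLIST: try each label in WORDLIST as LABEL.DOMAIN.
forward_brute() {
    local domain="$1" wordlist="$2" label
    while IFS= read -r label; do
        [ -z "$label" ] && continue        # skip blank lines in the wordlist
        host "${label}.${domain}" 2>/dev/null
    done < "$wordlist" | parse_host_output
}

# reverse_sweep PREFIX FIRST LAST: query PTR records for PREFIX.FIRST .. PREFIX.LAST
# (e.g. reverse_sweep 50.7.67 155 190).
reverse_sweep() {
    local prefix="$1" first="$2" last="$3" n
    for n in $(seq "$first" "$last"); do
        host "${prefix}.${n}" 2>/dev/null
    done | parse_host_output
}

# Usage (placeholders):
#   forward_brute megacorpone.com list.txt
#   reverse_sweep 50.7.67 155 190
```

The parser keeps the full answer line's first and last fields, so forward hits come out as `name<TAB>address` and reverse hits as `in-addr.arpa-name<TAB>hostname`, which is convenient for feeding into a later `sort -u`.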

Reverse Lookup Brute Force
If the DNS administrator of megacorpone.com configured PTR records for the domain, we might find out some more domain names that were missed during the forward lookup brute-force phase.

```Bash
> for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"   # grep -v :: --invert-match
```

DNS Zone Transfers

A zone transfer is similar to a database replication act between related DNS servers. This process includes the copying of the zone file from a master DNS server to a slave server. The zone file contains a list of all the DNS names configured for that zone. Zone transfers should usually be limited to authorized slave DNS servers.

```Bash
> host -l megacorpone.com ns1.megacorpone.com   # -l :: list all hosts in a domain; ns1 refused our zone transfer request

# The result is a full dump of the zone file for the megacorpone.com domain,
# providing us a convenient list of IPs and DNS names for the megacorpone.com domain.

> host -t axfr zonetransfer.me nsztm1.digi.ninja.

> dig axfr zonetransfer.me @nsztm1.digi.ninja
```

Now let's automate the process. To get the name servers for a given domain in a clean format, we can issue the following command.

```Bash
> host -t ns megacorpone.com | cut -d " " -f 4
# -d :: --delimiter=DELIM ;
# -f :: --fields=LIST select only these fields on each line;
```

Taking this a step further, we could write the following simple Bash script to automate the procedure of discovering and attempting a zone transfer on each DNS server found.

```Bash
#!/bin/bash
if [ -z "$1" ]; then   # $1 is the first argument given to the script
  echo "[-] Simple Zone transfer script"
  echo "[-] Usage : $0 <domain>"
  exit 0
fi

for server in $(host -t ns "$1" | cut -d " " -f 4); do   # identify the DNS servers for the domain
  host -l "$1" "$server" | grep "has address"           # for each of these servers, attempt a zone transfer
done
```
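An added example (not the book's script): the same discover-and-attempt procedure, but using `dig` and classifying each name server's answer as allowed, refused or unknown. That is the form you want when auditing your own zones, where the question is which servers still answer AXFR to arbitrary clients. It assumes `host` and `dig` from the dnsutils package are installed; the domain is a placeholder.

```bash
#!/bin/bash
# Added example (not from the book): list a domain's name servers, attempt an
# AXFR against each with dig, and report which ones allow the transfer.
# Assumes `host` and `dig` (dnsutils) are installed.

# name_servers_from_host: read `host -t ns DOMAIN` output on stdin and print one
# name server per line without the trailing dot. Only "name server" lines are
# used, so warnings and "not found" messages are ignored.
name_servers_from_host() {
    awk '/ name server /{ sub(/\.$/, "", $NF); print $NF }'
}

# axfr_status: read `dig axfr ZONE @SERVER` output on stdin and classify it.
# dig prints "; Transfer failed." when the server refuses; a completed transfer
# always contains the zone's SOA record.
axfr_status() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q -E '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo allowed
    else
        echo unknown      # e.g. timeout, no servers could be reached
    fi
}

# check_zone_transfers DOMAIN: try every name server and print "server status".
check_zone_transfers() {
    local domain="$1" ns status
    for ns in $(host -t ns "$domain" | name_servers_from_host); do
        status=$(dig +time=5 +tries=1 axfr "$domain" "@$ns" | axfr_status)
        echo "$ns $status"
    done
}

# Usage (placeholder domain): check_zone_transfers megacorpone.com
```

A server reported as `allowed` is handing out the whole zone file; on a zone you administer, restrict AXFR to the IP addresses (or TSIG keys) of the authorised secondaries and re-run the check.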

Running this script on megacorpone.com should automatically identify both name servers and attempt a zone transfer on each of them.

```Bash
chmod 755 dns-axfr.sh
./dns-axfr.sh megacorpone.com
```

Relevant Tools in Kali Linux
DNSRecon
> dnsrecon -d megacorpone.com -t axfr

-d :: domain
-t :: type of Enumeration to perform
axfr :: test all ns servers for zone transfer

DNSEnum
> dnsenum zonetransfer.me
fierce
> pip3 install fierce
> fierce --domain zonetransfer.me
NMAP DNS Hostnames Lookup
nmap -F --dns-server
Host Lookup
host -t ns megacorpone.com
Reverse Lookup Brute Force - find domains in the same range
for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
Perform DNS IP Lookup
dig a domain-name-here.com @nameserver
Perform MX Record Lookup
dig mx domain-name-here.com @nameserver
Perform Zone Transfer with DIG
dig axfr domain-name-here.com @nameserver
DNS Zone Transfers
Windows DNS zone transfer
nslookup -> set type=any -> ls -d blah.com
Linux DNS zone transfer
dig axfr blah.com @ns1.blah.com
Dnsrecon DNS Brute Force
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
Dnsrecon DNS List of megacorp
dnsrecon -d megacorpone.com -t axfr
DNSEnum
dnsenum zonetransfer.me
File Enumeration
Find SUID/SGID files (executed as root or as the owning group)
/usr/bin/find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
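An added example, not from the book, built around the find command above: it groups the two `-perm` tests in `\( ... \)` so the action applies to both the setuid and the setgid branch, and compares the current list with a saved baseline so a newly appeared privileged binary stands out, which is the check a defender wants after the enumeration step. It assumes GNU find and coreutils; the root directory and baseline path are placeholders.

```bash
#!/bin/bash
# Added example (not from the book): enumerate setuid/setgid regular files under
# a root directory and diff the result against a saved baseline.
# Assumes GNU find and coreutils (sort, comm, mktemp).

# find_suid_sgid ROOT [MAXDEPTH]: print sorted paths of setuid or setgid regular
# files. The \( ... \) grouping makes -print apply to both -perm branches.
find_suid_sgid() {
    local root="$1" depth="${2:-3}"
    find "$root" -maxdepth "$depth" -type f \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null | sort
}

# save_baseline ROOT FILE: record the current set of privileged files.
save_baseline() {
    find_suid_sgid "$1" > "$2"
}

# new_since_baseline ROOT FILE: print privileged files present now but absent
# from the baseline (candidates for investigation). comm needs sorted input,
# which find_suid_sgid and the baseline already provide.
new_since_baseline() {
    local tmp
    tmp=$(mktemp)
    find_suid_sgid "$1" > "$tmp"
    sort "$2" | comm -13 - "$tmp"
    rm -f "$tmp"
}

# Usage (placeholder paths):
#   save_baseline / /var/tmp/suid.baseline
#   ... later ...
#   new_since_baseline / /var/tmp/suid.baseline
```

The baseline should be taken from a known-good build and stored outside the audited host; `-maxdepth 3` mirrors the book's command and can be raised once the noise level is known.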
Get a handy Linux file system enumeration script (/var/tmp)
wget
chmod +x ./linux-local-enum.sh
./linux-local-enum.sh
Find executable files updated in August
find / -executable -type f 2>/dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
Find a specific file on Linux
find /. -name suid\*
Find all the strings in a file
strings
Determine the type of a file
file
HTTP Enumeration
Search for folders with gobuster:
gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
Dirb - directory brute force using a dictionary file
OWASP DirBuster - HTTP folder enumeration - can take a dictionary file
dirb http://$ip/ wordlist.dict
dirb <>
Dirb against a proxy
dirb http://$ip/ -p $ip:3129
Nikto
nikto -h $ip
HTTP Enumeration
nmap --script=http-enum -p80 -n $ip/24
Nmap Check the server methods
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Get Options available from web server
curl -vX OPTIONS vm/test
Uniscan directory finder:
uniscan -qweds -u <>
Wfuzz - the web brute forcer

wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test
wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ

Recurse level 3
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
Open a service using a port knock (secured with knockd)
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done
WordPress Scan - WordPress security scanner
wpscan --url $ip/blog --proxy $ip:3129
RSH Enumeration - unencrypted remote shell service
auxiliary/scanner/rservices/rsh_login
Finger Enumeration
finger @$ip
finger batman@$ip
TLS & SSL Testing
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
Proxy Enumeration (useful for open proxies)