############################################################
# Pentester Academy External Security Testing Walk-Through #
############################################################
##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
- A 30-day trial of Workstation 11 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0
- A 30-day trial of Fusion 7 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0
- The newest version of VMWare Player can be downloaded from here:
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0
- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
################################
# Download the virtual machine #
################################
https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
username: strategicsec
password: strategicsec
(These are well-known lab credentials, so keep the VM on a NAT or host-only network rather than bridging it onto a network you do not control.)
############################################
# Identifying External Security Mechanisms #
############################################
Performing an external penetration test today is significantly harder than it was years ago.
Targets now sit behind external security mechanisms such as load balancers, reverse proxies, intrusion prevention systems, and web application firewalls, and each of them changes what your scans see: a load balancer spreads your requests over several real servers, an IPS silently blocks your address, and a WAF answers your attack payloads with a block page that looks nothing like the application. The first job is therefore to identify what is in front of the target before you interpret any result.
Ok, let's do this!
###########################
# Target IP Determination #
###########################
cd /home/strategicsec/toolz
perl blindcrawl.pl -d motorola.com
-- Take each IP address it returns and look the owner up here:
http://www.networksolutions.com/whois/index.jsp
cd /toolz/fierce2
fierce -dns motorola.com
cd ..
Zone transfers fail on most domains (the name servers refuse AXFR to anyone but their own secondaries), but here is an example of one that works:
dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
Try the transfer against every authoritative name server for the domain, not just the first one; it is common for one secondary to be misconfigured while the primary is locked down.
cd /toolz/
./ipcrawl 148.87.1.1 148.87.1.254 (reverse DNS lookup of every address in the range)
sudo nmap -sL 148.87.1.0-255
sudo nmap -sL 148.87.1.0-255 | grep oracle
-sL is a list scan: nmap only performs reverse-DNS lookups and sends nothing to the hosts themselves, so this is a safe first pass over a netblock. Filtering on the target's name (here oracle) separates the addresses the organisation actually uses from the rest of the block, which may belong to a hosting provider or another tenant and be out of scope.
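The ipcrawl / nmap -sL / grep step above, done as a script that keeps the results structured instead of piping through grep. This is an added example, not code from the walk-through or from the ipcrawl tool; the resolver is injectable so it can be exercised offline, and by default it uses socket.gethostbyaddr(), which is a PTR lookup that sends nothing to the target hosts themselves. The PTR names in the sample are constructed and do not correspond to any real host.

```python
"""Reverse-DNS sweep of an IP range, grouping PTR names by registered domain.

Added example (not part of the original walk-through). The default
resolver is socket.gethostbyaddr(); pass your own to test offline.
"""
import ipaddress
import socket
from collections import defaultdict


def default_resolver(ip):
    """Return the PTR name for `ip`, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def registered_domain(hostname):
    """Crude 'last two labels' extraction: a.b.oracle.com -> oracle.com.

    Good enough for the grep-style filtering done in the walk-through; it
    does not understand multi-part public suffixes such as co.uk.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def reverse_sweep(cidr, resolver=default_resolver):
    """Resolve every host address in `cidr`; return {ip: ptr_name} for hits only."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = {}
    for addr in net.hosts():
        name = resolver(str(addr))
        if name:
            hits[str(addr)] = name
    return hits


def group_by_domain(hits):
    """Turn {ip: name} into {domain: [(ip, name), ...]} with each list sorted by IP."""
    groups = defaultdict(list)
    for ip, name in hits.items():
        groups[registered_domain(name)].append((ip, name))
    return {d: sorted(v, key=lambda t: ipaddress.ip_address(t[0])) for d, v in groups.items()}


def owned_by(hits, domain):
    """IPs whose PTR lands in `domain`: the `| grep oracle` step, but exact."""
    return sorted((ip for ip, n in hits.items() if registered_domain(n) == domain.lower()),
                  key=ipaddress.ip_address)


# Constructed sample PTR data standing in for a live resolver (assumption:
# these names and the mapping are invented for the example).
SAMPLE_PTR = {
    "148.87.1.10": "www-proxy.example-corp.com",
    "148.87.1.11": "mail1.example-corp.com",
    "148.87.1.12": "cdn-edge-3.hosting-provider.net",
    "148.87.1.200": "vpn.example-corp.com",
}


def sample_resolver(ip):
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    hits = reverse_sweep("148.87.1.0/24", resolver=sample_resolver)
    for domain, entries in sorted(group_by_domain(hits).items()):
        print(f"[{domain}]")
        for ip, name in entries:
            print(f"  {ip:<16} {name}")
```

Swap sample_resolver for the default to run it against a real range; PTR lookups go to your resolver, not the target, so it is as quiet as nmap -sL. The grouped output makes it obvious when a block is shared with a hosting provider, which is exactly the case where a plain grep would hide hosts that are in scope under a different name.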
###########################
# Load Balancer Detection #
###########################
Here are some options to use for identifying load balancers:
- http://toolbar.netcraft.com/site_report/
- Firefox LiveHTTP Headers (https://addons.mozilla.org/en-Us/firefox/addon/live-http-headers/)
Here is an example:
http://toolbar.netcraft.com/site_report/?url=citigroup.com
We found out that they are using a Citrix Netscaler load balancer.
192.193.103.222 Citrix Netscaler
192.193.219.58
Here are some command-line options to use for identifying load balancers:
dig google.com
(more than one A record in the answer section means DNS round-robin; repeat the query a few times and watch the order change)
cd /toolz
./lbd-0.1.sh motorola.com
halberd microsoft.com
halberd motorola.com
halberd oracle.com
lbd checks for DNS round-robin and for Server and Date header differences between repeated requests. halberd sends requests over a longer period and clusters the responses by header differences, cookies and clock skew to estimate how many real servers sit behind one name. Knowing that number matters later: a finding that reproduces on one request in three is usually one misconfigured node in the pool, not flakiness in your tooling.
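The same heuristics lbd and halberd apply, written out so you can see what each signal looks like in the raw responses. This is an added example, not code from the walk-through or from either tool. Each response is a dict with the epoch time it was received and its lower-cased headers (set-cookie as a list); the A records and responses below are constructed, not captured from any real site, and the vendor cookie prefixes are the well-known BIGipServer (F5) and NSC_ (Citrix NetScaler) persistence cookies.

```python
"""Spot load balancing from repeated identical requests.

Added example; applies the lbd / halberd heuristics:
  1. DNS: more than one A record for the name (round-robin).
  2. HTTP: values that ought to be constant for a single server vary
     across repeated requests: the Server banner, the ETag of the same
     resource, or the backend clock (Date header minus the time we
     received the response; different backends have different skew).
  3. Persistence cookies with a known balancer prefix.
"""
from datetime import timezone
from email.utils import parsedate_to_datetime

PERSISTENCE_COOKIE_PREFIXES = {
    "BIGipServer": "F5 BIG-IP",
    "NSC_": "Citrix NetScaler",
}


def _cookie_names(headers):
    return [c.split("=", 1)[0].strip() for c in headers.get("set-cookie", [])]


def _clock_skew(resp):
    """Backend clock minus our clock, in seconds; None if there is no Date header."""
    raw = resp["headers"].get("date")
    if not raw:
        return None
    dt = parsedate_to_datetime(raw)
    if dt.tzinfo is None:          # "-0000" style dates parse naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp() - resp["received_at"]


def analyze(a_records, responses, skew_threshold=2.0):
    """Return {"load_balanced": bool, "findings": [...], "vendors": [...]}."""
    findings, vendors = [], set()

    ips = set(a_records)
    if len(ips) > 1:
        findings.append(f"DNS round-robin: {len(ips)} A records {sorted(ips)}")

    for header in ("server", "etag"):
        values = {r["headers"].get(header) for r in responses} - {None}
        if len(values) > 1:
            findings.append(f"{header} header varies across requests: {sorted(values)}")

    skews = [s for s in map(_clock_skew, responses) if s is not None]
    if len(skews) > 1 and max(skews) - min(skews) > skew_threshold:
        findings.append(f"clock skew spread of {max(skews) - min(skews):.0f}s between backends")

    for r in responses:
        for name in _cookie_names(r["headers"]):
            for prefix, vendor in PERSISTENCE_COOKIE_PREFIXES.items():
                if name.startswith(prefix):
                    vendors.add(vendor)
    if vendors:
        findings.append(f"persistence cookie from {sorted(vendors)}")

    return {"load_balanced": bool(findings), "findings": findings, "vendors": sorted(vendors)}


# Constructed samples (assumption: invented, not captured): three requests to
# the same URL one second apart, first against a balanced pool, then a single box.
BALANCED_A_RECORDS = ["203.0.113.10", "203.0.113.11"]
BALANCED_RESPONSES = [
    {"received_at": 1700000000,
     "headers": {"date": "Tue, 14 Nov 2023 22:13:20 GMT", "server": "Apache",
                 "etag": '"1a2b-5f3c"', "set-cookie": ["NSC_abc=ffffffff0a0b0c0d; path=/"]}},
    {"received_at": 1700000001,
     "headers": {"date": "Tue, 14 Nov 2023 22:13:35 GMT", "server": "Apache",
                 "etag": '"9e8d-5f3c"', "set-cookie": ["NSC_abc=ffffffff0a0b0c0e; path=/"]}},
    {"received_at": 1700000002,
     "headers": {"date": "Tue, 14 Nov 2023 22:13:22 GMT", "server": "Apache",
                 "etag": '"1a2b-5f3c"', "set-cookie": ["NSC_abc=ffffffff0a0b0c0d; path=/"]}},
]
SINGLE_A_RECORDS = ["198.51.100.5"]
SINGLE_RESPONSES = [
    {"received_at": 1700000000,
     "headers": {"date": "Tue, 14 Nov 2023 22:13:20 GMT", "server": "nginx", "etag": '"abc123"'}},
    {"received_at": 1700000001,
     "headers": {"date": "Tue, 14 Nov 2023 22:13:21 GMT", "server": "nginx", "etag": '"abc123"'}},
]

if __name__ == "__main__":
    for label, a, rs in (("balanced", BALANCED_A_RECORDS, BALANCED_RESPONSES),
                         ("single", SINGLE_A_RECORDS, SINGLE_RESPONSES)):
        result = analyze(a, rs)
        print(label, "->", "load balanced" if result["load_balanced"] else "single server")
        for f in result["findings"]:
            print("   ", f)
```

Clock skew is the signal that survives hardening: an operator can normalise Server and ETag across the pool, but two machines whose NTP drifted apart still give themselves away in the Date header, which is why halberd runs for a while rather than firing three requests.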
##################################
# Intrusion Prevention Detection #
##################################
osstmm-afd -P HTTP -t www.strategicsec.com -v
(osstmm-afd is the OSSTMM Active Filter Detection tool: it sends increasingly hostile requests and watches for the point at which the target stops answering at all, which is the signature of an inline IPS blocking your address rather than a WAF rejecting individual requests)
The next lines inspect the VM's local SSL proxy (an xinetd service backed by ssl_proxy.sh), confirm xinetd is running, and then run osstmm-afd through it on port 8888, which is how you get an HTTP-only tool to test an HTTPS target:
cat /etc/xinetd.d/ssltest
cat /home/strategicsec/toolz/ssl_proxy.sh
service xinetd status
osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v
****** If your IP is getting blocked you can use a service like AceVPN to give you multiple IPs to launch your tests from. Make sure every address you test from is listed in the rules of engagement so the client's SOC can tell your traffic from a real attack. ******
######################################
# Web Application Firewall Detection #
######################################
cd /toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com
cd /toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com
sudo nmap -p 80 --script http-waf-detect.nse imperva.com
wafw00f fingerprints known WAF products from their headers, cookies and block pages. http-waf-detect is generic: it requests a page, requests it again with attack payloads in the query string, and reports a WAF if the status code or body changes. imperva.com is a WAF vendor and makes a handy known-positive to confirm the tooling works before you trust a negative result on a real target.
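The differential test that osstmm-afd, wafw00f and http-waf-detect all perform, written out so the two classes of device in the last two sections can be told apart from the same three requests: benign, hostile, benign again. This is an added example, not code from the walk-through or from any of those tools. The send function is injectable; SimulatedTarget is a constructed stand-in for a real web server so the logic runs offline (against a real host you would wrap http.client), and the signature table holds only well-known product markers (the cf-ray header for Cloudflare, incap_ses_/visid_incap_ cookies for Imperva Incapsula, x-sucuri-id for Sucuri).

```python
"""Tell an IP-blocking filter (IPS) apart from a request-level one (WAF).

Added example. The third request is what separates the two:
  - benign request now times out or is reset -> the source IP has been
    blocked: an inline IPS / active filter (osstmm-afd's signal);
  - hostile requests get a different status or body but the benign one
    still works -> request-level filtering: a WAF (http-waf-detect's signal).
`send(path)` returns {"status", "headers", "body"} or raises Blocked.
"""
from urllib.parse import unquote

BENIGN_PATH = "/index.html"
# Loud payloads meant to trip filters; they exploit nothing.
PROBE_PATHS = [
    "/index.html?id=1%27%20OR%20%271%27%3D%271",
    "/index.html?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "/index.html?file=../../../../etc/passwd",
]
# Header names / cookie prefixes that identify a known product.
WAF_SIGNATURES = {
    "cf-ray": "Cloudflare",
    "incap_ses_": "Imperva Incapsula",
    "visid_incap_": "Imperva Incapsula",
    "x-sucuri-id": "Sucuri",
}


class Blocked(Exception):
    """Raised by `send` when the connection times out or is reset."""


def _signature_hits(resp):
    names = [h.lower() for h in resp["headers"]]
    names += [c.split("=", 1)[0].lower() for c in resp["headers"].get("set-cookie", [])]
    return {product for needle, product in WAF_SIGNATURES.items()
            if any(needle in n for n in names)}


def classify(send):
    """Return {"filter": 'none'|'waf'|'ips'|'unknown', "evidence": [...], "products": [...]}."""
    try:
        baseline = send(BENIGN_PATH)
    except Blocked:
        return {"filter": "unknown",
                "evidence": ["benign request fails before any probe"], "products": []}

    evidence, products = [], _signature_hits(baseline)
    for path in PROBE_PATHS:
        try:
            r = send(path)
        except Blocked:
            evidence.append(f"connection dropped on probe {path}")
            break                      # we may already be banned; stop making noise
        products |= _signature_hits(r)
        if r["status"] != baseline["status"] or r["body"] != baseline["body"]:
            evidence.append(f"probe {path} -> {r['status']} (baseline {baseline['status']})")

    try:
        send(BENIGN_PATH)
    except Blocked:
        evidence.append("benign request fails after probes: source IP is being blocked")
        return {"filter": "ips", "evidence": evidence, "products": sorted(products)}

    kind = "waf" if evidence or products else "none"
    return {"filter": kind, "evidence": evidence, "products": sorted(products)}


class SimulatedTarget:
    """Constructed stand-in (assumption: invented behaviour, not a real server).

    mode: 'none' (no filter), 'waf' (blocks the bad request only), 'ips'
    (drops the bad request and bans the client), 'down' (never answers).
    """
    HOSTILE = ("'", "<script", "../")

    def __init__(self, mode):
        assert mode in ("none", "waf", "ips", "down")
        self.mode = mode
        self.banned = mode == "down"

    def __call__(self, path):
        if self.banned:
            raise Blocked("connection reset")
        hostile = any(t in unquote(path) for t in self.HOSTILE)
        if self.mode == "ips" and hostile:
            self.banned = True         # inline device drops this and every later packet from us
            raise Blocked("timeout")
        headers = {"server": "Apache"}
        if self.mode == "waf":
            headers = {"server": "cloudflare", "cf-ray": "7a1b2c3d4e5f-SJC"}
            if hostile:
                return {"status": 403, "headers": headers, "body": "Access denied"}
        return {"status": 200, "headers": headers, "body": "<html>welcome</html>"}


if __name__ == "__main__":
    for mode in ("none", "waf", "ips", "down"):
        print(mode, "->", classify(SimulatedTarget(mode)))
```

The order of the requests is the whole point: once an IPS has banned you, every later result from that address is meaningless, which is why the walk-through suggests having several source IPs available before you start rather than after you notice the silence.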
################################################
# third Party Scanning, together with scanning via proxies #
################################################
https://www.shodan.io
Create a FREE account and log in, then search the target's netblock with the net: filter:
net:129.188.8.0/24
Shodan's data comes from its own scans, so this tells you what is listening without a single packet from you reaching the target.
cd /home/strategicsec/toolz/
perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run, but provides a good list of proxies
sudo vi /etc/proxychains.conf <--- Make sure that the last line of the file is: socks4 127.0.0.1 9050 (Tor's local SOCKS port)
----------------------------------------------------------------------
vi /toolz/fix-proxychains-dns.sh
#!/bin/bash
# This script is called by proxychains to resolve DNS names. It replaces the
# stock proxyresolv helper, which has the DNS server hard-coded.
# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
# DNS server used to resolve names
DNS_SERVER=4.2.2.2
if [ $# = 0 ] ; then
    echo " usage:"
    echo " proxyresolv <hostname> "
    exit 1
fi
# Load proxychains into dig so the query itself travels through the chain.
export LD_PRELOAD=libproxychains.so.3
# +tcp is essential: proxychains only carries TCP, so a plain UDP query would
# leave from your real address. The awk pulls the addresses out of the A records.
dig "$1" @"$DNS_SERVER" +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
-----------------------------------------------------------------------
sudo ntpdate pool.ntp.org (Tor will not bootstrap properly if the clock is badly off, so sync it first)
tor-resolve strategicsec.com (resolves the name through Tor instead of your local resolver)
proxychains nmap -sT -p80 204.244.123.113
proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113
The flags matter: proxychains only hooks TCP connect(), so use -sT (a SYN scan's raw packets bypass the chain and leave from your real address), -PN (-Pn in current nmap) to skip host discovery, and -n so nmap does not do its own UDP reverse-DNS lookups outside the proxy. Expect it to be slow; scanning the full port range this way is impractical, which is why the second command names a short list of interesting ports.
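Two pre-flight checks for the proxychains setup above, as an added example that is not part of the walk-through or of proxychains/nmap. proxychains works by LD_PRELOAD-hooking the TCP connect() calls a program makes, so anything done with raw sockets (SYN scans, OS detection, ICMP host discovery) or over UDP (nmap's own reverse-DNS lookups) bypasses the chain and leaves from your real address. The first function checks a proxychains.conf body for the settings the section relies on (proxy_dns, and Tor's socks4 127.0.0.1 9050 as the last proxy); the second reads an nmap command line and lists the ways it would leak. The configuration texts are constructed samples, not real files from the VM.

```python
"""Pre-flight checks before scanning through proxychains (added example)."""
import shlex

TOR_SOCKS = "socks4 127.0.0.1 9050"
# Scan types implemented with raw sockets; none of them go through the chain.
RAW_SOCKET_FLAGS = {"-sS", "-sU", "-sA", "-sW", "-sM", "-sN", "-sF", "-sX",
                    "-sO", "-O", "--traceroute"}


def check_proxychains_conf(text):
    """Return a list of problems with a proxychains.conf body (empty means OK)."""
    problems = []
    active = [line.strip() for line in text.splitlines()
              if line.strip() and not line.lstrip().startswith("#")]
    if "proxy_dns" not in active:
        problems.append("proxy_dns is not enabled: name resolution will leak")
    if "[ProxyList]" not in active:
        problems.append("no [ProxyList] section")
    else:
        proxies = active[active.index("[ProxyList]") + 1:]
        if not proxies:
            problems.append("[ProxyList] is empty")
        elif proxies[-1].split() != TOR_SOCKS.split():
            problems.append(f"last proxy is '{proxies[-1]}', expected '{TOR_SOCKS}' (Tor)")
    return problems


def nmap_leak_risks(cmdline):
    """Return reasons an nmap command line would send traffic outside the chain.

    Flags are checked as separate tokens; combined forms such as -sTPn are not parsed.
    """
    argv = shlex.split(cmdline)
    while argv and argv[0] in ("sudo", "proxychains", "nmap"):
        argv = argv[1:]
    risks = [f"{a} uses raw sockets and is not proxied" for a in argv if a in RAW_SOCKET_FLAGS]
    if "-sT" not in argv:
        risks.append("add -sT: only TCP connect() scans go through the proxy")
    if not {"-Pn", "-PN"} & set(argv):
        risks.append("add -Pn: host discovery is raw ICMP/SYN when run as root and is not proxied")
    if "-n" not in argv:
        risks.append("add -n: nmap's reverse-DNS lookups are UDP and are not proxied")
    return risks


# Constructed samples (assumption: invented, not the VM's real configuration).
GOOD_CONF = """\
# constructed sample of /etc/proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050
"""

BAD_CONF = """\
strict_chain
# proxy_dns
[ProxyList]
socks4 127.0.0.1 9050
http 198.51.100.7 3128
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, "conf:", check_proxychains_conf(conf) or "OK")
    for cmd in ("proxychains nmap -sS -p80 204.244.123.113",
                "proxychains nmap -sT -PN -n -sV -p 21,22,80,443 204.244.123.113"):
        print(cmd, "->", nmap_leak_risks(cmd) or "OK")
```

Run it against the real /etc/proxychains.conf and the exact command you are about to type; a leak here is not a failed scan, it is your real address in the client's IDS logs next to a Tor exit, which defeats the purpose of the exercise.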