Thread: Tutorial : Internet Enumeration

  1. #1 williamc (Joined Feb 2010, Chico CA, 285 posts)

    Tutorial : Internet Enumeration

    This tutorial will demonstrate how to perform reconnaissance against internet targets. If you have anything to add, please post.

    Discovery

    There are various methods of enumerating the net blocks of your target. But to start, perform the following:

    Code:
    whois -h cymru.whois.arin.net > file.txt
    If a specific IP does not have an ASN number associated with it, then that IP address is not routable.
    Code:
     whois -h whois.cymru.com 207.168.119.1
    querying whois.cymru.com
    whois.cymru.com
    ASN|IP|Name
    4565|207.168.119.1|EPOCH-INTERNET - Epoch Network
    To perform bulk queries, create a text file in this format:

    begin
    207.168.119.135
    207.168.119.136
    142.5.0.1
    end

    Feed the text file to whois by using netcat.
    Code:
     ./netcat whois.cymru.com 43 <ip_list.txt |sort -n > ip_list_asn.txt
    Look through the results for ASN numbers to determine if the netblocks are routable.

    You can also login to a BGP router connected to the internet and display the route:
    Code:
     telnet route-views.oregon-ix.net
    Username: rviews
    
    route-views.oregon-ix.net> show ip bgp regexp _31830$
    
    BGP table version is 2197815, local router ID is 198.32.162.100
    Status codes: s suppressed, d damped, h history, * valid, > best, i -internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight Path
    *  63.71.89.0/24    64.125.0.137           119             0 6461 701 31830 i
    *                   193.0.0.56                             0 3333 3356 701 31830i
    *                   207.46.32.34                           0 8075 701 31830 i
    *                   209.10.12.125         4103             0 4513 13789 701 31830 i
    <truncated>
    Learn more here:
    http://www.team-cymru.org/Services/ip-to-asn.html

    Once you have netblocks for your target, check bind versions and perform zone transfers against the name servers:
    Code:
     dig @ns1.example.com version.bind txt chaos
    dig @ns1.example.com axfr
    or
    Code:
     perl fierce.pl -dns example.com
    If the zone transfers are successful, you now have a list of target IPs. Clean up your list so only the IP addresses remain. The easiest method is to open the IP list in Excel and apply a filter. Now feed the IP list to nmap:
    Code:
     nmap -sS -P0 -iL ip_ranges.txt -p 21,22,23,25,53,79,80,81,88,110,111,113,135,139,143,254,264,265,443,445,1026,1027,1433,1434,1494,1521,1723,2049,2001,2301,2381,3389,4001,4662,5631,6000,6001,8080,10000 --max_rtt_timeout 2000 -oA formatted_list
    You can now take the output files and run them through the nmap report generator:
    http://forums.remote-exploit.org/showthread.php?t=13134

    At this point, you should have a list of IP addresses with open ports. Let's target a few of the ports.

    21 - FTP - If you see port 21 open, attempt to connect. Record the login banner and try "anonymous" as the username. If that is not successful, you may want to try running medusa against it to brute force.
    Code:
     medusa -h host -U logins.txt -P passwords.txt -O results.txt -M ftp
    25 - SMTP - Connect to the SMTP server and attempt to enumerate valid users. You can use this to target specific employees within the company through phishing or brute force attacks at login pages.
    Code:
     nc mail.example.com 25
    expn root
    expn test
    vrfy someone@example.com
    quit
    80 - HTTP - Look for methods that are not necessary. Namely PUT. If you find this, then you may be able to upload your own files to the server. Use put.pl to transfer cmd.asp to the server. Both files should be on BT3.

    Code:
     curl -I -X OPTIONS www.example.com
    That should get you started. Follow up with a nessus scan:
    http://forums.remote-exploit.org/showthread.php?t=13127

    Some additional tools I use that are not based on Backtrack are:
    LDAPMiner
    Acunetix Web Vulnerability Scanner
    N-Stalker Free Edition
    SNScan

    If you have anything to add, please do!

    William
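    The bulk Team Cymru output (ASN|IP|Name rows for a begin/end list) is easiest to sort through with a small parser. This is an added example, not code from the tutorial: it reads the whois.cymru.com reply, groups announced addresses by ASN and separates the ones Cymru reports as "NA" (no origin ASN, so not routable). The sample reply, AS numbers and names are constructed for illustration.

```python
"""Parse Team Cymru IP-to-ASN bulk whois output and flag unrouted addresses."""
from collections import defaultdict

# Constructed sample of what `netcat whois.cymru.com 43 < ip_list.txt` returns
# for a "begin ... end" list. ASNs, names and the unrouted address are made up.
SAMPLE_OUTPUT = """\
Bulk mode; whois.cymru.com [2010-02-01 00:00:00 +0000]
AS      | IP               | AS Name
4565    | 207.168.119.135  | EPOCH-INTERNET - Epoch Network
4565    | 207.168.119.136  | EPOCH-INTERNET - Epoch Network
NA      | 192.0.2.10       | NA
64496   | 198.51.100.7     | EXAMPLE-AS - Example Network
"""


def parse_cymru(text):
    """Return a list of (asn, ip, name) tuples; asn is None when Cymru reports NA."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue  # banner, "Bulk mode" line and blank lines carry no data
        asn, ip, name = (field.strip() for field in line.split("|", 2))
        if asn in ("AS", "ASN"):
            continue  # header row, whichever spelling the service uses
        rows.append((None if asn == "NA" else int(asn), ip, name))
    return rows


def split_routable(rows):
    """Group announced addresses by origin ASN; collect unrouted ones separately."""
    routable = defaultdict(list)
    unrouted = []
    for asn, ip, _name in rows:
        if asn is None:
            unrouted.append(ip)  # no ASN: not announced in the global table
        else:
            routable[asn].append(ip)
    return dict(routable), unrouted


if __name__ == "__main__":
    by_asn, dead = split_routable(parse_cymru(SAMPLE_OUTPUT))
    for asn, ips in sorted(by_asn.items()):
        print(f"AS{asn}: {', '.join(ips)}")
    print("not routable:", ", ".join(dead))
```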

  2. #2 ShadowKill, Senior Member (Joined Dec 2007, 908 posts)

    Quote Originally Posted by williamc:
    This tutorial will demonstrate how to perform reconnaissance against internet targets. If you have anything to add, please post....

    ....If you have anything to add, please do!

    William
    Yet another great tutorial bud. Just a "here's how I do it" kinda thing, when I'm listing ports via Nmap I usually simplify/organize the list by utilizing the U: and T: delimiter for UDP/TCP distinction and 21-23 etc to shorten the string a bit. This just makes it a bit easier, at least for me, to remember what, exactly, I'm scanning for.
    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  3. #3 (Joined Feb 2010, 328 posts)

    http://rmccurdy.com/scripts/myipneighbors.bash.txt

    myipneighbors > Google search for params to help find exploitable scripts
