Passive Information Gathering

I prepared this presentation for the 757 White Hat Hackers meeting on 10/26, where I presented on Passive Information Gathering. Passive Information Gathering is simply the set of reconnaissance methods that never touch the target and so leave no trace of your presence.

Topics:

  • Whois
  • Dig
  • Recon-ng
  • Theharvester
  • Network-tools.com
  • Netcraft Toolbar
  • SiteDigger
  • Shodan
  • Maltego

Whois

Whois is usually installed in all Linux systems and returns the following domain information:

Registrar: The company/organization that registered the domain on behalf of the domain’s owner.
Name Servers: The servers that control the domain’s DNS.
Creation Date: The date the domain was originally registered.
Expiration Date: When the domain will expire.
Contacts: Publicly accessible information, required by registrars

Usage: “whois <domainName>”

root@DESKTOP-7ETQJM7:~# whois nasa.gov
% DOTGOV WHOIS Server ready
 Domain Name: NASA.GOV
 Status: ACTIVE

>>> Last update of whois database: 2016-10-28T17:55:42Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.
root@DESKTOP-7ETQJM7:~# whois yahoo.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Server Name: YAHOO.COM.ACCUTAXSERVICES.COM
 IP Address: 98.136.43.32
 IP Address: 66.196.84.168
 Registrar: WILD WEST DOMAINS, LLC
 Whois Server: whois.wildwestdomains.com
 Referral URL: http://www.wildwestdomains.com


 Server Name: YAHOO.COM.ANGRYPIRATES.COM
 IP Address: 8.8.8.8
 Registrar: NAME.COM, INC.
 Whois Server: whois.name.com
 Referral URL: http://www.name.com


 Server Name: YAHOO.COM.AU
 Registrar: WILD WEST DOMAINS, LLC
 Whois Server: whois.wildwestdomains.com
 Referral URL: http://www.wildwestdomains.com


 Server Name: YAHOO.COM.BGPETERSON.COM
 IP Address: 66.218.71.205
 Registrar: TUCOWS DOMAINS INC.
 Whois Server: whois.tucows.com
 Referral URL: http://www.tucowsdomains.com


 Server Name: YAHOO.COM.BIGROCK.IN
 Registrar: BIGROCK SOLUTIONS LIMITED
 Whois Server: Whois.bigrock.com
 Referral URL: http://www.bigrock.com


 Server Name: YAHOO.COM.BR
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com


 Server Name: YAHOO.COM.CN
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Whois Server: whois.dns.com.cn
 Referral URL: http://www.dns.com.cn


 Server Name: YAHOO.COM.DALLARIVA.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.ELPOV.COM
 IP Address: 66.21.71.205
 Registrar: TIERRANET INC. D/B/A DOMAINDISCOVER
 Whois Server: whois.domaindiscover.com
 Referral URL: http://www.domaindiscover.com


 Server Name: YAHOO.COM.HACKED.BY.JAPTRON.ES
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.HK
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com


 Server Name: YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
 IP Address: 80.190.192.24
 Registrar: COREHUB, S.R.L.
 Whois Server: whois.corehub.net
 Referral URL: http://corehub.net


 Server Name: YAHOO.COM.JTNELECTRIC.COM
 IP Address: 66.218.71.205
 IP Address: 216.109.116.20
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
 IP Address: 203.36.226.2
 Registrar: INSTRA CORPORATION PTY, LTD.
 Whois Server: whois.instra.net
 Referral URL: http://www.instra.com


 Server Name: YAHOO.COM.MX
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Server Name: YAHOO.COM.MY
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Server Name: YAHOO.COM.SG
 Registrar: DOTSTER, INC.
 Whois Server: whois.dotster.com
 Referral URL: http://www.dotster.com


 Server Name: YAHOO.COM.TW
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.TWIXTEARS.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.VIRGINCHASSIS.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.VN
 Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
 Whois Server: whois.melbourneit.com
 Referral URL: http://www.melbourneit.com.au


 Server Name: YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
 IP Address: 69.41.185.196
 Registrar: TUCOWS DOMAINS INC.
 Whois Server: whois.tucows.com
 Referral URL: http://www.tucowsdomains.com


 Server Name: YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
 IP Address: 203.36.226.2
 Registrar: INSTRA CORPORATION PTY, LTD.
 Whois Server: whois.instra.net
 Referral URL: http://www.instra.com


 Server Name: YAHOO.COM.ZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
 IP Address: 209.126.190.70
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Domain Name: YAHOO.COM
 Registrar: MARKMONITOR INC.
 Sponsoring Registrar IANA ID: 292
 Whois Server: whois.markmonitor.com
 Referral URL: http://www.markmonitor.com
 Name Server: NS1.YAHOO.COM
 Name Server: NS2.YAHOO.COM
 Name Server: NS3.YAHOO.COM
 Name Server: NS4.YAHOO.COM
 Name Server: NS5.YAHOO.COM
 Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
 Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
 Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
 Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
 Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
 Updated Date: 26-aug-2015
 Creation Date: 18-jan-1995
 Expiration Date: 19-jan-2023

>>> Last update of whois database: Fri, 28 Oct 2016 17:56:10 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: yahoo.com
Registry Domain ID: 3643624_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-08-26T15:30:44-0700
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Yahoo! Inc.
Registrant Street: 701 First Avenue
Registrant City: Sunnyvale
Registrant State/Province: CA
Registrant Postal Code: 94089
Registrant Country: US
Registrant Phone: +1.4083493300
Registrant Phone Ext:
Registrant Fax: +1.4083493301
Registrant Fax Ext:
Registrant Email: domainadmin@yahoo-inc.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Yahoo! Inc.
Admin Street: 701 First Avenue
Admin City: Sunnyvale
Admin State/Province: CA
Admin Postal Code: 94089
Admin Country: US
Admin Phone: +1.4083493300
Admin Phone Ext:
Admin Fax: +1.4083493301
Admin Fax Ext:
Admin Email: domainadmin@yahoo-inc.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Yahoo! Inc.
Tech Street: 701 First Avenue
Tech City: Sunnyvale
Tech State/Province: CA
Tech Postal Code: 94089
Tech Country: US
Tech Phone: +1.4083493300
Tech Phone Ext:
Tech Fax: +1.4083493301
Tech Fax Ext:
Tech Email: domainadmin@yahoo-inc.com
Name Server: ns4.yahoo.com
Name Server: ns2.yahoo.com
Name Server: ns1.yahoo.com
Name Server: ns5.yahoo.com
Name Server: ns3.yahoo.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-10-28T10:52:20-0700 <<<

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. MarkMonitor.com does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this Data
only for lawful purposes and that, under no circumstances will you use this Data to:
 (1) allow, enable, or otherwise support the transmission of mass unsolicited,
 commercial advertising or solicitations via e-mail (spam); or
 (2) enable high volume, automated, electronic processes that apply to
 MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220

For more information on Whois status codes, please visit
 https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
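The registry half of the yahoo.com output above is mostly "Server Name" entries: name-server host records that merely start with the string queried, not records for the domain. The parser below, an added example rather than code from the post, skips those blocks, pulls out the five fields listed at the top of this section, and runs a few owner-side checks on them; SAMPLE_WHOIS, the KEY_RE pattern and the function names are all constructed for this example.

```python
import re
from datetime import date, datetime

# Constructed sample shaped like the `whois yahoo.com` output above: a registry answer
# whose leading 'Server Name' block is a name-server host record, then the registrar's record.
SAMPLE_WHOIS = """\
 Server Name: EXAMPLE.COM.SOMEHOST.NET
 IP Address: 192.0.2.10
 Registrar: EXAMPLE REGISTRAR A

 Domain Name: EXAMPLE.COM
 Registrar: EXAMPLE REGISTRAR B
 Name Server: NS1.EXAMPLE.COM
 Name Server: NS2.EXAMPLE.COM
 Creation Date: 18-jan-1995
 Expiration Date: 19-jan-2023

Domain Name: example.com
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: Example Registrar B, Inc.
Registrar Abuse Contact Email: abuse@registrar-b.example
Registrant Email: domainadmin@example.com
Registrant Phone Ext:
Name Server: ns2.example.com
Name Server: ns1.example.com
DNSSEC: unsigned
"""

# 'Key: value' lines; the non-greedy key stops at the first colon so URLs in values survive.
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

def parse_blocks(text):
    """Split a reply into blocks of (key, value) pairs, blank lines delimiting blocks."""
    blocks, current = [], []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(2):  # drop empty values such as 'Registrant Phone Ext:'
            current.append((m.group(1).strip(), m.group(2)))
        elif not line.strip() and current:
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    return blocks

def parse_date(value):
    """Accept the registry style ('18-jan-1995') and the registrar style ('1995-01-18T...')."""
    for fmt in ("%d-%b-%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(value[:10], fmt).date()
        except ValueError:
            continue
    return None

def parse_whois(text):
    """Extract registrar, name servers, dates, contact e-mails and DNSSEC state."""
    record = {"registrar": None, "name_servers": set(), "created": None,
              "expires": None, "contacts": set(), "dnssec": None}
    for block in parse_blocks(text):
        if block[0][0] == "Server Name":
            continue  # a name server's host record, not the domain's record
        for key, value in block:
            if key == "Registrar":
                record["registrar"] = value  # the registrar's own record comes last and wins
            elif key == "Name Server":
                record["name_servers"].add(value.lower())
            elif key == "Creation Date":
                record["created"] = parse_date(value)
            elif key in ("Expiration Date", "Registrar Registration Expiration Date"):
                record["expires"] = parse_date(value)
            elif key.endswith("Email"):
                record["contacts"].add(value.lower())
            elif key == "DNSSEC":
                record["dnssec"] = value.lower()
    return record

def review_record(record, today):
    """Findings a domain owner should act on; 'today' is a parameter so the check is testable."""
    findings = []
    if record["expires"] is not None:
        days_left = (record["expires"] - today).days
        if days_left < 0:
            findings.append("registration expired %d days ago" % -days_left)
        elif days_left <= 30:
            findings.append("registration expires in %d days" % days_left)
    if record["dnssec"] == "unsigned":
        findings.append("zone is not DNSSEC-signed")
    if len(record["name_servers"]) < 2:
        findings.append("fewer than two name servers delegated")
    return findings

if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    for key, value in rec.items():
        print("%-12s %s" % (key, sorted(value) if isinstance(value, set) else value))
    for finding in review_record(rec, date.today()):
        print("[!] " + finding)
```

Feed it the text of `whois <domainName>` instead of SAMPLE_WHOIS to review your own domains; stray prose lines in a real reply only produce junk keys that the parser ignores.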

Dig

Domain Internet Groper

Options:

root@DESKTOP-7ETQJM7:~# dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
 {global-d-opt} host [@local-server] {local-d-opt}
 [ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
 q-class is one of (in,hs,ch,...) [default: in]
 q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
 (Use ixfr=version for type ixfr)
 q-opt is one of:
 -x dot-notation (shortcut for reverse lookups)
 -i (use IP6.INT for IPv6 reverse lookups)
 -f filename (batch mode)
 -b address[#port] (bind to source address/port)
 -p port (specify port number)
 -q name (specify query name)
 -t type (specify query type)
 -c class (specify query class)
 -k keyfile (specify tsig key file)
 -y [hmac:]name:key (specify named base64 tsig key)
 -4 (use IPv4 query transport only)
 -6 (use IPv6 query transport only)
 -m (enable memory usage debugging)
 d-opt is of the form +keyword[=value], where keyword is:
 +[no]vc (TCP mode)
 +[no]tcp (TCP mode, alternate syntax)
 +time=### (Set query timeout) [5]
 +tries=### (Set number of UDP attempts) [3]
 +retry=### (Set number of UDP retries) [2]
 +domain=### (Set default domainname)
 +bufsize=### (Set EDNS0 Max UDP packet size)
 +ndots=### (Set NDOTS value)
 +[no]edns[=###] (Set EDNS version) [0]
 +[no]search (Set whether to use searchlist)
 +[no]showsearch (Search with intermediate results)
 +[no]defname (Ditto)
 +[no]recurse (Recursive mode)
 +[no]ignore (Don't revert to TCP for TC responses.)
 +[no]fail (Don't try next server on SERVFAIL)
 +[no]besteffort (Try to parse even illegal messages)
 +[no]aaonly (Set AA flag in query (+[no]aaflag))
 +[no]adflag (Set AD flag in query)
 +[no]cdflag (Set CD flag in query)
 +[no]cl (Control display of class in records)
 +[no]cmd (Control display of command line)
 +[no]comments (Control display of comment lines)
 +[no]rrcomments (Control display of per-record comments)
 +[no]question (Control display of question)
 +[no]answer (Control display of answer)
 +[no]authority (Control display of authority)
 +[no]additional (Control display of additional)
 +[no]stats (Control display of statistics)
 +[no]short (Disable everything except short
 form of answer)
 +[no]ttlid (Control display of ttls in records)
 +[no]all (Set or clear all display flags)
 +[no]qr (Print question before sending)
 +[no]nssearch (Search all authoritative nameservers)
 +[no]identify (ID responders in short answers)
 +[no]trace (Trace delegation down from root [+dnssec])
 +[no]dnssec (Request DNSSEC records)
 +[no]nsid (Request Name Server ID)
 +[no]sigchase (Chase DNSSEC signatures)
 +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)
 +[no]topdown (Do DNSSEC validation top down mode)
 +[no]split=## (Split hex/base64 fields into chunks)
 +[no]multiline (Print records in an expanded format)
 +[no]onesoa (AXFR prints only one soa record)
 +[no]keepopen (Keep the TCP socket open between queries)
 global d-opts and servers (before host name) affect all queries.
 local d-opts and servers (after host name) affect only that lookup.
 -h (print help and exit)
 -v (print version and exit)

My favorite dig option is axfr, for a zone transfer. Zone transfers are the DNS transaction used to replicate records between DNS servers. It’s rare to find a DNS server these days that allows a zone transfer, but it’s something you should check. If a zone transfer succeeds, you will have every DNS record for the domain.

Example: dig axfr @dns-server domain.name
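The defender's side of that check, as an added example that is not from the post: a BIND named.conf fragment. BIND releases of the post's era answered AXFR from any host unless allow-transfer was set, so the fragment refuses transfers globally and lists only the secondaries (placeholder addresses) for the zone.

```conf
options {
    // refuse AXFR/IXFR for every zone unless the zone statement overrides it
    allow-transfer { none; };
};

zone "example.org" {
    type master;
    file "/etc/bind/zones/db.example.org";
    // only the secondary name servers (placeholder addresses) may pull the zone
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
```

With this in place, `dig axfr @ns1.example.org example.org` from any address other than the two secondaries should come back with `; Transfer failed.`.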

Recon-ng

https://bitbucket.org/LaNMaSteR53/recon-ng

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.
Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

If you know how to use Metasploit, you should feel right at home using recon-ng. You can even automate recon-ng using resource files like you can with Metasploit.

Some of the modules are passive and never touch the target network, while others directly probe, and can even attack, the system you are targeting.

To install recon-ng in Kali, enter the command:

apt-get update && apt-get install recon-ng

At each level in recon-ng you can get help by typing the help and show commands.

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits the current context
delete Deletes records from the database
exit Exits the framework
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces

[recon-ng][default] > show
Shows various framework items

Usage: show [banner|companies|contacts|credentials|dashboard|domains|hosts|keys|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|repositories|schema|vulnerabilities|workspaces]

Recon-ng uses the concept of workspaces to organize targets. To add a workspace, use “workspaces add <workspaceName>”. The prompt will change from “default” to display the current workspace.

[recon-ng][default] > workspaces add demo

In the new workspace, add a company and domain:

[recon-ng][demo] > add companies
company (TEXT): SANS
description (TEXT): SANS
[recon-ng][demo] > add domains
domain (TEXT): sans.org

Full list of modules:

[recon-ng][default] > show modules

 Discovery
 ---------
 discovery/info_disclosure/cache_snoop
 discovery/info_disclosure/interesting_files

 Exploitation
 ------------
 exploitation/injection/command_injector
 exploitation/injection/xpath_bruter

 Import
 ------
 import/csv_file
 import/list

 Recon
 -----
 recon/companies-contacts/bing_linkedin_cache
 recon/companies-contacts/indeed
 recon/companies-contacts/jigsaw/point_usage
 recon/companies-contacts/jigsaw/purchase_contact
 recon/companies-contacts/jigsaw/search_contacts
 recon/companies-contacts/linkedin_auth
 recon/companies-multi/github_miner
 recon/companies-multi/whois_miner
 recon/contacts-contacts/mailtester
 recon/contacts-contacts/mangle
 recon/contacts-contacts/unmangle
 recon/contacts-credentials/hibp_breach
 recon/contacts-credentials/hibp_paste
 recon/contacts-domains/migrate_contacts
 recon/contacts-profiles/fullcontact
 recon/credentials-credentials/adobe
 recon/credentials-credentials/bozocrack
 recon/credentials-credentials/hashes_org
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts
 recon/hosts-hosts/bing_ip
 recon/hosts-hosts/freegeoip
 recon/hosts-hosts/ipinfodb
 recon/hosts-hosts/resolve
 recon/hosts-hosts/reverse_resolve
 recon/hosts-hosts/ssltools
 recon/hosts-locations/migrate_hosts
 recon/hosts-ports/shodan_ip
 recon/locations-locations/geocode
 recon/locations-locations/reverse_geocode
 recon/locations-pushpins/flickr
 recon/locations-pushpins/instagram
 recon/locations-pushpins/picasa
 recon/locations-pushpins/shodan
 recon/locations-pushpins/twitter
 recon/locations-pushpins/youtube
 recon/netblocks-companies/whois_orgs
 recon/netblocks-hosts/reverse_resolve
 recon/netblocks-hosts/shodan_net
 recon/netblocks-ports/census_2012
 recon/netblocks-ports/censysio
 recon/ports-hosts/migrate_ports
 recon/profiles-contacts/dev_diver
 recon/profiles-contacts/github_users
 recon/profiles-profiles/namechk
 recon/profiles-profiles/profiler
 recon/profiles-profiles/twitter_mentioned
 recon/profiles-profiles/twitter_mentions
 recon/profiles-repositories/github_repos
 recon/repositories-profiles/github_commits
 recon/repositories-vulnerabilities/gists_search
 recon/repositories-vulnerabilities/github_dorks

 Reporting
 ---------
 reporting/csv
 reporting/html
 reporting/json
 reporting/list
 reporting/pushpin
 reporting/xlsx
 reporting/xml

Striker Security has published an excellent guide to recon-ng modules. Get it here: https://strikersecurity.com/pdfs/recon-ng-guide.pdf

Instead of viewing the full list of modules, you can search for them.

[recon-ng][demo] > search domains
[*] Searching for 'domains'...

 Recon
 -----
 recon/contacts-domains/migrate_contacts
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts

To use a module, enter “use <full path to module>”. Recon-ng offers tab completion, so you can type a partial path and hit the tab key to complete each section of the path between slashes. Once you’ve entered a module, use “show info” to find module info and required parameters.

[recon-ng][demo][shodan_hostname] > use recon/domains-hosts/bing_domain_web
[recon-ng][demo][bing_domain_web] > show info

 Name: Bing Hostname Enumerator
 Path: modules/recon/domains-hosts/bing_domain_web.py
 Author: Tim Tomes (@LaNMaSteR53)

Description:
 Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the
 results.

Options:
 Name Current Value Required Description
 ------ ------------- -------- -----------
 SOURCE default yes source of input (see 'show info' for details)

Source Options:
 default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
 <string> string representing a single input
 <path> path to a file containing a list of inputs
 query <sql> database query returning one column of inputs

[recon-ng][demo][bing_domain_web] >

To start the module, enter “run”.

[recon-ng][demo][bing_domain_web] > run

--------
SANS.ORG
--------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asans.org
[*] [host] files.sans.org (<blank>)
[*] [host] labs.sans.org (<blank>)
[*] [host] www.sans.org (<blank>)
[*] [host] cyber-defense.sans.org (<blank>)
[*] [host] redmine.sans.org (<blank>)
[*] [host] securingthehuman.sans.org (<blank>)
[*] [host] software-security.sans.org (<blank>)
[*] [host] lists.sans.org (<blank>)
[*] [host] access.sans.org (<blank>)
[*] [host] digital-forensics.sans.org (<blank>)
[*] [host] sic.sans.org (<blank>)
[*] [host] uk.sans.org (<blank>)
[*] [host] ics.sans.org (<blank>)
[*] [host] pen-testing.sans.org (<blank>)
[*] [host] qms.sans.org (<blank>)
[*] [host] handlers.sans.org (<blank>)
[*] Sleeping to avoid lockout...

Now let’s check out any new hosts added to the database.

[recon-ng][demo][bing_domain_web] > show hosts

 +---------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +---------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
 | 5 | redmine.sans.org | | | | | | bing_domain_web |
 | 6 | securingthehuman.sans.org | | | | | | bing_domain_web |
 | 7 | software-security.sans.org | | | | | | bing_domain_web |
 | 8 | lists.sans.org | | | | | | bing_domain_web |

(cropped for brevity)

Let’s try a different module then take another look at the hosts.

[recon-ng][demo][bing_domain_web] > search shodan
[*] Searching for 'shodan'...

 Recon
 -----
 recon/domains-hosts/shodan_hostname
 recon/hosts-ports/shodan_ip
 recon/locations-pushpins/shodan
 recon/netblocks-hosts/shodan_net

[recon-ng][demo][bing_domain_web] > use recon/domains-hosts/shodan_hostname
[recon-ng][demo][shodan_hostname] > run

--------
SANS.ORG
--------
[*] Searching Shodan API for: hostname:sans.org
[*] [port] 204.51.94.14 (25/<blank>) - smtp31b.sans.org
[*] [host] smtp31b.sans.org (204.51.94.14)
[*] [port] 66.35.59.19 (80/<blank>) - web23a.den.sans.org
[*] [host] web23a.den.sans.org (66.35.59.19)
[*] [port] 66.35.59.8 (53/<blank>) - dns21b.sans.org
[*] [host] dns21b.sans.org (66.35.59.8)
(cropped for brevity)

[recon-ng][demo][shodan_hostname] > show hosts

 +--------------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +--------------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
(cropped for brevity)
 | 42 | smtp31b.sans.org | 204.51.94.14 | | | | | shodan_hostname |
 | 43 | web23a.den.sans.org | 66.35.59.19 | | | | | shodan_hostname |
 | 44 | dns21b.sans.org | 66.35.59.8 | | | | | shodan_hostname |
 | 45 | admin.sans.org | 204.51.94.215 | | | | | shodan_hostname |
 | 46 | 204-51-94-246.clp.sans.org | 204.51.94.246 | | | | | shodan_hostname |
 | 47 | labs.sans.org | 204.51.94.233 | | | | | shodan_hostname |
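Once recon-ng has filled the hosts table, the useful defender's question is which of those hosts nobody on your side knew about. The script below is an added example, not code from the post or from recon-ng; it assumes recon-ng 4.x keeps each workspace's tables in SQLite at ~/.recon-ng/workspaces/<workspace>/data.db, and build_sample_db() constructs an in-memory stand-in with the columns of the `show hosts` table above (example.org names and documentation addresses) so it runs offline. NETBLOCKS stands in for the CIDR a Network Lookup (see below) reports as yours.

```python
import ipaddress
import os
import sqlite3

# Constructed rows in the shape of `show hosts`: host, ip_address, module.
SAMPLE_HOSTS = [
    ("www.example.org", None, "bing_domain_web"),
    ("labs.example.org", None, "bing_domain_web"),
    ("smtp31b.example.org", "192.0.2.14", "shodan_hostname"),
    ("web23a.den.example.org", "192.0.2.19", "shodan_hostname"),
    ("dns21b.example.org", "192.0.2.8", "shodan_hostname"),
    ("admin.example.org", "192.0.2.215", "shodan_hostname"),
    ("labs.example.org", "198.51.100.233", "shodan_hostname"),
]
# What the asset register says exists, and the address range recorded as the org's own.
INVENTORY = ["www.example.org", "labs.example.org", "smtp31b.example.org", "dns21b.example.org"]
NETBLOCKS = ["192.0.2.0/24"]


def open_workspace(name):
    """Open a real workspace database (the path is an assumption about recon-ng 4.x)."""
    path = os.path.expanduser("~/.recon-ng/workspaces/%s/data.db" % name)
    return sqlite3.connect(path)


def build_sample_db():
    """In-memory copy of the hosts table so the example runs without recon-ng."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, "
                 "country TEXT, latitude TEXT, longitude TEXT, module TEXT)")
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
                     SAMPLE_HOSTS)
    return conn


def load_hosts(conn):
    """(host, ip_address, module) for every row recon-ng stored."""
    return conn.execute("SELECT host, ip_address, module FROM hosts ORDER BY host").fetchall()


def unknown_hosts(rows, inventory):
    """Hosts recon-ng found that the inventory does not list, keyed by hostname."""
    known = {h.lower() for h in inventory}
    found = {}
    for host, ip, module in rows:
        host = host.lower()
        if host in known:
            continue
        entry = found.setdefault(host, {"ips": set(), "modules": set()})
        if ip:
            entry["ips"].add(ip)
        entry["modules"].add(module)
    return {h: {"ips": sorted(e["ips"]), "modules": sorted(e["modules"])}
            for h, e in found.items()}


def outside_netblocks(rows, netblocks):
    """(host, ip) pairs that resolve outside the ranges recorded as the org's own."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    hits = set()
    for host, ip, _module in rows:
        if ip and not any(ipaddress.ip_address(ip) in net for net in nets):
            hits.add((host, ip))
    return sorted(hits)


if __name__ == "__main__":
    rows = load_hosts(build_sample_db())
    for host, info in sorted(unknown_hosts(rows, INVENTORY).items()):
        print("not in inventory: %s %s (found by %s)"
              % (host, ",".join(info["ips"]) or "-", ",".join(info["modules"])))
    for host, ip in outside_netblocks(rows, NETBLOCKS):
        print("outside our netblocks: %s -> %s" % (host, ip))
```

Replace build_sample_db() with open_workspace("demo") to run it against the workspace built above.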


Theharvester

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization. Source: https://code.google.com/p/theharvester/

┌─[kali]─[~]
└──> theharvester -d chkd.org -b all -e chsext1.chkd.org

*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.7 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************


Full harvest..
[-] Searching in Google..
 Searching 0 results...
 Searching 100 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
 Searching 50 results...
 Searching 100 results...
[-] Searching in Exalead..
 Searching 50 results...
 Searching 100 results...
 Searching 150 results...


[+] Emails found:
------------------
+john.harrington@chkd.org
ASampson@chkd.org
Amy.Sampson@chkd.org
Amy@chkd.org
Barbara.Benson@chkd.org
Beach@chkd.org
Beverly.Jacobson@chkd.org
(cropped for brevity)
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs... 
92.242.140.21:2Fwww.chkd.org
208.255.163.169:apihrp.chkd.org
157.21.35.200:kdmedia.chkd.org
208.255.163.168:mekids.chkd.org
208.255.163.189:webmail.chkd.org
208.255.163.163:www.chkd.org
[+] Virtual hosts:
==================
208.255.163.169 apihrp.chkd.org
157.21.35.200 kdmedia.chkd.org
208.255.163.189 webmail.chkd.org
208.255.163.163 www.chkd.org
208.255.163.163 208.255.163.163

Network-tools.com

This site offers a number of web-based tools, including:

Express
Ping
Trace
Whois (IDN Conversion Tool)
DNS Records (Advanced Tool)
Network Lookup
Spam Blacklist Check
URL Decode
URL Encode
HTTP Headers SSL
Email Tests

One of the tools I find useful on this site is the Network Lookup. Enter an IP address or domain name and it shows the network address and range, which is useful for finding the IP address ranges the target owns so they can be included in active scans. This is the output of running “Network Lookup” on www.sans.org.

NetRange: 66.35.59.0 - 66.35.59.255
CIDR: 66.35.59.0/24

Netcraft Toolbar

http://toolbar.netcraft.com/site_report

This site is useful to see what technology a website is running.

SiteDigger

http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

SiteDigger 3.0 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.


Shodan.io

https://www.shodan.io/

The search engine for the Internet of Things

Think of Shodan as a search engine that returns results that include the banner of a site or device. Want to find open vulnerable sites, VNC servers, IoT devices, webcams that don’t require authentication and allow you to waste hours of your day? You can also use shodan to generate a list of target IP addresses, export the list, and import into your security tool of choice.

You can find a free guide to Shodan on exploit-db.com: https://www.exploit-db.com/docs/33859.pdf

Maltego

Maltego Community Edition is pre-installed in Kali Linux.

Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet. Maltego uses the idea of transforms to automate the process of querying different data sources. This information is then displayed on a node based graph suited for performing link analysis.

Currently there are three versions of the Maltego client namely Maltego CE, Maltego Classic and Maltego XL. This page will focus on Maltego Community Edition (CE). All three Maltego clients come with access to a library of standard transforms for the discovery of data from a wide range of public sources that are commonly used in online investigations and digital forensics.

Port scan and grab banners in Python

Just a simple port scanner and banner grabber written in Python. I made it because I didn’t have admin privileges to install nmap at the time (I was a new employee, less than 90 days in), and I wanted to sharpen my Python skills and find out whether a particular port was open.

The instructions are simple. Just run “python simpleportscanner.py” and it will prompt for an IP address. It scans for specific tcp ports as is. Edit the code to scan the ports you desire or enter ports on the cli.

#!/usr/bin/env python
# Written for Python 2; the print_function import and the raw_input shim
# below let it run unchanged under Python 3 as well.
from __future__ import print_function
import socket
from multiprocessing.dummy import Pool as ThreadPool
from datetime import datetime

try:                      # Python 2: input() would evaluate the text, so use raw_input
    input = raw_input
except NameError:         # Python 3: input() already returns a string
    pass

# Ask for input
remoteServer = input("Enter a remote host to scan: ")
remoteServerIP = socket.gethostbyname(remoteServer)

# Print a nice banner with information on which host we are about to scan
print("-" * 60)
print("Please wait, scanning remote host", remoteServerIP)
print("-" * 60)

# Check what time the scan started
t1 = datetime.now()

def scan(port):
    """Connect to one TCP port; if it is open, send a probe and read the banner."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3)    # don't hang forever on filtered ports or silent services
    result = sock.connect_ex((remoteServerIP, port))
    if result == 0:
        try:
            sock.send(b"Server:\r\n")
            banner = sock.recv(1024)
        except socket.error:
            banner = b""  # open, but the service sent nothing within the timeout
        print("Port {}: Open".format(port), " - ", banner)
    sock.close()

# Map scan() over the port list with a small pool of worker threads
def scanParallel(ports, threads=4):
    pool = ThreadPool(threads)
    results = pool.map(scan, ports)
    pool.close()
    pool.join()
    return results

if __name__ == "__main__":
    ports = (20, 21, 22, 23, 53, 69, 80, 88, 110, 123, 135, 137, 138, 139, 143,
             161, 389, 443, 445, 464, 512, 513, 631, 860, 1080, 1433, 1434,
             3124, 3128, 3306, 3389, 5800, 5900, 8080, 10000)
    results = scanParallel(ports, 4)

    # Checking the time again
    t2 = datetime.now()

    # Calculate the difference, to see how long the script took to run
    total = t2 - t1

    # Printing the information to screen
    print("Scanning Completed in: ", total)

Get the code: https://raw.githubusercontent.com/sdcampbell/simpleportscanner/master/simpleportscanner.py
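Because this is a connect scan, every probe completes a TCP handshake (or draws a RST) and leaves a connection record on the target. The following is an added example, not part of the original post, showing how a defender can spot that pattern in connection logs: it flags any source that touches a threshold of distinct ports on one host inside a short window. The log format and the sample lines are constructed for the example, and it needs Python 3.7 or later.

```python
#!/usr/bin/env python3
"""Flag connect-scan bursts in a simple connection log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format: "<ISO time> <src> -> <dst>:<dport> <flags>".
# 10.0.0.5 hits many ports on 10.0.0.20 within seconds, which is the shape
# the threaded connect scanner above produces; 10.0.0.7 is normal traffic.
SAMPLE_LOG = """\
2016-10-26T09:00:00 10.0.0.7 -> 10.0.0.20:443 S
2016-10-26T09:00:01 10.0.0.5 -> 10.0.0.20:21 S
2016-10-26T09:00:01 10.0.0.5 -> 10.0.0.20:22 S
2016-10-26T09:00:01 10.0.0.5 -> 10.0.0.20:23 S
2016-10-26T09:00:02 10.0.0.5 -> 10.0.0.20:53 S
2016-10-26T09:00:02 10.0.0.5 -> 10.0.0.20:80 S
2016-10-26T09:00:02 10.0.0.5 -> 10.0.0.20:110 S
2016-10-26T09:00:03 10.0.0.5 -> 10.0.0.20:135 S
2016-10-26T09:00:03 10.0.0.5 -> 10.0.0.20:139 S
2016-10-26T09:00:03 10.0.0.5 -> 10.0.0.20:443 S
2016-10-26T09:00:04 10.0.0.5 -> 10.0.0.20:445 S
2016-10-26T09:00:04 10.0.0.5 -> 10.0.0.20:3389 S
2016-10-26T09:05:00 10.0.0.7 -> 10.0.0.20:80 S
2016-10-26T09:05:01 10.0.0.7 -> 10.0.0.20:443 S
"""

def parse_line(line):
    """Return (timestamp, src, dst, dport) for one log line."""
    ts, src, _arrow, dst_port, _flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_scanners(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {(src, dst): max distinct ports seen in any `window`} for pairs
    that reach `threshold`; slow scans spread beyond the window stay below it."""
    events = defaultdict(list)          # (src, dst) -> [(ts, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window's left edge
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in find_scanners(SAMPLE_LOG).items():
        print("possible port scan: %s -> %s (%d distinct ports)" % (src, dst, n))
```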

Bounce Scan Python Script

I was giving a presentation on Passive Information Gathering this week to the 757 White Hat Hacker meetup group that I organize. I found this website, yougetsignal.com, which allows you to scan a limited range of ports on your internet gateway IP address, or to specify an IP address and port to scan.

The hacker in me thought about how I could use this to perform passive reconnaissance. I’m always looking for a reason to solve a problem or save some time using Python, and this seemed like a good excuse to brush up on my Python web request skills. Sure, this may not be very useful to some. For me it’s an excuse to learn Python web requests. Feel free to use it and suggest improvements on my github page. Don’t be too harsh, I know there are a lot of things I can improve in this script. This is just something I whipped up quickly before breakfast this morning.

The HTTP request captured by Burp Suite:

[screenshot: the captured HTTP request]

The code:

#!/usr/bin/env python

# Import our libraries
import sys
import requests
from bs4 import BeautifulSoup

# Get the IP address from the command line
if len(sys.argv) != 2:
    sys.exit("usage: bounce-scan.py <ip-address>")
ipAddress = sys.argv[1]
# The yougetsignal.com endpoint that performs the scan on our behalf
url = "http://ports.yougetsignal.com/short-scan.php"
# Our post value
values = {"remoteAddress": ipAddress}
# Do the post (with a timeout so a slow response can't hang the script)
r = requests.post(url, data=values, timeout=60)
r.raise_for_status()
# Use BeautifulSoup to parse the html
soup = BeautifulSoup(r.content, 'html.parser')
# Strip the html out and print the text
print(soup.get_text())

The result of scanning 8.8.8.8:

C:\Users\sdcam\Documents>python bounce-scan.py 8.8.8.8
 Port 21 is closed on 8.8.8.8.
 Port 22 is closed on 8.8.8.8.
 Port 23 is closed on 8.8.8.8.
 Port 25 is closed on 8.8.8.8.
 Port 53 is open on 8.8.8.8.
 Port 80 is closed on 8.8.8.8.
 Port 110 is closed on 8.8.8.8.
 Port 115 is closed on 8.8.8.8.
 Port 135 is closed on 8.8.8.8.
 Port 139 is closed on 8.8.8.8.
 Port 143 is closed on 8.8.8.8.
 Port 194 is closed on 8.8.8.8.
 Port 443 is closed on 8.8.8.8.
 Port 445 is closed on 8.8.8.8.
 Port 1433 is closed on 8.8.8.8.
 Port 3306 is closed on 8.8.8.8.
 Port 3389 is closed on 8.8.8.8.
 Port 5632 is closed on 8.8.8.8.
 Port 5900 is closed on 8.8.8.8.
 Port 6112 is closed on 8.8.8.8.

My first Capture the Flag

I participated in my first CTF at Bsides Raleigh last week. I had an awesome time and placed 4th out of 23 teams despite losing more than half of the competition time while watching conference presentations, and competing solo. I was really surprised to receive a prize for 4th place. I got a Software Defined Radio (SDR) USB device. I jokingly said that they must have felt sorry for the old guy competing in his first CTF and dug a prize out of their personal stash. 🙂

Hacking the Internet of Things

I’m sitting around the house on a rainy Saturday, hacking on IoT (Internet of Things) devices (that I own), and discovered these command injection vulnerabilities. 🙂

The first command injection vulnerability was blind. I started up Wireshark and filtered on icmp and saw the pings. I removed the PHPSESSID from the cookie and the exploit worked without authentication.


This command injection vulnerability was a little easier to find due to the run_cmd in the response. It was so gratifying to see “root” printed on the screen!


I removed the PHPSESSID from the cookie and resubmitted the request from another computer and got unauthenticated command injection.


I’ve disclosed these vulnerabilities to the manufacturer and will provide an update with full disclosure after they have had time to fix the issues.

Seattle 0.3 Walk Through Part 1

This is my walk through of the Seattle 0.3 Vulnhub challenge by Holly Graceful. I did this challenge as a basic tutorial on the OWASP Top Ten web vulnerabilities that I presented to my infosec meetup group during our October 5th meeting. I performed this penetration test on level 1 and will follow up later with a post on level 2. Level 2 includes input filtering.

I began the pentest by performing nmap scans. The nmap option -sS is a SYN scan; -A is shorthand for a few other common options and means “Enable OS detection, version detection, script scanning, and traceroute”; -p- is shorthand for scanning all 65535 TCP ports.

root@kali:~# nmap -sS -A -p- 10.0.2.4
Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-04 05:32 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00100s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.16 ((Fedora) OpenSSL/1.0.2d-fips PHP/5.6.14)
|_http-server-header: Apache/2.4.16 (Fedora) OpenSSL/1.0.2d-fips PHP/5.6.14
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:28:50:62 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop

A search of cvedetails.com for this version of Apache turned up nothing. All listed vulnerabilities for OpenSSL were related to DoS or info.

An nmap UDP scan didn’t detect any open ports.

A nikto scan discovered a few interesting details.

Issue #1: Sensitive file disclosure. The /admin and /downloads directories allow directory indexes. The /info.php and /config.php files are available. The /info.php file prints the output of phpinfo(), which exposes the server configuration and may come in handy. The /config.php file doesn’t output anything to the page; however, we’ll circle back to that later. 😉

root@kali:~# nikto -h http://10.0.2.4
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.2.4
+ Target Hostname: 10.0.2.4
+ Target Port: 80
+ Start Time: 2016-10-04 05:38:54 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.2d-fips PHP/5.6.14
+ Retrieved x-powered-by header: PHP/5.6.14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie level created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Uncommon header 'content-disposition' found, with contents: filename="downloads"
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /downloads/: Directory indexing found.
+ OSVDB-3092: /downloads/: This might be interesting...
+ Server leaks inodes via ETags, header found with file /manual/, fields: 0x2304 0x51b0c59e09040
+ OSVDB-3092: /manual/: Web server manual found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie lang created without the httponly flag
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 8345 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time: 2016-10-04 05:39:06 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

[screenshot: the main page]

A quick check found no /robots.txt file. The robots.txt file tells search engines which directories they shouldn’t index in the search results, so it is a good place to check for sensitive directories that a webmaster wouldn’t want showing up in search results.

I started up OWASP ZAP and configured Firefox to use the ZAP proxy for further testing.

While mousing over the links at the bottom of the page I find some interesting links. The Catalouge link points to /download.php?item=Brochure.pdf.

Issue #2: LFI (and path traversal) at /download.php?item=../../../../../etc/passwd.


This means we can also grab any other file on the system that the web server’s user can read. Let’s grab that config.php file I mentioned earlier. Now we have the database credentials, and we can also save all of the PHP source files to analyze for vulnerabilities.


Issue #3: SQL Injection, time-based blind and error-based – There were numerous SQL injection vulnerabilities in this site so I grouped them together.

Error-based SQL Injection in the cookie SessionId. I added a single quote after the cookie SessionId and found a SQL error in the response.


I visited the Vinyl page at URL /products.php?type=1. I added a single quote and was redirected back to the main index page. I thought that was odd, so I checked the response in ZAP.

[screenshot: the request and response in ZAP]

Notice that in the lower pane, the request URL is highlighted. The “%27” at the end of the URL is the URL encoding of the single quote. In the upper-right pane the response is selected. In the middle pane I’ve highlighted the SQL error that shows a blind SQL injection is present. I fed the URL to sqlmap to verify.

root@kali:~# sqlmap --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4" -u "http://10.0.2.4/products.php?type=1" --level=5 --risk=3 --dbms=MYSQL


Select any product, then insert a single quote after the prod id to exploit an error-based SQL injection.


root@kali:~# sqlmap --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4" -u "http://10.0.2.4/details.php?prod=5&type=2" -p prod --level=5 --risk=3 --dbms=MYSQL


SQL Injection in the login form – I’m able to log in with an email of admin@seattlesounds.net and the password

"' or 1=1 -- "

Issue #4: Local File Include (LFI) – The footer of each page includes a link to set the currency: GBP, EUR, or USD. The currency is set in the cookie. I selected USD at /products.php?lang=USD. Next I changed the URL to /products.php?lang=/etc/passwd and then clicked on the Vinyl page.


Another way to exploit this to get the contents of PHP files is to use the php://filter stream wrapper. I changed the URL to /products.php?lang=php://filter/convert.base64-encode/resource=config.php, then clicked on the Vinyl or Clothing page and got the contents of config.php echoed to the page in base64. I copied and pasted the base64 string into a command prompt and piped it to “base64 -d” to decode.
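Issues #2 and #4 share one root cause: a file name taken straight from the request is handed to the file system (and, through php://filter, to PHP’s stream layer). The following added example, not code from the Seattle VM or its author, shows the two server-side fixes a developer would apply: resolving download names against a confined base directory and choosing the currency include from an allowlist. The directory and file names are assumptions.

```python
#!/usr/bin/env python3
"""Added example: confining user-supplied file names the way download.php?item=
and products.php?lang= should have. Not code from the Seattle 0.3 VM."""
import posixpath
from urllib.parse import urlsplit

# Hypothetical document root for the brochures and an allowlist for the
# per-currency include files (names assumed for the example).
DOWNLOAD_DIR = "/var/www/seattle/downloads"
CURRENCY_FILES = {"GBP": "GBP.php", "EUR": "EUR.php", "USD": "USD.php"}

def resolve_download(item, base_dir=DOWNLOAD_DIR):
    """Return the absolute path for `item`, or None if it must not be served.

    Rejects stream wrappers and URLs (php://filter..., http://...), absolute
    paths, NUL bytes, and any '..' sequence that climbs out of base_dir; the
    last check works on the normalised path, not on the raw string.
    """
    if not item or urlsplit(item).scheme:      # php://, http://, file:// ...
        return None
    if posixpath.isabs(item) or "\x00" in item:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, item))
    # Must be strictly inside base_dir; the trailing "/" stops a sibling
    # directory such as /var/www/seattle/downloads-old from matching.
    if not candidate.startswith(base + "/"):
        return None
    # On a live server, also compare realpath() results so symlinks inside
    # the directory cannot point back out of it.
    return candidate

def resolve_currency(lang):
    """Allowlist lookup: the only safe way to pick an include from a cookie."""
    return CURRENCY_FILES.get(lang)

if __name__ == "__main__":
    for probe in ("Brochure.pdf", "../../../../../etc/passwd",
                  "php://filter/convert.base64-encode/resource=config.php"):
        print(repr(probe), "->", resolve_download(probe))
    print("USD ->", resolve_currency("USD"),
          "| /etc/passwd ->", resolve_currency("/etc/passwd"))
```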


Issue #5: User name and password enumeration – On the My Account page, the error message tells you whether it was the email or the password that was incorrect.

When entering an invalid email address:

[screenshot: error shown for an invalid email address]

When entering an invalid password:

[screenshot: error shown for an invalid password]

Issue #6: Insecure Direct Object Reference – The URL /blog.php?author=1 gives us the admin email address (admin@seattlesounds.net) which is half of the info we need to login.

Issue #7: Weak administrator password – I sent a login request from ZAP to the fuzzer and found the password was “password”. Of course I could have also used sqlmap with one of the SQL injection vulnerabilities found earlier to dump the password.


Issue #8: Stored XSS – In the blog posts there wasn’t any filtering of user input. In this example I echoed the document cookie. We could have inserted a malicious link to hook the user with BeEF or other malicious payload.


Issue #9: Hard-coded SessionId. The admin account has the same cookie SessionId value after every login. An attacker can intercept the HTTP request using the ZAP or Burp Suite browser proxies or the Tamper Data Firefox add-on and substitute the cookie SessionId to gain admin access.