Web enumeration
It is important to note that OSINT is an independent procedure and should be performed separately from enumeration because OSINT is based exclusively on passive information gathering and does not involve active enumeration of the given target. Enumeration is a loop in which we repeatedly gather information based on what data we have or have already discovered.
Principles:
1. There is more than meets the eye. Consider all points of view.
2. Distinguish between what we see and what we do not see.
3. There are always ways to gain more information. Understand the target.
The layers of the methodology are like walls that must be penetrated to reach the next layer. The following is a checklist of areas to explore based on the diagram above.
Layer | Description | Information Categories |
---|---|---|
1. Internet Presence | Identification of internet presence and externally accessible infrastructure. We aim to identify all possible target systems and interfaces that can be tested. | Domains, Subdomains, vHosts, ASN, Netblocks, IP Addresses, Cloud Instances, Security Measures |
2. Gateway | Identify the possible security measures to protect the company’s external and internal infrastructure. We need to understand what we are dealing with and what we need to watch out for. | Firewalls, DMZ, IPS/IDS, EDR, Proxies, NAC, Network Segmentation, VPN, Cloudflare |
3. Accessible Services | Identify accessible interfaces and services that are hosted externally or internally. We aim to gain the necessary knowledge to communicate with the target system and exploit it. | Service Type, Functionality, Configuration, Port, Version, Interface |
4. Processes | Identify the internal processes, sources, and destinations associated with the services. | PID, Processed Data, Tasks, Source, Destination |
5. Privileges | Identification of the internal permissions and privileges to the accessible services. | Groups, Users, Permissions, Restrictions, Environment |
6. OS Setup | Identification of the internal components and systems setup. We use internal access to get an overview of the internal security of the systems to see how they are managed and what sensitive information we can glean from them. | OS Type, Patch Level, Network config, OS Environment, Configuration files, sensitive private files |
Gobuster
GoBuster is a versatile tool that allows for performing DNS, vhost, and directory brute-forcing. A 200 status indicates the request was successful.
[!bash!]$ gobuster dir -u http://10.10.10.121/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.121/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/12/11 21:47:25 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.php (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/12/11 21:47:46 Finished
===============================================================
Banner grabbing
cURL
The -I flag (also --head) tells curl to fetch only the response headers; -L (or --location) tells it to follow redirects.
[!bash!]$ curl -IL https://www.inlanefreight.com
HTTP/1.1 200 OK
Date: Fri, 18 Dec 2020 22:24:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Link: https://www.inlanefreight.com/index.php/wp-json/; rel="https://api.w.org/"
Link: https://www.inlanefreight.com/; rel=shortlink
Content-Type: text/html; charset=UTF-8
Whatweb
[!bash!]$ whatweb 10.10.10.121
http://10.10.10.121 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], Email[license@php.net], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.121], Title[PHP 7.4.3 - phpinfo()]
Misc
- Check certificates for information.
- Check robots.txt.
- Check the page's source code.
Infrastructure Enumeration
This can be gathered passively without direct or active scans. Begin by scrutinizing the company’s website. Think about what services and technologies the company would use to conduct their business.
Check the company’s SSL certificate. Are there other domains tied to it?
crt.sh
Another source to find more subdomains is https://crt.sh. You can output the results as JSON like this:
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq .
or filter them by domains like this:
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
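The pipeline above is hard to read and fragile, so here is an added example (not from the original notes) that does the same extraction in Python on a constructed crt.sh-style response: it reads only common_name and name_value (the issuer_name field is where the "CN=" lines come from), splits the newline-separated SANs, drops wildcards by default, and rejects lookalike names that merely contain the target domain.

```python
import json

# Constructed sample in the shape crt.sh returns for ?q=<domain>&output=json
# (not a real crt.sh response): name_value carries newline-separated SANs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.inlanefreight.com",
     "name_value": "inlanefreight.com\nwww.inlanefreight.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.inlanefreight.com",
     "name_value": "*.inlanefreight.com\nblog.inlanefreight.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.inlanefreight.com",
     "name_value": "mail.inlanefreight.com\nnotinlanefreight.com"},
])


def extract_subdomains(raw_json, domain, keep_wildcards=False):
    """Return sorted unique hostnames under ``domain`` from a crt.sh JSON response.

    Mirrors the grep/cut/awk pipeline: only common_name and name_value are
    consulted (issuer_name is skipped, so 'CN=' never leaks through),
    name_value is split on its embedded newlines, and names are filtered so
    that 'notinlanefreight.com'-style lookalikes are not counted.
    """
    suffix = "." + domain.lower()
    found = set()
    for entry in json.loads(raw_json):
        candidates = [entry.get("common_name", "")]
        candidates += entry.get("name_value", "").split("\n")
        for name in candidates:
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*.") and not keep_wildcards:
                continue  # a wildcard cert names no concrete host to probe
            if name != domain.lower() and not name.endswith(suffix):
                continue  # lookalike or unrelated SAN on a shared certificate
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "inlanefreight.com"):
        print(host)
```

Against a live response, pipe `curl -s 'https://crt.sh/?q=inlanefreight.com&output=json'` into the script instead of the constructed sample.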
Shodan
Shodan can be used to find devices and systems permanently connected to the Internet, like Internet of Things (IoT) devices. It searches the Internet for open TCP/IP ports and filters the systems according to specific terms and criteria. For example, it searches for open HTTP or HTTPS ports and other server ports for FTP, SSH, SNMP, Telnet, RTSP, or SIP. As a result, we can find devices and systems such as surveillance cameras, servers, smart home systems, industrial controllers, traffic lights and traffic controllers, and various network components.
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
for i in $(cat ip-addresses.txt);do shodan host $i;done
dig
Then use dig to query all available DNS records. Many servers answer ANY queries only minimally (RFC 8482), so if the output is sparse, query the record types (A, MX, NS, TXT, ...) individually.
dig any inlanefreight.com
domain.glass
Third-party providers such as https://domain.glass can also tell us a lot about the company's infrastructure.
GrayHatWarfare
Another very useful provider is GrayHatWarfare.
Staff
Searching for and identifying employees on social media platforms can also reveal a lot about the teams’ infrastructure and makeup. This, in turn, can lead to us identifying which technologies, programming languages, and even software applications are being used.
DNS subdomain enumeration
There also may be essential resources hosted on subdomains, such as admin panels or applications with additional functionality that could be exploited. The SecLists GitHub repo contains many useful lists for fuzzing and exploitation.
Install SecLists
[!bash!]$ git clone https://github.com/danielmiessler/SecLists
[!bash!]$ sudo apt install seclists -y
Next, add a DNS server such as 1.1.1.1 to the /etc/resolv.conf file. We will target the domain inlanefreight.com, the website for a fictional freight and logistics company.
[!bash!]$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Domain: inlanefreight.com
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/namelist.txt
===============================================================
2020/12/17 23:08:55 Starting gobuster
===============================================================
Found: blog.inlanefreight.com
Found: customer.inlanefreight.com
Found: my.inlanefreight.com
Found: ns1.inlanefreight.com
Found: ns2.inlanefreight.com
Found: ns3.inlanefreight.com
===============================================================
2020/12/17 23:10:34 Finished
===============================================================
Host Enumeration
FTP
Read about FTP hacking.
SMB
Read about SMB hacking.
NFS
Read about NFS hacking.
DNS
Read about DNS hacking.
SMTP
Read about SMTP hacking.
IMAP/POP3
Read about IMAP/POP3 hacking.
SNMP
Read about SNMP hacking.
MySQL
Read about MySQL hacking.
Oracle TNS
Read about Oracle hacking.
IPMI
Read about IPMI hacking.
nmap
nmap --help
<SNIP>
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
<SNIP>
Read more about nmap.
Service Enumeration
Using Tcpdump and nc to enumerate a service
Of course, Nmap may not be entirely accurate, but it is quick. It primarily identifies services by their banners. You can manually examine the banners using a combination of tcpdump and nc.
First, start tcpdump.
sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Then connect to the service using nc to capture the banners (and traffic).
nc -nv 10.129.2.28 25
Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)
The intercepted traffic gives more information about the service than we would get from Nmap. In this dump, the first three lines are the three-way handshake. After that, the target SMTP server sends us a TCP packet with the PSH and ACK flags set: PSH indicates that the server is pushing data to us, and ACK simultaneously acknowledges the data it has received from us. The last TCP packet, which we send, confirms receipt of the banner data with an ACK.
18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0
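To make the reading of the dump above mechanical, here is an added example (not part of the original notes) that parses tcpdump's one-line TCP summaries, decodes the flag letters, verifies the SYN / SYN-ACK / ACK handshake, and pulls out the banner from the first PSH/ACK segment the server sends. The capture embedded below is a constructed copy of the exchange shown above.

```python
import re

# Constructed capture in tcpdump's default one-line format, modelled on the
# SMTP exchange above (client 10.10.14.2 -> server 10.129.2.28:25); not a live trace.
SAMPLE_CAPTURE = """\
18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r".*?length (?P<length>\d+)(?:: (?P<payload>.*))?$"
)
# tcpdump prints '.' for ACK and single letters for the other TCP flags.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}


def parse_tcpdump(text):
    """Parse tcpdump one-line TCP summaries into dicts; non-matching lines are skipped."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seg = m.groupdict()
        seg["length"] = int(seg["length"])
        seg["flags"] = [FLAG_NAMES.get(c, c) for c in seg["flags"]]
        segments.append(seg)
    return segments


def describe_exchange(segments):
    """Check the three-way handshake and return the banner the server pushed."""
    if len(segments) < 3:
        return {"handshake": False, "banner": None, "server": None}
    syn, synack, ack = segments[:3]
    handshake = (
        syn["flags"] == ["SYN"]
        and synack["flags"] == ["SYN", "ACK"] and synack["src"] == syn["dst"]
        and ack["flags"] == ["ACK"] and ack["src"] == syn["src"]
    )
    # The banner is the first data-carrying PSH/ACK segment from the server.
    banner = next((s["payload"] for s in segments[3:]
                   if s["src"] == syn["dst"] and "PSH" in s["flags"] and s["length"] > 0), None)
    return {"handshake": handshake, "banner": banner, "server": syn["dst"]}
```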