0x5-osint

-----------------------------------------------------------------
osint
6:55 p.m.
Thursday, November 28, 2019, Toronto, ON
------------------------------------------------------------------
#1 recon:
passive: use social media like LI,gmail, etc
active: traffic against site (nmap, nikto, etc)

location imaging: drones, satellite images, building layouts (badge readers, security, break areas, fencing)
job info: employee (name, title, job title, phone #, manager) -- profile/topology
pictures (badge photos, desk photos, computer photos, etc)

[[web/host recon]]
target validation: whois, nslookup, dnsrecon
finding subdomains: google fu, dig, nmap, sublist3r, bluto, crt.sh, etc
fingerprinting: nmap, wappalyzer, whatweb, builtwith, netcat(to get the headers of the site)
databreaches: haveibeenpwned, + etc

active: using nmap etc

[[round 1]]
riddler.io
findsubdomains.com>spyse.com
certdb.com/api-documentation
bugcrowd-->choose prgam
hunter.io-->find pattern in name
google> site:tesla.com -www filetype:pdf
~$ theharvester (built in kali)
netcraft
crt.sh


#-----------------------------------------t-0-0-l-z-----------------------------------------------------------------------------
# zmap/masscan - fast/new scanner for iPv4
# mmkatz -post exploit tool (extract pwds + ntlm hashes)
# canvas comm.(immunity) -exploit fwork, like cobaltstrike, 
# innuendo comm.(immunity) - postexploit implant fwork
# binwalk - analyze firmware images + serach hardcoded pwds, apikeys,etc
# tor - anonymity/not encryption
# cain/able - pwd cracker/snip voip/mitm against rdp, etc (windows only)
# ncrack((creator of nmap))- bforce pwds for RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet
# oclhashcat - hash db>pwd
# aircrack-ng - wireless nwork attacks
# sqlmap - detect sqlinj + dump db info + inject w/ shell access
# set (social engineer tk)-client side attack (create phish email, send, exploit)
# evilgrade - mitm attck via fake upgrade (over 63 fakeupdates) 
# sslstrip - attacks httpS + replaces unencrypted connection favicon with padlock for brownie poointz!
# ettercap - tools for mitm attck(from inj>xploit)
# metasploit - xploit dev+pentest tool(both server/client attcks+meterpreter(custom payload)+armitage point n click attcks)
#-----------------------------------------------------------------------------------------------------------------------------


wappalyzer - use to get site info, w/o sharingip

#2 scanning/enumeration:

tcp (connection-oriented):
-http,ftp, telnet,
-has handshake
-uses apps tht needs high reliability

udp (connection-less):dns,dhcp,snmp
-no handshake
-used on apps tht needs fast connections

#-------------------------N-M-A-P-----------------------------------------
#
# nmap -T4
# T1:T5 (speeds-t1 slow - t5 fast : faster might miss / migt get detected)
# -A (all, enables OS/version detection, script scan, tracert, much info as possible)
# -P (port range, 1-65,535k, otherwise will search thru commmon 1k)
#
# nmap -sU -T4 10.88.111.10
#
# udp is rlly slow(need to use it for oscp,htb,etc)
#
#---------------------------------M-E-T-A-S-P-L-O-I-T-----------------
#
# ls /usr/share/nmap/scripts
# ^all scripts available via nmap
#
# eternal blue
# smd-vuln-ms17-010.nse
# enumeration is the most !!
#
# check for ciphers first 
#
# nmap -p 443 --script=all #runs all scripts in the folder + time consume)
# nmap -p 443 --script=ssl-enum-ciphers rbc[.]com
#
# CDE5-3998-F178-FBDE-0EFB
#
#
# msploit(msfconsole):
# -5 modules?
# -auxiliary (enumeration/scaning)
# -xploit
# -post-x
#
#  >msfconsole (exes msploit
#  >search portscan (looks for modules)
#  >use auxiliary/scanner/portscan/tcp (specific scanner for syn packets)
#  >options (more requirements)
#  >set ports 1-65535 (change ports)
#  >set rhosts 192.168.0.1
#  >run (or >exploit)
#
#  >use auxiliary (lists all)
#  >search tomcat (lists xploits)
#  >search apache
#  >search eternalblue 
#
#
#  (rhost = 1 target)
#  (rhosts= a range of targets)
#
# webapp assessment vs pentest
# e.g, vulnerabilites(xss,csrf) < exploit (sql inj, cred stuff, pwd spray)
#
#--------------------------------------------N-I-K-T-O--------------------------------
# webserver vulns (missing headers, xss etc)
#
# $ nikto -h https://example.com	
#
#
#
#
#
#----------------B-U-R-P-S-U-I-T-E------------
# invest $400 to get the pro edition - webapp vulns
# need nessus+burpsuite=~2900 (cobaltstrike=~7k)
#
# first congifure browser settings to manual proxy > 127.0.0.1 port 8080 (accept all protocols)
#	proxy tab > intercept on > fwd x 10
#	target tab > r.clk main domain > add to scope   
#	filter > show only in scope
#	right click scope domain > scan (pro version)
# scan details > crawl/audit+crawl>audit only
#	default resource pool > 10 (default) or 1
#
#
#
#
#----------------K-I-O-P-T-R-I-X------------------------------
#
download kioptrix1
apt get install unrar
unrar -e 

<a>discovering the -range of this network (192.168.0.10) try to findhost
<b> /etc/init.d/nessusd start 
----sudo !!
<c>https://hostname:8834

list usrs:
 /opt/nessus/sbin/nessuscli lsuser

1.run nessus basic scan
2.run nmap (nmap -A -T4 -Pn -p22,80,111,139,443,32768 10.88.xxx.x)
*up arrow to get update*
**rpcbind is open wen 139 samba smdb is open

7:20:8
#
#
#
#
#
#
#
#
#-------------------------------------------




#3 gaining access:

#4 maintaining access:

#5 covering tracks:


6:50:45 / 15:11:37
--


https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
https://booksite.elsevier.com/9781597499576/chapters.php