
Example walkthrough

RcDS edited this page Sep 13, 2019 · 15 revisions

The Orca has plenty of contextual help, so please refer to it with the -h or --help option if you get stuck. If you have enabled tab completion, that is also a bit of a lifesaver!

Orca is centered around a "project" which is the collection of all the information you want to collect about a specific target. The project is given a title which is used with (almost) all Orca commands to reference the information you've collected.

Let's get started!

Before the fun begins, you need to:

  • Initialize the SHODAN API access with your key, e.g., orca-recon init <API KEY>
  • Initialize the PyASN db which contains Autonomous System ownership information. This will be done automatically when Orca starts if Orca does not detect the PyASN database on start-up.

Add

In order to perform an effective recon task, we need some initial information about the target. The Orca calls this "asset data". To get going we need to add some asset data.

We can either:

  1. Add asset data from the command line, e.g., orca-recon add from_cli tesla -d tesla.com
  2. Add asset data from a file, e.g., orca-recon add from_file tesla -f tesla.txt -t domain
  3. Add asset data from Domain Tools, specifically a CSV export from a reverse WHOIS search, e.g., orca-recon add import_domaintools -i tesla.csv tesla

We can add assets of different types:

  • domains, e.g., tesla.com
  • IP addresses, e.g., 8.8.8.8
  • hostnames, e.g., ftp.tesla.com
  • CIDR prefixes, e.g., 205.234.27.192/26

Discover

In the case where you have only a target's name, but no domains, you can use the two Discover modules to attempt to find domains related to a target:

  1. Discover domains related to a target via a Google search, e.g., orca-recon discover domains_google tesla -o tesla
  2. Discover domains related to a target via a SHODAN search, e.g., orca-recon discover domains_shodan tesla -o tesla

For each domain that is discovered by this method, the tool will prompt you whether you wish to save the domain to the asset data in the database, for example:

[?] Starting Google scraping for domains for tesla
[!] Found 12 from Google

Discovered domain: tesla.com
Accept domain? [y/N]:

If you want to see the assets that you have added, you can review the contents by using the commands in the "Explore" command group.

Enum

Once asset data has been loaded into the database, additional information about those assets can be discovered. The steps below assume that you have added target domains as asset data.

Enumerating subdomains (hostnames)

The first natural step is to discover subdomains (in this case, hostnames) associated with the target's domains:

  1. Enumerate subdomains with DNS Dumpster, e.g., orca-recon enum subdomains_dumpster tesla
  2. Enumerate subdomains with Certificate Transparency logs (via crt.sh), e.g., orca-recon enum subdomains_crtsh tesla

Enumerating services with SHODAN

Once subdomains (hostnames) have been added, they can be looked up in SHODAN. For example, orca-recon enum services_shodan tesla

This will take all the IP addresses associated with the subdomains (hostnames) that you have discovered, look up the results in SHODAN and store the results in the database.

In addition to the standard information about ports and services, Orca will also collect the CVE information if provided by SHODAN, for example:

IP Address - 45.33.49.119 [ack.nmap.org]
       Ports: 25,443,80,22
     Modules: smtp,https,http,ssh
   AS Number: AS63949
    Netblock: 45.33.49.0/24
Organization: Linode, LLC
     Country: USA
         CPE: smtp:cpe:/a:postfix:postfix,https:cpe:/a:apache:http_server:2.4.6,http:cpe:/a:apache:http_server:2.4.6
               CVE-2014-0117 [CVSS: 4.3 - Module: https]: "The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers..."                        
               CVE-2014-0118 [CVSS: 4.3 - Module: https]: "The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when..."                             
               CVE-2016-0736 [CVSS: 5.0 - Module: https]: "In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured..."                              
               CVE-2015-3185 [CVSS: 4.3 - Module: https]: "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a..."

This information can be used to discover publicly available exploits for certain CVEs through the CVE-Search tool. Note that SHODAN derives the CVE list from the version in the service banner (the CPE), so a distribution build that backports fixes without changing its version string will show CVEs that have already been patched; treat the list as leads to verify, not confirmed findings.
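Added example, not Orca's own code: it parses the plain-text host summary shown above (copied into SAMPLE, with the CVE descriptions truncated exactly as on the page), splits each CPE 2.2 URI into vendor/product/version, and checks whether the banner version really falls inside the range that each CVE description names, so the operator can sort SHODAN's CVE list by CVSS and spot entries whose version range does not actually cover the observed build. The "before X" and "versions A to B" phrasing it looks for is an assumption about NVD-style descriptions, not something Orca guarantees.

```python
"""Triage the CPE and CVE annotations of an Orca services_shodan summary."""
import re
from typing import Dict, List, Optional, Tuple

# Host block copied from the page above (descriptions truncated as printed).
SAMPLE = """\
IP Address - 45.33.49.119 [ack.nmap.org]
       Ports: 25,443,80,22
     Modules: smtp,https,http,ssh
   AS Number: AS63949
    Netblock: 45.33.49.0/24
Organization: Linode, LLC
     Country: USA
         CPE: smtp:cpe:/a:postfix:postfix,https:cpe:/a:apache:http_server:2.4.6,http:cpe:/a:apache:http_server:2.4.6
               CVE-2014-0117 [CVSS: 4.3 - Module: https]: "The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers..."
               CVE-2014-0118 [CVSS: 4.3 - Module: https]: "The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when..."
               CVE-2016-0736 [CVSS: 5.0 - Module: https]: "In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured..."
               CVE-2015-3185 [CVSS: 4.3 - Module: https]: "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a..."
"""

# "<module>:cpe:/<part>:<vendor>:<product>[:<version>]" as printed on the CPE line.
CPE_RE = re.compile(
    r"^(?P<module>[\w-]+):cpe:/(?P<part>[aho]):(?P<vendor>[^:]+):(?P<product>[^:]+)"
    r"(?::(?P<version>[^:]+))?"
)
# 'CVE-YYYY-NNNN [CVSS: x.y - Module: m]: "description"' as printed under the CPE line.
CVE_RE = re.compile(
    r'(?P<id>CVE-\d{4}-\d{4,})\s*\[CVSS:\s*(?P<cvss>[\d.]+)\s*-\s*Module:\s*'
    r'(?P<module>[\w-]+)\]:\s*"(?P<desc>.*)"'
)
# Assumed range grammar in descriptions: "versions A to B" (inclusive) or "before X" (exclusive).
VERSION = r"\d+(?:\.\d+)+"
SPAN_RE = re.compile(rf"versions?\s+(?P<lo>{VERSION})\s+(?:to|through)\s+(?P<hi>{VERSION})", re.I)
BEFORE_RE = re.compile(rf"before\s+(?P<hi>{VERSION})", re.I)


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10); non-numeric components count as 0 so comparison never raises."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split("."))


def parse_cpes(field: str) -> List[Dict]:
    """Split the comma-separated CPE field into one dict per module."""
    return [m.groupdict() for item in field.split(",") if (m := CPE_RE.match(item.strip()))]


def parse_cves(text: str) -> List[Dict]:
    """Collect every CVE annotation in the summary with its CVSS score, module and description."""
    return [
        {"id": m["id"], "cvss": float(m["cvss"]), "module": m["module"], "desc": m["desc"]}
        for m in CVE_RE.finditer(text)
    ]


def version_in_range(version: str, desc: str) -> Optional[bool]:
    """True/False when desc names a version range; None when it names none."""
    v = version_tuple(version)
    if (m := SPAN_RE.search(desc)):
        return version_tuple(m["lo"]) <= v <= version_tuple(m["hi"])
    if (m := BEFORE_RE.search(desc)):
        return v < version_tuple(m["hi"])
    return None


def triage(summary: str, min_cvss: float = 0.0) -> List[Dict]:
    """Join CVEs to the CPE of their module and order them by CVSS, highest first."""
    cpe_line = next((ln for ln in summary.splitlines() if ln.strip().startswith("CPE:")), "")
    by_module = {c["module"]: c for c in parse_cpes(cpe_line.split("CPE:", 1)[-1])}
    findings = []
    for cve in parse_cves(summary):
        if cve["cvss"] < min_cvss:
            continue
        cpe = by_module.get(cve["module"])
        version = cpe["version"] if cpe else None
        findings.append({
            "id": cve["id"], "cvss": cve["cvss"], "module": cve["module"],
            "product": f'{cpe["vendor"]}:{cpe["product"]}' if cpe else None,
            "version": version,
            # None when the banner carries no version or the description names no range.
            "version_matches": version_in_range(version, cve["desc"]) if version else None,
        })
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["id"]} CVSS {f["cvss"]} {f["product"]} {f["version"]} in-range={f["version_matches"]}')
```

Every entry in the sample matches its stated range, which is expected since SHODAN produced the list from the same version string; a False here would mean SHODAN's match and the description disagree, and a True still needs confirmation against the actual build (for example, Apache 2.4.6 is also the version string of a long-lived distribution package that backports fixes).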

Enumerating DNS information

Orca can lookup DNS information related to a domain or all subdomains (hostnames) that have been discovered, for example:

orca-recon enum dns_db nmap

This gives you the DNS information about the domains that you have gathered. This can be useful for identifying which cloud providers are being used by the target for security services, email, marketing, etc.

You can discover the DNS records for all the subdomains (hostnames) that have been discovered too, for example:

orca-recon enum dns_db paypal -a

which will look up all DNS records for all subdomains. This is a particularly useful technique for discovering CNAME records for hosts which can reveal which service is actually being used to implement a particular system, such as SSO.

Explore

At any time you can view which assets are loaded into the database. There are three main database tables which the Orca uses to store its data.

  1. Asset data table: this table contains the assets which have been added by the operator. It can be queried with orca-recon explore show_assets paypal
+----------+------------+--------+--------+----------------------+----------+----------------------------+
| Asset ID | Value      | Type   | Origin | Infrastructure Check | Verified | Insert Time                |
+----------+------------+--------+--------+----------------------+----------+----------------------------+
| 1        | paypal.com | domain | cli    | False                | False    | 2019-07-16 15:57:22.147912 |
+----------+------------+--------+--------+----------------------+----------+----------------------------+
  2. Host data table: this table contains the subdomains (hostnames) that have been discovered by the operator. It can be queried with orca-recon explore show_hosts paypal
+Hosts Data-----------------+----------------------------------------------+---------------------------------------------------+----------+-----------+------------------+
| Host ID | IP Address      | Hostname                                     | Shodan Hostname                                   | Asset ID | In Shodan | Host Data Origin |
+---------+-----------------+----------------------------------------------+---------------------------------------------------+----------+-----------+------------------+
| 2       | 216.113.171.71  | www.stage2mb100.paypal.com                   | N/A                                               | 1        | False     | dnsdumpster      |
+---------+-----------------+----------------------------------------------+---------------------------------------------------+----------+-----------+------------------+
| 3       | 216.113.171.91  | www.stage2mb110.paypal.com                   | N/A                                               | 1        | False     | dnsdumpster      |
+---------+-----------------+----------------------------------------------+---------------------------------------------------+----------+-----------+------------------+
| 4       | 216.113.171.202 | api.stage2mobile10.paypal.com                | N/A                                               | 1        | False     | dnsdumpster      |
+---------+-----------------+----------------------------------------------+---------------------------------------------------+----------+-----------+------------------+
| 5       | 216.113.171.114 | www.stage2mobile10.paypal.com                | N/A                                               | 1        | False     | dnsdumpster      |
+---------+-----------------+----------------------------------------------+---------------------------------------------------+----------+-----------+------------------+
  3. SHODAN data table: this table contains the information gathered from SHODAN by the operator. It can be queried with orca-recon explore show_shodan paypal
+[ Host - 66.211.169.157]------------------------+
| Shodan Updated | 2019-07-02 16:19:57           |
| Date Added     | 2019-07-17 00:00:00           |
| Hostnames      | phx-origin-history.paypal.com |
|                | origin-history.paypal.com     |
| Ports          | 443                           |
| Net Range      | 66.211.168.0/22               |
| ASN            | AS17012                       |
| Netname        | PayPal                        |
| Country        | USA                           |
| Shodan Modules | https                         |
+----------------+-------------------------------+
+[ Services - 66.211.169.157 ]+------------------------------------------------------------------------------------------------------+
| Shodan Module | Port | CPEs | Banner                                                                                               |
+---------------+------+------+------------------------------------------------------------------------------------------------------+
| https         | 443  | None | HTTP/1.1 302 Found  Date: Tue, 02 Jul 2019 16:19:56 GMT  Server: Apache  X-Frame-Options: SAMEORIGIN |
|               |      |      | Set-Cookie: cwrClyrK4LoCV1fydGbAxiNL6iG=MM_U2UF3NH7P3yVwShMQLhLtGKR4jG1YI6g0KZjfkHWxc30CUJlNADY0sYca |
|               |      |      | Mw8-R6TMqOLecoTTaSZDJgWfpKEpT-dmgXXuG1I7Tz5hJvj4zdu6b6IsxJJsxEa36dXkLu4JcEL_CNSRwm21HxADW02CeITn-    |
|               |      |      | agYAD4W7OLdqZYaY5TgmSwbqVrqhF7pn2MM0NzluaV0_CdtSp1YaH-67oEDxlR_PYLuRz0QpGfacpJy90BYnyEfZLsSB6a;      |
|               |      |      | domain=.paypal.com; path=/; Secure; HttpOnly  Set-Cookie: cookie_check=yes; expires=Fri, 29-Jun-2029 |
|               |      |      | 16:19:57 GMT; domain=.paypal.com; path=/; Secure; HttpOnly  Location: https://www.paypal.com/cgi-    |
|               |      |      | bin/webscr  X-Cnection: close  Transfer-Encoding: chunked  Content-Type: text/plain;                 |
|               |      |      | charset=ISO-8859-1  DC: phx-origin-history-1.paypal.com                                              |
+---------------+------+------+------------------------------------------------------------------------------------------------------+

Project management

Projects can be listed with the orca-recon explore list_projects command and deleted with the orca-recon explore delete_project paypal command.

Tagging

Orca has a comprehensive rules library which can be used for tagging the results that have been collected, for example:

orca-recon explore tag_results paypal

The rules library contains rules for detecting many types of systems, such as load balancers, VPN appliances and more.

CSV Export

If you wish to export from Orca into CSV, you can supply the -o csv option to one of the show_ commands, e.g., orca-recon explore show_hosts paypal -o csv

Host ID,IP Address,Hostname,Shodan Hostname,Asset ID,In Shodan,Host Data Origin
2,216.113.171.71,www.stage2mb100.paypal.com,N/A,1,False,dnsdumpster
3,216.113.171.91,www.stage2mb110.paypal.com,N/A,1,False,dnsdumpster
4,216.113.171.202,api.stage2mobile10.paypal.com,N/A,1,False,dnsdumpster
5,216.113.171.114,www.stage2mobile10.paypal.com,N/A,1,False,dnsdumpster
6,173.0.84.15,slc-a-origin-ipnpb-1.paypal.com,N/A,1,False,dnsdumpster
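Added example, not Orca's own code: it reads the show_hosts CSV export in the shape printed above (the five rows are copied from the page), checks each host IP against the netblocks the operator has confirmed belong to the target, groups hosts by /24 and flags naming hints such as staging or origin servers. This is the kind of follow-up the netblock and ASN data from the enum stage feeds into: a host outside the owned prefixes is a candidate third-party or cloud-hosted system. OWNED_NETBLOCKS and the ENV_HINTS patterns are assumptions made up for the illustration, not data from the page or rules from Orca's library.

```python
"""Attribute hosts from an Orca show_hosts CSV export to netblocks and naming hints."""
import csv
import io
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Rows copied from the CSV export shown above.
HOSTS_CSV = """\
Host ID,IP Address,Hostname,Shodan Hostname,Asset ID,In Shodan,Host Data Origin
2,216.113.171.71,www.stage2mb100.paypal.com,N/A,1,False,dnsdumpster
3,216.113.171.91,www.stage2mb110.paypal.com,N/A,1,False,dnsdumpster
4,216.113.171.202,api.stage2mobile10.paypal.com,N/A,1,False,dnsdumpster
5,216.113.171.114,www.stage2mobile10.paypal.com,N/A,1,False,dnsdumpster
6,173.0.84.15,slc-a-origin-ipnpb-1.paypal.com,N/A,1,False,dnsdumpster
"""

# Assumed for illustration only: prefixes the operator has confirmed as the target's own.
OWNED_NETBLOCKS = [ipaddress.ip_network("216.113.171.0/24")]

# Assumed hostname patterns; a stand-in for the kind of rule Orca's tag_results applies.
ENV_HINTS = {
    "staging": re.compile(r"(^|[.-])stage\d*", re.I),
    "api": re.compile(r"^api[.-]", re.I),
    "origin": re.compile(r"origin", re.I),
}


def parse_hosts(text: str) -> List[Dict]:
    """Load the export, parsing the IP column and the In Shodan flag into Python types."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ip"] = ipaddress.ip_address(r["IP Address"])
        r["in_shodan"] = r["In Shodan"] == "True"
    return rows


def owning_netblock(ip: ipaddress.IPv4Address, netblocks) -> Optional[ipaddress.IPv4Network]:
    """Return the first owned prefix containing ip, or None if it falls outside all of them."""
    return next((n for n in netblocks if ip in n), None)


def hints_for(hostname: str) -> List[str]:
    """Names of every ENV_HINTS pattern that matches the hostname, sorted for stable output."""
    return sorted(name for name, rx in ENV_HINTS.items() if rx.search(hostname))


def attribute(rows: List[Dict], netblocks) -> Dict[str, List[Dict]]:
    """Split hosts into those inside owned netblocks and those that need attribution."""
    report = {"owned": [], "unattributed": []}
    for r in rows:
        net = owning_netblock(r["ip"], netblocks)
        entry = {
            "hostname": r["Hostname"],
            "ip": str(r["ip"]),
            "netblock": str(net) if net else None,
            "hints": hints_for(r["Hostname"]),
        }
        report["owned" if net else "unattributed"].append(entry)
    return report


def by_prefix(rows: List[Dict], prefixlen: int = 24) -> Dict[str, List[str]]:
    """Group hostnames by the enclosing prefix of the given length."""
    groups = defaultdict(list)
    for r in rows:
        net = ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)
        groups[str(net)].append(r["Hostname"])
    return dict(groups)


def pending_shodan(rows: List[Dict]) -> List[str]:
    """Hostnames not yet looked up in SHODAN, i.e. what services_shodan would still process."""
    return [r["Hostname"] for r in rows if not r["in_shodan"]]


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_CSV)
    for bucket, entries in attribute(hosts, OWNED_NETBLOCKS).items():
        for e in entries:
            print(f'{bucket:13} {e["ip"]:16} {e["hostname"]:34} {e["netblock"]} {e["hints"]}')
    for net, names in by_prefix(hosts).items():
        print(net, len(names), "hosts")
```

Hosts that land in the unattributed bucket are the ones to take back to enum dns_db and the SHODAN netblock/ASN fields: if the prefix belongs to a hosting or CDN provider rather than the target, the host is a dependency worth recording separately from the target's own infrastructure.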

Export

Orca supports exporting the results of a project as an XLSX file for further processing in Microsoft Excel, for example:

orca-recon export file_xlsx --filename /tmp/paypal.xlsx paypal

The filename option is mandatory. Once the XLSX file has been generated, it can be opened in Microsoft Excel or LibreOffice Calc.