HackerTarget.com https://hackertarget.com Security Vulnerability Scanners and Assessments

SSH Examples, Tips & Tunnels https://hackertarget.com/ssh-examples-tunnels/ Fri, 28 Dec 2018 05:50:11 +0000

Practical SSH examples to take your remote system admin game to the next level. Commands and tips to not only use SSH but master ways to move around the network.

Knowing a few ssh tricks will benefit any system administrator, network engineer or security professional.

Even if you are an experienced *nix guru there are a couple of examples further down that are only available in later versions of OpenSSH. Take a look at Proxy Jump -J and reverse dynamic forwarding -R.

First The Basics

Breaking down the SSH Command Line

The following ssh example command uses common parameters often seen when connecting to a remote SSH server.

localhost:~$ ssh -v -p 22 -C neo@remoteserver

-v : Print debug information, particularly helpful when debugging an authentication problem. Can be used multiple times to print additional information.
-p 22 : Specify which port to connect to on the remote SSH server. 22 is not required as this is the default, but if any other port is listening connect to it using the -p parameter. The listening port is configured in the sshd_config file using the Port 2222 format.
-C : Compression is enabled on the connection using this parameter. If you are using the terminal over a slow link or viewing lots of text this can speed up the connection as it will compress the data transferred on the fly.
neo@ : The string before the @ symbol denotes the username to authenticate with against the remote server. Leaving out the user@ will default to using the username of the account you are currently logged in to (~$ whoami). User can also be specified with the -l parameter.
remoteserver : The hostname that ssh is connecting to. This can be a fully qualified domain name, an IP address or any host in your local machine's hosts file. To connect to a host that resolves to both IPv4 and IPv6 you can add the -4 or -6 parameter to the command line so it resolves correctly.

Each of the above parameters is optional apart from the remoteserver.

Using a Configuration File

While many users are familiar with the sshd_config file, there is also a client configuration file for the ssh command. This defaults to ~/.ssh/config but can also be specified as a parameter with the -F option.

Host remoteserver
     HostName remoteserver.thematrix.io
     User neo
     Port 2112
     IdentityFile /home/test/.ssh/remoteserver.private_key

Host *
     Port 2222

In the above example ssh configuration file you can see that there are two Host entries. The first is a specific host entry with Port 2112 configured, as well as a custom IdentityFile and username. The second is a wildcard value of * that will match all hosts. Note that the first configuration option found will be used, so the most specific entries should be at the top of the configuration. More information is found in the man page (man ssh_config).

The configuration file can save a lot of typing by including advanced configuration shortcuts any time a connection is made to particular hosts.
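The first-match rule above is the one people trip over: a Port set under a later, more general Host block is silently ignored if an earlier block already set it. The following added example (not from the original post) is a small POSIX sh/awk resolver that walks an ssh_config-style file and reports which value ssh would end up using for a given host and option. The config it reads is a constructed sample written to a temporary file; the function name ssh_effective_option is an assumption of this example. Only Host blocks with * and ? globs are handled (no Match blocks or ! negation), which is enough to see the precedence at work.

```shell
#!/bin/sh
# Resolve an ssh_config option for a host, honouring first-match-wins.
# Added example; this is not OpenSSH's own parser.

# Write a constructed sample config to a temp file and print its path.
make_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Host remoteserver
     HostName remoteserver.thematrix.io
     User neo
     Port 2112
     IdentityFile /home/test/.ssh/remoteserver.private_key

Host *.thematrix.io
     User trinity

Host *
     Port 2222
     User anonymous
EOF
  printf '%s\n' "$f"
}

# Usage: ssh_effective_option CONFIG HOST OPTION
# Prints the value of OPTION that ssh would pick for HOST, i.e. the value from
# the first matching Host block that sets it. Exits 1 if no block sets it.
ssh_effective_option() {
  awk -v host="$2" -v want="$3" '
    function glob2re(p,  r) {           # translate an ssh glob into an anchored regex
      r = p
      gsub(/\./, "\\\\.", r)
      gsub(/\*/, ".*", r)
      gsub(/\?/, ".", r)
      return "^" r "$"
    }
    tolower($1) == "host" {             # new Host block: does any of its patterns match?
      active = 0
      for (i = 2; i <= NF; i++) if (host ~ glob2re($i)) active = 1
      next
    }
    active && tolower($1) == tolower(want) && !found {
      print $2; found = 1; exit
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}
```

With the sample config, `ssh_effective_option "$cfg" db.thematrix.io User` prints trinity (the second block wins over Host *), while the same host's Port falls through to 2222 because no earlier block sets it. On a real system the authoritative check is `ssh -G hostname`, which prints the configuration OpenSSH itself evaluated for that host.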

Copy Files over SSH with SCP

The ssh client comes with two other very handy tools for moving files around over an encrypted ssh connection. The commands are scp and sftp; see the examples below for basic usage. Note that many ssh parameters can be applied to these commands as well.

localhost:~$ scp mypic.png neo@remoteserver:/media/data/mypic_2.png

In this example the file mypic.png was copied to the remoteserver to file system location /media/data and was renamed to mypic_2.png.

Don't forget the difference in the port parameter. This is a gotcha that hits everyone using scp on the command line: the port parameter is -P, not -p as it is in the ssh client. You will forget, but don't worry, everyone does.

For those familiar with command line ftp, many of the commands are similar when using sftp. You can get, put and ls to your heart's desire.

sftp neo@remoteserver

Practical Examples

In many of these examples we could achieve the result using a number of methods. As in all our tutorials and example command sheets, the focus is practical examples that simply get the job done.

1. Proxy Traffic over SSH using SOCKS

The SSH Proxy feature has been placed at number 1 for good reason. It is more powerful than many users realise giving you access to any system that the remote server can reach, using almost any application. The ssh client can tunnel traffic over the connection using a SOCKS proxy server with a quick one liner. A key thing to understand is that traffic to the remote systems will have a source of the remote server. For example in a web server log file.

localhost:~$ ssh -D 8888 user@remoteserver

localhost:~$ netstat -pan | grep 8888
tcp        0      0 127.0.0.1:8888       0.0.0.0:*               LISTEN      23880/ssh

Here we start the socks proxy server running on TCP port 8888, the second command checks that the port is now listening. The 127.0.0.1 indicates the service is running on localhost only. We can use a slightly different command to listen on all interfaces including ethernet or wifi, this will allow other applications (browsers or other) on our network to connect to the ssh socks proxy service.

localhost:~$ ssh -D 0.0.0.0:8888 user@remoteserver

Now we can configure our browser to connect to the socks proxy. In Firefox select preferences | general | network settings. Add the IP address and the port for the browser to connect to.

SSH Socks Proxy with DNS

Note the option at the bottom of the form to force browser DNS requests to also go over the socks proxy. If you are using the proxy to encrypt your web traffic on the local network you will definitely want to select this option so the DNS requests are also tunnelled over the SSH connection.

Enable Socks Proxy on Chrome

Using a command line parameter when launching Chrome will use the socks proxy and also tunnel DNS requests from the browser over the socks5 proxy. Trust but verify, use tcpdump (tcpdump not port 22) to confirm the DNS requests are no longer visible.

localhost:~$ google-chrome --proxy-server="socks5://192.168.1.10:8888"

Using other applications with the Proxy

Keep in mind that there are many other applications that can utilise a socks proxy. A web browser is simply the most popular. Some applications will have configuration options for use of the proxy. Others may need some help by using a helper program that talks the socks protocol. An example of this is proxychains. Using this tool we can for example use Microsoft RDP over the socks proxy.

localhost:~$ proxychains rdesktop $RemoteWindowsServer

The configuration options for the socks proxy are set in the proxychains configuration file.

Hot Tip: Using remote desktop from Linux to Windows? Try the FreeRDP client. A more modern implementation than rdesktop with much smoother interaction.

Use Case for the SSH Socks Proxy

You are in a cafe or hotel having to use the somewhat sketchy WIFI. From our laptop we run the ssh proxy locally and establish an ssh tunnel into our home network using our local Raspberry Pi. Using the browser or other applications configured for the SOCKS proxy we can access any network services on our home network or browse to the Internet via our home network connection. Everything between our laptop and the home server (across the WIFI and Internet to home) is encrypted in the SSH tunnel.

2. SSH Tunnel (port forward)

In its simplest form an SSH tunnel simply opens a port on your local system that connects through to another port at the other end of the tunnel.

localhost:~$ ssh -L 9999:127.0.0.1:80 user@remoteserver

Lets break down the -L parameter. Think of -L as the Local listening side. So in our example above the port 9999 is listening on localhost and port forwards through to port 80 on remoteserver, note that the 127.0.0.1 refers to localhost on the remote server!

Lets take it up a notch. In this following example the port that is listening can be connected to from other hosts on the local network.

localhost:~$ ssh -L 0.0.0.0:9999:127.0.0.1:80 user@remoteserver

In these examples the port we are connecting is a listening web server. It could also be a proxy server or any other TCP service.

3. SSH Tunnel Forward to Secondary Remote host

We can use the same options seen above to have the tunnel connect to another service running on a secondary system from the remote server.

localhost:~$ ssh -L 0.0.0.0:9999:10.10.10.10:80 user@remoteserver

In this example we are forwarding the tunnel from remoteserver to the web server running on 10.10.10.10. The traffic from remoteserver -> 10.10.10.10 is no longer within the ssh tunnel. The web server on 10.10.10.10 will see remoteserver as the source of the web requests.

4. SSH Reverse Tunnel

In this scenario we want to set up a listening port on the remote server that will connect back to a local port on our localhost (or another system).

localhost:~$ ssh -v -R 0.0.0.0:1999:127.0.0.1:902 user@remoteserver

With this ssh session established a connection to the remoteserver port 1999 will be forwarded to port 902 on our local client.

5. SSH Reverse Proxy

In this case we are establishing a SOCKS proxy with our ssh connection, however the proxy is listening at the remote server end, with connections to that remote socks proxy emerging from the tunnel as traffic originating from our localhost. Requires OpenSSH version 7.6+.

localhost:~$ ssh -v -R 0.0.0.0:1999 user@remoteserver

Troubleshooting Remote SSH Tunnels

If you are having trouble getting the remote SSH options to work, check with netstat which interface the listening port is attached to. Even though we have specified 0.0.0.0 in the above examples, if GatewayPorts is set to no in the sshd_config then the listener will only bind to localhost (127.0.0.1).

Security Warning
Note that when you are opening tunnels and socks proxies you may be exposing internal network resources to untrusted networks (like the Internet!). This can be a serious security risk, so ensure you understand what is listening and what it has access to.
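The netstat check above is worth automating on any box where tunnels get left running. The following added example (not from the original post) reads `ss -ltnp` style output and lists every ssh or sshd listening socket that is bound to something other than loopback, which is exactly the set of forwards and SOCKS proxies reachable from other hosts. The ss output below is a constructed sample rather than a real capture, and the function name exposed_ssh_listeners is an assumption of this example; on a live system pipe `ss -ltnp` into it instead.

```shell
#!/bin/sh
# Audit ssh forwarders: report ssh/sshd listeners that are not bound to loopback.
# Added example; parses `ss -ltnp` output so it also runs on the sample below.

# Constructed sample of `ss -ltnp` output (not from a real host).
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8888       0.0.0.0:*          users:(("ssh",pid=23880,fd=4))
LISTEN  0       128     0.0.0.0:9999         0.0.0.0:*          users:(("ssh",pid=23880,fd=5))
LISTEN  0       128     [::1]:1999           [::]:*             users:(("sshd",pid=1201,fd=9))
LISTEN  0       128     *:2000               *:*                users:(("sshd",pid=1201,fd=10))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=900,fd=6))
EOF
}

# Usage: exposed_ssh_listeners [DAEMON_PORT] < ss-output
# Prints "PORT ADDRESS PID" for every ssh/sshd listener not bound to loopback,
# skipping the daemon's own port (22 unless given). Returns 1 when at least
# one such listener exists so the function can gate a script.
exposed_ssh_listeners() {
  awk -v skip="${1:-22}" '
    $1 == "LISTEN" && $6 ~ /"sshd?"/ {
      n = split($4, parts, ":")              # the text after the last ":" is the port
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port == skip) next                 # the sshd service itself, expected
      if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
      pid = $6; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
      print port, addr, pid
      found = 1
    }
    END { exit found ? 1 : 0 }
  '
}

# Live usage (iproute2):  ss -ltnp | exposed_ssh_listeners
```

Against the sample this reports the -L forward on 0.0.0.0:9999 and the -R listener on *:2000 (the one that only appears when GatewayPorts allows it), while the loopback-only SOCKS proxy on 127.0.0.1:8888 and the [::1]:1999 reverse tunnel are left alone.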

6. Establish a VPN over SSH

A common term amongst offensive security folks (pentesters / red teams / etc), is to pivot into a network. Once you have a connection established on one system that system becomes a gateway point for further access to the network. This is known as pivoting and enables lateral movement through the network.

We can use the SSH proxy for this and proxychains, however there are some limitations. For example we cannot use raw sockets, so Nmap SYN scans cannot be used to port scan the Internal network.

Using this more advanced VPN option we move the connectivity down to layer 3. We can then simply route traffic through the tunnel using standard network routing.

This technique uses ssh, iptables, tun interfaces and routing.

First we need these options set in the sshd_config. Since we are making interface changes on the remote system and the client system, we will need root privileges on both sides.

PermitRootLogin yes
PermitTunnel yes

Then we will establish our ssh connection using the parameter that requests tun devices be initialised.

localhost:~# ssh -v -w any root@remoteserver

Now you should have a tun device when you show interfaces (# ip a). Next step is to add IP addresses to the tunnel interfaces.

SSH Client Side:

localhost:~# ip addr add 10.10.10.2/32 peer 10.10.10.10 dev tun0
localhost:~# ip link set tun0 up

SSH Server Side:

remoteserver:~# ip addr add 10.10.10.10/32 peer 10.10.10.2 dev tun0
remoteserver:~# ip link set tun0 up

Now we should have a direct route to the other host (route -n and ping 10.10.10.10).

It is now possible to route any subnet through the other side host.

localhost:~# route add -net 10.10.10.0 netmask 255.255.255.0 dev tun0

On the remote side we need to enable ip_forward and iptables.

remoteserver:~# echo 1 > /proc/sys/net/ipv4/ip_forward
remoteserver:~# iptables -t nat -A POSTROUTING -s 10.10.10.2 -o enp7s0 -j MASQUERADE

Boom! Layer three VPN through an SSH tunnel. Now that's winning.

Any trouble, try tcpdump and ping to see where its broken. Since we are playing at layer 3 our icmp packets should be jumping through that tunnel.
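The steps above are easy to get out of order when typing them into two terminals, so here is the whole procedure as one script. It is an added example, not the original post's script, and it assumes the same addressing as the text (10.10.10.2 on the client, 10.10.10.10 on the server, tun0, the server's outbound interface enp7s0) while letting each be overridden through environment variables; the function names client_side and server_side and the DRY_RUN switch are assumptions of this example. Run `ssh -w any root@remoteserver` first so tun0 exists on both ends, then run the script with client on your workstation and server on the remote box. With DRY_RUN=1 it prints the commands instead of executing them, which is what the test below uses.

```shell
#!/bin/sh
# Layer-3 VPN over an SSH tun tunnel: client and server side in one script.
# Added example. Requires PermitTunnel yes in sshd_config, root on both ends,
# and an established `ssh -w any root@remoteserver` session.
#   client:  sh sshvpn.sh client      server:  sh sshvpn.sh server
#   DRY_RUN=1 sh sshvpn.sh client     prints the commands without running them
CLIENT_IP=${CLIENT_IP:-10.10.10.2}
SERVER_IP=${SERVER_IP:-10.10.10.10}
TUN=${TUN:-tun0}
ROUTE_NET=${ROUTE_NET:-10.10.10.0/24}   # subnet to reach through the server
WAN_IF=${WAN_IF:-enp7s0}                 # server interface that masquerades

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Client: address the tun interface and route the remote subnet into it.
client_side() {
  run ip addr add "$CLIENT_IP/32" peer "$SERVER_IP" dev "$TUN"
  run ip link set "$TUN" up
  run ip route add "$ROUTE_NET" dev "$TUN"
}

# Server: mirror the addressing, enable forwarding and NAT the client, so
# hosts behind the server see the traffic as coming from the server itself.
server_side() {
  run ip addr add "$SERVER_IP/32" peer "$CLIENT_IP" dev "$TUN"
  run ip link set "$TUN" up
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$CLIENT_IP" -o "$WAN_IF" -j MASQUERADE
}

# The check the text suggests: ICMP should cross the tunnel once both sides are up.
check_tunnel() {
  run ping -c 3 "$SERVER_IP"
}

case "${1:-}" in
  client) client_side ;;
  server) server_side ;;
  check)  check_tunnel ;;
  "")     ;;                         # no argument (or sourced): nothing to do
  *)      echo "usage: $0 client|server|check" >&2; exit 2 ;;
esac
```

The MASQUERADE rule is what makes hosts on the far network reply: without it they would see packets from 10.10.10.2, an address they have no route back to. The same NAT means, as with the port-forward examples earlier, that everything you send appears to originate from the server.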

7. Copy your SSH key (ssh-copy-id)

There are multiple ways to achieve this, however this command is a shortcut that saves time. What does it actually do? Well, this command simply replicates what you can also do manually: it copies the ~/.ssh/id_rsa.pub (or the default) key from your system and adds it to the ~/.ssh/authorized_keys file on the remote server.

localhost:~$ ssh-copy-id user@remoteserver

8. Run Command Remotely (non-interactive)

The ssh command can be chained to other commands for the usual piping fun. Simply add the command you want to run on the remote host as a final parameter in quotes.

localhost:~$ ssh remoteserver "cat /var/log/nginx/access.log" | grep badstuff.php

In this example the grep is being performed on the local system after the log file has been pushed across the ssh session. If the file is large it would be more efficient to run the grep on the remote side simply by enclosing the pipe and grep in the double quotes.

Another example performs the same function as the ssh-copy-id shortcut in Tip 7.

localhost:~$ cat ~/.ssh/id_rsa.pub | ssh remoteserver 'cat >> .ssh/authorized_keys'

9. Remote Packet Capture & View in Wireshark

I grabbed this one from our tcpdump examples. Use it for a remote packet capture with the results feeding directly into your local Wireshark GUI.

:~$ ssh root@remoteserver 'tcpdump -c 1000 -nn -w - not port 22' | wireshark -k -i -

10. SSH Copy Folder from Local to Remote

A neat trick that compresses a folder using bzip2 (that's the -j in the tar command), then extracts the bzip2 stream on the other side creating a duplicate of the folder on the remote server. Note that tar strips the leading / from the stored paths, so the archive unpacks as datafolder/ beneath whatever directory -C points at.

localhost:~$ tar -cvjf - /datafolder | ssh remoteserver "tar -xjf - -C /datafolder"

11. Remote GUI Applications with SSH x11 Forwarding

If the client and remote server both have X installed, it is possible to run a GUI command remotely, with the window appearing on your local desktop. This feature has been around since the beginning of time, but can still be very useful. Run a remote web browser or even the VMware Workstation console as I do in this example.

localhost:~$ ssh -X remoteserver vmware

Requires X11Forwarding yes in the sshd_config.

12. Copy files remotely with rsync and SSH

Using rsync has many advantages over scp; if you periodically need to back up a directory, large numbers of files or very large files, it should be used. It has the ability to recover from failed transfers and only copy the differences between two locations, saving bandwidth and time.

The example here uses gzip compression (-z) and archive mode (-a) that includes recursive copy.

:~$ rsync -az /home/testuser/data remoteserver:backup/

13. SSH over Tor Network

The anonymised Tor Network can tunnel SSH traffic by using the torsocks command. The following command will proxy the ssh connection through the Tor network.

localhost:~$ torsocks ssh myuntracableuser@remoteserver

Torsocks will use the localhost port 9050 to proxy traffic. As always when using tor serious consideration must be taken to understand what traffic is being tunnelled and other operational security (opsec) concerns. Where are your DNS requests going?

14. SSH to EC2 instance

When using SSH to connect to your EC2 instance within Amazon you will need to use a private key. Download the key (extension .pem) from your Amazon EC2 control panel and change the permissions (chmod 400 my-ec2-key.pem). Keep this key somewhere safe or put it in your ~/.ssh/ folder.

localhost:~$ ssh -i ~/.ssh/my-ec2-key.pem ubuntu@my-ec2-public

The -i parameter simply tells the ssh client to use this key. This would be an ideal example of where to use the ~/.ssh/config to configure the use of the key automatically when connecting to the ec2 host.

Host my-ec2-public
   Hostname ec2???.compute-1.amazonaws.com
   User ubuntu
   IdentityFile ~/.ssh/my-ec2-key.pem

15. Edit text files with VIM over ssh/scp

For all those vim users out there, this one can save some time. Using vim we can edit files over scp with one command. Using this method simply creates a file in /tmp on the local system and then copies it back once we write the file in vim.

localhost:~$ vim scp://user@remoteserver//etc/hosts

Note the format is slightly different to regular scp. After the host we have a double //. This references the absolute path. A single slash will have a path that is relative to the users home directory.

**warning** (netrw) cannot determine method (format: protocol://[user@]hostname[:port]/[path])

If you see this error, double check the format of your command. It usually means there is a syntax error.

16. Mount remote SSH location as local folder with SSHFS

Using sshfs, an ssh filesystem client, we can mount a remote location on a local directory with all file interaction taking place over the encrypted ssh session.

localhost:~$ apt install sshfs

On Ubuntu and Debian based systems we install the sshfs package and then simply mount the remote location.

localhost:~$ sshfs user@remoteserver:/media/data ~/data/

17. SSH Multiplex using ControlPath

By default when you have an existing connection to a remote server with ssh, a second connection using ssh or scp will establish a new session with the overhead of authentication. Using the ControlPath options we can have the existing session be used for all subsequent connections. This will speed things up significantly. It is noticeable even on a local network but even more so when connecting to remote resources.

Host remoteserver
        HostName remoteserver.example.org
        ControlMaster auto
        ControlPath ~/.ssh/control/%r@%h:%p
        ControlPersist 10m

ControlPath denotes a socket that is checked by new connections to see if there is an existing ssh session that can be used. The ControlPersist option above means even after you exit the terminal, the existing session will remain open for 10 minutes, so if you were to reconnect within that time you would use that existing socket. See the ssh_config man page for more information.

18. Stream Video over SSH using VLC + SFTP

Long time users of ssh and vlc (Video Lan Client) are not always aware of this handy option for when you simply need to watch video over the network. Using the vlc option File | Open Network Stream one can simply enter the location as an sftp:// location. A prompt will appear for authentication details if a password is required.

sftp://remoteserver//media/uploads/myvideo.mkv

19. Two Factor Authentication

Most readers will understand the value in using Two Factor Authentication, the same benefits that apply to your banking or Google Account can be applied to your SSH service.

Of course ssh comes with a form of Two Factor capability included, that being a passphrase and an SSH key. An advantage of using a hardware based token or the Google Authenticator App is the fact that they are generally coming from a second physical device.

See our 8 minute guide to getting started with Google Authenticator and SSH.

20. Bouncing through jump hosts with ssh and -J

When network segmentation means you are jumping through multiple ssh hosts to get to a final destination network or host, this jump host shortcut might be just what you need. Requires OpenSSH version 7.3+.

localhost:~$ ssh -J host1,host2,host3 user@host4.internal

A key thing to understand here is that this is not the same as running ssh host1 and then, from host1, ssh host2. The -J jump parameter uses forwarding so that it is localhost that establishes the session with the next host in the chain. So our localhost is authenticating with host4 in the above example, meaning our localhost keys are used and the session from localhost to host4 is encrypted end to end.

To use this ability in the ssh_config use the ProxyJump configuration option. If you regularly have to jump through multiple hosts; use the config file and your alias to host4 will save you a lot of time.

21. Block SSH Brute Force Attempts with iptables

Anyone who has managed an SSH service on the Internet, and viewed the logs will be aware of the amount of SSH brute force attempts that take place every hour of every day. An immediate way to reduce the noise in your logs is to move SSH to a port other than 22. Make the change in the sshd_config file using the Port ## configuration option.

Using iptables we can also simply block attempts to connect to the port from sources that reach a certain threshold. A simple way to do this is to use OSSEC, as this not only blocks SSH but will also perform a bunch of other host based intrusion detection functions (HIDS).
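To make the threshold idea concrete, the following added example (not from the original post) does two things: it counts failed password attempts per source in auth.log and reports any source at or above a threshold, and it prints the pair of iptables rules, using the xt_recent match, that drop new connections to the SSH port from a source that has opened too many in a short window. The log lines are constructed, not a real capture, and the function names brute_force_sources and ssh_rate_limit_rules are assumptions of this example.

```shell
#!/bin/sh
# Spot SSH brute-force sources in auth.log and rate-limit them with iptables.
# Added example; the log below is constructed, not a real capture.

sample_auth_log() {
  cat <<'EOF'
Feb 19 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Feb 19 10:01:04 host sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2
Feb 19 10:01:05 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.9 port 51141 ssh2
Feb 19 10:01:07 host sshd[2107]: Failed password for root from 203.0.113.9 port 51150 ssh2
Feb 19 10:02:11 host sshd[2110]: Failed password for neo from 198.51.100.7 port 40022 ssh2
Feb 19 10:02:30 host sshd[2112]: Accepted publickey for neo from 198.51.100.7 port 40023 ssh2: RSA SHA256:constructed-fingerprint
Feb 19 10:03:00 host sshd[2115]: Failed password for invalid user test from 192.0.2.44 port 60001 ssh2
Feb 19 10:03:01 host sshd[2116]: Failed password for invalid user test from 192.0.2.44 port 60002 ssh2
Feb 19 10:03:02 host sshd[2117]: Failed password for invalid user test from 192.0.2.44 port 60003 ssh2
EOF
}

# Usage: brute_force_sources [THRESHOLD] < auth.log
# Prints "COUNT IP" for every source with at least THRESHOLD (default 3)
# failed password attempts, busiest first. Invalid-user and valid-user
# failures are counted alike; "from" is located by word so both forms parse.
brute_force_sources() {
  awk -v min="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
  ' | sort -rn
}

# Usage: ssh_rate_limit_rules [PORT] [HITS] [SECONDS]
# Prints the iptables rules that drop NEW connections to PORT from a source
# that has opened HITS or more of them within SECONDS (xt_recent module).
# The --set rule must come before the --update rule so every attempt is recorded.
ssh_rate_limit_rules() {
  port=${1:-22}; hits=${2:-4}; secs=${3:-60}
  cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name sshbf --set
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name sshbf --update --seconds $secs --hitcount $hits -j DROP
EOF
}
```

With the default threshold of 3 the sample log flags 203.0.113.9 and 192.0.2.44 but not 198.51.100.7, whose single failure was followed by a successful key login. If you moved sshd to another port as suggested above, pass that port to ssh_rate_limit_rules so the rules match the right traffic.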

22. Modify Port Forwarding within a session with ~C

And our final ssh example is for modifying port forwarding on the fly within an existing ssh session. Picture this example scenario. You are deep in a network; perhaps you have jumped through half a dozen jump hosts and need a local port on your workstation forwarded to Microsoft SMB on the old Windows 2003 system you spotted (MS08-067 anyone?).

After hitting enter, try typing ~C in your terminal. This is a control escape sequence within the session that allows you to make changes to the existing connection. The escape character is only recognised at the start of a line, so press enter first if you have typed anything.

localhost:~$ ~C
ssh> -h
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -D[bind_address:]port                  Request dynamic forward
      -KL[bind_address:]port                 Cancel local forward
      -KR[bind_address:]port                 Cancel remote forward
      -KD[bind_address:]port                 Cancel dynamic forward
ssh> -L 1445:remote-win2k3:445
Forwarding port.

You can see here we have forwarded our local port 1445 to the Windows 2003 host we found on the internal network. Now simply launch msfconsole and we are good to go (assuming you were planning on exploiting that host).

Wrapping Up

These ssh examples, tips and commands are intended to give you a starting point; additional detail on each of the commands and capabilities is available using the man pages (man ssh, man ssh_config, man sshd_config).

Being able to reach out and run commands on systems anywhere in the world has always fascinated me. By developing your skills with tools such as ssh you will become more productive and effective at whatever game you play.

Thanks for reading and if you have any comments or suggestions please drop me a note using the contact form. Have fun!


Two factor (2FA) SSH with Google Authenticator https://hackertarget.com/ssh-two-factor-google-authenticator/ Fri, 28 Dec 2018 04:29:55 +0000

The post Two factor (2FA) SSH with Google Authenticator appeared first on HackerTarget.com.

]]>
Configuring two factor authentication on SSH is actually quite straightforward. Using Google Authenticator we can get setup and running in about 8 minutes. If we were to use another method such as a hardware based token we would have to wait for delivery of the token (for example YubiKey) - that would take way longer. 🙂

First the Basics

Two factor authentication means there are two different methods used to authenticate access to a service by a user. The first method is something that everyone is familiar with, that being a password or passphrase. A second factor is a computationally generated code that can be sent to your phone via SMS, Phone APP or read off a hardware token. Many will be familiar with these for access to banking or online services such as Google.

Tip: If you don't use two factor on your Google Account and Banking, go and sort it now. In fact if you are using SMS as a 2FA on your Google Account, think about changing it to use the Google Authenticator App. Recent breaches have highlighted the weakness in SMS based 2FA.

Configuring SSH for 2FA on Ubuntu

These steps for configuring ssh and 2FA will no doubt be similar for any Linux distribution, our focus for now is on Ubuntu and locking down our SSH service.

Requirements

  • Ubuntu 18.04
  • Phone with Google Authenticator (iPhone or Android)
  • SSH server with sudo access **

** You need to be the administrator of the SSH server otherwise the actual administrator will get cross when they get locked out.

Warning: Ensure you have a pretty good grasp of what we are doing here. If you are not familiar with editing config files and running services on Linux take care. If you mess up the configuration you may lock yourself out of your SSH access. It is probably a good idea to ensure you have console access to your system.

1. Install Ubuntu Packages

The required package is in the Ubuntu repositories so installation is a simple apt install.

sudo apt install libpam-google-authenticator

2. Configure SSH Server

First we will edit /etc/pam.d/sshd adding the following line:

auth required pam_google_authenticator.so

Now change the following line in /etc/ssh/sshd_config to yes to enable use of the Authenticator we added to the pam configuration.

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Restart SSH service

sudo service sshd restart
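Because a mistake here is how people lock themselves out, it is worth checking both files before the restart in step 2. The following added example (not from the original post) is a small sh function that reads an sshd_config and a pam.d/sshd file and confirms that ChallengeResponseAuthentication is yes and that the pam_google_authenticator.so auth line is present and uncommented. The files it reads here are constructed samples written to temporary files; the function name check_2fa_config is an assumption of this example. On a real host run it as `check_2fa_config /etc/ssh/sshd_config /etc/pam.d/sshd`.

```shell
#!/bin/sh
# Pre-restart check for the two 2FA settings: the PAM auth line and
# ChallengeResponseAuthentication yes. Added example, not from the post.

# Constructed sample sshd_config; $1 is the ChallengeResponseAuthentication value.
make_sample_sshd_config() {
  f=$(mktemp)
  printf '# Change to yes to enable challenge-response passwords\nChallengeResponseAuthentication %s\nUsePAM yes\n' "$1" > "$f"
  printf '%s\n' "$f"
}

# Constructed sample /etc/pam.d/sshd; pass 1 to include the authenticator line.
make_sample_pam_sshd() {
  f=$(mktemp)
  { echo '@include common-auth'
    [ "$1" = 1 ] && echo 'auth required pam_google_authenticator.so'
    echo '@include common-account'; } > "$f"
  printf '%s\n' "$f"
}

# Usage: check_2fa_config SSHD_CONFIG PAM_SSHD
# Returns 0 when both settings are in place, 1 otherwise, naming what is missing.
check_2fa_config() {
  ok=0
  # sshd honours the first occurrence of a keyword, so take the first uncommented one.
  crv=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2) }' "$1" | head -n 1)
  if [ "$crv" != "yes" ]; then
    echo "sshd_config: ChallengeResponseAuthentication is '${crv:-unset}', need yes" >&2
    ok=1
  fi
  # A line starting with "#auth" has $1 == "#auth", so commented-out lines do not count.
  pam=$(awk '$1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so"' "$2")
  if [ -z "$pam" ]; then
    echo "pam.d/sshd: 'auth required pam_google_authenticator.so' not found" >&2
    ok=1
  fi
  return $ok
}
```

Run the check in your existing session before `sudo service sshd restart`, and keep that session open while you test a fresh login from a second terminal; an existing session survives the restart, so it is your way back in if the new login fails.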

3. Configure Google Authenticator on Ubuntu

With our installed package we now have a binary that allows us to configure the Google Authenticator.

google-authenticator

Read the options presented and decide which you wish to use. Selecting time based authentication tokens is a good option and the simplest.

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=<>

<< ------ Here right in your Terminal is a Large QR Code ---------- >>

<< ------ Also here is your secret key and backup codes ------ >>

Do you want me to update your "/home/user/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. 
Do you want to enable rate-limiting? (y/n) y

Write down the backup codes on a piece of paper. Put them somewhere safe, these will allow you to login to your ssh server if you don't have your phone.

Add key to the Google Authenticator App

On your phone launch the Google Authenticator App and hit the big red plus button. This is to add a new service to the Authenticator. Use the option to scan the QR code. It is as easy as that. You will now have access to your ssh service with an added authentication factor - that being the code on your Google App.

Test your access still works

Try to login to your ssh server. You should now be prompted for the code as well as the usual password. If you are using keys to access the ssh you will still have access using the key. The 2FA code has been configured to only apply to the password based authentication.

Tcpdump Examples https://hackertarget.com/tcpdump-examples/ Sun, 27 May 2018 23:34:30 +0000

Practical tcpdump examples to lift your network troubleshooting and security testing game. Commands and tips to not only use tcpdump but master ways to know your network.

Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer or security professional.

First The Basics

Breaking down the Tcpdump Command Line

The following command uses common parameters often seen when wielding the tcpdump scalpel.

:~$ sudo tcpdump -i eth0 -nn -s0 -v port 80

-i : Select interface that the capture is to take place on, this will often be an ethernet card or wireless adapter but could also be a vlan or something more unusual. Not always required if there is only one network adapter.
-nn : A single (n) will not resolve hostnames. A double (nn) will not resolve hostnames or ports. This is handy for not only viewing the IP / port numbers but also when capturing a large amount of data, as the name resolution will slow down the capture.
-s0 : Snap length, is the size of the packet to capture. -s0 will set the size to unlimited - use this if you want to capture all the traffic. Needed if you want to pull binaries / files from network traffic.
-v : Verbose, using (-v) or (-vv) increases the amount of detail shown in the output, often showing more protocol specific information.
port 80 : this is a common port filter to capture only traffic on port 80, that is of course usually HTTP.

Display ASCII text

Adding -A to the command line will have the output include the ascii strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.

:~$ sudo tcpdump -A -s0 port 80

Capture on Protocol

Filter on UDP traffic. Another way to specify this is to use protocol 17, which is udp. These two commands will produce the same result. The equivalent of the tcp filter is protocol 6.

:~$ sudo tcpdump -i eth0 udp
:~$ sudo tcpdump -i eth0 proto 17

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) and from (source) the IP address.

:~$ sudo tcpdump -i eth0 host 10.10.1.1

Alternatively capture only packets going one way using src or dst.

:~$ sudo tcpdump -i eth0 dst 10.10.1.20

Write a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.

:~$ sudo tcpdump -i eth0 -s0 -w test.pcap

Line Buffered Mode

Without the option to force line buffered (-l) mode (or packet buffered -C mode) you will not always get the expected response when piping the tcpdump output to another command such as grep. With this option the output is sent immediately to the piped command, giving an immediate response when troubleshooting.

:~$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Combine Filters

Throughout these examples you can use standard logic to combine different filters.

and or &&
or or ||
not or !

Practical Examples

In many of these examples there are a number of ways that the result could be achieved. As seen in some of the examples it is possible to focus the capture right down to individual bits in the packet.

The method you will use will depend on your desired output and how much traffic is on the wire. Capturing on a busy gigabit link may force you to use specific low level packet filters.

When troubleshooting you often simply want to get a result. Filtering on the port and selecting ASCII output in combination with grep, cut or awk will often get that result. You can always go deeper into the packet if required.

For example, when capturing HTTP requests and responses you could filter out all packets except the data by removing SYN / ACK / FIN; however, if you are using grep the noise will be filtered anyway. Keep it simple.

This can be seen in the following examples, where the aim is to get a result in the simplest (and therefore fastest) manner.

1. Extract HTTP User Agents

Extract HTTP User Agent from HTTP request header.

:~$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

:~$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

2. Capture only HTTP GET and POST packets

Going deep on the filter we can specify only packets that match GET.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Alternatively we can select only on POST requests. Note that the POST data may not be included in the packet captured with this filter. It is likely that a POST request will be split across multiple TCP data packets.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

The hexadecimal being matched in these expressions is the ASCII for GET and POST.

As an explanation, tcp[((tcp[12:1] & 0xf0) >> 2):4] first determines the location of the bytes we are interested in (after the TCP header) and then selects the 4 bytes we wish to match against.

3. Extract HTTP Request URLs

Simply parse Host and HTTP Request location from traffic. By not targeting port 80 we may find these requests on any port such as HTTP services running on high ports.

:~$ sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
	POST /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /favicon.ico HTTP/1.1
	Host: dev.example.com
	GET / HTTP/1.1
	Host: dev.example.com

4. Extract HTTP Passwords in POST Requests

Let's get some passwords from the POST data. The filter also matches Host: and the request location so we know what the password is used for.

:~$ sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1
Host: dev.example.com
.....s..log=admin&pwd=notmypassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdev.example.com%2Fwp-admin%2F&testcookie=1

5. Capture Cookies from Server and from Client

MMMmmm Cookies! Capture cookies from the server by searching on Set-Cookie: (from Server) and Cookie: (from Client).

:~$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: dev.example.com
Cookie: wordpress_86be02xxxxxxxxxxxxxxxxxxxc43=admin%7C152xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfb3e15c744fdd6; _ga=GA1.2.21343434343421934; _gid=GA1.2.927343434349426; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86be654654645645645654645653fc43=admin%7C15275102testtesttesttestab7a61e; wp-settings-time-1=1527337439

6. Capture all ICMP packets

See all ICMP packets on the wire.

:~$ sudo tcpdump -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:34:21.590380 IP 10.10.1.217 > 10.10.1.30: ICMP echo request, id 27948, seq 1, length 64
11:34:21.590434 IP 10.10.1.30 > 10.10.1.217: ICMP echo reply, id 27948, seq 1, length 64
11:34:27.680307 IP 10.10.1.159 > 10.10.1.1: ICMP 10.10.1.189 udp port 59619 unreachable, length 115

7. Show ICMP Packets that are not ECHO/REPLY (standard ping)

Filter on the icmp type to select on icmp packets that are not standard ping packets.

:~$ sudo tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:04.041037 IP 10.10.1.189 > 10.10.1.20: ICMP 10.10.1.189 udp port 36078 unreachable, length 156

8. Capture SMTP / POP3 Email

It is possible to extract the email body and other data; in this example we are only parsing the sender and recipient addresses (MAIL FROM / RCPT TO).

:~$ sudo tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

9. Troubleshooting NTP Query and Response

In this example we see the NTP query and response.

:~$ sudo tcpdump dst port 123

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:02:19.112502 IP test33.ntp > 199.30.140.74.ntp: NTPv4, Client, length 48
21:02:19.113888 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48
21:02:20.150347 IP test33.ntp > 216.239.35.0.ntp: NTPv4, Client, length 48
21:02:20.150991 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48

10. Capture SNMP Query and Response

Using onesixtyone, the fast SNMP scanner, we test an SNMP service on our local network and capture the GetRequest and GetResponse. For anyone who has had the (dis)pleasure of troubleshooting SNMP, this is a great way to see exactly what is happening on the wire. You can see the OID clearly in the traffic, very helpful when wrestling with MIBs.

:~$ onesixtyone 10.10.1.10 public

Scanning 1 hosts, 1 communities
10.10.1.10 [public] Linux test33 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
:~$ sudo tcpdump -n -s0  port 161 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:39:13.725522 IP 10.10.1.159.36826 > 10.10.1.20.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
23:39:13.728789 IP 10.10.1.20.161 > 10.10.1.159.36826:  GetResponse(109)  .1.3.6.1.2.1.1.1.0="Linux testmachine 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"

11. Capture FTP Credentials and Commands

Capturing FTP commands and login details is straightforward. After authentication an FTP session can be active or passive; this determines whether the data part of the session is conducted over TCP port 20 or another ephemeral port. With the following command you will see USER and PASS in the output (which could be fed to grep) as well as the FTP commands such as LIST, CWD and PASSIVE.

:~$ sudo tcpdump -nn -v port ftp or ftp-data

12. Rotate Capture Files

When capturing large amounts of traffic or over a long period of time it can be helpful to automatically create new files of a fixed size. This is done using the parameters -W, -G and -C.

In this command the file capture-(hour).pcap will be created every (-G) 3600 seconds (1 hour). The files will be overwritten the following day, so you should end up with capture-{1-24}.pcap; if the hour was 15 the new file is /tmp/capture-15.pcap.

:~$ tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

13. Capture IPv6 Traffic

Capture IPv6 traffic using the ip6 filter. In these examples we have specified the TCP and UDP protocols using proto 6 and proto 17.

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

14. Detect Port Scan in Network Traffic

In the following example you can see the traffic coming from a single source to a single destination. The Flags [S] and [R] can be seen and matched against a seemingly random series of destination ports. These ports are seen in the RESET that is sent when the SYN finds a closed port on the destination system. This is standard behaviour for a port scan by a tool such as Nmap.

We have another tutorial on Nmap that details captured port scans (open / closed / filtered) in a number of Wireshark captures.

:~$ tcpdump -nn

21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693826 IP 10.10.1.10.33022 > 10.10.1.199.49153: Flags [S], seq 2406028551, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, options [mss 1460,sackOK,TS val 3547090334 ecr 0,nop,wscale 7], length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695608 IP 10.10.1.10.33460 > 10.10.1.199.49152: Flags [S], seq 3289070068, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695622 IP 10.10.1.199.49152 > 10.10.1.10.33460: Flags [R.], seq 0, ack 3289070069, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0
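The pattern described above (one source, many SYNs to different destination ports, RSTs coming back from the closed ones) can be turned into a simple detector that runs over `tcpdump -nn` output. The following is an added example, not code from the original post: it parses the summary lines, groups bare SYNs by scanner/target pair and flags pairs that probe at least `min_ports` distinct ports, counting how many of those the target answered with a RST. The first nine sample lines are taken from the capture above; the last two are constructed to show a normal connection (SYN followed by SYN-ACK) that must not be flagged.

```python
import re
from collections import defaultdict

# Sample input: nine lines from the port scan capture above, plus two constructed lines
# showing an ordinary connection attempt that must not be reported.
SAMPLE = """\
21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, options [mss 1460,sackOK,TS val 3547090334 ecr 0,nop,wscale 7], length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0
21:46:20.100000 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [S], seq 1, win 29200, length 0
21:46:20.100100 IP 10.10.1.125.80 > 10.10.1.30.39224: Flags [S.], seq 1, ack 2, win 28960, length 0
"""

# Matches the summary line tcpdump -nn prints for IPv4 TCP segments: timestamp, "IP",
# src.sport > dst.dport, then the flags in square brackets. Other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp_lines(text):
    """Yield one dict per parseable TCP summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def detect_port_scans(text, min_ports=5):
    """Return one finding per (scanner, target) pair that sent bare SYNs to at least
    min_ports distinct destination ports. 'closed' counts the probed ports the target
    answered with a RST, the signature of a SYN hitting a closed port."""
    syn_ports = defaultdict(set)   # (scanner, target) -> ports probed with a bare SYN
    rst_ports = defaultdict(set)   # (scanner, target) -> ports that replied with RST
    for p in parse_tcp_lines(text):
        if p["flags"] == "S":                      # bare SYN only; "S." is a SYN-ACK
            syn_ports[(p["src"], p["dst"])].add(p["dport"])
        elif "R" in p["flags"]:
            # A RST travels target -> scanner, so swap the endpoints to index by the pair
            # as seen from the scanner, and the RST's source port is the probed port.
            rst_ports[(p["dst"], p["src"])].add(p["sport"])
    findings = []
    for (scanner, target), ports in syn_ports.items():
        if len(ports) >= min_ports:
            closed = ports & rst_ports.get((scanner, target), set())
            findings.append({"scanner": scanner, "target": target,
                             "ports_probed": len(ports), "closed": len(closed)})
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(SAMPLE):
        print(f"{f['scanner']} -> {f['target']}: {f['ports_probed']} ports probed, "
              f"{f['closed']} answered with RST")
```

On a real capture feed it `sudo tcpdump -nn -l 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'` through a pipe so only SYN and RST segments reach the parser; the threshold is deliberately low for the short sample and should be raised (and combined with a time window) on a busy link.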

15. Example Filter Showing Nmap NSE Script Testing

In this example the Nmap NSE script http-enum.nse is shown testing for valid urls against an open HTTP service.

On the Nmap machine:

:~$ nmap -p 80 --script=http-enum.nse targetip

On the target machine:

:~$ tcpdump -nn port 80 | grep "GET /"

GET /w3perl/ HTTP/1.1
GET /w-agora/ HTTP/1.1
GET /way-board/ HTTP/1.1
GET /web800fo/ HTTP/1.1
GET /webaccess/ HTTP/1.1
GET /webadmin/ HTTP/1.1
GET /webAdmin/ HTTP/1.1

16. Capture Start and End Packets of every non-local host

This example is straight out of the tcpdump man page. By selecting on the tcp-syn and tcp-fin packets we can show each established TCP conversation with timestamps but without the data. As with many filters this allows the amount of noise to be reduced in order to focus in on the information that you care about.

:~$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

17. Capture DNS Request and Response

Outbound DNS request to Google public DNS and the A record (ip address) response can be seen in this capture.

:~$ sudo tcpdump -i wlp58s0 -s0 port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:06.879799 IP test.53852 > google-public-dns-a.google.com.domain: 26977+ [1au] A? play.google.com. (44)
14:19:07.022618 IP google-public-dns-a.google.com.domain > test.53852: 26977 1/0/1 A 216.58.203.110 (60)

18. Capture HTTP data packets

Capture only HTTP data packets on port 80, avoiding the TCP session setup and teardown (SYN / FIN / ACK) packets that carry no data.

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
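The two byte-offset filters on this page (the GET/POST match in example 2 and the data-only filter just above) are easier to trust once you have seen the arithmetic applied to a real packet layout. The following is an added example, not code from the original post: it builds a minimal IPv4+TCP packet from constructed values and implements each BPF sub-expression as a small Python function over the raw bytes, so you can check that `tcp[((tcp[12:1] & 0xf0) >> 2):4]` really lands on the first four payload bytes and that the length expression is zero for a bare ACK. The addresses, ports and request lines are sample values, not taken from a capture.

```python
import struct


def ipv4_tcp_packet(payload: bytes, tcp_flags: int = 0x18) -> bytes:
    """Build a minimal IPv4 + TCP packet (constructed test data, not a real capture).
    tcp_flags 0x18 = PSH|ACK, a data segment; 0x10 = a bare ACK with no payload."""
    ihl = 5                                   # 20-byte IP header, no options
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 10, 1, 30]), bytes([10, 10, 1, 125]))
    data_offset = 5                           # 20-byte TCP header, no options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          39224, 80, 1, 1, data_offset << 4, tcp_flags, 704, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Each helper mirrors one sub-expression of the tcpdump filters. pkt starts at the IP
# header, so ip[x] is pkt[x] and tcp[x] is pkt[ip_header_len + x].
def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0f) << 2               # (ip[0] & 0xf) << 2


def ip_total_len(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]


def tcp_header_len(pkt: bytes) -> int:
    tcp = pkt[ip_header_len(pkt):]
    return (tcp[12] & 0xf0) >> 2              # (tcp[12:1] & 0xf0) >> 2


def tcp_payload_len(pkt: bytes) -> int:
    # ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)), the data-only filter above
    return ip_total_len(pkt) - ip_header_len(pkt) - tcp_header_len(pkt)


def first_payload_word(pkt: bytes):
    # tcp[((tcp[12:1] & 0xf0) >> 2):4]: the four bytes immediately after the TCP header
    if tcp_payload_len(pkt) < 4:
        return None                           # BPF simply fails to match a short segment
    start = ip_header_len(pkt) + tcp_header_len(pkt)
    return struct.unpack("!I", pkt[start:start + 4])[0]


def matches_get(pkt: bytes) -> bool:
    return first_payload_word(pkt) == 0x47455420   # b"GET "


def matches_post(pkt: bytes) -> bool:
    return first_payload_word(pkt) == 0x504f5354   # b"POST"


def is_data_segment(pkt: bytes) -> bool:
    return tcp_payload_len(pkt) != 0


# Constructed sample packets: a GET, a POST and a bare ACK with no payload.
GET_PKT = ipv4_tcp_packet(b"GET /wp-login.php HTTP/1.1\r\nHost: dev.example.com\r\n\r\n")
POST_PKT = ipv4_tcp_packet(b"POST /wp-login.php HTTP/1.1\r\nHost: dev.example.com\r\n\r\n")
ACK_PKT = ipv4_tcp_packet(b"", tcp_flags=0x10)

if __name__ == "__main__":
    for name, pkt in (("GET", GET_PKT), ("POST", POST_PKT), ("ACK", ACK_PKT)):
        print(f"{name}: get={matches_get(pkt)} post={matches_post(pkt)} "
              f"data={is_data_segment(pkt)} payload_len={tcp_payload_len(pkt)}")
```

Two details worth noticing: the helpers reproduce the filter exactly, so a TCP header with options (data offset larger than 5) still resolves correctly because the offset is read from the packet rather than assumed; and the GET/POST match only works when tcpdump has captured the payload, which is why those examples use -s 0.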

19. Capture with tcpdump and view in Wireshark

Parsing and analysis of full application streams such as HTTP is much easier to perform with Wireshark (or tshark) rather than tcpdump. It is often more practical to capture traffic on a remote system using tcpdump with the write file option. Then copy the pcap to the local workstation for analysis with Wireshark.

Other than manually moving the file from the remote system to the local workstation it is possible to feed the capture to Wireshark over the SSH connection in real time. This tip is a favorite, pipe the raw tcpdump output right into wireshark on your local machine. Don't forget the not port 22 so you are not capturing your SSH traffic.

:~$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

Another tip is to use the count option -c on the remote tcpdump to allow the capture to finish; otherwise hitting ctrl-c will not only kill tcpdump but also Wireshark and your capture.

20. Top Hosts by Packets

List the top talkers for a period of time or number of packets. Using simple command line field extraction to get the IP address, sort and count the occurrences. The capture is limited by the count option -c.

sudo tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
200 packets captured
261 packets received by filter
0 packets dropped by kernel
    108 IP 10.10.211.181
     91 IP 10.10.1.30
      1 IP 10.10.1.50

21. Capture all the plaintext passwords

In this command we are focusing on standard plain text protocols and choosing to grep on anything user or password related. By selecting the -B5 option on grep the aim is to get the preceding 5 lines that may provide context around the captured password (hostname, ip address, system).

:~$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

22. DHCP Example

And our final tcpdump example is for monitoring DHCP request and reply. DHCP requests are seen on port 67 and the reply is on 68. Using the verbose parameter -v we get to see the protocol options and other details.

:~$ sudo tcpdump -v -n port 67 or 68

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:37:50.059662 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.059667 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.060780 IP (tos 0x0, ttl 64, id 53564, offset 0, flags [none], proto UDP (17), length 339)
    10.10.1.1.67 > 10.10.1.163.68: BOOTP/DHCP, Reply, length 311, xid 0xc9779c2a, Flags [none]
	  Your-IP 10.10.1.163
	  Server-IP 10.10.1.1
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: ACK
	    Server-ID Option 54, length 4: 10.10.1.1
	    Lease-Time Option 51, length 4: 86400
	    RN Option 58, length 4: 43200
	    RB Option 59, length 4: 75600
	    Subnet-Mask Option 1, length 4: 255.255.255.0
	    BR Option 28, length 4: 10.10.1.255
	    Domain-Name-Server Option 6, length 4: 10.10.1.1
	    Hostname Option 12, length 14: "test-ubuntu"
	    T252 Option 252, length 1: 10
	    Default-Gateway Option 3, length 4: 10.10.1.1

Wrapping Up

These tcpdump examples, tips and commands are intended to give you a base understanding of the possibilities. Depending on what you are trying to achieve there are many ways that you could go deeper or combine different capture filters to suit your requirements.

Combining tcpdump with Wireshark is a powerful combination, particularly when you wish to dig into full application layer sessions as the decoders can assemble the full stream. We recently did a major update to our Wireshark Tutorial.

Thanks for reading, check out the man page for more detail and if you have any comments or suggestions please drop me a note using the contact form. Happy Packet Analysis!


The post Tcpdump Examples appeared first on HackerTarget.com.

Using Nmap on Windows https://hackertarget.com/using-nmap-on-windows/ Thu, 24 May 2018 10:29:37 +0000 http://hackertarget.com/?p=3199

The post Using Nmap on Windows appeared first on HackerTarget.com.

Running Nmap on Windows is not as difficult or problematic as it was in the past. Nmap is supported on Windows 7 and higher with performance close to if not quite as good as Linux based operating systems. The majority of users still do use *nix based systems however a good number of people use it on Windows.

By installing Nmap on your Windows based systems you have access to the world's best port scanner for security testing and troubleshooting of network connectivity. In addition you have ncat available, a full featured version of netcat, a virtual swiss army knife for networks. I am a big fan of ncat and encourage any system administrator or techie to explore the options.

Installing Nmap for Windows

To install the Windows version of Nmap simply download the executable installer and click through the wizard. It is your standard Next | Next | Next | finish... all done. By default the Nmap installation directory will be added to the system path. With Nmap in your system path you are able to run nmap or ncat from any command window.

Screenshot of Nmap installation on Windows

It will run on all the more modern versions of Windows including Windows 7, 2008 and Windows 10. If you are running something older such as 2K or earlier you may run into problems, but if you are still on those platforms you already have problems...

If you would like to install from the zip file, there are a few additional configuration items you will have to be aware of and apply. These are all documented on the nmap installation page for Windows.

Nmap on the Windows Command Line

During a default installation of the Nmap Windows package the installation path will be added to the system path. So you are able to simply fire up a command prompt, and launch nmap. If you installed from the standalone zip file you will need to add the installation folder to the system path manually, through system properties.

As you can see the familiar Nmap command options appear after running the command. Access to the Nmap NSE scripts is available as are all the standard options.

Zenmap on Windows

Zenmap is an excellent GUI front-end to the Nmap core scanning engine. It has some pretty nifty features that are not available with the command line version, in particular the network topology map. This rivals commercial mapping tools that perform a similar function and is a nice feature.

It is also intuitive to browse through results from different hosts using Zenmap. There are options to save the results in standard Nmap format (.nmap) or as XML (.xml) for further processing. There does not appear to be an option to save in the standard Grep format (-oG).

Zenmap is available on Windows and Linux distributions, it can be a great introduction for those less familiar with the command line.

Testing SMB Security with Nmap NSE Scripts

Bundled with Nmap are addon scripts that perform all manner of functionality. Of note to those in a Windows environment are the 34 smb- scripts that are available. These allow enumeration of entities on Windows systems remotely using the Microsoft SMB protocol (port 445). Examples include smb-os-discovery, smb-enum-users and smb-brute.

There are also vulnerability detection scripts, for testing even the most recent high profile Windows vulnerabilities. Head over to the Nmap NSE scripts page for all the documentation and a list of the scripts.

smb-vuln-ms08-067 Test Microsoft Windows systems for the very popular remote code execution vulnerability known as MS08-067. For years this was the go-to exploit when using Metasploit. Note this check is dangerous and it may crash systems.
smb-vuln-ms10-054 Detect whether target machines are vulnerable to ms10-054 the SMB remote memory corruption vulnerability.
smb-vuln-ms10-061 Attempts to discover whether systems are vulnerable to ms10-061 Printer Spooler vulnerability.
smb-vuln-ms17-010 Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability ms17-010. The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.
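The XML output mentioned in the Zenmap section is the practical way to process results from these scripts across many hosts. As an added example that is not part of the original post, the following parses Nmap -oX output and reports each host's smb-vuln-* result together with the vulnerability state. The sample document is constructed to follow the shape Nmap uses for host script output (a `hostscript` element holding `script` elements, each with a `table` of `elem` entries whose `key="state"` entry carries the verdict); the addresses, table key and output text are sample values, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's -oX output for host scripts. Host 10.10.1.20
# is reported vulnerable, 10.10.1.21 is not, and 10.10.1.22 ran the script but produced
# no state (for example the SMB service was unreachable).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows (sample)"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE (sample)">
        <table key="ms17-010">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.1.21" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE (sample)">
        <table key="ms17-010">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.1.22" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="Could not connect to SMB (sample)"/>
    </hostscript>
  </host>
</nmaprun>
"""


def smb_vuln_results(xml_text):
    """Return (address, script id, state) for every smb-vuln-* host script result.
    state is the vulns library verdict (VULNERABLE, NOT VULNERABLE, ...) or UNKNOWN
    when the script ran but emitted no state element."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        hostscript = host.find("hostscript")
        if hostscript is None:
            continue
        for script in hostscript.findall("script"):
            script_id = script.get("id", "")
            if not script_id.startswith("smb-vuln-"):
                continue
            states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
            results.append((addr, script_id, states[0] if states else "UNKNOWN"))
    return results


def vulnerable_hosts(xml_text):
    """Sorted list of addresses with at least one script reporting exactly VULNERABLE."""
    return sorted({addr for addr, _, state in smb_vuln_results(xml_text)
                   if state == "VULNERABLE"})


if __name__ == "__main__":
    for addr, script_id, state in smb_vuln_results(SAMPLE_NMAP_XML):
        print(f"{addr:<12} {script_id:<22} {state}")
    print("vulnerable:", vulnerable_hosts(SAMPLE_NMAP_XML))
```

Keeping UNKNOWN as a distinct outcome matters in practice: a host that could not be checked is not the same as a host that checked clean, and a report that silently drops it will understate the exposure.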

Wrapping Up

Having access to both Nmap and ncat when on a Windows system is very convenient and lots of fun. There is an amazing number of tricks that can be done with ncat, whether you are troubleshooting, security testing or just need some network-fu during a penetration test.

There are now 588 Nmap NSE scripts; the capabilities these provide are another bonus for having Nmap installed on your Windows workstation. Using the bundled scripts there are a large number of shortcuts and tests that can be conducted that might otherwise be difficult without additional software installed.

Thanks for reading, we also have a tutorial and cheat sheet for those wanting to discover more about this excellent tool.


Wireshark Tutorial and Cheat Sheet https://hackertarget.com/wireshark-tutorial-and-cheat-sheet/ Sat, 19 May 2018 23:54:42 +0000 http://hackertarget.com/?p=808

The post Wireshark Tutorial and Cheat Sheet appeared first on HackerTarget.com.

Master network analysis with our Wireshark Tutorial and Cheat Sheet. Find immediate value with this powerful open source tool. Once you have everything up and running, read through the tips and tricks to understand ways to troubleshoot problems, find security issues and impress your colleagues.

Even a basic understanding of Wireshark usage and filters can be a time saver when you are troubleshooting network or application layer issues on the wire (or WIFI).

Examples to Understand the Power of Wireshark

Wireshark can be useful for many different tasks, whether you are a network engineer, security professional or system administrator. Here are a few example use cases:

Troubleshooting Network Connectivity

  • Visually understand packet loss
  • Review TCP retransmission
  • Graph high latency packet responses

Examination of Application Layer Sessions (even when encrypted by SSL/TLS see below)

  • View full HTTP session, seeing all headers and data for both requests and responses
  • View Telnet sessions, see passwords, commands entered and responses
  • View SMTP or POP3 traffic, reading emails off the wire

Troubleshoot DHCP issues with packet level data

  • Examine DHCP client broadcast
  • DHCP offer with address and options
  • Client requests for offered address
  • Ack of server acknowledging the request

Extract files from HTTP sessions

  • Export objects from HTTP such as javascript, images, or even executables.

Extract file from SMB sessions

  • Similar to the HTTP export option but able to extract files transferred over SMB, the ever present Microsoft File Sharing protocol.

Detection and Examination of Malware

  • Detect anomalous behaviour that could indicate malware
  • Search for unusual domains or IP address endpoints
  • Use IO graphs to discover regular connections (beacons) to command and control servers
  • Filter out the "normal" and find the unusual
  • Extract large DNS responses and other oddness which may indicate malware

Examination of Port Scans and Other Vulnerability Scan types

  • Understand what network traffic the vulnerability scanner is sending
  • Troubleshoot vulnerability checks to understand false positives and false negatives

These examples only scratch the surface of the possibilities. Continue reading through the tutorial and start getting more from this powerful tool.

Installation of Wireshark

Wireshark will run on a variety of operating systems and is not difficult to get up and running. We will touch on Ubuntu Linux, Centos and Windows.

Install on Ubuntu or Debian

#apt-get update
#apt-get install wireshark tshark

Install on Fedora or CentOS

#yum install wireshark-gnome

Install on Windows

Head over to the Wireshark Download page, grab the installation executable and run it to install. It is pretty straightforward; you will also be installing a packet capture driver, which allows the network card to enter promiscuous mode.

Getting Started with Filters

After running an initial capture you will see the standard layout and the packet details that can be viewed through the interface.

Once you have captured a HTTP session, stop the capture and try playing with some basic filters and the Analyze | Follow | HTTP Stream options.

The filters are easy to read and self explanatory. You simply enter these expressions into the filter bar (or on the command line if using tshark). A primary benefit of the filters is to remove the noise (traffic you don't want to see). As can be seen here you can filter on MAC address, IP address, Subnet or protocol. The easiest filter is to simply type http into the filter bar, only HTTP (tcp port 80) traffic will now be shown.

IP Address Filter Examples

ip.addr == 192.168.0.5
!(ip.addr == 192.168.0.0/24)

Protocol Filter Examples

tcp
udp
tcp.port == 80 || udp.port == 80
http
not arp and not (udp.port == 53)

Try generating a filter combination that shows all non HTTP and HTTPS traffic leaving your local system that is not destined for the local network. This is a good way to find software (malware even) that is communicating with the Internet using unusual protocols.

Follow the White Rabbit Stream

Once you have a number of packets showing HTTP you can select one and then Analyze | Follow | HTTP Stream from the drop down menu. This will show you an assembled HTTP session. In this new window you can see the HTTP request from the browser and HTTP response from the web server. Goal! You are now winning at Wireshark. Continue reading our Wireshark Tutorial for more advanced tips.

Wireshark Follow Stream Example Screenshot

Resolve DNS in Wireshark

By default Wireshark won't resolve the network addresses that it displays, showing only IP addresses. By changing an option in the preferences you can enable the resolution of IP addresses to network names. Just as with tcpdump, this will slow down the display of packets as the resolution has to take place. It is also important to understand that if you are doing a live capture the DNS requests from your Wireshark host will be additional traffic that you then might be capturing.

Edit | Preferences | Name Resolution | Enable Network Name Resolution

Tshark for the Command Line

If you haven't had a play with tshark, take a look at our tshark tutorial and filter examples. This program is often overlooked but is a great way to capture application layer sessions on a remote system. The advantage over tcpdump is the fact that you can capture and view application layer sessions on the fly, as the protocol decoders included in Wireshark are also available to tshark.

Build Firewall Rules

A quick way to generate command line firewall rules; this can save a few minutes Googling for different firewall syntax. Select a packet, then head up to Tools | Firewall ACL Rules. Rules can be generated for different firewall products such as Cisco IOS (standard and extended), ipfilter, ipfw, iptables, pf and even the Windows firewall using netsh.

Wireshark Firewall Rules generator screenshot

Wireshark GeoIP Mapping

As long as Wireshark has been compiled with GeoIP support and you have the Free Maxmind databases available you are able to resolve IP addresses to locations. Take a look at About | Wireshark to see what has been compiled with the version you are using. If you see GeoIP listed, make sure you have the GeoLite City, Country and ASNum databases in a directory on your system running Wireshark. Point to the location of the databases in Edit | Preferences | Name Resolution.

Test it by loading a capture and selecting Statistics | Endpoints | IPv4. The columns on the right should show the location and ASN information for the IP address.

Wireshark GeoIP example

Another function of the GeoIP feature is to filter traffic based on location using the ip.geoip display filter.

For example, to exclude traffic from an ASN you could use the following filter. ASN 63949 is the Linode block, so the filter displays only IP traffic not coming from that netblock.

ip and not ip.geoip.asnum == 63949

Of course, you can apply the same filter to city and country based queries, removing noise from your capture display and allowing you to focus on the packets you care about.

Decrypt SSL/TLS sessions

One way of decrypting SSL/TLS sessions is to use the private key of the server the client is connecting to. With this key you are able to decrypt the session and view the protocol under the SSL/TLS layer (for a browser session, for example, you could see the plain text HTTP).

Now you are not always going to have access to the server's private key. In this case there is another option for easily viewing the browser's SSL/TLS traffic from your local system. If Firefox or Chrome are launched with a special environment variable set, the individual SSL/TLS session symmetric keys will be logged to a file that Wireshark can read. With the keys Wireshark can show you the session fully decrypted, for the win!

1. Configure the Environment Variable

Linux / Mac

export SSLKEYLOGFILE=~/sslkeylogfile.log

Windows

Under advanced system settings, select Environment Variables and add the variable name (SSLKEYLOGFILE) with the variable value as the path to where you want the file saved.

2. Configure Wireshark

From the drop down menu select Edit | Preferences | Protocols | SSL | (Pre)-Master-Secret Log Filename -- Browse to the log file you placed in your environment variable.

Start a capture on your local system.

3. Restart Firefox or Chrome

After browsing to an HTTPS site, the log file should start to increase in size as it logs the symmetric session keys.

Take a look at the Wireshark session that was started earlier. You should see something resembling the image below, showing the decrypted sessions. The decrypted packets are shown in the tab in the bottom pane.

Wireshark Follow SSL Stream Screenshot

Another way to view the session is to use the analysis drop down and follow the stream. If the session has successfully been decrypted you will see the option for SSL under Stream.

Analysis | Follow | Stream | SSL

It goes without saying, but use caution when logging these keys and pcaps. Someone with access to the key log file and your pcap might very well find your passwords and authentication cookies within the pcap.
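A quick way to check that the browser is actually writing usable keys before you go hunting in Wireshark is to parse the key log file itself. The following is an added example, not code from the original post or from Wireshark; it assumes the NSS key log format Firefox and Chrome write (one `LABEL client_random secret` entry per line, with `#` comments), and the hex values in the sample are constructed, not real key material.

```python
"""Sanity-check an NSS key log file, the file that SSLKEYLOGFILE points at.

Added example, not code from the original post or from Wireshark. It assumes
the NSS key log format that Firefox and Chrome write and Wireshark reads:
one entry per line, "<LABEL> <client_random hex> <secret hex>", with
"#" comment lines. The sample below is constructed; the hex is not real key
material.
"""
import re

# Labels written by TLS 1.2 (one master secret per session) and TLS 1.3
# (several per-direction secrets per session, all keyed by the same
# client_random). Assumption: this is the label set Wireshark understands.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return (entries, problems).

    entries: list of (label, client_random bytes, secret bytes) for well-formed lines.
    problems: list of (line number, description) for lines Wireshark could not use.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            problems.append((lineno, "malformed line"))
            continue
        label, cr_hex, secret_hex = match.groups()
        if label not in TLS12_LABELS | TLS13_LABELS:
            problems.append((lineno, "unknown label " + label))
            continue
        if len(cr_hex) != 64:  # client_random is always 32 bytes
            problems.append((lineno, "client_random is not 32 bytes"))
            continue
        if label in TLS12_LABELS and len(secret_hex) != 96:  # 48-byte master secret
            problems.append((lineno, "master secret is not 48 bytes"))
            continue
        if label in TLS13_LABELS and len(secret_hex) not in (64, 96):  # SHA-256 / SHA-384 size
            problems.append((lineno, "TLS 1.3 secret is not 32 or 48 bytes"))
            continue
        entries.append((label, bytes.fromhex(cr_hex), bytes.fromhex(secret_hex)))
    return entries, problems


def summarize(entries):
    """Count sessions Wireshark can decrypt: TLS 1.2 needs CLIENT_RANDOM,
    TLS 1.3 application data needs both TRAFFIC_SECRET_0 entries."""
    labels_by_session = {}
    for label, client_random, _ in entries:
        labels_by_session.setdefault(client_random, set()).add(label)
    tls12 = sum(1 for labels in labels_by_session.values() if "CLIENT_RANDOM" in labels)
    tls13 = sum(
        1 for labels in labels_by_session.values()
        if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels
    )
    return {"sessions": len(labels_by_session), "tls12": tls12, "tls13_complete": tls13}


# Constructed sample key log: one TLS 1.2 session, one TLS 1.3 session,
# then two lines Wireshark would reject.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ff" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "11" * 32,
    "CLIENT_RANDOM abcd 1234",          # truncated write: too short to use
    "this is not a key log line",       # garbage
])

if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_KEYLOG)
    print(summarize(found))
    for lineno, why in bad:
        print("line %d: %s" % (lineno, why))
```

Point it at your real SSLKEYLOGFILE to see how many sessions the file covers; if the count stays at zero after browsing, the variable was not picked up by the browser process.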

Another option for getting at the underlying HTTP traffic is to use Burp Suite with its CA loaded in your browser. In this case the proxy decrypts the connection on the client side and then establishes a new SSL/TLS session to the server. There are many ways to man in the middle (mitm) yourself; these are two of the most straightforward.

Extract files from PCAP using Export (HTTP or SMB)

It is quite easy to extract files from a Wireshark capture using the export option.

File | Export Objects | HTTP

The new window will show any files that were found. In this window you can save individual files or save them all to a folder. A similar method can be used to extract files from SMB sessions, the Microsoft Server Message Block protocol that provides Windows file sharing.

Screenshot showing the Wireshark export file object Window

Right Hand Status Bar

Quickly jump to packets based on the colour of the main display. For example, to find Red - Errors you can see the red line noted in the right hand status bar and jump to that location with a click.

Wireshark Right Status Bar Screen shot

Sample PCAP's are readily available

If you are getting started with Wireshark and are looking for interesting packet captures to explore, the Wireshark Samples page is a great place to start. There are enough sample protocols to keep you busy for months, and a number of worm / exploit samples for those digging into Network Security Monitoring.

Setting up your Environment

A handy tip is to remember that the default console is highly configurable. You can add or remove columns, even adding something as simple as a UTC time column, which might be immediately useful if you are looking at historical pcaps.

The columns can be configured by going to Edit | Preferences | Appearance | Columns. In this area you can also change the layout, font and colors if you desire.

This video has good configuration tips for the environment, including troubleshooting tips and configurations for identifying issues through TCP sequence numbers.

capinfos

A handy command line tool that comes packaged with Wireshark is the capinfos binary. This command produces a summary of a pcap with statistics, start / finish times and other details. Simply run it as below, or use the table option -T to produce tab separated output that can be imported into a spreadsheet or parsed on the command line.

test@ubuntu:~$ capinfos test.pcap
File name:           test.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 262144 bytes
Number of packets:   341 k
File size:           449 MB
Data size:           444 MB
Capture duration:    3673.413779 seconds
First packet time:   2018-12-01 11:26:53.521929
Last packet time:    2018-12-01 12:28:06.935708
Data byte rate:      120 kBps
Data bit rate:       967 kbps
Average packet size: 1300.72 bytes
Average packet rate: 93 packets/s
SHA256:              989388128d676c329ccdbdec4ed221ab8ecffad81910a16f473ec2c2f54c5d6e
RIPEMD160:           0742b6bbc79735e57904008d6064cce7eb95abc9
SHA1:                d725b389bea044d6520470c8dab0de1598b01d89
Strict time order:   True
Number of interfaces in file: 1

Wrapping Up

This post was originally published in 2011 and has since undergone a major and much needed refresh. If you have any comments, improvements or tips to add to the Cheat Sheet, drop me a line on the Contact Page. Wireshark is one of those indispensable tools that many use but few actually master. The rabbit hole goes deep on this one.

Maltego Transforms https://hackertarget.com/maltego-transforms/ Fri, 30 Mar 2018 01:49:32 +0000

Creating Local Maltego Transforms for our DNS reconnaissance tools has been on my to do list for a while now. I am happy to say they are now available and it is a sweet way to perform infrastructure mapping from a domain.

What is Maltego?

Maltego is a cross platform application for performing link analysis. It discovers relationships between entities and builds a visual representation of different data with a graph based layout. A transform is a process that pulls new data related to an entity, automatically extending the graph.

Maltego is commonly used for reconnaissance in penetration testing engagements and open source intelligence analysis. It makes it possible to understand the relationships between infrastructure, services and even users when mapping an organisation's attack surface.

Using a Local Maltego Transform

There are two types of Transforms within Maltego: one runs on remote servers, the other runs locally on the system running Maltego. In the case of the Hacker Target Transforms, the transform runs locally but the data is pulled remotely from the Hacker Target API.

Installing the Hacker Target Maltego Transforms

To run the transforms you will need python installed along with the requests module, which retrieves the data over HTTP. I have not tested on Windows, only on Linux, but it should work on all platforms.

The installation is straightforward. Clone (or download) the git repository, place the files in a local directory, and add the Transforms to your Maltego installation, either manually or by using the mtz file (Maltego Configuration File).

Head over to our GitHub page to grab the necessary files and see the detailed installation instructions.

API Quota

With no API key set, you are limited in the number of requests you can perform each day. With a HackerTarget.com Membership this number can be increased. If you have a membership, remember to add your API key to the three transform files.

What data is available

Currently there are three transforms available, all based on host name enumeration, for the express purpose of discovering the attack surface of a target organisation.

  • GetHostNames.py - search against a domain and pull known subdomains
  • GetReverseIP.py - search against an IP address and retrieve other host records pointing to that IP
  • GetSharedDNS.py - search against a NS and get host records that are pointing to this NS server

Obviously this can be a circular process: as new hosts are discovered, resolve these to IP addresses and perform the reverse IP search; as new domains are discovered, search against these with the host name search.

Sounds great, but what does it look like?


Have Fun

Maltego is a fun way to explore targets. Whether you are penetration testing, running down bug bounties, researching an organisation's infrastructure or simply curious, you can get a lot of value from even the community version of Maltego (CE) and our free access to the API.

Cowrie Honeypot on Ubuntu https://hackertarget.com/cowrie-honeypot-ubuntu/ Tue, 20 Mar 2018 00:28:21 +0000

Cowrie is the new fork of the Kippo Honeypot. It has been updated with new features and provides emulation that records the session of an attacker. With this session recording you are able to get a better understanding of the attacker's tools, tactics and procedures (TTPs), a term that is increasingly used in Cyber Defence and Incident Response.

Our setup will be very close to a default installation of Cowrie. The host's SSH daemon will run on a high port (22222), Cowrie will run on 2222, and port 22 (default SSH) will be redirected to 2222 using iptables. So an SSH bot or attacker connecting to port 22 will be redirected to our honeypot on 2222. Confused? Take a look at the diagram.

A warning before we proceed. Honeypots are designed to allow access to a system by an attacker. This could result in compromise of the host if the honeypot has vulnerabilities or is mis-configured. Understand what you are doing and be very careful if running a honeypot anywhere near production kit.

Change Default SSH Port

Before installing Cowrie and its dependencies, let's move SSH to port 22222.

root@cowrie:~# vi /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22222

root@cowrie1:~# systemctl restart ssh
root@cowrie1:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-03-19 23:21:05 UTC; 5s ago
 Main PID: 9242 (sshd)
    Tasks: 1
   Memory: 1.3M
      CPU: 5ms
   CGroup: /system.slice/ssh.service
           └─9242 /usr/sbin/sshd -D

Mar 19 23:21:05 cowrie1 systemd[1]: Stopped OpenBSD Secure Shell server.
Mar 19 23:21:05 cowrie1 systemd[1]: Starting OpenBSD Secure Shell server...
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on 0.0.0.0 port 22222.
Mar 19 23:21:05 cowrie1 sshd[9242]: Server listening on :: port 22222.
Mar 19 23:21:05 cowrie1 systemd[1]: Started OpenBSD Secure Shell server.

root@cowrie1:~# netstat -nap | grep 2222
tcp        0      0 0.0.0.0:22222            0.0.0.0:*               LISTEN      9242/sshd
tcp6       0      0 :::22222                 :::*                    LISTEN      9242/sshd

We can see SSH is now listening on port 22222 from both the systemctl status and the netstat output.

Installation of Cowrie Honeypot on Ubuntu

Firstly we will run apt update as we are on a brand new Digital Ocean VPS. Then we will install dependencies and create a cowrie user; running a honeypot as root would be a bad idea.

root@cowrie:~# apt update
root@cowrie:~# apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
root@cowrie:~# adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1000) ...
Adding new user `cowrie' (1000) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root@cowrie1:~# su - cowrie
cowrie@cowrie1:~$

Ok, now let's grab the code for Cowrie using git.

cowrie@cowrie1:~$ git clone http://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 9340, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 9340 (delta 3), reused 2 (delta 0), pack-reused 9330
Receiving objects: 100% (9340/9340), 7.43 MiB | 2.32 MiB/s, done.
Resolving deltas: 100% (6415/6415), done.
Checking connectivity... done.
cowrie@cowrie1:~$

Now we will create a virtual environment for Python and Cowrie to run from:

cowrie@cowrie1:~$ cd cowrie
cowrie@cowrie:~/cowrie$ virtualenv cowrie-env
Running virtualenv with interpreter /usr/bin/python2
New python executable in /home/cowrie/cowrie/cowrie-env/bin/python2
Also creating executable in /home/cowrie/cowrie/cowrie-env/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
cowrie@cowrie1:~$

The next step is to activate the Python virtual environment and install the python packages that Cowrie needs to run.

cowrie@cowrie1:~/cowrie$ source cowrie-env/bin/activate
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade pip
Requirement already up-to-date: pip in ./cowrie-env/lib/python2.7/site-packages
(cowrie-env) cowrie@cowrie1:~/cowrie$ pip install --upgrade -r requirements.txt
Collecting twisted>=17.1.0 (from -r requirements.txt (line 1))
  Downloading Twisted-17.9.0.tar.bz2 (3.0MB)
    100% |████████████████████████████████| 3.0MB 403kB/s
Collecting cryptography>=0.9.1 (from -r requirements.txt (line 2))
  Downloading cryptography-2.2-cp27-cp27mu-manylinux1_x86_64.whl (2.2MB)
    100% |████████████████████████████████| 2.2MB 544kB/s
Collecting configparser (from -r requirements.txt (line 3))
  Downloading configparser-3.5.0.tar.gz
Collecting pyopenssl (from -r requirements.txt (line 4))
  Downloading pyOpenSSL-17.5.0-py2.py3-none-any.whl (53kB)
    100% |████████████████████████████████| 61kB 9.8MB/s
Collecting pyparsing (from -r requirements.txt (line 5))
  Downloading pyparsing-2.2.0-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting packaging (from -r requirements.txt (line 6))
  Downloading packaging-17.1-py2.py3-none-any.whl
Collecting appdirs>=1.4.0 (from -r requirements.txt (line 7))
  Downloading appdirs-1.4.3-py2.py3-none-any.whl
Collecting pyasn1_modules (from -r requirements.txt (line 8))
  Downloading pyasn1_modules-0.2.1-py2.py3-none-any.whl (60kB)
    100% |████████████████████████████████| 61kB 9.7MB/s
Collecting attrs (from -r requirements.txt (line 9))
  Downloading attrs-17.4.0-py2.py3-none-any.whl
Collecting service_identity (from -r requirements.txt (line 10))
  Downloading service_identity-17.0.0-py2.py3-none-any.whl
Collecting python-dateutil (from -r requirements.txt (line 11))
  Downloading python_dateutil-2.7.0-py2.py3-none-any.whl (207kB)
    100% |████████████████████████████████| 215kB 5.4MB/s
Collecting tftpy (from -r requirements.txt (line 12))
  Downloading tftpy-0.6.2.tar.gz
Collecting zope.interface>=3.6.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading zope.interface-4.4.3-cp27-cp27mu-manylinux1_x86_64.whl (170kB)
    100% |████████████████████████████████| 174kB 4.1MB/s
Collecting constantly>=15.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading constantly-15.1.0-py2.py3-none-any.whl
Collecting incremental>=16.10.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading incremental-17.5.0-py2.py3-none-any.whl
Collecting Automat>=0.3.0 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading Automat-0.6.0-py2.py3-none-any.whl
Collecting hyperlink>=17.1.1 (from twisted>=17.1.0->-r requirements.txt (line 1))
  Downloading hyperlink-18.0.0-py2.py3-none-any.whl
Collecting cffi>=1.7; platform_python_implementation != "PyPy" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading cffi-1.11.5-cp27-cp27mu-manylinux1_x86_64.whl (407kB)
    100% |████████████████████████████████| 409kB 3.0MB/s
Collecting enum34; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
    100% |████████████████████████████████| 102kB 9.7MB/s
Collecting idna>=2.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading idna-2.6-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 9.5MB/s
Collecting six>=1.4.1 (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading six-1.11.0-py2.py3-none-any.whl
Collecting ipaddress; python_version < "3" (from cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading ipaddress-1.0.19.tar.gz
Collecting pyasn1<0.5.0,>=0.4.1 (from pyasn1_modules->-r requirements.txt (line 8))
  Downloading pyasn1-0.4.2-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 9.4MB/s
Requirement already up-to-date: setuptools in ./cowrie-env/lib/python2.7/site-packages (from zope.interface>=3.6.0->twisted>=17.1.0->-r requirements.txt (line 1))
Collecting pycparser (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=0.9.1->-r requirements.txt (line 2))
  Downloading pycparser-2.18.tar.gz (245kB)
    100% |████████████████████████████████| 256kB 4.5MB/s
Building wheels for collected packages: twisted, configparser, tftpy, ipaddress, pycparser
  Running setup.py bdist_wheel for twisted ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/91/c7/95/0bb4d45bc4ed91375013e9b5f211ac3ebf4138d8858f84abbc
  Running setup.py bdist_wheel for configparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/1c/bd/b4/277af3f6c40645661b4cd1c21df26aca0f2e1e9714a1d4cda8
  Running setup.py bdist_wheel for tftpy ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/b6/6b/9a/4536837177d943f2aede676c74488f1dd6f2c3c7ef80f8c094
  Running setup.py bdist_wheel for ipaddress ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/d7/6b/69/666188e8101897abb2e115d408d139a372bdf6bfa7abb5aef5
  Running setup.py bdist_wheel for pycparser ... done
  Stored in directory: /home/cowrie/.cache/pip/wheels/95/14/9a/5e7b9024459d2a6600aaa64e0ba485325aff7a9ac7489db1b6
Successfully built twisted configparser tftpy ipaddress pycparser
Installing collected packages: zope.interface, constantly, incremental, attrs, six, Automat, idna, hyperlink, twisted, pycparser, cffi, enum34, asn1crypto, ipaddress, cryptography, configparser, pyopenssl, pyparsing, packaging, appdirs, pyasn1, pyasn1-modules, service-identity, python-dateutil, tftpy
Successfully installed Automat-0.6.0 appdirs-1.4.3 asn1crypto-0.24.0 attrs-17.4.0 cffi-1.11.5 configparser-3.5.0 constantly-15.1.0 cryptography-2.2 enum34-1.1.6 hyperlink-18.0.0 idna-2.6 incremental-17.5.0 ipaddress-1.0.19 packaging-17.1 pyasn1-0.4.2 pyasn1-modules-0.2.1 pycparser-2.18 pyopenssl-17.5.0 pyparsing-2.2.0 python-dateutil-2.7.0 service-identity-17.0.0 six-1.11.0 tftpy-0.6.2 twisted-17.9.0 zope.interface-4.4.3

Ok, that's the initial setup out of the way. Now we need to configure the Cowrie daemon and get started.

cp cowrie.cfg.dist cowrie.cfg

This creates a config file that we can edit and it won't be overwritten by updates.

Editing the configuration file, we will make a few changes from the defaults. Firstly I will change the hostname seen by an attacker after a successful login; keep it generic and non-obvious. Use vim or your favourite text editor to make these changes.

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = testserver5

The second change I will make is to enable telnet. SSH is enabled by default.

# Enable Telnet support, disabled by default
enabled = true

As you can see in the configuration there are many options and things to play with, from logging and alerting to fake addresses and file downloads.

Finally we are ready to start the daemon.

cowrie@cowrie:~/cowrie$ bin/cowrie start
Using default Python virtual environment "/home/cowrie/cowrie/cowrie-env"
Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid --logger cowrie.python.logfile.logger cowrie ]...

cowrie@cowrie:~/cowrie$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2223            0.0.0.0:*               LISTEN

From the netstat we can see the SSH and Telnet daemons of our honeypot listening on 2222 and 2223 respectively.

The last step is to redirect traffic for ports 22 and 23 to the high ports 2222 and 2223 using iptables.

root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
root@cowrie:~# iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223

Now it is just a waiting game. However, due to the amount of SSH scanning that takes place on the Internet you will not have to wait long.

cowrie@cowrie:~/cowrie$ tail -f log/cowrie.log

Within 5 minutes I could see SSH connections logging in and running commands within my Honeypot.
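Tailing the text log is fine for watching, but to get a defender's summary of what the honeypot is recording (who connected, which credentials were tried, what each session ran) it is easier to parse Cowrie's JSON log. The following is an added example, not code from the original post or from the Cowrie project; it assumes the JSON output plugin is enabled (writing log/cowrie.json, one object per line) and uses the eventid, src_ip, session, username, password, input, url and shasum fields that plugin writes. The log lines in it are constructed, not a real capture.

```python
"""Summarise attacker activity from Cowrie's JSON log.

Added example, not code from the original post or from the Cowrie project.
It assumes Cowrie's JSON output plugin is enabled (by default it writes
log/cowrie.json, one JSON object per line) and uses the eventid, src_ip,
session, username, password, input, url and shasum fields that plugin
writes. The log lines below are constructed, not a real capture.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: one session that logs in and runs commands, one that
# only fails authentication, and a truncated last line as left by a log
# that is still being written.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "session": "a1b2c3d4",
     "timestamp": "2018-03-19T23:30:01.000000Z"},
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "a1b2c3d4",
     "username": "root", "password": "admin"},
    {"eventid": "cowrie.login.success", "src_ip": "203.0.113.5", "session": "a1b2c3d4",
     "username": "root", "password": "123456"},
    {"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "session": "a1b2c3d4",
     "input": "uname -a"},
    {"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "session": "a1b2c3d4",
     "input": "cat /proc/cpuinfo"},
    {"eventid": "cowrie.session.closed", "src_ip": "203.0.113.5", "session": "a1b2c3d4"},
    {"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "e5f6a7b8"},
    {"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "e5f6a7b8",
     "username": "admin", "password": "admin"},
    {"eventid": "cowrie.session.closed", "src_ip": "198.51.100.7", "session": "e5f6a7b8"},
]) + '\n{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.9"'


def parse_events(text):
    """Return one dict per complete JSON line; an incomplete trailing line is skipped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except ValueError:
            continue  # partial line from a file still being written
    return events


def summarize(events):
    """Aggregate what a defender wants from a honeypot: who connected, which
    credentials were tried and which worked, and what each session did."""
    summary = {
        "connections": Counter(),       # src_ip -> number of sessions
        "failed_logins": Counter(),     # (username, password) -> attempts
        "successful_logins": Counter(), # (username, password) -> successes
        "commands": defaultdict(list),  # session -> commands in order
        "downloads": [],                # (src_ip, url, sha256)
    }
    for ev in events:
        eid = ev.get("eventid", "")
        src = ev.get("src_ip", "unknown")
        creds = (ev.get("username", ""), ev.get("password", ""))
        if eid == "cowrie.session.connect":
            summary["connections"][src] += 1
        elif eid == "cowrie.login.failed":
            summary["failed_logins"][creds] += 1
        elif eid == "cowrie.login.success":
            summary["successful_logins"][creds] += 1
        elif eid == "cowrie.command.input":
            summary["commands"][ev.get("session", "?")].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            summary["downloads"].append((src, ev.get("url"), ev.get("shasum")))
    return summary


def sessions_with_commands(summary):
    """Sessions that got past authentication and ran something are the ones
    worth replaying; return their ids sorted."""
    return sorted(s for s, cmds in summary["commands"].items() if cmds)


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    print("connections:", dict(report["connections"]))
    print("top failed credentials:", report["failed_logins"].most_common(3))
    for session in sessions_with_commands(report):
        print(session, "ran:", report["commands"][session])
```

Replace SAMPLE_LOG with the contents of log/cowrie.json to run it against your own honeypot; the session ids it lists are the ones whose recorded sessions are worth replaying.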

OSSEC Introduction and Installation Guide https://hackertarget.com/ossec-introduction-and-installation-guide/ Sat, 17 Mar 2018 08:20:53 +0000

OSSEC is a Host Based Intrusion Detection and Prevention system.

Best practice security management calls for a layered approach to security; security vulnerability scanning, a firewall, strong passwords, patch management and intrusion detection capabilities are all important layers. Using a HIDS allows you to have real time visibility into what security events are taking place on a server.

The latest version of OSSEC is easy to use and provides a high level of system surveillance for a small amount of effort.

OSSEC provides a number of functions:
  • Real time log monitoring
  • File integrity checking - detects changes to files and system paths
  • Rootkit detection
  • Changes to the system / running services (netstat) / disk space / password file changes
  • Real time blocking of detected attacks through firewall rule modification
  • Execute arbitrary commands based on specific events

At the most basic level you can install OSSEC, set an email address and let it do its job, alerting you to security related events on your server. It will not impact the system in any way; it simply provides security related visibility.

Tuning is easy, and you will likely only need to tune out a few things to reduce the number of alerts you receive, as the rate of false positives is very low.

Full installation instructions are available here http://www.ossec.net/docs/manual/installation/install-source.html

While the following information was written for an older version, the process has not changed for the latest version. Download the tar archive from the OSSEC site and get started.

Updated March 2018 to include the latest version of OSSEC. Our original OSSEC installation guide was released in 2009. It is still a favourite open source security tool that does what it is supposed to do really well.

A quick guide to installing on Ubuntu follows:

wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz

tar zxvf 2.9.3.tar.gz
cd ossec-hids-2.9.3
sudo ./install.sh

1. What kind of installation do you want (server, agent, local or help)?

* If you are doing a basic install to a single server select 'local'.
This creates a single install to monitor only the server you are
installing on. See the documentation on the site for details on
setting up multiple agents on a number of servers that all report back
to a server.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

   - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]:
  - What's your e-mail address?   -- enter your email address here

 - We found your SMTP server as: example.test.com.
  - Do you want to use it? (y/n) [y]: n

  - What's your SMTP server ip/host? enter your preferred smtp server here

 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
   (this is for file integrity checking, alerts you to changes to
files on your system)

  - Running syscheck (integrity check daemon).

 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
  (this checks for rootkits on a regular basis)

  - Running rootcheck (rootkit detection).

 3.4- Active response allows you to execute a specific
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.
      More information at:
      http://www.ossec.net/en/manual.html#active-response

  - Do you want to enable active response? (y/n) [y]:
(this can block attacks that meet certain rules)

If you select [y] yes for Active Response you are adding Intrusion Prevention capability. This is a good thing, but keep in mind it is a good idea to whitelist your own IPs, as you don't want active response to trigger against your IP and auto block your access. This could happen if you failed multiple ssh logins, or if you were to run a vulnerability scan against your IP, as OSSEC would detect this as an attack. Your IP would get blocked, and you would then be unable to ssh to your server, for example to manage it!

After compiling is complete you will be presented with final instructions:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
               /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
               /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at contact@ossec.net or using our public maillist at
   ossec-list@ossec.net
   ( http://www.ossec.net/main/support/ ).

   More information can be found at http://www.ossec.net

   ---  Press ENTER to finish (maybe more information below). ---

That's it, you're done. Just start it up with:

       /var/ossec/bin/ossec-control start

After your initial install you will get a number of alerts (assuming your SMTP is configured correctly): agent starting up, new user logged in and that sort of thing.

So for 15 minutes' work you now have real time security monitoring of your server. If you would like to test active response, try our online vulnerability scans and test your host's defence.

If you have active response enabled, vulnerability scanners will likely get blocked and the scan will not complete. To run a full scan against your system with active response enabled, add the scanning host to the OSSEC white-list (preferred) or disable OSSEC for the duration of the scan (not recommended); make sure you re-enable your protection after the scan completes.

DataSploit Tutorial https://hackertarget.com/datasploit-tutorial/ Sat, 17 Feb 2018 06:01:27 +0000

The post DataSploit Tutorial appeared first on HackerTarget.com.

]]>

What is DataSploit?

DataSploit is an open source intelligence collection tool. It is a simple way to dump data for a domain or other piece of metadata.

Running DataSploit from the command line, you simply enter an input to search on, or you can choose to import search targets from a text file.

A tutorial for getting started with DataSploit

DataSploit Installation

DataSploit is often used with the Kali Linux penetration testing distribution, and installing it within Kali or Ubuntu Linux is a simple process.

Ensure you have git and pip installed.

test@ubuntu:~/$ git clone https://github.com/datasploit/datasploit
test@ubuntu:~/$ cd datasploit
test@ubuntu:~/datasploit/$ pip install -r REQUIREMENTS
test@ubuntu:~/datasploit/$ mv sample-config.py config.py
test@ubuntu:~/datasploit/$ python datasploit.py -h
True
usage: datasploit.py [-h] [-i SINGLE_TARGET] [-f FILE_TARGET] [-a] [-q]
                     [-o OUTPUT]

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info

optional arguments:
  -h, --help            show this help message and exit
  -i SINGLE_TARGET, --input SINGLE_TARGET
                        Provide Input
  -f FILE_TARGET, --file FILE_TARGET
                        Provide Input
  -a, --active          Run Active Scan attacks
  -q, --quiet           Run scans in automated manner accepting default
                        answers
  -o OUTPUT, --output OUTPUT
                        Provide Destination Directory

              Connect at Social Media: @datasploit
                

Similar to recon-ng, you will need to configure API keys to get the full value from this tool. As different Internet resources are searched, the API key will allow you to get additional and more detailed data.

To add the API keys, enter them in the config.py file.

DataSploit as Python Module

A nice feature of this tool is the ability to load it as a Python module for use in your own Python tools. pip install datasploit will get you started; then head over to the Help Pages for more information.

Using DataSploit

From the command line you can simply run the tool with a single target parameter to find information on a single domain.

Rather than selecting which modules to use, the tool simply runs whatever modules are available and configured.

~/datasploit$ python datasploit.py -i microsoft.com
True

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info


Target: microsoft.com
Looks like a DOMAIN, running domainOsint...

[-] Skipping Googlepdf because it is marked as disabled.
[-] Skipping Zoomeye because it is marked as disabled.
---> Finding subdomains, will be back soon with list. 

 [+] Extracting subdomains from DNS Dumpster

 [+] Extracting subdomains Netcraft

 [+] Extracting subdomains from Certificate Transparency Reports

As you can see there is a subdomain search module for our own project DNSDumpster.

With a configured Shodan API key, we can dump subdomains for the target domain and these will then be searched for open ports and other scan data through the Shodan API.

** results snipped **
---> Wapplyzing web page of base domain:

Hitting HTTP and HTTPS:
[+] Third party libraries in Use for HTTP:
  Apache
  Google Analytics
  Google AdSense
  CentOS
[+] Third party libraries in Use for HTTPS:
  Apache
  Google Analytics
  Google AdSense
  CentOS

-----------------------------


---> Searching in Shodan:

IP: 77.xx.44.55
Hosts: [u'test.microsoft.com']
Domain: [u'test.microsoft.com']
Port: 80
Content-Type: text/html; charset=UTF-8
Location: {u'city': u'Fremont', u'region_code': u'CA', u'area_code': 510, u'longitude': -121.9829, u'country_code3': u'USA', u'country_name': u'United States', u'postal_code': u'94536', u'dma_code': 807, u'country_code': u'US', u'latitude': 37.56700000000001}

** results snipped **

While I have snipped most of the results above, there are a couple of interesting things to keep in mind.

In particular, the Wappalyzer module has pulled data on the HTML/JavaScript libraries of the main domain. These results have been gathered by querying the domain from your current Internet connection.

Active vs Passive vs Semi-Passive

Definitions can vary, but I generally categorize these types of reconnaissance as follows:

Active involves active probes against the target, including such things as port scanning. That is, sending traffic to the target that is not "normal", normal being a browser viewing a legitimate web page.

Passive indicates no packets are sent to the target network. All data collection is done through third party sites. These of course may then perform the query on your behalf, depending on the service.

Semi-Passive is the category I would place this tool in. That is, it does send traffic to the target, but only standard web browser requests, as seen in the Wappalyzer results.

The key takeaway here is that if you are doing OSINT research for incident response and wish to keep your local IP address from target web server logs you should use a VPS or other layer of anonymity.

Conclusion

DataSploit is a fast and easy tool that can gather a range of data very quickly with minimal configuration.

Go and grab the latest version and start testing. A good place to start testing is various bug bounty programs. By selecting a range of bug bounty programs you will be able to test the tool against a number of varied targets and you may even stumble upon an item of interest.

If you have any suggestions for improvement or have any questions related to this DataSploit Tutorial please get in contact.

Recon-NG Tutorial https://hackertarget.com/recon-ng-tutorial/ Fri, 16 Feb 2018 23:22:28 +0000 https://hackertarget.com/?p=9480

In this recon-ng tutorial you will discover open source intelligence and easily pivot to new results. Find targets and move to discovering vulnerabilities.

What is Recon-ng?

Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line you enter a shell like environment where you can configure options, perform recon and output results to different report types.

OSINT with our Recon-NG Tutorial
The interactive console provides a number of helpful features such as command completion and contextual help.

Recon-ng Installation

Recon-ng is often used with the Kali Linux penetration testing distribution, and installing it within Kali is a simple matter of apt-get install recon-ng.

For those wanting the very latest code on Ubuntu, the process is nearly as simple. Make sure you have git and pip installed.

test@ubuntu:~/$ git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
test@ubuntu:~/$ cd recon-ng
test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS
test@ubuntu:~/recon-ng/$ ./recon-ng

You should now be up and running, with the Recon-NG console loaded.

    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
        Sponsored by...           /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                      [recon-ng v4.9.3, Tim Tomes (@LaNMaSteR53)]                       

[75] Recon modules
[8]  Reporting modules
[2]  Import modules
[2]  Exploitation modules
[2]  Discovery modules

[recon-ng][default] > 

Above the splash screen you will get a screen of red errors; these are simply warnings that the API keys for those services are not populated. Many of the modules within recon-ng use web services that require an API key for full access to the data. The recon-ng wiki has a quick rundown of the keys and where to get them. This will save you time fussing about on each of the sites looking for the API signup page.

Using recon-ng

From the console it is easy to get help and get started with your recon.

Getting help is obvious: type help, and help for the different options is available by typing help -option-.

First, let's use the hackertarget module to gather some subdomains. This uses the hackertarget.com API and hostname search.

To use a module the syntax is use recon/$category/$module as seen below.

[recon-ng][default] > use recon/domains-hosts/hackertarget
[recon-ng][default][hackertarget] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][default][hackertarget] > set SOURCE teslamotors.com
SOURCE => teslamotors.com

I am using teslamotors.com as an example domain because they have a published bug bounty program and Teslas are cool. Simply type run to execute the module.

[recon-ng][default][hackertarget] > run

---------------
TESLAMOTORS.COM
---------------
[*] [host] email1.teslamotors.com (192.28.144.15)
[*] [host] originwww45.teslamotors.com (205.234.27.211)
[*] [host] storetest5.teslamotors.com (209.11.133.41)
[*] [host] lync.teslamotors.com (209.11.133.11)
[*] [host] epc.teslamotors.com (209.11.133.110)
[*] [host] upload.teslamotors.com (205.234.27.250)
[*] [host] evprd.teslamotors.com (205.234.27.199)
[*] [host] mta.e.teslamotors.com (68.232.192.245)
[*] [host] service.teslamotors.com (209.11.133.37)
[*] [host] extconfluence.teslamotors.com (209.11.133.50)
[*] [host] leaseappde.teslamotors.com (64.125.183.134)
[*] [host] rav4garage.teslamotors.com (209.11.133.16)
[*] [host] energystorage.teslamotors.com (209.10.208.24)
[*] [host] quickbase.teslamotors.com (205.234.27.246)
[*] [host] seg.teslamotors.com (209.10.208.32)
[*] [host] myteslastg.teslamotors.com (209.11.133.54)
[*] [host] cn.auth.teslamotors.com (211.147.80.202)
[*] [host] us.auth.teslamotors.com (209.10.208.27)
[*] [host] extconfl.teslamotors.com (209.11.133.50)
[*] [host] xmail.teslamotors.com (209.11.133.61)
[*] [host] externalssl.teslamotors.com (209.11.133.19)
[*] [host] storagesim.teslamotors.com (209.10.208.39)
[*] [host] japan.teslamotors.com (204.74.99.100)
[*] [host] xmailcn.teslamotors.com (211.147.80.203)
[*] [host] cnorigin.teslamotors.com (211.147.80.201)
[*] [host] wwworigin.teslamotors.com (209.11.133.106)
[*] [host] vpn.teslamotors.com (205.234.27.218)
[*] [host] sdlcvpn.teslamotors.com (209.10.208.55)
[*] [host] hkvpn.teslamotors.com (14.136.104.118)
[*] [host] cnvpn.teslamotors.com (211.147.88.104)
[*] [host] euvpn.teslamotors.com (149.14.82.93)
[*] [host] shop.teslamotors.com (205.234.27.221)
[*] [host] sftp.teslamotors.com (205.234.27.226)
[*] [host] externalsmtp.teslamotors.com (205.234.27.238)
[*] [host] supercharger.teslamotors.com (209.11.133.36)
[*] [host] ipaddocs.teslamotors.com (205.234.27.252)
[*] [host] extissues.teslamotors.com (209.11.133.35)
[*] [host] adfs.teslamotors.com (205.234.27.243)
[*] [host] mobileapps.teslamotors.com (205.234.27.196)
[*] [host] suppliers.teslamotors.com (209.10.208.37)
[*] [host] wechat.teslamotors.com (211.147.80.205)
[*] [host] myteslawduat.teslamotors.com (209.11.133.43)
[*] [host] wwwuat.teslamotors.com (205.234.27.225)
[*] [host] trt.teslamotors.com (209.10.208.20)
[*] [host] origintest.teslamotors.com (205.234.27.221)
[*] [host] wsext.teslamotors.com (209.11.133.49)
[*] [host] fleetview.teslamotors.com (209.10.208.31)
[*] [host] toolbox.teslamotors.com (209.11.133.107)
[*] [host] mobility.teslamotors.com (209.10.208.14)
[*] [host] eumobility.teslamotors.com (82.199.92.7)
[*] [host] wsproxy.teslamotors.com (205.234.27.212)
[*] [host] smswsproxy.teslamotors.com (205.234.27.197)

-------
SUMMARY
-------
[*] 52 total (52 new) hosts found.

Now we have begun to populate our hosts. Typing show hosts will give you a summary of the resources discovered.
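The host list above is the raw material for the next pivot, so here is an added example (not recon-ng code and not part of the original post) that parses the `[*] [host] name (ip)` lines the module prints and groups them by address and by /24 netblock. Hosts sharing one address (such as extconfluence and extconfl above) and the netblocks involved are exactly what the netblocks-* modules later take as input. The sample lines are a constructed subset of the teslamotors.com output shown above.

```python
"""Summarise recon-ng host output by IP address and /24 netblock.

Added example, not part of the Recon-NG post or of recon-ng itself. The
"[*] [host] name (ip)" lines recon-ng prints are parsed into (hostname, ip)
pairs and grouped; the sample output is a constructed subset of the run above.
"""
import ipaddress
import re
from collections import defaultdict

HOST_LINE = re.compile(r"^\[\*\] \[host\] (?P<name>\S+) \((?P<ip>[0-9.]+)\)$")

# Constructed sample: a handful of the lines from the module run above.
SAMPLE_OUTPUT = """\
[*] [host] extconfluence.teslamotors.com (209.11.133.50)
[*] [host] extconfl.teslamotors.com (209.11.133.50)
[*] [host] shop.teslamotors.com (205.234.27.221)
[*] [host] origintest.teslamotors.com (205.234.27.221)
[*] [host] vpn.teslamotors.com (205.234.27.218)
[*] [host] cn.auth.teslamotors.com (211.147.80.202)
[*] [host] xmailcn.teslamotors.com (211.147.80.203)
[*] [host] hkvpn.teslamotors.com (14.136.104.118)
[*] 8 total (8 new) hosts found.
"""


def parse_hosts(text):
    """Return a list of (hostname, ip) tuples, skipping non-host lines."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if not m:
            continue  # banner, summary and separator lines are ignored
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address: skip rather than crash the run
        hosts.append((m.group("name"), str(ip)))
    return hosts


def hosts_by_ip(hosts):
    """Group hostnames that resolve to the same address (aliases, vhosts)."""
    grouped = defaultdict(list)
    for name, ip in hosts:
        grouped[ip].append(name)
    return dict(grouped)


def hosts_by_netblock(hosts, prefix=24):
    """Group hostnames by /prefix network, the input the netblocks-* modules want."""
    grouped = defaultdict(list)
    for name, ip in hosts:
        net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        grouped[str(net)].append(name)
    return dict(grouped)


def shared_ips(hosts):
    """Addresses serving more than one hostname, most-shared first."""
    by_ip = hosts_by_ip(hosts)
    return sorted(((ip, names) for ip, names in by_ip.items() if len(names) > 1),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_OUTPUT)
    for net, names in sorted(hosts_by_netblock(found).items()):
        print(net, len(names), ", ".join(names))
    for ip, names in shared_ips(found):
        print("shared", ip, names)
```

Pipe a saved run into parse_hosts and the netblock view tells you which ranges belong to the target's own allocations and which are third-party hosting, which is worth knowing before pointing any active module at them.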

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option, as it allows you to query open ports on your discovered hosts without sending any packets to the target systems.

keys add shodan_api < insert shodan api key here > 

Recon-ng Modules

Typing show modules will display a list of all the modules, from which you can start following the white rabbit, exploring and getting deeper into recon and open source intelligence.

[recon-ng][default] > show modules

  Discovery
  ---------
    discovery/info_disclosure/cache_snoop
    discovery/info_disclosure/interesting_files

  Exploitation
  ------------
    exploitation/injection/command_injector
    exploitation/injection/xpath_bruter

  Import
  ------
    import/csv_file
    import/list

  Recon
  -----
    recon/companies-contacts/bing_linkedin_cache
    recon/companies-contacts/jigsaw/point_usage
    recon/companies-contacts/jigsaw/purchase_contact
    recon/companies-contacts/jigsaw/search_contacts
    recon/companies-multi/github_miner
    recon/companies-multi/whois_miner
    recon/contacts-contacts/mailtester
    recon/contacts-contacts/mangle
    recon/contacts-contacts/unmangle
    recon/contacts-credentials/hibp_breach
    recon/contacts-credentials/hibp_paste
    recon/contacts-domains/migrate_contacts
    recon/contacts-profiles/fullcontact
    recon/credentials-credentials/adobe
    recon/credentials-credentials/bozocrack
    recon/credentials-credentials/hashes_org
    recon/domains-contacts/metacrawler
    recon/domains-contacts/pgp_search
    recon/domains-contacts/whois_pocs
    recon/domains-credentials/pwnedlist/account_creds
    recon/domains-credentials/pwnedlist/api_usage
    recon/domains-credentials/pwnedlist/domain_creds
    recon/domains-credentials/pwnedlist/domain_ispwned
    recon/domains-credentials/pwnedlist/leak_lookup
    recon/domains-credentials/pwnedlist/leaks_dump
    recon/domains-domains/brute_suffix
    recon/domains-hosts/bing_domain_api
    recon/domains-hosts/bing_domain_web
    recon/domains-hosts/brute_hosts
    recon/domains-hosts/builtwith
    recon/domains-hosts/certificate_transparency
    recon/domains-hosts/google_site_api
    recon/domains-hosts/google_site_web
    recon/domains-hosts/hackertarget
    recon/domains-hosts/mx_spf_ip
    recon/domains-hosts/netcraft
    recon/domains-hosts/shodan_hostname
    recon/domains-hosts/ssl_san
    recon/domains-hosts/threatcrowd
    recon/domains-vulnerabilities/ghdb
    recon/domains-vulnerabilities/punkspider
    recon/domains-vulnerabilities/xssed
    recon/domains-vulnerabilities/xssposed
    recon/hosts-domains/migrate_hosts
    recon/hosts-hosts/bing_ip
    recon/hosts-hosts/freegeoip
    recon/hosts-hosts/ipinfodb
    recon/hosts-hosts/resolve
    recon/hosts-hosts/reverse_resolve
    recon/hosts-hosts/ssltools
    recon/hosts-locations/migrate_hosts
    recon/hosts-ports/shodan_ip
    recon/locations-locations/geocode
    recon/locations-locations/reverse_geocode
    recon/locations-pushpins/flickr
    recon/locations-pushpins/picasa
    recon/locations-pushpins/shodan
    recon/locations-pushpins/twitter
    recon/locations-pushpins/youtube
    recon/netblocks-companies/whois_orgs
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012
    recon/netblocks-ports/censysio
    recon/ports-hosts/migrate_ports
    recon/profiles-contacts/dev_diver
    recon/profiles-contacts/github_users
    recon/profiles-profiles/namechk
    recon/profiles-profiles/profiler
    recon/profiles-profiles/twitter_mentioned
    recon/profiles-profiles/twitter_mentions
    recon/profiles-repositories/github_repos
    recon/repositories-profiles/github_commits
    recon/repositories-vulnerabilities/gists_search
    recon/repositories-vulnerabilities/github_dorks

  Reporting
  ---------
    reporting/csv
    reporting/html
    reporting/json
    reporting/list
    reporting/proxifier
    reporting/pushpin
    reporting/xlsx
    reporting/xml

Conclusion

Recon-ng is a powerful tool that can be further explored by looking through the list of modules above. The help within the console is very clear, and with a bit of playing around it won't take long to become an expert.

Once you start to become more familiar with the layout of the tool you will discover options such as workspaces that allow you to segment based on organization or network.

The rise of bug bounties allows you to play with new tools and simply go and explore organizations' Internet-facing footprint. Have fun. Don't break the rules.
