Bypass The Security: May 2014

Friday 2 May 2014

Reconnaissance

Penetration Testing Reconnaissance

We want to begin a pen test by reviewing the target’s website. We can use a tool called HTTrack to make a page-by-page copy of the website. HTTrack is a free program that creates an identical, off-line copy of the target website. The copied website will include all the pages, links, pictures, and code from the original website; however, it will reside on your local computer. Using a website copying tool like HTTrack allows us to explore and thoroughly mine the website “off-line” without having to spend additional time traipsing around on the company’s web server.

To install HTTrack, open the console and type:
sudo apt-get install httrack
Once it is installed, begin HTTrack by typing httrack in the console:


Next, name your project whatever you want. Select a path where you want to save the off-line copy. I just left it as default (/home/websites). Just hit enter to leave it as such. Then enter the site you want to copy. (Please do not copy my site… Thanks!)


Pick an action you want. If you want to copy the site, press 1 then enter. HTTrack has a few options for you to pick from including a proxy to help cover your tracks. I am just using the basics for demonstration. I recommend you use a proxy when doing a real pen test.


After HTTrack finishes, you will have a complete off-line copy of the target site which you can review for information.


The Harvester
The Harvester is a simple Python script written by Christian Martorella at Edge Security. This tool allows us to quickly catalog both e-mail addresses and subdomains that are directly related to the target system.
The Harvester can be used to search Google and Bing for e-mails, hosts, and subdomains. It can also search LinkedIn for user names. Oftentimes you will find an email address, which could double as a login or user-name.
To use the Harvester, first type in your console:
root@bt:~# cd /pentest/enumeration/theharvester
root@bt:~# ./theHarvester.py -d backtracktutorials.com -l 10 -b google
-d is used to specify the target domain.
A lowercase -l (that’s ‘L’ not a ‘1’) is used to limit the number of results returned to us. In this case, the tool was instructed to return only 10 results. The -b is used to specify what public repository we want to search. We can choose among Google, Bing, PGP, or LinkedIn.

I scanned my own domain and didn’t find anything… yet!






Medusa

Exploitation

Medusa is a log-in brute forcer that attempts to gain access to remote services by guessing at the user password. Medusa is capable of attacking a large number of remote services including FTP, HTTP, MySQL, Telnet, VNC, Web Form, and more. In order to use Medusa, you need several pieces of information including the target IP address, a username or username list that you are attempting to log in as, a password or dictionary file containing multiple passwords to use when logging in, and the name of the service you are attempting to authenticate with.
Medusa comes installed on Backtrack 5. However, if you are using a different version of Backtrack without Medusa, type:
apt-get update
apt-get install medusa
When using online password crackers, the potential for success can be greatly increased if you combine this attack with information gathered from reconnaissance and scanning. An example of this is when you find usernames, passwords, and email addresses. Programs like Medusa will take a username and password list and keep guessing until they have used all the passwords. Be aware that some remote access systems employ a password throttling technique that can limit the number of unsuccessful log-ins you are allowed. Your IP address can be blocked or the username can be locked out if you enter too many incorrect guesses.
Backtrack includes a few word lists that you can use for your brute forcing adventures. You can find one list at:
/pentest/passwords/wordlists/



In order to execute the brute-force attack, you open a terminal and type the following:
medusa -h target_ip -u username -P path_to_password_dictionary -M service_to_attack
“-h” is used to specify the IP address of the target host. The “-u” is used for a single username that Medusa will use to attempt log-ins. “-P” is used to specify an entire list containing multiple passwords. The “-P” needs to be followed by the actual location or path to the dictionary file. The “-M” switch is used to specify which service we want to attack.

Here I launch an attack against my own ssh server.
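
Seen from the server's side, a run like this appears as a burst of failed logins from one source, which is what the throttling and lockout controls mentioned above react to. The Python below is an added example, not part of the original post: it scans constructed sshd log lines and flags sources that exceed a failure threshold inside a sliding time window. The function name, threshold, window and log year are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines (not from a real host); the addresses are
# from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
May  2 10:00:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
May  2 10:00:02 srv sshd[2103]: Failed password for root from 203.0.113.7 port 40124 ssh2
May  2 10:00:03 srv sshd[2105]: Failed password for root from 203.0.113.7 port 40126 ssh2
May  2 10:00:05 srv sshd[2107]: Failed password for root from 203.0.113.7 port 40128 ssh2
May  2 10:00:06 srv sshd[2109]: Failed password for root from 203.0.113.7 port 40130 ssh2
May  2 10:03:10 srv sshd[2140]: Failed password for alice from 198.51.100.20 port 51514 ssh2
May  2 10:09:40 srv sshd[2152]: Failed password for alice from 198.51.100.20 port 51530 ssh2
May  2 10:09:55 srv sshd[2153]: Accepted password for alice from 198.51.100.20 port 51532 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5, window_s=60, year=2014):
    """Return {src_ip: sorted usernames tried} for every source with at
    least `threshold` failed logins inside a `window_s`-second window."""
    recent = defaultdict(deque)   # src_ip -> failure times still in window
    users = defaultdict(set)      # src_ip -> usernames it has tried
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons
        stamp, user, src = m.groups()
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            flagged[src] = sorted(users[src])
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

One username tried many times from a single address within seconds is the signature of the -u/-P dictionary run described above; the slower, occasional failures from the second address stay below the threshold.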
More to come!