Category: Footprinting

Posted on by

Google Hacking for beginners – Part 1

Hello, aspiring Ethical Hackers. In our previous blogpost on Footprinting, you learnt that hackers gather information about their targets using search engines. In this blogpost you will learn about Google Hacking or Google Dorking. Who doesn’t know what Google is. Just for this article’s sake, let me define what it is. Google is the most popular Search Engine that provides answers for anything we want, almost anything. Just a click away.

Google is already an awesome search engine but to make the search engine more precise it has some advanced operators. In other words, searching with some special operators allows Google to provide exact information we want. These are known as Google Dorks. The basic syntax of a Google Dork is,

Operator : term to search or URL

Ex: intitle:hackercool

Some of the important Google operators are.

  • intitle
  • allintitle
  • inurl
  • related
  • allintext
  • cache
  • define
  • allinurl
  • intext
  • site

Let’s learn about each of them in detail.

1. intitle

This query will return all the webpages which have term “hackercool” in the title of the webpage.

2. allintitle

Same as “intitle” but will show pages containing all the multiple keywords specified.

3. inurl

The “inurl” query returns all the webpages containing the specified keywords in their URL.

4. allinurl

Same as “inurl” but can be used to search for multiple keywords in the URL.

5. define

The “define” query can be used to search for a definition of any keyword you specify.  For example, let’s search for the definition of hackercoolmagazine.

6. related

The “related” dork of Google is used to search for a website similar to the site you specify.

For example, in the above image, we search for sites related to Facebook and Google has returned similar networking sites like Twitter, Pinterest, LinkedIN. Note that this google dorks only takes websites as keywords.

7. cache

The cache query returns the latest cached version of the website Google has stored. This dork too needs website as keyword.

8. intext

The “intext” query returns all the webpages having like specified “text” in their content.

9. allintext

The “allintext” query is same as “intext” but can be used to search webpages having multiple keywords in their content.

10. site

The “site” query is useful in limiting your search to a particular website.

Read Part 2 of Google Hacking.

Posted on by

Whois Footprinting for beginners

Hello aspiring Ethical Hackers. In this blogpost you will learn about Whois Footprinting. In our previous blogpost, you were given an introduction to Footprinting and types of Footprinting. Whois Footprinting is one type of footprinting. In my opinion, Whois footprinting is the first method of footprinting that should be used while starting information gathering.

What is Whois?

Whois is actually a protocol running on port 43. When you or any organization register a domain (eg: hackercoolmagazine.com), a record is created. This record is known as Whois record and is created by an organization called Internet Corporation for Assigned Names and Numbers (ICANN) which regulates domain name registration and ownership. Whois records are maintained by Regional Internet Registries (RIR’s). At present, there are five RTR’s allocated to particular regions.

  1. American Registry for Internet Numbers (ARIN)
  2. African Network Information Center (AFRINIC)
  3. Asia Pacific Network Information Center (APNIC)
  4. Reseaux IP Europeens Network Coordination Centre (RIPE)
  5. Latin American and Caribbean Network Information Center (LACNIC)

What information does Whois reveal?

Whois Lookup reveals information like the owner of the domain, contact details of domain owners, IP address network range used by the organization, domain name server and when a domain has been created and the date of its expiry.

How does it help in Pentesting?

Any business or organization has a website nowadays for which they have to register a domain (person or entity who registers a domain is known as a registrant, while a company registering the domain is known as registrar). So performing Whois Lookup can give anyone information about the domain which can be further used in footprinting.

Types of Whois Lookup

There are two types of Whois Lookup: Thin Whois and Thick Whois.

  1. Thin Whois: Thin Whois Lookup gives only the name of the whois server of the registrar of the domain.   
  2. Thick Whois: Thick Whois Lookup reveals complete information from all the registries for a particular domain.

Kali Linux has a default tool for whois lookup named “whois”. This is how to use it.

Given below are some other Whois Lookup tools.

  1. Whois Lookup (https://www.whois.com)
  2. ICANN Whois (https://whois.icann.org)
  3. MxToolBox (https://www.whois.com/whois/)
  4. Domain Tools (https://whois.domaintools.com)
  5. Who.is (https://who.is/)
Posted on by

Footprinting guide for beginners

Hello aspiring Ethical Hackers. In this blogpost you will learn about Footprinting or Reconnaissance. It is the first step of Ethical hacking. Although boring a bit, it is one of the most important stages of Ethical Hacking. This is because this stage lays the road to success or failure of the hack as it gives much needed information about the target system or organization.

Objectives Of Footprinting

In Reconnaissance, you gather as much information about the target organization that is useful in gaining access or to learn about the security posture of your organization depending on which color HAT you want to wear. Reconnaissance allows pen testers to reduce the area they need to focus, identify vulnerabilities and finally know about the security posture of the company.

What information does Reconnaissance reveal?

The following information can be collected from the Reconnaissance stage.

  1. Target organization’s network information including domains and sub-domains used by the organization.
  2. Blocks of IP addresses used by the organization that are accessible from outside. etc.
  3. Information about operating systems used by the web server OS, location of the Web server and in some cases user credentials.
  4. Information about the organization like the details of their employees, which include their names, addresses, Phone number, Personal email addresses etc

Types Of Footprinting

types of footprinting

There are two types of footprinting: Passive and Active.

1. Passive Footprinting:

In passive reconnaissance, information about the target organization is collected without actively without engaging with or any interaction with the target organization. This type of foot printing is very difficult as all the information needs to be collected from publicly available resources with search engines, job sites, social media, documents available in public domain etc. On the plus side, this type of foot printing allows pen testers to stay a bit confidential as it raises less suspicions on the target side.

2. Active Footprinting:

In Active reconnaissance, the attackers engage or interact with the target organization. This is simpler than passive reconnaissance as pen testers gets information directly from the target. On the flip side, the security guys at the target organization may already know your intent as it raises suspicions. Information will be collected about the target organization by scanning and enumerating target directly.

Techniques of Footprinting

The various techniques of Reconnaissance include,

Reconnaissance through Search Engines
Reconnaissance through Web Services
Website Footprinting
Email Footprinting
WhoIs Footprinting
DNS Footprinting
Network Reconnaissance
Metadata
Competitive Intelligence
Social Engineering Reconnaissance

Posted on by

Joomla enumeration with Metasploit

Hello, aspiring ethical hackers. In this article, you will learn how to perform Joomla enumeration with Metasploit. Although its share is less than WordPress in CMS usage, Joomla is still one of the top 5 used CMS. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Metasploit has some modules which can be used to enumerate a website using Joomla.

Version Detection

The first Metasploit module you will learn about is the version detection module of Joomla. Prior to starting Metasploit, we open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. We collect some.

Next, we start Metasploit and load the joomla_version auxiliary module given below. Type command “show options” to see the required options for this module.

We need to set two options for this module to do its job: RHOSTS (which are target IP addresses) and Targeturi. Set Targeturi as shown below. Coming to “RHOSTS” option, we copy and paste the IP addresses we got in our Shodan search giving space between each IP address as shown below.  Here I have given five IP addresses.

Check whether all options are set correctly by typing command “show options“.

All the options are set. Next, it’s time to run our exploit. Type command “run” and you will get the results as shown below.

As readers can see, the versions of Joomla running on the target machines are displayed.

Plugin Enumeration

Once we know the version of Joomla running on the target website, the next important information to find out is about the extensions installed on the target Joomla. Metasploit has a module for that too. Since the Joomla extensions or components are similar to WordPress plugins, this module is called as Joomla Plugin enumeration module. Load the module as shown below.

Just like the earlier module, this module too can be used to scan multiple targets at once. Set the IP addresses of targets as shown below with space between each IP address.

Next, execute the module.

joomla enumeration

As readers can see, all the plugins installed on the target Joomla site are displayed. But how does this module scan for plugins?  The list of plugins this module scans are in file  “usr/share/metasploit-framework/data/wordlists/joomla.txt”.  

If the plugin you want to scan for is not in this list, you can just add it manually by opening this file with any text editor.

Don’t forget to save changes after making them. I once again execute the module after applying changes and the result is shown below.

Webpage Enumeration

Metasploit also has a module for enumerating webpages on the Joomla target. This module can be useful in viewing pages of a Joomla website that can give further information about the website. Load the module as shown below.  Type command “show options” to see the options we need to set.

We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

Execute the exploit. We will get the result as shown below.

As readers can see, this module enumerated the webpages of our target. That is how we can perform Joomla enumeration with Metasploit. Read how to perform WordPress enumeration with Metasploit.

Posted on by

Banner grabbing for beginners

Hello, aspiring ethical hackers. In this blogpost, you will learn about banner grabbing. Banner grabbing plays a very important role in ethical hacking for penetration testers and hackers alike. To understand what is banner grabbing, you need to understand what is a banner first.

What is a Banner?

A banner is the information displayed by software or service running on a specific port. This information involves the type of software running, version of the software running etc. This information is displayed by default by every software running for marketing purposes.

What is Banner grabbing?

Banner grabbing as its name implies, is grabbing this banner. A banner when displayed to a common user may provide information to the user. In the same way, by grabbing this banner, hackers and penetration testers can get information about the software running on it and the version of the software running. This allows them to search or research for any vulnerabilities in the software.

Types of Banner grabbing

Banner grabbing can be performed in two ways: Active & passive.

  1. Active banner grabbing: In active banner grabbing, a hacker or penetration tester interacts with the software & target services to grab the banner.
  2. Passive banner grabbing: In passive banner grabbing, a hacker or penetration tester doesn’t interact with the target service while grabbing the banner. This can be done by packet sniffing on the network traffic of the network.

Although banner grabbing can be performed on almost all services running on all ports, the most common services that are used for banner grabbing are,

FTP-Port 21
SSH-Port 23
SMTP-Port 22
HTTP-Port 80

Tools used for Banner grabbing:

  1. Telnet, wget, curl etc

Apache:

Imagine I have set up a website named www.shunya.com on an Apache server. A hacker can easily find Information about the web server in different ways. For example, a hacker can visit the website and and try to open a webpage which is not existent on my server, like below.

banner grabbing

In the above example, hacker tried to open page named “admin.php” which was not available on my server and in turn the server responded with a type of web server, the target OS and the scripting language. This is giving out too much information.

The traditional and popular way of fingerprinting is through telnet. A hacker opens command line or terminal. and types the command “telnet www.shunya.com 80″. When the screen goes black, type “HEAD / HTTP/1.0″ and this will give the server information.

There are also many fingerprinting tools available. I am gonna show you only one, Id serve. Let’s see how to banner grab using Id serve.

Now what are the preventive measures we can take in Apache server to disable or atleast prevent fingerprinting to some extent. Apache web server has a configuration file called “httpd.conf” where we can make changes to fight fingerprinting. Go to httpd.conf and change the value of the option “Server Signature  to off”. This will not display any information about server when an nonexistent page has been accessed.

In the httpd.conf file, changing the value of “Server Tokens” from “Full” to “Prod” will only show the minimum server information as shown below.

This still discloses that our web server is Apache but it doesn’t show the version. In Kautilya’s words this is delaying the march of enemy. Here are the options we set.

IIS 8:

Now imagine we changed our www.shunya.com website from Apache server to the latest version of Microsoft web server, IIS 8. To prevent error pages form revealing any information in IIS server, we can set custom error pages.  Now let’s use IDserve tool to fingerprint the IIS 8 server.

It shows the server version. Now how can we prevent this. Microsoft provides a tool named UrlScan freely available for download which can be used easily to process HTTP requests. Download this tool and install it. ( See how to configure Urlscan for IIS 7.5 and IIS 8 ). Then go to the configuration file of UrlScan, “UrlScan.ini” located at “C:WindowsSystem32inetservUrlscan” by default and change the value of “RemoveServerHeader’ from “0″ to “1″.

This will not reveal the server version information as shown below.

We can further mislead the attacker by setting our server name to some other value different than our original one. This can be done by setting the value of “RemoveServerHeader” to “0 “and changing the value of “AlternateServerName” to the value we want to specify ( in our example Nginx ).

So when the attacker tries to fingerprint our website, he will be misleaded.

Note: Taking this preventive measures will not stop a determined hacker to find out our server information.

That’s all in webserver banner grabbing and countermeasures.