Showing posts with label Information Gathering. Show all posts

Extract email addresses from a given domain.

Yesterday I wrote a simple script that extracts e-mail addresses from a given domain. Addresses can be gathered from whois records, PGP key-server searches and the domain's own web pages; this script pulls out the addresses that appear on the pages of the specified site. BackTrack ships a tool for this, uberharvester, which has many features but takes a long time on small websites, whereas this script is fast on a small site. Its speed depends on the site's page load time and the number of pages.

The script works in two modes.

(1) In the first mode you supply the website's sitemap, so the script can crawl the listed pages one by one and extract the e-mail addresses.
For example, if the target website is fakesite.com, go to http://xml-sitemaps.com/, create a sitemap, download it in text format and save it in the same folder as the script.





(2) The second mode is automatic: you only supply the domain name, and the script crawls the domain, builds the sitemap itself and then extracts the addresses. This mode is much slower than the first.

If you want to download and use the script, go to the following link.

Penetration Tester `s Script | Bash script to extract email address from domain 

It is a bash script; rewriting it in Python would let you improve the crawling. I also added another simple script that sends an e-mail to each extracted address in turn.
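The sitemap mode described above, as an added Python example rather than the post's own bash script: it reads the sitemap (xml-sitemaps.com text format, one URL per line, or sitemap XML), fetches each page and collects addresses from both visible text and mailto: links, with a domain filter and a guard against asset names such as logo@2x.png. The sample sitemap and pages are constructed inline so it runs offline; fakesite.com is the post's placeholder domain, and fetch_http is the assumed live fetcher you would pass in against a real site.

```python
"""Sitemap-driven e-mail harvester (added example, not the post's bash script).

Mode 1 of the post: read a sitemap, fetch each listed page and collect the
addresses found on it, remembering which page each address came from.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Set

# Addresses written in text, plus mailto: links (which may carry ?subject=...).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.I)
# Asset names such as sprite@2x.png match EMAIL_RE but are not addresses.
JUNK_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".js")


def urls_from_sitemap(text: str) -> List[str]:
    """Accept the plain-text sitemap (one URL per line) or sitemap XML (<loc>)."""
    stripped = text.lstrip()
    if stripped.startswith("<"):
        root = ET.fromstring(stripped)
        # <urlset> uses a default namespace, so compare the local tag name only.
        return [el.text.strip() for el in root.iter()
                if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def extract_emails(html: str, domain_filter: Optional[str] = None) -> Set[str]:
    """Return normalised (lower-cased) addresses found in one page."""
    found = {m.group(1).strip().lower() for m in MAILTO_RE.finditer(html)}
    found |= {m.group(0).lower() for m in EMAIL_RE.finditer(html)}
    keep = set()
    for addr in found:
        if addr.endswith(JUNK_SUFFIXES):
            continue
        if domain_filter and not addr.endswith("@" + domain_filter.lower()):
            continue
        keep.add(addr)
    return keep


def fetch_http(url: str, timeout: float = 10.0) -> str:
    """Live fetcher for real use; the offline sample below uses a dict instead."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def harvest(sitemap_text: str, fetch: Callable[[str], str],
            domain_filter: Optional[str] = None) -> Dict[str, Set[str]]:
    """Map each address to the set of URLs it was seen on; unreachable pages are skipped."""
    results: Dict[str, Set[str]] = {}
    for url in urls_from_sitemap(sitemap_text):
        try:
            body = fetch(url)
        except Exception:  # timeout, 404, DNS failure: move on to the next page
            continue
        for addr in extract_emails(body, domain_filter):
            results.setdefault(addr, set()).add(url)
    return results


# Constructed sample data (fakesite.com is the placeholder domain from the post).
SAMPLE_SITEMAP = """http://fakesite.com/
http://fakesite.com/contact
http://fakesite.com/team
http://fakesite.com/missing
"""
SAMPLE_PAGES = {
    "http://fakesite.com/": '<html><img src="logo@2x.png"><p>Welcome</p></html>',
    "http://fakesite.com/contact": '<a href="mailto:Sales@FakeSite.com?subject=hi">Sales</a>'
                                   " or contact@fakesite.com",
    "http://fakesite.com/team": "<p>Press: press@fakesite.com. Partner: external@other.org</p>",
}

if __name__ == "__main__":
    hits = harvest(SAMPLE_SITEMAP, SAMPLE_PAGES.__getitem__, "fakesite.com")
    for addr, urls in sorted(hits.items()):
        print(addr, "<-", ", ".join(sorted(urls)))
```

For a live run replace `SAMPLE_PAGES.__getitem__` with `fetch_http` and drop the domain filter if you also want third-party addresses (partners, hosting providers) that the site mentions.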

Extract metadata from file in Backtrack

Metadata is stored in every document by the authoring application: user names, comments, creation date, modification date. Metadata is very important in computer forensics; members of the well-known hacker group Anonymous were arrested because of metadata, since they uploaded documents without clearing it. Reading metadata can therefore reveal a lot of juicy information.


Previously we saw how to extract metadata from a website with FOCA; metadata can also be extracted in BackTrack with exiftool.

If you want to write your own Python script, visit the blog's new Script section.

Exiftool can extract metadata from images, documents, videos and so on; most file formats are supported. It can also write metadata into documents, so use it to remove metadata before uploading a document.

How to use?
(1) If you are not using BackTrack, you can get exiftool from git. Ubuntu users, run the following in a terminal:
git clone https://github.com/pandastream/libimage-exiftool-perl-9.27.git exiftool
sudo apt-get install libarchive-zip-perl

(2) cd exiftool
(3) ./exiftool /path/to/file

Extract metadata from a PDF file:-

./exiftool /path/to/file.pdf

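To show what exiftool is reading in that PDF, here is an added Python example (not exiftool and not the blog's script) that parses the document Info dictionary the trailer points at and blanks its strings in place, padding with spaces so every byte offset in the xref table stays valid. The sample PDF is built inline with made-up metadata. Caveat for real scrubbing: a PDF can repeat the same fields in an XMP /Metadata stream and in incremental updates, and Office formats keep theirs in docProps/*.xml, so use exiftool -all= on the file (noting that exiftool writes PDFs as an incremental update, so the old values remain in the file until it is re-saved by another tool) or re-export the document rather than relying on this one-dictionary demo.

```python
"""PDF Info-dictionary reader and in-place scrubber (added example; not exiftool).

Shows where /Author, /Creator and /CreationDate live in a PDF and one way to
blank them without moving a single byte, so the xref table stays valid.
"""
import re
from typing import Dict, Optional, Tuple

# The trailer names the Info dictionary as an indirect reference: /Info 3 0 R
INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key (literal string), honouring backslash escapes inside the parentheses.
ENTRY_RE = re.compile(rb"/([A-Za-z]+)(\s*)\(((?:\\.|[^\\)])*)\)")


def info_object_span(pdf: bytes) -> Optional[Tuple[int, int]]:
    """Byte range of the body of '<num> <gen> obj ... endobj' named by /Info."""
    ref = INFO_REF_RE.search(pdf)
    if not ref:
        return None
    obj_re = re.compile(rb"(?<![0-9])" + ref.group(1) + rb"\s+" + ref.group(2)
                        + rb"\s+obj(.*?)endobj", re.S)
    obj = obj_re.search(pdf)
    return obj.span(1) if obj else None


def read_info(pdf: bytes) -> Dict[str, str]:
    """Return the literal-string entries of the Info dictionary, unescaped."""
    span = info_object_span(pdf)
    if span is None:
        return {}
    body = pdf[span[0]:span[1]]
    out: Dict[str, str] = {}
    for key, _ws, val in ENTRY_RE.findall(body):
        val = val.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out[key.decode("ascii")] = val.decode("latin-1")
    return out


def scrub_info(pdf: bytes) -> bytes:
    """Overwrite every Info string with spaces of the same length (offsets unchanged)."""
    span = info_object_span(pdf)
    if span is None:
        return pdf
    body = pdf[span[0]:span[1]]
    blanked = ENTRY_RE.sub(
        lambda m: b"/" + m.group(1) + m.group(2) + b"(" + b" " * len(m.group(3)) + b")", body)
    assert len(blanked) == len(body)  # the whole point: nothing moved
    return pdf[:span[0]] + blanked + pdf[span[1]:]


def build_sample_pdf(author: bytes, creator: bytes) -> bytes:
    """Constructed minimal PDF with a correct xref, standing in for a real document."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Author (" + author + b") /Creator (" + creator
        + b") /CreationDate (D:20130115093000Z) >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 3 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pdf(b"alice.smith", b"Microsoft Word 2010")
    print("before:", read_info(sample))
    print("after: ", read_info(scrub_info(sample)))
```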


Information Gathering Using FOCA

Last month I posted some tutorials on information gathering, the first step of a penetration test, and today we continue the series. BackTrack has most of the tools needed for penetration testing, but this one does not ship with it. It is a very powerful information-gathering tool called FOCA (Fingerprinting Organizations with Collected Archives). It is Windows-based; you can run it on Linux under Wine, but I used it on Windows. You can find "how to install FOCA in BackTrack?" here.


What kind of data can be found?

• Metadata:
  – Information stored to describe the document.
    For example: creator, organization, etc.
• Hidden information:
  – Information stored internally by programs and not editable by the user.
    For example: template paths, printers, database structure, etc.
• Lost data:
  – Information that ended up in the document through human mistake or negligence and was never intended to be there.
    For example: links to internal servers, data hidden by formatting, etc.

Download:-

(1) Go to the official website here.
(2) Enter a valid e-mail address at the end of the page and you will receive an e-mail containing the download link.
(3) Install FOCA by running the setup.

Sample example of FOCA:-

(1) Open FOCA and click Create new project.
(2) Enter a project name and the domain name, then click Create.


(3) On the right-hand side you can see the different file types that will be searched for in the given domain. Select the file types you want and click Search.

(4) As the image above shows, it finds documents on the domain through the Google and Bing search engines.


(5) Right-click a file and download it; then right-click it again and extract its metadata.

(6) On the left-hand side, click Metadata summary to see the information extracted from the documents: user names, software, creation dates, modification dates.
It can also discover DNS names of related domains and server details.

(7) It can also find other juicy information: known vulnerabilities, backups, directory listings, SQLi, svn, GHDB and much more.

It is just a simple tutorial, so download it, enjoy it and gather some critical information.

Open source Information Gathering tool - Maltego

Maltego is an open source intelligence and forensics application. It allows you to mine and gather information and represent it in a meaningful way. The words "open source" here mean that it gathers information from open sources; they do not mean that Maltego is open source software.

Maltego allows you to enumerate Internet infrastructure information, such as: 
Domain names
DNS names
Whois information
Network blocks
IP addresses

It can also be used to gather information about people, such as: 
Companies and organizations related to the person
E-mail address related to the person
Websites related to the person
Social networks related to the person
Phone numbers related to the person 
There are more than 70 transforms available in Maltego. A "transform" is one information-gathering step performed by Maltego.
 

Information Gathering using Public Resources


On the Internet, there are several public resources that can be used to collect
information regarding a target domain. The benefit of using these resources is that we don't generate network traffic to the target domain directly, so the target domain may not know about our activities. 

The following resources can be used:

(1)http://www.archive.org :-Contains an archive of websites. 

(2)http://www.domaintools.com:-Domain name intelligence. 

(3)http://serversniff.net:-Free "Swiss Army Knife" for networking,
serverchecks, and routing 

(4)http://centralops.net:-Free online network utilities: domain, e-mail,
browser, ping, traceroute, Whois, and so on. 

(5)http://www.robtex.com:- Allows you to search for domain and network
information. 

(6)http://www.pipl.com:-Allows you to search people on the Internet by first
and last name, city, state, and country. 

(7)http://yoname.com :-Allows you to search for people across social
networking sites and blogs. 

(8)http://wink.com:-Free search engine to find people by name, phone
number, e-mail, website, photo, and so on. 

(9)http://www.isearch.com:- Free search engine to find people by name, phone
number, and e-mail address. 

(10)http://www.tineye.com:- TinEye is a reverse image search engine. We can use
TinEye to find out where the image came from, how it is being used, if modified versions of the image exist, or to find higher resolution versions. 

(11)http://www.sec.gov/edgar.shtml :- To search for information regarding public listed companies in Securities and Exchange Commission.

Use NMAP as an Information gathering tool

Usually we use Nmap as a port scanner to find the open ports of a web server, but with its scripting engine we can also gather information about the victim. In this tutorial we use Nmap scripts to do exactly that.

(1) Use Nmap to locate the victim's IP address: Nmap ships several ip-geolocation-* scripts, and the wildcard below runs all of them.
nmap --script ip-geolocation-* host-name

As we can see, it shows the coordinates and location of our target.

(2) Use Nmap as a whois tool: the following command retrieves whois information about the victim (newer Nmap releases split this script into whois-ip and whois-domain).
nmap --script whois host-name



(3) Use Nmap for e-mail harvesting: there are two scripts for this.

  • http-google-email
  • http-email-harvest


http-email-harvest is in the official Nmap script repository. If you also want to search Google web results and Google Groups for addresses, download http-google-email from here; it is a third-party script that does not ship with Nmap.

Use the following command to find e-mail addresses:
nmap -p80 --script http-email-harvest host-name


(4) Use Nmap for DNS brute force: DNS records contain useful information about a website. There are many tools for this purpose, but Nmap can also run a simple DNS brute-force attack.

Use the following command:
nmap -p80 --script dns-brute host-name

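What dns-brute is doing under the hood, as an added Python example that is not Nmap's script: resolve each wordlist entry under the target domain in parallel, after first probing random labels to detect a wildcard record, because on a wildcard zone every guess "resolves" and the output is noise. The resolver is injectable: fake_resolver and SAMPLE_ZONE are constructed for an offline run, and system_resolver is the real one to pass in.

```python
"""DNS sub-domain brute force with wildcard filtering (added example; not dns-brute.nse).

The resolver is a plain callable so the sample run below needs no network.
"""
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], List[str]]  # name -> IPv4 addresses, [] when it does not resolve


def system_resolver(name: str) -> List[str]:
    """Real resolver using the OS stub resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def wildcard_ips(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Resolve random labels; whatever they return is the zone's wildcard answer."""
    ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        ips.update(resolve(f"{label}.{domain}"))
    return ips


def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver = system_resolver,
                workers: int = 8) -> Dict[str, List[str]]:
    """Return {fqdn: ips} for entries that resolve to something other than the wildcard."""
    wild = wildcard_ips(domain, resolve)
    names = [f"{w.strip()}.{domain}" for w in wordlist if w.strip() and not w.startswith("#")]
    found: Dict[str, List[str]] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for name, ips in zip(names, pool.map(resolve, names)):
            # A real host that shares the wildcard IP is dropped too; if that matters,
            # compare full record sets (MX, TXT, CNAME) rather than A records alone.
            real = [ip for ip in ips if ip not in wild]
            if real:
                found[name] = real
    return found


# Constructed zone for fakesite.com: three real names behind a catch-all wildcard.
SAMPLE_ZONE = {
    "www.fakesite.com": ["203.0.113.10"],
    "mail.fakesite.com": ["203.0.113.25"],
    "dev.fakesite.com": ["203.0.113.10"],
}
SAMPLE_WORDLIST = ["www", "mail", "dev", "vpn", "ftp", "# comment line", ""]


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in: known names answer normally, any other label hits the wildcard."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return ["203.0.113.99"] if name.endswith(".fakesite.com") else []


if __name__ == "__main__":
    for fqdn, ips in sorted(brute_force("fakesite.com", SAMPLE_WORDLIST, fake_resolver).items()):
        print(fqdn, ips)
```

Without the wildcard probe, vpn and ftp would both be reported as live hosts at 203.0.113.99; with it, only the three genuine names come back.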

(5) Discovering additional host names: a simple Nmap script finds other hosts that share the same IP address, which helps locate other web applications hosted on that IP.
Download the NSE script from here.

You can also use the script that ships with Nmap:
nmap --script http-robtex-reverse-ip --script-args http-robtex-reverse-ip.host='ip'

Pentbox installation & use:-


PenTBox is a security suite that packs security- and stability-testing tools for networks and systems. It is written in Ruby and oriented to GNU/Linux, but it runs on Windows, macOS and any system where Ruby works.

Main Features:-
- Cryptography tools
  • Base64 Encoder & Decoder
  • Multi-Digest (MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD-160)
  • Hash Password Cracker (MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD-160)
  • Secure Password Generator


- Network tools
  • Net DoS Tester
  • TCP port scanner
  • Honeypot
  • Fuzzer
  • DNS and host gathering
  • MAC address geolocation (samy.pl)


- Web
  • HTTP directory bruteforce
  • HTTP common files bruteforce


How to install pentbox?

As mentioned earlier, this framework runs on any system where Ruby works, so install Ruby first.

svn co https://pentbox.svn.sourceforge.net/svnroot/pentbox/trunk/ pentbox

cd pentbox

svn update

./pentbox.rb



Cryptography tool:-
During web application penetration tests we often come across Base64-encoded strings. They can contain important information, so a decoder belongs in our toolkit.

If we obtain a password only as a hash, pentbox has a built-in module that tries to recover the plaintext. These digests are one-way, so the module does not decrypt anything: it tries candidate passwords, hashes each one and compares the result with the target, and it succeeds only when the real password is among the candidates. It can also compute the hash of a plaintext. Supported hashes are MD5, SHA1, SHA256, SHA384, SHA512 and RIPEMD-160.

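What the multi-digest and hash "cracker" modules amount to, as an added Python example (not pentbox's own code): compute the listed digests of a string, guess the algorithm of an unknown digest from its hex length, and run a wordlist against it. SAMPLE_WORDLIST is constructed. This only works against unsalted, fast hashes like the ones pentbox lists; salted or iterated formats (bcrypt, PBKDF2, scrypt) defeat a plain wordlist loop and need a dedicated cracker.

```python
"""Multi-digest and wordlist hash cracker (added example; not pentbox's module).

Digests are one-way: a 'cracker' hashes candidates and compares, nothing more.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512", "ripemd160")
# Hex length narrows down the algorithm of an unknown unsalted digest.
BY_LENGTH = {32: ["md5"], 40: ["sha1", "ripemd160"], 64: ["sha256"],
             96: ["sha384"], 128: ["sha512"]}


def hex_digest(algo: str, text: str) -> Optional[str]:
    """Hex digest of text, or None if this build's OpenSSL lacks the algorithm."""
    try:
        return hashlib.new(algo, text.encode("utf-8")).hexdigest()
    except ValueError:  # ripemd160 is absent on some OpenSSL 3 builds
        return None


def digest_all(text: str) -> Dict[str, str]:
    """Multi-digest: every supported algorithm that is available here."""
    out: Dict[str, str] = {}
    for algo in ALGORITHMS:
        digest = hex_digest(algo, text)
        if digest is not None:
            out[algo] = digest
    return out


def guess_algorithms(hexhash: str) -> List[str]:
    return BY_LENGTH.get(len(hexhash.strip()), [])


def crack(hexhash: str, wordlist: Iterable[str],
          algorithms: Optional[Iterable[str]] = None) -> Optional[Tuple[str, str]]:
    """Return (algorithm, plaintext) for the first wordlist entry whose digest matches."""
    target = hexhash.strip().lower()
    algos = list(algorithms) if algorithms else guess_algorithms(target)
    for word in wordlist:
        word = word.rstrip("\r\n")  # wordlists come from files, one entry per line
        for algo in algos:
            if hex_digest(algo, word) == target:
                return algo, word
    return None


# Constructed wordlist; a real run would stream a file such as rockyou.txt.
SAMPLE_WORDLIST = ["123456", "admin", "letmein", "Password1", "qwerty"]

if __name__ == "__main__":
    unknown = hex_digest("sha256", "Password1")
    print("candidates:", guess_algorithms(unknown))
    print("cracked:", crack(unknown, SAMPLE_WORDLIST))
```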

Network tools:-
Available modules: Net DoS Tester, TCP port scanner, Honeypot, Fuzzer, DNS and host gathering, MAC address geolocation. For TCP port scanning use Nmap instead; it is the best tool for that job.
I like the DNS and host gathering module: it is very fast and responsive.


Web tools:-
This section contains two tools for information gathering:
HTTP directory brute-force (finds directories on the website)
HTTP common files brute-force

How to install & use Recon-ng?


Recon-ng is a true framework whose interface is modeled after the very popular and powerful Metasploit Framework. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.


Recon-ng is not intended to compete with any existing framework; it was designed exclusively for web-based reconnaissance. It can be used in social engineering engagements or for extracting information that exists on the web.

How to install Recon-ng ?
cd recon-ng
./recon-ng.py

Discovering contacts with Recon-ng
Type help in the framework to see a list of all the available commands.



There is a command named modules; typing it lists the modules we can use. The next image shows a sample of the available modules.

One of them is contacts_jigsaw. Jigsaw is a website similar to LinkedIn that holds a large database of business contacts. Say we want the contacts of a company listed on Jigsaw: load the module with load contacts_jigsaw and set the domain of interest.
Discovering additional domains of the same company
We can use the Google module to discover additional domains belonging to the same company; in this example I am using the netcraft module.


Recon-ng can also export the results as CSV or as an HTML file.


This tool is really simple to use, and it keeps every result in its database for later use. The report it generates is well formatted, and additional modules will be added to the framework in the future.