
Kali web penetration testing notes (3)

2016-06-12 00:26 351 views

Reconnaissance and Profiling the Web Server

This phase includes the following tasks:

IP address, subdomains, whois records, DNS servers, search engines

using Google, Bing, Yahoo, Shodan and archive.org

social networking sites: Facebook, Flickr, Instagram, Twitter, Maltego

Determining the physical location of the target using a GeoIP database and satellite images from Google Maps and Bing Maps

Spidering the web application and creating sitemaps: Burp Suite, HTTrack and ZAP

whois

Identifying hosts using DNS

Zone transfer using dig:

Brute force DNS records using Nmap: it makes use of the dictionary files vhosts-default.lst and vhosts-full.lst, which contain a large list of common hostnames:
nmap --script dns-brute --script-args dns-brute.domain=pentesting-lab.com


The Recon-ng tool, a framework for information gathering: **Recon-ng** uses many different sources to gather data: Google, Twitter and Shodan.

Scanning Phase:

Port scanning

Operating system fingerprinting

Web server version identification

Underlying infrastructure analysis

Application identification

Nmap:

--packet-trace (together with the different options for the port scan)

Evading firewalls and IPS using Nmap

ACK scan (-sA)

Hardcoded source port in firewall rules (--source-port)

Custom packet size (--data-length)

Custom MTU (--mtu)

MAC address spoofing (--spoof-mac)

Spotting a firewall using the bad checksum option in Nmap:
--badsum


Identifying the operating system using Nmap:
-O -v
(get a second opinion using a tool such as Amap)

Profiling the server

Application version fingerprinting

The Nmap version scan:
-sV -A


The --version-trace option will make Nmap print out debugging information about the version scanning and the underlying tests that run.

The Amap version scan: invoke Amap using the -bqv options, which only report the open ports, print the response received in ASCII, and print some detailed information related to it.

Fingerprinting the web application framework:

The HTTP header

The Whatweb scanner

BlindElephant: useful when conducting a penetration test of a content management system.

Identifying virtual hosts: when interacting with the website and crafting an attack for it, it becomes important to identify the type of hosting. If the IP address is hosting multiple websites, then you have to include the correct Host header value in your attacks or you won't get the desired results. This could also affect the other websites hosted on that IP address. Directly attacking the IP address will have undesirable results and will also affect the scope of the penetration test.

DNS tools such as dig and nslookup can be used to identify domains resolving to similar IP addresses.

www.my-ip-neighbors.com


The virtual host lookup module in Recon-ng

Identifying load balancers

Cookie-based load balancer

A few other ways to identify a device such as a load balancer are listed as follows:

Analyzing SSL differences

Redirecting to a different URL

DNS records for load balancers

Load balancer detector (lbd in Kali Linux)

Web application firewall (WAF) to thwart attacks: Wafw00f in Kali Linux is able to detect whether any WAF device exists in the path.

Scanning web servers for vulnerabilities and misconfigurations.

Identifying HTTP methods using Nmap (DELETE, PUT and TRACE should be disabled on the web server):
--script=http-methods.nse
By default, the script probes the target with a Mozilla user agent that also **reveals that the packet was generated by the Nmap scripting engine.** The user agent can be changed with the http.useragent script argument to hide any Nmap information from being leaked:
nmap --script=http-methods.nse --script-args http.useragent="Scan Done by Penetration testing team" 192.168.1.8

First, identify which methods are supported by the web server: use Netcat to open a connection to the web server and query it with the OPTIONS method.
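The same two points seen from the defender's side, as an added example that is not part of the original notes: a small check over constructed access-log lines (Apache/nginx combined format, an assumption) that flags the default Nmap scripting-engine user agent, OPTIONS probes, and attempts to use PUT, DELETE or TRACE, separating attempts the server rejected from ones it actually accepted.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic);
# the first three carry the default user agent of Nmap's scripting engine.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2016:00:26:01 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.5 - - [12/Jun/2016:00:26:01 +0800] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.5 - - [12/Jun/2016:00:26:02 +0800] "TRACE / HTTP/1.1" 405 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.7 - - [12/Jun/2016:00:27:10 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.9 - - [12/Jun/2016:00:28:30 +0800] "PUT /upload.php HTTP/1.1" 201 0 "-" "Scan Done by Penetration testing team"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

RISKY_METHODS = {"PUT", "DELETE", "TRACE"}   # should be disabled on a production web server
NSE_UA_MARKER = "Nmap Scripting Engine"      # present unless http.useragent was overridden


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request; 'reasons' names every rule that fired."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        reasons = []
        if NSE_UA_MARKER in rec["ua"]:
            reasons.append("nmap-nse-user-agent")
        if rec["method"] == "OPTIONS":
            reasons.append("options-probe")  # method enumeration, like the netcat OPTIONS query
        if rec["method"] in RISKY_METHODS:
            # A 2xx status means the server honoured the method: a hardening gap, not just a probe.
            accepted = rec["status"].startswith("2")
            reasons.append("risky-method-accepted" if accepted else "risky-method-attempt")
        if reasons:
            findings.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                             "status": rec["status"], "reasons": ",".join(reasons)})
    return findings


def probing_ips(findings: List[Dict[str, str]], threshold: int = 2) -> Set[str]:
    """Source addresses with at least `threshold` flagged requests, i.e. likely scanners."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}
```

On the sample, the PUT that returned 201 is the only "accepted" finding, which is the line an administrator would act on first.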

Testing web servers using auxiliary modules in Metasploit:

Dir_listing: determines whether directory browsing is enabled on the target

Dir_scanner

Enum_wayback:

Files_dir: used to scan the server for data leakage vulnerabilities by locating backups of configuration files and source code files.

http_login

robots_txt

webdav_scanner: this module can be used to find out whether WebDAV is enabled on the server, which basically turns the web server into a file server.

Automating scanning using the WMAP web scanner plugin in Metasploit:

define a site:
wmap_site -a <site name/IP address>


identify the site ID:
wmap_site -l


add the website as a target:
wmap_target -d 0


list the modules the tool is going to run:
wmap_run -t


start the scan:
wmap_run -e


Once the test is complete, you can check out the vulnerabilities found using the vulns command.

Vulnerability scanning and graphical reports: the skipfish web application scanner.

Spidering web applications

The burp spider
