Learn Information Gathering By Example

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing published here will tell you how to 0wn someone; these docs will help you understand how you got 0wnd.

Learn Information Gathering By Example

Postby Aelphaeis_Mangarae » Wed Aug 02, 2006 3:55 am

Information Gathering is usually the first step taken when Penetration testing.
It is indeed a very important part of Penetration testing, and no Penetration tester or Internet security enthusiast can be without the knowledge of how to successfully gather information on a target.
This white paper goes through the steps and tools you can use in order to successfully gather information on a target web server.
http://www.milw0rm.com/papers/76

Source Code To DNS Brute:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib, "ws2_32")
//dns_brute.c
//Coded By Aelphaeis Mangarae
//IRC: irc.efnet.org #d-u
//Email: adm1n1strat10n [AT] hotmail [DOT] com
//Xbox Live Gamer Tag: Aelphaeis
//Website: www.SecurZone.Org
/*Greetz To htek, HackJoeSite, FRSilent, Read101, tomchu, nic`, BSoD, r0rkty, Nitrous, SyS64738, Trash-80, morning_wood, Astharot, Fauley, Furax, PsAuX, SecurityWireless, SysSpider, Siegfried, fritz, darkt3ch, Predator/ill skillz, Alchemist, BioHunter, Digerati, digital-flow, butthead, spiderlance, FishNET, W--, nrs, IBMWarpst, Nixus, varu, z16bitseg, PTP, felosi, Mega~biTe, wicked/aera, Palmeiro, Kadafiu, sNKenjoi, tgo, melkor, mu-tiger, royal, Wex, ksv, GoTiT4FrE, CKD, Dr4g, Coldfisher, snx, skiddieleet, ProwL, drygol, kon, Iadnah, EwenG, belgther, sarkar112, str0ke and Kenny & Blake from GSO. */

/*
 * Windows-only program: reads candidate host names from a file, joins each
 * one to the domain given on the command line, resolves the result with
 * gethostbyname()/gethostbyaddr(), and sends up to four ICMP echo requests
 * to the first resolved address via the ICMP.DLL exports loaded at runtime.
 *
 * NOTE(review): this listing has several memory-safety and control-flow
 * defects that are called out inline below (the fixed-size `buffer`, the
 * `goto here` inside the read loop, the unchecked fopen(), and the per-
 * iteration FreeLibrary()/WSACleanup()). Treat it as a teaching example of
 * what to look for in a review, not as production code.
 */

// IP options block passed to / returned from IcmpSendEcho().
typedef struct tagIPINFO {
    u_char Ttl;           // Time To Live
    u_char Tos;           // Type Of Service
    u_char IPFlags;       // IP flags
    u_char OptSize;       // Size of options data
    u_char FAR *Options;  // Options data buffer
} IPINFO, *PIPINFO;

// Echo reply record filled in by IcmpSendEcho().
typedef struct tagICMPECHO {
    u_long Source;        // Source address
    u_long Status;        // IP status
    u_long RTTime;        // Round trip time in milliseconds
    u_short DataSize;     // Reply data size
    u_short Reserved;     // Unknown
    void FAR *pData;      // Reply data buffer
    IPINFO ipInfo;        // Reply options
} ICMPECHO, *PICMPECHO;

// ICMP.DLL Export Function Pointers (resolved with GetProcAddress() in main).
HANDLE (WINAPI *pIcmpCreateFile)(VOID);
BOOL (WINAPI *pIcmpCloseHandle)(HANDLE);
DWORD (WINAPI *pIcmpSendEcho) (HANDLE,DWORD,LPVOID,WORD,PIPINFO,LPVOID,DWORD,DWORD);

/*
 * Entry point.
 *   argv[1] - domain suffix appended to every line of the input file
 *   argv[2] - path of the input file, one candidate name per line
 * Returns 0 on every path except the over-long-domain check, which exit()s
 * with -1.
 */
int main(int argc, char *argv[]) {
    //Checks if enough arguments as passed
    if (argc != 3) {
        printf("DNS Brute - Coded by Aelphaeis Mangarae\n");
        printf("IRC: irc.efnet.org #d-u\n");
        printf("Email: adm1n1strat10n [AT] hotmail [DOT] com\n");
        printf("MSN Messenger: adm1n1strat10n [AT] hotmail [DOT] com\n");
        printf("Xbox Live Gamer Tag: Aelphaeis\n");
        printf("Website: www.SecurZone.Org\n");
        fprintf(stderr,"\nError: Incorrect Number Of Arguments Passed.\n");
        fprintf(stderr, "Usage Example: dns_brute.exe domain.com C:\\subdomains.txt\n");
        return 0;  // NOTE(review): a usage error still exits with status 0
    }
    WSADATA wsaData;         // WSADATA
    ICMPECHO icmpEcho;       // ICMP Echo reply buffer
    HANDLE hndlIcmp;         // LoadLibrary() handle to ICMP.DLL
    HANDLE hndlFile;         // Handle for IcmpCreateFile()
    LPHOSTENT pHost;         // Pointer to host entry structure
    struct in_addr iaDest;   // Internet address structure
    DWORD *dwAddress;        // IP Address
    IPINFO ipInfo;           // IP Options structure
    int nRet;                // General use return code
    DWORD dwRet;             // DWORD return code (assigned below but never read)
    int x;                   // Echo-request loop counter
    // Dynamically load the ICMP.DLL
    hndlIcmp = LoadLibrary("ICMP.DLL");
    if (hndlIcmp == NULL) {
        fprintf(stderr,"\nCould not load ICMP.DLL\n");
        return 0;
    }
    // Retrieve ICMP function pointers
    pIcmpCreateFile = (HANDLE (WINAPI *)(void)) GetProcAddress(hndlIcmp,"IcmpCreateFile");
    pIcmpCloseHandle = (BOOL (WINAPI *)(HANDLE)) GetProcAddress(hndlIcmp,"IcmpCloseHandle");
    pIcmpSendEcho = (DWORD (WINAPI *) (HANDLE,DWORD,LPVOID,WORD,PIPINFO,LPVOID,DWORD,DWORD)) GetProcAddress(hndlIcmp,"IcmpSendEcho");
    // Check all the function pointers
    if (pIcmpCreateFile == NULL || pIcmpCloseHandle == NULL || pIcmpSendEcho == NULL) {
        fprintf(stderr,"\nError getting ICMP proc address\n");
        FreeLibrary(hndlIcmp);
        return 0;
    }
    FILE *inputDNS;      // Input file; NOTE(review): never fclose()d on any path
    int count = 0;       // Incremented per line but never read
    char buffer[32];     // Holds one input line AND the appended domain (see overflow note below)
    char *domain;        // argv[1]
    char *path;          // argv[2]
    char *n;             // Position of the trailing '\n' in buffer, if any
    printf("DNS Brute - Coded by Aelphaeis Mangarae\n");
    printf("IRC: irc.efnet.org #d-u\n");
    printf("Email: adm1n1strat10n [AT] hotmail [DOT] com\n");
    printf("MSN Messenger: adm1n1strat10n [AT] hotmail [DOT] com\n");
    printf("Xbox Live Gamer Tag: Aelphaeis\n");
    printf("Usage Example: dns_brute.exe domain.com C:\\subdomains.txt\n");
    //Checks to see if the length of the domain is no more than 32 characters.
    //We wouldn't want a Buffer Overflow would we?
    //And yes I know your thinking "Who the hell is going to exploit dns brute?"
    // NOTE(review): this check does not prevent the overflow it is meant to.
    // `buffer` is 32 bytes and fgets() below may already have filled 31 of
    // them; strncat() then appends up to strlen(domain) more bytes (the
    // third argument of strncat is a copy count, not the destination size),
    // so any line longer than 32 - strlen(domain) - 1 characters writes past
    // the end of `buffer`. The bound would have to be on the combined length.
    if (strlen(argv[1]) > 32) {
        printf("Error: Domain passed is longer than 32 characters\n");
        exit(-1);  // exits without FreeLibrary(hndlIcmp); harmless at process exit
    }
    domain = argv[1];
    path = argv[2];
    //Opens file for reading
    inputDNS = fopen(path, "r");
    if ( inputDNS == NULL) {
        printf("Error Opening File.\n");
        // NOTE(review): no return here, so fgets() below is called with a
        // NULL stream when the file cannot be opened.
    }
    //Reads from file
    //This is also a piece of secure code.
    //The app doesn't read in anymore than the size of the buffer per line.
    // NOTE(review): fgets() itself is bounded, but the strncat() that
    // follows is not (see the note above the length check).
    while (fgets(buffer, sizeof(buffer), inputDNS) ) {
here:;   // NOTE(review): target of the `goto here` below; re-entering here
         // skips fgets(), so `buffer` keeps its previous contents.
        ++count;
        //Used to make sure fgets doesn't input a new line character
        if ((n = strchr(buffer, '\n')) != NULL) {
            *n = '\0';
        }
        //Joins the two strings together
        // No separator is inserted between the line and `domain`; each pass
        // through this statement appends `domain` again, which matters for
        // the `goto here` path below.
        strncat(buffer, domain, strlen(domain));
        printf("%s", buffer);
        printf("\n");
        // Init WinSock
        // NOTE(review): WSAStartup() is called once per input line (and
        // matched by WSACleanup() at the bottom of the loop); one call before
        // the loop would suffice.
        nRet = WSAStartup(0x0101, &wsaData );
        if (nRet) {
            fprintf(stderr,"\nWSAStartup() error: %d\n", nRet);
            WSACleanup();
            FreeLibrary(hndlIcmp);
            return 0;
        }
        // Check WinSock version
        if (0x0101 != wsaData.wVersion) {
            fprintf(stderr,"\nWinSock version 1.1 not supported\n");
            WSACleanup();
            FreeLibrary(hndlIcmp);
            return 0;
        }
        // Lookup destination
        // Use inet_addr() to determine if we're dealing with a name
        // or an address
        iaDest.s_addr = inet_addr(buffer);
        if (iaDest.s_addr == INADDR_NONE)
            pHost = gethostbyname(buffer);
        else
            pHost = gethostbyaddr((const char *)&iaDest, sizeof(struct in_addr), AF_INET);
        if (pHost == NULL) {
            // NOTE(review): reports argv[1] (the bare domain) rather than the
            // name actually looked up in `buffer`.
            fprintf(stderr, "\n%s not found\n", argv[1]);
            // NOTE(review): jumping back to `here:` does NOT read the next
            // line: the same `buffer` has `domain` appended once more, is
            // looked up again, and fails again, so a single unresolvable
            // name loops forever while growing `buffer` past its 32 bytes.
            // `continue;` would be the intended control flow.
            goto here; //We jump back up to where we were before
            //if the host we tried doesn't exist.
        }
        // Tell the user what we're doing
        printf("\nPinging %s [%s]", pHost->h_name, inet_ntoa((*(LPIN_ADDR)pHost->h_addr_list[0])));
        // Copy the IP address
        dwAddress = (DWORD *)(*pHost->h_addr_list);
        // Get an ICMP echo request handle
        hndlFile = pIcmpCreateFile();
        for (x = 0; x < 4; x++) {
            // Set some reasonable default values
            ipInfo.Ttl = 255;
            ipInfo.Tos = 0;
            ipInfo.IPFlags = 0;
            ipInfo.OptSize = 0;
            ipInfo.Options = NULL;
            //icmpEcho.ipInfo.Ttl = 256;
            // Request an ICMP echo
            dwRet = pIcmpSendEcho( hndlFile, // Handle from IcmpCreateFile()
                *dwAddress,                   // Destination IP address
                NULL,                         // Pointer to buffer to send
                0,                            // Size of buffer in bytes
                &ipInfo,                      // Request options
                &icmpEcho,                    // Reply buffer
                sizeof(struct tagICMPECHO),
                5000);                        // Time to wait in milliseconds
            // Print the results
            // NOTE(review): dwRet (number of replies) is not checked, so
            // icmpEcho is printed even when no reply was received.
            iaDest.s_addr = icmpEcho.Source;
            printf("\nReply from %s Time=%ldms TTL=%d", inet_ntoa(iaDest), icmpEcho.RTTime, icmpEcho.ipInfo.Ttl);
            if (icmpEcho.Status) {
                printf("\nError: icmpEcho.Status=%ld", icmpEcho.Status);
                break;
            }
        }
        printf("\n");
        // Close the echo request file handle
        pIcmpCloseHandle(hndlFile);
        // NOTE(review): the DLL is unloaded here, inside the loop, yet the
        // next iteration calls pIcmpCreateFile() through the stale pointer;
        // FreeLibrary()/WSACleanup() belong after the loop, paired with a
        // single LoadLibrary()/WSAStartup() before it.
        FreeLibrary(hndlIcmp);
        WSACleanup();
    }
    return 0;
}
