http://www.milw0rm.com/papers/76

Information gathering is usually the first step of a penetration test.
It is a very important part of penetration testing: no penetration tester or security enthusiast can do without knowing how to gather information on a target successfully.
This white paper goes through the steps and tools you can use to gather information on a target web server.
Source Code To DNS Brute:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib, "ws2_32")
//dns_brute.c
//Coded By Aelphaeis Mangarae
//IRC: irc.efnet.org #d-u
//Email: adm1n1strat10n [AT] hotmail [DOT] com
//Xbox Live Gamer Tag: Aelphaeis
//Website: www.SecurZone.Org
/*Greetz To
htek, HackJoeSite, FRSilent, Read101, tomchu, nic`, BSoD, r0rkty, Nitrous,
SyS64738, Trash-80, morning_wood, Astharot, Fauley, Furax, PsAuX, SecurityWireless,
SysSpider, Siegfried, fritz, darkt3ch, Predator/ill skillz, Alchemist, BioHunter,
Digerati, digital-flow, butthead, spiderlance, FishNET, W--, nrs, IBMWarpst, Nixus,
varu, z16bitseg, PTP, felosi, Mega~biTe, wicked/aera, Palmeiro, Kadafiu, sNKenjoi,
tgo, melkor, mu-tiger, royal, Wex, ksv, GoTiT4FrE, CKD, Dr4g, Coldfisher, snx,
skiddieleet, ProwL, drygol, kon, Iadnah, EwenG, belgther, sarkar112,
str0ke and Kenny & Blake from GSO.
*/
/* IP-level options handed to IcmpSendEcho() as the request options
 * (main() fills Ttl=255 and zeroes the rest before each echo). The layout
 * is meant to mirror ICMP.DLL's IP_OPTION_INFORMATION; confirm against
 * icmpapi.h before changing field order or widths. */
typedef struct tagIPINFO
{
u_char Ttl; // Time To Live
u_char Tos; // Type Of Service
u_char IPFlags; // IP flags
u_char OptSize; // Size of options data
u_char FAR *Options; // Options data buffer
}IPINFO, *PIPINFO;
/* Reply record written by IcmpSendEcho(). main() reads Source (replying
 * address), Status (non-zero means the echo failed), RTTime and ipInfo.Ttl.
 * NOTE(review): this hand-written layout is expected to match ICMP.DLL's
 * ICMP_ECHO_REPLY; pointer width changes the size on 64-bit builds, so
 * verify it against icmpapi.h rather than trusting the comments here. */
typedef struct tagICMPECHO
{
u_long Source; // Source address
u_long Status; // IP status
u_long RTTime; // Round trip time in milliseconds
u_short DataSize; // Reply data size
u_short Reserved; // Unknown
void FAR *pData; // Reply data buffer
IPINFO ipInfo; // Reply options
}ICMPECHO, *PICMPECHO;
// ICMP.DLL Export Function Pointers
// Resolved at run time with GetProcAddress() in main(); NULL until then.
// They are only used from this file, so `static` would be appropriate.
HANDLE (WINAPI *pIcmpCreateFile)(VOID);
BOOL (WINAPI *pIcmpCloseHandle)(HANDLE);
// Arguments: icmp handle, destination IPv4 address, send buffer, send size,
// request options, reply buffer, reply buffer size, timeout in milliseconds.
DWORD (WINAPI *pIcmpSendEcho)
(HANDLE,DWORD,LPVOID,WORD,PIPINFO,LPVOID,DWORD,DWORD);
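enum {
    MAX_DOMAIN_LEN = 32,                                 /* longest accepted argv[1] */
    LINE_MAX_LEN = 128,                                  /* longest wordlist line kept per read */
    HOST_MAX_LEN = LINE_MAX_LEN + MAX_DOMAIN_LEN + 1,    /* "<prefix><domain>\0" always fits */
    PING_COUNT = 4,                                      /* echo requests per resolved host */
    PING_TIMEOUT_MS = 5000                               /* wait per echo request */
};

/* Prints the author banner shared by the usage and normal start-up paths. */
static void print_banner(void)
{
    printf("DNS Brute - Coded by Aelphaeis Mangarae\n");
    printf("IRC: irc.efnet.org #d-u\n");
    printf("Email: adm1n1strat10n [AT] hotmail [DOT] com\n");
    printf("MSN Messenger: adm1n1strat10n [AT] hotmail [DOT] com\n");
    printf("Xbox Live Gamer Tag: Aelphaeis\n");
}

/* Loads ICMP.DLL and resolves the three exports into the file-scope
 * function pointers. Returns the module handle, or NULL after printing
 * the reason to stderr (the module is already released in that case). */
static HMODULE load_icmp(void)
{
    HMODULE mod = LoadLibrary("ICMP.DLL");
    if (mod == NULL) {
        fprintf(stderr,"\nCould not load ICMP.DLL\n");
        return NULL;
    }
    pIcmpCreateFile = (HANDLE (WINAPI *)(void))
        GetProcAddress(mod,"IcmpCreateFile");
    pIcmpCloseHandle = (BOOL (WINAPI *)(HANDLE))
        GetProcAddress(mod,"IcmpCloseHandle");
    pIcmpSendEcho = (DWORD (WINAPI *)
        (HANDLE,DWORD,LPVOID,WORD,PIPINFO,LPVOID,DWORD,DWORD))
        GetProcAddress(mod,"IcmpSendEcho");
    if (pIcmpCreateFile == NULL ||
        pIcmpCloseHandle == NULL ||
        pIcmpSendEcho == NULL) {
        fprintf(stderr,"\nError getting ICMP proc address\n");
        FreeLibrary(mod);
        return NULL;
    }
    return mod;
}

/* Sends PING_COUNT ICMP echo requests to addr (network byte order) through
 * hndlFile and prints each reply. Stops at the first failed request. */
static void ping_address(HANDLE hndlFile, DWORD addr)
{
    int x;
    for (x = 0; x < PING_COUNT; x++) {
        IPINFO ipInfo;
        /* ICMP.DLL wants a reply buffer a little larger than the reply record
         * itself (the API docs ask for +8 bytes for IPv4) — keep the padding. */
        struct {
            ICMPECHO echo;
            unsigned char padding[8];
        } reply;
        struct in_addr iaSrc;
        DWORD dwRet;

        // Set some reasonable default values
        ipInfo.Ttl = 255;
        ipInfo.Tos = 0;
        ipInfo.IPFlags = 0;
        ipInfo.OptSize = 0;
        ipInfo.Options = NULL;
        /* Zero the reply so its fields are defined even if no reply arrives. */
        memset(&reply, 0, sizeof reply);

        dwRet = pIcmpSendEcho(
            hndlFile,           // Handle from IcmpCreateFile()
            addr,               // Destination IP address
            NULL,               // Pointer to buffer to send
            0,                  // Size of buffer in bytes
            &ipInfo,            // Request options
            &reply,             // Reply buffer
            sizeof reply,
            PING_TIMEOUT_MS);   // Time to wait in milliseconds
        if (dwRet == 0) {
            /* No reply. A timeout is reported in the reply's Status; other
             * failures only through GetLastError() (per the ICMP API docs). */
            unsigned long err = reply.echo.Status
                ? (unsigned long)reply.echo.Status
                : (unsigned long)GetLastError();
            printf("\nError: icmpEcho.Status=%lu", err);
            break;
        }
        iaSrc.s_addr = reply.echo.Source;
        printf("\nReply from %s Time=%lums TTL=%d",
               inet_ntoa(iaSrc),
               (unsigned long)reply.echo.RTTime,
               reply.echo.ipInfo.Ttl);
        if (reply.echo.Status) {
            printf("\nError: icmpEcho.Status=%lu",
                   (unsigned long)reply.echo.Status);
            break;
        }
    }
    printf("\n");
}

/* dns_brute: for every line of the wordlist argv[2], builds "<line><argv[1]>",
 * resolves it, and pings each host that resolves.
 *
 * Usage: dns_brute.exe domain.com C:\subdomains.txt
 * Returns 0 in every case except a too-long domain, which exit(-1)s, keeping
 * the exit codes of the original tool. All error paths release WinSock, the
 * wordlist and ICMP.DLL before returning. */
int main(int argc, char *argv[])
{
    WSADATA wsaData;            // WSADATA
    HMODULE hndlIcmp;           // LoadLibrary() handle to ICMP.DLL
    FILE *inputDNS;             // wordlist of sub-domain prefixes
    const char *domain;
    const char *path;
    char line[LINE_MAX_LEN];    // one wordlist line
    char host[HOST_MAX_LEN];    // "<line><domain>", built with a bounded write
    int nRet;                   // General use return code

    //Checks if enough arguments as passed
    if (argc != 3)
    {
        print_banner();
        printf("Website: www.SecurZone.Org\n");
        fprintf(stderr,"\nError: Incorrect Number Of Arguments Passed.\n");
        fprintf(stderr, "Usage Example: dns_brute.exe domain.com C:\\subdomains.txt\n");
        return 0;
    }

    // Dynamically load the ICMP.DLL and its exports
    hndlIcmp = load_icmp();
    if (hndlIcmp == NULL)
        return 0;

    print_banner();
    printf("Usage Example: dns_brute.exe domain.com C:\\subdomains.txt\n");

    domain = argv[1];
    path = argv[2];
    /* Bounding the domain is what makes host[] large enough for every
     * "<line><domain>" combination; see HOST_MAX_LEN. */
    if (strlen(domain) > MAX_DOMAIN_LEN)
    {
        printf("Error: Domain passed is longer than 32 characters\n");
        FreeLibrary(hndlIcmp);
        exit(-1);
    }

    //Opens file for reading; the original carried on with a NULL FILE*.
    inputDNS = fopen(path, "r");
    if (inputDNS == NULL)
    {
        printf("Error Opening File.\n");
        FreeLibrary(hndlIcmp);
        return 0;
    }

    // Init WinSock once for the whole run (not once per wordlist line)
    nRet = WSAStartup(0x0101, &wsaData);
    if (nRet)
    {
        fprintf(stderr,"\nWSAStartup() error: %d\n", nRet);
        fclose(inputDNS);
        FreeLibrary(hndlIcmp);
        return 0;
    }
    // Check WinSock version
    if (0x0101 != wsaData.wVersion)
    {
        fprintf(stderr,"\nWinSock version 1.1 not supported\n");
        WSACleanup();
        fclose(inputDNS);
        FreeLibrary(hndlIcmp);
        return 0;
    }

    while (fgets(line, sizeof line, inputDNS) != NULL)
    {
        LPHOSTENT pHost;        // Pointer to host entry structure
        struct in_addr iaDest;  // Internet address structure
        struct in_addr iaFirst; // first address of the resolved host
        HANDLE hndlFile;        // Handle for IcmpCreateFile()
        int written;

        /* A line longer than the buffer would otherwise be read back as
         * several separate prefixes; discard the rest of it instead. */
        if (strchr(line, '\n') == NULL)
        {
            int c;
            while ((c = fgetc(inputDNS)) != EOF && c != '\n')
                ;
        }
        // Strip the line terminator (CRLF wordlists included)
        line[strcspn(line, "\r\n")] = '\0';

        /* Bounded join into a fresh buffer each iteration; the original
         * strncat()ed the domain onto the 32-byte fgets buffer. */
        written = snprintf(host, sizeof host, "%s%s", line, domain);
        if (written < 0 || (size_t)written >= sizeof host)
            continue;
        printf("%s\n", host);

        // Lookup destination
        // Use inet_addr() to determine if we're dealing with a name
        // or an address
        iaDest.s_addr = inet_addr(host);
        if (iaDest.s_addr == INADDR_NONE)
            pHost = gethostbyname(host);
        else
            pHost = gethostbyaddr((const char *)&iaDest,
                                  sizeof(struct in_addr), AF_INET);
        if (pHost == NULL || pHost->h_addr_list[0] == NULL)
        {
            // Report the name actually tried, not argv[1]
            fprintf(stderr, "\n%s not found\n", host);
            continue;
        }

        // Copy the first IP address out of the hostent without an aliasing cast
        memcpy(&iaFirst, pHost->h_addr_list[0], sizeof iaFirst);
        // Tell the user what we're doing
        printf("\nPinging %s [%s]", pHost->h_name, inet_ntoa(iaFirst));

        // Get an ICMP echo request handle (INVALID_HANDLE_VALUE on failure
        // per the ICMP API docs)
        hndlFile = pIcmpCreateFile();
        if (hndlFile == INVALID_HANDLE_VALUE)
        {
            fprintf(stderr, "\nError: IcmpCreateFile failed (%lu)\n",
                    (unsigned long)GetLastError());
            continue;
        }
        ping_address(hndlFile, iaFirst.s_addr);
        // Close the echo request file handle
        pIcmpCloseHandle(hndlFile);
    }

    fclose(inputDNS);
    WSACleanup();
    FreeLibrary(hndlIcmp);
    return 0;
}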