
Quick Hits (Googling for vulnerabilities)

In document CyberWar-AOCO-2014 (Page 24-34)

Using Google for finding vulnerabilities

Lab 4a: Google for generic Database errors

site:example.com "Microsoft OLE DB Provider for SQL Server"

site:example.com "Microsoft JET Database Engine"

site:example.com "Type mismatch"

site:example.com "You have an error in your SQL syntax"

site:example.com "Invalid SQL statement or JDBC"

site:example.com "DorisDuke error"

site:example.com "OleDbException"

site:example.com "JasperException"

site:example.com "Fatal Error"

site:example.com "supplied argument is not a valid MySQL"

site:example.com "mysql_"

site:example.com ODBC

site:example.com JDBC

site:example.com ORA-00921

site:example.com ADODB

Lab 4b: Google for generic RFIs

site:example.com ".php" "file="

site:example.com ".php" "folder="

site:example.com ".php" "path="

site:example.com ".php" "style="

site:example.com ".php" "template="

site:example.com ".php" "PHP_PATH="

site:example.com ".php" "doc="

site:example.com ".php" "document="

site:example.com ".php" "document_root="

site:example.com ".php" "pg="

site:example.com ".php" "pdf="

site:example.com ".php" "page="

site:example.com ".php" "inc="

site:example.com ".php" "dir="

site:example.com ".php" "frame="

site:example.com ".php" "swf="

site:example.com ".php" "host="
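Labs 4a and 4b both rely on search engines having indexed pages that leak verbose database errors or expose file-inclusion style parameters. The same signatures can be used from the other side: the script below (an added example, not part of the course material) walks a set of your own site's URLs and response bodies and flags pages that contain the Lab 4a error strings or that use the Lab 4b parameter names on a .php URL, so the leaks can be fixed before a search engine finds them. The page bodies and URLs in SAMPLE_PAGES are constructed test data; the broad Lab 4a terms ("mysql_", "Fatal Error", "Type mismatch") are deliberately left out of the signature list because they match far too much ordinary content.

```python
"""Added example (not course code): audit your own pages for the verbose
database error strings (Lab 4a) and file-inclusion style query parameters
(Lab 4b) that the Google dorks above search for.  SAMPLE_PAGES is
constructed test data; in real use the bodies would come from a crawl of
your own site."""
from urllib.parse import parse_qs, urlparse

# Response-body signatures from Lab 4a.  The very generic ones
# ("mysql_", "Fatal Error", "Type mismatch") are omitted to limit noise.
DB_ERROR_SIGNATURES = [
    "Microsoft OLE DB Provider for SQL Server",
    "Microsoft JET Database Engine",
    "You have an error in your SQL syntax",
    "Invalid SQL statement or JDBC",
    "OleDbException",
    "JasperException",
    "supplied argument is not a valid MySQL",
    "ORA-00921",
]

# Query parameter names from Lab 4b that are commonly used to load a file,
# template or page and therefore deserve a look for inclusion bugs.
INCLUSION_PARAMS = {
    "file", "folder", "path", "style", "template", "PHP_PATH", "doc",
    "document", "document_root", "pg", "pdf", "page", "inc", "dir",
    "frame", "swf", "host",
}


def find_error_leaks(body):
    """Return the Lab 4a signatures present in a response body (case-insensitive)."""
    lowered = body.lower()
    return [sig for sig in DB_ERROR_SIGNATURES if sig.lower() in lowered]


def find_inclusion_params(url):
    """Return the Lab 4b parameter names used on a .php URL, sorted by name."""
    parsed = urlparse(url)
    if not parsed.path.lower().endswith(".php"):
        return []
    names = parse_qs(parsed.query, keep_blank_values=True)
    return sorted(name for name in names if name in INCLUSION_PARAMS)


def audit(pages):
    """pages: mapping of URL -> response body.  Returns one finding per page
    that leaks an error string or exposes an inclusion-style parameter."""
    findings = []
    for url, body in pages.items():
        leaks = find_error_leaks(body)
        params = find_inclusion_params(url)
        if leaks or params:
            findings.append({"url": url, "error_leaks": leaks,
                             "inclusion_params": params})
    return findings


# Constructed sample crawl: two leaky pages, one risky parameter, one clean page.
SAMPLE_PAGES = {
    "http://example.com/products.php?id=5":
        "<html><p>You have an error in your SQL syntax; check the manual"
        " that corresponds to your MySQL server version</p></html>",
    "http://example.com/index.php?page=about":
        "<html><h1>About us</h1></html>",
    "http://example.com/report.asp?id=3":
        "Microsoft OLE DB Provider for SQL Server error '80040e14'",
    "http://example.com/contact.html":
        "<html><h1>Contact</h1></html>",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGES):
        print(finding)
```

Running it prints one finding each for products.php (SQL syntax error leaked), index.php (a page= parameter worth reviewing) and report.asp (OLE DB error leaked); contact.html is silent.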

Strategic Security, Inc. © http://strategicsec.com/

Lab 4c: Check for XSS at xssed.com:

http://xssed.com/search?key=example.com


Lab 5: 3rd Party Scanning and scanning via proxies

Lab 5a: Shodan

http://www.shodanhq.com/

Create an account and login. Must have an account to use filters.

net:129.188.8.0/24

Lab 5b: Proxyfinder.pl

Proxyfinder.pl is a Perl script that will scrape "multiproxy" or "samair" to get you as many proxies as you specify. You can then use these proxies with Proxychains.

perl proxyfinder-0.3.pl multiproxy 10 results.txt


This step takes some time, upwards of an hour. It has to go through every proxy and make sure that it is alive. Once it's done, copy the contents of your results.txt file into your /etc/proxychains.conf. Make sure to copy and paste them into the appropriate section.

Lab 5c: Tor/Tor-resolve

We can even use tor-resolve to resolve host name information.

tor &

(this starts TOR - it should already be running on your VM)

Open up another tab to resolve the hostname:

tor-resolve strategicsec.com


Lab 5d: Proxychains/Proxyresolv

Proxychains is in the repositories for many of the current Linux distros.

Let’s see what we can do. Start tor, then run the following command:

proxyresolv <hostname>

Proxyresolv is used to resolve host names via a proxy or TOR.

Now let's port scan a machine through proxychains. Because proxychains can only relay full TCP connections, the scan uses a TCP connect scan (-sT), skips host discovery (-PN) and disables DNS resolution (-n) so that no ICMP probes or DNS lookups leave outside the proxy chain:

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 [ip address/ip range]


We can even run Nikto through proxychains:

cd toolz/nikto-2.1.1/

proxychains perl nikto.pl -Cgidirs all -o google_nikto.txt -host www.google.com

Lab 5e: Port scanning through PHP proxies

In previous labs we’ve seen the use of the SOCKS proxy. In this lab we will be looking at a trend that seems to be growing in popularity, PHP proxies. Sensepost has a tool called “glypeahead” that allows us


Download the tool from: http://www.sensepost.com/research/glypeahead/

Once you’ve downloaded and unzipped the file you will be greeted with a directory containing 3 files and a directory. What we are really interested in is the config.php and the application itself.

The config.php file is where you will specify what site you would like to scan

It’s in this section that you can also specify what ports you want glypeahead to scan. At the bottom of the configuration file, you can also specify what proxies you would like glypeahead to use.

You can get a list of glype proxies from the following link: http://www.azproxies.com/proxy-lists/glype-web-proxies.html

Make sure that when you put in the proxies you end with index.php otherwise glypeahead will error out.


Of course, you can always add more proxies. You do not have to limit yourself to only two. The same goes for the sites, you can always change the ports to whatever you want to scan for. I left them the same for simplicity. This is what you’ll get when everything works out fine.

GlypeAhead needs to be fed the config.php file


Lab 6: Nessus through Tor

Register & Download Nessus

Register for a free account to download a copy of HomeFeed Nessus vulnerability scanner at http://www.nessus.org/products/nessus/nessus-download-agreement

Installing Nessus

This installation is performed on the Ubuntu x86 machine. Follow the instructions to install Nessus on other platforms

Initial Account Setup

Open a browser on your machine and go to https://localhost:8834

You will be asked to create an administrative account to manage Nessus. In this example, we will create an account “admin” with the password “password1”. Click “Next” and proceed with the rest of the setup process.


After Nessus has been installed, execute the following command to tunnel all incoming connections to the target address via Tor's SOCKS server:

socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:<target ip address>:80,socksport=9050

Now run a Nessus scan against “localhost”

Finally, once it's completed, look over the report.
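The socat line above, like proxychains in Lab 5d and tor-resolve in Lab 5c, talks to Tor's local SOCKS port, and it helps to know exactly what goes over that socket, both when a tunnel refuses to come up and when you are looking through captured traffic for unexpected proxy use. The script below is an added example, not course code or part of socat or Tor: it builds and decodes the SOCKS4 CONNECT request (RFC-style layout: VN=4, CD, DSTPORT, DSTIP, USERID, NUL) including the SOCKS4a hostname form (DSTIP 0.0.0.x with the name appended) that lets the proxy resolve names instead of the client, and decodes the 8-byte reply. The addresses and byte strings are constructed samples.

```python
"""Added example (not course code or part of socat/Tor): build and decode
SOCKS4 / SOCKS4a CONNECT requests and replies of the kind a client sends
to Tor's SOCKS port (127.0.0.1:9050).  All sample values are constructed."""
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
REPLY_GRANTED = 90          # CD 0x5a in the reply; 91-93 are rejections


def build_connect(host, port, userid=b""):
    """Return the SOCKS4 CONNECT request for host:port.

    A dotted-quad host goes in DSTIP directly.  A hostname uses the SOCKS4a
    form (DSTIP = 0.0.0.1, name appended after the USERID NUL) so that the
    proxy resolves it; with Tor this keeps the DNS lookup inside the circuit
    instead of leaking it from the client."""
    header = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port)
    try:
        dstip = socket.inet_aton(host)
        return header + dstip + userid + b"\x00"
    except OSError:
        return (header + b"\x00\x00\x00\x01" + userid + b"\x00"
                + host.encode("idna") + b"\x00")


def parse_request(data):
    """Decode a SOCKS4/4a request into a dict; raises ValueError on junk."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    cmd, port = struct.unpack("!BH", data[1:4])
    dstip = data[4:8]
    userid, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("truncated request: USERID not terminated")
    info = {
        "command": {CMD_CONNECT: "CONNECT", CMD_BIND: "BIND"}.get(cmd, cmd),
        "port": port,
        "userid": userid.decode("ascii", errors="replace"),
    }
    # SOCKS4a marker: DSTIP of the form 0.0.0.x with x != 0
    if dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0:
        hostname, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("truncated SOCKS4a request: hostname not terminated")
        info["host"] = hostname.decode("idna")
        info["resolved_by_proxy"] = True
    else:
        info["host"] = socket.inet_ntoa(dstip)
        info["resolved_by_proxy"] = False
    return info


def parse_reply(data):
    """Decode the 8-byte SOCKS4 reply: VN=0, CD, DSTPORT, DSTIP."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    code, port = struct.unpack("!BH", data[1:4])
    return {"granted": code == REPLY_GRANTED, "code": code,
            "port": port, "ip": socket.inet_ntoa(data[4:8])}


if __name__ == "__main__":
    # Constructed samples: an IP target (as in the socat line) and a hostname
    # target (what a SOCKS4a-aware client sends so Tor does the resolving).
    print(parse_request(build_connect("203.0.113.10", 80)))
    print(parse_request(build_connect("strategicsec.com", 443)))
    print(parse_reply(b"\x00\x5a\x00\x00\x00\x00\x00\x00"))
```

Note that the socat syntax in the lab (SOCKS4:) sends a plain SOCKS4 request with the IP already filled in, so the client, not Tor, has done any name resolution; the SOCKS4a form shown by the hostname case is what keeps resolution inside the proxy, which is also why the lab runs nmap with -n.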


