Friday, November 29, 2019

Run security audits on any website with Killshot

The KillShot tool can crawl a target web application and find its back-end web technology, identify the content management system (CMS) in use, and scan open ports for running services. With the help of other hacking tools such as WhatWeb, Dig, Fierce and CMS identifiers, Killshot can scan and gather information about any website. The use of Killshot, together with the other tools mentioned above, is one of the topics covered in the ethical hacking course of the International Institute of Cyber Security (IICS).




Installation
  • This tool was tested on Kali Linux 2018.2
  • Open a terminal and type git clone https://github.com/bahaabdelwahed/killshot
  • Once it has downloaded, type cd killshot
  • Then type ruby setup.rb (if the setup shows any errors, try installing the tools manually)
  • Some permission prompts will take a while; always answer YES and continue with the installation. To run the tool, type ruby killshot.rb
  • Then type help
Usage
  • We are using www.hackthissite.org as the target website
  • After the help option, choose site and enter the target
root@kali:~/killshot# ruby Killshot.rb
 ██╗  ██╗██╗██╗     ██╗         ███████╗██╗  ██╗ ██████╗ ████████╗
 ██║ ██╔╝██║██║     ██║         ██╔════╝██║  ██║██╔═══██╗╚══██╔══╝
 █████╔╝ ██║██║     ██║         ███████╗███████║██║   ██║   ██║
 ██╔═██╗ ██║██║     ██║         ╚════██║██╔══██║██║   ██║   ██║
 ██║  ██╗██║███████╗███████╗    ███████║██║  ██║╚██████╔╝   ██║
 ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝    ╚══════╝╚═╝  ╚═╝ ╚═════╝    ╚═╝
                                <Track my Target>       Gather information                                                            About Targets
 track>>> : help
 [site] MAKE YOUR TARGET
 [help] show this MESSAGE
 [targ] Search targets
 [exit] exit the script
 [uptd] Update KillShot
 [anon] Run Anonymous Mode
 [info] About killShot
 track>>> :
  • Then enter the website you want to scan. We are using www.hackthissite.org
  • Type www.hackthissite.org and press Enter

       .n                   .                 .                  n.
  .   .dP                  dP                   9b                 9b.    .
 4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP
 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
  `9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
    `9XXXXXXXXXXXP' `9XX'   Hide    `98v8P'  Hack   `XXP' `9XXXXXXXXXXXP'
        ~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
                        )b.  .dbo.dP'`v'`9b.odb.  .dX
{0} Spider
 {1} Web technologie
 {2} WebApp Vul Scanner
 {3} Port Scanner
 {4} CMS Scanner
 {5} Fuzzers
 {6} Cms Exploit Scanner
 {7} Backdoor Generation
 {8} Linux Log Clear
 {9} Find MX/NS
 info>>> :
  • It will now show multiple options; you can use any of them
  • Here we are using 0 Spider
info>>> : 0
  ip For www.hackthissite.org :: "137.74.187.104"
 Links And Paths  ::
 Related domains and Parameters ::
 https://www.hackthissite.org
 irc://irc.hackthissite.org:+7000/
 https://www.hackthissite.org/forums
 https://www.cafepress.com/htsstore
 https://hts.io
 https://twitter.com/hackthissite
 /
 https://www.hackthissite.org/TNG355Q5B85cL3PDeI88H0dLCRYaA776flCTc4MX0u136lQ4hP94cZSnOFheqEU9zT8k6WDlcG17HglFDUi0Tg7kH42bzckCR4Q2ZQ
 https://www.hackthissite.org/advertise/
 /user/login
 /register
 /user/resetpass
 https://www.hackthissite.org/donate/
 /missions/basic/
 /missions/realistic/
 /missions/application/
 /missions/programming/
 /missions/phonephreaking/
 /missions/javascript/
 /missions/forensic/
 /missions/playit/extbasic/0/
 /missions/playit/stego/0/
 irc://irc.hackthissite.org/htb
 /blogs
 /news
 /pages/articles/article.php
 /lectures
 /pages/programs/programs.php
 http://mirror.hackthissite.org/hackthiszine/
  • This output shows the crawled pages of the target domain. It also revealed the target's user login and registration pages
  • Next we use option (1) web technologie. This option scans the website using WhatWeb information and Dig, attempts a DNS zone transfer and brute force, prints the traceroute result, and performs firewall and IDS detection
info>>> : 1
  [+]Basic WhatWeb Information  ::
  terminated with exception (report_on_exception is true):
 Traceback (most recent call last):
         2542: from /usr/bin/whatweb:981:in `block (2 levels) in <main>'
         2541: from /usr/bin/whatweb:981:in `loop'
         2540: from /usr/bin/whatweb:988:in `block (3 levels) in <main>'
         2539: from /usr/share/whatweb/lib/target.rb:96:in `open'
         2538: from /usr/share/whatweb/lib/target.rb:188:in `open_url'
         2537: from /usr/lib/ruby/2.5.0/net/http.rb:1455:in `request'
         2536: from /usr/lib/ruby/2.5.0/net/http.rb:909:in `start'
         2535: from /usr/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
          ... 2530 levels...
            4: from /usr/lib/ruby/2.5.0/resolv.rb:524:in `block in fetch_resource'
            3: from /usr/lib/ruby/2.5.0/resolv.rb:769:in `sender'
            2: from /usr/lib/ruby/2.5.0/resolv.rb:629:in `allocate_request_id'
            1: from /usr/lib/ruby/2.5.0/resolv.rb:629:in `synchronize'
 /usr/lib/ruby/2.5.0/resolv.rb:630:in `block in allocate_request_id': stack level too deep (SystemStackError)
 Traceback (most recent call last):
         2542: from /usr/bin/whatweb:981:in `block (2 levels) in <main>'
.-------------------------SNIP---------------------------------------------
         2541: from /usr/bin/whatweb:981:in `loop'
         2540: from /usr/bin/whatweb:988:in `block (3 levels) in <main>'
         2539: from /usr/share/whatweb/lib/target.rb:96:in `open'
         2538: from /usr/share/whatweb/lib/target.rb:188:in `open_url'
         2537: from /usr/lib/ruby/2.5.0/net/http.rb:1455:in `request'
         2536: from /usr/lib/ruby/2.5.0/net/http.rb:909:in `start'
         2535: from /usr/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
          ... 2530 levels...
            4: from /usr/lib/ruby/2.5.0/resolv.rb:524:in `block in fetch_resource'
            3: from /usr/lib/ruby/2.5.0/resolv.rb:769:in `sender'
            2: from /usr/lib/ruby/2.5.0/resolv.rb:629:in `allocate_request_id'
            1: from /usr/lib/ruby/2.5.0/resolv.rb:629:in `synchronize'
 /usr/lib/ruby/2.5.0/resolv.rb:630:in `block in allocate_request_id': stack level too deep (SystemStackError)
  [+]Host Result ::
 www.hackthissite.org has address 137.74.187.100
 www.hackthissite.org has address 137.74.187.103
 www.hackthissite.org has address 137.74.187.104
 www.hackthissite.org has address 137.74.187.102
 www.hackthissite.org has address 137.74.187.101
 www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:102
 www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:103
 www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:101
 www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:104
 www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:100
  [+]Dig Result About Dns::
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7021
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
 ;8.8.8.8.                       IN      A
 ;; AUTHORITY SECTION:
 .                       6767    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019050800 1800 900 604800 86400
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5506
 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
 ;www.hackthissite.org.          IN      A
 ;; ANSWER SECTION:
 www.hackthissite.org.   2440    IN      A       137.74.187.100
 www.hackthissite.org.   2440    IN      A       137.74.187.103
 www.hackthissite.org.   2440    IN      A       137.74.187.104
 www.hackthissite.org.   2440    IN      A       137.74.187.102
 www.hackthissite.org.   2440    IN      A       137.74.187.101
  [+]Trying zone transfer and Brute force ::
 Option w is ambiguous (wide, wordlist)
 Trying zone transfer first…
 Unsuccessful in zone transfer (it was worth a shot)
 Okay, trying the good old fashioned way… brute force
 Checking for wildcard DNS…
 Nope. Good.
 Now performing 2280 test(s)…
 Subnets found (may want to probe here using nmap or unicornscan):
 Done with Fierce scan: http://ha.ckers.org/fierce/
 Found 0 entries.
 Have a nice day.
  • This output shows the basic information about a website. Its scan detects applications, web servers and other technologies. It also scans the web server's HTTP headers and the target's HTML source.
  • Host result: shows the IP address of the website's host and also resolves the website's IPv4 and IPv6 addresses.
  • It also checks for a firewall and IDS on the target (No WAF detected by the generic detection) means there is NO WAF (Web Application Firewall). The dig tool is used to query DNS name servers for information such as host addresses, mail servers, name servers and related data. The target's A records are also found
NOTE: TO SEE ALL THE OPTIONS YOU DO NOT NEED TO SCROLL; JUST TYPE BANNER AND ALL THE OPTIONS WILL BE DISPLAYED
  • Now we will use option {3} Port Scanner, which scans all of the target's ports using two tools: nmap and unicornscan
Scanning with Nmap
  • Choose either of them
 [0] Nmap Scan
 [1] Unicorn Scan
 Scanner >>0
  • Type 0
 [0] Nmap Scan
 [1] Unicorn Scan
 Scanner >>0
 [2] Nmap Os Scan
 [3] Nmap TCP Scan
 [4] Nmap UDB Scan
 [5] Nmap All scan
 [6] Nmap Http Option Scan
 [7] Nmap Live target In Network
 Scanner >>
  • It will show all the Nmap options
 [0] Nmap Scan
 [1] Unicorn Scan
 Scanner >>0
 [2] Nmap Os Scan
 [3] Nmap TCP Scan
 [4] Nmap UDB Scan
 [5] Nmap All scan
 [6] Nmap Http Option Scan
 [7] Nmap Live target In Network
 Scanner >>5
 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-09 05:59 EDT
 Nmap scan report for www.acunetix.com (54.208.84.166)
 Host is up (0.24s latency).
 rDNS record for 54.208.84.166: ec2-54-208-84-166.compute-1.amazonaws.com
 Not shown: 998 filtered ports
 PORT    STATE SERVICE  VERSION
 80/tcp  open  http     nginx
 |_http-server-header: acunetix.com
 |_http-title: Did not follow redirect to https://acunetix.com/
 443/tcp open  ssl/http nginx
 | http-robots.txt: 3 disallowed entries
 |_/dontVisitMe/ /blog/worldsecuritynews/* /
 |_http-server-header: acunetix.com
 |_http-title: 400 The plain HTTP request was sent to HTTPS port
 | ssl-cert: Subject: commonName=*.acunetix.com/organizationName=Acunetix Ltd/stateOrProvinceName=ST. JULIANS/countryName=MT
 | Subject Alternative Name: DNS:*.acunetix.com, DNS:acunetix.com
 | Not valid before: 2018-10-24T00:00:00
 |_Not valid after:  2020-11-18T12:00:00
 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
 Device type: media device|specialized|general purpose
 Running: Crestron embedded, Wago Kontakttechnik embedded, Linux 2.4.X
 OS CPE: cpe:/h:crestron:mpc-m5 cpe:/h:wago_kontakttechnik:750-852 cpe:/o:linux:linux_kernel:2.4.26
 OS details: Crestron MPC-M5 AV controller or Wago Kontakttechnik 750-852 PLC, Linux 2.4.26 (Slackware 10.0.0)
 TRACEROUTE (using port 80/tcp)
 HOP RTT     ADDRESS
 1   …
 2   4.06 ms 115.97.136.1
 3   … 30
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 58.15 seconds
  • Nmap TCP Scan shows the target's open and closed TCP ports. This is one of the most relevant topics in the IICS ethical hacking course
Scanning with Unicornscan
  • Now we will look at the Unicornscan tool. Follow all the steps to reach the port scan option, then select 1
 [0] Nmap Scan
 [1] Unicorn Scan
 Scanner >>1
 [8] Services OS
 [9] TCP SYN Scan on a whole network
 [01] UDP scan on the whole network
 Scanner >>
  • The available scan types will be displayed
  • Let's select [9] TCP SYN Scan on a whole network; it will ask for the router IP address, 192.168.1.1
 [0] Nmap Scan
 [1] Unicorn Scan
 Scanner >>1
 [8] Services OS
 [9] TCP SYN Scan on a whole network
 [01] UDP scan on the whole network
 Scanner >>9
 Your Router Ip : 192.168.1.1
  • Let the scan continue
 [0] Nmap Scan
 [1] Unicorn Scan
 Scanner >>1
 [8] Services OS
 [9] TCP SYN Scan on a whole network
 [01] UDP scan on the whole network
 Scanner >>9
 Your Router Ip : 192.168.1.1
 adding 192.168.1.0/24 mode `TCPscan' ports `7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
 using interface(s) eth0
----------------------------------SNIP-------------------------------------
 scaning 2.56e+02 total hosts with 8.65e+04 total packets, should take a little longer than 4 Minutes, 55 Seconds
 connected 192.168.1.12:34682 -> 192.168.1.10:139
 TCP open 192.168.1.10:139  ttl 128
 connected 192.168.1.12:19928 -> 192.168.1.5:139
 TCP open 192.168.1.5:139  ttl 128
 connected 192.168.1.12:57128 -> 192.168.1.3:139
 TCP open 192.168.1.3:139  ttl 128
 connected 192.168.1.12:40890 -> 192.168.1.4:139
 TCP open 192.168.1.4:139  ttl 128
 connected 192.168.1.12:63984 -> 192.168.1.3:3389
 TCP open 192.168.1.3:3389  ttl 128
 connected 192.168.1.12:4474 -> 192.168.1.1:23
 TCP open 192.168.1.1:23  ttl 64
 connected 192.168.1.12:19804 -> 192.168.1.5:445
 TCP open 192.168.1.5:445  ttl 128
 connected 192.168.1.12:17218 -> 192.168.1.10:445
 TCP open 192.168.1.10:445  ttl 128
 connected 192.168.1.12:16075 -> 192.168.1.4:445
 TCP open 192.168.1.4:445  ttl 128
 connected 192.168.1.12:35635 -> 192.168.1.3:445
 TCP open 192.168.1.3:445  ttl 128
 connected 192.168.1.12:59512 -> 192.168.1.1:53
 TCP open 192.168.1.1:53  ttl 64
 connected 192.168.1.12:17273 -> 192.168.1.1:80
 TCP open 192.168.1.1:80  ttl 64
 connected 192.168.1.12:17994 -> 192.168.1.3:554
 TCP open 192.168.1.3:554  ttl 128
 connected 192.168.1.12:10098 -> 192.168.1.4:554
 TCP open 192.168.1.4:554  ttl 128
 connected 192.168.1.12:5254 -> 192.168.1.10:135
 TCP open 192.168.1.10:135  ttl 128
 connected 192.168.1.12:10011 -> 192.168.1.3:135
 TCP open 192.168.1.3:135  ttl 128
 connected 192.168.1.12:19956 -> 192.168.1.4:135
 TCP open 192.168.1.4:135  ttl 128
 connected 192.168.1.12:21180 -> 192.168.1.5:135
 TCP open 192.168.1.5:135  ttl 128
 connected 192.168.1.12:14926 -> 192.168.1.1:443
 TCP open 192.168.1.1:443  ttl 64
 connected 192.168.1.12:17101 -> 192.168.1.10:443
 TCP open 192.168.1.10:443  ttl 128
 connected 192.168.1.12:6074 -> 192.168.1.3:443
 TCP open 192.168.1.3:443  ttl 128
 connected 192.168.1.12:51922 -> 192.168.1.4:443
 TCP open 192.168.1.4:443  ttl 128
 connected 192.168.1.12:13164 -> 192.168.1.6:22
 TCP open 192.168.1.6:22  ttl 64
 sender statistics 177.8 pps with 86528 packets sent total
 listener statistics 2894 packets recieved 0 packets droped and 0 interface drops
 TCP open                  telnet[   23]         from 192.168.1.1  ttl 64
 TCP open                  domain[   53]         from 192.168.1.1  ttl 64
 TCP open                    http[   80]         from 192.168.1.1  ttl 64
 TCP open                   https[  443]         from 192.168.1.1  ttl 64
 TCP open                   epmap[  135]         from 192.168.1.3  ttl 128
 TCP open             netbios-ssn[  139]         from 192.168.1.3  ttl 128
 TCP open                   https[  443]         from 192.168.1.3  ttl 128
 TCP open            microsoft-ds[  445]         from 192.168.1.3  ttl 128
 TCP open                    rtsp[  554]         from 192.168.1.3  ttl 128
 TCP open           ms-wbt-server[ 3389]         from 192.168.1.3  ttl 128
 TCP open                   epmap[  135]         from 192.168.1.4  ttl 128
 TCP open             netbios-ssn[  139]         from 192.168.1.4  ttl 128
 TCP open                   https[  443]         from 192.168.1.4  ttl 128
 TCP open            microsoft-ds[  445]         from 192.168.1.4  ttl 128
 TCP open                    rtsp[  554]         from 192.168.1.4  ttl 128
 TCP open                   epmap[  135]         from 192.168.1.5  ttl 128
 TCP open             netbios-ssn[  139]         from 192.168.1.5  ttl 128
 TCP open            microsoft-ds[  445]         from 192.168.1.5  ttl 128
 TCP open                     ssh[   22]         from 192.168.1.6  ttl 64
 TCP open                   epmap[  135]         from 192.168.1.10  ttl 128
 TCP open             netbios-ssn[  139]         from 192.168.1.10  ttl 128
 TCP open                   https[  443]         from 192.168.1.10  ttl 128
 TCP open            microsoft-ds[  445]         from 192.168.1.10  ttl 128
  • All open TCP ports on the target will be scanned
connected 192.168.1.12:34682 -> 192.168.1.10:139
 TCP open 192.168.1.10:139  ttl 128
  • It also scans the open TCP ports and shows the services together with their ports
  • Sender statistics: 177.8 pps with 86528 packets sent in total
  • The scan uses your local network card, as shown below
using interface(s) eth0
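The unicornscan output above is easier to act on when the two kinds of lines it prints, the live `TCP open host:port ttl N` lines and the `service[ port ] from host ttl N` summary, are folded into one per-host inventory. The Ruby script below does that as an added example (it is not part of KillShot or of the original post): it uses the observed TTL as a rough OS hint, as the 64 vs 128 values in the scan suggest, and flags services a defender would review on an internal network. The sample lines and the review list are constructed for this example.

```ruby
# Added example, not KillShot code: turn unicornscan output into a per-host
# inventory and flag exposures worth reviewing. Sample lines are constructed.

# Summary line:  TCP open   ms-wbt-server[ 3389]   from 192.168.1.3  ttl 128
SUMMARY_RE = /\ATCP open\s+(?<service>\S+)\[\s*(?<port>\d+)\]\s+from\s+(?<host>[\d.]+)\s+ttl\s+(?<ttl>\d+)/
# Live line:     TCP open 192.168.1.3:3389  ttl 128
LIVE_RE = /\ATCP open\s+(?<host>[\d.]+):(?<port>\d+)\s+ttl\s+(?<ttl>\d+)/

# Ports whose exposure on a LAN a defender should review (constructed list).
REVIEW = {
  23   => 'telnet: plaintext administration',
  445  => 'SMB exposed to the LAN',
  3389 => 'RDP exposed to the LAN'
}.freeze

# Parse output into { host => { port => { service:, ttl: } } }.
# Live lines create the entry; summary lines fill in the service name.
def parse_unicornscan(text)
  inventory = Hash.new { |h, k| h[k] = {} }
  text.each_line do |raw|
    m = SUMMARY_RE.match(raw.strip) || LIVE_RE.match(raw.strip)
    next unless m
    entry = inventory[m[:host]][m[:port].to_i] ||= { service: nil, ttl: m[:ttl].to_i }
    entry[:service] ||= m[:service] if m.names.include?('service')
  end
  inventory
end

# Rough OS hint from the observed TTL: LAN hosts are one hop away, so the
# value is the initial TTL; 128 points at Windows, 64 at Linux/BSD or embedded.
def ttl_hint(ttl)
  return 'windows-like (initial ttl 128)' if ttl > 64 && ttl <= 128
  return 'unix-like (initial ttl 64)' if ttl > 32 && ttl <= 64
  'unknown'
end

# Sorted "host:port reason" strings for every inventoried port listed in REVIEW.
def findings(inventory)
  inventory.flat_map do |host, ports|
    ports.keys.select { |p| REVIEW.key?(p) }.map { |p| "#{host}:#{p} #{REVIEW[p]}" }
  end.sort
end

SAMPLE = <<~OUT
  connected 192.168.1.12:63984 -> 192.168.1.3:3389
  TCP open 192.168.1.3:3389  ttl 128
  sender statistics 177.8 pps with 86528 packets sent total
  TCP open                  telnet[   23]         from 192.168.1.1  ttl 64
  TCP open           ms-wbt-server[ 3389]         from 192.168.1.3  ttl 128
  TCP open            microsoft-ds[  445]         from 192.168.1.3  ttl 128
  TCP open                     ssh[   22]         from 192.168.1.6  ttl 64
OUT

if __FILE__ == $PROGRAM_NAME
  inv = parse_unicornscan(SAMPLE)
  inv.sort.each do |host, ports|
    ports.sort.each { |port, e| puts "#{host}:#{port} #{e[:service] || '?'} #{ttl_hint(e[:ttl])}" }
  end
  findings(inv).each { |f| puts "REVIEW #{f}" }
end
```

Feed it the real scan by replacing SAMPLE with the saved unicornscan output; lines that match neither pattern (statistics, "connected" lines, the port list) are ignored.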
