Information Gathering
www.is2c-dojo.net
To find the IP address of the website above, first of all I pinged the web address; the result is shown in the image above. From it we can see the IP address 67.222.154.106, which is the address of the website www.is2c-dojo.net.
After getting the IP address, I used the information gathering tools available on BackTrack. The tool I used was Zenmap, and this is the result of the scan:
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-25 22:36 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 22:36
Scanning 67.222.154.106 [4 ports]
Completed Ping Scan at 22:36, 0.63s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:36
Completed Parallel DNS resolution of 1 host. at 22:36, 0.93s elapsed
Initiating SYN Stealth Scan at 22:36
Scanning gudeg.partnerit.us (67.222.154.106) [1000 ports]
Discovered open port 21/tcp on 67.222.154.106
Discovered open port 995/tcp on 67.222.154.106
Discovered open port 110/tcp on 67.222.154.106
Discovered open port 53/tcp on 67.222.154.106
Discovered open port 80/tcp on 67.222.154.106
Discovered open port 143/tcp on 67.222.154.106
Discovered open port 993/tcp on 67.222.154.106
Discovered open port 443/tcp on 67.222.154.106
Discovered open port 465/tcp on 67.222.154.106
Completed SYN Stealth Scan at 22:37, 31.11s elapsed (1000 total ports)
Initiating Service scan at 22:37
Scanning 9 services on gudeg.partnerit.us (67.222.154.106)
Completed Service scan at 22:37, 8.39s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against gudeg.partnerit.us (67.222.154.106)
Retrying OS detection (try #2) against gudeg.partnerit.us (67.222.154.106)
Initiating Traceroute at 22:37
Completed Traceroute at 22:37, 1.07s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:37
Completed Parallel DNS resolution of 2 hosts. at 22:37, 0.07s elapsed
NSE: Script scanning 67.222.154.106.
Initiating NSE at 22:37
Completed NSE at 22:39, 116.87s elapsed
Nmap scan report for gudeg.partnerit.us (67.222.154.106)
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp?
|_ftp-bounce: no banner
22/tcp   closed ssh
53/tcp   open   domain     Mikrotik RouterOS named or OpenDNS Updater
80/tcp   open   http-proxy Squid webproxy 2.7.STABLE3
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: GET HEAD
110/tcp  open   pop3?
143/tcp  open   imap?
| imap-capabilities:
|_  ERROR: Failed to connect to server
443/tcp  open   https?
|_ssl-cert: TIMEOUT
465/tcp  open   smtps?
|_smtp-commands: Couldn't establish connection on port 465
|_ssl-cert: TIMEOUT
587/tcp  closed submission
993/tcp  open   imaps?
|_ssl-cert: TIMEOUT
995/tcp  open   pop3s?
|_ssl-cert: TIMEOUT
3000/tcp closed ppp
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   52.38 ms 192.168.100.254
2   50.80 ms gudeg.partnerit.us (67.222.154.106)

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 180.93 seconds
           Raw packets sent: 2172 (101.432KB) | Rcvd: 49 (2.190KB)
From the output above we can see that many ports are open; each of them could be a separate gap for getting into the website.
Another tool I used is whatweb, and this is the result of its information gathering; from it we can see information including:
http://is2c-dojo.net [301] Title[301 Moved], RedirectLocation[http://www.is2c-dojo.net/], Country[UNITED STATES][US], IP[216.239.36.21], X-Cache[cache.platinum.net,cache.platinum.net:6538], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block], UncommonHeaders[x-xss-protection,x-frame-options], HTTPServer[ghs]
http://www.is2c-dojo.net/ [200] Title[IS2C Official's Site], PoweredBy[%5C74a], Frame, OpenID, Country[UNITED STATES][US], IP[209.85.175.121], X-Cache[cache.platinum.net,cache.platinum.net:6538], JQuery, Blogger, MetaGenerator[blogger], X-XSS-Protection[1; mode=block], UncommonHeaders[x-content-type-options,x-xss-protection], HTTPServer[GSE]
Information Gathering with http://www.is2c-dojo.com/
The steps I will take are almost the same as above. First, to find out the IP address I pinged the web address, and I got the same IP address as the previous website, namely 67.222.154.106.
After finding out the IP address, I ran a scan using Zenmap; the result is the same as the scan of http://www.is2c-dojo.com.
To find the IP address of the website above, I pinged the web address, and the IP address I got is 74.81.66.104.
After the ping I started a scan using Zenmap, and these are my results:
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-25 23:23 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 23:23
Scanning 74.81.66.104 [4 ports]
Completed Ping Scan at 23:23, 1.60s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:23
Completed Parallel DNS resolution of 1 host. at 23:23, 3.16s elapsed
Initiating SYN Stealth Scan at 23:23
Scanning server28.web-hosting.com (74.81.66.104) [1000 ports]
Discovered open port 443/tcp on 74.81.66.104
Discovered open port 80/tcp on 74.81.66.104
Discovered open port 53/tcp on 74.81.66.104
Discovered open port 993/tcp on 74.81.66.104
Discovered open port 21/tcp on 74.81.66.104
Discovered open port 143/tcp on 74.81.66.104
Discovered open port 110/tcp on 74.81.66.104
Discovered open port 995/tcp on 74.81.66.104
SYN Stealth Scan Timing: About 34.20% done; ETC: 23:25 (0:01:00 remaining)
Completed SYN Stealth Scan at 23:24, 69.00s elapsed (1000 total ports)
Initiating Service scan at 23:24
Scanning 8 services on server28.web-hosting.com (74.81.66.104)
Completed Service scan at 23:24, 9.53s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against server28.web-hosting.com (74.81.66.104)
Retrying OS detection (try #2) against server28.web-hosting.com (74.81.66.104)
Initiating Traceroute at 23:25
Completed Traceroute at 23:25, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 23:25
Completed Parallel DNS resolution of 2 hosts. at 23:25, 0.12s elapsed
NSE: Script scanning 74.81.66.104.
Initiating NSE at 23:25
Completed NSE at 23:27, 159.48s elapsed
Nmap scan report for server28.web-hosting.com (74.81.66.104)
Host is up (0.59s latency).
Not shown: 991 filtered ports
PORT    STATE  SERVICE    VERSION
21/tcp  open   ftp?
|_ftp-bounce: no banner
53/tcp  open   domain     Mikrotik RouterOS named or OpenDNS Updater
80/tcp  open   http-proxy Squid webproxy 2.7.STABLE3
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: GET HEAD
110/tcp open   pop3?
143/tcp open   imap?
| imap-capabilities:
|_  ERROR: Failed to connect to server
443/tcp open   https?
|_ssl-cert: TIMEOUT
587/tcp closed submission
993/tcp open   imaps?
|_ssl-cert: TIMEOUT
995/tcp open   pop3s?
|_ssl-cert: TIMEOUT
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   129.80 ms 192.168.100.254
2   128.49 ms server28.web-hosting.com (74.81.66.104)

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 267.11 seconds
           Raw packets sent: 3193 (146.296KB) | Rcvd: 86 (4.683KB)
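As an added example (not part of the original post or of Nmap), here is a small Python parser for the Nmap report format produced by the Zenmap scans on this page; it embeds a constructed excerpt of the server28.web-hosting.com report above and flags what an administrator reviewing such a scan would check first: the "Potentially OPEN proxy" note on the Squid port, services Nmap could only guess from the port number (the trailing "?"), and ssl-cert checks that timed out. The function names parse_report and triage are my own.

```python
import re
# Constructed sample: an excerpt of the Nmap report for server28.web-hosting.com
# shown on this page, embedded so the parser runs offline (not a live scan).
SAMPLE_REPORT = """\
Nmap scan report for server28.web-hosting.com (74.81.66.104)
Host is up (0.59s latency).
Not shown: 991 filtered ports
PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp?
|_ftp-bounce: no banner
53/tcp   open   domain     Mikrotik RouterOS named or OpenDNS Updater
80/tcp   open   http-proxy Squid webproxy 2.7.STABLE3
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: GET HEAD
443/tcp  open   https?
|_ssl-cert: TIMEOUT
587/tcp  closed submission
"""

# One Nmap port line: "<port>/<proto> <state> <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_report(text):
    """Return one dict per port line, with the NSE script lines that follow it attached."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": service.rstrip("?"), "version": version.strip(),
                             # a trailing '?' means Nmap guessed the service from the port number only
                             "unverified": service.endswith("?"), "scripts": []})
        elif line.startswith("|") and services:
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services

def triage(services):
    """Flag what an administrator should look at first, as (port, tag, note) tuples."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        if any("OPEN proxy" in line for line in s["scripts"]):
            findings.append((s["port"], "open-proxy", "Squid answers proxy requests from outside; lock down its access rules"))
        if s["unverified"]:
            findings.append((s["port"], "unidentified", f"{s['service']} not confirmed by the version probe; verify by hand"))
        if any(line.endswith("TIMEOUT") for line in s["scripts"]):
            findings.append((s["port"], "tls-unchecked", "ssl-cert script timed out; certificate was not inspected"))
    return sorted(findings)
```

Calling triage(parse_report(SAMPLE_REPORT)) on the excerpt yields four findings: ports 21 and 443 unidentified, port 80 open-proxy, and port 443 tls-unchecked.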
After scanning with Zenmap, I then ran a scan with whatweb and got:
root@bt:/pentest/enumeration/web/whatweb# ./whatweb -v spentera.com
http://spentera.com/ [301]
http://spentera.com [301] RedirectLocation[http://www.spentera.com/], x-pingback[http://www.spentera.com/xmlrpc.php], Country[UNITED STATES][US], PHP[5.3.8], IP[74.81.66.104], Cookies[PHPSESSID], Apache, X-Powered-By[PHP/5.3.8], UncommonHeaders[x-pingback], HTTPServer[Apache]
URL    : http://spentera.com
Status : 301

Apache ---------------------------------------------------------------------
    Description: The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. - homepage: http://httpd.apache.org/

Cookies --------------------------------------------------------------------
    Description: Display the names of cookies in the HTTP headers. The values are not returned to save on space.
    String     : PHPSESSID

Country --------------------------------------------------------------------
    Description: GeoIP IP2Country lookup. To refresh DB, replace IpToCountry.csv and remove country-ips.dat. GeoIP database from http://software77.net/geo-ip/. Local IPv4 addresses are represented as ZZ according to an ISO convention. Lookup code developed by Matthias Wachter for rubyquiz.com and used with permission.
    String     : UNITED STATES
    Module     : US

HTTPServer -----------------------------------------------------------------
    Description: HTTP server header string. This plugin also attempts to identify the operating system from the server header.
    String     : Apache (from server string)

IP -------------------------------------------------------------------------
    Description: IP address of the target, if available.
    String     : 74.81.66.104

PHP ------------------------------------------------------------------------
    Description: PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. This plugin identifies PHP errors, modules and versions and extracts the local file path and username if present. - Homepage: http://www.php.net/
    Version    : 5.3.8

RedirectLocation -----------------------------------------------------------
    Description: HTTP Server string location. used with http-status 301 and 302
    String     : http://www.spentera.com/ (from location)

UncommonHeaders ------------------------------------------------------------
    Description: Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com
    String     : x-pingback (from headers)

X-Powered-By ---------------------------------------------------------------
    Description: X-Powered-By HTTP header
    String     : PHP/5.3.8 (from x-powered-by string)

x-pingback -----------------------------------------------------------------
    Description: A pingback is one of three types of linkbacks, methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Some weblog software, such as Movable Type, Serendipity, WordPress and Telligent Community, support automatic pingbacks