Site Updates – HackerTarget.com
https://hackertarget.com
Security Vulnerability Scanners and Assessments
Thu, 09 Mar 2023 22:54:47 +0000

DNS Tools
https://hackertarget.com/dns-tools/
Mon, 07 Dec 2020 05:55:14 +0000

DNS Enumeration

Searching for DNS records and DNS-related information is an important part of reconnaissance for a penetration tester. Obtaining information on DNS servers and DNS records gives the Pen Tester/Red Team/Attacker a deeper understanding of the organisation's network.

With DNS, it is not a 'one tool fits all' situation. You will need to use a variety of tools to gather the information. Hacker Target has a number of DNS-related tools that gather different information. By combining these tools it should be possible to get a very good indication of where an organisation's Internet systems are located, both by IP address and by physical location if used in conjunction with a GeoIP lookup.

DNS Lookup
The DNS Lookup tool does not scan the zone file or search for subdomains. It simply performs a DNS lookup for the record types A, AAAA, MX, NS, CNAME, TXT, PTR and SOA against the target domain. The results only show successful responses for each DNS query type.

DNS Lookup using example.com

A : 93.184.216.34
AAAA : 2606:2800:220:1:248:1893:25c8:1946
MX : 0 .
NS : a.iana-servers.net.
NS : b.iana-servers.net.
TXT : "v=spf1 -all"
TXT : "8j5nfqld20zpcyr8xjw0ydcfq9rk8hgm"
SOA : ns.icann.org. noc.dns.icann.org. 2020111712 7200 3600 1209600 3600
Find Subdomains / Host Records and Reverse DNS / PTR record
Subdomains from certificate transparency

In order to find host records for a domain (subdomains), we have DNS data sets compiled from various sources on the Internet. These searches are not performed live, as the DNS records are stored in our database.

Search for all known hosts of a domain in either the Host Search (A records) or the Reverse DNS search (PTR records). Alternatively, use the Reverse DNS Lookup tool to perform a live reverse DNS lookup on a range of IP addresses.

DNS Host Search:

example.com,93.184.216.34
www.example.com,93.184.216.34
Reverse DNS Search:

server1.example.com,103.16.140.120
server1.example.com,103.18.108.35
dns1.example.com,103.193.36.10
dns2.example.com,103.193.36.20
dns1.example.com,103.196.157.10
dns2.example.com,103.196.157.20
dns1.example.com,103.198.83.10
dns2.example.com,103.198.83.20
vps63.example.com,103.6.85.104
Zone Transfer
The Zone Transfer tool attempts to perform a zone transfer against the DNS servers for a particular domain. It sends an AXFR query in an attempt to get a copy of the zone. For 99% of servers this will fail, as it is a security risk to have zone transfers enabled from the Internet.

Zone transfer results using example.com:

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @a.iana-servers.net example.com
; (2 servers found)
;; global options: +cmd
; Transfer failed.


; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @b.iana-servers.net example.com
; (2 servers found)
;; global options: +cmd
; Transfer failed.
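As an added example (not HackerTarget's own tool code), the following stdlib-only Python builds the same AXFR request the Zone Transfer tool sends and reports whether a name server hands over the zone, so you can confirm that your own servers refuse it; the record-type table also covers the types the DNS Lookup tool queries. The server and zone names in the usage line are the page's example values.

```python
"""Check whether a name server answers an AXFR (zone transfer) request.
Added example, not HackerTarget's tool code; stdlib only."""
import socket
import struct

# RR type codes (RFC 1035 / RFC 3596): the types the DNS Lookup tool queries,
# plus AXFR, which the Zone Transfer tool uses.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "TXT": 16, "AAAA": 28, "AXFR": 252}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode 'example.com' as DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """One-question standard query (RD bit set), class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)


def parse_header(msg):
    """Return (txid, rcode name, answer count) from a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, str(rcode)), an


def axfr_allowed(server, zone, timeout=5.0):
    """Send AXFR over TCP (2-byte length prefix, RFC 1035 4.2.2) and report
    whether the server returned zone records. A well-run server answers
    REFUSED, which dig reports as '; Transfer failed.'"""
    query = build_query(zone, "AXFR")
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        prefix = sock.recv(2)
        if len(prefix) < 2:
            return False           # connection closed without an answer
        (length,) = struct.unpack(">H", prefix)
        data = b""
        while len(data) < length:  # read the first message in full
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    _txid, rcode, answers = parse_header(data)
    return rcode == "NOERROR" and answers > 0


if __name__ == "__main__":
    # The page's example zone and its two authoritative name servers.
    for ns in ("a.iana-servers.net", "b.iana-servers.net"):
        print(ns, "AXFR allowed:", axfr_allowed(ns, "example.com"))
```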
Find Shared NS Servers
Find hosts sharing the same name servers. This can be used to identify all domains within an organisation, allowing rapid expansion of the attack surface. In the example below, we see the discovery of related domains within the same organisation (different top level domains (TLDs) and root domains).

Using ns1.example.com

example.com
example.co.uk
examplenetwork.ca

Wrapping up

The above information is a summary of what each of the services can do. Check out the individual tool pages for full details, including information on the API, membership quotas, and more detailed information.

Below is a flowchart of the network discovery process. Notice its cyclic behaviour and the areas where these DNS tools will iteratively expand the attack surface.

Overview of the Network Discovery Process

flowchart of domain reconnaissance

SPF Checked – a look at the Sender Policy Framework
https://hackertarget.com/spf-checked/
Tue, 21 May 2013 12:55:20 +0000

Heard of SPF but not sure how to pass an SPF check? Let's get back to basics and have a quick look at the SPF DNS record that can make your email delivery more reliable and less likely to hit the spam folder.

An SPF record is a DNS TXT record that contains the IP addresses of the servers that are permitted to send email for a domain. My domain hackertarget.com wants to send email to people all around the world when they sign up for services. By setting the SPF record I have indicated that only my servers and Google servers are allowed to send email on my behalf.

Google mail servers are included in my SPF record as I use Google Apps as the email client for support operations.

Let's take a look using the DNS lookup tool dig. On Windows you could use the nslookup tool; just remember to set the type to TXT.

dig -t txt hackertarget.com

; <<>> DiG 9.9.2-P1 <<>> -t txt hackertarget.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26126
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hackertarget.com.		IN	TXT

;; ANSWER SECTION:
hackertarget.com.	3593	IN	TXT	"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all"

;; Query time: 150 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue May 21 22:06:31 2013
;; MSG SIZE  rcvd: 289

Ok, there is a bunch of info in the output; we are focusing on the TXT record in the ANSWER section. Here's a quick tip for dig users: add +short to clean up that output.

dig +short -t txt hackertarget.com
"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all"

The TXT record shows that _spf.google.com and my IPv4 and IPv6 addresses are the only ones allowed to send email that originates from @hackertarget.com addresses. Having ~all on the end of the record indicates that email from other servers should still be accepted, but it will be given a weighting that indicates it could be spoofed. The server accepting the email has to have SPF in place as part of its mail filtering, so the weighting could result in added points on a SpamAssassin server, as an example.

If you use Gmail, check the headers of any email arriving in Gmail and you will notice that Google is performing SPF checks on incoming email. It uses the SPF check as one part of its spam parsing algorithm.

What is the advantage of an SPF Check?

As I have mentioned, SPF checks can be used as a factor in assessing spam. A spammer will send thousands of messages with a forged SMTP header pretending to be a legitimate email account. With an SPF check, email from your domain sent by your servers is marked as legitimate, while the rest is either blocked or flagged as possibly suspicious.

It is a similar case for spear phishers, who can send a forged email pretending to be someone in your organisation to another person, with the aim of getting them to click on a malicious link or document. An SPF check will reduce the likelihood of the email reaching the victim's inbox.

Things to keep in mind when implementing SPF records

  • It is free to add it to your domain, simply add a TXT record to your DNS.
  • Having it is a good idea: your email will be more likely to be accepted by SPF-enabled email servers and not put in the spam folder. Both Microsoft and Google are using SPF as part of email delivery for Outlook.com and Gmail respectively.
  • There is a gotcha when it comes to email forwarding. If you forward email from external parties to another mail service (such as Gmail), the original sender information stays intact, but since your forwarding server is not in the SPF record of that external sender's domain, the destination server may give the forwarded message an SPF fail.
  • IPv6 - don't forget to add it to your SPF record if you have it enabled. While we have IPv6 up on HackerTarget.com for the web site, I discovered that email to Gmail was also going out via IPv6, hence the addition of our IPv6 address to the SPF TXT record.
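An added example (not HackerTarget's code) that evaluates the record shown above for a given sending IP, covering the ip4, ip6, include and all mechanisms with their qualifiers; the include target's record is a constructed stand-in, not Google's real _spf.google.com record. It also shows the forwarding gotcha from the list: a forwarding server whose IP is not in the record gets softfail.

```python
"""Evaluate an SPF record for a sending IP (RFC 7208 subset: ip4, ip6,
include and all). Added example, not HackerTarget's code; stdlib only."""
import ipaddress

# Constructed DNS stand-in: domain -> SPF TXT record. The first entry is the
# record from the post; the _spf.google.com entry is a MADE-UP stand-in using
# documentation ranges, NOT Google's real record.
SPF_TXT = {
    "hackertarget.com": "v=spf1 include:_spf.google.com ip4:178.79.163.23 "
                        "ip6:2a01:7e00::f03c:91ff:fe70:d437 ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_matches(ip, network_spec):
    """True if ip is inside the ip4:/ip6: argument; None if it is malformed."""
    try:
        net = ipaddress.ip_network(network_spec, strict=False)
    except ValueError:
        return None
    return ip.version == net.version and ip in net


def check_spf(domain, sender_ip, txt=SPF_TXT, _depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip.

    'none' means the domain publishes no SPF record. Includes are resolved
    through the txt mapping; more than 10 include lookups in one record (a
    simplified version of the RFC 7208 limit) is a permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    record = txt.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    lookups = 0
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _sep, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            hit = _ip_matches(ip, arg)
            if hit is None:
                return "permerror"
            if hit:
                return QUALIFIERS[qual]
        elif mech == "include":
            lookups += 1
            if lookups > 10 or _depth > 10:
                return "permerror"
            inner = check_spf(arg, sender_ip, txt, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the include: keep evaluating
        else:
            # a, mx, ptr, exists need live DNS and are not implemented here
            return "permerror"
    return "neutral"  # no 'all' term: the default result


if __name__ == "__main__":
    for sender in ("178.79.163.23", "2a01:7e00::f03c:91ff:fe70:d437",
                   "203.0.113.7", "198.51.100.9"):
        print(sender, "->", check_spf("hackertarget.com", sender))
```

The last sender in the usage loop is a constructed forwarding-server address: it is not listed in the record, so the destination server sees softfail even though the mail was forwarded in good faith.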

Get more information from the Sender Policy Framework Wikipedia page.

Nmap 6.00 added to online port scanning tool
https://hackertarget.com/nmap-6-00-added-to-online-port-scanning-tool/
Tue, 22 May 2012 22:36:33 +0000

We have completed testing and rolled out the latest Nmap release, version 6, to our online port scanner service.

At this stage we have enabled Nmap 6 on the immediate port scan page, but are still testing it for scheduled port scanning. This will be upgraded once testing has completed.

Congratulations to the Nmap development team and Fyodor. The new release has a large number of great features and a new wave of NSE scripts.

  • 289 new NSE scripts
  • New web scanning capabilities
  • Full IPv6 support
  • A new tool named Nping for packet generation and response analysis
  • More capable Zenmap GUI and results viewer
  • Faster scans

Here at HackerTarget.com we are quite happy with the speed improvements, as this will mean our users get the results faster, with a reduced load on our servers.

HTTP Header Security Analysis
https://hackertarget.com/http-header-security-analysis/
Tue, 22 May 2012 12:43:21 +0000

In our analysis of the technology used by the world's top websites, we queried the data on the usage of HTTP header security controls.
This is a breakdown of the HTTP header security features that have been developed by different organizations. These controls can utilize features in the web browser to protect the user from browser-based exploits. Unfortunately, it is clear from the results that the application of these security controls is at best minimal and closer to non-existent in the top websites.

HTTP Only flag on the Set-Cookie header

Total Set-Cookie Headers: 682598
Cookies with HTTP Only Flag set: 88442

HTTPOnly is not an HTTP header but an attribute of the Set-Cookie header. It indicates to the browser that this cookie should only be sent with HTTP requests and not be accessible from client-side scripts. This is a mitigation against XSS attacks, where the evil client-side JavaScript would attempt to steal a session cookie.

The browser must support the HTTPOnly flag for this mitigation to be effective.

Full details of the supported browsers and the implementation of the HTTPOnly cookie in .NET, Tomcat and PHP are covered on the Wikipedia page.

X-Frame-Options HTTP Header

Number of sites with X-Frame-Options Header: 9009

This header informs the browser if a web page is allowed to be framed in another web page or not. The main purpose of this protection is to prevent malicious sites from conducting a click-jacking attack against the user.

There are two parameters available for X-Frame-Options. These are:

SAMEORIGIN: allows the page to be framed only by a page from the same domain.

DENY: a more restrictive parameter that prevents the page from being framed at all.

X-XSS-Protection

Number of sites with X-XSS-Protection enabled: 25423

This header is only utilized by Internet Explorer 8 and will turn on the built-in cross-site scripting protection. The reason for this is that IE 8 shipped with the cross-site scripting protection turned off by default, as Microsoft feared that some web sites might break if it was turned on.

To turn the protection on, the server sends the header like this:

X-XSS-Protection: 1; mode=block

X-Content-Security-Policy

Number of sites with this enabled: 36

This is a policy that informs the browser how content can interact with your website. The policy covers content such as videos and JavaScript.

For example, specifying "allow 'self';" will prevent the page from executing JavaScript from third-party sources. All JavaScript will have to be sourced from the same domain. This helps prevent cross-site scripting attacks, as it raises the bar and forces an attacker to run the code from our domain name rather than from any third-party web site.

If specific third-party resources are required, settings are available to whitelist specific domains and file types.
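An added checker (not HackerTarget's survey code) that audits one response head for the four controls counted above: the HttpOnly attribute on every Set-Cookie, X-Frame-Options, X-XSS-Protection and a Content-Security-Policy header. The sample response is constructed, and the checker also accepts the standardised Content-Security-Policy name alongside the X- prefixed one the survey counted.

```python
"""Audit one HTTP response head for HttpOnly cookies, X-Frame-Options,
X-XSS-Protection and (X-)Content-Security-Policy.
Added example, not HackerTarget's survey code; stdlib only."""

# Constructed sample response (not a real site's headers): one cookie has
# HttpOnly, one does not, and no Content-Security-Policy is sent.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: tracking=xyz; Path=/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a raw response head into (lower-cased name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                     # blank line ends the headers
            break
        name, _sep, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(pairs):
    """Return {control: (ok, detail)} for the controls the survey counted."""
    by_name = {}
    for name, value in pairs:
        by_name.setdefault(name, []).append(value)
    result = {}

    # HttpOnly is an attribute of each Set-Cookie header, not a header itself
    cookies = by_name.get("set-cookie", [])
    exposed = []
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            exposed.append(cookie.split("=", 1)[0].strip())
    if not cookies:
        result["httponly"] = (True, "no cookies set")
    elif exposed:
        result["httponly"] = (False, "cookies without HttpOnly: " + ", ".join(exposed))
    else:
        result["httponly"] = (True, "all cookies carry HttpOnly")

    # X-Frame-Options: DENY and SAMEORIGIN are the two values the post lists
    xfo = [v.upper() for v in by_name.get("x-frame-options", [])]
    if not xfo:
        result["x-frame-options"] = (False, "absent: page may be framed")
    elif all(v in ("DENY", "SAMEORIGIN") for v in xfo):
        result["x-frame-options"] = (True, xfo[0])
    else:
        result["x-frame-options"] = (False, "unrecognised value: " + xfo[0])

    # X-XSS-Protection: the post's recommended value is "1; mode=block"
    xss = by_name.get("x-xss-protection", [])
    result["x-xss-protection"] = (
        any(v.replace(" ", "").lower() == "1;mode=block" for v in xss),
        xss[0] if xss else "absent")

    # CSP: the standardised header name plus the X- prefixed one the survey counted
    csp = (by_name.get("content-security-policy", [])
           + by_name.get("x-content-security-policy", []))
    result["csp"] = (bool(csp), csp[0] if csp else "no policy header")
    return result


if __name__ == "__main__":
    for control, (ok, detail) in audit_headers(parse_head(SAMPLE_RESPONSE)).items():
        print("%-16s %s  %s" % (control, "ok     " if ok else "MISSING", detail))
```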

In conclusion

Mozilla has provided a lot of detail on this security feature. Furthermore, there are a lot of good reasons to use the X-Content-Security-Policy header. Unfortunately, it seems most web/system administrators are not aware of it or just do not care...

These stats have been quickly pulled together from the data we have been processing. Some, like the X-Content-Security-Policy total of 36, seem a bit off, but I have double-checked and reran the query. No guarantee of accuracy is provided, but it's pretty close.

WPScan added to WordPress Security Scan
https://hackertarget.com/wpscan-added-to-wordpress-security-scan/
Tue, 15 May 2012 09:53:27 +0000

For all you WordPress lovers, we have added WPScan to our existing WordPress Security Scan. WPScan is a handy WordPress-focused vulnerability scanner developed by Ryan Dewhurst (ethicalhack3r.co.uk).

The scan uses techniques that include brute forcing the plugins directory of a WordPress installation to find installed plugins. This is an accurate way to find plugins and can even pinpoint plugins that are disabled within the site but still installed in the wp-content/plugins directory and possibly a security risk.

Features of the active WPScan component include:

  • Username discovery; with usernames an attacker can then start brute forcing account passwords
  • Enhanced version enumeration, from both the meta generator tag and client side files
  • Vulnerability identification, comparing current version with known vulnerabilities
  • TimThumb file discovery - this is a vulnerability affecting hundreds of thousands of WordPress sites
  • Plugin enumeration (over 2000 plugins tested)
  • Plugin vulnerability identification (from plugin name)
  • Test for directory indexing on any discovered plugins

Due to the aggressive nature of the plugin and username discovery techniques we have decided to make the WPScan component of our online scanner available only to members.

If you would like to run WPScan from your own installation, there are excellent getting started guides on the Google Code site and in the README file. Getting it installed and running on Ubuntu or BackTrack does not take much effort, so fire up your Linux distro and start testing.

Did you know that WordPress runs more than 11% of the world's top web sites?

Security Scan Restrictions and Updates
https://hackertarget.com/security-scan-restrictions-and-updates/
Sun, 08 Apr 2012 12:28:28 +0000

After performing over a quarter of a million free security scans, HackerTarget.com has decided to remove access to some of the free security scanning options. This will be a disappointment for some users but in the long run it will mean added functionality and improvements to our overall service.

The primary reason for the change is that even with multiple layers of restrictions in place, a very small percentage of users continued to attempt to abuse the systems.

While the occurrence of abuse was very low, the ongoing maintenance required when playing a game of whack-a-mole was taking time away from further development and improvements to the services on offer. Blacklists were continually being updated with free email provider domains, Tor IP addresses, and other anonymous services.

Security scans that are now restricted include the Nikto Web Site Scanner, the SQL Injection Scan and the OpenVAS Vulnerability Scan. These scans are quite noisy and can result in Intrusion Detection System alerts and large numbers of log file entries.

All non-intrusive security scans and information gathering tools will continue to be available for free, as will the most popular online Nmap scan.

Membership will provide access to all current scans and some new tools that are under development. The requirement to pay for membership adds an additional layer of identification before any intrusive scans can be initiated.

Information technology professionals who use our services will find the low cost and enhanced service offerings a most welcome addition.

Stay in touch via Twitter or our new mailing list for these exciting new developments.

Regards,

Peter
Director and Lead Analyst

IPv6 added to online port scanner
https://hackertarget.com/ipv6-added-to-online-port-scanner/
Sat, 03 Mar 2012 11:39:25 +0000

Our online Nmap port scanner is now IPv6 capable. Nmap has had the ability to scan IPv6 addresses for some time now, and recently Linode also added IPv6 to its VPS offerings. These additions mean we can now provide online port scanning of both IPv4 and IPv6 addresses, or host names that have an appropriate AAAA DNS record.

It is important to understand what ports are open and listening on your perimeter network or hosted Internet servers. With the updated tool you can now quickly determine what ports are listening on both your IPv4 address and your IPv6 address. As people move towards IPv6 (will 2012 be the year of IPv6?), it is necessary to ensure that network protection devices and software are configured for, and capable of protecting, both IPv4 and IPv6 traffic.

An AAAA DNS record has been added to our main site (an easy check with IP Tools), and you will see that we are serving pages to both IPv4 and IPv6 addresses.

If 2012 is going to be the year of IPv6, we are ready to go. 😉

Top 100K Sites WordPress Usage Infographic
https://hackertarget.com/top-100k-sites-wordpress-usage-infographic/
Mon, 22 Aug 2011 13:08:12 +0000

WordPress.org have a post up detailing the "state of the word".

Around the same time we have been putting together a WordPress infographic that highlights some of the findings from our analysis of WordPress usage among the top 100K sites (as rated by Alexa).

WordPress Usage in the Top 100K Infographic

Secure WordPress
https://hackertarget.com/secure-wordpress/
Thu, 26 May 2011 00:18:49 +0000

Operating a secure WordPress installation requires work to stay on top of things; after all, with WordPress being so popular, its security is constantly being tested.

WordPress Security Scan is a Hacker Target tool. It can be used to test the security of your WordPress installation from an external perspective. No plugin installation is required; the system does an external passive analysis of your WordPress installation and highlights WordPress security issues, along with recommendations to improve the security of your installation.

Secured WordPress?
Test WordPress and Server Security in 2 clicks

WordPress is the most popular web publishing platform. When looking at the Top 1 Million sites it is well ahead of other big players such as the Google owned Blogger and open source frameworks such as Joomla and Drupal. In March of 2011, HackerTarget.com produced a report on the popularity of technologies in the Alexa Top 1 Million Sites.

Tips for securing your WordPress CMS

  • Back it up - be ready to lose it all at any time. If you have an up-to-date backup, restoring is much easier
  • Keep the WordPress system up to date
  • Keep all plugins up to date
  • Beware of untrusted themes
  • Rename the admin account to a non-generic name
  • Use strong passwords (a dictionary word with a number after it is not a strong password!)
  • Keep your password safe! Do not re-use it on other sites.
  • Ensure you have up-to-date AV on your Windows machine. Malware collects passwords.
  • The underlying server must be well managed and in a secure state
  • VPS or dedicated server? Set up server monitoring (ossec.net is a good start)

There are a multitude of guides to securing your WordPress installation; in the meantime, why not test your site's security now with our easy-to-use online scanner.

sqlmap 0.9 added to online security scans
https://hackertarget.com/sqlmap-0-9-added-to-online-security-scans/
Wed, 20 Apr 2011 09:22:39 +0000

The latest update to the site tools is the addition of the new sqlmap 0.9 release to the Online SQL Injection scanner.

This is a tool that takes SQL injection to the next level and beyond. While our online scan tests for SQL injection in HTTP GET requests, this is only the beginning. This tool can exploit SQL injection to give the tester full operating system access, either via an inserted shell or by external command execution. It does not matter if you are on Windows or Linux; it can do both.

All the details are on the main site. Or here is a quick list of improvements:

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for five SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query and stacked queries.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate database users, users' password hashes, users' privileges, users' roles, databases, tables and columns.
  • Automatic recognition of password hashes format and support to crack them with a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's getsystem command which include, among others, the kitrap0d technique (MS10-015).

Have a look at the help file on the Online SQL Injection scanner for a sample run against the Acunetix Test Site.
