Pentesting Project PDF

This document discusses techniques for performing DNS enumeration and information gathering on a target website. It describes tools like Dig, Host, DNSenum, Nmap, DNS Recon and Fierce that can be used to detect DNS records, hostnames, IP addresses and more. Whois lookups and the ARIN registry are also covered as methods to collect additional DNS information. Finally, the document shows how to use Wireshark, VEGA and TCP dump to analyze network packets and inspect protocols like HTTP, TCP and UDP to potentially discover credentials or vulnerabilities.


Web Penetration Test

https://hack.me/

CAPITAL UNIVERSITY OF SCIENCE AND TECHNOLOGY

2020
Report by: Muhammad Sohaib Imtiaz
Contents
DNS Enumeration
  Introduction
  What's DNS enumeration?
  Impact
  Let's explore the best ways to perform a DNS enumeration
    1. Dig
    2. Host
    3. DNSenum
    4. Nmap
    5. DNS Recon
    6. Fierce
DNS Info collection
  1. Whois
  2. ARIN registry
  3. Netdiscover
  4. ZenMap
Using Wireshark
Using the VEGA web scanner to find vulnerabilities
Using tcpdump
Web Penetration Test | 1/9/2020

DNS Enumeration

Introduction

DNS servers are the heart and soul of the Internet. Without them we couldn’t resolve hostnames
and domain names into IP addresses.

However, DNS is also one of the most frequently attacked protocols: DNS attacks of
many kinds hit everyone from home users to small, mid-sized and large companies.

That’s why, in the information gathering process, the most common practice is to
create a full inventory of all internet-connected devices and domain names from
the company you’re investigating.

We all know that DNS servers are basically computers connected to the Internet
that help us resolve hostnames into IP addresses. They're in charge of
managing and processing DNS requests from clients that need to fetch fresh
domain name information, along with DNS records.

That's where the weak link shows up, thanks to the way DNS was built: it is a
bit vulnerable by design, which allows us to perform DNS enumeration (also known as
DNS recon) easily.

Network Penetration Test | 7/1/2008


What’s DNS enumeration?

DNS enumeration is one of the most popular reconnaissance tasks there is for
building a profile of your target.

In plain English, it’s the act of detecting and enumerating all possible DNS
records from a domain name. This includes hostnames, DNS record names,
DNS record types, TTLs, IP addresses, and a bit more, depending on how much
information you’re looking for.

With effective DNS enumeration, you can clone DNS zones manually, using
scripts, or by exploiting DNS zone transfer vulnerabilities, known
as AXFR (Asynchronous Transfer Full Range) transfers. This latter type of DNS
transfer takes place when an attacker detects a misconfigured DNS server that
actually responds to AXFR requests.
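To make concrete what "responding to AXFR requests" looks like on the wire, and how an operator can tell a correctly restricted server from a leaking one, here is an added example in Python that is not part of the original report. It builds an AXFR query in RFC 1035 wire format and decodes a response; both responses it checks are constructed sample data for the made-up zone example.test (no server is contacted), and the record set in the "leaky" sample is simplified to A records for brevity.

```python
"""Build a DNS AXFR query and judge a nameserver's answer to it.

Added example, not part of the original report. A correctly restricted
authoritative server answers an unauthorised zone transfer with RCODE
REFUSED (5) or NOTAUTH (9); one that answers NOERROR with records is
handing out its whole zone. Both responses below are constructed sample
data (no server is contacted). The helpers implement just enough of the
RFC 1035 wire format to build the query and decode the answer section.
"""
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               5: "REFUSED", 9: "NOTAUTH"}
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA", 252: "AXFR"}


def encode_name(name):
    """Encode 'www.example.test' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header plus one question: QTYPE AXFR (252), QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # plain query, RD=0
    return header + encode_name(zone) + struct.pack("!HH", 252, 1)


def tcp_frame(msg):
    """AXFR runs over TCP, where every DNS message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Return (rcode_name, [(owner, type_name, ttl, rdata_bytes), ...])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                         # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, str(rcode)), records


def transfer_allowed(msg):
    """True when the server answered the AXFR with records, i.e. the zone leaked."""
    rcode, records = parse_response(msg)
    return rcode == "NOERROR" and len(records) > 0


def _sample_response(rcode, answers):
    """Construct a reply to build_axfr_query("example.test") (sample data, not a capture)."""
    question = encode_name("example.test") + struct.pack("!HH", 252, 1)
    flags = 0x8400 | rcode                      # QR=1, AA=1, plus the rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0) + question
    for owner, rtype, ttl, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# A well-configured server: no records, RCODE REFUSED.
REFUSED_RESPONSE = _sample_response(5, [])
# A misconfigured server: the zone comes back (A records only, to keep the sample
# short; a real transfer is bracketed by SOA records).
LEAKY_RESPONSE = _sample_response(0, [
    ("example.test", 1, 3600, bytes([192, 0, 2, 10])),
    ("www.example.test", 1, 300, bytes([192, 0, 2, 20])),
    ("mail.example.test", 1, 300, bytes([192, 0, 2, 25])),
])

if __name__ == "__main__":
    print("query:", tcp_frame(build_axfr_query("example.test")).hex())
    for label, resp in (("refused", REFUSED_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        rcode, records = parse_response(resp)
        print(f"{label}: rcode={rcode} records={len(records)} leaked={transfer_allowed(resp)}")
```

The same verdict is what `dig axfr` gives you in human-readable form; the point of the check is that the only acceptable answers from your own authoritative servers to an unlisted client are REFUSED or NOTAUTH, and an AXFR that returns records is a finding to fix in the server's transfer ACL.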

Impact

Once DNS enumeration is completed, unauthenticated users may use this
information to observe internal network records, grabbing useful DNS information
that gives the attacker a full DNS map. This allows him to explore
the attack surface of any company, so he can later scan it, collect data and,
while he's at it, exploit it if there's an open opportunity.

Let's explore the best ways to perform a DNS enumeration.

1. Dig

2. Host

3. DNSenum

4. Nmap

5. DNS Recon

6. Fierce

DNS Info collection

1. Whois

2. ARIN registry

3. Netdiscover

4. ZenMap

Using Wireshark

Capture packets related to the TCP protocol and identify the three-way handshake
sequences.

Capture packets of the HTTP protocol.

Capture packets of the UDP protocol.

Capture packets of ARP requests and replies.

Try to find the user name and password in plain text for a website that uses the simple
HTTP protocol, by using its login form.

Using the VEGA web scanner to find vulnerabilities

Using tcpdump


Capture packets related to the TCP protocol and identify the three-way handshake
sequences.
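Both the Wireshark and the tcpdump task above ask you to pick out SYN, SYN-ACK and ACK by eye. The following added example (in Python, not part of the original report) applies the same matching rule to a list of packet records so that completed handshakes and half-open connections fall out automatically. The packets are constructed tuples standing in for decoded capture records; the addresses 10.0.0.x and 192.0.2.80 are sample values.

```python
"""Identify TCP three-way handshakes in a list of packets.

Added example, not from the report. Each Packet is a constructed tuple
standing in for one decoded capture record (what Wireshark's packet list
or a tcpdump line shows); the matching logic is the one you apply by eye:
SYN, then SYN-ACK acknowledging seq+1, then ACK acknowledging the server's
seq+1.
"""
from collections import namedtuple

SYN, ACK = 0x02, 0x10
Packet = namedtuple("Packet", "src sport dst dport flags seq ack")

# Constructed sample: a complete handshake from 10.0.0.5 to the web server,
# a half-open connection from 10.0.0.9 (SYN-ACK never acknowledged) and a
# stray ACK that belongs to no handshake.
SAMPLE = [
    Packet("10.0.0.5", 51000, "192.0.2.80", 80, SYN, 1000, 0),
    Packet("192.0.2.80", 80, "10.0.0.5", 51000, SYN | ACK, 5000, 1001),
    Packet("10.0.0.5", 51000, "192.0.2.80", 80, ACK, 1001, 5001),
    Packet("10.0.0.9", 40000, "192.0.2.80", 443, SYN, 7000, 0),
    Packet("192.0.2.80", 443, "10.0.0.9", 40000, SYN | ACK, 9000, 7001),
    Packet("10.0.0.5", 51000, "192.0.2.80", 80, ACK, 1001, 5001),
]


def tcpdump_flags(p):
    """Render flags the way tcpdump prints them: [S], [S.], [.]."""
    return ("S" if p.flags & SYN else "") + ("." if p.flags & ACK else "")


def find_handshakes(packets):
    """Return (completed, incomplete) as lists of (client, cport, server, sport).

    A bare SYN opens a pending entry keyed by the client-side 4-tuple, a
    SYN-ACK in the reverse direction with ack == client_seq + 1 advances it,
    and a client ACK with ack == server_seq + 1 completes it. Whatever is
    still pending at the end is half-open.
    """
    pending, completed = {}, []
    for p in packets:
        is_syn, is_ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if is_syn and not is_ack:
            key = (p.src, p.sport, p.dst, p.dport)
            pending[key] = {"stage": "syn", "client_seq": p.seq}
        elif is_syn and is_ack:
            key = (p.dst, p.dport, p.src, p.sport)      # server replies, so reverse
            st = pending.get(key)
            if st and st["stage"] == "syn" and p.ack == st["client_seq"] + 1:
                st.update(stage="synack", server_seq=p.seq)
        elif is_ack:
            key = (p.src, p.sport, p.dst, p.dport)
            st = pending.get(key)
            if (st and st["stage"] == "synack"
                    and p.seq == st["client_seq"] + 1
                    and p.ack == st["server_seq"] + 1):
                completed.append(key)
                del pending[key]
    return completed, sorted(pending)


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src}:{p.sport} > {p.dst}:{p.dport} "
              f"Flags [{tcpdump_flags(p)}] seq {p.seq} ack {p.ack}")
    done, half_open = find_handshakes(SAMPLE)
    print("completed:", done)
    print("half-open:", half_open)
```

To isolate the first step of each handshake in the tools themselves, the Wireshark display filter is `tcp.flags.syn == 1 && tcp.flags.ack == 0` and the equivalent tcpdump capture filter is `'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`; a large number of pending entries relative to completed ones is the pattern a defender watches for when looking for SYN scans or SYN floods.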

Capture packets of the HTTP protocol.

Capture packets of the UDP protocol.

Capture packets of ARP requests and replies.


Try to find the user name and password in plain text for a website that uses the simple
HTTP protocol, by using its login form. Find the names and passwords in plain text
in the packet dump.
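What the Wireshark and tcpdump credential tasks above uncover is simply the body of a form POST carried over port 80. The added example below (Python, not part of the original report) parses such a request the way a monitoring check would and reports which fields carried credentials, masking the secret so the report itself never stores it. The request is constructed sample data for a made-up host demo.example.test; the field-name lists are assumptions about common form field names.

```python
"""Flag credentials sent in cleartext HTTP form posts.

Added example, not from the report. A login form submitted over plain
HTTP puts the username and password in the request body exactly as the
user typed them, which is what a capture on port 80 reveals. Over TLS the
request line and body are encrypted, so this parser never sees them. The
request below is constructed; the detector returns the sensitive field
names with their values masked, so it is safe to run as a monitoring check.
"""
from urllib.parse import parse_qs

# Assumed common names for secret and identity form fields.
SENSITIVE_FIELDS = ("password", "passwd", "pwd", "pass", "secret", "token")
IDENTITY_FIELDS = ("username", "user", "login", "email")

# Constructed sample of what a capture of a plain-HTTP login contains.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: demo.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"username=alice&password=S3cret%21&go=1"
)


def parse_http_request(raw):
    """Split a raw request into (method, path, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def mask(value):
    """Keep only the length so a report never re-stores the secret."""
    return "*" * len(value)


def find_cleartext_credentials(raw):
    """Return [(field, value_or_mask)] for credential fields in a form POST.

    Identity fields are returned as-is so the finding can be correlated with
    a user; secret fields are masked.
    """
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return []
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    fields = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    findings = []
    for name, values in fields.items():
        lowered = name.lower()
        if any(s in lowered for s in SENSITIVE_FIELDS):
            findings.append((name, mask(values[0])))
        elif lowered in IDENTITY_FIELDS:
            findings.append((name, values[0]))
    return findings


if __name__ == "__main__":
    for field, value in find_cleartext_credentials(SAMPLE_REQUEST):
        print(f"cleartext credential field: {field}={value}")
```

The fix on the server side is to serve the login form and its target over HTTPS only (and redirect or refuse port 80), which is why the same check run against a TLS capture returns nothing: there is no readable request line to parse.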
