Intruder Tools
Accounts and Hostnames
A valuable tool for social engineering and intelligence gathering is theHarvester, which collects email accounts, usernames, hostnames, and subdomains from different public sources, such as search engines and PGP key servers. The sources supported are Google, Google profiles, Bing, PGP, LinkedIn, and Exalead. New features were added as of March 4, 2011, with the version 2.0 release, including time delays between requests, XML results export, searching a domain in all sources, and virtual host verification. To issue a search (see Figure 5), use:
./theHarvester.py -l 100 -b all -d target.com
You can redirect the output to a text file to read later. To use the Bing source, you need an API key; otherwise, you will get an error when you use the all option. Open up vi or your favorite editor and edit the file ~/theHarvester-ng/discovery/bingsearch.py, then look for the line that says: self.bingApi="" and enter your API key.
Metasploit can also search for email accounts using the gather option. This option in Metasploit is located in the auxiliary options. Just type the following at the msf > prompt:
msf > use gather/search_email_collector
msf > set domain sempra.com
msf > run
This module is useful within Metasploit, but it is not as powerful as theHarvester. For instance, Metasploit's gather module does not let you search PGP key servers, although it will search for email addresses in Google, Bing, and Yahoo.
Network Discovery with Paterva’s Maltego
Paterva’s Maltego is a general-purpose reconnaissance tool that runs on Windows, Linux, and Mac OS X. (This article focuses on the Linux version.) Maltego is available in two versions: a free community edition and a commercial version. The differences are that the community version has a maximum of 12 results per transform, runs slower, and won’t provide updates until the next major version.
Maltego is built on the concept of transforms: taking one piece of information and performing a lookup to determine another piece of information. For instance, a Maltego transform will perform a DNS lookup on a domain and find its IP address. You can then apply another transform to map the IP address to an organization's name via a netblock lookup. Follow this with a whois lookup on the organization name to find its public PGP key. Next, you can map that key to the names of people who have signed it, yielding the names of more people.
The issue that presents itself once you start this search is the vast amounts of information. It is difficult for the human brain to see obscure links between seemingly unrelated data. It is easy to see commonalities between pieces of information when displayed graphically. Maltego can graphically display the links between different kinds of data, such as people, organizations, domain names, IP addresses, and documents.
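As an added illustration of the transform chaining and graph idea described above (this is not Maltego's code; the entity types, lookup tables, and names are constructed stand-ins so it runs offline), the following script chains transforms breadth-first from a seed domain and then reports the entities reached by more than one path, which is exactly the kind of commonality a graph makes visible:

```python
"""Toy model of Maltego-style transform chaining (added example, not Maltego code).
All lookup data below is constructed inline so the script runs offline."""
from collections import defaultdict

# Constructed stand-ins for the public lookups a real transform would perform.
DNS = {"example.org": ["203.0.113.10", "203.0.113.11"]}
NETBLOCK = {"203.0.113.10": "Example Org", "203.0.113.11": "Example Org"}
PGP_KEYS = {"Example Org": ["0xDEADBEEF"]}          # constructed key id
SIGNERS = {"0xDEADBEEF": ["Alice Example", "Bob Example"]}

# A transform maps one entity (type, value) to a list of entities of another type.
TRANSFORMS = {
    "domain": lambda v: [("ip", ip) for ip in DNS.get(v, [])],
    "ip":     lambda v: [("org", NETBLOCK[v])] if v in NETBLOCK else [],
    "org":    lambda v: [("pgpkey", k) for k in PGP_KEYS.get(v, [])],
    "pgpkey": lambda v: [("person", p) for p in SIGNERS.get(v, [])],
}

def run_all_transforms(seed_type, seed_value):
    """Apply every applicable transform breadth-first, like Maltego's
    'All transforms'. Returns the set of directed edges (parent -> child)."""
    edges = set()
    seen = {(seed_type, seed_value)}
    queue = [(seed_type, seed_value)]
    while queue:
        etype, value = queue.pop(0)
        for child in TRANSFORMS.get(etype, lambda _: [])(value):
            edges.add(((etype, value), child))
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return edges

def shared_entities(edges):
    """Entities reached from more than one parent: the 'commonalities'
    that are hard to spot in a flat listing but obvious in a graph."""
    parents = defaultdict(set)
    for parent, child in edges:
        parents[child].add(parent)
    return {child for child, ps in parents.items() if len(ps) > 1}

if __name__ == "__main__":
    g = run_all_transforms("domain", "example.org")
    for parent, child in sorted(g):
        print(f"{parent[0]}:{parent[1]} -> {child[0]}:{child[1]}")
    print("shared:", shared_entities(g))
```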
To create a new graph, use either the Ctrl+T keyboard command or click on the + button next to the application icon. Once the graph is available, you can add entities and run transforms on those entities. The palette, which contains a default collection of entities, is available once you click the Manage tab and see it listed under Windows (see Figure 6).
Select a node from the palette and drag it onto the graph; to edit the value, double-click on the text. Left-click on the node you want to select (you should see a yellow rectangle appear around it), and you will see a list of transforms to run. All the transforms can be displayed and a selection made by clicking on a transform name. Transforms can also be grouped logically by the user into sets. At the top is the Maltego application button, which provides access to additional functionality and resources. Maltego can easily load and save graphs, which are stored with an .mtgx extension.
When you right-click on the entity and get a list of available transforms, you can choose any one of the associated transforms or apply all of them by choosing All transforms. This option takes some time to complete and generates a lot of traffic. The information pulled back from various public sources is displayed hierarchically, and you can view it in several ways (see Figure 7).
Shodan is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. The bulk of its data is taken from banners, which are metadata the server sends back to the client: information about the server software, what options the service supports, and banner messages or anything else the client would want to know before interacting with the server. You can enter the following in the search input box: SCADA city:"San Diego" country:US and Shodan will return SCADA systems running in San Diego. This type of search can be very helpful in doing penetration tests for public utilities.
You will even find a Shodan add-on for Maltego, which requires Maltego version 3 or later and a Shodan API key. The Shodan add-on gives you six transforms: searchShodan, search-ExploitDB, searchMetasploit, get-Host-Profile, searchShodanDomain, and searchShodanNetblock (see Figure 8).