Introduction
Different manual and automated techniques and tools are used in pentesting, depending on the target web application being scanned.
Security researchers and pentesters always try to find vulnerabilities in the source code or in the ports that are exposed. Ethical hacking researchers from the International Institute of Cyber Security in Delhi, India, recently demonstrated a critical vulnerability using a very basic tool called goscan, which we cover in the following sections.
GOscan
GOscan is a network scanner that automates network scanning. It is used to find open ports and services on the target, and it supports all the main enumeration features.
It uses an SQLite database while scanning. According to the ethical hacking researchers of the International Institute of Cyber Security, goscan can be used in several phases of a pentest.
- On the attacker side, goscan has been tested on Kali Linux 2018.4 amd64. DVWA is used as the target.
- You can download DVWA from: http://www.dvwa.co.uk/DVWA-1.0.7.iso
- Open DVWA-1.0.7.iso in VMware: click Open, go to the location where you downloaded the DVWA ISO, select it and open it in VMware.
- Click Power On in the virtual machine. Type ifconfig to find its IP address, then open a browser and enter the DVWA IP address.
- By default the DVWA username is admin and the password is password.
- Your DVWA is now set up. After configuring the target, configure goscan.
- The tool is based on the Go environment. If Go is not installed, download and set up Go before using GOSCAN.
- To download Go, type
wget https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz
root@kali:/home/iicybersecurity# wget https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz
--2019-03-18 02:21:59--  https://dl.google.com/go/go1.12.1.linux-amd64.tar.gz
Resolving dl.google.com (dl.google.com)... 172.217.167.14, 2404:6800:4002:80a::200e
Connecting to dl.google.com (dl.google.com)|172.217.167.14|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 127906702 (122M) [application/octet-stream]
Saving to: ‘go1.12.1.linux-amd64.tar.gz’

go1.12.1.linux-amd64.tar.gz  100%[===========================================================>] 121.98M  1.89MB/s    in 93s

2019-03-19 12:48:43 (1.31 MB/s) - ‘go1.12.1.linux-amd64.tar.gz’ saved [127906702/127906702]
Unpacking
- On the command line, type tar -xvzf go1.12.1.linux-amd64.tar.gz
- Now type cd go and then cd bin
- Copy the go binary by typing cp go /usr/local/bin/go
- Then type export GOROOT=/home/iicybersecurity/go/bin
- Type echo $GOROOT
root@kali:/home/iicybersecurity/Downloads# export GOROOT=/home/iicyberseurity/go/bin
root@kali:/home/iicybersecurity/Downloads# echo $GOROOT
/home/iicyebrsecurity/go/bin
- After installing Go, type wget https://github.com/marcolancini/goscan/releases/download/v2.4/goscan_2.4_linux_amd64.zip
- Type unzip goscan_2.4_linux_amd64.zip
- Type chmod u+x goscan
- Then type ./goscan
root@kali:/home/iicybersecurity/Downloads# ./goscan
[goscan ASCII-art banner]
goscan (v.2.4)
Marco Lancini [@LanciniMarco]
- Before running a scan, add the target IP address to the goscan database. Type load target SINGLE 192.168.1.105
- You can also add multiple IP addresses to the goscan database. To do so, type load target MULTIPLE /home/iicybersecurity/Downloads/Iplist.txt, pointing at the text file that contains the IP addresses.
- Type show targets to check the IP addresses that have been added.
[goscan] > load target SINGLE 192.168.1.9
[*] Imported target: 192.168.1.9
[goscan] > show targets
+---------------+----------+
|    ADDRESS    |   STEP   |
+---------------+----------+
| 192.168.1.105 | IMPORTED |
+---------------+----------+
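goscan imports every address the MULTIPLE file contains, so the only place to make sure nothing outside the authorized engagement scope gets scanned is before the file is handed to it. The following script is an added example (not part of goscan or the original walkthrough) that reads a target list like Iplist.txt, classifies each entry against a scope of CIDR blocks, and produces the filtered file to load. AUTHORIZED_SCOPE, SAMPLE_IPLIST and the one-entry-per-line format with `#` comments are assumptions; whether goscan itself accepts CIDR entries is not stated on the page, the check simply handles them too.

```python
"""Check a target list against the authorized scope before `load target MULTIPLE`.

Added example, not part of goscan. The file format assumed here is one address
(or CIDR block) per line with '#' comments; AUTHORIZED_SCOPE and SAMPLE_IPLIST
are constructed values.
"""
import ipaddress
from typing import Dict, List

# Constructed: the ranges the client authorized for this engagement (assumption).
AUTHORIZED_SCOPE = ["192.168.1.0/24"]

# Constructed Iplist.txt content: two lab hosts, an in-scope block, a public
# address that must not be scanned, a comment, a blank line and a typo.
SAMPLE_IPLIST = """\
192.168.1.105
192.168.1.9
192.168.1.0/28
# production mail server, do not scan
162.241.216.11

10.0.0.300
"""


def parse_target_file(text: str) -> List[str]:
    """Return the entries of a target file, ignoring blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            entries.append(entry)
    return entries


def classify_entry(entry: str, scope: List[str]) -> str:
    """Return 'in_scope', 'out_of_scope' or 'invalid' for one address or CIDR block."""
    nets = [ipaddress.ip_network(s, strict=False) for s in scope]
    try:
        candidate = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "invalid"
    # A single address parses as a /32 (or /128) network, so one check covers both.
    # subnet_of() raises on mixed IPv4/IPv6 operands, hence the version guard.
    if any(candidate.version == n.version and candidate.subnet_of(n) for n in nets):
        return "in_scope"
    return "out_of_scope"


def classify_targets(entries: List[str], scope: List[str]) -> Dict[str, List[str]]:
    """Group entries by verdict, preserving file order inside each group."""
    result: Dict[str, List[str]] = {"in_scope": [], "out_of_scope": [], "invalid": []}
    for entry in entries:
        result[classify_entry(entry, scope)].append(entry)
    return result


def filtered_target_file(text: str, scope: List[str]) -> str:
    """Content to actually pass to `load target MULTIPLE`: in-scope entries only."""
    verdict = classify_targets(parse_target_file(text), scope)
    return "\n".join(verdict["in_scope"]) + "\n"


if __name__ == "__main__":
    verdict = classify_targets(parse_target_file(SAMPLE_IPLIST), AUTHORIZED_SCOPE)
    for category, items in verdict.items():
        print(f"{category}: {items}")
    print("file to load:\n" + filtered_target_file(SAMPLE_IPLIST, AUTHORIZED_SCOPE))
```

Anything reported as out_of_scope or invalid should be resolved with whoever owns the scope document before the scan, rather than silently dropped; the public address in the sample is exactly the kind of entry that ends up in a target database by mistake.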
- Before looking for any services or ports on the target IP addresses, GOSCAN needs to ping the added IP address.
- Every pentest starts with PING (Packet Internet Groper), the most common utility used to check reachability over the network, so goscan also checks with ping. To do so, type sweep PING 192.168.1.105
[goscan] > sweep PING 192.168.1.105
[*] Starting Ping Sweep
[goscan] > [-] Created directory: /root/.goscan/192.168.1.105/sweep
[-] Executing command: nmap -n -sn -PE -PP 192.168.1.105 -oA /root/.goscan/192.168.1.105/sweep/ping_192.168.1.105
[*] [ping] Nmap work in progress on host: 192.168.1.105
[+] [ping] Nmap finished on host: 192.168.1.105
[+] [ping] Output has been saved at: /root/.goscan
- Type show targets here to check the available targets.
[goscan] > show targets
+---------------+----------+
|    ADDRESS    |   STEP   |
+---------------+----------+
| 192.168.1.105 | SWEEPED  |
+---------------+----------+
TCP scan
- Type portscan TCP-FULL 192.168.1.105
- portscan finds the target's open ports.
- goscan offers TCP and UDP scanning. We used the TCP-FULL scan, in which goscan uses the most common network protocols.
- goscan will look for the following at this point:
- TCP-STANDARD: scans the top 200 TCP ports
- TCP-PROD: scans the T3 RMI (Remote Method Invocation) protocol, which is used to exchange information between WebLogic and other programs
- TCP-VULN SCAN: runs the NSE scripts listed under CVE and tries to find vulnerabilities on the IP address
- Then you have to type the target IP address 192.168.1.105
[goscan] > portscan TCP-FULL 192.168.1.105
[*] Starting full TCP port scan
[goscan] > [-] Executing command: nmap -Pn -sT -sC -A -T4 -p- 192.168.1.105 -oA /root/.goscan/192.168.1.105/portscan/tcp_full_192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[*] [tcp_full] Nmap work in progress on host: 192.168.1.105
[+] [tcp_standard] Nmap finished on host: 192.168.1.105
[+] [tcp_standard] Output has been saved at: /root/.goscan
[+] [tcp_standard] Nmap finished on host: 192.168.1.105
[+] [tcp_standard] Output has been saved at: /root/.goscan
Ports
- After running the query above, it shows how nmap uses different queries to look for open ports. Once the scans have completed, type show ports to list the open ports on the IP address.
[goscan] > show ports
+---------------+----------+--------+---------------------------------------------+
|     HOST      |   PORT   | STATUS |                   SERVICE                   |
+---------------+----------+--------+---------------------------------------------+
| 192.168.1.105 | 21/tcp   | open   | ftp [ProFTPD 1.3.2c] [Unix]                 |
+---------------+----------+--------+---------------------------------------------+
| 192.168.1.105 | 22/tcp   | open   | ssh [OpenSSH 5.3p1 Debian 3ubuntu4] [Linux] |
+---------------+----------+--------+---------------------------------------------+
| 192.168.1.105 | 80/tcp   | open   | http [Apache httpd 2.2.14]                  |
+---------------+----------+--------+---------------------------------------------+
| 192.168.1.105 | 443/tcp  | open   | http [Apache httpd 2.2.14]                  |
+---------------+----------+--------+---------------------------------------------+
| 192.168.1.105 | 3306/tcp | open   | mysql [MySQL ]                              |
+---------------+----------+--------+---------------------------------------------+
- The target's open ports are shown above. These are the most common ports found during scanning.
- goscan also saves the output by creating a directory for each scanned IP address. To reach the directory, type cd /root/.goscan
- Now type cd 192.168.1.105
- Finally type ls && cat tcp_full_192.168.1.105.nmap
Output
root@kali:~/.goscan/192.168.1.105/portscan# ls
tcp_full_192.168.1.105.nmap
root@kali:~/.goscan/192.168.1.105/portscan# cat tcp_full_192.168.1.105.nmap
# Nmap 7.70 scan initiated Tue Mar 26 03:33:34 2019 as: nmap -Pn -sT -sC -A -T4 -p- -oA /root/.goscan/192.168.1.105/portscan/tcp_full_192.168.1.105 192.168.1.105
Nmap scan report for dvwa (192.168.1.105)
Host is up (0.0011s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.2c
22/tcp   open  ssh      OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
| http-title: Damn Vulnerable Web App (DVWA) - Login
|_Requested resource was login.php
443/tcp  open  ssl/http Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
| http-title: Damn Vulnerable Web App (DVWA) - Login
|_Requested resource was login.php
| ssl-cert: Subject: commonName=localhost/organizationName=Apache Friends/stateOrProvinceName=Berlin/countryName=DE
| Not valid before: 2004-10-01T09:10:30
|_Not valid after:  2010-09-30T09:10:30
|_ssl-date: 2019-03-26T07:34:27+00:00; +34s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_IDEA_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:33:5D:C2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 33s, deviation: 0s, median: 33s

TRACEROUTE
HOP RTT     ADDRESS
1   1.10 ms dvwa (192.168.1.105)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 26 03:33:54 2019 -- 1 IP address (1 host up) scanned in 20.07 seconds
Result
- The output above shows the detailed nmap scan analysis, which can be used in further hacking activities.
UDP SCAN:
- Type portscan UDP-STANDARD 192.168.1.105
- UDP-STANDARD scans nmap's common UDP ports and tries to find open/closed services.
[goscan] > portscan UDP-STANDARD 192.168.1.105
[*] Starting UDP port scan (common ports)
[goscan] > [-] Executing command: nmap -Pn -sU -sC -A -T4 -p19,53,69,79,111,123,135,137,138,161,177,445,500,514,520,1434,1900,5353 192.168.1.105 -oA /root/.goscan/192.168.1.105/portscan/udp_standard_192.168.1.105
[*] [udp_standard] Nmap work in progress on host: 192.168.1.105
[*] [udp_standard] Nmap work in progress on host: 192.168.1.105
[*] [udp_standard] Nmap work in progress on host: 192.168.1.105
[*] [udp_standard] Nmap work in progress on host: 192.168.1.105
[*] [udp_standard] Nmap work in progress on host: 192.168.1.105
[*] [udp_standard] Nmap work in progress on host: 192.168.1.105
[*] [udp_standard] Nmap work in progress on host: 192.168.1.105
- After running the query above, it shows how nmap uses different queries to look for open ports. Once the scans have completed, type show ports to list the open ports on the IP address.
Output
[goscan] > show ports
+---------------+----------+---------------+---------------------------------------+
|     HOST      |   PORT   |    STATUS     |                SERVICE                |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 19/udp   | open|filtered | chargen                               |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 53/udp   | closed        | domain                                |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 69/udp   | closed        | tftp                                  |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 79/udp   | open|filtered | finger                                |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 111/udp  | closed        | rpcbind                               |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 123/udp  | open|filtered | ntp                                   |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 135/udp  | closed        | msrpc                                 |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 137/udp  | closed        | netbios-ns                            |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 138/udp  | closed        | netbios-dgm                           |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 161/udp  | closed        | snmp                                  |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 177/udp  | closed        | xdmcp                                 |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 445/udp  | closed        | microsoft-ds                          |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 500/udp  | closed        | isakmp                                |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 514/udp  | open|filtered | syslog                                |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 520/udp  | closed        | route                                 |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 1434/udp | open|filtered | ms-sql-m                              |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 1900/udp | open|filtered | upnp                                  |
+---------------+----------+---------------+---------------------------------------+
| 192.168.1.105 | 5353/udp | closed        | zeroconf                              |
+---------------+----------+---------------+---------------------------------------+
Result
- The target's open ports are shown above. These are the most common ports found during scanning.
- goscan also saves the output by creating a directory for each scanned IP address. To reach the directory, just type cd /root/.goscan
- Then type cd 192.168.1.105
- Then type ls && cat udp_standard_192.168.1.105.nmap
root@kali:~/.goscan/192.168.1.105/portscan# cat udp_standard_192.168.1.105.nmap
# Nmap 7.70 scan initiated Tue Mar 26 04:05:25 2019 as: nmap -Pn -sU -sC -A -T4 -p19,53,69,79,111,123,135,137,138,161,177,445,500,514,520,1434,1900,5353 -oA /root/.goscan/192.168.1.105/portscan/udp_standard_192.168.1.105 192.168.1.105
Nmap scan report for dvwa (192.168.1.105)
Host is up (0.00089s latency).
PORT     STATE         SERVICE      VERSION
19/udp   open|filtered chargen
53/udp   closed        domain
69/udp   closed        tftp
79/udp   open|filtered finger
111/udp  closed        rpcbind
123/udp  open|filtered ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
177/udp  closed        xdmcp
445/udp  closed        microsoft-ds
500/udp  closed        isakmp
514/udp  open|filtered syslog
520/udp  closed        route
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
5353/udp closed        zeroconf
MAC Address: 00:0C:29:33:5D:C2 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.89 ms dvwa (192.168.1.105)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 26 04:06:41 2019 -- 1 IP address (1 host up) scanned in 75.85 seconds
Result
- The output above shows the detailed nmap scan analysis, which can be used in further hacking activities.
- The output above can also be found inside the goscan output directory. As shown above, it can be reached with cd /root/.goscan/192.168.1.105
- Type show hosts
[goscan] > show hosts
+----------------+--------+---------------------------+------+-----------------------------------------------------+
|    ADDRESS     | STATUS |            OS             | INFO |                        PORTS                        |
+----------------+--------+---------------------------+------+-----------------------------------------------------+
| 192.168.1.105  | up     | Linux 2.6.17 - 2.6.36     |      | * 21/tcp open : ftp [ProFTPD 1.3.2c]                |
|                |        |                           |      | * 22/tcp open : ssh [OpenSSH 5.3p1 Debian 3ubuntu4] |
|                |        |                           |      | * 80/tcp open : http [Apache httpd 2.2.14]          |
|                |        |                           |      | * 443/tcp open : http [Apache httpd 2.2.14]         |
|                |        |                           |      | * 3306/tcp open : mysql [MySQL ]                    |
|                |        |                           |      | * 19/udp open|filtered: chargen                     |
|                |        |                           |      | * 53/udp closed : domain                            |
|                |        |                           |      | * 69/udp closed : tftp                              |
|                |        |                           |      | * 79/udp open|filtered: finger                      |
|                |        |                           |      | * 111/udp closed : rpcbind                          |
|                |        |                           |      | * 123/udp open|filtered: ntp                        |
|                |        |                           |      | * 135/udp closed : msrpc                            |
|                |        |                           |      | * 137/udp closed : netbios-ns                       |
|                |        |                           |      | * 138/udp closed : netbios-dgm                      |
|                |        |                           |      | * 161/udp closed : snmp                             |
|                |        |                           |      | * 177/udp closed : xdmcp                            |
|                |        |                           |      | * 445/udp closed : microsoft-ds                     |
|                |        |                           |      | * 500/udp closed : isakmp                           |
|                |        |                           |      | * 514/udp open|filtered: syslog                     |
|                |        |                           |      | * 520/udp closed : route                            |
|                |        |                           |      | * 1434/udp open|filtered: ms-sql-m                  |
|                |        |                           |      | * 1900/udp open|filtered: upnp                      |
|                |        |                           |      | * 5353/udp closed : zeroconf                        |
+----------------+--------+---------------------------+------+-----------------------------------------------------+
| 162.241.216.11 | up     | DD-WRT v23 (Linux 2.4.36) |      | * 21/tcp open : ftp [Pure-FTPd ]                    |
|                |        |                           |      | * 22/tcp open : ssh [OpenSSH 5.3]                   |
|                |        |                           |      | * 25/tcp open : tcpwrapped                          |
|                |        |                           |      | * 26/tcp open : smtp [Exim smtpd 4.91]              |
|                |        |                           |      | * 53/tcp open : domain [ISC BIND 9.8.2rc1]          |
|                |        |                           |      | * 80/tcp open : http [nginx 1.14.1]                 |
|                |        |                           |      | * 110/tcp open : pop3 [Dovecot pop3d ]              |
|                |        |                           |      | * 139/tcp filtered: netbios-ssn                     |
|                |        |                           |      | * 143/tcp open : imap [Dovecot imapd ]              |
|                |        |                           |      | * 443/tcp open : http [nginx 1.14.1]                |
|                |        |                           |      | * 445/tcp filtered: microsoft-ds                    |
|                |        |                           |      | * 465/tcp open : tcpwrapped                         |
|                |        |                           |      | * 587/tcp open : smtp [Exim smtpd 4.91]             |
|                |        |                           |      | * 993/tcp open : imap [Dovecot imapd ]              |
|                |        |                           |      | * 995/tcp open : pop3 [Dovecot pop3d ]              |
|                |        |                           |      | * 1720/tcp filtered: h323q931                       |
|                |        |                           |      | * 3306/tcp open : mysql [MySQL 5.6.41-84.1]         |
|                |        |                           |      | * 5060/tcp filtered: sip                            |
|                |        |                           |      | * 5432/tcp open : postgresql [PostgreSQL DB ]       |
|                |        |                           |      | * 8080/tcp open : http [nginx 1.14.1]               |
|                |        |                           |      | * 8443/tcp open : http [nginx 1.14.1]               |
+----------------+--------+---------------------------+------+-----------------------------------------------------+
- The query above shows the hosts that were scanned, along with the ports found using the nmap scanner. These tests can also be used to hack IoT devices.
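The `.nmap` files goscan writes under /root/.goscan/<ip>/portscan/ (the TCP and UDP outputs shown above) contain more than the port list: the NSE script output already carries the findings a report would be built from. The script below is an added example, not part of goscan or nmap, that parses that normal-output format and applies triage rules for the findings visible in the walkthrough's own output: cleartext services, a database reachable from the network, a session cookie without HttpOnly, SSLv2 still enabled, an expired certificate, and UDP ports reported as open|filtered, which nmap has not confirmed. SAMPLE_NMAP is a constructed excerpt modeled on those two files, and the severity labels are this example's own choices.

```python
"""Triage an nmap normal-output (.nmap) file such as goscan's tcp_full_* and
udp_standard_* files.

Added example, not part of goscan or nmap. The parser handles the
"PORT STATE SERVICE VERSION" table plus the "|"-prefixed NSE script output;
SAMPLE_NMAP is a constructed excerpt modeled on the walkthrough's files.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
INITIATED_RE = re.compile(r"scan initiated (.+?) as:")
NOT_AFTER_RE = re.compile(r"Not valid after:\s*(\S+)")

CLEARTEXT = {"ftp", "telnet", "pop3", "imap"}       # credentials cross the wire unencrypted
DATABASES = {"mysql", "postgresql", "ms-sql-s"}     # should not be network-reachable by default

# Constructed excerpt modeled on the tcp_full_* and udp_standard_* outputs above.
SAMPLE_NMAP = """\
# Nmap 7.70 scan initiated Tue Mar 26 03:33:34 2019 as: nmap -Pn -sT -sC -A -T4 -p- 192.168.1.105
Nmap scan report for dvwa (192.168.1.105)
Host is up (0.0011s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.2c
22/tcp   open  ssh      OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
443/tcp  open  ssl/http Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1)
| ssl-cert: Subject: commonName=localhost/organizationName=Apache Friends
| Not valid before: 2004-10-01T09:10:30
|_Not valid after:  2010-09-30T09:10:30
| sslv2:
|   SSLv2 supported
3306/tcp open  mysql    MySQL (unauthorized)
19/udp   open|filtered chargen
53/udp   closed        domain
MAC Address: 00:0C:29:33:5D:C2 (VMware)
"""


@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_output: List[str] = field(default_factory=list)


def parse_nmap(text: str) -> Tuple[Optional[datetime], List[PortFinding]]:
    """Return the scan start time and one PortFinding per port line, with NSE lines attached."""
    scan_time = None
    findings: List[PortFinding] = []
    current: Optional[PortFinding] = None
    for line in text.splitlines():
        m = INITIATED_RE.search(line)
        if m:
            scan_time = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortFinding(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            findings.append(current)
        elif line.startswith("|") and current is not None:
            current.script_output.append(line.lstrip("|_ ").rstrip())  # strip the NSE tree prefix
        else:
            current = None  # any other line ends the current port's block
    return scan_time, findings


def triage(findings: List[PortFinding], scan_time: Optional[datetime]) -> List[Tuple[str, str, str]]:
    """Return (port/proto, severity, message) for each finding the rules recognise."""
    issues = []
    for f in findings:
        key = f"{f.port}/{f.proto}"
        if f.state == "open|filtered":
            issues.append((key, "info", f"{f.service}: no UDP reply, port not confirmed open; verify with a service probe before reporting"))
            continue
        if f.state != "open":
            continue
        if f.service in CLEARTEXT:
            issues.append((key, "medium", f"{f.service} carries credentials in cleartext; prefer the TLS/SSH variant"))
        if f.service in DATABASES:
            issues.append((key, "high", f"{f.service} is reachable from the network; bind to localhost or restrict by firewall"))
        for line in f.script_output:
            if "httponly flag not set" in line:
                issues.append((key, "low", "session cookie lacks HttpOnly; set it so page scripts cannot read the cookie"))
            elif "SSLv2 supported" in line:
                issues.append((key, "high", "SSLv2 is enabled; disable SSLv2/SSLv3 and allow TLS 1.2+ only"))
            else:
                m = NOT_AFTER_RE.search(line)
                if m and scan_time is not None and datetime.fromisoformat(m.group(1)) < scan_time:
                    issues.append((key, "medium", f"certificate expired on {m.group(1)}"))
    return issues


def summarize(issues: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count issues per severity."""
    counts: Dict[str, int] = {}
    for _, severity, _ in issues:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    when, ports = parse_nmap(SAMPLE_NMAP)
    for key, severity, message in triage(ports, when):
        print(f"{severity:6} {key:9} {message}")
    print(summarize(triage(ports, when)))
```

Run it against a real file with `parse_nmap(open(path).read())`; the rules are deliberately small so that each one maps to a line you can point at in the nmap output when writing the finding up.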
Enumerate:
- These queries try to enumerate the services detected on the target.
- Type enumerate ALL DRY 192.168.1.105
- ALL automatically scans the open services.
- FINGER: this command tries to find information about the computer's users.
- HTTP (Hypertext Transfer Protocol): the most common protocol used across the whole network. It is used for communication between web browsers and web servers.
- FTP (File Transfer Protocol): used to transfer files between clients and servers.
- SMB (Server Message Block): a Windows feature that allows files to be shared remotely over the same network.
- RDP (Remote Desktop Protocol): used to transmit the display of Windows-based systems.
- DRY only shows the commands; it does not run them.
Output
[goscan] > enumerate ALL DRY 192.168.1.105
[*] Starting service enumeration
[goscan] > [*] Starting Enumeration: 192.168.1.105:21 (ftp)
[-] To be run: nmap -sV -Pn --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -p21 192.168.1.105 -oA /root/.goscan/192.168.1.105/FTP/192.168.1.105_ftp_nmap_21
[-] Created directory: /root/.goscan/192.168.1.105/FTP
[-] [DRY RUN] ftp-user-enum.pl -U /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -t 192.168.1.105 > /root/.goscan/192.168.1.105/FTP/192.168.1.105_ftp_user-enum
[-] [DRY RUN] hydra -L /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt -f -o /root/.goscan/192.168.1.105/FTP/192.168.1.105_ftp_hydra -u 192.168.1.105 -s 21 ftp
[*] Starting Enumeration: 192.168.1.105:80 (http)
[-] To be run: nmap -sV -Pn --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-sitemap-generator,http-auth-finder,http-auth,http-fileupload-exploiter,http-put,http-sql-injection,http-stored-xss,http-xssed,http-php-version,http-unsafe-output-escaping,http-phpmyadmin-dir-traversal,http-ntlm-info,http-phpself-xss,http-open-redirect,http-iis-webdav-vuln,http-form-fuzzer,http-vuln-cve2009-3960,http-vuln-cve2010-0738,http-vuln-cve2010-2861,http-vuln-cve2011-3368,http-vuln-cve2012-1823,http-vuln-cve2013-0156,http-robots.txt,http-wordpress-brute,http-wordpress-enum --script-args http-put.url='/uploads/rootme.php',http-put.file='/root/www/php-reverse.php',basepath='/' -p80 192.168.1.105 -oA /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_nmap
[-] [DRY RUN] nikto -host 192.168.1.105 -p 80 > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_nikto
[-] [DRY RUN] dirb http://192.168.1.105:80 -o /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_dirb -S -r
[-] [DRY RUN] sqlmap -u http://192.168.1.105:80 --crawl=1 > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_sqlmap
[-] [DRY RUN] fimap -u "http://192.168.1.105:80" > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_fimap
[*] Starting Enumeration: 192.168.1.105:443 (http)
[-] To be run: nmap -sV -Pn --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-sitemap-generator,http-auth-finder,http-auth,http-fileupload-exploiter,http-put,http-sql-injection,http-stored-xss,http-xssed,http-php-version,http-unsafe-output-escaping,http-phpmyadmin-dir-traversal,http-ntlm-info,http-phpself-xss,http-open-redirect,http-iis-webdav-vuln,http-form-fuzzer,http-vuln-cve2009-3960,http-vuln-cve2010-0738,http-vuln-cve2010-2861,http-vuln-cve2011-3368,http-vuln-cve2012-1823,http-vuln-cve2013-0156,http-robots.txt,http-wordpress-brute,http-wordpress-enum --script-args http-put.url='/uploads/rootme.php',http-put.file='/root/www/php-reverse.php',basepath='/' -p443 192.168.1.105 -oA /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_443_nmap
[-] [DRY RUN] nikto -host 192.168.1.105 -p 443 > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_443_nikto
[-] [DRY RUN] dirb http://192.168.1.105:443 -o /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_443_dirb -S -r
[-] [DRY RUN] sqlmap -u http://192.168.1.105:443 --crawl=1 > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_443_sqlmap
[-] [DRY RUN] fimap -u "http://192.168.1.105:443" > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_443_fimap
[*] Starting Enumeration: 192.168.1.105:3306 (mysql)
[-] To be run: nmap -sV -Pn --script=mysql-brute,mysql-databases,mysql-empty-password,mysql-enum,mysql-info,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 -p3306 192.168.1.105 -oA /root/.goscan/192.168.1.105/SQL/192.168.1.105_sql_mysql_nmap_3306
[*] Starting Enumeration: 192.168.1.105:22 (ssh)
[-] Created directory: /root/.goscan/192.168.1.105/SSH
[-] [DRY RUN] hydra -L /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt -f -o /root/.goscan/192.168.1.105/SSH/192.168.1.105_ssh_hydra -u 192.168.1.105 -s 22 ssh
[+] [ALL] Enumeration finished on host: 192.168.1.105
[+] [ALL] Output has been saved at: /root/.goscan
- The dry run above lists the commands that would be executed against the target IP addresses. The output shows that nikto, sqlmap, hydra and fimap can be used to enumerate the target.
- A closer analysis of the tool shows that goscan is time-consuming and relies on open-source tools in the backend.
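The point of DRY mode is to see the plan before anything runs, and the plan above includes password guessing (hydra) and injection testing (sqlmap) that many engagements explicitly exclude. The following script is an added example, not part of goscan, that parses the "[*] Starting Enumeration", "[-] To be run:" and "[-] [DRY RUN]" lines goscan prints, groups the planned commands per service, extracts where each would write its output, and flags commands whose tool the rules of engagement do not allow. SAMPLE_DRY_RUN is a constructed, shortened excerpt of the output above, and the disallowed-tool policy is an assumption for the example.

```python
"""Review a goscan `enumerate ... DRY` log before running the enumeration for real.

Added example, not part of goscan. Line formats follow the walkthrough's output;
SAMPLE_DRY_RUN is a constructed, shortened excerpt and the policy is assumed.
"""
import re
from collections import OrderedDict
from typing import List, Optional, Set, Tuple

START_RE = re.compile(r"Starting Enumeration: (\S+):(\d+) \((\w+)\)")
TO_BE_RUN_RE = re.compile(r"^\[-\] To be run: (.+)$")
DRY_RUN_RE = re.compile(r"^\[-\] \[DRY RUN\] (.+)$")

# Constructed excerpt of the dry-run output shown above (script lists shortened).
SAMPLE_DRY_RUN = """\
[goscan] > enumerate ALL DRY 192.168.1.105
[*] Starting service enumeration
[goscan] > [*] Starting Enumeration: 192.168.1.105:21 (ftp)
[-] To be run: nmap -sV -Pn --script=ftp-anon,ftp-bounce -p21 192.168.1.105 -oA /root/.goscan/192.168.1.105/FTP/192.168.1.105_ftp_nmap_21
[-] Created directory: /root/.goscan/192.168.1.105/FTP
[-] [DRY RUN] hydra -L /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt -f -o /root/.goscan/192.168.1.105/FTP/192.168.1.105_ftp_hydra -u 192.168.1.105 -s 21 ftp
[*] Starting Enumeration: 192.168.1.105:80 (http)
[-] To be run: nmap -sV -Pn --script=http-methods,http-robots.txt -p80 192.168.1.105 -oA /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_nmap
[-] [DRY RUN] nikto -host 192.168.1.105 -p 80 > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_nikto
[-] [DRY RUN] sqlmap -u http://192.168.1.105:80 --crawl=1 > /root/.goscan/192.168.1.105/HTTP/192.168.1.105_http_80_sqlmap
[*] Starting Enumeration: 192.168.1.105:22 (ssh)
[-] [DRY RUN] hydra -L /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt -f -o /root/.goscan/192.168.1.105/SSH/192.168.1.105_ssh_hydra -u 192.168.1.105 -s 22 ssh
[+] [ALL] Enumeration finished on host: 192.168.1.105
"""

# Assumed rules of engagement for this example: no credential guessing, no injection testing.
DISALLOWED_TOOLS = {"hydra", "sqlmap"}


def parse_dry_run(text: str) -> "OrderedDict[str, List[str]]":
    """Map 'host:port/service' to the planned command lines for it, in log order."""
    plan: "OrderedDict[str, List[str]]" = OrderedDict()
    current: Optional[str] = None
    for line in text.splitlines():
        m = START_RE.search(line)  # search: the first one carries a "[goscan] > " prefix
        if m:
            current = f"{m.group(1)}:{m.group(2)}/{m.group(3)}"
            plan.setdefault(current, [])
            continue
        m = TO_BE_RUN_RE.match(line) or DRY_RUN_RE.match(line)
        if m and current is not None:
            plan[current].append(m.group(1).strip())
    return plan


def tool_of(cmd: str) -> str:
    """The executable a planned command line starts with."""
    return cmd.split()[0]


def output_path(cmd: str) -> Optional[str]:
    """Where the command would save its result: nmap -oA, a tool's -o, or a shell redirect."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-oA", "-o", ">"):
            return tokens[i + 1]
    return None


def review_plan(plan: "OrderedDict[str, List[str]]", disallowed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (service, tool, command) for every planned command that uses a disallowed tool."""
    flagged = []
    for service, cmds in plan.items():
        for cmd in cmds:
            if tool_of(cmd) in disallowed:
                flagged.append((service, tool_of(cmd), cmd))
    return flagged


def allowed_commands(plan: "OrderedDict[str, List[str]]", disallowed: Set[str]) -> List[str]:
    """The commands that may be run by hand, in order, once the flagged ones are removed."""
    return [cmd for cmds in plan.values() for cmd in cmds if tool_of(cmd) not in disallowed]


if __name__ == "__main__":
    plan = parse_dry_run(SAMPLE_DRY_RUN)
    for service, cmds in plan.items():
        print(service)
        for cmd in cmds:
            print(f"  {tool_of(cmd):8} -> {output_path(cmd)}")
    for service, tool, _ in review_plan(plan, DISALLOWED_TOOLS):
        print(f"BLOCKED by policy: {tool} against {service}")
```

goscan has no per-tool switch in the walkthrough, so the practical workflow this supports is: run the DRY pass, review the flagged lines with the client, and execute only the remaining commands (or the corresponding goscan enumerate mode) once the plan matches the agreed scope.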