Skip to content

Instantly share code, notes, and snippets.

@dmknght

dmknght/parrotos_on_hackerhouse.md

Last active October 25, 2021 18:35
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save dmknght/c240ed1d4733d4d2117bfe159597ccda to your computer and use it in GitHub Desktop.
Save dmknght/c240ed1d4733d4d2117bfe159597ccda to your computer and use it in GitHub Desktop.
Download ZIP
Note of using tools on ParrotOS with hackerHouse labs. This is the result of testing pentest tools quality
Raw
parrotos_on_hackerhouse.md

I. OSINT

1. recon-ng

  • [recon-ng][default] > workspaces create hackerhouse
  • Error: [*] No modules enabled/installed.

2. The harvester

$theHarvester -d parrotsec.org -b google

*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.0.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
******************************************************************* 


[*] Target: parrotsec.org 
 
	Searching 0 results.
	Searching 100 results.
	Searching 200 results.
	Searching 300 results.
	Searching 400 results.
	Searching 500 results.
[*] Searching Google. 

[*] No IPs found.

[*] Emails found: 2
----------------------
josegatica@parrotsec.org
palinuro@parrotsec.org

[*] Hosts found: 11
---------------------
archive.parrotsec.org:51.83.238.32, 51.79.178.45, 139.99.69.216
community.parrotsec.org:51.79.178.45, 139.99.69.216
community.parrotsec.org:139.99.69.216, 51.79.178.45
deb.parrotsec.org:139.99.69.216, 51.79.178.45
docs.parrotsec.org:139.99.69.216, 51.79.178.45
irc.parrotsec.org:51.79.178.45, 139.99.69.216
lists.parrotsec.org:51.79.178.45, 139.99.69.216
nest.parrotsec.org:51.79.178.45, 139.99.69.216
u003darchive.parrotsec.org:139.99.69.216, 51.79.178.45
www.parrotsec.org:139.99.69.216, 51.79.178.45
  • Metagoofil
  • goofileN Custom small projec written in Nim for ParrotOS which is merged of ideas of goofile and metagoofil
  • Maltego
  • LinkdedInt
  • shodan

II. DNS

  • nslookup
$nslookup        
> set querytype=SOA
> parrotsec.org
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
parrotsec.org
	origin = pola.ns.cloudflare.com
	mail addr = dns.cloudflare.com
	serial = 2038500112
	refresh = 10000
	retry = 2400
	expire = 604800
	minimum = 3600

Authoritative answers can be found from:
> set querytype=MX
> parrotsec.org
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
parrotsec.org	mail exchanger = 20 mailserver1.parrotsec.org.
parrotsec.org	mail exchanger = 10 mailserver2.parrotsec.org.
parrotsec.org	mail exchanger = 1 mail.parrotsec.org.

Authoritative answers can be found from:
  • dig
dig parrotsec.org ANY

; <<>> DiG 9.16.15-Debian <<>> parrotsec.org ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 41055
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;parrotsec.org.			IN	ANY

;; Query time: 47 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Oct 26 00:12:17 +07 2021
;; MSG SIZE  rcvd: 42

$dig @192.168.56.7 chaos authors.bind txt

; <<>> DiG 9.16.15-Debian <<>> @192.168.56.7 chaos authors.bind txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4671
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;authors.bind.			CH	TXT

;; ANSWER SECTION:
authors.bind.		0	CH	TXT	"Danny Mayer"
authors.bind.		0	CH	TXT	"Damien Neil"
authors.bind.		0	CH	TXT	"Matt Nelson"
authors.bind.		0	CH	TXT	"Jeremy C. Reed"
authors.bind.		0	CH	TXT	"Michael Sawyer"
authors.bind.		0	CH	TXT	"Brian Wellington"
authors.bind.		0	CH	TXT	"Mark Andrews"
authors.bind.		0	CH	TXT	"James Brister"
authors.bind.		0	CH	TXT	"Ben Cottrell"
authors.bind.		0	CH	TXT	"Michael Graff"
authors.bind.		0	CH	TXT	"Andreas Gustafsson"
authors.bind.		0	CH	TXT	"Bob Halley"
authors.bind.		0	CH	TXT	"Evan Hunt"
authors.bind.		0	CH	TXT	"JINMEI Tatuya"
authors.bind.		0	CH	TXT	"David Lawrence"

;; AUTHORITY SECTION:
authors.bind.		0	CH	NS	authors.bind.

;; Query time: 3 msec
;; SERVER: 192.168.56.7#53(192.168.56.7)
;; WHEN: Tue Oct 26 00:15:59 +07 2021
;; MSG SIZE  rcvd: 441

$dig @192.168.56.7 axfr nsa.gov

; <<>> DiG 9.16.15-Debian <<>> @192.168.56.7 axfr nsa.gov
; (1 server found)
;; global options: +cmd
nsa.gov.		3600	IN	SOA	ns1.nsa.gov. root.nsa.gov. 2007010401 3600 600 86400 600
nsa.gov.		3600	IN	NS	ns1.nsa.gov.
nsa.gov.		3600	IN	NS	ns2.nsa.gov.
nsa.gov.		3600	IN	MX	10 mail1.nsa.gov.
nsa.gov.		3600	IN	MX	20 mail2.nsa.gov.
fedora.nsa.gov.		3600	IN	TXT	"The black sparrow password"
fedora.nsa.gov.		3600	IN	AAAA	fd7f:bad6:99f2::1337
fedora.nsa.gov.		3600	IN	A	10.1.0.80
firewall.nsa.gov.	3600	IN	A	10.1.0.105
fw.nsa.gov.		3600	IN	A	10.1.0.102
mail1.nsa.gov.		3600	IN	TXT	"v=spf1 a mx ip4:10.1.0.25 ~all"
mail1.nsa.gov.		3600	IN	A	10.1.0.25
mail2.nsa.gov.		3600	IN	TXT	"v=spf1 a mx ip4:10.1.0.26 ~all"
mail2.nsa.gov.		3600	IN	A	10.1.0.26
ns1.nsa.gov.		3600	IN	A	10.1.0.50
ns2.nsa.gov.		3600	IN	A	10.1.0.51
prism.nsa.gov.		3600	IN	A	172.16.40.1
prism6.nsa.gov.		3600	IN	AAAA	::1
sigint.nsa.gov.		3600	IN	A	10.1.0.101
snowden.nsa.gov.	3600	IN	A	172.16.40.1
vpn.nsa.gov.		3600	IN	A	10.1.0.103
web.nsa.gov.		3600	IN	CNAME	fedora.nsa.gov.
webmail.nsa.gov.	3600	IN	A	10.1.0.104
www.nsa.gov.		3600	IN	CNAME	fedora.nsa.gov.
xkeyscore.nsa.gov.	3600	IN	TXT	"knock twice to enter"
xkeyscore.nsa.gov.	3600	IN	A	10.1.0.100
nsa.gov.		3600	IN	SOA	ns1.nsa.gov. root.nsa.gov. 2007010401 3600 600 86400 600
;; Query time: 0 msec
;; SERVER: 192.168.56.7#53(192.168.56.7)
;; WHEN: Tue Oct 26 00:16:35 +07 2021
;; XFR size: 27 records (messages 1, bytes 709)
  • fierce
fierce --dns-servers 192.168.56.7 --domain nsa.gov
NS: ns1.nsa.gov. ns2.nsa.gov.
SOA: ns1.nsa.gov. (10.1.0.50)
  • dnsrecon
$dnsrecon -d nsa.gov -n 192.168.56.7
[*] Performing General Enumeration of Domain: nsa.gov
[*] DNSSEC is configured for nsa.gov
[*] DNSKEYs:
[*] 	None ZSK RSASHA1NSEC3SHA1 03010001a388d849849780d306207a85 02159c28a004f60fb376bccf88d99f21 b300c0922b33e7372bca1e6bdf6f5c2d 3bbc0ce02b6effcf4a47269a23a121b6 c8af7bb60dc82916c962436d6d52969f 00494ece4e3513dca2354009c0676e4b e413ce2b1e7017ce4dfed731974234cd 811652b1267ce987c91a24d28bdf7ea0 4780aac7
[*] 	None ZSK RSASHA1NSEC3SHA1 03010001c0c3d369835f895767f0138e 356864464ab267c30a80b99352ee2c84 ea813ba333eff414485c2c3225e831e3 3bd9e737aa0bb47359b24f49f9939b9f 87fa63e38cb823ed797b724fb96e40c3 723c5038c31f901d3f11ddb603f4faf8 648e76be9ed433a748dba757e0d4ea3c 4b6e874411acb1f4b61e7bf4eca0bcec 4e9a49ef
[*] 	None KSk RSASHA1NSEC3SHA1 03010001c7599346c3ee0382fdb4787a 4c8139d992072476bbfad2bbed3113cc e8b8514c5c0fabdf99a1d86a138c9a24 24ae3c4150a87e45fa4f9b034776f528 c9729514139ec5bf10afe018cd686f81 f2bf045924ccd2351abb9ec383867ad3 309e113d46b99d1d4d0be62027fecf2f 9485a96d62a13e5a2a7c4e362a885241 abc5b6b397caa1ea06a16941100ce9f6 67b0afa0bd09b2e0b403fecd451c8dbb f19f6e310149a40c34f5d4b6dc522036 b547387eb4bcc8d8db28f0af9e5103c7 2bf6ca9f3389b24c9ed4dbd4448895ca 22d419cf4178b46ca17dea10eea59957 95cb18d0724d896a33b8ac0cbf46d10f 3c1ebdef5e97829ee64f0f3a2badcbc5 b5f7a2e7
[*] 	 NS ns2.nsa.gov 10.1.0.51
[*] 	 NS ns1.nsa.gov 10.1.0.50
[*] 	 MX mail2.nsa.gov 10.1.0.26
[*] 	 MX mail1.nsa.gov 10.1.0.25
[*] Enumerating SRV Records
[+] 0 Records Found
  • dnsenum

III. Mail

  • $smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.56.7 (very long list)
  • $ismtp -h 192.168.56.7 -e /usr/share/wordlists/metasploit/unix_users.txt (very long list)
  • Custom python file to enumerate finger service
$cat finger_enum.py 
import argparse
import socket


def recv_all(s):
    result = ""
    buf = 32
    while True:
        data = s.recv(buf)
        result += data.decode()
        if not data:
            return result


def do_enumerate(target, wordlist):
    for username in open(wordlist):
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((target, 79))
            s.send(username.encode())
            result = recv_all(s)
            if "No one logged on" not in result and "no such user" not in result:
                print(result)
            s.close()
        except Exception as error:
            print(error)


parser = argparse.ArgumentParser()
parser.add_argument("-t", help="target")
parser.add_argument("-w", help="wordlist file")

args = parser.parse_args()
do_enumerate(args.t, args.w)

Result

python3 finger_enum.py -t 192.168.56.7 -w /usr/share/wordlists/metasploit/unix_users.txt
Login: backup         			Name: backup
Directory: /var/backups             	Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.

Login: bin            			Name: bin
Directory: /bin                     	Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.

Login: colord         			Name: colord colour management daemon
Directory: /var/lib/colord          	Shell: /bin/false
Never logged in.
No mail.
No Plan.

-- very long result --
  • custom tool logidoor for web mail server: Ran with false positive of login analysis
  • hydra $hydra -L mail_user -P mail_password pop3://192.168.56.7 result [110][pop3] host: 192.168.56.7 login: johnk password: webmail
  • sslscan
$sslscan 192.168.56.7
Version: 2.0.10-static
OpenSSL 1.1.1l-dev  xx XXX xxxx

Connected to 192.168.56.7

Testing SSL server 192.168.56.7 on port 443 using SNI name 192.168.56.7

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 vulnerable to heartbleed
TLSv1.1 vulnerable to heartbleed
TLSv1.0 vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits

  Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)

  SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength:    1024

Subject:  hackbloc.linux01.lab
Issuer:   Superfish, Inc.

Not valid before: May 12 16:25:00 2014 GMT
Not valid after:  May  7 16:25:00 2034 GMT

IV. Web server

V. VPN

VI. File server

VII. Unix

VIII. Database

IX. Web App

X. Windows enterprise

XI. Password

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment