Vulnerability Assessment and Penetration Testing – Enumeration

If you are already familiar with the terms VAPT and Reconnaissance, go ahead. If not, I recommend reading my previous blogs on those topics. In this blog we will look at another reconnaissance activity known as enumeration. We can divide the enumeration activity into 3 categories:

  • Subdomain discovery & takeover
  • Content Discovery
  • Port & Service Scanning

Subdomain Discovery & Takeover

Depending upon the scope of our VAPT, we might be required to cover each and every subdomain. If the subdomains are not explicitly listed in the scope, subdomain enumeration helps us find them. There are different ways to find subdomains; some of them are listed below:

Google Dorking

We can make use of Google dorking to find subdomains by combining different dorks:

  • site:paypal.com

As you can see, we still have far too many search results to go through. We need to filter them further.

  • site:paypal.com -inurl:www

Now our search result count has dropped drastically to a few thousand. In the above screenshot, observe that demo.paypal.com is listed twice. We can make a note of it and remove it from the results with another -inurl dork.

  • site:paypal.com -inurl:www -inurl:demo

The above steps need to be repeated until we have found all the unique subdomains. This method is definitely time consuming, but it is worth the effort. If you don't want to put in that much manual effort, you can switch to a subdomain enumeration tool.

Sublist3r

Sublist3r is a Python-based open source tool used for subdomain enumeration. It queries search engines such as Google, Baidu, Bing and many others to find the subdomains of the provided domain.

Reference Link for Sublist3r: https://github.com/aboul3la/Sublist3r

How to run/use?

  • python ./sublist3r.py -h
  • python ./sublist3r.py -d target.com -v -o file.txt

  • -d: the domain name to enumerate
  • -v: verbose, to see the results in real time
  • -o: save the results to a file

knockpy

It is another Python-based open source tool that finds subdomains of a target domain using a wordlist. It can also check for DNS zone transfer.

Reference Link for Knockpy: https://github.com/guelfoweb/knock

How to run/use?

  • python ./knockpy -h target.com
  • python ./knockpy target.com -w wordlists.txt

It is good practice to use a combination of the above tools and techniques for subdomain enumeration.
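When several tools are combined, their outputs have to be merged, normalized and checked against the agreed scope before anything else is done with them. The script below is an added example written for this post, not code from Sublist3r or Knockpy; the tool outputs and the apex domain target.com are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample tool outputs (one entry per line, as the tools print them);
# these are not real enumeration results.
SUBLIST3R_OUT = """
www.target.com
Demo.target.com
api.target.com.
https://mail.target.com/
"""
KNOCKPY_OUT = """
demo.target.com
dev.target.com
*.staging.target.com
nottarget.com
target.com.evil.example
"""

def normalize(entry: str) -> str:
    """Lower-case, strip any URL scheme/path, trailing dot and wildcard label."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    entry = entry.rstrip(".")
    if entry.startswith("*."):
        entry = entry[2:]
    return entry

def in_scope(host: str, apex: str) -> bool:
    """True only for the apex itself or a subdomain on a label boundary.
    A plain host.endswith(apex) would wrongly accept 'nottarget.com'."""
    return host == apex or host.endswith("." + apex)

def merge_subdomains(apex: str, *tool_outputs: str) -> list:
    """Union of all tool outputs, normalized, filtered to scope and sorted."""
    found = set()
    for output in tool_outputs:
        for line in output.splitlines():
            host = normalize(line)
            if host and in_scope(host, apex):
                found.add(host)
    return sorted(found)

if __name__ == "__main__":
    for host in merge_subdomains("target.com", SUBLIST3R_OUT, KNOCKPY_OUT):
        print(host)
```

Out-of-scope lookalikes such as nottarget.com are dropped by the label-boundary check, which is the mistake a bare suffix match would make.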

aquatone

Aquatone is also an open source tool that can be used not only to find subdomains but also to discover open ports, detect subdomain takeovers, and access the discovered ports to collect information from them. These activities are performed in separate steps, which must be run in the following order:

  • aquatone-discover
  • aquatone-scan
  • aquatone-takeover
  • aquatone-gather

How to run/use?

Let’s have a look at each of these commands one by one.

  • aquatone-discover -d domain.com

This gives us a list of subdomains and their respective IPs. Once we have discovered the subdomains, it's time to find the open ports.

  • aquatone-scan -d domain.com -p ports

Instead of listing comma-separated ports, we can also specify one of the named port groups:

  • small: 80, 443
  • medium: 80, 443, 8000, 8080, 8443 (same as default)
  • large: 80, 81, 443, 591, 2082, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888, 55672
  • huge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5280, 5281, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8083, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8337, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 11371, 12443, 16080, 18091, 18092, 20720, 55672

Now we need to check whether subdomain takeover is possible.

  • aquatone-takeover -d domain.com

In the above screenshots we can see that there are 4 instances which are vulnerable. Each of these then needs to be checked individually. Next we need to find out what accessing the open ports returns.

  • aquatone-gather -d domain.com

Note: the above command should be run from a GUI-enabled environment, since it takes screenshots.

This command tries to access each and every port found open in the previous steps and takes a screenshot of the result. By the end of the scan we know which ports are accessible and which services are running on them. This completes all four stages of the aquatone scan and also our subdomain discovery activity.

Content Discovery

Once we are done with subdomain enumeration, we should check the content of each and every subdomain. We can and should try to find directories and hidden endpoints. There are certain tools that we can make use of.

wfuzz

wfuzz is used to find content such as directories, scripts, images, etc. by brute forcing the web application. It can brute force GET and POST requests with parameters, so it can also be used to brute force passwords. Some useful wfuzz options are:

  • -h: simple help
  • --help: advanced help
  • -c: coloured output
  • -s: delay between requests
  • -u: the URL to request
  • -z: the payload/wordlist to use
  • --hc: hide responses with the given HTTP status code(s), e.g. 404
  • -d: POST data (makes the request a POST)
  • -w: specify a wordlist file (alias for -z file,wordlist)
  • FUZZ: wherever you put this keyword, wfuzz replaces it with the values of the specified payload.

How to run/use?

  • wfuzz -c -w /path/to/wordlist/file.txt --hc 404 http://target.com/FUZZ

An example of using wfuzz with a POST request:

  • wfuzz -c -z file,UbaidWordList.txt -d "uname=test&pass=FUZZ" http://testphp.vulnweb.com/userinfo.php
    • -d: denotes a POST request

dirSearch

We can also use a tool called dirsearch for this purpose. It is a simple tool to brute force files and directories on websites. You can also specify the file extensions to search for. It supports delaying requests, reporting in plain text, JSON and other formats.

How to run/use?

  • ./dirsearch.py -u example.com -e html,asp
    • -u: specifies the URL
    • -e: specifies the extensions

If you want to introduce a time delay between requests, use the following:

  • ./dirsearch.py -u example.com -e html,asp,jsp -t 5 -s 0.5 -x 400,301
    • -t: number of threads (default is 10)
    • -s: delay between requests (float number)
    • -x: exclude HTTP status codes

Port & Service Scanning

So far you have found the subdomains and brute forced each subdomain for content. Now it's time to find the open ports and the services running on them. When we used aquatone for subdomain enumeration, by the end of the fourth step we knew which ports were open and whether they were accessible. By looking at the screenshots we can sometimes identify the services running on them as well. However, certain ports such as 21, 22, 3306 and 3389 cannot be accessed via a browser. For these we make use of another open source tool called nmap.

nmap

It is an open source network scanning tool that helps with host detection, port scanning, OS detection and gathering more information about our target.

How to run/use?

  • Basic scan: nmap ip/hostname
  • Specific ports: nmap ip/hostname -p21,22,3306
  • Scanning multiple IPs: nmap -p0-65535 ip1 ip2
  • Scanning a list of IPs from a text file: nmap -p0-65535 -iL ip.txt
  • OS detection: nmap -A -T4 ip/hostname
    • -A: OS and service detection
    • -T4: faster execution
  • Service/version info: nmap -sV ip/hostname
  • Saving output to a file: nmap -p0-65535 -oX outfile ip/hostname
    • -oX: output in XML format
    • -oN: normal format
    • -oS: script kiddie format
    • -oG: grepable format
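The XML format is the one to pick when the results feed another step, because it can be parsed reliably. The script below is an added example written for this post (not nmap project code) that turns an -oX report into a per-host list of open ports and services; the XML is a constructed fragment in nmap's -oX layout, not a real scan, and 192.0.2.0/24 is documentation address space.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in nmap's -oX layout (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="dev.target.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text: str) -> dict:
    """Map each live host (hostname if nmap has one, else IP) to its open
    ports. Closed/filtered ports and unreachable hosts are skipped."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        label = hn.get("name") if hn is not None else addr
        open_ports = []
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name, version = "?", ""
            if svc is not None:  # service element is absent when nmap has no guess
                name = svc.get("name", "?")
                version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            open_ports.append({"port": int(port.get("portid")),
                               "proto": port.get("protocol"),
                               "service": name, "version": version})
        inventory[label] = open_ports
    return inventory

if __name__ == "__main__":
    for label, ports in parse_nmap_xml(SAMPLE_NMAP_XML).items():
        for p in ports:
            print(f"{label}\t{p['port']}/{p['proto']}\t{p['service']}\t{p['version']}")
```

The product and version attributes are only populated when the scan was run with -sV, so the version column is empty otherwise.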

Conclusion

During the recon activity, we found subdomains, directories, files, open ports and services. Each of these subdomains, depending upon the scope, should be treated as an individual application. Additionally, we can go ahead and perform further content discovery for each of them. The whole idea behind the reconnaissance activity is to gather as much information as we can about the target in order to get a clearer picture of its attack surface.
