Basics
The first step in any penetration test (or hacking) engagement is gathering information. In real-world scenarios, the first part of that step is OSINT, or Open Source Intelligence.
This post is not about OSINT. It is about direct information gathering from the target, service enumeration and fingerprinting, and exploit finding, with an open-source tool written in Python: Reconnoitre.
Requirements
- Reconnoitre (I will walk you through the installation)
- Python (Usually installed by default on Linux)
- A target IP address (Most websites now run on shared hosting, so by targeting the IP address of a particular website, you’re most likely targeting a decent server with several websites and services.)
- A working internet connection if the target is not on a private network.
Installing Reconnoitre
- From a terminal, run: git clone https://github.com/codingo/Reconnoitre.git (You may also manually get the files from here)
- That’s it.
Usage
1. Navigate to the directory containing the python code:
cd Reconnoitre/reconnoitre/
2. Let’s take a quick look at the available options:
python reconnoitre.py -h
We obviously need -t to set the target or target range, -o to save all the results, and --services to scan for services.
We don’t need any other options for the default scan we’re going to run.
So our command should be:
python reconnoitre.py --services -o [directory] -t [target-IP]
3. Start the scan with the command above.
Reconnoitre will create a directory named after the target, in the specified output directory. It will then create 3 directories and 1 file inside it: loot, exploit, scans, and proof.txt. All results and findings will be written to those.
It will start with a quick nmap scan on the target, then a full TCP + UDP scan. The latter is especially useful when services are not running on the usual ports. The full scan will take a while.
As you can see, the detailed scans didn’t find anything new, or so it seems.
4. Take a closer look at the findings:
Navigate to the newly created scans directory. You will find the outputs of 3 different scans: the quick scan, the full TCP scan, and the UDP scan. Each scan result is saved in three formats: XML, nmap (which is just regular nmap output), and gnmap (which is greppable). Take a look at each scan result; you will find detailed information including OS and service versions, useful for finding potential exploits.
5. Further scans/attacks: cat [target]_findings.txt
Depending on the results, Reconnoitre will suggest relevant scans and attacks for each found service, including but not limited to nmap NSE scans, fingerprinting scans and brute force attacks. That is very useful.
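As an added example (not Reconnoitre's own code), the parser below turns the gnmap files described in step 4 into an inventory of open services with a reported version, which are the entries worth checking against Exploit-DB or vendor advisories. The gnmap text is a constructed sample, not a real scan.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str   # empty when nmap could not identify a version

# Constructed sample of greppable (.gnmap) output, not a real scan result.
# Fields on a "Host:" line are tab-separated; each "Ports:" entry is
# port/state/proto/owner/service/rpc-info/version/ (nmap substitutes "|"
# for "/" inside version strings so the delimiter stays unambiguous).
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 7.4/, 53/open|filtered/udp//domain///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done at (constructed sample)\n"
)

def parse_gnmap(text):
    """Return one ServiceRecord per port entry found in gnmap text."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.0.2.10 ()" -> address
        ports = [f for f in fields if f.startswith("Ports:")]
        if not ports:
            continue                      # "Status: Up" lines carry no ports
        for entry in ports[0][len("Ports:"):].split(","):
            cols = entry.strip().split("/", 6)
            if len(cols) < 7:
                continue                  # malformed entry: skip, don't crash
            port, state, proto, _owner, service, _rpc, version = cols
            records.append(ServiceRecord(host, int(port), proto, state,
                                         service, version.rstrip("/")))
    return records

def versioned_open_services(records):
    """Open services for which nmap reported a version string."""
    return sorted((r for r in records if r.state == "open" and r.version),
                  key=lambda r: (r.host, r.proto, r.port))

if __name__ == "__main__":
    for r in versioned_open_services(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{r.host}:{r.port}/{r.proto} {r.service} {r.version}")
```

Point it at the .gnmap files in the scans directory to get the same inventory for a real target.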
Exploit-DB
Exploit-DB is a well-known database of around 40,000 exploits of various types as of August 2018. It also hosts shellcode and security papers. You can access it here.
Consider the following Nmap output:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
Service Info: OS: Unix
We can see that it found vsftpd (a popular FTP server) running on port 21 and identified the version as 2.3.4. By looking up “vsftpd 2.3.4” on exploit-db, we find an exploit from 2011 that allows remote code execution (RCE). This means that we could obtain command-line access to this machine.
If you’re running Kali Linux, you can use ‘searchsploit’, a convenient CLI tool that allows you to search the exploit-db database from a terminal.
Usage is very simple, for example: searchsploit vsftpd 2.3.4