Wednesday, January 25, 2012

Site Information Gathering

Ok, next assignment from my sensei: perform information gathering on these sites.
is2c-dojo.net
is2c-dojo.com
www.spentera.com

Hmm..
After some time scanning, here are my results:
1. is2c-dojo.net
First of all, I run nslookup to find the real IP address of the target. With that IP in hand I can also get information about the IP block the target belongs to.
# nslookup is2c-dojo.net
Here's the result:
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:    is2c-dojo.net
Address: 216.239.36.21
Name:    is2c-dojo.net
Address: 216.239.34.21
Name:    is2c-dojo.net
Address: 216.239.32.21
Name:    is2c-dojo.net
Address: 216.239.38.21
From the above information we know that there are several IPs related to the website.
Ok, let's take 216.239.36.21 and look it up with the whois command.
# whois 216.239.36.21
And here is the result:
NetRange:       216.239.32.0 - 216.239.63.255
CIDR:           216.239.32.0/19
OriginAS:      
NetName:        GOOGLE
NetHandle:      NET-216-239-32-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
RegDate:        2000-11-22
Updated:        2001-05-11
Ref:            http://whois.arin.net/rest/net/NET-216-239-32-0-1

OrgName:        Google Inc.
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/GOGL

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc
OrgTechPhone:  +1-650-253-0000
OrgTechEmail:  arin-contact@google.com
OrgTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

OrgAbuseHandle: ZG39-ARIN
OrgAbuseName:   Google Inc
OrgAbusePhone:  +1-650-253-0000
OrgAbuseEmail:  arin-contact@google.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

RTechHandle: ZG39-ARIN
RTechName:   Google Inc
RTechPhone:  +1-650-253-0000
RTechEmail:  arin-contact@google.com
RTechRef:    http://whois.arin.net/rest/poc/ZG39-ARI


Hmm.. Google.
When the result looks like that, I assume the site is using Blogger by Google.
Let's check the page source.
On the home page, right click and select View Page Source.
Jackpot, there's a block of text there:
Blogger Template Style
Name:   BlueWeb
Author: Klodian
URL:    www.deluxetemplates.net
Date:   November 2011
License:  This free Blogger template is licensed under the Creative Commons Attribution 3.0 License, which permits both personal and commercial use. However, to satisfy the 'attribution' clause of the license, you are required to keep the footer links intact which provides due credit to its authors. For more specific details about the license, you may visit the URL below:
http://creativecommons.org/licenses/by/3.0
It says that the template is for Blogger.


2. is2c-dojo.com
Same as before, I run nslookup to get the IP of the target.
# nslookup is2c-dojo.com
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:    is2c-dojo.com
Address: 67.222.154.106

Then I run the whois command:
# whois 67.222.154.106

NetRange:       67.222.128.0 - 67.222.159.255
CIDR:           67.222.128.0/19
OriginAS:       AS30277
NetName:        DFW-DATACENTER
NetHandle:      NET-67-222-128-0-1
Parent:         NET-67-0-0-0-0
NetType:        Direct Allocation
RegDate:        2008-02-04
Updated:        2011-11-23
Ref:            http://whois.arin.net/rest/net/NET-67-222-128-0-1

OrgName:        DFW Datacenter
OrgId:          TMS-52
Address:        3000 Irving Blvd
City:           Dallas
StateProv:      TX
PostalCode:     75247
Country:        US
RegDate:        2003-08-19
Updated:        2011-11-22
Ref:            http://whois.arin.net/rest/org/TMS-52

OrgTechHandle: DFWDA-ARIN
OrgTechName:   DFW Datacenter
OrgTechPhone:  +1-214-774-2513
OrgTechEmail:  sales@dfw-datacenter.com
OrgTechRef:    http://whois.arin.net/rest/poc/DFWDA-ARIN

OrgAbuseHandle: DFWDA-ARIN
OrgAbuseName:   DFW Datacenter
OrgAbusePhone:  +1-214-774-2513
OrgAbuseEmail:  sales@dfw-datacenter.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/DFWDA-ARIN

RTechHandle: DFWDA-ARIN
RTechName:   DFW Datacenter
RTechPhone:  +1-214-774-2513
RTechEmail:  sales@dfw-datacenter.com
RTechRef:    http://whois.arin.net/rest/poc/DFWDA-ARIN

RNOCHandle: DFWDA-ARIN
RNOCName:   DFW Datacenter
RNOCPhone:  +1-214-774-2513
RNOCEmail:  sales@dfw-datacenter.com
RNOCRef:    http://whois.arin.net/rest/poc/DFWDA-ARIN

RAbuseHandle: DFWDA-ARIN
RAbuseName:   DFW Datacenter
RAbusePhone:  +1-214-774-2513
RAbuseEmail:  sales@dfw-datacenter.com
RAbuseRef:    http://whois.arin.net/rest/poc/DFWDA-ARIN


Hmm..
A datacenter. No idea what it is.

3. www.spentera.com
Again, I run nslookup:
# nslookup www.spentera.com
Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
www.spentera.com    canonical name = spentera.com.
Name:    spentera.com
Address: 74.81.66.104
And then whois:
# whois 74.81.66.104
Global Net Access, LLC GNAXNET (NET-74-81-64-0-1) 74.81.64.0 - 74.81.95.255
WebHostingBuzz USA LLC. GNAX-WHB-1 (NET-74-81-66-0-1) 74.81.66.0 - 74.81.66.255
I only got the above information. It looks like the site is hosted on a US server.

Let's look for a robots.txt on this site. (I'll explain more about robots.txt later.)
http://www.spentera.com/robots.txt
Bingo, here's the result:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/

Sitemap: http://www.spentera.com/sitemap.xml.gz
So this site is using WordPress (note the /wp-admin/ folder).
Let's scan it using wpscan, located in /pentest/web/wpscan:
# ruby wpscan.rb --url www.spentera.com
[+] The WordPress theme in use is called NovaTheme_v2.0
Hoho, good.
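The robots.txt inference above (a /wp-admin/ Disallow line giving away WordPress) can be made systematic. Here is an added example, not part of the original post, that parses a robots.txt and reports which disallowed paths disclose the platform behind a site; the same check is useful for auditing what your own robots.txt advertises. The sample robots.txt text and the path-to-platform table are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample, modelled on the robots.txt quoted above.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/

Sitemap: http://www.example.invalid/sitemap.xml.gz
"""

# Path prefixes that commonly reveal a platform (assumed, illustrative table).
PLATFORM_HINTS = {
    "/wp-admin/": "WordPress",
    "/wp-includes/": "WordPress",
    "/wp-content/": "WordPress",
    "/administrator/": "Joomla",
    "/sites/default/": "Drupal",
}


@dataclass
class RobotsInfo:
    disallow: list = field(default_factory=list)
    sitemaps: list = field(default_factory=list)


def parse_robots(text):
    """Parse robots.txt into Disallow paths and Sitemap URLs, ignoring comments."""
    info = RobotsInfo()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "disallow" and value:  # an empty Disallow allows everything
            info.disallow.append(value)
        elif key == "sitemap":
            info.sitemaps.append(value)
    return info


def platform_disclosures(info):
    """Return {platform: [paths]} for disallowed paths that name a known platform."""
    found = {}
    for path in info.disallow:
        for prefix, platform in PLATFORM_HINTS.items():
            if path.startswith(prefix):
                found.setdefault(platform, []).append(path)
    return found
```

Running platform_disclosures(parse_robots(SAMPLE_ROBOTS)) on the sample reports WordPress for both /wp-admin/ and /wp-includes/, which is exactly the clue used in the text.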

More updates coming soon.  :)