Knock: obtaining subdomains

During an audit we may be asked to analyse a specific domain, and one of the first tasks to carry out against that domain is fingerprinting. At this stage the goal is to gather as much information as possible, among other things to support the search for vulnerabilities.


    Availability of the tool

    The tool is available on Google Code; once downloaded it is ready to use:

    darkmac:knock-read-only marc$ python knock.py -h
    Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

    USAGE:
    Scanning with internal wordlist:
    knock [url]
    e.g. knock domain.com
    Scanning with external wordlist:
    knock [url] [wordlist]
    e.g. knock domain.com wordlist.txt
    OPTIONS:

    -zt Zone Transfer discovery:
    knock -zt [url]
    e.g. knock -zt domain.com
    -wc Wildcard testing:
    knock -wc [url]
    e.g. knock -wc domain.com
    -dns Dns resolving:
    knock -dns [url]
    e.g. knock -dns domain.com
    -bw Bypass wildcard:
    knock -bw [stringexclude] [url]
    e.g. knock -bw 404 domain.com

    Knock options

    Knock offers several options for obtaining the list of subdomains. If we run it without specifying a wordlist, Knock uses its own internal wordlist for the subdomain search.

    We scan an arbitrary domain to see how the tool works:

    darkmac:knock-read-only marc$ python knock.py dragonjar.org
    Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

    [+] Testing domain
    www.dragonjar.org 108.162.207.118
    [+] Dns resolving
    Domain name Ip address Name server
    No address associated with hostname dragonjar.org
    [+] Testing wildcard
    Ok, no wildcard found.

    [+] Scanning for subdomain on dragonjar.org
    [!] Wordlist not specified. I scannig with my internal wordlist...
    Estimated time about 74.81 seconds

    Subdomain Ip address Name server

    Found 0 subdomain(s) in 0 host(s) in 233.43 second(s)

    In this case it found no subdomains.

    If we run this scan against well-known domains we can find interesting things.

    blog.warnerbros.com 168.161.242.18 redirect.warnerbros.com
    bo.warnerbros.com 168.161.242.18 redirect.warnerbros.com
    br.warnerbros.com 168.161.242.18 redirect.warnerbros.com
    bugzilla.warnerbros.com 168.161.244.244 traffic.warnerbros.com
    bz.warnerbros.com 168.161.242.18 redirect.warnerbros.com
    ca.warnerbros.com 168.161.242.18 redirect.warnerbros.com
    cache.warnerbros.com 168.161.242.18 redirect.warnerbros.com

    Interesting, isn't it?

    You can also come across administration panels.


    Will it still have the default username and password?


    Quite a few developer-related subdomains, right?

    With Knock we can also test for zone transfers:

    pc:knock-read-only marc$ python knock.py -zt planetronic.es
    Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

    [+] Testing domain
    www.planetronic.es 95.211.135.108
    [+] Dns resolving
    Domain name Ip address Name server
    planetronic.es 95.211.135.108 planetronic.cyberneticos.com
    Found 1 host(s) for planetronic.es
    [+] Getting NS records for planetronic.es

    Found name server: planetronic1.cyberneticos.com.
    Found name server: planetronic2.cyberneticos.com.

    [+] Trying a zone transfer for planetronic.es from name server planetronic1.cyberneticos.com.

    @ 14400 IN SOA planetronic1.cyberneticos.com. hostmaster 2011122800 14400 3600 1209600 86400
    @ 14400 IN MX 10 mail
    @ 14400 IN TXT "v=spf1 a mx ip4:95.211.135.107 ip4:95.211.135.101 ~all"
    @ 14400 IN A 95.211.135.108
    @ 14400 IN NS planetronic1.cyberneticos.com.
    14400 IN NS planetronic2.cyberneticos.com.
    pop 14400 IN A 95.211.135.108
    ftp 14400 IN A 95.211.135.108
    www 14400 IN A 95.211.135.108
    mayoristainformatica 14400 IN A 95.211.135.108
    localhost 14400 IN A 127.0.0.1
    mail 14400 IN A 95.211.135.108
    smtp 14400 IN A 95.211.135.108
    www.mayoristainformatica 14400 IN A 95.211.135.108

    [+] Trying a zone transfer for planetronic.es from name server planetronic2.cyberneticos.com.

    @ 14400 IN SOA planetronic1.cyberneticos.com. hostmaster 2011122800 14400 3600 1209600 86400
    @ 14400 IN MX 10 mail
    @ 14400 IN TXT "v=spf1 a mx ip4:95.211.135.107 ip4:95.211.135.101 ~all"
    @ 14400 IN A 95.211.135.108
    @ 14400 IN NS planetronic1.cyberneticos.com.
    14400 IN NS planetronic2.cyberneticos.com.
    pop 14400 IN A 95.211.135.108
    ftp 14400 IN A 95.211.135.108
    www 14400 IN A 95.211.135.108
    mayoristainformatica 14400 IN A 95.211.135.108
    localhost 14400 IN A 127.0.0.1
    mail 14400 IN A 95.211.135.108
    smtp 14400 IN A 95.211.135.108
    www.mayoristainformatica 14400 IN A 95.211.135.108

    As you can see, it is able to perform the zone transfer. A name server that answers an AXFR request from an arbitrary client is handing out its whole zone; transfers should be restricted to the authorised secondary servers.

    Another Knock option is DNS resolution:

    pc:knock-read-only marc$ python knock.py -dns antena3.com
    Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

    [+] Testing domain
    www.antena3.com 8.254.95.126
    [+] Dns resolving
    Domain name Ip address Name server
    antena3.com 194.224.72.187 www.neoxfanawards.com
    Found 1 host(s) for antena3.com

    If a domain has a wildcard enabled, the tool reports an error and dumps the HTML it received to the screen.

    pc:knock-read-only marc$ python knock.py -wc github.com
    Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

    [+] Testing domain
    www.github.com 204.232.175.90
    [+] Testing wildcard
    <!DOCTYPE html>
    <html>
    <head>
    <title>Page not found &middot; GitHub Pages</title>
    [... inline stylesheet omitted ...]
    </head>
    <body>
    <h1>404</h1>
    <p><strong>There isn't a GitHub Page here.</strong></p>
    [... rest of the GitHub Pages 404 page omitted ...]
    </body>
    </html>

    Wildcard enabled! Try with -bw option
    Example: knock -bw 404 github.com

    If we want to obtain the list of subdomains of a domain that has a wildcard enabled, we can do that too (the -bw argument is a string, here "404", whose presence in the response marks a hit as the wildcard catch-all rather than a real host):

    darkmac:knock-read-only marc$ python knock.py -bw 404 github.com
    Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

    [+] Testing domain
    www.github.com 204.232.175.90
    [+] Dns resolving
    Domain name Ip address Name server
    github.com 204.232.175.90 github.com
    Found 1 host(s) for github.com
    [+] Bypass wildcard
    blog.github.com
    docs.github.com
    download.github.com
    enterprise.github.com
    fi.github.com
    help.github.com
    id.github.com
    jobs.github.com
    lab.github.com
    launch.github.com
    new.github.com
    news.github.com
    support.github.com
    wiki.github.com
    www.github.com

    Found 15 subdomain(s) in 1232.3 second(s)
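    The wildcard test and the -bw bypass shown above boil down to two checks: a random label that still resolves means *.domain exists, and a candidate whose HTTP response contains the exclude string is the catch-all page, not a real host. The following is an added illustration in Python, not Knock's own code; the resolver and fetcher are constructed stand-ins for DNS and HTTP so it runs offline, and example.test, the addresses and the page bodies are made up.

```python
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for the network: a fake resolver table
# and a fake HTTP fetcher. Any unknown label under example.test hits the
# wildcard address and serves a 404 page, as github.com did in the run above.
WILDCARD_IP = "203.0.113.10"
FAKE_DNS: Dict[str, str] = {
    "blog.example.test": "203.0.113.20",
    "docs.example.test": "203.0.113.21",
}
FAKE_HTTP: Dict[str, str] = {
    "blog.example.test": "<html><title>Blog</title></html>",
    "docs.example.test": "<html><title>Docs</title></html>",
}

def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for gethostbyname(): unknown labels under example.test resolve via the wildcard."""
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    return WILDCARD_IP if name.endswith(".example.test") else None

def fake_fetch(name: str) -> str:
    """Stand-in for an HTTP GET; the wildcard host answers with a 404 page."""
    return FAKE_HTTP.get(name, "<html><h1>404</h1>Page not found</html>")

def has_wildcard(domain: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """A random label that nobody would have registered still resolving means *.domain exists."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolve(probe) is not None

def enumerate_subdomains(domain: str, wordlist: List[str], exclude: str,
                         resolve=fake_resolve, fetch=fake_fetch) -> List[str]:
    """Knock-style scan: brute-force labels from the wordlist; when a wildcard is present,
    keep only hosts whose HTTP response does not contain the exclude string (e.g. "404")."""
    wildcard = has_wildcard(domain, resolve)
    found = []
    for label in wordlist:
        host = f"{label}.{domain}"
        if resolve(host) is None:
            continue
        if wildcard and exclude in fetch(host):
            continue  # wildcard catch-all answer, not a real host
        found.append(host)
    return found
```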

    Knock is a tool that will help us obtain the list of subdomains, which in turn helps us identify the services exposed by the scanned domain, among other things.
