
2. Open-Source Intelligence and Passive Reconnaissance


PRACTICAL 2

AIM: Use of open-source intelligence and passive reconnaissance.


THEORY

Open-Source Intelligence
Open-source intelligence (OSINT) is the process of collecting information from publicly and
legally accessible sources to answer a specific question about a target. Such sources include
social media, blogs, news sites, and forums on the dark web.

Passive Reconnaissance
Passive reconnaissance is the attempt to gain information about target computers and networks
without interacting with those systems directly: the data comes from third parties (search
engines, DNS records, social media) that the target never sees the tester query. In active
reconnaissance, by contrast, the attacker engages the target system directly, typically with a
port scan to find open ports, which the target can log and detect.

A) Install Sublist3r

sudo apt install sublist3r

Sublist3r enumerates the subdomains of a domain from search engines and other public sources
without sending traffic to the target's own servers. Enumerate packtpub.com using only Bing as
the search engine (-e); -t sets the thread count, which only matters when brute forcing is
enabled with -b:

sublist3r -d packtpub.com -t 3 -e bing

B) Install Maltego

(i) Launch Maltego from the terminal:

maltego

(ii) To use Maltego we need an account. Register at https://www.maltego.com/ce-registration/ .
Once the account is created and we are logged in to the Maltego application, we should see the
start screen shown in the screenshot.

(iii) Accept the licence.

(iv) Log in to use the free Community Edition (CE) of Maltego.
(v) Click Next to install the transforms.
(vi) Click Next.
(vii) Select a web browser such as Firefox and click Next.
(viii) Choose the Footprint L1 machine and click Next.
(ix) Enter the target domain name, for example cyberhia.com.
C) Install OSRFramework

1. Install pip3: sudo apt install python3-pip
2. Install the framework: sudo pip3 install osrframework
3. Use the usufy sub-command to look up a nickname across social platforms:
   usufy -n cyberhia
   The output (shown in the screenshot) lists the platforms on which that nickname is
   registered.
4. Use mailfy to find e-mail accounts registered under the given nickname:
   mailfy -n cyberhia
   The results are shown in the screenshot. (sudo is not required to run the tools once the
   package is installed system-wide.)
5. Use the searchfy sub-command to search the platforms for the target user by query:
   searchfy -q cyberhia
Other passive data sources:
a) CachedViews.com
b) Wayback Machine
c) RiskIQ

D) Gathering usernames and e-mail addresses

theHarvester is a Python script that searches popular search engines and other public sources
for e-mail addresses, hosts and sub-domains belonging to a target domain. It is simple to use,
as there are only a few command-line switches to set. Its sources include search engines, PGP
key servers and the Shodan database, from which it gathers e-mail addresses, sub-domains, hosts,
employee names and (via Shodan) open ports and banners, all without touching the target's own
servers.
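As an added illustration (not part of the original practical, nor code from theHarvester or Sublist3r), the following Python shows the post-processing step that such tools perform on what they scrape: extracting e-mail addresses and host names from free text, normalising case, stripping trailing dots and wildcard prefixes, and discarding look-alike domains that are not really in scope (notpacktpub.com, packtpub.com.evil.example). The sample text and every address and host in it are constructed for this example.

```python
import re

# Constructed sample of the kind of text a search-engine result page, a PGP key
# server listing or a Sublist3r/theHarvester dump might contain. The addresses and
# hosts below are made up for this example; none are real findings.
SAMPLE_TEXT = """
Contact: Alice Smith <alice.smith@packtpub.com>, bob@mail.packtpub.com
Mirror: https://CDN.packtpub.com./static and http://dev.packtpub.com:8080/login
Unrelated: support@notpacktpub.com, www.packtpub.com.evil.example
Also: *.packtpub.com, ftp.packtpub.com, carol@PACKTPUB.COM
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A host is a dotted label sequence ending in an alphabetic TLD; the optional "*."
# catches wildcard entries. The look-around stops "packtpub.com" from matching
# inside "notpacktpub.com".
HOST_RE = re.compile(
    r"(?<![A-Za-z0-9_.-])(?:\*\.)?(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![A-Za-z0-9-])"
)


def in_scope(host: str, domain: str) -> bool:
    """True only for the apex domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def harvest(text: str, domain: str) -> dict:
    """Return the in-scope e-mail addresses and host names found in free text."""
    domain = domain.lower()
    emails, hosts = set(), set()
    for email in EMAIL_RE.findall(text):
        email = email.lower()
        if in_scope(email.split("@", 1)[1], domain):
            emails.add(email)
    for host in HOST_RE.findall(text):
        host = host.lower().rstrip(".")   # "cdn.packtpub.com." is the same host
        if host.startswith("*."):         # wildcard DNS record, not a concrete host
            host = host[2:]
        if in_scope(host, domain):
            hosts.add(host)
    return {"emails": sorted(emails), "hosts": sorted(hosts)}


if __name__ == "__main__":
    result = harvest(SAMPLE_TEXT, "packtpub.com")
    print("emails:", *result["emails"], sep="\n  ")
    print("hosts:", *result["hosts"], sep="\n  ")
```

The scope check matters in practice: a tester who copies every host that merely contains the client's name into the target list ends up scanning systems that belong to someone else.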

E) Obtaining user information

TinEye (reverse image search: find where else a target's profile picture appears online)
F) Google Hacking Database
• The Google Hacking Database (GHDB) is a compendium of Google search terms ("dorks") that
  have been found to reveal sensitive data exposed by vulnerable or misconfigured servers and
  web applications.
• The GHDB was started in 2000 by Johnny Long to serve penetration testers.
• In 2010, Long turned the database over to Offensive Security and it became part of
  exploit-db.com.
• It has since been expanded to cover not only Google but other search engines such as
  Microsoft's Bing, as well as other repositories such as GitHub.
• In each dork below, the operand follows the operator's colon directly (intitle:"index of",
  not intitle: "index of"); a space turns the operand into an ordinary keyword.

a) To search for plaintext passwords in poorly configured WordPress upload directories:

inurl:/wp-content/uploads/ ext:txt "username" AND "password" | "pwd" | "pw"

b) To search for vulnerable web servers (pages that expose the Linux /proc/self/cwd path):

inurl:/proc/self/cwd

To search for open FTP servers:

intitle:"index of" inurl:ftp

c) To search for e-mail lists:

filetype:xls inurl:"email.xls"

d) To search for live cameras, for example IP-based cameras:

inurl:top.htm inurl:currenttime
G) Webcam-XP based transmissions

webcamXP is webcam and network camera software for Windows that streams a camera feed over the
Internet, turning a PC into a simple monitoring system; exposed installations are indexed by
search engines.

a. For webcamXP 5 instances:

intitle:"webcamXP 5"

b. For general live cameras:

inurl:"lvappl.htm"
H) MP3, movie and PDF files

Streaming services such as Spotify and Apple Music have largely replaced music downloads, but
open directory listings of media files are still easy to find with these dorks:

a) For MP3 files:

intitle:"index of" mp3

b) For MP4 files:

intitle:"index of" mp4

c) For PDF files:

intitle:"index of" pdf

d) To search for restricted government documents:

allintitle: restricted filetype:doc site:gov
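Hand-typed dorks are easy to get subtly wrong (a stray space after intitle:, an unquoted multi-word phrase), so, as an added example that is not part of the original practical, the following Python assembles dorks from operator/value pairs, quotes multi-word operands, checks a query for the space-after-operator mistake, and produces the search URL. The operator lists and the well_formed check are this example's own; the dorks it builds are the ones listed above.

```python
import re
from urllib.parse import urlencode

# Operators that take exactly one operand: it must follow the colon directly.
SINGLE_TERM_OPS = {"intitle", "inurl", "intext", "filetype", "ext", "site"}
# Operators whose operand runs to the end of the query; Google's documented form
# ("allintitle: restricted ...") has a space, so it is not flagged.
ALL_TERM_OPS = {"allintitle", "allinurl", "allintext"}
BAD_SPACING_RE = re.compile(r"\b(" + "|".join(sorted(SINGLE_TERM_OPS)) + r"):\s")


def quote_term(value: str) -> str:
    """Wrap a multi-word operand in double quotes so it stays one phrase."""
    if value.startswith('"') and value.endswith('"'):
        return value                      # caller already quoted it
    return f'"{value}"' if any(c.isspace() for c in value) else value


def build_dork(*keywords: str, **operators) -> str:
    """Compose a dork from operator=value pairs followed by free keywords.

    A value may be a string or a list of strings (repeated operator).
    """
    parts = []
    for op, values in operators.items():
        if op not in SINGLE_TERM_OPS | ALL_TERM_OPS:
            raise ValueError(f"unknown operator: {op}")
        if isinstance(values, str):
            values = [values]
        sep = ": " if op in ALL_TERM_OPS else ":"
        parts.extend(f"{op}{sep}{quote_term(v)}" for v in values)
    parts.extend(quote_term(k) for k in keywords)
    return " ".join(parts)


def well_formed(dork: str) -> bool:
    """False if a single-term operator is separated from its operand by whitespace."""
    return BAD_SPACING_RE.search(dork) is None


def google_url(dork: str) -> str:
    """URL-encode the dork as a Google search query."""
    return "https://www.google.com/search?" + urlencode({"q": dork})


if __name__ == "__main__":
    examples = [
        build_dork('"username" AND "password" | "pwd" | "pw"',
                   inurl="/wp-content/uploads/", ext="txt"),
        build_dork("mp3", intitle="index of"),
        build_dork(intitle="index of", inurl="ftp"),
        build_dork(allintitle="restricted", filetype="doc", site="gov"),
    ]
    for d in examples:
        print(f"{d!r:60} ok={well_formed(d)}  {google_url(d)}")
    print("intitle: index of mp3 ->", well_formed("intitle: index of mp3"))
```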


I) Security breaches

• A security breach is any incident that results in unauthorised access to computer data,
  applications, networks or devices. It typically occurs when an intruder is able to bypass
  security mechanisms.
• Technically, there is a distinction between a security breach and a data breach. A security
  breach is effectively a break-in, whereas a data breach is the attacker getting away with
  information. Imagine a burglar: the security breach is when he climbs through the window, and
  the data breach is when he grabs your pocketbook or laptop and takes it away.
• Several websites let you check whether an e-mail address or phone number has appeared in a
  known breach, which tells a tester which of a target's credentials may already circulate in
  leaked datasets:

a) https://haveibeenpwned.com
b) https://haveibeenzuckered.com/
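Besides the account search above, Have I Been Pwned also exposes breached passwords through its Pwned Passwords range API, which is designed so the password never leaves the client. As an added example that is not part of the original practical and not HIBP's own code, the following Python implements that k-anonymity lookup: hash the password with SHA-1, send only the first five hex characters, and compare the remaining 35 locally against the returned list. The HTTP call is replaced by an offline stand-in; the response body and its counts are constructed for this example, so only the format is real.

```python
import hashlib

# Constructed stand-in for the body returned by
#   GET https://api.pwnedpasswords.com/range/5BAA6
# One "<suffix>:<count>" per line, where suffix is the SHA-1 digest minus its first
# five hex characters. The counts and the other two suffixes are made up.
FAKE_RANGE_BODY = """\
1E2A7F0C1B5E8D0F4A3C2B1D0E9F8A7B6C5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1E4D1F9B7A2C3D4E5F60718293A4B5C6D7E:1
"""


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(password: str):
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range) -> int:
    """How often the password appears in the corpus; 0 if never.

    fetch_range(prefix) must return the text body for that prefix. Only the
    prefix is ever transmitted, so neither the password nor its full hash leaves
    the client.
    """
    prefix, suffix = split_digest(password)
    body = fetch_range(prefix)
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP request; records what would have been sent."""
    offline_fetch.requested.append(prefix)
    return FAKE_RANGE_BODY


offline_fetch.requested = []


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch)} times")
    print("prefixes sent to server:", offline_fetch.requested)
```

Swapping offline_fetch for a real HTTP GET of the range URL is the only change needed for a live check; the comparison logic stays client-side.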
J) Profiling for password lists

• Generic lists of commonly used passwords are the starting point for any password attack, but
  a wordlist built from what is known about one person is far more likely to contain that
  person's password.

• The Common User Password Profiler (CUPP) lets the penetration tester generate a wordlist
  specific to a particular user from details such as name, nickname, birthday, partner, child
  and pet names, and company.

• It is not installed by default on Kali Linux; install it with: sudo apt install cupp
• It is invoked with: cupp -i
• This launches CUPP in interactive mode, which prompts the tester for each element used to
  build the wordlist.
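To show what a profiled wordlist contains, here is an added Python example (not part of the original practical and not CUPP's code) that applies the same idea CUPP uses: combine name facts and keywords, add case and optional leetspeak variants, append or prepend dates and common suffixes, and keep only candidates within a length range. The example profile is fictional.

```python
from datetime import date

# Constructed profile of a fictional target.
EXAMPLE_PROFILE = {
    "first": "Alice",
    "last": "Smith",
    "birthday": date(1990, 4, 12),
    "keywords": ["Rex"],          # pet, partner, company, ... as gathered by OSINT
    "years": ["2023"],            # other significant years (hire date, graduation)
}

# Simple leetspeak substitution, in the spirit of CUPP's optional leet mode.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def profile_wordlist(profile: dict, min_len: int = 6, max_len: int = 16,
                     leet: bool = False) -> list:
    """Generate candidate passwords from facts about one person.

    Keys: first, last (str), birthday (date), keywords and years (iterables of str).
    """
    first, last = profile["first"].lower(), profile["last"].lower()
    seeds = {first, last, first + last, last + first}
    seeds |= {k.lower() for k in profile.get("keywords", ())}

    # Case variants: alice, Alice, ALICE; optionally 4l1c3 etc.
    variants = set(seeds)
    variants |= {s.capitalize() for s in seeds} | {s.upper() for s in seeds}
    if leet:
        variants |= {v.translate(LEET) for v in list(variants)}

    # Date fragments people actually append: 1204, 120490, 12041990, 90, 1990
    bday = profile["birthday"]
    dates = {bday.strftime(fmt) for fmt in ("%d%m", "%d%m%y", "%d%m%Y", "%y", "%Y")}
    suffixes = dates | set(profile.get("years", ())) | {"!", "123", "1"}

    words = set()
    for v in variants:
        candidates = [v] + [v + s for s in suffixes] + [s + v for s in suffixes]
        words.update(w for w in candidates if min_len <= len(w) <= max_len)
    return sorted(words)


if __name__ == "__main__":
    wl = profile_wordlist(EXAMPLE_PROFILE, leet=True)
    print(len(wl), "candidates, e.g.:", ", ".join(wl[:8]))
```

The length filter is not cosmetic: candidates shorter than the target system's minimum password length can never succeed and only cost attempts, which is why the default floor here is 6.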
K) Creating custom wordlists for cracking passwords

• We can use CeWL to create a custom wordlist from the target's own web presence.

• CeWL (Custom Word List generator) is a Ruby application that spiders a given URL, up to a
  specified depth, and returns a list of the words found on the pages, which can then be fed to
  password crackers such as John the Ripper. Organisation-specific terms (product names,
  slogans, locations) that appear on a company's site are disproportionately likely to turn up
  in its staff's passwords.

• Optionally, CeWL can follow external links.

• CeWL can also collect the e-mail addresses found in mailto: links. These addresses can be
  used as usernames in brute-force attacks.
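As an added example (not part of the original practical and not CeWL's own Ruby code), the following Python reproduces CeWL's core behaviour on a single page using only the standard library: it extracts the visible words, ignoring script and style content, counts them, applies a minimum word length like CeWL's -m option, and collects the addresses from mailto: links. The HTML page, organisation and addresses are constructed for this example.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed page standing in for the spidered site; no real organisation.
SAMPLE_HTML = """<html><head><title>Acme Robotics - Welcome</title>
<style>body { color: red }</style></head>
<body><h1>Acme Robotics</h1>
<p>Welcome to Acme Robotics. Our Robotics team builds the Pegasus platform.</p>
<p>Contact <a href="mailto:Sales@acme.example?subject=Quote">sales</a> or
<a href="mailto:hr@acme.example">HR</a> for details.</p>
<script>var secret = "Robotics";</script>
</body></html>
"""

WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]*")


class PageWords(HTMLParser):
    """Collect visible text and mailto: addresses, skipping <script> and <style>."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.emails = set()
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith("mailto:"):
                # Drop any ?subject=... query string and normalise case.
                self.emails.add(href[7:].split("?", 1)[0].lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:          # JavaScript identifiers are not words
            self.chunks.append(data)


def cewl_like(html: str, min_length: int = 3, lowercase: bool = False):
    """Return (words ordered by frequency then alphabetically, sorted e-mails)."""
    parser = PageWords()
    parser.feed(html)
    parser.close()
    counts = Counter()
    for chunk in parser.chunks:
        for word in WORD_RE.findall(chunk):
            if len(word) >= min_length:
                counts[word.lower() if lowercase else word] += 1
    words = [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    return words, sorted(parser.emails)


if __name__ == "__main__":
    words, emails = cewl_like(SAMPLE_HTML, min_length=5)
    print("words:", ", ".join(words))
    print("emails:", ", ".join(emails))
```

Ordering by frequency mirrors how the output is normally used: the most repeated terms on a site go to the top of the cracking list, and the sorted e-mail addresses double as a username list for the brute-force step described above.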

L) Nmap

• Nmap is a network scanner created by Gordon Lyon.

• Nmap discovers hosts and services on a computer network by sending packets and analysing
  the responses. Because it sends traffic to the target, this is active reconnaissance, not
  passive.
• Nmap provides a number of features for probing computer networks, including host discovery,
  service detection and operating-system detection.
• First we use Metasploitable2 as the target and find its IP address. Then we use the MSF
  console (msfconsole), the Metasploit Framework console that allows the penetration tester to
  run exploits against the target machine.

• Then we search for ms08_067 inside msfconsole. Note that MS08-067 is a vulnerability in the
  Windows Server service, so this search only demonstrates the workflow; it is not applicable
  to the Linux-based Metasploitable2 host.


PRACTICAL- 03

Aim:-Practical on enumerating host, port, and service scanning.

Theory

Enumeration is the step after reconnaissance in which the attacker establishes an active
connection to the target host and queries it directly. The information gathered (usernames,
host names, IP addresses, network shares, running services and their configuration) is then
used to identify weaknesses and possible attack paths into the target system. Because
enumeration involves a live connection to the target, it is noisier than passive
reconnaissance and can be logged and detected. Once an active connection to the target host
is established, the attacker can proceed to gain control of the target system.

A) Port Scanning
