04 Sep 2016, 00:00

Search for DNS records with dnsrecon

The information that you can find in the DNS zone of a domain can be very useful to pentesters and hackers. Searching for it can be time consuming and there is no guarantee that the zone contains anything useful. In my experience, many DNS zones contain outdated records for systems that aren’t used anymore. By automating this task, you can save yourself some time.

Install dnsrecon

dnsrecon is a tool written in Python. The code is hosted and maintained on GitHub (https://github.com/darkoperator/dnsrecon), where you can download it. For this test, I installed it on a Debian 8 VPS.

First, clone the repository.

git clone https://github.com/darkoperator/dnsrecon

Now install the requirements with pip.

cd dnsrecon
sudo pip install -r requirements.txt

Run the program to test:

python dnsrecon.py

Running dnsrecon

Now let’s run dnsrecon against a real-world domain and take a look at the results. The command needs a domain name and, optionally, the types of tests you want to run.

python dnsrecon.py -d bergenopzoom.nl -t std,brt,axfr,srv
Save your information

When you have to write a report, you can use various systems designed for collecting the information you gathered. When running a command in the terminal, you can usually choose an output file option, or you can redirect the output to a file with > on the Linux console.

dnsrecon also has multiple output options. I prefer JSON output, but there are more. I also recommend adding some sort of timestamp to the file name. That makes it easier to find, use and work with the results later.
python dnsrecon.py -d eneco.nl -t std,brt,axfr,srv,goo,zonewalk -j ../`date "+%Y%m%d-%H%M%S"`-eneco.nl.json
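Once the results are in a JSON file, they can be reviewed automatically. The script below is an added example, not part of dnsrecon or this post: it reads a dnsrecon JSON export and flags the kinds of records the introduction warns about (names with no address, non-production hostnames, CNAMEs pointing outside the zone, and an SPF policy ending in +all as seen in the output above). The record layout (one object per record with `type`, `name`, `address`, `target` and `strings` keys), the label list and the sample data are assumptions constructed for this example.

```python
"""Review a dnsrecon JSON export for records a zone owner should look at.

Added example, not part of dnsrecon. Assumed record layout (one JSON
object per record): "type" plus "name"/"address" for A and AAAA,
"name"/"target" for CNAME and "name"/"strings" for TXT. The sample
below is constructed; check the layout against your own -j output.
"""
import json
import re

# Labels that usually mark a non-production system. Whether such a name
# should be resolvable from the internet at all is a question for the owner.
NON_PROD_LABELS = {"test", "acc", "acceptatie", "demo", "staging", "dev", "tst", "legacy"}

# Constructed sample in the assumed dnsrecon -j layout.
SAMPLE_JSON = json.dumps([
    {"type": "A", "name": "www.example.nl", "address": "192.0.2.10"},
    {"type": "A", "name": "test.example.nl", "address": "192.0.2.11"},
    {"type": "A", "name": "legacy-portal.example.nl", "address": "no_ip"},
    {"type": "CNAME", "name": "forum.example.nl",
     "target": "forum-example-123456.eu-west-1.elb.amazonaws.com"},
    {"type": "CNAME", "name": "www.shop.example.nl", "target": "shop.example.nl"},
    {"type": "TXT", "name": "example.nl", "strings": "v=spf1+all"},
    {"type": "TXT", "name": "example.nl", "strings": "MS=ms00000000"},
])


def in_zone(hostname, domain):
    """True if hostname is the apex or lies below domain."""
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def spf_allows_everyone(txt):
    """True for an SPF policy containing the +all (or bare all) mechanism.

    dnsrecon printed the policy in the post as "v=spf1+all", so the check
    does not depend on whitespace after the version tag.
    """
    body = txt.strip()
    if not body.lower().startswith("v=spf1"):
        return False
    terms = body[len("v=spf1"):].lower().split()
    return any(t in ("+all", "all") for t in terms)


def review(records, domain):
    """Return a list of (name, finding) tuples for records worth a second look."""
    findings = []
    for rec in records:
        rtype, name = rec.get("type"), rec.get("name", "")
        if rtype in ("A", "AAAA"):
            if rec.get("address") == "no_ip":
                findings.append((name, "stale: name exists but has no address"))
            # Split on dots and dashes so "legacy-portal" is caught as well.
            labels = set(re.split(r"[.-]", name.lower()))
            if labels & NON_PROD_LABELS:
                findings.append((name, "non-production name published in public DNS"))
        elif rtype == "CNAME":
            target = rec.get("target", "")
            if not in_zone(target, domain):
                findings.append((name, "CNAME to external host %s: confirm the target is still provisioned" % target))
        elif rtype == "TXT" and spf_allows_everyone(rec.get("strings", "")):
            findings.append((name, "SPF ends in +all: any host may send mail as this domain"))
    return findings


def review_file(path, domain):
    """Run the review over a file written with dnsrecon -j."""
    with open(path) as fh:
        return review(json.load(fh), domain)


def review_sample():
    """Run the review over the constructed sample."""
    return review(json.loads(SAMPLE_JSON), "example.nl")


if __name__ == "__main__":
    for name, finding in review_sample():
        print("%-35s %s" % (name, finding))
```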

One more thing

Here is a somewhat larger output.

python dnsrecon.py -t std,brt,axfr,srv,goo,zonewalk -d eneco.nl
[*] Performing General Enumeration of Domain:
[*] DNSSEC is configured for eneco.nl
[*] DNSKEYs:
[*] 	NSEC KSk RSASHA1 03010001f1d1234b9adc1f8b122ac3af 3092163a0e12b6e8078ac5e4ed6ddf20 1f64d4cb54a206a422a74a037387b9cd 57ef25aac9b205d1cccf6cdfd9eb3a71 922d79f0bb66cff4e3592c9f33c347c7 712478b7928ae6bafa17e77ea9a303df 5ad508b2ce51baa134c1c874829a2f6f 64d93158b813669a32d7eb3fbece4d84 82088a23d1e64afdcae68a9d311a9ecf a0884d4c0bd1b45d55101784c15a1388 84b0d291eb99084747202fda38eaf77e 32d67c16dc2aae518d635c0340e31292 4a0cb5b3f0cbb65f756f70ec4b63f3a9 4a26f283fae083e5dbf441e5c434a6dd 6530bc55e56da8a12d83210b5c914c30 47dee90db0a4ad732c56b04379547888 c54e67fd
[*] 	NSEC KSk RSASHA1 03010001c921ec570c09fbaf792754c4 9149cbc7ab87d8595c289ae886a5684b 60d38964b4bce585532287bd2f84d915 ee35715b857513320629d024e74ba567 fd2669b3fbd2fbeade318e74bde54978 0d6f39d3229e4b9ad375aaa8859f4d46 506fbf2b16e47c43013cb4a1b6a271f7 855a04e836fdf0eb4b90c7e007aebb46 efb325ddf21903a3e9e9f2d93e4b1d4c 86ef4ee4e6fee464bda42a544bdc9d77 94bdaff88394bf8556de09ba4e3ed57d e6b7bc6ef2c3592bf02a7179d5546fc8 fc313220f68f1c1824211a19ab3d5b24 baba6258ca1cf2a51df25be5f7d53b94 2967341af6e2a4660a35b93446a4838d 9643083ec910708e8a15662ffb16acc8 eca56f0f
[*] 	NSEC ZSK RSASHA1 03010001d6d6c44375978a4724513eee b4ee07119373ceb618bc5df878b20288 816c7dd5cf6a0d04ff0cedf9c489424f c820b2d284242d146f4a5d769d633707 88df0bb7553035bf14e19cc1552fbfd7 d4e9c814a515d8313d70e22095ecda4a d6067caeb34ad7621e90c944e75eef91 d76300f867fd12e8be6a39a97c8c0b92 49bb22cd
[*] 	NSEC ZSK RSASHA1 03010001e3da5e567430250e8bd0c6a4 e64783cfe82eaa80f1c466f0e8fb29d8 6c4400345c10517aa63fda5f02aa7641 ffda724a937ae1edec7a3173ee4b61e4 ea8713a553cdcf1948562acde79d3b3d aaf592bd7ce3218f296ccabe39a12f50 5fe5c007d666831ca08971c5691469e7 c8d0a8f35ec87d29bf6f09144bb44251 98a17ded
[*] 	 SOA ns1.capgeminioutsourcing.nl
[*] 	 NS ns2.capgeminioutsourcing.nl
[*] 	 NS ns2.capgeminioutsourcing.nl 2a01:67c0:0:913::231
[*] 	 NS ns1.capgeminioutsourcing.nl
[*] 	 MX eneco-nl.mail.protection.outlook.com
[*] 	 MX eneco-nl.mail.protection.outlook.com
[*] 	 A eneco.nl
[*] 	 TXT eneco.nl MS=ms94193666
[*] 	 TXT eneco.nl xP739diW62i/gyWq4cMfbB1En1kHSf3/285Z1Peb74pveZj4Y8LzYj6q+S2ScAHYpGppI/LYJYOpBxcvHuSgNQ==
[*] 	 TXT eneco.nl v=spf1+all
[*] Enumerating SRV Records
[*] 	 SRV _sipfederationtls._tcp.eneco.nl sip.eneco.nl 5061 10
[*] 	 SRV _sip._tls.eneco.nl sip.eneco.nl 5061 10
[+] 2 Records Found
[*] No file was specified with domains to check.
[*] Using file provided with tool: /home/sebastian/Python/dnsrecon/namelist.txt
[*] 	 A access.eneco.nl
[*] 	 A apps.eneco.nl
[*] 	 A as.eneco.nl
[*] 	 A autodiscover.eneco.nl
[*] 	 A chat.eneco.nl
[*] 	 A demo.eneco.nl
[*] 	 A extern.eneco.nl
[*] 	 CNAME forum.eneco.nl forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 A forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 A forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 A forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 CNAME intranet.eneco.nl eneco.sharepoint.com
[*] 	 CNAME eneco.sharepoint.com prodnet21-30a0001.sharepointonline.com.akadns.net
[*] 	 CNAME prodnet21-30a0001.sharepointonline.com.akadns.net prodnet21-30selectora0001.sharepointonline.com.akadns.net
[*] 	 A prodnet21-30selectora0001.sharepointonline.com.akadns.net
[*] 	 CNAME intranet.eneco.nl eneco.sharepoint.com
[*] 	 CNAME eneco.sharepoint.com prodnet21-30a0001.sharepointonline.com.akadns.net
[*] 	 CNAME prodnet21-30a0001.sharepointonline.com.akadns.net prodnet21-30selectora0001.sharepointonline.com.akadns.net
[*] 	 AAAA prodnet21-30selectora0001.sharepointonline.com.akadns.net 2a01:111:f402:9416::26
[*] 	 A kz.eneco.nl
[*] 	 A localhost.eneco.nl
[*] 	 A mail.eneco.nl
[*] 	 A mailhost.eneco.nl
[*] 	 CNAME pop.eneco.nl pop.pinsmail.nl
[*] 	 A pop.pinsmail.nl
[*] 	 A r.eneco.nl
[*] 	 A services.eneco.nl
[*] 	 A smtp.eneco.nl
[*] 	 A webmail.eneco.nl
[*] 	 A win.eneco.nl
[*] 	 A www.eneco.nl
[+] 31 Records Found
[*] Testing NS Servers for Zone Transfer
[*] Checking for Zone Transfer for eneco.nl name servers
[*] Resolving SOA Record
[+] 	 SOA ns1.capgeminioutsourcing.nl
[*] Resolving NS Records
[*] NS Servers found:
[*] 	NS ns2.capgeminioutsourcing.nl
[*] 	NS ns2.capgeminioutsourcing.nl 2a01:67c0:0:913::231
[*] 	NS ns1.capgeminioutsourcing.nl
[*] 	NS ns1.capgeminioutsourcing.nl 2a01:67c0:0:913::230
[*] Removing any duplicate NS server IP Addresses...
[*] Trying NS server 2a01:67c0:0:913::230
[-] Zone Transfer Failed for 2a01:67c0:0:913::230!
[-] Port 53 TCP is being filtered
[*] Trying NS server
[+] Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*] Trying NS server
[+] Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] No answer or RRset not for qname
[*] Trying NS server 2a01:67c0:0:913::231
[-] Zone Transfer Failed for 2a01:67c0:0:913::231!
[-] Port 53 TCP is being filtered
[*] Enumerating Common SRV Records against eneco.nl
[*] 	 SRV _sipfederationtls._tcp.eneco.nl sip.eneco.nl 5061 10
[*] 	 SRV _sip._tls.eneco.nl sip.eneco.nl 5061 10
[+] 2 Records Found
[*] Performing Google Search Enumeration against eneco.nl
[*] 	 A www.eneco.nl
[*] 	 A speciaalvoorklanten.eneco.nl
[*] 	 A toonopafstand.eneco.nl
[*] 	 A prive.eneco.nl
[*] 	 CNAME forum.eneco.nl forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 A forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 A forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 A forum-eneco-nl-insided-com-800748479.eu-west-1.elb.amazonaws.com
[*] 	 CNAME nieuws.eneco.nl client.perspagina.nl
[*] 	 CNAME client.perspagina.nl dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com
[*] 	 A dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com
[*] 	 A dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com
[*] 	 A dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com
[*] 	 CNAME nieuws.eneco.nl client.perspagina.nl
[*] 	 CNAME client.perspagina.nl dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com
[*] 	 AAAA dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com 2a01:578:3::3412:fa78
[*] 	 AAAA dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com 2a01:578:3::364c:255f
[*] 	 AAAA dualstack.pp-prod-1298634554.eu-west-1.elb.amazonaws.com 2a01:578:3::364c:74e7
[*] 	 A projecten.eneco.nl
[*] 	 A energytradeuk.eneco.nl
[*] 	 A windlab.eneco.nl
[*] 	 A zonnepanelensimulator.eneco.nl
[*] 	 A thuis.eneco.nl
[*] 	 CNAME intranet.eneco.nl eneco.sharepoint.com
[*] 	 CNAME eneco.sharepoint.com prodnet21-30a0001.sharepointonline.com.akadns.net
[*] 	 CNAME prodnet21-30a0001.sharepointonline.com.akadns.net prodnet21-30selectora0001.sharepointonline.com.akadns.net
[*] 	 A prodnet21-30selectora0001.sharepointonline.com.akadns.net
[*] 	 CNAME intranet.eneco.nl eneco.sharepoint.com
[*] 	 CNAME eneco.sharepoint.com prodnet21-30a0001.sharepointonline.com.akadns.net
[*] 	 CNAME prodnet21-30a0001.sharepointonline.com.akadns.net prodnet21-30selectora0001.sharepointonline.com.akadns.net
[*] 	 AAAA prodnet21-30selectora0001.sharepointonline.com.akadns.net 2a01:111:f402:9416::26
[*] 	 A mijn.eneco.nl
[*] 	 A zonnepanelenvoordummies.eneco.nl
[*] 	 A energiemanagerexpert.eneco.nl
[+] 34 Records Found
[*] Performing NSEC Zone Walk for eneco.nl
[*] Getting SOA record for eneco.nl
[*] Name Server will be used
[+] 488 records found

31 Aug 2016, 00:00

Information, meet your harvester!

Gathering intelligence is usually a very time-consuming job. But having the right information is also very important: it can save you a lot of time later on the job, and time is money! Most hackers don’t have a deadline to watch. If you hire a pentester, he or she has to get the job done on a schedule. To start gathering information, you can use theHarvester.

What does it do?

theHarvester gets its information by searching the internet for e-mail addresses, URLs and IP addresses, and by doing various lookups.

The sources theHarvester uses are:

  • google
  • googleCSE
  • bing
  • bingapi
  • pgp
  • linkedin
  • google-profiles
  • jigsaw
  • twitter
  • googleplus

Install theHarvester

theHarvester is a program written in Python. Installing it from GitHub is easy. Go to the directory you want and run:

git clone https://github.com/laramies/theHarvester.git

The results:

Cloning into 'theHarvester'...
remote: Counting objects: 232, done.
remote: Total 232 (delta 0), reused 0 (delta 0), pack-reused 232
Receiving objects: 100% (232/232), 103.11 KiB | 0 bytes/s, done.
Resolving deltas: 100% (122/122), done.
Checking connectivity... done.

Of course you need to have git, which I installed on my Debian 8 machine with:

apt install git

Now do a test run:

cd theHarvester/
python ./theHarvester.py

*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 2.7                                           *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *

Usage: theharvester options 

       -d: Domain to search or company name
       -b: data source: google, googleCSE, bing, bingapi, pgp, linkedin,
                        google-profiles, jigsaw, twitter, googleplus, all

       -s: Start in result number X (default: 0)
       -v: Verify host name via dns resolution and search for virtual hosts
       -f: Save the results into an HTML and XML file (both)
       -n: Perform a DNS reverse query on all ranges discovered
       -c: Perform a DNS brute force for the domain name
       -t: Perform a DNS TLD expansion discovery
       -e: Use this DNS server
       -l: Limit the number of results to work with(bing goes from 50 to 50 results,
            google 100 to 100, and pgp doesn't use this option)
       -h: use SHODAN database to query discovered hosts

        theHarvester.py -d microsoft.com -l 500 -b google -h myresults.html
        theHarvester.py -d microsoft.com -b pgp
        theHarvester.py -d microsoft -l 200 -b linkedin
        theHarvester.py -d apple.com -b googleCSE -l 500 -s 300

Get some information

Now it is time to get some information! I can do a run on my own domain, but I don’t think it will find very much. Let’s just do it for the example.

python ./theHarvester.py -b all -d binaryfigments.com

*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 2.7                                           *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *

Full harvest..
[-] Searching in Google..
	Searching 0 results...
	Searching 100 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
	Searching 50 results...
	Searching 100 results...
[-] Searching in Exalead..
	Searching 50 results...
	Searching 100 results...
	Searching 150 results...

[+] Emails found:
No emails found

[+] Hosts found in search engines:
[-] Resolving hostnames IPs...
[+] Virtual hosts:
==================	xpired.nl	binaryfigments.com

And now with a real company, which is a bit more interesting.

python ./theHarvester.py -b all -d bergenopzoom.nl

*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 2.7                                           *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *

Full harvest..
[-] Searching in Google..
	Searching 0 results...
	Searching 100 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
	Searching 50 results...
	Searching 100 results...
[-] Searching in Exalead..
	Searching 50 results...
	Searching 100 results...
	Searching 150 results...

[+] Emails found:

[+] Hosts found in search engines:
[-] Resolving hostnames IPs...
[+] Virtual hosts:
==================	www.bergenopzoom	www.ondernemeninbergenopzoom	www.bergenopzoom.nl	www.ondernemeninbergenopzoom.nl
Tools like theHarvester are great for finding information on the web. The downside is that most of these tools aren’t updated very often. That can be a drawback because the sources they search change regularly. It’s a good thing these tools are open source, so you can help with the project if you want.

30 Aug 2016, 00:00

Install and use WPScan on Debian 8

WPScan is a great tool for auditing WordPress websites. WordPress is the most popular content management system at the moment. It is widely used and it has many plugins and themes. That is also where the problem lies: because of the large install base, it gets the attention of hackers and script kiddies. Every vulnerability will be watched and, where possible, abused. And that goes not only for WordPress itself, but also for its themes and plugins.

How do I get this thing to work?

If you use Kali Linux, WPScan is installed by default. But on a Debian 8 system, you have to do some work yourself. First we begin with the dependencies.

# Become root
# Install software
apt install sudo git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev

If you haven’t used sudo before, you have to edit the sudoers file with visudo and give your user the sudo rights he deserves.

After installing the dependencies, we can go install rvm. The Ruby Version Manager is needed because WPScan is written in Ruby and rvm is an easy way to manage Ruby installations.

cd ~
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -sSL https://get.rvm.io | bash -s stable
source ~/.profile
rvm install 2.3.1
rvm use 2.3.1 --default
echo "gem: --no-ri --no-rdoc" > ~/.gemrc
gem install bundler

After the installation, you may want to check for updates.

ruby ./wpscan.rb --update

Now run WPScan!

Running WPScan can be simple with a short line.

ruby ./wpscan.rb -e vt,tt,u,ap -r --url xpired.nl

And I got these results.

But looking at the results, I saw that the one plugin I am using was not listed. So I took a look at the WPScan options with --help and added some options to the command.

ruby ./wpscan.rb -e vt,tt,u,ap -r --url xpired.nl

Now WPScan ran for 35 minutes! But the results were what I wanted, and I found my plugin listed.

Final thoughts

WPScan is one of the finest tools for information gathering on a WordPress website. Taking a look at my Wordfence settings on the test website, I saw the user agent WPScan v2.9.1. To make it less easy for a target’s webmaster, you may want to use a random user agent by adding the option -r to the command. And take a good look at the license model before using it in a commercial environment.

29 Aug 2016, 00:00

Detect the CMS with CMSmap

There are plenty of tools available that you can use to find vulnerabilities on a website. One tool I use is CMSmap (https://github.com/Dionach/CMSmap), which is written in Python.

Let’s install CMSmap

Installing CMSmap is an easy job. On my clean Debian 8.5 machine it was done in a second. There is one tool that you will need, and that is git.

apt install git

After installing git you can create a local clone of the repo.

# git clone https://github.com/Dionach/CMSmap.git
Cloning into 'CMSmap'...
remote: Counting objects: 34, done.
remote: Total 34 (delta 0), reused 0 (delta 0), pack-reused 34
Unpacking objects: 100% (34/34), done.
Checking connectivity... done.

Be sure you update CMSmap before you use it.

# python cmsmap.py --update A
[-] Date & Time: 29/08/2016 23:52:36
[-] Updating CMSmap to the latest version from GitHub repository... 
Already up-to-date.
[-] CMSmap is now updated to the latest version!
[-] Downloading wordpress plugins from svn website
[-] 62039 plugins found
[-] Wordpress Plugin File: /opt/tools/CMSmap/data/wp_plugins.txt
[-] Downloading WordPress plugins from ExploitDB website
[-] File: /opt/tools/CMSmap/data/wp_plugins_small.txt
[-] Downloading WordPress themes from ExploitDB website
[-] File: /opt/tools/CMSmap/data/wp_themes_small.txt
[-] Downloading Joomla components from ExploitDB website
[-] File: /opt/tools/CMSmap/data/joo_plugins_small.txt
[-] Downloading drupal modules from drupal.org
[-] Drupal Plugin File: /opt/tools/CMSmap/data/dru_plugins_small.txt

Your first CMSmap scan

CMSmap takes its time to run and find some useful information. Sometimes it runs for 5 minutes or longer. You can speed this up (or slow it down!) when needed by specifying the maximum number of threads (--threads) the program may use.

Run the scan with this command:

python cmsmap.py -t https://xpired.nl

See the results:

[-] Date & Time: 30/08/2016 00:02:21
[-] Target: https://xpired.nl
[I] Server: Caddy
[L] X-Frame-Options: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[L] Robots.txt Found: https://xpired.nl/robots.txt
[I] CMS Detection: Wordpress
[I] Wordpress Theme: twentysixteen
[-] Enumerating Wordpress Usernames via "Feed" ...
[-] Enumerating Wordpress Usernames via "Author" ...
[M] Sebastian Broekhoven
[I] Forgotten Password Allows Username Enumeration: https://xpired.nl/wp-login.php?action=lostpassword
[M] Website vulnerable to XML-RPC Brute Force Vulnerability
[I] Autocomplete Off Not Found: https://xpired.nl/wp-login.php
[-] Default WordPress Files:
[I] https://xpired.nl/license.txt
[I] https://xpired.nl/wp-includes/images/crystal/license.txt
[I] https://xpired.nl/wp-includes/images/crystal/license.txt
[I] https://xpired.nl/wp-includes/js/plupload/license.txt
[I] https://xpired.nl/wp-includes/js/tinymce/license.txt
[I] https://xpired.nl/wp-includes/js/swfupload/license.txt
[I] https://xpired.nl/wp-includes/ID3/license.txt
[I] https://xpired.nl/wp-includes/ID3/readme.txt
[I] https://xpired.nl/wp-includes/ID3/license.commercial.txt
[-] Searching Wordpress Plugins ...
[-] Searching Wordpress TimThumbs ...
[I] Checking for Directory Listing Enabled ...
[-] Date & Time: 30/08/2016 00:05:25
[-] Completed in: 0:03:03

When you are sure that the website is running WordPress, for example, and you want to do a full scan, the command to use is:

python cmsmap.py -f W -F -t https://xpired.nl

Some thoughts

Tools like CMSmap are great for automated testing. But when you are testing websites that are protected with plugins like Wordfence, there is a big chance that you will not find what you are looking for. You cannot always rely on automated scans. If an automated scan of your website thinks the state of your website is OK, think again and do some manual auditing. You always have to double-check your results.

Note: https://xpired.nl is my test website

24 Aug 2016, 00:00

Play with Nmap

Nmap is mostly used as a portscanner. If you want to know whether your firewall is set up correctly, Nmap is THE tool to use. Unfortunately, Nmap is also used by hackers and script kiddies. I think that, most of the time, it is the script kiddies who use it to do some harm. IDSs and firewalls are getting better at detecting portscans with tools like Nmap. Hackers want to stay under the radar to avoid detection.

More than a portscanner

There is a scripting engine in Nmap, called the Nmap Scripting Engine (NSE), that you can use to do more than a portscan. NSE scripts are written in Lua, and a bunch of them are delivered with the installation of Nmap. You can find the NSE documentation here: https://nmap.org/nsedoc/.

Installing Nmap

Nmap has installable packages in most Linux distributions, so installing it with a package can be as easy as:

# Debian / Ubuntu
apt install nmap
# Redhat / CentOS
yum install nmap
# Fedora
dnf install nmap

Script categories

The NSE scripts delivered with Nmap are divided into a few categories, so you can find and run them separately. These are the main categories:

  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • external
  • fuzzer
  • intrusive
  • malware
  • safe
  • version
  • vuln

You can find them all here: https://nmap.org/book/nse-usage.html#nse-categories

Running the scripts

Running the scripts is easy. The default scripts are already very powerful on their own. But if you want to go further and look for vulnerabilities, you can use the vuln category like this.

nmap --script vuln yourdomain.nl

Running all the NSE scripts in the vuln category can take a while.

Another nice category is the discovery category.

nmap --script discovery yourdomain.nl

To run the default scripts:

nmap -sC yourdomain.nl

When you get the message “check disabled” you can add an argument to run unsafe scripts.

nmap --script-args=unsafe=1 --script vuln yourdomain.nl

Updates for the scripts

Nmap can be installed and updated with your package manager, but the development of some scripts goes a bit faster than your package manager knows about.

nmap --script-updatedb

Starting Nmap 6.47 ( http://nmap.org ) at 2016-08-25 00:18 CEST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.34 seconds

Take a look at the scripts and go play with them. There are some awesome scripts packed with Nmap. Most of the time, you can find them here: /usr/share/nmap/scripts.

It’s a multitool!

As you can see, Nmap can be a real multitool. With some effort you can get a lot of information about your server with it.

17 Aug 2016, 00:00

PTR Records

When using the internet, we all use DNS records to resolve the names of websites, so that our computer and/or browser knows that when we go to https://binaryfigments.com it has to connect to the webserver behind that name, in this case the IPv6 address 2a01:448:1003::130.

The other way around

There is also a way to get the name behind an IP address. This is done with a DNS record named a PTR record. PTR stands for Pointer Record, also known as a reverse DNS record. If you do a reverse lookup for an IP address, you get the name behind it. These records are commonly used by mail systems to check whether the sending mail server is who it says it is.

For example, if we look up the name of the SMTP server of my domain provider, we get the following results:

$ dig A filter01.networking4all.net +short

Or for IPv6:

$ dig AAAA filter01.networking4all.net +short

With the host command:

$ host filter01.networking4all.net
filter01.networking4all.net has address
filter01.networking4all.net has IPv6 address 2a01:448:1:1002::8

These are normal lookups, checking which IP address is behind which fully qualified domain name. If we want to do a reverse lookup of these addresses, we can also use the dig or host command.

With dig:

$ dig -x +short
$ dig -x 2a01:448:1:1002::8 +short

With host:

$ host domain name pointer filter01.networking4all.net.
host 2a01:448:1:1002::8 domain name pointer filter01.networking4all.net.

Notation of a PTR record

As you can see in the results of the last host commands, PTR records have a somewhat strange notation. The name of a PTR record is the IP address written in reversed notation, under the zone in-addr.arpa for IPv4 and under the zone ip6.arpa for IPv6. (.in-addr.arpa)

Who is maintaining these records?

The PTR records live on the DNS servers of the network maintainer. If I want a PTR record on the IP address I have from my provider, pointing to the name binaryfigments.com, I have to ask them to set it for me. Even better is when you can set it up yourself in a portal. The provider then sets this PTR record in their name server. If you have your own IP subnet, you can possibly use your own nameservers.

To get the zone you are in you can run the command:

$ dig

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21458
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;	IN	A

93.249.213.in-addr.arpa. 1799	IN	SOA	ns1.networking4all.com. hostmaster.yourdomainprovider.net. 2016081703 14400 3600 1209600 7200

;; Query time: 48 msec
;; WHEN: Wed Aug 17 14:47:08 2016
;; MSG SIZE  rcvd: 136

And for IPv6:

$ dig

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

; IN A

;; AUTHORITY SECTION: 1799	IN	SOA	ns1.networking4all.com. hostmaster.networking4all.com. 2016081706 3600 3600 1209600 7200

;; Query time: 131 msec
;; WHEN: Wed Aug 17 14:42:22 2016
;; MSG SIZE  rcvd: 159

In the authority section you see the SOA of the zone of the IP address. The name server in the SOA is the authoritative name server for the zone of your IP address.

Zone for my IPv4: 93.249.213.in-addr.arpa.

Zone for my IPv6:

The primary name server for this zone is ns1.networking4all.com, and there you have to add the right PTR record.
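An added Python example, not from the original post, that builds the reversed notation from the section above and derives the reverse zone discussed here. It uses the page’s own address 2a01:448:1:1002::8 and the /24 zone 93.249.213.in-addr.arpa; the networks 192.0.2.0/24 and 2001:db8::/32 are constructed documentation prefixes.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Name under in-addr.arpa (IPv4) or ip6.arpa (IPv6) whose PTR record names this address.
    Built by hand to show the notation; ipaddress.ip_address(ip).reverse_pointer gives the same."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # IPv4: the four decimal octets, in reverse order
        return ".".join(str(addr).split(".")[::-1]) + ".in-addr.arpa"
    # IPv6: all 32 hex nibbles of the fully expanded address (no :: shorthand), one label each, reversed
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(cidr: str) -> str:
    """Reverse zone that holds the PTR records of a network, i.e. the zone the SOA in the dig output
    belongs to (93.249.213.in-addr.arpa for a /24). Only prefix lengths on a label boundary (multiples
    of 8 for IPv4, of 4 for IPv6) map to a single zone; anything else raises ValueError."""
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are ignored, so an address/prefix works too
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(f"{cidr}: prefix length must be a multiple of {bits_per_label}")
    full = reverse_name(str(net.network_address))
    # Drop the host part: the leading labels that the prefix does not cover
    total_labels = 4 if net.version == 4 else 32
    keep = net.prefixlen // bits_per_label
    return ".".join(full.split(".")[total_labels - keep:])


def check_against_stdlib(ip: str) -> bool:
    """Sanity check: the hand-rolled name equals the standard library's reverse_pointer."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer
```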

How and where is this set?

RIPE is the organization that manages the IP subnets in the region I am in. My provider, Networking4all, needs to add a DOMAIN object with the right name servers in it to the RIPE database.

You can search it here: https://apps.db.ripe.net/search/query.html?searchtext=93.249.213.in-addr.arpa#resultsAnchor

This is the DOMAIN object that you will find: https://apps.db.ripe.net/search/lookup.html?source=ripe&key=93.249.213.in-addr.arpa&type=domain

As you can see, looking up PTR records works slightly differently. It is important to set a correct PTR record for your server’s IP address if you use services like e-mail and DNS on it.

21 Apr 2016, 00:00

Generate Random Passwords

Who needs random password generators when you can do it on the command line of your Mac or Linux computer? Even Windows!

You simply start a terminal, type the command, choose how many characters and go!

The easy way is with OpenSSL:

openssl rand -base64 12

If you don’t have OpenSSL, you can also use this command:

date | md5

This creates an MD5 hash of the current date (on Linux the command is md5sum instead of md5). Because the hex output of MD5 contains no special characters, the password is less advanced.
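An added Python example, not from the original post, that puts numbers on the two commands: how many bits of randomness `openssl rand -base64 12` gives, what passwords of the same length drawn from the base64 and hex alphabets would be worth, and why `date | md5` is worth far less than its 32 hex characters suggest (its input is a timestamp, not randomness). It also includes a generator built on the secrets module; the one-day time window is a constructed assumption.

```python
import math
import secrets
import string

# Character sets of the two commands from the post.
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"  # output of `openssl rand -base64`
HEX_ALPHABET = string.digits + "abcdef"                        # output of md5
# No duplicate symbols, so secrets.choice stays uniform over the whole set.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def openssl_rand_bits(n_bytes: int) -> int:
    """`openssl rand -base64 N` base64-encodes N random bytes: 8*N bits, however many characters are
    printed (12 bytes -> 16 characters, 96 bits; base64 padding adds nothing)."""
    return 8 * n_bytes


def date_md5_bits(window_seconds: int) -> float:
    """`date | md5` hashes a timestamp with one-second resolution, so there is exactly one possible
    output per second. If the moment of generation is known to within `window_seconds`, that is all
    the entropy there is, whatever the hash looks like."""
    return math.log2(window_seconds)


def generate_password(length: int, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Password from the OS CSPRNG; secrets.choice is uniform, unlike a hashed timestamp."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(window_seconds: int = 86400) -> dict:
    """Side-by-side entropy (bits) of the approaches in the post; window_seconds is a constructed assumption."""
    return {
        "openssl rand -base64 12": openssl_rand_bits(12),
        "16 random base64 chars": entropy_bits(len(BASE64_ALPHABET), 16),
        "32 random hex chars": entropy_bits(len(HEX_ALPHABET), 32),
        "date | md5, time known to 1 day": date_md5_bits(window_seconds),
    }
```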

16 Apr 2016, 00:00

Cleaning Up PowerDNS Records

PowerDNS is a nice and advanced domain name server, written in C++. One of the upsides of PowerDNS is that it can work with multiple back-ends like Bind, MySQL and PostgreSQL. A PowerDNS server can run in MASTER / SLAVE mode and in NATIVE mode. I personally like the NATIVE mode, because you can use database replication for your other nameservers. So if you have PowerDNS running with a working back-end, it just serves your zones.


While working with PowerDNS and a MySQL back-end, I think the flexibility can also be a huge downside for people who do not fill in the records and zones with great care. Your nameserver is the backbone of your domain! If you make a mistake, your domain can become unresolvable, and that is not what you want. A better way is NOT to write directly into the MySQL back-end, and to do some input validation.

Search the records

With MySQL as a back-end for PowerDNS, you can easily run queries to find the faulty records. Most of the time people cut and paste the values from another system, copying too many characters, spaces and even TABs! There are also differences between systems. For one system you have to use the @ as a placeholder for the domain and end CNAMEs and MX records with a dot (.). A few queries I run to clean up my records are listed below.

SELECT id, name, type, content FROM records WHERE name LIKE '.%';
SELECT id, name, type, content FROM records WHERE name LIKE '%..%';
SELECT id, name, type, content FROM records WHERE name LIKE '% %';
SELECT id, name, type, content FROM records WHERE name LIKE '%@.%';
-- This one is nice too, it finds tabs!
SELECT id, name, type, content FROM records WHERE name LIKE '\t%';

When you get results, you know what to clean up. If you dare, you can write a query that does it for you, like replacing the @. in some records. Please make backups before doing this! And test your results.

update records set name = replace(name,'@.','');

After this query, records like @.domainname.com will be domainname.com. You can do the same with a double dot.

update records set name = replace(name,'..','.');
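An added example, not from the post and not using MySQL: the same checks and the two cleanup UPDATEs run with Python’s built-in sqlite3 against a constructed copy of the records table, so you can see which rows each query catches and which one (the stray space) still needs a manual fix. In sqlite the tab check uses instr() with char(9), because sqlite does not interpret '\t' inside a string literal the way MySQL does.

```python
import sqlite3

# Constructed rows shaped like PowerDNS' generic MySQL `records` table (id, name, type, content).
SAMPLE_RECORDS = [
    (1, "example.com", "SOA", "ns1.example.com hostmaster.example.com 2016041601 3600 600 1209600 3600"),
    (2, ".www.example.com", "A", "192.0.2.10"),         # leading dot, pasted from another system
    (3, "mail..example.com", "A", "192.0.2.25"),        # double dot
    (4, "ftp example.com", "A", "192.0.2.21"),          # stray space in the middle
    (5, "@.example.com", "MX", "10 mail.example.com"),  # '@' placeholder that PowerDNS does not use
    (6, "\twww.example.com", "CNAME", "example.com"),   # leading TAB
    (7, "www.example.com", "A", "192.0.2.10"),          # clean
]

# The post's SELECT conditions; MySQL's LIKE '\t%' becomes instr(name, char(9)) in sqlite.
CHECKS = {
    "leading dot": "name LIKE '.%'",
    "double dot": "name LIKE '%..%'",
    "space": "name LIKE '% %'",
    "@ placeholder": "name LIKE '%@.%'",
    "tab": "instr(name, char(9)) > 0",
}


def load(rows):
    """In-memory table with the same four columns the queries in the post use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, type TEXT, content TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", rows)
    return conn


def find_faulty(conn):
    """{check: [record ids]} for every check that returns rows."""
    found = {}
    for label, cond in CHECKS.items():
        ids = [row[0] for row in conn.execute(f"SELECT id FROM records WHERE {cond} ORDER BY id")]
        if ids:
            found[label] = ids
    return found


def cleanup(conn):
    """The two replace() UPDATEs from the post, plus stripping leading/trailing whitespace and a leading
    dot. Returns the number of rows changed. Back up the table first on a real server."""
    ws = "' ' || char(9)"
    statements = (
        "UPDATE records SET name = replace(name, '@.', '') WHERE name LIKE '%@.%'",
        "UPDATE records SET name = replace(name, '..', '.') WHERE name LIKE '%..%'",
        f"UPDATE records SET name = trim(name, {ws}) WHERE name <> trim(name, {ws})",
        "UPDATE records SET name = ltrim(name, '.') WHERE name LIKE '.%'",
    )
    changed = 0
    for sql in statements:
        changed += conn.execute(sql).rowcount
    conn.commit()
    return changed
```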

To check the consistency of all your zones, you can run a command like this:

# from PowerDNS 3.x:
pdnssec check-all-zones
# from PowerDNS 4.x:
pdnsutil check-all-zones

This command gave me a lot of work… But we are building a new, better and improved system to manage your zones!

06 Feb 2016, 00:00

Limit requests on Caddy with fail2ban

I have been using Caddy for a few weeks now. I like the sense and simplicity of this web server. The only thing is that my website scanner complains about unlimited HTTP requests: it is able to send as many requests as it likes. The Caddy web server doesn’t crash, which is a good thing, but a downside can be that it eats up CPU and RAM resources.

The simple solution

It would be nice if Caddy had a solution for that. Looking at the project on GitHub, they are thinking about it. For now, I chose the easy way with Fail2Ban. Fail2Ban is a tool that scans log files, finds patterns and takes action on what it finds.


The first thing we do is create a filter file for this. The file name in my example is /etc/fail2ban/filter.d/caddy-req-limit.conf, but you can name it whatever you want.

So, Start the text editor:

vim /etc/fail2ban/filter.d/caddy-req-limit.conf

And add this content to the file:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

Then we edit the /etc/fail2ban/jail.local file.

vim /etc/fail2ban/jail.local

Add the following lines to the bottom:

# Caddy request limit
[caddy-req-limit]
enabled = true
filter = caddy-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /opt/CaddyServer/logs/binaryfigments.log
findtime = 300
bantime = 7200
maxretry = 300

Be sure to change the logpath value to the correct file on your system. You can also adjust the values of findtime, bantime and maxretry to whatever fits your needs.

After this is done, you have to restart fail2ban.

systemctl restart fail2ban

You can check whether the fail2ban jail / filter is running:

fail2ban-client status caddy-req-limit

Status for the jail: caddy-req-limit
|- filter
|  |- File list:	/opt/CaddyServer/logs/binaryfigments.log
|  |- Currently failed:	0
|  `- Total failed:	669
`- action
   |- Currently banned:	2
   |  `- IP list:
   `- Total banned:	2

In the output above, fail2ban has already found some heavy requesters.
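The filter and the jail thresholds above, as an added Python model that is not part of the post or of fail2ban: it applies the failregex to constructed Caddy log lines (documentation IP addresses, constructed timestamps) and bans a host once it reaches maxretry matching requests inside a findtime window, which is the counting the jail does in simplified form.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The post's failregex; fail2ban's <HOST> tag becomes a plain capture group here (assumption: the client
# address is the first whitespace-free token of a Caddy common-log line).
FAILREGEX = re.compile(r'^(?P<host>\S+) -.*"(GET|POST).*')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
START = datetime(2016, 2, 6, 12, 0, 0, tzinfo=timezone(timedelta(hours=1)))  # constructed


def parse_line(line):
    """(host, timestamp) for a line the filter counts as a failure, None for lines it ignores."""
    m = FAILREGEX.match(line)
    ts = re.search(r"\[([^\]]+)\]", line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), TS_FORMAT)


def find_bans(lines, findtime=300, maxretry=300):
    """Simplified jail: a host is banned once it has maxretry matching lines inside a findtime-second
    window. Returns {host: timestamp of the request that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host in banned:
            continue
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that fell out of the findtime window
            hits.popleft()
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned


def constructed_log(host, count, step_seconds, method="GET"):
    """Caddy common-log-format lines, one every step_seconds starting at START (constructed sample data)."""
    return [f'{host} - - [{(START + timedelta(seconds=i * step_seconds)).strftime(TS_FORMAT)}] '
            f'"{method} / HTTP/1.1" 200 512' for i in range(count)]


def demo():
    """Three clients against the post's findtime=300 / maxretry=300; only the first one gets banned."""
    lines = (constructed_log("198.51.100.7", 350, 1)          # 1 request/s: reaches 300 within 300 s
             + constructed_log("203.0.113.9", 400, 2)          # 1 request/2 s: ~151 per window, never banned
             + constructed_log("192.0.2.44", 50, 10)           # a normal visitor
             + constructed_log("192.0.2.44", 500, 1, "HEAD"))  # HEAD requests do not match the filter
    return find_bans(lines)
```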

Note on logging with Caddy

Logging in Caddy can be enabled by editing the Caddyfile. Add the following options to the site you want to log.

log logs/binaryfigments.log {
    rotate {
        size 100 # Rotate after 100 MB
        age  14  # Keep log files for 14 days
        keep 10  # Keep at most 10 log files
    }
}

This is from the example on the website of Caddy.