PTT – The Pen Testing Toolkit: Websearch

In the last post I showed how to look up some information in DNS using PTT – The Pen Testing Toolkit. But there should be more: since everything of interest is on the Web nowadays, we will search the web.

If you installed PTT this morning you are already outdated. Get r801 here.

For the next step you need some additional modules: google and yahoo. You can use python bin/ptt-confcheck to see whether they are installed:

md@hextatic ~ptt$ python bin/ptt-confcheck
I will check now if every is in place for the pen testing toolkit.
checking for module 'google' ... ok
checking for module 'yahoo' ... ok
checking for module 'ADNS' ... ok
checking for module 'OpenSSL' ... ok
checking for programm 'nmap' ...
checking for programm 'unicornscan' ...sh: line 1: unicornscan: command not found
checking for SIGINFO ... ok

If you are missing the Python google and yahoo bindings and your package management system does not provide them, try this:

md@hextatic ~/ptt$ cd thirdparty/
md@hextatic ~/ptt$ tar xzvf pygoogle-0.6.tar.gz
md@hextatic ~/ptt$ cd pygoogle-0.6
md@hextatic ~/ptt/pygoogle-0.6$ python setup.py build
md@hextatic ~/ptt/pygoogle-0.6$ sudo python setup.py install
md@hextatic ~/ptt$ cd ..
md@hextatic ~/ptt$ sudo rm -Rf pygoogle-0.6
md@hextatic ~/ptt$ tar xzvf yws-1.2.tgz 
md@hextatic ~/ptt$ (cd yws-1.2/python/pYsearch-1.3/; 
                    sudo python setup.py install)
md@hextatic ~/ptt$ sudo rm -Rf yws-1.2

Run bin/ptt-confcheck to see whether you installed everything successfully. Then go back to the directory created for our tests. We will look further into the Deutsche Bank.

md@hextatic ~/ptttest$ echo 'deutsche-bank.de' > target-domains.txt
md@hextatic ~/ptttest$ echo 'deutsche-bank.com' >> target-domains.txt
md@hextatic ~/ptttest$ echo 'db.com' >> target-domains.txt
md@hextatic ~/ptttest$ ptt-dnsbruteforce
[wait a long time]
md@hextatic ~/ptttest$ sort -u output/dnsbruteforce.txt target-domains.txt  > t
md@hextatic ~/ptttest$ mv t target-domains.txt

Now that we have a solid basis of host- and domain names to work from, we add some hints on what might be good search terms for finding information related to our target.

echo "Deutsche Bank" > searchterms.txt # not that creative, eh?

We start ptt-webharvest-hostsandemail, which is meant to collect hostnames and e-mail addresses. ptt-webharvest-hostsandemail is very slow, so don't hold your breath while it is running.

ptt-webharvest-hostsandemail first tries to use major search engines (MSN, Google and Yahoo for now) to find hostnames not known to us so far by using the site: operator.

To be somewhat more agile, ptt-webharvest-hostsandemail creates a cache directory called "cache" in the current working directory. This directory can get VERY big (several GB), but you may delete it whenever you want.

md@hextatic ~/ptttest$ python ptt-webharvest-hostsandemail 
searching for 'site:db.com -site:ns5.db.com -site:brazil.db.com 
-site:ra.db.com -site:www3.db.com -site:ns6.db.com -site:ns7.db.com 
-site:ns2.db.com -site:wave.db.com -site:ftp.db.com 
-site:australia.db.com -site:smtp6.db.com -site:gm.db.com 
-site:ns4.db.com -site:ars.db.com -site:ns1.db.com -site:ger.db.com 
-site:re.db.com -site:fix.db.com -site:argentina.db.com 
-site:chile.db.com -site:em.db.com -site:ns3.db.com -site:wap.db.com'
53 results
Set([u'www.cib.db.com', u'index.db.com', u'www.alexbrown.db.com',
u'www.corporatefinance.db.com', u'www.autobahn-moneymarkets.db.com',
u'europe.dbtrader.db.com', u'www.deam-us.db.com', 
u'primeservices.db.com', u'www.adr.db.com', u'www.community.db.com',
u'dweb.db.com', u'www.connect.db.com', u'conferences.db.com',
u'www.dbgcm.db.com', u'gm-secure.db.com', u'www.weblondon.db.com',
u'wows.db.com', u'equities.research.db.com', u'web-auth.db.com',
u'www.ederivatives.db.com', u'www.optionselect.db.com',
u'www.exchangelink.db.com', u'www.conferences.db.com',
u'ap.research.db.com', u'www.tss.db.com', u'dbrasweb.db.com',
u'eqfinance.db.com', u'vemex.db.com', u'www.db.com',
u'www.coins.db.com'])
searching for 'site:deutsche-bank.com -site:info.deutsche-bank.com
-site:banking.deutsche-bank.com -site:chat.deutsche-bank.com
-site:rp.deutsche-bank.com'
146 results
Set([u'dbmarkets-etrade.deutsche-bank.com',
'www.environment.deut [...] sche-bank.de'
53 results
Set([u'ghp.deutsche-bank.de', u'www.is-asp.pbc.deutsche-bank.de',
u'geschaeftsbericht.deutsche-bank.de', u'www.umwelt.deutsche-bank.de'])
[...]

In the next step we search for sites containing the search terms read from searchterms.txt and the hostnames read from target-domains.txt with half a dozen search engines, download the pages containing these terms and parse them for hostnames and e-mail addresses. This process basically takes forever.

searching for 'link:ns7.db.com'
3 results
http://www.hotmail.com Set(['loginnet.passport.com', 'login.passport.net',
'www.hotmail.com']) Set([])
http://www.w3.org/1999/xhtml Set(['www.w3.org', 'cgi.w3.org']) Set([])
searching for 'link:http://www.wob3.deutsche-bank.de/'
5 results
http://www.wob3.deutsche-bank.de/ Set(['www.wob3.deutsche-bank.de']) Set([])
http://wob.deutsche-bank.de/ Set(['www.db.com', 'wob.[...]']) Set([])
searching for 'link:http://ns4.db.com/'
4 results
http://ns4.db.com/ Set(['ns4.db.com']) Set([])
searching for 'link:http://banking.deutsche-bank.de/'
12 results
http://www.dm-online.de/ Set(['finaonl.ivwbox.de', [...]
http://www.froehner.us/Bookmarks/Bookmarks%20IBM-N.htm 
Set([[...] 'guide.netscape.com', 'finanzen.yahoo.de', 'www.[...]']) Set([])

As you can see, we find lots of hostnames obviously not directly related to the organisation we are exploring. How to filter for the interesting stuff will be explained in another posting.
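To make the two harvesting steps above concrete, here is an added Python sketch (not PTT's own code) of what the harvester does: building the site: query that excludes the hosts it already knows, pulling hostnames and e-mail addresses out of a downloaded page, and separating hosts under the target domains from third-party noise. The sample page and the addresses in it are constructed for this example.

```python
import re

# Constructed sample of a downloaded page (not real content from any of the sites above).
SAMPLE_HTML = """<html><body>
<a href="http://www.wob3.deutsche-bank.de/">Online banking</a>
<a href="https://equities.research.db.com/reports">Research</a>
<img src="http://finaonl.ivwbox.de/">
Contact: example.user@db.com or example.press@deutsche-bank.de
Validator: http://www.w3.org/1999/xhtml
</body></html>"""

# Crude matchers: any dotted name whose last label is alphabetic counts as a host,
# so a file name like "count.gif" would slip through; a TLD allowlist would tighten this.
HOST_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)
EMAIL_RE = re.compile(r'\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)


def build_site_query(domain, known_hosts):
    """Build the 'site:domain -site:known ...' query seen in the tool's output:
    every host already known under the domain is excluded, so the engine only
    returns pages that may reveal hostnames we do not have yet."""
    excluded = sorted(h for h in known_hosts if h != domain and h.endswith('.' + domain))
    return ' '.join([f'site:{domain}'] + [f'-site:{h}' for h in excluded])


def harvest(page_text):
    """Return (hostnames, e-mail addresses) found in one downloaded page."""
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(page_text)}
    # Blank out the addresses first so 'example.user' is not mistaken for a host.
    stripped = EMAIL_RE.sub(' ', page_text)
    hosts = {m.group(0).lower() for m in HOST_RE.finditer(stripped)}
    hosts |= {e.split('@', 1)[1] for e in emails}  # the mail domain is a host too
    return hosts, emails


def split_by_scope(hosts, target_domains):
    """Separate hosts under the target domains from third-party noise."""
    related = {h for h in hosts
               if any(h == d or h.endswith('.' + d) for d in target_domains)}
    return related, hosts - related


if __name__ == '__main__':
    targets = ['deutsche-bank.de', 'deutsche-bank.com', 'db.com']
    hosts, emails = harvest(SAMPLE_HTML)
    related, noise = split_by_scope(hosts, targets)
    print(build_site_query('db.com', related))
    print('related:', sorted(related))
    print('noise:  ', sorted(noise))
    print('emails: ', sorted(emails))
```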

One comment on "PTT – The Pen Testing Toolkit: Websearch"

  1. pichiboochi
     2009-06-17 at 03:28

     thanks for the info -cheers-
