Topic 2 - Information Gathering

© All rights reserved. www.keepcoding.io
http://www.keepcoding.io

Information Gathering
● Gather information about the system we are going to attack
● When carrying out this phase we talk about:
○ Footprinting and Fingerprinting
■ Footprinting: no need to interact directly with the target
● Whois, Google searches
■ Fingerprinting: direct interaction with the systems
● Port scanning

Footprinting

Search engines
Search engines:
● www.google.com 
● www.bing.com 
● www.duckduckgo.com 


Dorks
● site:trello.com password 
● inurl:5601/app/kibana 
● inurl:"/xmlrpc.php?rsd" & ext:php 
http://www.exploit-db.com/google-dorks/ 


Dorks
● site:policia.es login 
● "database_password" filetype:yml "config/parameters.yml" 
● filetype:pdf "acunetix website audit" "alerts summary" 
● xamppdirpasswd.txt filetype:txt 
● "DB_PASSWORD" filetype:env 
○ Laravel apps

GitLeaks
● https://github.com/zricethezav/gitleaks 
● https://github.com/michenriksen/gitrob
Robots.txt
● Robots.txt is a mechanism used so that search engines such as Bing or Google do not index certain pages
● There is no need to list login URLs or intranet addresses in robots.txt: the file is public, so anyone can read them there
● Alternative: the X-Robots-Tag HTTP header

Security.txt
https://securitytxt.org/
DNS zone transfer
● DNS zone transfer
○ Process by which a copy of the DNS server's database (the zone) is requested
Certificate Transparency
● Project that publishes and monitors SSL certificates
● Detects malicious certificates or a compromised certificate authority
https://www.certificate-transparency.org/
https://github.com/x0rz/phishing_catcher
Abusing Certificate Transparency
https://github.com/UnaPibaGeek/ctfr
Abusing Certificate Transparency
1. git clone https://github.com/UnaPibaGeek/ctfr.git 
2. cd ctfr 
3. sudo apt install python3-pip 
4. pip3 install -r requirements.txt 
5. python3 ctfr.py -d keepcoding.io
https://github.com/UnaPibaGeek/ctfr
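As an added example, not part of the slides or of the ctfr project, here is a Python snippet that works on crt.sh-style JSON records (the Certificate Transparency data ctfr queries): it builds the hostname inventory for a domain, as the steps above do, and flags certificates from issuers outside an allowlist, which is the defensive use of Certificate Transparency described two slides earlier. The record format, the example.org names and the trusted-issuer list are assumptions.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (assumption: the
# field names mirror crt.sh; real records carry more fields than these).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.org",
     "name_value": "www.example.org\nexample.org"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "old-staging.example.org",
     "name_value": "old-staging.example.org"},
    {"issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA",
     "common_name": "login.example.org",
     "name_value": "login.example.org\n*.example.org"},
])

# The CAs this organisation actually obtains certificates from (assumed).
TRUSTED_ISSUERS = ("Let's Encrypt",)


def hostnames_from_ct(ct_json, domain):
    """Sorted set of hostnames under `domain` seen in the CT records: the
    inventory ctfr builds, which also surfaces forgotten hosts (old-staging)."""
    names = set()
    for rec in json.loads(ct_json):
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def unexpected_issuers(ct_json, trusted=TRUSTED_ISSUERS):
    """(common_name, issuer) for every certificate not issued by a trusted CA:
    the signal for a rogue or mis-issued certificate the slide mentions."""
    return [(rec["common_name"], rec["issuer_name"])
            for rec in json.loads(ct_json)
            if not any(ca in rec["issuer_name"] for ca in trusted)]


if __name__ == "__main__":
    print(hostnames_from_ct(SAMPLE_CT_JSON, "example.org"))
    print(unexpected_issuers(SAMPLE_CT_JSON))
```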
Whois
● Company the domain is registered with (the registrar)
● Who registered it
https://whois.domaintools.com/
http://www.dominios.es/dominios/

Domain renewal
https://www.theverge.com/2015/6/19/8811425/heinz-ketchup-qr-code-porn-site-fundorado

SSL Server Test
https://www.ssllabs.com/ssltest/
SSL Server Test
● Grades from A+ to F
Wappalyzer
● Detects web technologies
● Written in Node.js and open source
● Browser plugins:
○ https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg
○ https://addons.mozilla.org/es/firefox/addon/wappalyzer/
https://www.wappalyzer.com/
https://github.com/AliasIO/Wappalyzer

Fingerprinting

Nmap
● Open source program for port scanning
● First version released in 1997
● Official GUI:
○ https://nmap.org/zenmap/
● Supports scripts (NSE):
○ https://nmap.org/book/man-nse.html

https://nmap.org/
Nmap scan types

● TCP SYN (-sS)
● UDP (-sU)
● TCP ACK (-sA)
● TCP NULL (-sN)
● TCP XMAS (-sX)
● TCP FIN (-sF)
● TCP IDLE (-sI)


Nmap host discovery

Host discovery with ARP
● ARP: the address resolution protocol used on the local network

Nmap scan
● -O Operating system detection
● -v Verbosity
● -sV Service version detection
● -A Enables OS detection, version detection and traceroute
● -Pn No ping (skip host discovery)
● -p Port number(s)
By default Nmap scans ports up to 1024 plus those listed in the nmap-services file

Nmap modes and timing
● -T 0,1,2,3,4,5: timing and packet-sending rate
○ paranoid 0
○ sneaky 1
○ polite 2
○ normal 3
○ aggressive 4
○ insane 5
Modes 1 and 2 are used to evade IDS


Nmap Output
● -oN Normal output
● -oX XML output
● -oS Script Kiddie output (HaXXorZ output)
○ Example: 4pacH3 JsErv (PROtOC0L v1.3)
○ A joke by the developers
● -oG Grepable output
● -oA Output in all formats
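As an added example (not from the slides), the following Python script reads the -oX XML output described above and flags open ports that are not on an approved baseline, which is how a defender turns a scan of their own network into a list of unexpected exposures. The XML sample, the 10.0.0.0/29 addresses and the baseline are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an nmap -oX report, trimmed to the
# elements used below (real reports carry many more attributes).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/>
        <service name="vnc"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""

# Ports each host is approved to expose (assumption: the organisation's own
# baseline); any other open port is an unexpected exposure worth a ticket.
BASELINE = {"10.0.0.5": {("tcp", 22), ("tcp", 443)}}

def open_ports(nmap_xml):
    """Map each live host to its open ports: {addr: {(proto, port): banner}}."""
    result = {}
    for host in ET.fromstring(nmap_xml).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that did not answer carry no port data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        result[addr] = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposures
            svc = port.find("service")
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            banner = " ".join(f for f in fields if f) or "unknown"
            result[addr][(port.get("protocol"), int(port.get("portid")))] = banner
    return result

def unexpected_exposures(nmap_xml, baseline=BASELINE):
    """[(addr, proto, port, banner)] for open ports outside the approved baseline."""
    findings = []
    for addr, ports in open_ports(nmap_xml).items():
        for (proto, port), banner in sorted(ports.items()):
            if (proto, port) not in baseline.get(addr, set()):
                findings.append((addr, proto, port, banner))
    return findings
```

Run `unexpected_exposures(SAMPLE_NMAP_XML)` to get the list of findings; with the sample data it reports only the VNC service on port 5900.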

Banner

Nmap Scripts
● Script location: /usr/share/nmap/scripts/
● Adding a script:
a. Copy it to the /usr/share/nmap/scripts folder
b. Run --script-updatedb
c. Run it with --script <<script-name>>

Zenmap GUI

Shodan
● Shodan is a search engine for Internet-connected devices
● It lets us obtain information about the target silently, without touching it ourselves
○ www.shodan.io
● Extensions exist for Firefox and Chrome:
○ https://addons.mozilla.org/es/firefox/addon/shodan_io/
○ https://chrome.google.com/webstore/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap


Shodan
https://twitter.com/shodanhq/status/654348699582251009?lang=es

Shodan
● City: devices located in a given city
● Country: devices located in a given country
● Geo: search by coordinates
● Hostname: search devices by host name
● Org: search devices by organisation name
● Net: search by IP address
● os: search by operating system
● Port: search for specific ports
● Before/after: results within a time range
● Product: search by product, e.g. MySQL, MongoDB, PostgreSQL


Exercise
● "authentication disabled" port:5900 
● port:554 Hipcam country:ES 
● product:MongoDB 
● port:9200 json 
● title:"xzeres wind" 
● Minecraft Server port:25565 
Twitter hashtag #ShodanSafari
https://twitter.com/hashtag/ShodanSafari?src=hash

Shodan plugin

Misconfigured hosts

Shodan
VNC without authentication

Shodan
https://www.shodan.io/host/77.226.237.252

Shodan API

Shodan Maps

Shodan ScanHub

Metadata
● Metadata refers to "data about data"
○ GPS coordinates
○ Edit and creation dates
○ User who created the file

John McAfee

FOCA
● Tool focused on metadata extraction
● Allows automated download and analysis of the documents present on a website
● Retrieves all the documents associated with a domain that search engines have indexed

https://www.elevenpaths.com/es/labstools/foca-2/index.html
https://github.com/ElevenPaths/FOCA

ExifTool
● Tool focused on metadata extraction
● Allows metadata to be modified
● Cross-platform
● Install:
○ apt install exiftool
https://www.sno.phy.queensu.ca/~phil/exiftool/

FOCA

ExifTool
1. site:keepcoding.io filetype:pdf
2. exiftool <<document>>

ExifTool: modifying metadata
1. exiftool -rights="Copyright" -CopyrightNotice="Copyright" <<file>>
2. exiftool -overwrite_original -Author="Carlos Cilleruelo" <<file>>

Spiderfoot
● Open source tool for automated footprinting and intelligence gathering
http://www.spiderfoot.net/download/