TASK 1: Basic tools for gathering information on external servers (#moocHackingMU)

September 22, 2015 in internet, SysAdmin by b3r2c0

To avoid making this too personal and to give the task some integrity, I ran the relevant tests against the test addresses given in the task itself; I also ran the same tests against domains belonging to people I know, whose results, for obvious reasons, are not shown here.

Ping: As the task requested, I pinged the following servers:

www.google.es (high latency is visible because the network is under heavy load at this hour, but it confirms that the host is "alive")

64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=30 ttl=56 time=567 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=31 ttl=56 time=416 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=32 ttl=56 time=515 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=33 ttl=56 time=570 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=34 ttl=56 time=102 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=35 ttl=56 time=317 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=36 ttl=56 time=244 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=37 ttl=56 time=262 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=38 ttl=56 time=277 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=39 ttl=56 time=266 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=40 ttl=56 time=180 ms
64 bytes from mad01s24-in-f227.1e100.net (216.58.211.227): icmp_seq=41 ttl=56 time=25.5 ms

And euskalert.net (in this case the host shows no sign of being up; we will later verify that this is a security measure, since it does respond to nmap)

b@lostintheshell:~$ ping www.euskalert.net
PING www.euskalert.net (193.146.78.12) 56(84) bytes of data.

Whois: I tried a few domains I own; while the owner's name does appear, the contact details are obfuscated, since the whois-privacy service is contracted from the ISPs, which allows sensitive data to be hidden, and this is without doubt a recommended practice.

On the other hand, I tried domains of people I know and, in most cases, their home address, phone numbers, etc. appear. So as not to single out or spread any of them, the data obtained from the euskalert.net record serves as an example:

b@lostintheshell:~$ whois euskalert.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: EUSKALERT.NET
Registrar: ACENS TECHNOLOGIES, S.L.U.
Sponsoring Registrar IANA ID: 140
Whois Server: whois.interdomain.net
Referral URL: http://www.interdomain.es
Name Server: NS1.MONDRAGON.EDU
Name Server: NS2.MONDRAGON.EDU
Status: ok http://www.icann.org/epp#OK
Updated Date: 30-jan-2015
Creation Date: 31-oct-2006
Expiration Date: 31-oct-2015

>>> Last update of whois database: Tue, 22 Sep 2015 21:19:02 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar’s sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant’s agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar’s Whois database to
view the registrar’s reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services’ (“VeriSign”) Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.

Domain Name: euskalert.net
Registry Domain ID:
Registrar WHOIS Server: whois.interdomain.net
Registrar URL: http://www.acens.com/
Updated Date: 2015-05-07T13:44:45Z
Creation Date: 2006-10-31T12:56:37Z
Registrar Registration Expiration Date: 2015-10-31T11:56:37Z
Registrar: acens Technologies, S.L.U.
Registrar IANA ID: 140
Registrar Abuse Contact Email: abuse@acens.com
Registrar Abuse Contact Phone:+34.911418583
Domain Status: ok http://www.icann.org/epp#ok
Registry Registrant ID:
Registrant Name: Mondragon Goi Eskola Politeknikoa, J.M.A., S.Coop
Registrant Organization:
Registrant Street: Loramendi 4
Registrant City: Arrasate
Registrant State/Province: Gipuzkoa
Registrant Postal Code: 20500
Registrant Country: ES
Registrant Phone: 943794700
Registrant Fax:
Registrant Email: amanterola@eps.mondragon.edu
Registry Admin ID:
Admin Name: Mondragon Goi Eskola Politeknikoa, J.M.A., S.Coop
Admin Organization: Mondragon Goi Eskola Politeknikoa, J.M.A., S.Coop
Admin Street: Loramendi,4
Admin City: Arrasate
Admin State/Province: GIPUZKOA
Admin Postal Code: 20500
Admin Country: ES
Admin Phone: +34.943794700
Admin Fax:
Admin Email: sistemak@eps.mondragon.edu
Registry Tech ID:
Tech Name: RESPONSABLE DE DNS
Tech Organization: RESPONSABLE DE DNS
Tech Street: JULIAN CAMARILLO 6
Tech City: MADRID
Tech State/Province: MADRID
Tech Postal Code: 28013
Tech Country: ES
Tech Phone: +34.913752300
Tech Fax:
Tech Email: dns_admin@corp.terra.es
Name Server: ns1.mondragon.edu
Name Server: ns2.mondragon.edu
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database:2015-05-07T13:44:45Z<<<
For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

acens’s WHOIS database is provided by acens Technologies for information
purposes only, proving information about or related to a domain name
registration record.
Acens makes this information available “as is,” and does not guarantee
its accuracy.
By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic mail, or
by telephone; or (2) enable high volume, automated, electronic processes that
apply to acens (or its systems).  The compilation, repackaging,
dissemination or other use of this data is expressly prohibited without the
prior written consent of acens.
acens  reserves the right to modify these terms at any time. By
submitting this query, you agree to abide by these terms.
NOTE: THE WHOIS DATABASE IS A CONTACT DATABASE ONLY. LACK OF A DOMAIN RECORD

From which we can obtain information about specific people, addresses and phone numbers (in this case it is tied to an organization).
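As an added example (not part of the original post), a small Python check that reads a WHOIS record in the key: value layout shown above, lists which contact fields are published for each role, and warns when the registrar expiration date is near. The record it reads is constructed for a placeholder domain, and REFERENCE_NOW is set to the timestamp of the query shown above.

```python
from datetime import datetime, timezone

# Contact fields whose presence means personal data is published in the record.
CONTACT_FIELDS = ("Name", "Street", "Phone", "Email")
ROLES = ("Registrant", "Admin", "Tech")
EXPIRY_KEY = "Registrar Registration Expiration Date"
# Time of the WHOIS query shown in the post (22 Sep 2015 21:19 GMT).
REFERENCE_NOW = datetime(2015, 9, 22, 21, 19, tzinfo=timezone.utc)

def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines into a dict; a repeated key keeps its last value
    (the registrar's thick record follows the registry's thin one)."""
    record = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith((">>>", "http")):
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    return record

def exposed_contacts(record: dict) -> dict:
    """Per role, the contact fields that carry a value (blank ones are hidden or privacy-protected)."""
    return {role: [f for f in CONTACT_FIELDS if record.get(f"{role} {f}")] for role in ROLES}

def days_to_expiry(record: dict, now: datetime) -> int:
    """Days until the registrar expiration date; negative once it has passed."""
    exp = datetime.strptime(record[EXPIRY_KEY], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (exp - now).days

def whois_check(text: str, now: datetime, warn_days: int = 60) -> dict:
    record = parse_whois(text)
    days = days_to_expiry(record, now)
    return {"domain": record["Domain Name"], "exposed": exposed_contacts(record),
            "days_to_expiry": days, "expiring_soon": days <= warn_days}

# Constructed record (hypothetical domain), same field layout as the registrar
# section shown in the post; the Admin address and the Tech fields are blank.
SAMPLE_RECORD = """\
Domain Name: example.net
Registrar Registration Expiration Date: 2015-10-31T11:56:37Z
Registrant Name: Example Org
Registrant Street: 1 Example Street
Registrant Phone: +34.000000000
Registrant Email: hostmaster@example.net
Admin Name: Example Org
Admin Street:
Admin Phone:
Admin Email: admin@example.net
Tech Name:
Tech Email:
"""
```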

Nmap: Continuing with the course URLs, we will port-scan the website given in the assignment.

b@lostintheshell:~$ nmap www.euskalert.net

Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-22 23:29 CEST
Nmap scan report for www.euskalert.net (193.146.78.12)
Host is up (0.041s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 118.06 seconds

Where we observe that it has ports 80 and 443 open, corresponding to Apache, both HTTP and HTTPS.
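As an added example (not from the original post), a Python parser for nmap's plain-text report plus a comparison of two reports that flags newly opened ports, the kind of change detection a defender runs over periodic scans of their own hosts. The sample reports are constructed for a placeholder host with the same layout and port states as the scan above; note that the "Host is up" verdict comes from nmap's own probes, which is why a host that drops ICMP ping can still show as up.

```python
import re
from typing import Dict, Tuple

# Regexes for the three lines of nmap's plain-text report that matter here.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?", re.M)
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports", re.M)

def parse_nmap(report: str) -> dict:
    """Turn one host's report into host, address, up/down, unlisted-port state and per-port state."""
    host = HOST_RE.search(report)
    not_shown = NOT_SHOWN_RE.search(report)
    ports: Dict[str, Tuple[str, str]] = {
        f"{num}/{proto}": (state, service)
        for num, proto, state, service in PORT_RE.findall(report)
    }
    return {
        "host": host.group(1) if host else None,
        "addr": host.group(2) if host else None,
        "up": "Host is up" in report,  # nmap's own verdict, independent of ICMP ping
        "not_shown": (int(not_shown.group(1)), not_shown.group(2)) if not_shown else (0, None),
        "ports": ports,
    }

def open_ports(parsed: dict) -> set:
    return {p for p, (state, _) in parsed["ports"].items() if state == "open"}

def diff_scans(baseline: str, current: str) -> Dict[str, set]:
    """Ports that became open, or stopped being open, between two scans of the same host."""
    before, after = open_ports(parse_nmap(baseline)), open_ports(parse_nmap(current))
    return {"newly_open": after - before, "newly_closed": before - after}

# Constructed sample reports (hypothetical host): the first has the same layout
# and port states as the scan in the post, the second is an invented later scan.
SCAN_BASELINE = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-22 23:29 CEST
Nmap scan report for www.example.net (192.0.2.10)
Host is up (0.041s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
"""
SCAN_LATER = SCAN_BASELINE.replace("Not shown: 998", "Not shown: 997") + "22/tcp  open   ssh\n"
```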

Vulnerability on port 80