Ok, next assignment from my sensei.
Perform information gathering on these sites:
is2c-dojo.net
is2c-dojo.com
www.spentera.com
Hmm..
After some time scanning, here's my result:
1. is2c-dojo.net
First of all, I do an nslookup in order to find the original IP of the target. By performing this command I can also get information about the IP block owned by the target.
# nslookup is2c-dojo.net
Here's the result:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: is2c-dojo.net
Address: 216.239.36.21
Name: is2c-dojo.net
Address: 216.239.34.21
Name: is2c-dojo.net
Address: 216.239.32.21
Name: is2c-dojo.net
Address: 216.239.38.21
From the above information we know that there are several IPs related to the website.
Ok, let's take 216.239.36.21 and test it with the whois command.
# whois 216.239.36.21
And here is the result.
hmm.. Google.
When the result looks like that, I assume that the site is using Blogger by Google.
Let's see the page source.
On the home page, right-click and select View Page Source.
Jackpot, there's a block of text there:
Blogger Template Style
Name: BlueWeb
Author: Klodian
URL: www.deluxetemplates.net
Date: November 2011
License: This free Blogger template is licensed under the Creative Commons Attribution 3.0 License, which permits both personal and commercial use. However, to satisfy the ‘attribution’ clause of the license, you are required to keep the footer links intact which provides due credit to its authors. For more specific details about the license, you may visit the URL below:
http://creativecommons.org/licenses/by/3.0
It says that the template is for Blogger.
2. is2c-dojo.com
Same as before, I do nslookup to see the IP of the target.
# nslookup is2c-dojo.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: is2c-dojo.com
Address: 67.222.154.106
Then, perform the whois command.
# whois 67.222.154.106
Hmm..
Datacenter. No idea what it is.
3. www.spentera.com
Again, perform nslookup.
# nslookup www.spentera.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
www.spentera.com canonical name = spentera.com.
Name: spentera.com
Address: 74.81.66.104
And then whois.
# whois 74.81.66.104
Global Net Access, LLC GNAXNET (NET-74-81-64-0-1) 74.81.64.0 - 74.81.95.255
WebHostingBuzz USA LLC. GNAX-WHB-1 (NET-74-81-66-0-1) 74.81.66.0 - 74.81.66.255
Only got the above information. Looks like it is hosted on a US server.
Let's search for a robots.txt on this site. (I'll explain more about robots.txt later.)
http://www.spentera.com/robots.txt
Bingo, here's the result:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Sitemap: http://www.spentera.com/sitemap.xml.gz

So, this site is using WordPress (note the /wp-admin/ folder).
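As an added example, not part of the original post, here is a small Python script that does the robots.txt check above programmatically: it parses the file into per-User-agent rule groups and reports which of the listed paths give away the CMS, so a site owner can see what their own robots.txt advertises. SAMPLE_ROBOTS is the file fetched above as constructed input, and CMS_HINTS is a small hypothetical hint table.

```python
# Constructed sample: the robots.txt the post retrieved, as a server would serve it.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Sitemap: http://www.spentera.com/sitemap.xml.gz
"""

# Hypothetical hint table: well-known path prefixes and the software they usually mean.
CMS_HINTS = {
    "/wp-admin/": "WordPress",
    "/wp-includes/": "WordPress",
    "/wp-content/": "WordPress",
    "/administrator/": "Joomla",
}


def parse_robots(text):
    """Return ({user-agent: [(directive, path), ...]}, [sitemap URLs])."""
    groups, sitemaps = {}, []
    current = []  # user-agents of the group currently being filled
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if ":" not in line:
            continue  # blank or malformed line
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "sitemap":
            sitemaps.append(value)  # the URL contains ':' too, hence split(..., 1)
            continue
        if field == "user-agent":
            if not last_was_agent:  # consecutive User-agent lines share one group
                current = []
            current.append(value)
            groups.setdefault(value, [])
        elif field in ("allow", "disallow") and value:  # empty Disallow means allow all
            for agent in current:
                groups[agent].append((field, value))
        last_was_agent = field == "user-agent"
    return groups, sitemaps


def fingerprint(groups):
    """Map each recognised software name to the listed paths that gave it away."""
    hits = {}
    for rules in groups.values():
        for _directive, path in rules:
            for prefix, software in CMS_HINTS.items():
                if path.startswith(prefix):
                    hits.setdefault(software, set()).add(path)
    return {name: sorted(paths) for name, paths in hits.items()}
```

Running `fingerprint(parse_robots(SAMPLE_ROBOTS)[0])` on the file above reports WordPress from the two /wp-* paths, which is the same conclusion drawn by eye.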
Let's scan it using wpscan, located in /pentest/web/wpscan.
# ruby wpscan.rb --url www.spentera.com

[+] The WordPress theme in use is called NovaTheme_v2.0
Hoho, good.
More updates coming soon. 🙂