Realice auditorías de seguridad en cualquier sitio web con Killshot

La herramienta KillShot puede rastrear una aplicación web objetivo y encontrar su tecnología web back-end, identificar sistemas de administración de contenido (CMS) utilizado, así como escanear puertos abiertos con servicios en ejecución. Con la ayuda de otras herramientas de hacking, como Whatweb, Dig, Fierce o Identifies CMS, Killshot puede escanear y recolectar información sobre cualquier sitio web. El uso de Killshot, así como del resto de herramientas antes mencionadas, forma parte de los temas del curso de hacking ético del Instituto Internacional de Seguridad Cibernética (IICS). 

Instalación

  • Esta herramienta fue probada en Kali Linux 2018.2
  • Abra el terminal y escriba git clone https://github.com/bahaabdelwahed/killshot
  • Cuando se descargue, escriba cd killshot
  • Luego escriba ruby setup.rb (si la configuración muestra algún error, intente instalar las herramienta manualmente)
  • La solicitud de algunos permisos tomará un tiempo, presione siempre SÍ y continúe con la instalación. Para ejecutar la herramienta, escriba ruby killshot.rb
  • Luego escriba help

Uso

  • Estamos utilizando www.hackthissite.org como sitio web objetivo
  • Después de la opción help, elija el sitio e ingrese
root@kali:~/killshot# ruby Killshot.rb
██╗ ██╗██╗██╗ ██╗ ███████╗██╗ ██╗ ██████╗ ████████╗
██║ ██╔╝██║██║ ██║ ██╔════╝██║ ██║██╔═══██╗╚══██╔══╝
█████╔╝ ██║██║ ██║ ███████╗███████║██║ ██║ ██║
██╔═██╗ ██║██║ ██║ ╚════██║██╔══██║██║ ██║ ██║
██║ ██╗██║███████╗███████╗ ███████║██║ ██║╚██████╔╝ ██║
╚═╝ ╚═╝╚═╝╚══════╝╚══════╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝
<Track my Target> Gather information About Targets
track>>> : help
[site] MAKE YOUR TARGET
[help] show this MESSAGE
[targ] Search targets
[exit] exit the script
[uptd] Update KillShot
[anon] Run Anonymous Mode
[info] About killShot
track>>> :
  • Luego ingrese el sitio web que desea escanear. Estamos usando www.hackthissite.org
  • Escriba www.hackthissite.org y pulse enter

       .n                   .                 .                  n.
  .   .dP                  dP                   9b                 9b.    .
 4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP
 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
  `9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
    `9XXXXXXXXXXXP' `9XX'   Hide    `98v8P'  Hack   `XXP' `9XXXXXXXXXXXP'
        ~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
                        )b.  .dbo.dP'`v'`9b.odb.  .dX
{0} Spider
{1} Web technologie
{2} WebApp Vul Scanner
{3} Port Scanner
{4} CMS Scanner
{5} Fuzzers
{6} Cms Exploit Scanner
{7} Backdoor Generation
{8} Linux Log Clear
{9} Find MX/NS
info>>> :
  • Ahora mostrará múltiples opciones, puedes usar cualquiera de ellas
  • Aquí estamos utilizando 0 spider
info>>> : 0
ip For www.hackthissite.org :: "137.74.187.104"
Links And Paths ::
Related domains and Parameters ::
https://www.hackthissite.org
irc://irc.hackthissite.org:+7000/
https://www.hackthissite.org/forums
https://www.cafepress.com/htsstore
https://hts.io
https://twitter.com/hackthissite
/
https://www.hackthissite.org/TNG355Q5B85cL3PDeI88H0dLCRYaA776flCTc4MX0u136lQ4hP94cZSnOFheqEU9zT8k6WDlcG17HglFDUi0Tg7kH42bzckCR4Q2ZQ
https://www.hackthissite.org/advertise/
/user/login
/register
/user/resetpass
https://www.hackthissite.org/donate/
/missions/basic/
/missions/realistic/
/missions/application/
/missions/programming/
/missions/phonephreaking/
/missions/javascript/
/missions/forensic/
/missions/playit/extbasic/0/
/missions/playit/stego/0/
irc://irc.hackthissite.org/htb
/blogs
/news
/pages/articles/article.php
/lectures
/pages/programs/programs.php
https://mirror.hackthissite.org/hackthiszine/
  • Esta salida mostrará las páginas rastreadas del dominio objetivo. También mostró el inicio de sesión del usuario y el registro de las páginas del objetivo
  • Y luego estamos usando la opción (1) web technologie, esta opción escaneará el sitio web utilizando WhatWeb Information, Dig y también intentará la transferencia de zona y la fuerza bruta, el resultado de la ruta de rastreo y la detección de cortafuegos e IDS
info>>> : 1
[+]Basic WhatWeb Information ::
terminated with exception (report_on_exception is true):
Traceback (most recent call last):
2542: from /usr/bin/whatweb:981:in block (2 levels) in <main>' 2541: from /usr/bin/whatweb:981:inloop'
2540: from /usr/bin/whatweb:988:in block (3 levels) in <main>' 2539: from /usr/share/whatweb/lib/target.rb:96:inopen'
2538: from /usr/share/whatweb/lib/target.rb:188:in open_url' 2537: from /usr/lib/ruby/2.5.0/net/http.rb:1455:inrequest'
2536: from /usr/lib/ruby/2.5.0/net/http.rb:909:in start' 2535: from /usr/lib/ruby/2.5.0/net/http.rb:920:indo_start'
… 2530 levels…
4: from /usr/lib/ruby/2.5.0/resolv.rb:524:in block in fetch_resource' 3: from /usr/lib/ruby/2.5.0/resolv.rb:769:insender'
2: from /usr/lib/ruby/2.5.0/resolv.rb:629:in allocate_request_id' 1: from /usr/lib/ruby/2.5.0/resolv.rb:629:insynchronize'
/usr/lib/ruby/2.5.0/resolv.rb:630:in block in allocate_request_id': stack level too deep (SystemStackError) Traceback (most recent call last): 2542: from /usr/bin/whatweb:981:inblock (2 levels) in
'
.-------------------------SNIP---------------------------------------------
2541: from /usr/bin/whatweb:981:in loop' 2540: from /usr/bin/whatweb:988:inblock (3 levels) in '
2539: from /usr/share/whatweb/lib/target.rb:96:in open' 2538: from /usr/share/whatweb/lib/target.rb:188:inopen_url'
2537: from /usr/lib/ruby/2.5.0/net/http.rb:1455:in request' 2536: from /usr/lib/ruby/2.5.0/net/http.rb:909:instart'
2535: from /usr/lib/ruby/2.5.0/net/http.rb:920:in do_start' ... 2530 levels... 4: from /usr/lib/ruby/2.5.0/resolv.rb:524:inblock in fetch_resource'
3: from /usr/lib/ruby/2.5.0/resolv.rb:769:in sender' 2: from /usr/lib/ruby/2.5.0/resolv.rb:629:inallocate_request_id'
1: from /usr/lib/ruby/2.5.0/resolv.rb:629:in synchronize' /usr/lib/ruby/2.5.0/resolv.rb:630:inblock in allocate_request_id': stack level too deep (SystemStackError)
[+]Host Result ::
www.hackthissite.org has address 137.74.187.100
www.hackthissite.org has address 137.74.187.103
www.hackthissite.org has address 137.74.187.104
www.hackthissite.org has address 137.74.187.102
www.hackthissite.org has address 137.74.187.101
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:102
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:103
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:101
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:104
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:100
[+]Dig Result About Dns::
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7021 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;8.8.8.8. IN A ;; AUTHORITY SECTION: . 6767 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019050800 1800 900 604800 86400 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5506
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;www.hackthissite.org. IN A
;; ANSWER SECTION:
www.hackthissite.org. 2440 IN A 137.74.187.100
www.hackthissite.org. 2440 IN A 137.74.187.103
www.hackthissite.org. 2440 IN A 137.74.187.104
www.hackthissite.org. 2440 IN A 137.74.187.102
www.hackthissite.org. 2440 IN A 137.74.187.101
[+]Trying zone transfer and Brute force ::
Option w is ambiguous (wide, wordlist)
Trying zone transfer first…
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way… brute force
Checking for wildcard DNS…
Nope. Good.
Now performing 2280 test(s)…
Subnets found (may want to probe here using nmap or unicornscan):
Done with Fierce scan: https://ha.ckers.org/fierce/
Found 0 entries.
Have a nice day.
  • Esta salida mostrará la información básica de un sitio web. Su escaneo detectó aplicaciones, servidores web y otras tecnologías. También escanea los encabezados HTTP del servidor web y el origen HTML de un destino.
  • Resultado del host: muestra la dirección IP del host del sitio web y también analiza IPv4 o IPv6 de un sitio web.
  • También escanea el Firewall y el IDS en el destino (No se detectó WAF por la detección genérica) significa NO WAF (Firewall de aplicación web).La herramienta Dig se usa para consultar servidores de nombres DNS, para obtener información como direcciones de host, servidor de correo, servidores de nombres e información relacionada. También se encuentran los registros A del objetivo

NOTA: PARA OBTENER TODAS LAS OPCIONES NO NECESITA DESPLAZARSE, SÓLO ESCRIBA BANNER Y SE MOSTRARÁN TODAS LAS OPCIONES

  • Y ahora usaremos la opción {3} Port Scanner, este escaneará puertos de destino completos utilizando dos herramientas: nmap y unicorn scan

Escaneo con Nmap

  • Elija cualquiera de ellos
            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__|_|
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>0
  • Escriba 0
            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__|_|
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>0
[2] Nmap Os Scan
[3] Nmap TCP Scan
[4] Nmap UDB Scan
[5] Nmap All scan
[6] Nmap Http Option Scan
[7] Nmap Live target In Network
Scanner >>
  • Mostrará todas las opciones de Nmap
            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__|_|
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>0
[2] Nmap Os Scan
[3] Nmap TCP Scan
[4] Nmap UDB Scan
[5] Nmap All scan
[6] Nmap Http Option Scan
[7] Nmap Live target In Network
Scanner >>5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-09 05:59 EDT
Nmap scan report for www.acunetix.com (54.208.84.166)
Host is up (0.24s latency).
rDNS record for 54.208.84.166: ec2-54-208-84-166.compute-1.amazonaws.com
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx
|http-server-header: acunetix.com |_http-title: Did not follow redirect to https://acunetix.com/ 443/tcp open ssl/http nginx | http-robots.txt: 3 disallowed entries |/dontVisitMe/ /blog/worldsecuritynews/* /
|_http-server-header: acunetix.com
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=.acunetix.com/organizationName=Acunetix Ltd/stateOrProvinceName=ST. JULIANS/countryName=MT | Subject Alternative Name: DNS:.acunetix.com, DNS:acunetix.com
| Not valid before: 2018-10-24T00:00:00
|_Not valid after: 2020-11-18T12:00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: media device|specialized|general purpose
Running: Crestron embedded, Wago Kontakttechnik embedded, Linux 2.4.X
OS CPE: cpe:/h:crestron:mpc-m5 cpe:/h:wago_kontakttechnik:750-852 cpe:/o:linux:linux_kernel:2.4.26
OS details: Crestron MPC-M5 AV controller or Wago Kontakttechnik 750-852 PLC, Linux 2.4.26 (Slackware 10.0.0)
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 …
2 4.06 ms 115.97.136.1
3 … 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.15 seconds
  • Nmap TCP Scan muestra los puertos abiertos y cerrados de TCP. Este es uno de los temas más relevantes del curso de hacking ético del IICS

Escaneo de Unicorn

  • Ahora analizaremos la herramienta Unicorn. Debe seguir todos los pasos para obtener la opción de escaneo de puertos y luego seleccionar 1
            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__|_|
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>1
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network
Scanner >>
  • Se mostrarán los tipos de escaneados disponibles
  • Deje que seleccione [9] TCP SYN Scan en una red completa y le pedirá una dirección IP 192.168.1.1 del enrutador
            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__|_|
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>1
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network
Scanner >>9
Your Router Ip : 192.168.1.1
  • Deje que el escaneo continúe
            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__|_|
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>1
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network
Scanner >>9
Your Router Ip : 192.168.1.1
adding 192.168.1.0/24 mode TCPscan' ports7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
using interface(s) eth0
----------------------------------SNIP-------------------------------------
scaning 2.56e+02 total hosts with 8.65e+04 total packets, should take a little longer than 4 Minutes, 55 Seconds
connected 192.168.1.12:34682 -> 192.168.1.10:139
TCP open 192.168.1.10:139 ttl 128
connected 192.168.1.12:19928 -> 192.168.1.5:139
TCP open 192.168.1.5:139 ttl 128
connected 192.168.1.12:57128 -> 192.168.1.3:139
TCP open 192.168.1.3:139 ttl 128
connected 192.168.1.12:40890 -> 192.168.1.4:139
TCP open 192.168.1.4:139 ttl 128
connected 192.168.1.12:63984 -> 192.168.1.3:3389
TCP open 192.168.1.3:3389 ttl 128
connected 192.168.1.12:4474 -> 192.168.1.1:23
TCP open 192.168.1.1:23 ttl 64
connected 192.168.1.12:19804 -> 192.168.1.5:445
TCP open 192.168.1.5:445 ttl 128
connected 192.168.1.12:17218 -> 192.168.1.10:445
TCP open 192.168.1.10:445 ttl 128
connected 192.168.1.12:16075 -> 192.168.1.4:445
TCP open 192.168.1.4:445 ttl 128
connected 192.168.1.12:35635 -> 192.168.1.3:445
TCP open 192.168.1.3:445 ttl 128
connected 192.168.1.12:59512 -> 192.168.1.1:53
TCP open 192.168.1.1:53 ttl 64
connected 192.168.1.12:17273 -> 192.168.1.1:80
TCP open 192.168.1.1:80 ttl 64
connected 192.168.1.12:17994 -> 192.168.1.3:554
TCP open 192.168.1.3:554 ttl 128
connected 192.168.1.12:10098 -> 192.168.1.4:554
TCP open 192.168.1.4:554 ttl 128
connected 192.168.1.12:5254 -> 192.168.1.10:135
TCP open 192.168.1.10:135 ttl 128
connected 192.168.1.12:10011 -> 192.168.1.3:135
TCP open 192.168.1.3:135 ttl 128
connected 192.168.1.12:19956 -> 192.168.1.4:135
TCP open 192.168.1.4:135 ttl 128
connected 192.168.1.12:21180 -> 192.168.1.5:135
TCP open 192.168.1.5:135 ttl 128
connected 192.168.1.12:14926 -> 192.168.1.1:443
TCP open 192.168.1.1:443 ttl 64
connected 192.168.1.12:17101 -> 192.168.1.10:443
TCP open 192.168.1.10:443 ttl 128
connected 192.168.1.12:6074 -> 192.168.1.3:443
TCP open 192.168.1.3:443 ttl 128
connected 192.168.1.12:51922 -> 192.168.1.4:443
TCP open 192.168.1.4:443 ttl 128
connected 192.168.1.12:13164 -> 192.168.1.6:22
TCP open 192.168.1.6:22 ttl 64
sender statistics 177.8 pps with 86528 packets sent total
listener statistics 2894 packets recieved 0 packets droped and 0 interface drops
TCP open telnet[ 23] from 192.168.1.1 ttl 64
TCP open domain[ 53] from 192.168.1.1 ttl 64
TCP open http[ 80] from 192.168.1.1 ttl 64
TCP open https[ 443] from 192.168.1.1 ttl 64
TCP open epmap[ 135] from 192.168.1.3 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.3 ttl 128
TCP open https[ 443] from 192.168.1.3 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.3 ttl 128
TCP open rtsp[ 554] from 192.168.1.3 ttl 128
TCP open ms-wbt-server[ 3389] from 192.168.1.3 ttl 128
TCP open epmap[ 135] from 192.168.1.4 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.4 ttl 128
TCP open https[ 443] from 192.168.1.4 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.4 ttl 128
TCP open rtsp[ 554] from 192.168.1.4 ttl 128
TCP open epmap[ 135] from 192.168.1.5 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.5 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.5 ttl 128
TCP open ssh[ 22] from 192.168.1.6 ttl 64
TCP open epmap[ 135] from 192.168.1.10 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.10 ttl 128
TCP open https[ 443] from 192.168.1.10 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.10 ttl 128
  • Se escanearán todos los puertos TCP abiertos en el objetivo
connected 192.168.1.12:34682 -> 192.168.1.10:139
TCP open 192.168.1.10:139 ttl 128
  • También escanean los puertos TCP abiertos y muestra los servicios con puertos
  • Estadísticas del remitente 177.8 pps con 86528 paquetes enviados en total
  • Para escanear utiliza su tarjeta de red local como se muestra a continuación
using interface(s) eth0