Recon (Part 1.0): Finding Login Panels

adminfinder
login
recon
dns

(Command-Line Ninja) #1

In this post, I will uncover the mysteries of finding hidden login panels and portals, something critical to finding low-hanging fruit and uncovering larger vulnerabilities.

Reconnaissance

In this multipart series, I will be demonstrating and explaining the basics of reconnaissance, something that is critical to finding and successfully exploiting boxes. Instead of covering purely technical aspects, I will be covering practical aspects. So rather than focusing on just DNS recon for this part, I will be looking at finding admin login portals and panels for sites, something that uses multiple skills to execute successfully in most engagements.

Finding hidden subdomains with dnsenum.

The first thing I check a domain for is hidden subdomains. A lot of people don’t hide their subdomains very well, and with a quick run of dnsenum you have access to a panel for their login. You can get dnsenum here on GitHub.

./dnsenum.pl target.com

It will return whatever subdomains and mail servers it can find; you can also do a brute force using a wordlist. I find it generally returns something decent and gives me another lead.

Finding hidden login panels with AdminFinder

The next tool I’ll run is AdminFinder. It will essentially run through a list of known rules for admin and login portals and try to retrieve them; if the server responds with a 404, it will assume the path doesn’t exist, but if it returns a 200 it will alert you and assume it works. While the script is simplistic, it can save you a lot of time. You can get AdminFinder here on GitHub.

Finding hidden login panels with robots.txt

A lot of sites put their secretive directories in example.com/robots.txt to stop search engines like Google from picking them up and indexing them, so if you just put /robots.txt on the end of a site, you’ll generally be surprised at how many results you get.

Theoretical - Finding hidden login panels through an XSS Hook.

In theory, if you can find a stored site-wide XSS vuln, you can hook their browser with BeEF and watch as they navigate directories; this could lead you to gold.

Golden bullet - Finding hidden login panels with a baseball bat.

If worst comes to worst, people will probably give out the details of the whereabouts of their login panels through a social engineering engagement, but of course, you will need to be much more creative than with the rest of these methods.

So using this, you’ve hopefully found your login panel, and can now decide whether to launch a social engineering campaign using SET or manually, or a brute-force attack with THC-Hydra.

Stay tuned 0x00er’s for the next part of my reconnaissance series!
pry0cc
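As an added example (not part of the original post, and not code from dnsenum or AdminFinder), here is how a defender could spot the 200-vs-404 walk that a panel finder performs, run over a web server access log: the log lines and the PANEL_HINTS fragments are constructed for illustration, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2016:10:01:01 +0000] "GET /robots.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2016:10:01:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2016:10:01:02 +0000] "GET /administrator/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2016:10:01:03 +0000] "GET /login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2016:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2016:10:01:04 +0000] "GET /manage/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2016:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2016:10:02:12 +0000] "GET /about.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Path fragments typical of the wordlists panel finders iterate over (constructed, extend per site).
PANEL_HINTS = ("admin", "login", "manage", "cpanel", "wp-", "administrator")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    return m.group("ip"), m.group("path"), int(m.group("status"))

def detect_panel_enumeration(log_text, min_probes=4, min_404_ratio=0.5):
    """Flag clients that walk a panel wordlist: many 404s on panel-like paths from one IP."""
    per_ip = defaultdict(lambda: {"probes": 0, "not_found": 0, "found": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if not any(hint in path.lower() for hint in PANEL_HINTS):
            continue  # ordinary browsing; only count panel-shaped paths
        rec = per_ip[ip]
        rec["probes"] += 1
        if status == 404:
            rec["not_found"] += 1
        elif status == 200:
            rec["found"].append(path)  # the path a panel finder would report as live
    alerts = {}
    for ip, rec in per_ip.items():
        ratio = rec["not_found"] / rec["probes"]
        if rec["probes"] >= min_probes and ratio >= min_404_ratio:
            alerts[ip] = {"probes": rec["probes"], "ratio_404": round(ratio, 2), "hits": rec["found"]}
    return alerts

if __name__ == "__main__":
    print(detect_panel_enumeration(SAMPLE_LOG))
```

The "hits" list tells you which panel a scanner actually located, which is the path worth moving behind authentication, an allow-list or a non-guessable name.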


#2

Great post, I’m for sure gonna stay tuned. Bet I’ll get a lot from it!


(random-man) #3

Nice! Definitely some useful info…


(Valentine) #4

Hmmm… Nice post, but there are some things missing. Of course this was an introduction, but I might make my own tutorial about web exploitation if that’s cool with ya. Anyways, nice user-friendly introduction. Cheers.


(Command-Line Ninja) #5

Go for it :wink: what’s missing?


(Valentine) #6

Can’t you just look at the source code to figure out the directories? What about Joomscan or WPscan or golismero or other web scanners? I know it’s just an introduction, but you could find a ton just by running golismero (although I don’t know if it’s in the other Linux distributions). It just seems like you missed, in my opinion, some very important details. Then again, I have a different way of hacking web sites.


(Command-Line Ninja) #7

You’re absolutely right, if the site is using a pre-packaged framework such as Joomla or WordPress. But if it isn’t, and is home-made such as a school or government site, as well as many business sites, then you won’t get far with the tools you’ve mentioned.


(Valentine) #8

Yes, but no matter what site it is, a web scanner like golismero can actually figure a lot out. :slight_smile:


(The C# Dude) #9

I’ve used Joomscan and WPscan a lot! Of course they are not suited for the site-types @pry0cc mentioned but I always wonder when I open the robots.txt and see that another site’s using Joomla/WordPress :smile:. Especially since CVE-2016-8870 + CVE-2016-8869 Joomla is a sweet target (exploit) :wink:.

Would be great to read something about golismero. Never heard of it before but it seems to be pretty cool :slight_smile:.


(Command-Line Ninja) #10

Yes! I saw that tweet! :slight_smile: I was thinking about it today; site frameworks are actually a golden bullet for hackers to develop 0days for. If you can develop a 0day for a piece of software only 1 big company uses, then that’s gonna be worth a fair bit. If you can develop a 0day that will work for thousands of sites, then you’ve got something a whole lot more valuable.

The fact that a lot of site frameworks are Open Source is incredibly important; it’s this quick fire development and update cycle that allows major issues to be fixed.

So - what are your thoughts on site frameworks, do their predictability and openness make a site less secure; or do their openness and large developer base actually improve security? I’d be interested in what you think. One of the common arguments against open source is that their openness itself is a security risk.


(The C# Dude) #11

I think it’s not as easy as saying it’s insecure or not. It depends :smile:. Of course open source helps to secure software because people who’re interested in it can help the original author by re-reading the code and searching for vulnerabilities. The problem is that there aren’t that many people who want to read the complete source of some semi-famous program just to secure the world. Many people search for vulnerabilities to save/sell them, which stands in heavy contrast to the real idea of reducing security risks…

On the other hand, black-hats who want to find vulnerabilities would do it with or without the source. If you know what you’re doing the source isn’t needed, but public source code opens the world of vulnerability finding to semi-skilled hackers who don’t always have good intentions… As an example we can take the Joomla account creation bug. If the source weren’t public the vulnerability would’ve stayed for a much longer time, and it wasn’t even that hard to find.

If you ask me whether open source in general is good, the answer would surely be “yes!” because everyone can edit the code and could know what he’s really running. If you ask me whether open source supports security, I’d say it depends on the project: if you’ve got a good team where you can assume you don’t place big vulnerabilities in the code, I’d say open source could be not that useful for security reasons. If you’ve got a hobby project or something similar, I’d highly recommend making it open source because it can be more easily supported by other people. Of course this is only from the perspective of security. As I said above, open source is very advisable due to the other reasons :slight_smile:.

Personally I think sponsored projects, like one of the EU’s I heard of (sadly I don’t remember the name), which take a big open source program like OpenSSH or Joomla and search the code for vulnerabilities, are a good way to handle the problem; but of course these aren’t that cheap…


#12

@pry0cc The White House website currently uses Drupal 7 :wink:

Fly away


(Command-Line Ninja) #13

Hahaha you’re absolutely correct.

I was referring in my comment to the custom web-apps they use for certain activities.


(Valentine) #14

It’s actually Drupal 7.


#15

Yep, I miswrote… :stuck_out_tongue:
I edited my post :slight_smile:


(Command-Line Ninja) #16

This topic was automatically closed after 30 days. New replies are no longer allowed.