DATA COLLECTED:
./proxychains dig xxxx.com @xx.xx.xx.xxx axfr
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-xx.xx.xx.xxx:53-<><>-OK
; <<>> DiG 9.6.1-P2 <<>> xxx.com @xx.xx.xx.xxx axfr
;; global options: +cmd
xxx.com. 43200 IN SOA ns1.xxxxhosting.com. hostmaster.xxxxxxhosting.com. 2007070901 3600 15 1209600 43200
xxx.com. 43200 IN MX 5 mail.xxx.com.
xxx.com. 43200 IN NS ns1.xxxxhosting.com.
xxx.com. 43200 IN NS ns2.xxxxhosting.com.
xxx.com. 43200 IN A xx.xx.xx.xxx
ftp.xxx.com. 43200 IN A xx.xx.xx.xxx
mail.xxx.com. 43200 IN A xx.xx.xx.xxx
smtp.xxx.com. 43200 IN A xx.xx.xx.xxx
srv1.xxx.com. 43200 IN A xx.xx.xx.xxx
www.xxx.com. 43200 IN A xx.xx.xx.xxx
xxx.com. 43200 IN SOA ns1.xxxhosting.com. hostmaster.xxxhosting.com. 2007070901 3600 15 1209600 43200
;; Query time: 389 msec
;; SERVER: xx.xx.xx.xxx#53(xx.xx.xx.xxx)
;; WHEN: Mon Sep 27 19:57:43 2010
;; XFR size: 11 records (messages 1, bytes 295)
Well, I'm not going to explain what's shown here because you can already see it, right?...
./proxychains nmap -sS -sV -O -P0 xxx.com
Interesting ports on srv1.xxx.com (xx.xx.xx.xxx):
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
25/tcp open smtp?
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g)
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind
113/tcp open ident
143/tcp open imap Dovecot imapd
443/tcp open ssl/http Apache httpd 2.2.9 (PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g)
873/tcp open rsync (protocol version 30)
993/tcp open ssl/ssl OpenSSL (SSLv3)
995/tcp open ssl/ssl OpenSSL (SSLv3)
3306/tcp open mysql MySQL 5.0.51a-24+lenny4-log
Device type: general purpose|WAP|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (92%), D-Link Linux 2.4.X (89%), Netgear embedded (89%), Gemtek embedded (89%), Siemens embedded (89%), Aastra embedded (87%)
Aggressive OS guesses: Linux 2.6.23 (Gentoo) (92%), Linux 2.6.18 (91%), Linux 2.6.22 (89%), Linux 2.6.15 - 2.6.26 (89%), D-Link DSL-G624T wireless ADSL router (MontaVista embedded Linux 2.4.17), or Netgear DG834Bv3 ADSL router or DG834G WAP (89%), Linux 2.6.13 - 2.6.24 (89%), Linux 2.6.13 - 2.6.27 (89%), Linux 2.6.18 - 2.6.26 (89%), Linux 2.6.18-em64t (x86-64) (89%), Linux 2.6.24 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 10 hops
Service Info: OSs: Unix, Linux
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.59 seconds
Afterwards I usually do a VULNERABILITY/EXPLOIT SEARCH. In this case I haven't found any relevant exploit that works; the sites I usually use are NVD, SecurityFocus and Google. I also use msf.
Now what I need is another attack method that isn't based on searching for exploits... without going as far as social engineering...
I've used http://www.informatica69.com/FOCA/default.aspx with some .doc files, but they were created with Microsoft Office without specifying versions.
If anyone could help me, I'd appreciate it...
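Added example (not part of the original post, and not the poster's code): a small parser for the two artifacts pasted above, the `dig ... axfr` zone dump and the `nmap -sV` port table, turning them into structured findings. The sample input is constructed to match the post's redacted output (placeholder names and `xx.xx.xx.xxx` addresses are kept as-is, with the SOA redaction made consistent so the two SOA records compare equal). Two points it makes explicit: a transfer that returns the zone bracketed by two SOA records means the nameserver allows AXFR to arbitrary clients, which is itself a reportable misconfiguration (the post only queried one server; the zone lists two NS records, and each should be checked), and every A record in the dump points at the same address, so the six names are one host to scan, not six.

```python
"""Parse dig AXFR and nmap -sV output into findings (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the zone dump from the post, redaction kept.
AXFR_OUTPUT = """\
; <<>> DiG 9.6.1-P2 <<>> xxx.com @xx.xx.xx.xxx axfr
;; global options: +cmd
xxx.com. 43200 IN SOA ns1.xxxxhosting.com. hostmaster.xxxxhosting.com. 2007070901 3600 15 1209600 43200
xxx.com. 43200 IN MX 5 mail.xxx.com.
xxx.com. 43200 IN NS ns1.xxxxhosting.com.
xxx.com. 43200 IN NS ns2.xxxxhosting.com.
xxx.com. 43200 IN A xx.xx.xx.xxx
ftp.xxx.com. 43200 IN A xx.xx.xx.xxx
mail.xxx.com. 43200 IN A xx.xx.xx.xxx
smtp.xxx.com. 43200 IN A xx.xx.xx.xxx
srv1.xxx.com. 43200 IN A xx.xx.xx.xxx
www.xxx.com. 43200 IN A xx.xx.xx.xxx
xxx.com. 43200 IN SOA ns1.xxxxhosting.com. hostmaster.xxxxhosting.com. 2007070901 3600 15 1209600 43200
;; Query time: 389 msec
;; XFR size: 11 records (messages 1, bytes 295)
"""

# Constructed sample: a subset of the nmap port table from the post.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
25/tcp open smtp?
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g)
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind
873/tcp open rsync (protocol version 30)
3306/tcp open mysql MySQL 5.0.51a-24+lenny4-log
"""


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # "" when nmap printed no version column


RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_axfr(text):
    """Return the resource records in a dig AXFR dump; comment lines (';') are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append(RR(m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()))
    return records


def transfer_succeeded(records):
    """A completed AXFR is bracketed by the same SOA at start and end (RFC 5936).
    A refused transfer yields no records at all (dig prints 'Transfer failed.')."""
    soas = [r for r in records if r.rtype == "SOA"]
    return len(soas) == 2 and soas[0].rdata == soas[-1].rdata


def hosts_from_zone(records):
    """Group zone names by address: many names on one IP means one box to scan."""
    hosts = {}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            hosts.setdefault(r.rdata, []).append(r.name.rstrip("."))
    return hosts


def nameservers(records):
    """Every NS in the zone; each one should be tested for AXFR, not just the first."""
    return sorted(r.rdata.rstrip(".") for r in records if r.rtype == "NS")


def parse_nmap(text):
    """Return one Service per port line of an nmap -sV table."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), (m.group(5) or "").strip()))
    return services


def version_lookups(services):
    """(port, version string) pairs worth searching in NVD / SecurityFocus."""
    return [(s.port, s.version) for s in services if s.state == "open" and s.version]


def unfingerprinted(services):
    """Open ports nmap could not version ('?' service or empty column): grab banners by hand."""
    return [s.port for s in services
            if s.state == "open" and (not s.version or s.name.endswith("?"))]


if __name__ == "__main__":
    zone = parse_axfr(AXFR_OUTPUT)
    print("AXFR allowed:", transfer_succeeded(zone), "| check also:", nameservers(zone))
    for ip, names in hosts_from_zone(zone).items():
        print(ip, "->", ", ".join(names))
    svcs = parse_nmap(NMAP_OUTPUT)
    for port, ver in version_lookups(svcs):
        print(f"lookup {port}: {ver}")
    print("no version, banner-grab manually:", unfingerprinted(svcs))
```

Run it as-is to see the grouping; to use it on real output, feed the saved `dig` and `nmap` text into `parse_axfr` and `parse_nmap` instead of the constructed constants.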