Knock: enumerating subdomains

Knock, enumerating subdomains. In an audit engagement we may be asked to analyse a specific domain, and one of the first tasks for that domain is fingerprinting. At this stage the aim is to gather as much information as possible, among other things for the later search for vulnerabilities.


Availability of the tool

The tool is available on Google Code; we download it and it is ready to use:

darkmac:knock-read-only marc$ python knock.py -h
Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

USAGE:
Scanning with internal wordlist:
knock [url]
e.g. knock domain.com
Scanning with external wordlist:
knock [url] [wordlist]
e.g. knock domain.com wordlist.txt
OPTIONS:

-zt Zone Transfer discovery:
knock -zt [url]
e.g. knock -zt domain.com
-wc Wildcard testing:
knock -wc [url]
e.g. knock -wc domain.com
-dns Dns resolving:
knock -dns [url]
e.g. knock -dns domain.com
-bw Bypass wildcard:
knock -bw [stringexclude] [url]
e.g. knock -bw 404 domain.com

Knock options

Knock offers several options we can use to obtain the list of subdomains. If we launch it without specifying a wordlist, Knock uses its own internal wordlist for the subdomain search.

We scan an arbitrary domain (dragonjar.org) to see how the tool works:

darkmac:knock-read-only marc$ python knock.py dragonjar.org
Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

[+] Testing domain
www.dragonjar.org 108.162.207.118
[+] Dns resolving
Domain name Ip address Name server
No address associated with hostname dragonjar.org
[+] Testing wildcard
Ok, no wildcard found.

[+] Scanning for subdomain on dragonjar.org
[!] Wordlist not specified. I scannig with my internal wordlist...
Estimated time about 74.81 seconds

Subdomain Ip address Name server

Found 0 subdomain(s) in 0 host(s) in 233.43 second(s)

In this case it found no subdomains.

If we run this scan against well-known domains we can find interesting things:

blog.warnerbros.com 168.161.242.18 redirect.warnerbros.com
bo.warnerbros.com 168.161.242.18 redirect.warnerbros.com
br.warnerbros.com 168.161.242.18 redirect.warnerbros.com
bugzilla.warnerbros.com 168.161.244.244 traffic.warnerbros.com
bz.warnerbros.com 168.161.242.18 redirect.warnerbros.com
ca.warnerbros.com 168.161.242.18 redirect.warnerbros.com
cache.warnerbros.com 168.161.242.18 redirect.warnerbros.com

Interesting, isn't it?

You can also come across administration panels.

[Screenshot: Knock enumerating subdomains]

Will it still have the default username and password?

[Screenshot: Knock enumerating subdomains]

Quite a few subdomains for developer matters, right?

With Knock we can also test for zone transfers:

pc:knock-read-only marc$ python knock.py -zt planetronic.es
Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

[+] Testing domain
www.planetronic.es 95.211.135.108
[+] Dns resolving
Domain name Ip address Name server
planetronic.es 95.211.135.108 planetronic.cyberneticos.com
Found 1 host(s) for planetronic.es
[+] Getting NS records for planetronic.es

Found name server: planetronic1.cyberneticos.com.
Found name server: planetronic2.cyberneticos.com.

[+] Trying a zone transfer for planetronic.es from name server planetronic1.cyberneticos.com.

@ 14400 IN SOA planetronic1.cyberneticos.com. hostmaster 2011122800 14400 3600 1209600 86400

@ 14400 IN MX 10 mail

@ 14400 IN TXT "v=spf1 a mx ip4:95.211.135.107 ip4:95.211.135.101 ~all"

@ 14400 IN A 95.211.135.108

@ 14400 IN NS planetronic1.cyberneticos.com.
14400 IN NS planetronic2.cyberneticos.com.

pop 14400 IN A 95.211.135.108

ftp 14400 IN A 95.211.135.108

www 14400 IN A 95.211.135.108

mayoristainformatica 14400 IN A 95.211.135.108

localhost 14400 IN A 127.0.0.1

mail 14400 IN A 95.211.135.108

smtp 14400 IN A 95.211.135.108

www.mayoristainformatica 14400 IN A 95.211.135.108

[+] Trying a zone transfer for planetronic.es from name server planetronic2.cyberneticos.com.

@ 14400 IN SOA planetronic1.cyberneticos.com. hostmaster 2011122800 14400 3600 1209600 86400

@ 14400 IN MX 10 mail

@ 14400 IN TXT "v=spf1 a mx ip4:95.211.135.107 ip4:95.211.135.101 ~all"

@ 14400 IN A 95.211.135.108

@ 14400 IN NS planetronic1.cyberneticos.com.
14400 IN NS planetronic2.cyberneticos.com.

pop 14400 IN A 95.211.135.108

ftp 14400 IN A 95.211.135.108

www 14400 IN A 95.211.135.108

mayoristainformatica 14400 IN A 95.211.135.108

localhost 14400 IN A 127.0.0.1

mail 14400 IN A 95.211.135.108

smtp 14400 IN A 95.211.135.108

www.mayoristainformatica 14400 IN A 95.211.135.108

As you can see, it is able to perform the zone transfer.

Another of Knock's options is resolving the DNS of the domain:

pc:knock-read-only marc$ python knock.py -dns antena3.com
Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

[+] Testing domain
www.antena3.com 8.254.95.126
[+] Dns resolving
Domain name Ip address Name server
antena3.com 194.224.72.187 www.neoxfanawards.com
Found 1 host(s) for antena3.com

If a domain has a wildcard enabled, Knock reports an error and dumps the HTML of the catch-all page to the screen:

pc:knock-read-only marc$ python knock.py -wc github.com
Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

[+] Testing domain
www.github.com 204.232.175.90
[+] Testing wildcard
<!DOCTYPE html>

Wildcard enabled! Try with -bw option
Example: knock -bw 404 github.com

If we want the list of subdomains even when the domain has a wildcard enabled, we can do that too: with -bw we pass a string (here 404) and hosts whose response contains it are discarded.

darkmac:knock-read-only marc$ python knock.py -bw 404 github.com
Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )

[+] Testing domain
www.github.com 204.232.175.90
[+] Dns resolving
Domain name Ip address Name server
github.com 204.232.175.90 github.com
Found 1 host(s) for github.com
[+] Bypass wildcard
blog.github.com
docs.github.com
download.github.com
enterprise.github.com
fi.github.com
help.github.com
id.github.com
jobs.github.com
lab.github.com
launch.github.com
new.github.com
news.github.com
support.github.com
wiki.github.com
www.github.com

Found 15 subdomain(s) in 1232.3 second(s)
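As an added illustration of what the -wc and -bw options above do (this is not Knock's own code), the following Python sketch detects a wildcard by resolving random labels and filters a wordlist scan by dropping hosts whose page contains an exclude string such as 404. The resolver and fetcher are injectable, so the logic can be exercised against a constructed name table without network access; any hostnames and addresses used in a test are constructed.

```python
import random
import socket
import string
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None if it does not resolve
Fetcher = Callable[[str], str]             # hostname -> HTTP body ("" when unreachable)

def random_label(length: int = 12) -> str:
    """Random lowercase label that is vanishingly unlikely to be a real subdomain."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))

def system_resolve(host: str) -> Optional[str]:
    """Resolver backed by the OS stub resolver; None when the name has no address."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def http_fetch(host: str, timeout: float = 5.0) -> str:
    """Fetch http://host/ and return the body; '' on any error (vhost not answering, etc.)."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return ""

def has_wildcard(domain: str, resolve: Resolver = system_resolve, probes: int = 3) -> bool:
    """Wildcard test (-wc): if several random labels all resolve, *.domain is a catch-all."""
    return all(resolve(f"{random_label()}.{domain}") is not None for _ in range(probes))

def enumerate_subdomains(domain: str, wordlist: List[str], resolve: Resolver = system_resolve,
                         exclude: Optional[str] = None, fetch: Fetcher = http_fetch,
                         ) -> List[Tuple[str, str]]:
    """Wordlist scan; with `exclude` set it mimics -bw: drop hosts whose page contains the string."""
    found: List[Tuple[str, str]] = []
    for word in wordlist:
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip is None:
            continue  # no address: not a subdomain
        if exclude is not None and exclude in fetch(host):
            continue  # only the wildcard catch-all answered (e.g. a "404" page)
        found.append((host, ip))
    return found
```

A wildcard answers for names that do not exist, so on a wildcarded domain every DNS hit has to be confirmed at a higher layer; that is exactly why Knock needs the -bw string.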

Knock, enumerating subdomains: Knock is a tool that helps us extract the list of subdomains, which in turn helps us identify the services present on the scanned domain, among other things.
