pentest

Quick Tip on E-mail Gathering

Here’s a quick tip for when you don’t have search engine API keys, theHarvester doesn’t work, and Burp Suite fails to grab all the e-mail addresses from the search engine results.

  1. Search for @example.com on Google
  2. Go to last page of results and click “repeat search with the omitted results included”
  3. Go through each page of results, select all, save as a plain text document (results1.txt, results2.txt, etc)
  4. Run grep -E -o "\b[A-Za-z0-9._%+-]+@example\.com\b" results*.txt (the dot in the domain is escaped so it matches only a literal period)

This method, although manual and time-consuming, avoids having to deal with HTML and obfuscation tricks and instead lets you work with plain text.

This should work for other search engines as well.

Another pro tip: disable instant results and infinite scrolling, and set the number of results per page to the maximum allowed.

A Note on Hacking Citrix

During one of my pentests recently I was able to gain access to a Citrix server with user-level privileges. The user had access to some client-specific applications and read/write access to a share. Changing .ica shortcuts to point to other programs did not work out; access to cmd.exe was disabled by the administrators. So, what to do? Why, create a .bat file on that writable share, of course! It’s not cmd.exe that’s important, it’s running commands such as “net user” that really matters. But, just a “net user” by itself won’t do — the window closes right after execution. Not a big deal, throw a “pause” in there which will make it wait for user input before exiting. Editing and saving the .bat file to run new commands each time is tiresome, though. That is why I created a tiny script that simply loops and keeps asking for new commands to execute:

@echo off
:awesome
echo %CD%^>
set /p cmd=
%cmd%
goto awesome

With this I was able to easily enumerate the domain. Unfortunately that’s where I had to stop due to time constraints. What would I have done if I could have kept going? Probably enumerate all the users and do some sweeps for weak passwords using the command to map network drives. Perhaps enumerate the network and scan for misconfigured hosts that have domain users in their local administrators group. Maybe TFTP out and download a malicious tool or document to leave for the user to open. Maybe all of the above and more! I wish I had more time because that would have been a lot of fun!

Edit: updated the script slightly (%CD% is to show current working directory and ^ is to escape greater than sign).

Another reason to look at NTP

Here is something I came across recently that I haven’t seen before:

NTP internal IP disclosure

This is from an Internet facing host. The interesting bit here is the disclosure of internal IP addresses in the “refid” field. Just another thing to watch out for during pentests and when configuring your NTP services.

As a side note, carnal0wnage has some great posts on getting information out of NTP services.
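As an added example (not from the post), here is a small Python check for the refid disclosure described above: it decodes the fixed NTP header (RFC 5905 layout) and reports a reference ID that is an RFC 1918 address on a stratum-2-or-higher server. The sample replies are constructed inline; the helper names are mine.

```python
import ipaddress
import struct

NTP_HEADER_LEN = 48  # fixed header; mode-3/4 packets without extensions


def parse_ntp_header(pkt: bytes) -> dict:
    """Decode the fields of the 48-byte NTP header that matter here:
    version, mode, stratum and the raw 4-byte Reference ID (bytes 12-15)."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than NTP header")
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBBb", pkt[:4])
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "refid": pkt[12:16],
    }


def refid_leak(pkt: bytes):
    """Return the leaked private IPv4 address as a string, or None.

    For stratum >= 2 an IPv4-synchronised server puts its upstream server's
    IPv4 address in the refid, which on an Internet-facing host may be an
    internal address. Stratum 0/1 refids are ASCII clock identifiers (GPS,
    PPS, ...) and are skipped. Caveat: a server synchronised over IPv6 stores
    the first four bytes of an MD5 hash here, which can resemble any IPv4."""
    hdr = parse_ntp_header(pkt)
    if hdr["stratum"] < 2:
        return None
    addr = ipaddress.IPv4Address(hdr["refid"])
    return str(addr) if addr.is_private else None


def build_ntp_reply(stratum: int, refid: bytes) -> bytes:
    """Constructed sample: minimal NTPv4 server reply (mode 4) with the given
    stratum and 4-byte refid; root delay/dispersion and timestamps are zero."""
    assert len(refid) == 4
    li_vn_mode = (0 << 6) | (4 << 3) | 4  # LI=0, VN=4, mode=4 (server)
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)
    return header + b"\x00" * 8 + refid + b"\x00" * 32


# Constructed samples: a stratum-2 server synced to an internal 10.1.2.3
# upstream, and a stratum-1 GPS-disciplined server with an ASCII refid.
LEAKY_REPLY = build_ntp_reply(2, ipaddress.IPv4Address("10.1.2.3").packed)
STRATUM1_REPLY = build_ntp_reply(1, b"GPS\x00")
```

Running `refid_leak` over a captured mode-4 reply from your own Internet-facing servers tells you whether they advertise an internal upstream address; the fix is to sync them to a public or non-routable-but-non-sensitive source, or to restrict queries.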