
Thursday, June 2, 2011

INFORMATION GATHERING

This time I will describe my first information gathering exercise.
1. OWASP-IG-001
Black box testing:
Using the console, I ran this command:
--2011-06-02 09:48:22-- http://www.akakom.ac.id/robots.txt
Resolving www.akakom.ac.id... 110.76.151.4
Connecting to www.akakom.ac.id|110.76.151.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 304 [text/plain]
Saving to: `robots.txt'

100%[=============================================================>] 304 --.-K/s in 0s

2011-06-02 09:48:22 (25.2 MB/s) - `robots.txt' saved [304/304]



From the command above I get a robots.txt file. The contents of the file are as follows:
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
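As an added example that is not part of the original post, the Python below parses a robots.txt like the one above and flags Disallow entries that name administrative, installer or RPC paths. The sensitive-name list is an assumption of this example. From the defender's side the point is that robots.txt is public, so listing /administrator/ or /installation/ in it hides nothing from a scanner; such paths need access control or removal (for example deleting the installer after setup), not a robots entry.

```python
"""Review a robots.txt for Disallow entries that disclose sensitive paths.

Added example, not from the original post. SAMPLE_ROBOTS is constructed
from the robots.txt shown in the post; SENSITIVE_HINTS is an assumption.
"""

# Constructed from the robots.txt shown in the post.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
"""

# Assumption: path fragments an auditor treats as sensitive because they
# point at admin consoles, installers, scratch space or RPC endpoints.
SENSITIVE_HINTS = ("admin", "install", "xmlrpc", "tmp", "backup", "config")


def parse_robots(text):
    """Return {user_agent: [disallowed paths]} from robots.txt text.

    A record is one or more User-agent lines followed by rules; a
    User-agent line after rules starts a new record. Directive names are
    case-insensitive, '#' comments are dropped, and an empty 'Disallow:'
    (which allows everything) is ignored.
    """
    rules = {}
    current_agents = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:              # rules already seen: new record begins
                current_agents = []
                in_rules = False
            current_agents.append(value)
            rules.setdefault(value, [])
        elif field == "disallow":
            in_rules = True
            if value:
                for agent in current_agents or ["*"]:
                    rules.setdefault(agent, []).append(value)
    return rules


def flag_sensitive(rules, hints=SENSITIVE_HINTS):
    """Return sorted disallowed paths whose name contains a sensitive hint."""
    flagged = set()
    for paths in rules.values():
        for path in paths:
            lowered = path.lower()
            if any(hint in lowered for hint in hints):
                flagged.add(path)
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, paths in parsed.items():
        print(f"User-agent {agent!r}: {len(paths)} disallowed paths")
    for path in flag_sensitive(parsed):
        print(f"review access control for: {path}")
```

Running the script on the sample prints the four paths that deserve a second look (/administrator/, /installation/, /tmp/, /xmlrpc/); the remaining entries are ordinary content directories.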

2. OWASP-IG-002
To find web content of akakom.ac.id indexed by Google's cache, the following Google search query is issued:
site:akakom.ac.id
Entering the above into Google produces a list of addresses belonging to akakom.ac.id.


To display the index.html of akakom.ac.id as cached by Google, the following Google search query is issued:
cache:akakom.ac.id
Entering the above into Google takes you to the akakom website.

3. OWASP-IG-003
I don't know about this step.

4. OWASP-IG-004
This is what I did in the fourth step of Information Gathering:
root@bt:~# nmap -v -A akakom.ac.id
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-03 09:36 WIT
NSE: Loaded 57 scripts for scanning.
Initiating Ping Scan at 09:36
Scanning akakom.ac.id (110.76.151.2) [4 ports]
Completed Ping Scan at 09:36, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.01s elapsed
Initiating SYN Stealth Scan at 09:36
Scanning akakom.ac.id (110.76.151.2) [1000 ports]
Discovered open port 25/tcp on 110.76.151.2
Discovered open port 80/tcp on 110.76.151.2
Discovered open port 22/tcp on 110.76.151.2
Discovered open port 993/tcp on 110.76.151.2
Discovered open port 143/tcp on 110.76.151.2
Discovered open port 587/tcp on 110.76.151.2
Discovered open port 110/tcp on 110.76.151.2
Discovered open port 53/tcp on 110.76.151.2
Discovered open port 995/tcp on 110.76.151.2
Completed SYN Stealth Scan at 09:36, 4.76s elapsed (1000 total ports)
Initiating Service scan at 09:36
Scanning 9 services on akakom.ac.id (110.76.151.2)
Completed Service scan at 09:37, 19.48s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against akakom.ac.id (110.76.151.2)
Initiating Traceroute at 09:37
Completed Traceroute at 09:37, 0.71s elapsed
Initiating Parallel DNS resolution of 3 hosts. at 09:37
Completed Parallel DNS resolution of 3 hosts. at 09:37, 4.01s elapsed
NSE: Script scanning 110.76.151.2.
Initiating NSE at 09:37
Completed NSE at 09:37, 12.14s elapsed
Nmap scan report for akakom.ac.id (110.76.151.2)
Host is up (0.18s latency).
rDNS record for 110.76.151.2: ns.akakom.ac.id
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5 (protocol 2.0)
| ssh-hostkey: 1024 cf:ae:6d:b6:d6:c0:18:3b:1e:b1:8f:be:ac:fd:13:fa (DSA)
|_1024 d9:81:45:02:76:e9:f7:54:4d:d2:b9:ec:b4:e3:21:3f (RSA)
25/tcp open smtp Sendmail 8.14.4/8.14.4
| smtp-commands: mail.akakom.ac.id Hello [172.17.38.155], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH LOGIN PLAIN, STARTTLS, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.14.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
53/tcp open domain Mikrotik RouterOS named or OpenDNS Updater
80/tcp open http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: 302 Found
|_Did not follow redirect to http://www.akakom.ac.id/
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: OK(K) CAPA RESP-CODES UIDL PIPELINING STLS TOP SASL
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS SORT=DISPLAY UNSELECT LOGINDISABLED STARTTLS IMAP4rev1 QUOTA CONDSTORE LIST-STATUS ID SEARCHRES WITHIN CHILDREN LIST-EXTENDED ESORT ESEARCH QRESYNC CONTEXT=SEARCH THREAD=REFS THREAD=REFERENCES I18NLEVEL=1 UIDPLUS NAMESPACE ENABLE SORT LITERAL+ IDLE SASL-IR MULTIAPPEND
445/tcp filtered microsoft-ds
587/tcp open smtp Sendmail 8.14.4/8.14.4
| smtp-commands: mail.akakom.ac.id Hello [172.17.38.155], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, AUTH LOGIN PLAIN, STARTTLS, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.14.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
993/tcp open ssl/imap Dovecot imapd
|_sslv2: server supports SSLv2 protocol, but no SSLv2 cyphers
|_imap-capabilities: LOGIN-REFERRALS SORT=DISPLAY UNSELECT AUTH=LOGIN AUTH=PLAIN IMAP4rev1 QUOTA CONDSTORE LIST-STATUS ID SEARCHRES WITHIN CHILDREN LIST-EXTENDED ESORT ESEARCH QRESYNC CONTEXT=SEARCH THREAD=REFS THREAD=REFERENCES I18NLEVEL=1 UIDPLUS NAMESPACE ENABLE SORT LITERAL+ IDLE SASL-IR MULTIAPPEND
995/tcp open ssl/pop3 Dovecot pop3d
|_sslv2: server supports SSLv2 protocol, but no SSLv2 cyphers
|_pop3-capabilities: OK(K) CAPA RESP-CODES UIDL PIPELINING USER TOP SASL(PLAIN LOGIN)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31
Uptime guess: 4.051 days (since Mon May 30 08:23:48 2011)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: mail.akakom.ac.id; OS: Unix

TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 689.84 ms hotspot.akakom (172.17.38.254)
2 684.53 ms 172.17.46.1
3 700.44 ms ns.akakom.ac.id (110.76.151.2)

Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 45.66 seconds
Raw packets sent: 1066 (47.882KB) | Rcvd: 1052 (43.022KB)

5. OWASP-IG-005
My experiment in this step:
root@bt:~# nmap -PN -sT -sV -p0-1720 110.76.151.2
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-03 10:09 WIT
Nmap scan report for mail.akakom.ac.id (110.76.151.2)
Host is up (0.029s latency).
Not shown: 1711 closed ports
PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 5.5 (protocol 2.0)
25/tcp  open     smtp         Sendmail 8.14.4/8.14.4
53/tcp  open     domain       Mikrotik RouterOS named or OpenDNS Updater
80/tcp  open     http         Apache httpd
110/tcp open     pop3         Dovecot pop3d
143/tcp open     imap         Dovecot imapd
445/tcp filtered microsoft-ds
587/tcp open     smtp         Sendmail 8.14.4/8.14.4
993/tcp open     ssl/imap     Dovecot imapd
995/tcp open     ssl/pop3     Dovecot pop3d
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.35 seconds
