Government Security
Network Security Resources

Srgn-infogather-v2.0


5 replies to this topic

#1 SuRGeoN

Posted 01 April 2008 - 04:41 AM

Attached File  srgn_infogather_v2.0.zip   2.27KB   134 downloads or http://surgeon.gotdns.org/

Information Gathering Script by SuRGeoN [ver. 2.0]
usage: ./srgn-infogather-v2.0.sh options

OPTIONS:
-h Show this message
-d Domain name
-N Do not check for Version.Bind & Zone-Transfers
-M Do not check for Version, User-enumeration & Mail Relay
-i IP Address or IP Range
-f Reads IP addresses from the specified file
-S Do not search for MSN VHosts

Examples
——–
./srgn-infogather-v2.0.sh -d domain.com -i 1.1.3.4 // Check Nameservers/Mailservers & Reverse lookup / MSN VHosts Search for IP
./srgn-infogather-v2.0.sh -d domain.com -i 1.1.3.4-14 -f file_with_ips // Check Nameservers/Mailservers & Reverse lookup / MSN VHosts Search for IP addresses (parameter&file)
./srgn-infogather-v2.0.sh -d domain.com -i 1.1.3.4 -f file_with_ips -D -M -S // Show Nameservers/Mailservers & Reverse lookup for IP addresses (parameter&file)

[Domain]

Name Servers->
1.1) check for NS records
1.2) check for BIND version
1.3) check for Zone Transfers for each NS record

Mail Servers->
2.1) check for MX records
2.2) check for BANNER (version)
2.3) check for USER ENUMERATION with VRFY/EXPN
2.4) check for relay with RCPT TO another domain

[IP Addresses - File]

1.1) NSLookup for each IP address (If you get a result it will be within brackets[])
1.2) Check for VHosts through MSN (If you get a result it will be without brackets[]) - MSNPawn like
when a hungry man comes to ask your help, do not give him a fish, rather teach him how to catch a fish

#2 SuRGeoN

Posted 20 April 2008 - 11:16 AM

srgn-infogather v3.0
http://surgeon.gotdns.org

Attached File  srgn_infogather800.jpg   80.94KB   131 downloads

I converted the previous unix (bash script) version to VB .NET. Now it’s more flexible and more options are available.
It will help you do the very first steps of the information gathering technique for domains, hostnames and IP addresses.

——–
FEATURES
—————————————-
-Mail Servers
-Sorted list with Mail Servers
-Name Servers
-Sorted list with Name Servers
-Hosts
-Zone Transfers
-Zone Transfers for subzones (example: zone1.example.com)
-Brute Force (from Hosts.txt, if you really want to find all the subdomains and more information, wait for it to finish)
-Google (for “large” domains like microsoft.com you will probably get banned by Google)
-Virtual Hosts (MSN, it uses SOAP to be faster but it will not get more than 50 results/IP and needs an AppID)
-Web Servers
-Sorted IPs from Google and MSN
-Clusters/Load Balancers
-Host names with more than one IP Address (maybe cluster/load balancer)
-IP Addresses
-Sorted list with IP Addresses (Hosts/Vhosts)
-IP Ranges
-IP Ranges from IP addresses found
-IP Ranges from Whois Netnames found
-IP Ranges from Whois Mnt By found (Don't scan ISPs)
-Internal IP Addresses / Host names
-Sorted list with internal IP Addresses Found
-Option to scan further for Internal IP Ranges
-Domains
-Related Domains

It’s also possible to create your own Custom Scan (only IP addresses (internal?), only hosts,
more nameservers to check for zone transfers or a combination of them)
—————————————-

#3 SuRGeoN

Posted 02 May 2008 - 06:05 PM

Updated... a lot of bugs fixed :)

see also dnsenum (new version) -> http://www.filip.waeytens.easynet.be/

Any ideas / suggestions always welcome

#4 berz3k

Posted 06 May 2008 - 03:09 AM

Do you know what I need in the field "AppID="?

-berz3k.

#5 SuRGeoN

Posted 06 May 2008 - 04:43 AM

# For MSN queries it needs your AppID. Get an AppID -> http://search.msn.com/developer // READ ->

# Because of Micro$oft the link may not work. You have to sign out from your msn,
# then go here http://www.live.com and then here http://search.msn.com/developer
# Don't ask why :)

So if you want to find VHosts for every IP it's better to get this AppID.

Cheers

#6 SuRGeoN

Posted 25 November 2008 - 09:09 AM

Now at version 3.3

CHANGES
————---
23/11/08
- Imports port scan results from nmap (xml)
Multi-import feature for nmap xml files added.
Now you can select all your nmap (xml) results for the same range (web, common, fast, highports) and the tool will add/merge all the ports for every IP (imagine you miss a port in highports: you can get it from fastscan or common).
"Include only hosts with open ports" option added.

- MX Tests added
- Scan all the ports found open from nmap and check whether running as HTTP or HTTPs
- Scan all HTTP/HTTPs ports found for specific headers
- One more web request added for internal ips.
PROPFIND / HTTP/1.1
HOST:
Content-Length: 0

- For the rest of the ports it grabs the banner



——–
FEATURES
—————————————-
-MX Records
-List with Mail Servers (Priority)
-Check for Software Version, User enumeration, Relay (EHLO/VRFY/EXPN/MAIL FROM/RCPT TO)
-NS Records
-List with Name Servers
-Check for Version(Bind), Zone Transfers
-Subdomains
-Zone-Transfers
-Brute-Force (wordlist included(Hosts.txt))
-Google
-Virtual Hosts (MSN)
-IP Addresses
-List with IP Addresses (Hosts/Vhosts/Ports(+Banner or HTTP/HTTPs results/port)
-Internal IP Addresses
-List with internal IP addresses found (from NS Records)
-IP Ranges
-IP Ranges from IP addresses found
-IP Ranges from Whois Netnames found
-IP Ranges from Whois Mnt By found (Search manually - Don't scan for ISPs' mnt-by!!!)
-Ports
-List with Ports & IP Addresses by Port
-Webservers
-List with Webservers found (by sending http/https headers)
-Scan results for every web port (Version(Server:), OPTIONS (GET, TRACE etc), Internal IP address (GET /images) and more headers)
-Clusters/Balancers
-Host names with more than one IP Address (maybe cluster/load balancer)
-Domains
-Related domains found (from reverse lookup, virtual hosts(msn) etc)
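The nmap XML merge described in the 3.3 changelog above, as an added Python example that is not part of srgn-infogather (the tool itself is VB .NET). The two XML documents are constructed and trimmed to the elements the merge needs, and the merge rule (an "open" verdict from any file wins over a non-open one) is an assumption about how such a merge should behave, not the tool's documented logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample nmap XML, reduced to the elements the merge reads.
# These are not real scan results.
FAST_SCAN = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="filtered"/></port></ports></host>
</nmaprun>"""

HIGHPORTS_SCAN = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): (state, service)}} for one nmap XML document."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = hosts.setdefault(addr.get("addr"), {})
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = (state.get("state") if state is not None else "unknown",
                          service.get("name") if service is not None else "")
    return hosts


def merge_scans(xml_docs, only_open=False):
    """Merge several scans of the same range (assumed rule: a port seen as
    'open' in any file keeps that verdict; otherwise the first verdict wins)."""
    merged = {}
    for doc in xml_docs:
        for ip, ports in parse_nmap_xml(doc).items():
            target = merged.setdefault(ip, {})
            for key, (state, service) in ports.items():
                if key not in target or state == "open":
                    target[key] = (state, service)
    if only_open:  # the "include only hosts with open ports" option
        merged = {ip: {k: v for k, v in p.items() if v[0] == "open"} for ip, p in merged.items()}
        merged = {ip: p for ip, p in merged.items() if p}
    return merged
```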