Pentesters/Red Teamers often need to track their outgoing IPs so that Blue Teams can correlate activity and determine whether an attack is scheduled testing activity or something else.
Below is a script that will reach out, grab your public IP, and if it's different from the last entry, enter it into a log file. I use crontab to execute it at the top of every minute.
Now you can change IPs via VPN or whatever and always be able to refer back to them later. The only edge case is changing IPs multiple times within one minute, but that should be rare and is accounted for in sprays.
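The following is an added example of such a logger, not the script from the original post. It fetches the public IP, validates that the response is actually a dotted-quad (so a captive-portal page or error text never lands in the log), and appends a UTC-timestamped line only when the address differs from the last entry. The lookup URL is a placeholder you replace with a "what is my IP" service you trust, and the cron line in the header is the assumed scheduling.

```bash
#!/bin/sh
# Added example (not the post's own script): record the current public IP
# whenever it differs from the last logged entry, so the Blue Team can
# correlate test traffic with source addresses later.
# Assumed cron entry, top of every minute:
#   * * * * * /usr/local/bin/iplog.sh >/dev/null 2>&1
# Assumptions: curl is installed; IP_LOOKUP_URL is a placeholder to replace.

IP_LOOKUP_URL="${IP_LOOKUP_URL:-https://ipinfo.example/ip}"   # placeholder, assumed
LOG_FILE="${LOG_FILE:-$HOME/outgoing_ips.log}"

# Fetch the current public IPv4 address. Prints nothing on failure so the
# caller skips logging instead of recording an error string as an "IP".
get_public_ip() {
    curl -fsS --max-time 10 "$IP_LOOKUP_URL" 2>/dev/null | tr -d '[:space:]'
}

# Accept only a plausible dotted-quad; rejects HTML, error text, empty input.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the IP from the most recent log line (empty if the log does not exist).
last_logged_ip() {
    [ -f "$1" ] || return 0
    tail -n 1 "$1" | awk '{print $NF}'
}

# Append "<UTC timestamp> <ip>" to the log only when the IP changed.
# Returns 0 if a new entry was written, 1 if unchanged or invalid.
log_ip_change() {
    ip="$1"; log="$2"
    is_ipv4 "$ip" || return 1
    [ "$(last_logged_ip "$log")" = "$ip" ] && return 1
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ip" >> "$log"
}

# Entry point for cron. A failed or garbage lookup is silently skipped;
# the next minute's run will catch up.
main() {
    ip="$(get_public_ip)"
    log_ip_change "$ip" "$LOG_FILE" || true
}

# Only run main when invoked as the script itself, so the functions can
# also be sourced and exercised individually.
case "$(basename "$0")" in
    iplog.sh) main ;;
esac
```

Save it as `iplog.sh`, make it executable, and add the cron line from the header. Because each log line is `timestamp ip`, a `grep` for a date range gives the Blue Team the exact source addresses in use during a given window.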
Wednesday, November 28, 2018
Monday, November 26, 2018
A couple of methods to identify usernames that can then be used in other areas of a pentest are below. I added as many as I could think of. I limited it to ones mostly seen from the public Internet.
- WebApp login error username enumeration (custom per webapp, use Python/Burp)
- WebApp URL/Cookie differences (custom per webapp, use Python/Burp)
- Document Metadata from google dork (https://github.com/ElevenPaths/FOCA)
- Public leaks/dumps (mostly just LinkedIn)
- Skype for Business/Lync (https://github.com/nyxgeek/lyncsmash)
- Exposed SMB/RID Cycling (https://github.com/portcullislabs/enum4linux)
- Kerberos Username Validation (https://nmap.org/nsedoc/scripts/krb5-enum-users.html)
- OWA username enumeration (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/owa_login.rb)
- WordPress logins (https://github.com/wpscanteam/wpscan)
- OpenSSH username enumeration (https://www.exploit-db.com/exploits/45233)
- SMTP VRFY Username Enumeration (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smtp/smtp_enum.rb)
- SMTP EXPN Username Enumeration (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smtp/smtp_enum.rb)
- SMTP RCPT TO Username Enumeration (http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum)