<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Tropyl</title>
    <description>The latest articles on DEV Community by Tropyl (@tropyl).</description>
    <link>https://dev.to/tropyl</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F1816%2Ffaded488-7759-4c2f-bd7b-c3af7df6aa34.png</url>
      <title>DEV Community: Tropyl</title>
      <link>https://dev.to/tropyl</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/tropyl"/>
    <language>en</language>
    <item>
      <title>What is Cryptography?</title>
      <dc:creator>sumanbasuli</dc:creator>
      <pubDate>Mon, 27 Jul 2020 00:42:43 +0000</pubDate>
      <link>https://dev.to/tropyl/what-is-cryptography-dhh</link>
      <guid>https://dev.to/tropyl/what-is-cryptography-dhh</guid>
      <description>&lt;h2&gt;
  
  
  Introduction:
&lt;/h2&gt;

&lt;p&gt;As a developer, you will agree that nothing in this world (especially in tech) is 100% secure. Whether you are building the next fancy piece of software or maybe the next big tech giant, bugs and security issues will be part of your journey.&lt;/p&gt;

&lt;p&gt;Some problems will come along that you will not be able to solve outright; rather, you can only make them harder to exploit in order to protect your brand and users.&lt;/p&gt;

&lt;p&gt;One such thing is protecting a password. And I am sure you have no way to protect it other than making it hard to read, at least for humans. But if you make it unreadable, then how do systems and servers verify whether the password is right or wrong?&lt;/p&gt;

&lt;p&gt;Now here comes a concept called cryptography. It is not just another concept; I would rather call it an art. The word cryptography literally means the art of secret writing. So today let's see how your password is actually secured in your database and how servers decrypt it to verify it.&lt;/p&gt;

&lt;p&gt;First we will go through a little bit of what cryptography is, then we will dive deeper into how it actually works and where and when it is used.&lt;/p&gt;

&lt;h2&gt;
  
  
  Purpose of Cryptography:
&lt;/h2&gt;

&lt;p&gt;So if you're new to cryptography, let's talk about its purpose. When we talk about cryptography, what we're actually trying to get across, or I should say its foundation, comes from the fact that we typically have files and/or data, and if we want, we can try to conceal that information by converting it using some type of key to make that particular data secret or more secure.&lt;/p&gt;

&lt;p&gt;Now not only do we deal with data as a whole, but we can also deal with data as individual files, and even lock down workstations or servers by encrypting their drives. So what does cryptography bring to the table? Well, first of all it brings what we refer to as &lt;strong&gt;non-repudiation.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;What we mean by this is that whoever has sent a message (because we can encrypt an email) or saved a document can't later deny having done so or having altered that document.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;"It wasn't me, I swear."&lt;/em&gt; No, it was you, because it was encrypted with your key. It also brings to the table &lt;strong&gt;integrity&lt;/strong&gt;. What we mean by this is that we have the ability to say the data actually came from the source that we requested it from.&lt;/p&gt;

&lt;p&gt;So it's the trustworthiness of the data or resources, in terms of the data not being improperly handled or changed without authorization. It also brings to the table &lt;strong&gt;authentication&lt;/strong&gt;. Sometimes we visit websites where it's important that we prove we are who we say we are, just as we obviously want to authenticate our credit card information, right?&lt;/p&gt;

&lt;p&gt;So it's definitely important to us within our industry. And, of course, &lt;strong&gt;confidentiality&lt;/strong&gt; is another major factor as far as what cryptography can do for us.&lt;/p&gt;

&lt;p&gt;As far as &lt;strong&gt;confidentiality&lt;/strong&gt; is concerned, it means, again, that we make certain resources available only to authorized users. Now as far as how this process works, or how cryptography works, on a very plain or elementary level, the process goes like this.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F2tdw0ewgk0u7v4obwaly.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F2tdw0ewgk0u7v4obwaly.png" alt="Cryptography Picture"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We have plaintext, formatted text that we can read. Maybe it's a Word document, maybe it's an email. But it gets encrypted using an algorithm like DES or AES or even RSA.&lt;/p&gt;

&lt;p&gt;After that encryption has been applied, we refer to the whole document as ciphertext. It's completely unreadable. The file is then transmitted, and on the opposite end, it just goes through the opposite process, right?&lt;/p&gt;

&lt;p&gt;The receiver uses the keys it's aware of to decrypt the ciphertext, which then obviously gives us the plaintext that the original sender or the resource wanted us to see. See? I told you this would be easy. Next, let's talk about the types of cryptography.&lt;/p&gt;

&lt;h2&gt;
  
  
  Types of Cryptography:
&lt;/h2&gt;

&lt;p&gt;Let's talk about the types of cryptography. There's not a whole lot of talking to do because, guess what, there are only two. There's what they refer to as &lt;strong&gt;symmetric&lt;/strong&gt;, as well as &lt;strong&gt;asymmetric&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And let me tell you the difference between the two. There are huge differences, and there are some pros and cons.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fag2qd1qaqidoq9ir1rqo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fag2qd1qaqidoq9ir1rqo.png" alt="Symmetric encryption"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When it comes to symmetric, one of the advantages it has is that it's very easy to use, because both parties use the exact same key to encrypt and decrypt. You can see the flaw there, right?&lt;/p&gt;

&lt;p&gt;It's also extremely fast because we're using the same key over and over. It's very easy to implement because, hey, I can come up with my secret key and distribute it to you. I can distribute it to my friends. I can distribute it to my family or even anyone I like.&lt;/p&gt;

&lt;p&gt;But do you see the dilemma we have here? Once I start doing that, if I push it out to 30 people, how secure is my key? Not very secure, is it? The key isn't transmitted with the data. That's one of the reasons why it's really, really fast.&lt;/p&gt;

&lt;p&gt;All you need to do is have a copy of the key on your system. Now here are some of the downsides. Well, if the key isn't transmitted with the data, the downside is that you've got to distribute it to the parties that you want to have access to the resource.&lt;/p&gt;

&lt;p&gt;Obviously, because we're distributing these manually, the manageability of these keys is extremely rough, and because the keys aren't rotated, nothing ever changes.&lt;/p&gt;

&lt;p&gt;As a matter of fact, if I change my key, I have to update everybody. So I have to watch out for dictionary attacks, because these keys have a tendency to be static. And because I may be distributing my keys to several people, it's really, really hard to prove authenticity, because anybody can make a change to the resource or the data.&lt;/p&gt;

&lt;p&gt;"But what's a better solution?" Well, the better solution is actually asymmetric.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fxixrgbv1sfi3yvrrlj4f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fxixrgbv1sfi3yvrrlj4f.png" alt="asymmetric encryption"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Asymmetric is much better because, for one, it uses what they refer to as a two-key infrastructure. It's also known as public-key cryptography.&lt;/p&gt;

&lt;p&gt;We actually have two keys. One's public, one's private. The private key you don't share with anybody. You keep it. It's typically a part of your system or stored specifically for your account.&lt;/p&gt;

&lt;p&gt;The public key we can give out all we want, put it on Facebook if you want, tweet it out if you'd like, because the public key is used for encrypting the data, but the private key is the only key that can decrypt it.&lt;/p&gt;

&lt;p&gt;So guess what? Yeah, it's a lot more convenient because I can issue out public keys like crazy. I don't care if people have it. It also utilizes what they refer to as digital signatures.&lt;/p&gt;

&lt;p&gt;Another advantage is better security. If nobody has a copy of my private key, then they're not getting hold of the data. Now it does have some cons to it. It is more intensive as far as CPU utilization, because of the work it has to do for encryption and decryption. But as far as slower is concerned, we're talking about half an eyeblink versus a full eyeblink in speed.&lt;/p&gt;

&lt;p&gt;It also has huge issues if the private key is exposed, because it's the master key, right? In fact, if the private key gets exposed, we need to regenerate a key. And so we're going to need some type of management solution in place so we can revoke keys if we need to.&lt;/p&gt;

&lt;p&gt;When it comes to asymmetric, it is susceptible to man-in-the-middle attacks, as well as brute force attacks. And, unfortunately, if the private key gets lost, you can't decrypt, and the data can no longer be recovered.&lt;/p&gt;

&lt;p&gt;We can surely talk more about it some other day; for now, knowing this much about what symmetric and asymmetric encryption are is enough.&lt;/p&gt;

&lt;h2&gt;
  
  
  Ciphers:
&lt;/h2&gt;

&lt;p&gt;Let's talk about ciphers, no, not sippers, not chippers, not kippers. It's pronounced &lt;strong&gt;"sai·fuh"&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;When it comes to ciphers, what we're talking about here is actually an algorithm, or, if you prefer, a defined series of steps that have to be performed for encryption and decryption.&lt;/p&gt;

&lt;p&gt;Once a message or data has been encrypted using a cipher, it is considered unreadable unless, of course, whoever's receiving the data or message knows the secret key that's required to decrypt it.&lt;/p&gt;

&lt;p&gt;Now, believe it or not, ciphers are used everywhere, not just in our emails and our data itself, but also in other communication technologies like cell phones. This is what makes our cell phone calls more secure.&lt;/p&gt;

&lt;p&gt;Now I know what you're thinking. "Is there only one cipher?" No, there are actually several different types of ciphers. We can categorize them into two different types, either &lt;strong&gt;classical&lt;/strong&gt; or &lt;strong&gt;modern&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;I know, it sounds like we're going to talk about art, but we're not. Let's first take a look at classical. When it comes to classical ciphers, there are two common ones.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The first is just referred to as a substitution cipher. This is basically where a user replaces the plaintext, or the letters of the plaintext, with ciphertext. Examples of classical ciphers are the &lt;strong&gt;Caesar Cipher&lt;/strong&gt;, &lt;strong&gt;ROT13&lt;/strong&gt;, the &lt;strong&gt;Affine Cipher&lt;/strong&gt;, the &lt;strong&gt;Simple Substitution Cipher&lt;/strong&gt;, etc.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The second type includes the modern ciphers; they are a bit more complex and difficult to crack, and they are here to provide authenticity and security as well as the integrity of the sender. Modern ciphers include &lt;strong&gt;Symmetric Ciphers&lt;/strong&gt;, &lt;strong&gt;Asymmetric Ciphers&lt;/strong&gt;, &lt;strong&gt;Block Ciphers&lt;/strong&gt;, &lt;strong&gt;Stream Ciphers&lt;/strong&gt;, etc.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I guess we can talk about ciphers on another day; for now, for the basics, this is enough.&lt;/p&gt;

&lt;h2&gt;
  
  
  Basic Algorithms:
&lt;/h2&gt;

&lt;p&gt;Let's take a look at some other algorithms. When it comes to the different algorithms that are out there, the most common ones we will see are going to be:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;DES&lt;/li&gt;
&lt;li&gt;Triple DES or 3DES&lt;/li&gt;
&lt;li&gt;AES&lt;/li&gt;
&lt;li&gt;RC4&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  1. DES:
&lt;/h3&gt;

&lt;p&gt;Let's take a look at DES. Now DES is actually short for Data Encryption Standard. This bad boy was created back in the 1970s by IBM. It utilizes a 64-bit block. On top of that, it only uses a 56-bit key for encryption and decryption, which is not that great.&lt;/p&gt;

&lt;p&gt;In fact, this particular algorithm was cracked back in 1999. You've got to think about, first of all, were you even born, and what computing power did we have back then? Not very much.&lt;/p&gt;

&lt;p&gt;But DES itself actually provided up to 72 quadrillion possible encryption keys. And we were able to crack it.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. 3DES:
&lt;/h3&gt;

&lt;p&gt;Now, to cover this particular weakness, which could obviously be brute-forced very easily, we came up with Triple DES, or as some people call it, 3DES. And if you can't figure it out, the reason why it's called Triple DES is that it's DES times three.&lt;/p&gt;

&lt;p&gt;So what it does is go through the DES algorithm three times with three different keys. Triple DES uses what they refer to as a key bundle, which consists of keys one, two, and three, or K1, K2, and K3.&lt;/p&gt;

&lt;p&gt;Each key is a &lt;strong&gt;56-bit DES key&lt;/strong&gt;. And each key is utilized like this. First of all, DES encrypts using K1. Then DES decrypts with K2. Then DES encrypts again with K3. Now as far as how these keys are chosen, you have a couple of different options.&lt;/p&gt;

&lt;p&gt;The first option is that all three of the keys are completely different, or independent. The other option is that K1 and K3, since they're both used for encryption, are identical.&lt;/p&gt;

&lt;p&gt;And, actually, you know what, there's a third one, which is where all three keys are the same, but that's not very secure. The most secure would be the first option, where all three keys are independent.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. AES:
&lt;/h3&gt;

&lt;p&gt;Next up on our list is AES. AES, which stands for Advanced Encryption Standard, is actually kind of a grown-up compared to DES and Triple DES.&lt;/p&gt;

&lt;p&gt;It utilizes a &lt;strong&gt;128-bit block size&lt;/strong&gt;, and its keys are 128, 192, or 256 bits in size. I bet you can't guess what they call each one of those, right? &lt;strong&gt;AES 128&lt;/strong&gt;, &lt;strong&gt;AES 192&lt;/strong&gt;, and &lt;strong&gt;AES 256&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Now AES is a symmetric-key algorithm, created with the help of the &lt;strong&gt;National Institute of Standards and Technology&lt;/strong&gt;, and as far as government use goes, governments typically use it for encrypting data that is considered unclassified.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. RC4:
&lt;/h3&gt;

&lt;p&gt;We then have what they refer to as RC4, which is actually short for &lt;strong&gt;Rivest Cipher 4&lt;/strong&gt;. Some people think the R stands for the first name of &lt;strong&gt;Ron Rivest&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Ron is the first name of the gentleman who helped create it, but that's not what it stands for. It's actually Rivest Cipher 4. Now, this particular cipher is considered a variable-key-size symmetric-key stream cipher. And let's be honest, it's not that great because, guess what, we actually used to use this in WEP, yeah, WEP, the wireless security protocol that's been hacked very, very easily.&lt;/p&gt;

&lt;p&gt;And the reason why RC4 was actually open to different types of attacks is that it had what they refer to as a biased output. One example of what they mean by that is this: if the third byte of the original state is 0 and the second byte is not equal to 2, then the second output byte is always 0.&lt;/p&gt;

&lt;p&gt;Now that may seem complicated, but trust me, once we see patterns like this, we're able to go through and reverse engineer the particular cipher and crack it. And that's what happened to WEP. It wasn't until we started using WPA2, which actually uses AES, that things got a little bit more secure in our wireless environment.&lt;/p&gt;

&lt;h3&gt;
  
  
  Blowfish &amp;amp; Twofish:
&lt;/h3&gt;

&lt;p&gt;Two other algorithms that we should be familiar with: the first is what they refer to as Blowfish. The Blowfish algorithm was actually developed back in 1993, and I know you're thinking, "That's a long time ago." But it's actually quite a strong symmetric block cipher that we still use today. It does use the same key to encrypt and decrypt.&lt;/p&gt;

&lt;p&gt;It utilizes a &lt;strong&gt;64-bit block&lt;/strong&gt;, and its key is variable, anywhere from &lt;strong&gt;32 to 448 bits&lt;/strong&gt;. This particular cipher was actually designed to replace DES and Triple DES. Now it may be surprising to know that a lot of people still enjoy using AES, and I guess there's nothing really wrong with that, but you need to know that one of the advantages of Blowfish is its speed: the fact that it breaks things down into 64-bit blocks, versus AES, which uses a 128-bit block, allows for faster encryption and decryption.&lt;/p&gt;

&lt;p&gt;Now we also have something called Twofish. Twofish was actually created a few years after Blowfish. It was introduced to us back in 1998, and it's relatively close to the Blowfish cipher.&lt;/p&gt;

&lt;p&gt;That's why we have a similar name here, but it encrypts data at a &lt;strong&gt;128-bit block just like AES&lt;/strong&gt;. In fact, Twofish is very similar to AES because it supports 256-bit as well as 192-bit keys, and uses a single key. Now another reason why both of these particular ciphers are extremely popular is that they haven't been patented.&lt;/p&gt;

&lt;p&gt;They're open. In fact, Twofish was one of the top five finalists to replace DES for the US government.&lt;/p&gt;

&lt;h2&gt;
  
  
  Standards and Protocols:
&lt;/h2&gt;

&lt;p&gt;Let's now talk about standards and protocols. One of the most common standards that we see out there is something referred to as DSA. DSA is short for the &lt;strong&gt;Digital Signature Algorithm&lt;/strong&gt;. That makes sense, right? It's actually a federal information processing standard for creating digital signatures.&lt;/p&gt;

&lt;p&gt;Now how this signature standard works is that it creates a 320-bit digital signature, but the signature is also accompanied by anything from 512- to our private- and public-key technology or process. Again, a private key is going to be used by the person signing the document or the information, and the public key is then utilized to make sure that the signature is unique, or actually from the source it says it's from.&lt;/p&gt;

&lt;p&gt;Now another standard or signature scheme that's out there is referred to as RSA. RSA is the initials of its creators. Hey, you know what, the R is actually the same Ron Rivest from RC4, along with two other gentlemen: let's see, the last name of one is Shamir and the other gentleman is Adleman. Now, this also uses a public-key encryption system, and it uses two large prime numbers as its basis.&lt;/p&gt;

&lt;p&gt;Now we see RSA as a standard in a lot of our operating systems today: Microsoft, Apple, Novell (I think they still have an operating system), Sun Microsystems, as well as being utilized in networking cards, smartcards, even what we refer to as hardware-secured phones. Now, this may make your brain hurt a little bit (that's why I have included some videos for you to watch), but let me give you a brief synopsis of how this actually works.&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/4zahvcJ9glg"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;p&gt;First of all, two large prime numbers are taken, and we're going to call them a and b. These are the two prime numbers, and their product is determined by saying that c is equal to a times b, and c is what they refer to as the modulus.&lt;/p&gt;

&lt;p&gt;RSA then chooses another number, e, so that it is less than c and relatively prime to a-1 times b-1. What this does is make sure that e and a-1 times b-1 have no common factors with each other except for, obviously, 1.&lt;/p&gt;

&lt;p&gt;I know, it keeps getting better, because then &lt;strong&gt;RSA&lt;/strong&gt; chooses another number, f, and it does so such that ef-1 is divisible by a-1 times b-1. Now some of you algebra folks are following right along.&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/oOcTVTpUsPQ"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;p&gt;But wait, there's more. The values of e and f are referred to as the public and private exponents. Using those exponents, c and e are paired to create the public key, and the private key is created by pairing c and f together.&lt;/p&gt;

&lt;p&gt;Now the reason why this is so secure, or extremely secure, is that it's considered extremely difficult to obtain the private key, c and f, from the public key, c and e. Now, obviously, if someone is able to factor c into a and b, then that person could actually work out the private key, but the odds of somebody getting hold of those two randomly chosen prime numbers are very low.&lt;/p&gt;

&lt;p&gt;So, again, a lot more secure for us. Now that's just a highlight of &lt;strong&gt;RSA&lt;/strong&gt; and how it operates. If you want to get more detailed into it, I'd actually recommend jumping online and getting more depth on RSA.&lt;/p&gt;

&lt;p&gt;And then we also have what they refer to as the &lt;strong&gt;Diffie-Hellman&lt;/strong&gt; protocol. It's a cryptographic protocol that provides a method for securely exchanging your cryptographic keys over a public channel. It was actually one of the first public-key protocols, created back in.&lt;/p&gt;

&lt;p&gt;There is another one called &lt;strong&gt;ECC&lt;/strong&gt;, which stands for &lt;strong&gt;Elliptic Curve Cryptography&lt;/strong&gt;, but it is too complicated to cover here; if you want to know more about it, &lt;a href="https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/" rel="noopener noreferrer"&gt;here is an awesome article by Cloudflare&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hashes:
&lt;/h2&gt;

&lt;p&gt;Let's talk about hashes. When it comes to hashes, what we're trying to do is come up with a way to verify that a particular document hasn't changed. And how we do that is we take the document and assign what they refer to as a digital signature to it.&lt;/p&gt;

&lt;p&gt;That signature is represented by a hexadecimal code that basically says: if the hash of this document, or even an executable or an email, is equal to this number, then we know that it's legit, it's been signed, and nobody has changed it.&lt;/p&gt;

&lt;p&gt;But if somehow the document or the executable is changed, that hash value won't match, because it no longer calculates out to the same number.&lt;/p&gt;

&lt;p&gt;There are different kinds of hashes, like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;MD5&lt;/li&gt;
&lt;li&gt;SHA-1&lt;/li&gt;
&lt;li&gt;SHA-2&lt;/li&gt;
&lt;li&gt;Keccak and SHA-3&lt;/li&gt;
&lt;li&gt;SHA-256&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But unfortunately, we are not going to talk about them here; rather, we will discuss them in depth another day.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hashes designed for Messages:
&lt;/h2&gt;

&lt;p&gt;So now that we've got our hands on these different types of ciphers, there are some that are, in particular, designed for messages.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. HMAC:
&lt;/h3&gt;

&lt;p&gt;We first start off with what they refer to as HMAC, which is short for Hash-based Message Authentication Code. Now, this particular algorithm embeds a hash function like SHA-1 or MD5.&lt;/p&gt;

&lt;p&gt;Now, where its strength comes from depends on the embedded hash function, the key size, and the size of the hash output. Now, how HMAC operates is that there are actually two different stages. In those stages, there's a secret key that's created.&lt;/p&gt;

&lt;p&gt;There's an inner key and an outer key. The first pass of the algorithm produces an internal hash derived from the message and the inner key. The second pass produces the final HMAC code, derived from the inner hash result and the outer key.&lt;/p&gt;

&lt;p&gt;Now HMAC itself doesn't actually encrypt the message. But what it does do is take the message, whether it's encrypted or not, which then has to be sent alongside the HMAC hash. This way both parties can verify, using the secret key, that the message is coming from who it says it's coming from, i.e. that its authenticity is correct.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. CHAP:
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;CHAP&lt;/strong&gt;, which is short for &lt;strong&gt;Challenge Handshake Authentication Protocol&lt;/strong&gt;, is an authentication mechanism that we use via &lt;strong&gt;PPP&lt;/strong&gt; and a three-way handshake.&lt;/p&gt;

&lt;p&gt;Now one of the cool things about &lt;strong&gt;CHAP&lt;/strong&gt; is it actually provides a way to protect yourself against what we refer to as replay attacks. Now the downside is that &lt;strong&gt;CHAP&lt;/strong&gt; uses that shared key thing where both the client and the server have to know the plaintext of the secret.&lt;/p&gt;

&lt;p&gt;Now the funny thing here is Microsoft actually came out with their own version of CHAP that was called MS-CHAP that doesn't require either the sender or the receiver to know the plaintext, and it doesn't transmit it, but it's also been hacked.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. EAP:
&lt;/h3&gt;

&lt;p&gt;Next, we have &lt;strong&gt;EAP&lt;/strong&gt;, which is short for &lt;strong&gt;Extensible Authentication Protocol&lt;/strong&gt;. This particular protocol was originally designed for point-to-point communications. It is actually used as an alternative to CHAP, as well as PAP.&lt;/p&gt;

&lt;p&gt;I didn't put PAP up here because it's so outdated. But EAP itself is more secure and supports different authentication mechanisms, such as one-time passwords, standard passwords, and smart tokens. So, for example, a security card or a digital certificate or even public-key encryption could be utilized as well.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion:
&lt;/h2&gt;

&lt;p&gt;So in this article, we went through and got an introduction to cryptography, right? We talked about the purpose of cryptography. We also went through and talked about the different types of cryptography that are out there. We also talked about ciphers, or sippers or siffers, and these are, again, just different types of algorithms that are used in cryptography. Some of them are old school. Some are more up to date and give you better security. We then talked about &lt;strong&gt;DES&lt;/strong&gt; and &lt;strong&gt;AES&lt;/strong&gt;. When we talked about &lt;strong&gt;DES&lt;/strong&gt;, we also talked about &lt;strong&gt;Triple DES&lt;/strong&gt; and how there are some issues with those. Then, of course, there's &lt;strong&gt;AES&lt;/strong&gt;, which is one of the more secure standards out there. We then went through and talked about some of the other algorithms that are available to us. We talked about &lt;strong&gt;RC4&lt;/strong&gt;, as well as &lt;strong&gt;Blowfish&lt;/strong&gt; and &lt;strong&gt;Twofish&lt;/strong&gt;. Then we got into some of the standards and protocols, things like the digital signatures themselves, &lt;strong&gt;DSA&lt;/strong&gt;, as well as &lt;strong&gt;RSA&lt;/strong&gt;. And, of course, we then also talked about the &lt;strong&gt;Diffie-Hellman protocol&lt;/strong&gt;. And, of course, we then got into hashes and what they are, or what they represent for us. So that's it for today. I hope we will meet again with another article. Till then, have a nice day...&lt;/p&gt;

</description>
      <category>crypto</category>
      <category>cryptography</category>
      <category>devlive</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>Information Gathering with "theHarvester"</title>
      <dc:creator>sumanbasuli</dc:creator>
      <pubDate>Mon, 20 Jul 2020 16:22:22 +0000</pubDate>
      <link>https://dev.to/tropyl/information-gathering-with-theharvester-58l3</link>
      <guid>https://dev.to/tropyl/information-gathering-with-theharvester-58l3</guid>
      <description>&lt;p&gt;This is the first tool in the  &lt;a href="https://hashnode.com/series/red-team-tools-ckcr88zo800depgs16jt0asjf"&gt;Red Team Tools series&lt;/a&gt;  that I will be talking to you today. &lt;/p&gt;

&lt;p&gt;In this post, you will learn how to gather both technical and helpful information about your target using theHarvester tool. In a red team engagement, one of the most important steps of the whole project is gathering information about your client, and that's because the information that you collect in here will be really useful during the exploitation phase of your engagement.&lt;/p&gt;

&lt;p&gt;For example, if you do a really good information gathering job, you may find not‑so‑secure servers open to the internet, which can be way easier to exploit than the main company website. &lt;/p&gt;

&lt;p&gt;So, in this article, we'll cover theHarvester, which will help you to automate the information gathering so you can find tons of interesting information about your target. &lt;/p&gt;

&lt;p&gt;We start by showing how to use theHarvester to find  &lt;strong&gt;subdomains and IP&lt;/strong&gt; addresses that could be interesting for an exploitation phase. Then we also cover how to use the tool to find information about the people that work in the company, such as email addresses, Twitter accounts, and even LinkedIn profiles.&lt;/p&gt;

&lt;h2&gt;
  
  
  Important Note:
&lt;/h2&gt;

&lt;p&gt;All the targets used in this post are from publicly available bug bounty platforms like HackerOne, Bugcrowd, and Intigriti. So they are all open for performing recon or running theHarvester. Before proceeding make sure you have legal rights or written consent of doing recon or running theHarvester on your target.&lt;/p&gt;

&lt;h2&gt;
  
  
  Understanding Information Gathering and theHarvester:
&lt;/h2&gt;

&lt;p&gt;Imagine you are bug hunting on WordPress and Intigriti. Your first step is getting information about your target.&lt;/p&gt;

&lt;p&gt;So, did you know that you can gather tons of information about your target just by doing some searches on the internet? Yes, that's right. Without sending a single packet to our target, we can gather tons of valuable information.&lt;/p&gt;

&lt;p&gt;For example, we can use search engines such as Google, Yahoo, and Bing to get information about WordPress and Intigriti. In just a few seconds we can do a few searches and find subdomains that we could attack later. &lt;/p&gt;

&lt;p&gt;Sometimes the main website of a company is secure, but its other systems, such as the email server or the HR applications, may not be.&lt;/p&gt;

&lt;p&gt;Also, we can use the same search engines to find email addresses related to this company. As you may know, Google indexes data from several websites so you can find email addresses even if they're posted on a different website.&lt;/p&gt;

&lt;p&gt;And more than that, we can use those search engines to find sensitive files that may be exposed to the public. For example, you may find metric diagrams or even database backups that may be useful later in the red team engagement. &lt;/p&gt;

&lt;p&gt;And also, we can use sites such as LinkedIn to find more information about the employees of a company. In a few minutes, we can quickly find the name of key people in the company, which can be useful for social engineering attacks. &lt;/p&gt;

&lt;p&gt;And the best part about this is that we can search as much as we want because it's not illegal to search for data that is exposed to the internet. And also your target will never know that you're searching for their information. &lt;/p&gt;

&lt;h2&gt;
  
  
  Installing the tool:
&lt;/h2&gt;


&lt;div class="ltag_asciinema"&gt;
  
&lt;/div&gt;


&lt;p&gt;Before proceeding, make sure you have a working Linux environment: Kali Linux, Ubuntu, or any other Linux distro running on VMware, VirtualBox, or Hyper-V, or even &lt;em&gt;WSL 1/2&lt;/em&gt;, will work. For this post, we will use Kali Linux as our Linux distro.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;If at any time you feel that you are not able to follow the article, the asciinema recording above will help.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The easiest way of installing theHarvester in 2020 is to just paste this command into your terminal, but unfortunately it doesn't work on every system. (If you are using Kali Linux it is preinstalled, and you can skip this step.)&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo apt-get install theharvester
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If this command didn't work for you, there is another way, a longer one... let's see:&lt;/p&gt;

&lt;p&gt;First make sure you have git installed, which nowadays comes installed by default on major Linux distros. If it is not installed, you can follow &lt;a href="https://linuxize.com/post/how-to-install-git-on-ubuntu-18-04/"&gt;this article from Linuxize.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;First, make sure all your packages are up to date:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo apt update &amp;amp;&amp;amp; sudo apt upgrade -y
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;After performing all the updates and upgrades, now get into a directory such as tools, or whatever you prefer; I will be using tools:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;mkdir tools
cd tools
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Once you are in the directory, we will clone the git repo of theHarvester:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;git clone https://github.com/laramies/theHarvester
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Once the repo is cloned, we can get into the folder:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cd theHarvester
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now we need to install pip, assuming that you have Python 3 installed:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo apt install python3-pip
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Now we need to install the required packages for theHarvester to work:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python3 -m pip install -r requirements/base.txt
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Once the required packages are installed, we are ready to start the tool:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python3 theHarvester.py
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;em&gt;If the tool doesn't start for you, watch the asciinema recording above.&lt;/em&gt; It gives the full walkthrough of installing the tool, and you can also copy the commands from there.&lt;/p&gt;
&lt;h2&gt;
  
  
  DNS, Subdomains, and IP Addresses:
&lt;/h2&gt;


&lt;div class="ltag_asciinema"&gt;
  
&lt;/div&gt;



&lt;p&gt;Now that our tool is installed properly, we can get into actually using it.&lt;/p&gt;

&lt;p&gt;So, if you want to follow along, you can start theHarvester. For this section, our target will be the wordpress.org domain. We will gather emails, subdomains, and IP addresses about it.&lt;/p&gt;

&lt;p&gt;To do so we will run this command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python3 theHarvester.py \
    -d wordpress.org \
    -l 500 \
    -b google,bing,yahoo,duckduckgo
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;After the CLI has automatically grabbed the email addresses and subdomains available on the internet, you will see a full list something like this:&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[*] Target: wordpress.org

        Searching 0 results.
[*] Searching Bing.
        Searching 0 results.
[*] Searching Duckduckgo.
        Searching 100 results.
        Searching 200 results.
        Searching 300 results.
        Searching 400 results.
        Searching 500 results.
[*] Searching Google.

[*] No IPs found.

[*] No emails found.

[*] Hosts found: 227
---------------------
af.wordpress.org:198.143.164.252
am.wordpress.org:198.143.164.252
...
...
zh-sg.wordpress.org:198.143.164.252
zul.wordpress.org:198.143.164.252

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;&lt;strong&gt;Here we are using &lt;code&gt;-d&lt;/code&gt;, &lt;code&gt;-l&lt;/code&gt;, &lt;code&gt;-b&lt;/code&gt; flags. By the way, do you know what these mean?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;-d&lt;/code&gt; flag specifies the domain to search; the official docs say that you can even enter a company name instead of the domain name, but entering a domain name works great.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;-l&lt;/code&gt; flag limits the number of results to work with (Bing pages through results in steps of 50, Google in steps of 100, and PGP doesn't use this option).&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;-b&lt;/code&gt; flag selects the data sources to query; in our case we used Google, Bing, Yahoo, and DuckDuckGo. You might also use Baidu, LinkedIn, or Twitter (we will use the last two in the next section).&lt;/p&gt;

&lt;p&gt;One more thing: you may be asking where the emails were. Unfortunately, the domain we used didn't have any email addresses exposed in search engines. But in the next section, you will see that the domain we use there has 2 emails.&lt;/p&gt;
&lt;h2&gt;
  
  
  Email Addresses, Linkedin Profiles, and Twitter handles:
&lt;/h2&gt;


&lt;div class="ltag_asciinema"&gt;
  
&lt;/div&gt;



&lt;p&gt;In the previous section, we looked at a very basic feature of theHarvester, which listed the available domains, emails, and IP addresses from specific data sources.&lt;/p&gt;

&lt;p&gt;Previously we used search engines as our data source. Now we will be using LinkedIn and Twitter as our data sources.&lt;/p&gt;

&lt;p&gt;But before proceeding, make sure your IP is proxied, either through Tor (using torghost) or a VPN, because your IP has probably been banned by Google for running the automated requests above.&lt;/p&gt;

&lt;p&gt;Nothing to worry about: only your CLI cannot access google.com; you still can.&lt;/p&gt;

&lt;p&gt;Now, first, we will change our domain to demonstrate how you can also find emails using this tool.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python3 theHarvester.py -d intigriti.com -l 500 -b google,bing, yahoo,duckduckgo
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;I can't show you the output, but you can test yourself and see the result.&lt;/p&gt;

&lt;p&gt;Now let's use Linkedin as our data source:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python3 theHarvester.py \
    -d intigriti.com \
    -l 500 \
    -b linkedin
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;After the tool has found all the available users, it will give an output something like this. Not exactly like this, but something like this (because I can't make the names public LOL... if you are too curious, check yourself).&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[*] Searching Linkedin.

[*] Users found: 277
---------------------
A*****a S****a - Cyber Security Researcher
A***s A****f - Event Manager
...
...
s****a j**n - Accountant
xxxx yyyyy - security
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Now I guess you've got it: just change the data sources and you will get your preferred results. I am not going to show you every result and every command; I am leaving it up to you to test other sources like Twitter.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bonus Tips:
&lt;/h2&gt;

&lt;p&gt;You may think that this is all the tool can do, right? Nope...&lt;/p&gt;

&lt;p&gt;It is way more powerful. I am not showing you each and every thing, because this series is not about spoon-feeding you all the techniques and methods of using a tool; rather, it is meant to make you familiar with the tool so you can explore the rest yourself.&lt;/p&gt;

&lt;p&gt;Go ahead and run theHarvester with the &lt;code&gt;-h&lt;/code&gt; flag and you should see something like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 3.1.0                                         *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
******************************************************************* 


usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-g] [-p] [-s] [-v] [-e DNS_SERVER] [-t DNS_TLD] [-n] [-c] [-f FILENAME] [-b SOURCE]

theHarvester is used to gather open-source intelligence (OSINT) on a company or domain.

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        company name or domain to search
  -l LIMIT, --limit LIMIT
                        limit the number of search results, default=500
  -S START, --start START
                        start with result number X, default=0
  -g, --google-dork     use Google Dorks for Google search
  -p, --port-scan       scan the detected hosts and check for Takeovers (21,22,80,443,8080)
  -s, --shodan          use Shodan to query discovered hosts
  -v, --virtual-host    verify host name via DNS resolution and search for virtual hosts
  -e DNS_SERVER, --dns-server DNS_SERVER
                        DNS server to use for lookup
  -t DNS_TLD, --dns-tld DNS_TLD
                        perform a DNS TLD expansion discovery, default False
  -n, --dns-lookup      enable DNS server lookup, default False
  -c, --dns-brute       perform a DNS brute force on the domain
  -f FILENAME, --filename FILENAME                                                                                                                                      
                        save the results to an HTML and/or XML file
  -b SOURCE, --source SOURCE
                        baidu, bing, bingapi, certspotter, crtsh, dnsdumpster, dogpile, duckduckgo, github-code, google, hunter, intelx, linkedin, linkedin_links,
                        netcraft, otx, securityTrails, spyse(disabled for now), threatcrowd, trello, twitter, vhost, virustotal, yahoo, all

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Carefully read these flags and test for yourself what this tool can and cannot do.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion:
&lt;/h2&gt;

&lt;p&gt;Awesome. I hope you enjoyed the demos, but before we go I want to leave you with more information about this amazing tool.&lt;/p&gt;

&lt;p&gt;First, I do recommend you learn more about theHarvester. This tool can easily be expanded for your needs. For example, you can create new modules that will automate specific searches for you. And trust me, it'd save you a lot of time.&lt;/p&gt;

&lt;p&gt;You can also integrate theHarvester with other tools that you may use. Since theHarvester is a command line tool, it can be scripted to automate several searches. For example, you can create batch scripts that do dozens of searches at once.&lt;/p&gt;

&lt;p&gt;So, go check out the GitHub page for this tool. In there you'll find tons of interesting information and even a wiki, which will teach you how to use the tool and how to customize it.&lt;/p&gt;

&lt;p&gt;Also, you may be wondering what you can do to protect your company from this kind of information gathering attack.&lt;/p&gt;

&lt;p&gt;Well, the first suggestion is to use theHarvester against your own company so that you can see what is available to the world. You may find really interesting things. For example, I found that my email address was on the About page of an old website that I used to have.&lt;/p&gt;

&lt;p&gt;And that explains why I used to receive tons of spam email. Once you find information that is available on the internet, you can try to reduce your footprint. For example, you can ensure that your DNS records are not revealing any sensitive information.&lt;/p&gt;

&lt;p&gt;Or you can try to delete your email address from all the pages you can find. Or you can even make sure that you decommission old websites so that they are not available to hackers.&lt;/p&gt;

&lt;p&gt;So that's it. I hope you liked our demos and that now you have a new tool in your belt for your next red team engagement. Any queries or suggestions, let me know in the comments. So, I'll see you later in another article in this series.&lt;/p&gt;

</description>
      <category>security</category>
      <category>pentest</category>
      <category>redteamtools</category>
      <category>infosec</category>
    </item>
    <item>
      <title>What is an API</title>
      <dc:creator>sumanbasuli</dc:creator>
      <pubDate>Sun, 12 Jul 2020 04:21:33 +0000</pubDate>
      <link>https://dev.to/tropyl/what-is-an-api-3koj</link>
      <guid>https://dev.to/tropyl/what-is-an-api-3koj</guid>
      <description>&lt;p&gt;Have you ever shopped at a place that promised lower prices by cutting out the middleman? Although this might make things easier in the real world, since you don’t have to deal with that cheesy storefront and high-pressure salesman, that middleman is actually very important in the computer world.&lt;br&gt;
The Wikipedia definition for API goes like this: “An Application Programming Interface (&lt;strong&gt;API&lt;/strong&gt;) is a set of functions, procedures, methods, or classes used by computer programs to request services from the operating system, software libraries, or any other service providers running on the computer.”&lt;/p&gt;

&lt;p&gt;But hardly anyone can understand this, right?&lt;/p&gt;

&lt;p&gt;So, let’s dive deep into this:&lt;/p&gt;
&lt;h2&gt;
  
  
  What Actually is an API:
&lt;/h2&gt;

&lt;p&gt;Let’s consider software as a club-sandwich-like stack of different programs, some of which sit between whatever program you’re interacting with directly and the hardware itself. Without these layers, programmers and developers would have to code differently for every single hardware configuration on the planet, which would be impossible.&lt;/p&gt;

&lt;p&gt;Other layers sit between two different pieces of other software and help them talk to each other without needing to have tons of code in common.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--000A8qYl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/egoj9sbggdzz272w8qos.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--000A8qYl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/egoj9sbggdzz272w8qos.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;These software layers help standardize the coding process so that programs can interface with lots of different things easily. While you might be most familiar with a layer called a device driver, which translates program instructions and talks directly to your hardware, another layer called an &lt;strong&gt;application programming interface&lt;/strong&gt; or &lt;strong&gt;API&lt;/strong&gt; can be just as important.&lt;/p&gt;

&lt;p&gt;But if a driver is already there to serve as the link between your hardware and programs, then what does the API actually do?&lt;/p&gt;

&lt;p&gt;Think of it like this: Windows, Mac OS, and Linux all provide a graphical interface: buttons, checkboxes, menus, etc. that are easy to click on. Without that, you’d be left tediously typing commands for everything you want to do.&lt;/p&gt;

&lt;p&gt;That is how it was back in the days when DOS ruled the world (or, if you’re a Bash fan, yesterday). Similarly, an API provides a simpler way for developers to interact with other kinds of software.&lt;/p&gt;

&lt;p&gt;A really good example of this is the social media plugins that you see on certain websites, such as a news article that embeds tweets, or a page that, for better or for worse, lets people leave Facebook comments.&lt;/p&gt;

&lt;p&gt;Both Twitter and Facebook have their own APIs that they make available to web developers, making it easy for them to bake Twitter and Facebook features into their own pages.&lt;/p&gt;

&lt;p&gt;Without these APIs, these social media giants would have to share code directly with the owners of other sites, which would be tedious, difficult, and possibly give away certain trade secrets.&lt;/p&gt;

&lt;p&gt;So, I think now that you have got some initial ideas of what an API is, let’s see how this works and functions in the real world.&lt;/p&gt;
&lt;h2&gt;
  
  
  How Does an API Work?
&lt;/h2&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/bD83nOfYmPw"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;p&gt;Previously you read that APIs make life easier for developers and enterprises, but how do they actually work?&lt;/p&gt;

&lt;p&gt;Think of an API as a messenger that takes your request, tells the system what you want to do, and then returns the response back to you.&lt;/p&gt;

&lt;p&gt;For example, if you want to share this particular post on your favorite social media, you just simply click the button. A popup opens and your message gets shared.&lt;/p&gt;

&lt;p&gt;This is not that easy…&lt;/p&gt;

&lt;p&gt;When you press the button, you are requesting your social media, let’s say Facebook, to share this particular post. Then the Facebook API takes your request and delivers it to the Facebook servers.&lt;/p&gt;

&lt;p&gt;Then the Facebook servers return a “share this article” response, a popup opens, and this article gets shared.&lt;/p&gt;

&lt;p&gt;If you still cannot understand how an API works, let’s take another example.&lt;/p&gt;

&lt;p&gt;Imagine you are sitting in a restaurant: you have a menu of choices to order from, and the kitchen is the part of the system that will prepare your order and deliver the food back to you. But there’s something missing, right?&lt;/p&gt;

&lt;p&gt;Yes, the connection between your table and the kitchen. Here comes the waiter, or API, which makes your life easier by carrying your order to the kitchen and then delivering the food back to your table.&lt;/p&gt;

&lt;h2&gt;
  
  
  Types of APIs:
&lt;/h2&gt;

&lt;p&gt;Picking the right type of API is essential for any project. So, let’s see how many types of APIs there are and what their use cases are.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Web APIs:
&lt;/h3&gt;

&lt;p&gt;Web APIs, Web-based APIs, or Web Services APIs are the ones most commonly used by websites. They are mainly based on Web Services standards carried over hypertext (HTTP), like REST, SOAP, XML-RPC, and JSON-RPC.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Source-Code APIs:
&lt;/h3&gt;

&lt;p&gt;Source code APIs offer libraries of objects, classes, etc. Source code APIs are often used in development projects to create a composite application. The calls are made according to the standards of the application environment such as &lt;strong&gt;J2EE&lt;/strong&gt; or &lt;strong&gt;.NET&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Legacy APIs:
&lt;/h3&gt;

&lt;p&gt;A variety of legacy approaches to application interfaces employ flat files, remote object protocols, operating system interfaces, hardware APIs, communication protocols, message queues, and other means.&lt;/p&gt;

&lt;p&gt;Referring to these as legacy is not meant to be pejorative, but rather a way of grouping a variety of long-standing and established, albeit somewhat older, protocols together. A good example of a legacy API is CORBA, or Common Object Request Broker Architecture.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion:
&lt;/h2&gt;

&lt;p&gt;I think this article has given you some idea of what an API is and how it works. If you feel that this article has helped you, please share it with the world. And if you have any queries, feel free to let me know in the comments. I reply to every single one.&lt;/p&gt;

</description>
      <category>api</category>
      <category>dev</category>
    </item>
  </channel>
</rss>
