KILLSHOT TO HACK ANY WEBSITE

ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/05/29/killshot-to-hack-any-website/

The KillShot tool can crawl target web applications and find backend web technologies, identify CMS (Content Management System) in use, and scan open ports with running services. KillShot is design to scan any website and gather information using other bunch of useful tools like – whatweb, dig, fierce, wafw00f and Identifies the CMS and to find the vulnerability using CMS Exploit Scanner && WebApp Vul Scanner. You can use the killShot to scan with other popular tools and these all are the part of ethical hacking classes offered by International Institute of Cyber Security.

INSTALLATION:

• This tool is tested on kali linux 2018.2
• Open terminal and type git clone https://github.com/bahaabdelwahed/killshot

• When downloaded then type cd killshot

• Then type ruby setup.rb (if setup show any error just try to install the gems/tool manually )

• It will take some time ask some permissions in yes or no, always press y and continue installing . To Run the tool type ruby killshot.rb

• Then type help

USAGE

• We are using http://www.hackthissite.org as a target
• After help option choose site (MAKE YOUR TARGET) and enter

root@kali:~/killshot# ruby Killshot.rb
 ██╗  ██╗██╗██╗     ██╗         ███████╗██╗  ██╗ ██████╗ ████████╗
 ██║ ██╔╝██║██║     ██║         ██╔════╝██║  ██║██╔═══██╗╚══██╔══╝
 █████╔╝ ██║██║     ██║         ███████╗███████║██║   ██║   ██║
 ██╔═██╗ ██║██║     ██║         ╚════██║██╔══██║██║   ██║   ██║
 ██║  ██╗██║███████╗███████╗    ███████║██║  ██║╚██████╔╝   ██║
 ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝    ╚══════╝╚═╝  ╚═╝ ╚═════╝    ╚═╝
                                <Track my Target>       Gather information                                                            About Targets
track>>> : help
[site] MAKE YOUR TARGET
[help] show this MESSAGE
[targ] Search targets
[exit] exit the script
[uptd] Update KillShot
[anon] Run Anonymous Mode
[info] About killShot
track>>> :

• Then enter the website which you want to scan . We are using
• http://www.hackthissite.org and hit enter

       .n                   .                 .                  n.
  .   .dP                  dP                   9b                 9b.    .
 4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP
 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
  `9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
    `9XXXXXXXXXXXP' `9XX'   Hide    `98v8P'  Hack   `XXP' `9XXXXXXXXXXXP'
        ~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
                        )b.  .dbo.dP'`v'`9b.odb.  .dX

{0} Spider
 {1} Web technologie
 {2} WebApp Vul Scanner
 {3} Port Scanner
 {4} CMS Scanner
 {5} Fuzzers
 {6} Cms Exploit Scanner
 {7} Backdoor Generation
 {8} Linux Log Clear
 {9} Find MX/NS
 info>>> :

• Now it will show the multiple options ,you can use any one of them
• Here we are using 0 spider

info>>> : 0
  ip For www.hackthissite.org :: "137.74.187.104"
 Links And Paths  ::
 Related domains and Parameters ::
 https://www.hackthissite.org
 irc://irc.hackthissite.org:+7000/
 https://www.hackthissite.org/forums
 https://www.cafepress.com/htsstore
 https://hts.io
 

Tweets by hackthissite

 /
 https://www.hackthissite.org/TNG355Q5B85cL3PDeI88H0dLCRYaA776flCTc4MX0u136lQ4hP94cZSnOFheqEU9zT8k6WDlcG17HglFDUi0Tg7kH42bzckCR4Q2ZQ
 https://www.hackthissite.org/advertise/
 /user/login
 /register
 /user/resetpass
 https://www.hackthissite.org/donate/
 /missions/basic/
 /missions/realistic/
 /missions/application/
 /missions/programming/
 /missions/phonephreaking/
 /missions/javascript/
 /missions/forensic/
 /missions/playit/extbasic/0/
 /missions/playit/stego/0/
 irc://irc.hackthissite.org/htb
 /blogs
 /news
 /pages/articles/article.php
 /lectures
 /pages/programs/programs.php
 http://mirror.hackthissite.org/hackthiszine/

• This output will show crawled pages of target domain. It also showed the user login and register pages of the target.

• And then we are using 1 web technologie, in this option it will scan the website using WhatWeb Information, Dig and also tries zone transfer and Brute force, Trace route result and Firewall And IDS Detection.

info>>> : 1
  [+]Basic WhatWeb Information  ::
  terminated with exception (report_on_exception is true):
 Traceback (most recent call last):
         2542: from /usr/bin/whatweb:981:in block (2 levels) in <main>'         2541: from /usr/bin/whatweb:981:inloop'
2540: from /usr/bin/whatweb:988:in block (3 levels) in <main>'         2539: from /usr/share/whatweb/lib/target.rb:96:inopen'
2538: from /usr/share/whatweb/lib/target.rb:188:in open_url'         2537: from /usr/lib/ruby/2.5.0/net/http.rb:1455:inrequest'
2536: from /usr/lib/ruby/2.5.0/net/http.rb:909:in start'         2535: from /usr/lib/ruby/2.5.0/net/http.rb:920:indo_start'
… 2530 levels…
4: from /usr/lib/ruby/2.5.0/resolv.rb:524:in block in fetch_resource'            3: from /usr/lib/ruby/2.5.0/resolv.rb:769:insender'
2: from /usr/lib/ruby/2.5.0/resolv.rb:629:in allocate_request_id'            1: from /usr/lib/ruby/2.5.0/resolv.rb:629:insynchronize'
/usr/lib/ruby/2.5.0/resolv.rb:630:in block in allocate_request_id': stack level too deep (SystemStackError) Traceback (most recent call last):         2542: from /usr/bin/whatweb:981:inblock (2 levels) in 
'
.-------------------------SNIP---------------------------------------------
2541: from /usr/bin/whatweb:981:in loop'         2540: from /usr/bin/whatweb:988:inblock (3 levels) in '
2539: from /usr/share/whatweb/lib/target.rb:96:in open'         2538: from /usr/share/whatweb/lib/target.rb:188:inopen_url'
2537: from /usr/lib/ruby/2.5.0/net/http.rb:1455:in request'         2536: from /usr/lib/ruby/2.5.0/net/http.rb:909:instart'
2535: from /usr/lib/ruby/2.5.0/net/http.rb:920:in do_start'          ... 2530 levels...            4: from /usr/lib/ruby/2.5.0/resolv.rb:524:inblock in fetch_resource'
3: from /usr/lib/ruby/2.5.0/resolv.rb:769:in sender'            2: from /usr/lib/ruby/2.5.0/resolv.rb:629:inallocate_request_id'
1: from /usr/lib/ruby/2.5.0/resolv.rb:629:in synchronize' /usr/lib/ruby/2.5.0/resolv.rb:630:inblock in allocate_request_id': stack level too deep (SystemStackError)
[+]Host Result ::
www.hackthissite.org has address 137.74.187.100
www.hackthissite.org has address 137.74.187.103
www.hackthissite.org has address 137.74.187.104
www.hackthissite.org has address 137.74.187.102
www.hackthissite.org has address 137.74.187.101
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:102
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:103
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:101
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:104
www.hackthissite.org has IPv6 address 2001:41d0:8:ccd8:137:74:187:100
[+]Dig Result About Dns::
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7021 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;8.8.8.8. IN A ;; AUTHORITY SECTION: . 6767 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019050800 1800 900 604800 86400 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5506
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;www.hackthissite.org. IN A
;; ANSWER SECTION:
www.hackthissite.org. 2440 IN A 137.74.187.100
www.hackthissite.org. 2440 IN A 137.74.187.103
www.hackthissite.org. 2440 IN A 137.74.187.104
www.hackthissite.org. 2440 IN A 137.74.187.102
www.hackthissite.org. 2440 IN A 137.74.187.101
[+]Trying zone transfer and Brute force ::
Option w is ambiguous (wide, wordlist)
Trying zone transfer first…
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way… brute force
Checking for wildcard DNS…
Nope. Good.
Now performing 2280 test(s)…
Subnets found (may want to probe here using nmap or unicornscan):
Done with Fierce scan: http://ha.ckers.org/fierce/
Found 0 entries.
Have a nice day.

• This output will show the basic whatweb information of a website. Its scan detected application, web servers and other technologies. It also scan the web server HTTP headers and the HTML source of a target.
• Host result: its shows the host ip of the website and also scan IPv4 or IPv6 of a website .
• It also scan the Firewall And IDS on the target (No WAF detected by the generic detection) it means NO WAF (Web Application Firewall).
• dig tool is used for querying DNS nameservers, for information like host addresses, mail exchange, nameservers and related information. Its also find the A records of the target.

NOTE TO GET ALL THE OPTIONS DON’T NEED TO SCROLL DOWN JUST TYPE BANNERAND IT WILL SHOW THE OPTIONS

• And now we are using {3} Port Scanner this will scan whole target ports using two tools nmap and unicorn scan

NMAP SCAN:

• Then you can choose any one of them

            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>0

• Type 0

            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>0
[2] Nmap Os Scan
[3] Nmap TCP Scan
[4] Nmap UDB Scan
[5] Nmap All scan
[6] Nmap Http Option Scan
[7] Nmap Live target In Network
Scanner >>

• It will show the all option of Nmap

            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>0
[2] Nmap Os Scan
[3] Nmap TCP Scan
[4] Nmap UDB Scan
[5] Nmap All scan
[6] Nmap Http Option Scan
[7] Nmap Live target In Network
Scanner >>5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-09 05:59 EDT
Nmap scan report for www.acunetix.com (54.208.84.166)
Host is up (0.24s latency).
rDNS record for 54.208.84.166: ec2-54-208-84-166.compute-1.amazonaws.com
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx
|http-server-header: acunetix.com |_http-title: Did not follow redirect to https://acunetix.com/ 443/tcp open ssl/http nginx | http-robots.txt: 3 disallowed entries |/dontVisitMe/ /blog/worldsecuritynews/* /
|_http-server-header: acunetix.com
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=.acunetix.com/organizationName=Acunetix Ltd/stateOrProvinceName=ST. JULIANS/countryName=MT | Subject Alternative Name: DNS:.acunetix.com, DNS:acunetix.com
| Not valid before: 2018-10-24T00:00:00
|_Not valid after: 2020-11-18T12:00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: media device|specialized|general purpose
Running: Crestron embedded, Wago Kontakttechnik embedded, Linux 2.4.X
OS CPE: cpe:/h:crestron:mpc-m5 cpe:/h:wago_kontakttechnik:750-852 cpe:/o:linux:linux_kernel:2.4.26
OS details: Crestron MPC-M5 AV controller or Wago Kontakttechnik 750-852 PLC, Linux 2.4.26 (Slackware 10.0.0)
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 …
2 4.06 ms 115.97.136.1
3 … 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.15 seconds

• Nmap TCP Scan shows the tcp open and closed ports, working concept behind these scans is one of the very interesting part of ethical hacking classes of International Institute of Cyber Security.
• And its also shows info of load balancer on target
• It also shows the rDNS records

UNICON SCAN:

Now we are scanning with unicon scan. You have to follow all the steps to get the port scanning option and then select 1

            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>1
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network
Scanner >>

• It will show the types of scans which are available

• let select [9] TCP SYN Scan on a whole network and it will ask you for a router IP address 192.168.1.1

            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>1
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network
Scanner >>9
Your Router Ip : 192.168.1.1

• And let the scan continue

            _        _____  /        | |      / ____| /    _   _| |_ ___| (___   ___ __ _ _ __  _ __   ___ _ __
/ / | | | | / _ _ / / ` | ' | '_ / _ '|
/ _ || | || () |) | (| (| | | | | | | | / | // ,|// ,|| ||| ||__
[0] Nmap Scan
[1] Unicorn Scan
Scanner >>1
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network
Scanner >>9
Your Router Ip : 192.168.1.1
adding 192.168.1.0/24 mode TCPscan' ports7,9,11,13,18,19,21-23,25,37,39,42,49,50,53,65,67-70,79-81,88,98,100,105-107,109-111,113,118,119,123,129,135,137-139,143,150,161-164,174,177-179,191,199-202,204,206,209,210,213,220,345,346,347,369-372,389,406,407,422,443-445,487,500,512-514,517,518,520,525,533,538,548,554,563,587,610-612,631-634,636,642,653,655,657,666,706,750-752,765,779,808,873,901,923,941,946,992-995,1001,1023-1030,1080,1210,1214,1234,1241,1334,1349,1352,1423-1425,1433,1434,1524,1525,1645,1646,1649,1701,1718,1719,1720,1723,1755,1812,1813,2048-2050,2101-2104,2140,2150,2233,2323,2345,2401,2430,2431,2432,2433,2583,2628,2776,2777,2988,2989,3050,3130,3150,3232,3306,3389,3456,3493,3542-3545,3632,3690,3801,4000,4400,4321,4567,4899,5002,5136-5139,5150,5151,5222,5269,5308,5354,5355,5422-5425,5432,5503,5555,5556,5678,6000-6007,6346,6347,6543,6544,6789,6838,6666-6670,7000-7009,7028,7100,7983,8079-8082,8088,8787,8879,9090,9101-9103,9325,9359,10000,10026,10027,10067,10080,10081,10167,10498,11201,15345,17001-17003,18753,20011,20012,21554,22273,26274,27374,27444,27573,31335-31338,31787,31789,31790,31791,32668,32767-32780,33390,47262,49301,54320,54321,57341,58008,58009,58666,59211,60000,60006,61000,61348,61466,61603,63485,63808,63809,64429,65000,65506,65530-65535' pps 300
using interface(s) eth0
----------------------------------SNIP-------------------------------------
scaning 2.56e+02 total hosts with 8.65e+04 total packets, should take a little longer than 4 Minutes, 55 Seconds
connected 192.168.1.12:34682 -> 192.168.1.10:139
TCP open 192.168.1.10:139 ttl 128
connected 192.168.1.12:19928 -> 192.168.1.5:139
TCP open 192.168.1.5:139 ttl 128
connected 192.168.1.12:57128 -> 192.168.1.3:139
TCP open 192.168.1.3:139 ttl 128
connected 192.168.1.12:40890 -> 192.168.1.4:139
TCP open 192.168.1.4:139 ttl 128
connected 192.168.1.12:63984 -> 192.168.1.3:3389
TCP open 192.168.1.3:3389 ttl 128
connected 192.168.1.12:4474 -> 192.168.1.1:23
TCP open 192.168.1.1:23 ttl 64
connected 192.168.1.12:19804 -> 192.168.1.5:445
TCP open 192.168.1.5:445 ttl 128
connected 192.168.1.12:17218 -> 192.168.1.10:445
TCP open 192.168.1.10:445 ttl 128
connected 192.168.1.12:16075 -> 192.168.1.4:445
TCP open 192.168.1.4:445 ttl 128
connected 192.168.1.12:35635 -> 192.168.1.3:445
TCP open 192.168.1.3:445 ttl 128
connected 192.168.1.12:59512 -> 192.168.1.1:53
TCP open 192.168.1.1:53 ttl 64
connected 192.168.1.12:17273 -> 192.168.1.1:80
TCP open 192.168.1.1:80 ttl 64
connected 192.168.1.12:17994 -> 192.168.1.3:554
TCP open 192.168.1.3:554 ttl 128
connected 192.168.1.12:10098 -> 192.168.1.4:554
TCP open 192.168.1.4:554 ttl 128
connected 192.168.1.12:5254 -> 192.168.1.10:135
TCP open 192.168.1.10:135 ttl 128
connected 192.168.1.12:10011 -> 192.168.1.3:135
TCP open 192.168.1.3:135 ttl 128
connected 192.168.1.12:19956 -> 192.168.1.4:135
TCP open 192.168.1.4:135 ttl 128
connected 192.168.1.12:21180 -> 192.168.1.5:135
TCP open 192.168.1.5:135 ttl 128
connected 192.168.1.12:14926 -> 192.168.1.1:443
TCP open 192.168.1.1:443 ttl 64
connected 192.168.1.12:17101 -> 192.168.1.10:443
TCP open 192.168.1.10:443 ttl 128
connected 192.168.1.12:6074 -> 192.168.1.3:443
TCP open 192.168.1.3:443 ttl 128
connected 192.168.1.12:51922 -> 192.168.1.4:443
TCP open 192.168.1.4:443 ttl 128
connected 192.168.1.12:13164 -> 192.168.1.6:22
TCP open 192.168.1.6:22 ttl 64
sender statistics 177.8 pps with 86528 packets sent total
listener statistics 2894 packets recieved 0 packets droped and 0 interface drops
TCP open telnet[ 23] from 192.168.1.1 ttl 64
TCP open domain[ 53] from 192.168.1.1 ttl 64
TCP open http[ 80] from 192.168.1.1 ttl 64
TCP open https[ 443] from 192.168.1.1 ttl 64
TCP open epmap[ 135] from 192.168.1.3 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.3 ttl 128
TCP open https[ 443] from 192.168.1.3 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.3 ttl 128
TCP open rtsp[ 554] from 192.168.1.3 ttl 128
TCP open ms-wbt-server[ 3389] from 192.168.1.3 ttl 128
TCP open epmap[ 135] from 192.168.1.4 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.4 ttl 128
TCP open https[ 443] from 192.168.1.4 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.4 ttl 128
TCP open rtsp[ 554] from 192.168.1.4 ttl 128
TCP open epmap[ 135] from 192.168.1.5 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.5 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.5 ttl 128
TCP open ssh[ 22] from 192.168.1.6 ttl 64
TCP open epmap[ 135] from 192.168.1.10 ttl 128
TCP open netbios-ssn[ 139] from 192.168.1.10 ttl 128
TCP open https[ 443] from 192.168.1.10 ttl 128
TCP open microsoft-ds[ 445] from 192.168.1.10 ttl 128

• Its scan all the TCP open ports on the target.

connected 192.168.1.12:34682 -> 192.168.1.10:139
 TCP open 192.168.1.10:139  ttl 128

• Its also scan the TCP open ports and shows the services with ports
• Sender statistics 177.8 pps with 86528 packets sent total
• For scanning its uses the local network card as shown below.

using interface(s) eth0