Aggressive Website Technology Discovering on IP Range

In the previous article we saw how to run a basic stealth scan against a single website. Another thing WhatWeb can do, besides testing one website, is test a whole range of IP addresses at once.


So if I open up my terminal, type whatweb --help once again to list all of the available options, and scroll all the way up, then under the target selection section we can see that we can specify hostnames and IP addresses, but also IP ranges, either in CIDR form (192.168.1.0/24) or with a dash in the last octet (192.168.1.0-255).


Now, to test this out, I'm going to scan my entire home network. To find out which range of IP addresses my home network covers, I can type ifconfig, or rather sudo ifconfig, since it requires root privileges. Press Enter and enter the password.

We can see that my IP address is 192.168.1.4, and what matters more than the IP address here is the netmask, which is 255.255.255.0.

A subnet mask of 255.255.255.0 means that only the last octet of the address (the last number) varies across my network; the first three octets are the same for every device on it.

This also means that the IP addresses belonging to my network range from 192.168.1.0 to 192.168.1.255. That is the range of my home network, so let me scan it for you.
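Rather than reading the range off by eye, it can be computed from the address and netmask that ifconfig printed. The following is an added example (not code from the lesson or from WhatWeb): it converts an address and mask into the two range formats that WhatWeb's help lists, CIDR and x.x.x.x-x.x.x.x, and works for masks other than 255.255.255.0 as well. The addresses and masks below are constructed, and scan_subnet assumes whatweb is on the PATH; it only runs when you call it.

```shell
#!/bin/sh
# Added example: derive a WhatWeb range argument from an address and netmask.
# Values used here are constructed; nothing is scanned unless scan_subnet is called.

# Dotted quad -> 32-bit integer (subshell so IFS is not changed globally).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length by counting set bits (255.255.255.0 -> 24).
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# Network address: ip AND mask. Broadcast: network OR the inverted mask.
network_of()   { echo $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }
broadcast_of() { echo $(( $(network_of "$1" "$2") | (4294967295 - $(ip_to_int "$2")) )); }

# CIDR form, e.g. 192.168.1.4 255.255.255.0 -> 192.168.1.0/24
whatweb_cidr() {
    echo "$(int_to_ip "$(network_of "$1" "$2")")/$(mask_to_prefix "$2")"
}

# Explicit form, e.g. 192.168.1.4 255.255.255.0 -> 192.168.1.0-192.168.1.255
whatweb_range() {
    echo "$(int_to_ip "$(network_of "$1" "$2")")-$(int_to_ip "$(broadcast_of "$1" "$2")")"
}

# Scan the subnet the given address sits in; extra arguments are passed on
# to whatweb unchanged. Only use this on a network you own or may test.
# Usage: scan_subnet 192.168.1.4 255.255.255.0 --aggression 3 -v
scan_subnet() {
    ip=$1; mask=$2; shift 2
    whatweb "$(whatweb_cidr "$ip" "$mask")" "$@"
}
```

The CIDR form is the one to prefer, since the dash-in-the-last-octet form only describes a /24; for a /16 home or lab network the CIDR or x.x.x.x-x.x.x.x string is what you need.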

It may be different depending on what kind of network you have, but in most home networks the subnet mask is 255.255.255.0, so only the last octet changes for you as well. Now, before I actually run the scan: I don't host any websites on my home network, but I do have a few devices running something on port 80, and port 80 is the default port web servers listen on, so we should still get some results from scanning my network. Let me delete this and type whatweb,

and then the range for my whole network, 192.168.1.0-255. This is the range of IP addresses I want to scan, and all of them belong to my home network. The good thing here is that I can use whichever aggression level I want, since it is my own network.

Let's test out aggression level 3. To do that we add --aggression 3, and after it the -v option for verbose output, and press Enter. You will notice we are getting some results, but there is also a lot of red error text on the screen. Let me press Ctrl+C, since we're not going to wait for this to finish.

These errors are all the hosts it tried to scan but couldn't reach, and the reason it couldn't reach them is that they don't exist: I currently only have around two or three devices on my home network, and all the other addresses are unused. Let me scroll up to see what it did find. It found a result for 192.168.1.1, which is my router.

We can see all of the plugins it managed to detect for my router. One interesting one is PasswordField, which tells us the page contains a password input, i.e. a login form. That is something we would write down, since a login form is exactly what we would target later on with something like a brute-force attack to guess the login credentials.

But this is just a router, so we're not really interested in it at the moment; it is only an example of what a result looks like, and since I don't host any website on my home network it didn't give many results. Here is another active IP address, 192.168.1.10, which is my laptop, currently up and running.

It detected an HTTP server on it, but got a 403 Forbidden status code, so it was not allowed to view that page. That is as much information as it managed to get, and all the other addresses down here are simply offline.

If you don't want this error text in the output, you can run the same command and add --no-errors at the end. What --no-errors does is simply not print these offline IP addresses. Let's test it out. If I run the same command with --no-errors, you will see we no longer get any red text; it only reports the two live IP addresses, my home router and my laptop, and that is everything it outputs. It took only a few seconds to finish, but keep in mind that with aggression level 3 a scan takes a bit longer than with level 1, since it performs a deeper scan than the level 1 stealthy scan. So in this command we used aggression level 3, -v to output all detected plugins along with their descriptions,

and --no-errors to hide the offline IP addresses. But what if we wanted to save this output to a file for future reference? Well, if I type whatweb --help

and go through the help once again, I get to the logging section. Here we can see several options for saving the output to a file, so let's just go with the first one, or we can even use the second one, which logs the verbose output. To do that we use that option, then an equals sign, then the file name we want to save to.

Another useful command: once you have a lot of text printed in your terminal, you can run clear to wipe the terminal and get a much cleaner view.

Now I press the up arrow to find the command we ran previously, and at the end I add --log-verbose= followed by a file name, for example results.

If I press Enter now, you will notice that besides printing the output to the terminal, it also saves it inside the file. Let's wait for this to finish and then check the file we got.

OK, it finished. Let's clear the screen once again, and if we type ls we will see our results file. Let's open the file to see what got saved, and we will see our results for both IP addresses, my laptop and my router.
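Once the scan is saved to a file, the next step is usually to pull the live hosts, their status codes and the plugins you care about (such as PasswordField) out of it without re-reading the whole thing. The following is an added example, not code from the lesson or from WhatWeb: it works on WhatWeb's brief, one-line-per-target format, which is what the terminal shows and what --log-brief=FILE writes (the --log-verbose file used above has a different multi-line layout that this parser does not handle). The ERROR lines it discards are the same offline hosts that --no-errors suppresses at scan time. The sample lines are constructed in that format, not real scan output.

```shell
#!/bin/sh
# Added example: extract live hosts, status codes and plugin values from
# WhatWeb brief output. SAMPLE is constructed in the brief format:
#   URL [status text] Plugin[value], Plugin[value], ...
#   ERROR Opening: URL - reason
SAMPLE='http://192.168.1.1 [200 OK] Country[RESERVED][ZZ], HTTPServer[lighttpd/1.4.35], IP[192.168.1.1], PasswordField[password], Title[Router Login]
ERROR Opening: http://192.168.1.2 - Connection refused - connect(2)
http://192.168.1.10 [403 Forbidden] Country[RESERVED][ZZ], HTTPServer[Apache], IP[192.168.1.10], Title[403 Forbidden]
ERROR Opening: http://192.168.1.3 - No route to host - connect(2)'

# Live targets only: drop the ERROR lines (what --no-errors does at scan
# time) and print the URL that starts each remaining line.
live_hosts() {
    printf '%s\n' "$1" | grep -v '^ERROR' | awk '{ print $1 }'
}

# HTTP status code reported for one URL, e.g. 403 for a forbidden page.
host_status() {
    printf '%s\n' "$1" | awk -v url="$2" '$1 == url { sub(/^\[/, "", $2); print $2 }'
}

# Targets on which a given plugin fired, e.g. PasswordField for a login form.
hosts_with_plugin() {
    printf '%s\n' "$1" | grep -v '^ERROR' | grep -F "$2[" | awk '{ print $1 }'
}

# Value a plugin reported for one URL, e.g. the HTTPServer banner.
plugin_value() {
    printf '%s\n' "$1" | awk -v url="$2" '$1 == url' \
        | sed -n "s/.*$3\[\([^]]*\)].*/\1/p"
}

# Usage against a saved brief log (assumes it was written with --log-brief=results):
#   hosts_with_plugin "$(cat results)" PasswordField
#   plugin_value "$(cat results)" http://192.168.1.1 HTTPServer
```

Keeping the raw log and querying it this way means you can re-scan with --no-errors for a cleaner screen but still keep the error lines on disk, which is useful later when you want to know which addresses were checked and found dead rather than skipped.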

Now for your own scan: if you scan your whole network you will probably have more devices, or fewer, or you might not get any result at all if none of your devices has port 80 open or runs an HTTP server. So don't worry if you didn't get any device.

This is just an example to show that we can run WhatWeb against ranges of IP addresses, and to try out aggression level 3, which we can only do on websites that we own or have permission to scan.

OK, great. Look at all the options we combined in the commands we crafted. This is only a part of what WhatWeb offers, and you don't need to memorize all of these commands; you can always run the --help command and read through its help menu to discover what you want to run. We won't go through all of the options here, since there are too many of them, but I encourage you to play with it a little and see if it has any other interesting options.

Great. In the next video we're going to see how we can harvest, or gather, as many emails as possible from just knowing a domain. See you there.
