Reconnaissance is the phase of an attack where a red team or hacker designs a strategy based on the information they can learn about the target, as well as what the available attack surface looks like. These scans can take time to discover relationships, but Raccoon OSINT scanner coordinates multiple automated scans to produce invasively detailed reports on a target with a single command.
Data about a website like the software powering it, URL registration information, and network information such as associated IP addresses are critical for a hacker to identify which attack might be the most effective. Rather than running separate scans to gather this information, Raccoon scanner forages for available information on targeted domains with a single command.
Domain OSINT Really Fast
While using scanners like Nmap are typical for recon, the ability to discern relationships are often better left for tools like Maltego. In general, Maltego is an excellent tool for discovering relationships and digging deep, but with the Classic edition coming at a substantial price tag, not everyone has access to everything Maltego offers. The community edition comes with restrictions on how many results are returned, making it not always the ideal choice for recon.
On the flip side, Nmap can be better for learning about what ports are open or what types of services are running, allowing you to quickly discern what kind of setup might be running on the other end of a connection. Besides Nmap, there are a large number of different scanners that can be used to gather OSINT information on a target autonomously. In fact, Sn1per is another tool for recon automation that also takes the step of doing vulnerability testing.
What You'll Need
To get started, you'll need to have Kali Linux installed and fully updated (apt update). Also, I found that the installation instructions included in GitHub for Raccoon Scanner didn't work on my Kali system; Because they used Python pip, I used pip3 to install Racoon scanner instead, which worked fine. If you don't have pip3 installed, you can do so with the following apt install command.
apt update
apt install python3-pipStep 1: Install Raccoon Scanner
To install Raccoon scanner, you can simply type the following command.
pip3 install raccoon_scannerIf this doesn't work, you can also try installing it manually from the tool's GitHub page using the usual git clone method.
Step 2: View Options & Filters
To get started, you can type raccoon --help to see a list of all of the available filters. Since Priceline left me stranded in the hot Nevada desert yesterday, I wanted to use Priceline.com as a test, but after one scan, we found their website blocked our IP address for a week. Be aware Raccoon scanner can trigger this kind of defensive behavior! Because of priceline.com's reaction, we'll be using pbs.org instead.
We can indicate the target we want to use by typing a -t before the website we want to search for.
Usage: raccoon [OPTIONS]
Options:
--version Show the version and exit.
-t, --target TEXT Target to scan [required]
-d, --dns-records TEXT Comma separated DNS records to query.
Defaults to: A,MX,NS,CNAME,SOA,TXT
--tor-routing Route HTTP traffic through Tor (uses port
9050). Slows total runtime significantly
--proxy-list TEXT Path to proxy list file that would be used
for routing HTTP traffic. A proxy from the
list will be chosen at random for each
request. Slows total runtime
-c, --cookies TEXT Comma separated cookies to add to the
requests. Should be in the form of key:value
Example: PHPSESSID:12345,isMobile:false
--proxy TEXT Proxy address to route HTTP traffic through.
Slows total runtime
-w, --wordlist TEXT Path to wordlist that would be used for URL
fuzzing
-T, --threads INTEGER Number of threads to use for URL
Fuzzing/Subdomain enumeration. Default: 25
--ignored-response-codes TEXT Comma separated list of HTTP status code to
ignore for fuzzing. Defaults to:
302,400,401,402,403,404,503,504
--subdomain-list TEXT Path to subdomain list file that would be
used for enumeration
-sc, --scripts Run Nmap scan with -sC flag
-sv, --services Run Nmap scan with -sV flag
-f, --full-scan Run Nmap scan with both -sV and -sC
-p, --port TEXT Use this port range for Nmap scan instead of
the default
-fr, --follow-redirects Follow redirects when fuzzing. Default: False
(will not follow redirects)
--tls-port INTEGER Use this port for TLS queries. Default: 443
--skip-health-check Do not test for target host availability
--no-url-fuzzing Do not fuzz URLs
--no-sub-enum Do not bruteforce subdomains
--skip-nmap-scan Do not perform an Nmap scan
-q, --quiet Do not output to stdout
-o, --outdir TEXT Directory destination for scan output
--help Show this message and exit.If you want to have an increased buffer between you and your target, you can start a Tor service so that all of the scans against your target occur through a Tor relay. To do so, type tor in another terminal window to start a new Tor session, and then type --tor-routing after your target to indicate that Raccoon should connect through Tor.
root@nullbyte:~# raccoon -t priceline.com --tor-routing
_____ _____ _____ ____ ____ _ _
| __ \ /\ / ____| / ____| / __ \ / __ \ | \ | |
| |__) | / \ | | | | | | | | | | | | | \| |
| _ / / /\ \ | | | | | | | | | | | | | . ' |
| | \ \ / ____ \ | |____ | |____ | |__| | | |__| | | |\ |
|_| \_\ /_/ \_\ \_____| \_____| \____/ \____/ |_| \_|
4841434b544845504c414e4554
https://github.com/evyatarmeged/Raccoon
----------------------------------------------------------------------------
[!] Testing that Tor service is up...
[!] Validated Tor service is up. Routing traffic anonymously.
### Raccoon Scan Started ###
[#] Trying to gather information about host: priceline.com
[!] Found priceline.com to be a naked domain
[v] Writing DNS query results
[#] Setting Nmap scan to run in the background
[#] Nmap script to run: nmap -Pn priceline.com
[v] Nmap scan startedIt's worth pointing out that Tor exit notes are notoriously "dirty," meaning malicious traffic is regularly detected coming from them. Many websites will outright block traffic from Tor because they know it has a high likelihood of being malicious, leading to the scanner being unable to retrieve any results.
- Don't Miss: Scrape Target Email Addresses with TheHarvester
Step 3: Select & Scan a Target Domain
We'll do a scan on pbs.org using a Tor proxy. One thing to note is that, due to abuse, many domains blacklist Tor-based IP addresses, which means using a Tor relay may produce fewer results than using a non-"dirty" IP address. Because Tor can be used by anyone, many website operators treat Tor traffic as inherently suspicious.
To begin our scan, we can type the following.
raccoon -t pbs.org --tor-relayThis scan will run for a long time, depending on the size of the target surface area. If you are using the --tor-relay flag, this will also increase time. If you find it running too slow and don't care that the target is being scanned by your IP address, you can also do this step without the Tor relay and use a VPN or proxy.
Step 4: Navigate to the Results & Read Reports
Once the scan is complete, a folder will be created to hold the results of the scan. To find these, type the following into a terminal window to change (cd) into the root, then the scan results, then list (ls) them.
cd
cd Raccoon_scan_results
lsNow, you should see a list of every website you've run a report against. To proceed, we'll type cd pbs.org because that is the last scan we ran. Finally, we can type ls to see all of the text files available in the report. To open these, we'll use nano.
root@nullbyte:~# ls
airgeddon Documents modwifi Pictures Raccoon Templates
Desktop Downloads Music Public Racoon_scan_results 'respero.pca'
root@nullbyte:~# cd Raccoon_scan_results
root@nullbyte:~# ls
pbs.org
root@nullbyte:~/Raccoon_scan_results# cd pbs.org
root@nullbyte:~/Raccoon_scan_results/pbs.org# ls
dns_mapping.png nmap_scan.txt subdomain_fuzz.txt tls_report.txt WAF.txt
dns_records.txt robots.txt subdomains.txt url_fuzz.txt web_scan.txt
root@nullbyte:~/Raccoon_scan_results/pbs.org#Step 5: Interpret the Scan Reports
To start interpreting the results, we can begin by opening the results of the Nmap scan with nano nmap_scan.txt. With it, we can see the IP address of pbs.org, as well as all of the ports discovered. We can close this window by typing Ctrl-X.
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 02:10 PDT
Nmap scan report for pbs.org (54.225.206.152)
Host is up (0.096s latency).
Other addresses for pbs.org (not scanned): 54.225.198.196
rDNS record for 54.225.206.152: ec2-54-225-206-152.compute-1.amazonaws.com
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 9.04 secondsHere, we see that the IP address for pbs.org is 54.225.206.152 and has the expected ports 80 and 443 open to serve web traffic. We can also see a "compute-1.amazonaws.com" address under the rDNS record, giving us initial clues about the service provider used.
- Don't Miss: Use SpiderFoot for OSINT Gathering
Next, we can see a list of subdomains we've discovered beneath the main domain by typing nano subdomains.txt." This list can be used to further identification of vulnerabilities by feeding the results of a vulnerability scanner like Nikto.
[1;34m[#][0;0m Enumerating Subdomains
[93m[!][0;0m Trying to find Subdomains in SANs list
[1;32m[v][0;0m Subdomain detected: ops.pbs.org
[1;32m[v][0;0m Subdomain detected: sentry.pbs.org
[1;32m[v][0;0m Subdomain detected: www-cache.pbs.org
[1;32m[v][0;0m Subdomain detected: jaws.pbs.org
[1;32m[v][0;0m Subdomain detected: video.pbs.org
[1;32m[v][0;0m Subdomain detected: image.pbs.org
[1;32m[v][0;0m Subdomain detected: player.pbs.org
[1;32m[v][0;0m Subdomain detected: login.pbs.org
[1;32m[v][0;0m Subdomain detected: admin.pbs.org
[1;32m[v][0;0m Subdomain detected: teacherline.pbs.org
[1;32m[v][0;0m Subdomain detected: git.pbs.org
[1;32m[v][0;0m Subdomain detected: dipsy-tc.pbs.org
[1;32m[v][0;0m Subdomain detected: koth-qa.svp.pbs.org
[1;32m[v][0;0m Subdomain detected: heart.ops.pbs.org
[1;32m[v][0;0m Subdomain detected: account.pbs.org
[1;32m[v][0;0m Subdomain detected: weta-qa.svp.pbs.org
[1;32m[v][0;0m Subdomain detected: wnet.video-qa.pbs.org
[1;32m[v][0;0m Subdomain detected: www.pbs.org
[1;32m[v][0;0m Subdomain detected: wnet.video-staging.pbs.org
[1;32m[v][0;0m Subdomain detected: docs.pbs.org
[1;32m[v][0;0m Subdomain detected: projects.pbs.org
[1;32m[v][0;0m Subdomain detected: whut-qa.svp.pbs.org
[1;32m[v][0;0m Subdomain detected: ga.video.cdn.pbs.org
[1;32m[v][0;0m Subdomain detected: kids.pbs.org
[1;32m[v][0;0m Subdomain detected: urs.pbs.org
[93m[!][0;0m Trying to discover subdomains in Google
[1;32m[v][0;0m Detected subdomain through Google dorking: shop.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Labto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: to.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: LearningMediato.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Timeto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Playto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: YouTubeto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Podcaststo.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Mediumto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: KIDSto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Mediato.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: PBSKidsto.pbs.org
[93m[!][0;0m Trying to extract subdomains from DNS dumpster
[1;31m[x][0;0m Failed to query DNS dumpster for subdomains
[93m[!][0;0m Bruteforcing subdomains
[1;34m[#][0;0m Done enumerating Subdomains
[1;34m[#][0;0m Enumerating Subdomains
[93m[!][0;0m Trying to find Subdomains in SANs list
[1;32m[v][0;0m Subdomain detected: git.pbs.org
[1;32m[v][0;0m Subdomain detected: login.pbs.org
[1;32m[v][0;0m Subdomain detected: projects.pbs.org
[1;32m[v][0;0m Subdomain detected: ga.video.cdn.pbs.org
[1;32m[v][0;0m Subdomain detected: dipsy-tc.pbs.org
[1;32m[v][0;0m Subdomain detected: whut-qa.svp.pbs.org
[1;32m[v][0;0m Subdomain detected: heart.ops.pbs.org
[1;32m[v][0;0m Subdomain detected: player.pbs.org
[1;32m[v][0;0m Subdomain detected: jaws.pbs.org
[1;32m[v][0;0m Subdomain detected: kids.pbs.org
[1;32m[v][0;0m Subdomain detected: account.pbs.org
[1;32m[v][0;0m Subdomain detected: teacherline.pbs.org
[1;32m[v][0;0m Subdomain detected: www-cache.pbs.org
[1;32m[v][0;0m Subdomain detected: image.pbs.org
[1;32m[v][0;0m Subdomain detected: admin.pbs.org
[1;32m[v][0;0m Subdomain detected: koth-qa.svp.pbs.org
[1;32m[v][0;0m Subdomain detected: urs.pbs.org
[1;32m[v][0;0m Subdomain detected: ops.pbs.org
[1;32m[v][0;0m Subdomain detected: wnet.video-staging.pbs.org
[1;32m[v][0;0m Subdomain detected: weta-qa.svp.pbs.org
[1;32m[v][0;0m Subdomain detected: sentry.pbs.org
[1;32m[v][0;0m Subdomain detected: video.pbs.org
[1;32m[v][0;0m Subdomain detected: wnet.video-qa.pbs.org
[1;32m[v][0;0m Subdomain detected: www.pbs.org
[1;32m[v][0;0m Subdomain detected: docs.pbs.org
[93m[!][0;0m Trying to discover subdomains in Google
[1;32m[v][0;0m Detected subdomain through Google dorking: KIDSto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: PBSKidsto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Playto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Avenueto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Initiativeto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: shop.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: Rewireto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: YouTubeto.pbs.org
[1;32m[v][0;0m Detected subdomain through Google dorking: to.pbs.org
[93m[!][0;0m Trying to extract subdomains from DNS dumpster
[1;32m[v][0;0m Found subdomain in DNS dumpster: dam-qa.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: fc.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: sentry-poc.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: dam-v6poc.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: source.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: ocsedge.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: stationexchange.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: people.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: webportal.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: dam.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: itdrvpn.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: remoteapp.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: soup.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: images.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: shares.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: adfs.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: clips.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: creativelabrequest.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: tableau.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: dam-dev.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: 3770-anlz01.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: 3770-anlz02.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: 3770-anlz03.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: 3770-anlz04.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mediasoc.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: audio.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mail.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: autodiscover.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: backup.vpn.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: bvweb.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: dam1-ext.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: dam2-ext.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: dns2.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: dns4.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: drlist.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: drmail.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: ed-dev.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: r53-vip.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: open.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: r53-api-vip.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: teacherline.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: www.teacherline.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: search.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: newshour.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: producers.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: misc-redirect.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: edsearch.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: excl.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: ntbvpn.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: freshdesk2smartbear.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: ftp2.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: itdr.vpn.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: listserv.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mail.public.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mxgw1.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mxgw2.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mxout.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: ntb.vpn.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mft-v6poc.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: orion.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: pbsftp.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: primary.vpn.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: pss.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: scand01.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: techops.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: sip.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: ildbcl3.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: pbsvideodb.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mft.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: smtp1.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: smtp2.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: stageftp.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: stwebservices.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: tlcftest.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: tllinux2.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: mobile.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: tlreal.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: videoindex.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: producersworkshop.pbs.org
[1;32m[v][0;0m Found subdomain in DNS dumpster: webftp2.pbs.org
[93m[!][0;0m Bruteforcing subdomains
[1;34m[#][0;0m Done enumerating SubdomainsNext, we can take a look at the results from attempting to brute-force common subdomains with Raccoon's built-in wordlist, saved under "subdomain_fuzz.txt." If the website uses wildcards, we're likely to see a false positive for every attempt from the wordlist. Here, we see a limited response, indicating these are likely valid domains.
[1;34m[#][0;0m Reading from list: /usr/local/lib/python3.6/dist-packages/raccoon_src/wordlists/subdomains
[1;34m[301][0;0m http://beta.pbs.org redirects to https://beta.pbs.org/
[1;34m[301][0;0m http://WWW.pbs.org redirects to https://www.pbs.org/
[1;34m[301][0;0m http://blogs.pbs.org redirects to http://www.pbs.org
[1;32m[200][0;0m http://admin.pbs.org
[1;32m[200][0;0m http://webdisk.video.pbs.org
[1;31m[405][0;0m http://sentry.pbs.org
[1;34m[301][0;0m http://development.pbs.org redirects to http://www.pbs.org/development/
[1;32m[200][0;0m http://services.pbs.org
[1;34m[301][0;0m http://kids.pbs.org redirects to http://pbskids.org/
[1;34m[301][0;0m http://shop.pbs.org redirects to https://shop.pbs.org/
[1;34m[301][0;0m http://api.pbs.org redirects to http://api.pbs.org/admin/
[1;32m[200][0;0m http://autodiscover.video.pbs.org
[1;32m[200][0;0m http://log.pbs.org
[1;34m[301][0;0m http://chrome.pbs.org redirects to http://jaws.pbs.org/
[1;34m[301][0;0m http://merlin.pbs.org redirects to http://merlin.pbs.org/django-admin/
[1;34m[301][0;0m http://login.pbs.org redirects to https://account.pbs.org/
[1;34m[301][0;0m http://www.shop.pbs.org redirects to https://shop.pbs.org/
[1;32m[200][0;0m http://autoconfig.video.pbs.org
[1;34m[301][0;0m http://open.pbs.org redirects to https://open.pbs.org/
[1;32m[200][0;0m http://dev.pbs.org
[1;34m[301][0;0m http://search.pbs.org redirects to http://www.pbs.org/search/
[1;34m[301][0;0m http://cgi.pbs.org redirects to http://www.pbs.org/
[1;32m[200][0;0m http://ops.pbs.org
[1;34m[301][0;0m http://qa.pbs.org redirects to https://qa.pbs.org/
[1;34m[301][0;0m http://account.pbs.org redirects to https://account.pbs.org/
[1;34m[301][0;0m http://www.video.pbs.org redirects to http://video.pbs.org/
[1;34m[301][0;0m http://sales.pbs.org redirects to http://www.pbs.org/development/category/corporatesupport/
[1;34m[301][0;0m http://video.pbs.org redirects to http://www.pbs.org/video/
[1;34m[#][0;0m Reading from list: /usr/local/lib/python3.6/dist-packages/raccoon_src/wordlists/subdomains
[1;34m[301][0;0m http://beta.pbs.org redirects to https://beta.pbs.org/
[1;34m[301][0;0m http://api.pbs.org redirects to http://api.pbs.org/admin/
[1;34m[301][0;0m http://WWW.pbs.org redirects to https://www.pbs.org/
[1;32m[200][0;0m http://dev.pbs.org
[1;34m[301][0;0m http://account.pbs.org redirects to https://account.pbs.org/
[1;34m[301][0;0m http://video.pbs.org redirects to http://www.pbs.org/video/
[1;32m[200][0;0m http://ops.pbs.org
[1;32m[200][0;0m http://admin.pbs.org
[1;34m[301][0;0m http://search.pbs.org redirects to http://www.pbs.org/search/
[1;31m[405][0;0m http://sentry.pbs.org
[1;34m[301][0;0m http://cgi.pbs.org redirects to http://www.pbs.org/
[1;32m[200][0;0m http://services.pbs.org
[1;32m[200][0;0m http://autoconfig.video.pbs.org
[1;34m[301][0;0m http://open.pbs.org redirects to https://open.pbs.org/
[1;34m[301][0;0m http://qa.pbs.org redirects to https://qa.pbs.org/
[1;32m[200][0;0m http://log.pbs.org
[1;34m[301][0;0m http://shop.pbs.org redirects to https://shop.pbs.org/
[1;34m[301][0;0m http://login.pbs.org redirects to https://account.pbs.org/
[1;34m[301][0;0m http://www.video.pbs.org redirects to http://video.pbs.org/
[1;34m[301][0;0m http://www.shop.pbs.org redirects to https://shop.pbs.org/
[1;32m[200][0;0m http://webdisk.video.pbs.org
[1;34m[301][0;0m http://blogs.pbs.org redirects to http://www.pbs.org
[1;34m[301][0;0m http://chrome.pbs.org redirects to http://jaws.pbs.org/
[1;34m[301][0;0m http://development.pbs.org redirects to http://www.pbs.org/development/
[1;34m[301][0;0m http://sales.pbs.org redirects to http://www.pbs.org/development/category/corporatesupport/
[1;34m[301][0;0m http://kids.pbs.org redirects to http://pbskids.org/
[1;34m[301][0;0m http://merlin.pbs.org redirects to http://merlin.pbs.org/django-admin/
[1;32m[200][0;0m http://autodiscover.video.pbs.orgNext, we can examine the way the website encrypts its traffic by opening the "tls_report.txt" file.
[1;34m[#][0;0m Started collecting TLS data for pbs.org
[1;34m[#][0;0m Done collecting TLS data
[1;32m[v][0;0m Supported Ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - [1;31mWEAK[0;0m
| compressors:
| NULL
| cipher preference: server
| warnings:
[1;31m| 64-bit block cipher 3DES vulnerable to SWEET32 attack[0;0m
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - [1;31mWEAK[0;0m
| compressors:
| NULL
| cipher preference: server
| warnings:
[1;31m| 64-bit block cipher 3DES vulnerable to SWEET32 attack[0;0m
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - [1;31mWEAK[0;0m
| compressors:
| NULL
| cipher preference: server
| warnings:
[1;31m| 64-bit block cipher 3DES vulnerable to SWEET32 attack[0;0m
|_ least strength: C
--------------------------------------------------------------------------------
SNI Data:
TLSv1: True
TLSv1.1: True
TLSv1.2: True
SANs:
---------------
ops.pbs.org
sentry.pbs.org
www-cache.pbs.org
jaws.pbs.org
video.pbs.org
image.pbs.org
player.pbs.org
login.pbs.org
pbs.org
admin.pbs.org
teacherline.pbs.org
git.pbs.org
dipsy-tc.pbs.org
koth-qa.svp.pbs.org
heart.ops.pbs.org
account.pbs.org
weta-qa.svp.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
wnet.video-staging.pbs.org
docs.pbs.org
projects.pbs.org
whut-qa.svp.pbs.org
ga.video.cdn.pbs.org
kids.pbs.org
urs.pbs.org
---------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:f2:63:93:70:71:b1:fd:40:cc:f7:e9:dc:c3:b2:30:11:97
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Jul 5 08:31:20 2018 GMT
Not After : Oct 3 08:31:20 2018 GMT
Subject: CN = www.pbs.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:f6:7a:b6:8e:5c:da:54:50:bd:e5:d2:d7:de:
b8:a0:fb:4f:c1:61:71:85:b0:1d:8c:5b:f8:51:59:
4d:da:62:c3:bc:48:47:49:6d:72:f2:11:eb:cb:f3:
6a:de:fe:fe:e4:59:56:e2:1e:07:91:17:33:b4:38:
11:b0:47:9d:32:a0:f1:bf:2d:5e:49:b6:77:16:e2:
17:78:6e:87:7a:3a:8d:d3:d7:b8:0b:34:5a:1f:28:
27:f9:66:f3:11:0f:b1:c1:24:d1:57:f2:28:e5:76:
c6:cb:fe:87:b3:45:45:ee:e5:28:56:d1:52:80:d2:
98:3b:4a:3e:ec:bc:ab:4b:9c:cc:e7:9d:9b:73:19:
92:4c:16:b1:18:99:64:18:b1:22:eb:fa:15:09:aa:
7a:6d:d1:43:c3:fe:50:e8:d5:af:a0:09:57:01:08:
4c:d2:3d:ee:75:a1:ee:12:d2:72:c9:51:40:26:cd:
25:78:f6:eb:c9:6a:7f:da:9f:e5:a8:09:a5:3a:a8:
9e:2d:57:d5:56:9d:80:c7:e4:91:82:69:c2:4a:de:
58:2c:e8:a0:6e:3f:24:a5:74:41:94:a2:b1:47:13:
16:0e:40:02:30:7f:e7:23:1d:60:f2:c2:6f:8b:18:
b2:e0:d5:68:fe:e1:92:3a:24:1e:bb:94:59:40:f3:
6c:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
76:AD:A5:A1:7C:26:43:2E:5B:91:7F:42:72:21:FE:3C:FA:4F:48:3A
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
Timestamp : Jul 5 09:31:20.892 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:B9:61:FB:EC:BB:91:DA:DD:F3:F0:48:
D4:61:B8:CB:09:A0:7F:20:6C:B7:1F:13:7B:EE:11:5C:
4F:CF:0E:6B:63:02:21:00:EC:C2:21:16:6E:90:E0:DA:
FC:02:9A:FC:5A:3A:D0:92:38:8B:83:39:83:1D:3B:A9:
FE:58:06:2C:4D:BF:74:3B
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Jul 5 09:31:20.909 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:A0:6B:4C:3D:0C:E3:35:B3:71:E1:E5:
F2:70:89:7D:CD:A4:BA:F7:16:12:48:C5:A9:E7:DA:3A:
EB:B3:E2:BB:46:02:21:00:95:29:A4:22:F5:A3:B0:66:
C7:1A:71:1C:F9:95:6A:69:85:56:8B:08:E1:C8:3C:E7:
3B:23:1D:A2:D4:5B:F3:0C
Signature Algorithm: sha256WithRSAEncryption
4f:ea:24:2f:7f:a9:a9:30:98:c4:61:b9:a2:eb:d3:93:87:43:
9d:b8:63:0a:2b:5a:cd:a4:cc:48:aa:c1:8d:35:2c:7c:8a:32:
9f:0b:f6:6f:d3:40:ab:d6:ae:df:d2:11:d5:ee:14:4f:43:64:
9d:f6:dd:77:7f:cb:39:a4:0a:db:d6:73:a5:c1:05:4c:d2:ac:
93:ea:61:ed:ac:12:19:2d:a2:20:0b:c9:8e:dc:9f:cb:f4:c8:
fd:d6:66:be:44:c4:16:ff:c8:c9:e0:0c:d6:8d:e2:13:58:24:
9b:c8:51:c7:a0:33:41:3b:32:3d:4e:29:08:84:6e:42:d5:63:
56:ba:a7:35:89:8c:2c:6c:5c:bf:8d:75:38:3b:f4:1a:cc:3d:
2d:b8:d9:07:b5:39:78:06:4e:d3:c2:1b:45:15:e4:ff:3d:50:
2e:74:0d:c4:df:2c:19:24:04:96:21:46:98:61:47:9d:eb:a1:
55:a7:c5:72:41:0b:40:f3:80:2e:17:98:27:b6:5a:58:cf:ae:
e2:d5:95:2f:b6:a9:15:7b:51:48:33:e4:a3:f2:60:3a:80:eb:
62:08:5c:08:c7:2d:9c:a2:d8:e9:3c:e4:d6:9a:f9:ae:c1:1a:
d1:d4:ec:fe:1f:8f:2e:24:cc:4e:76:26:96:22:28:9c:e5:a0:
39:73:15:de
--------------------------------------------------------------------------------
non-SNI Data:
TLSv1: True
TLSv1.1: True
TLSv1.2: True
SANs:
---------------
ops.pbs.org
sentry.pbs.org
www-cache.pbs.org
jaws.pbs.org
video.pbs.org
image.pbs.org
player.pbs.org
login.pbs.org
pbs.org
admin.pbs.org
teacherline.pbs.org
git.pbs.org
dipsy-tc.pbs.org
koth-qa.svp.pbs.org
heart.ops.pbs.org
account.pbs.org
weta-qa.svp.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
wnet.video-staging.pbs.org
docs.pbs.org
projects.pbs.org
whut-qa.svp.pbs.org
ga.video.cdn.pbs.org
kids.pbs.org
urs.pbs.org
---------------
Same as SNI Certificate
[1;34m[#][0;0m Started collecting TLS data for pbs.org
[1;34m[#][0;0m Done collecting TLS data
[1;32m[v][0;0m Supported Ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - [1;31mWEAK[0;0m
| compressors:
| NULL
| cipher preference: server
| warnings:
[1;31m| 64-bit block cipher 3DES vulnerable to SWEET32 attack[0;0m
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - [1;31mWEAK[0;0m
| compressors:
| NULL
| cipher preference: server
| warnings:
[1;31m| 64-bit block cipher 3DES vulnerable to SWEET32 attack[0;0m
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C - [1;31mWEAK[0;0m
| compressors:
| NULL
| cipher preference: server
| warnings:
[1;31m| 64-bit block cipher 3DES vulnerable to SWEET32 attack[0;0m
|_ least strength: C
--------------------------------------------------------------------------------
SNI Data:
TLSv1: True
TLSv1.1: True
TLSv1.2: True
SANs:
---------------
git.pbs.org
login.pbs.org
projects.pbs.org
ga.video.cdn.pbs.org
dipsy-tc.pbs.org
whut-qa.svp.pbs.org
heart.ops.pbs.org
player.pbs.org
jaws.pbs.org
kids.pbs.org
account.pbs.org
teacherline.pbs.org
www-cache.pbs.org
image.pbs.org
admin.pbs.org
koth-qa.svp.pbs.org
urs.pbs.org
ops.pbs.org
wnet.video-staging.pbs.org
weta-qa.svp.pbs.org
sentry.pbs.org
video.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
docs.pbs.org
pbs.org
---------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:f2:63:93:70:71:b1:fd:40:cc:f7:e9:dc:c3:b2:30:11:97
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Jul 5 08:31:20 2018 GMT
Not After : Oct 3 08:31:20 2018 GMT
Subject: CN = www.pbs.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:f6:7a:b6:8e:5c:da:54:50:bd:e5:d2:d7:de:
b8:a0:fb:4f:c1:61:71:85:b0:1d:8c:5b:f8:51:59:
4d:da:62:c3:bc:48:47:49:6d:72:f2:11:eb:cb:f3:
6a:de:fe:fe:e4:59:56:e2:1e:07:91:17:33:b4:38:
11:b0:47:9d:32:a0:f1:bf:2d:5e:49:b6:77:16:e2:
17:78:6e:87:7a:3a:8d:d3:d7:b8:0b:34:5a:1f:28:
27:f9:66:f3:11:0f:b1:c1:24:d1:57:f2:28:e5:76:
c6:cb:fe:87:b3:45:45:ee:e5:28:56:d1:52:80:d2:
98:3b:4a:3e:ec:bc:ab:4b:9c:cc:e7:9d:9b:73:19:
92:4c:16:b1:18:99:64:18:b1:22:eb:fa:15:09:aa:
7a:6d:d1:43:c3:fe:50:e8:d5:af:a0:09:57:01:08:
4c:d2:3d:ee:75:a1:ee:12:d2:72:c9:51:40:26:cd:
25:78:f6:eb:c9:6a:7f:da:9f:e5:a8:09:a5:3a:a8:
9e:2d:57:d5:56:9d:80:c7:e4:91:82:69:c2:4a:de:
58:2c:e8:a0:6e:3f:24:a5:74:41:94:a2:b1:47:13:
16:0e:40:02:30:7f:e7:23:1d:60:f2:c2:6f:8b:18:
b2:e0:d5:68:fe:e1:92:3a:24:1e:bb:94:59:40:f3:
6c:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
76:AD:A5:A1:7C:26:43:2E:5B:91:7F:42:72:21:FE:3C:FA:4F:48:3A
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
Timestamp : Jul 5 09:31:20.892 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:B9:61:FB:EC:BB:91:DA:DD:F3:F0:48:
D4:61:B8:CB:09:A0:7F:20:6C:B7:1F:13:7B:EE:11:5C:
4F:CF:0E:6B:63:02:21:00:EC:C2:21:16:6E:90:E0:DA:
FC:02:9A:FC:5A:3A:D0:92:38:8B:83:39:83:1D:3B:A9:
FE:58:06:2C:4D:BF:74:3B
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Jul 5 09:31:20.909 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:A0:6B:4C:3D:0C:E3:35:B3:71:E1:E5:
F2:70:89:7D:CD:A4:BA:F7:16:12:48:C5:A9:E7:DA:3A:
EB:B3:E2:BB:46:02:21:00:95:29:A4:22:F5:A3:B0:66:
C7:1A:71:1C:F9:95:6A:69:85:56:8B:08:E1:C8:3C:E7:
3B:23:1D:A2:D4:5B:F3:0C
Signature Algorithm: sha256WithRSAEncryption
4f:ea:24:2f:7f:a9:a9:30:98:c4:61:b9:a2:eb:d3:93:87:43:
9d:b8:63:0a:2b:5a:cd:a4:cc:48:aa:c1:8d:35:2c:7c:8a:32:
9f:0b:f6:6f:d3:40:ab:d6:ae:df:d2:11:d5:ee:14:4f:43:64:
9d:f6:dd:77:7f:cb:39:a4:0a:db:d6:73:a5:c1:05:4c:d2:ac:
93:ea:61:ed:ac:12:19:2d:a2:20:0b:c9:8e:dc:9f:cb:f4:c8:
fd:d6:66:be:44:c4:16:ff:c8:c9:e0:0c:d6:8d:e2:13:58:24:
9b:c8:51:c7:a0:33:41:3b:32:3d:4e:29:08:84:6e:42:d5:63:
56:ba:a7:35:89:8c:2c:6c:5c:bf:8d:75:38:3b:f4:1a:cc:3d:
2d:b8:d9:07:b5:39:78:06:4e:d3:c2:1b:45:15:e4:ff:3d:50:
2e:74:0d:c4:df:2c:19:24:04:96:21:46:98:61:47:9d:eb:a1:
55:a7:c5:72:41:0b:40:f3:80:2e:17:98:27:b6:5a:58:cf:ae:
e2:d5:95:2f:b6:a9:15:7b:51:48:33:e4:a3:f2:60:3a:80:eb:
62:08:5c:08:c7:2d:9c:a2:d8:e9:3c:e4:d6:9a:f9:ae:c1:1a:
d1:d4:ec:fe:1f:8f:2e:24:cc:4e:76:26:96:22:28:9c:e5:a0:
39:73:15:de
--------------------------------------------------------------------------------
non-SNI Data:
TLSv1: True
TLSv1.1: True
TLSv1.2: True
SANs:
---------------
git.pbs.org
login.pbs.org
projects.pbs.org
ga.video.cdn.pbs.org
dipsy-tc.pbs.org
whut-qa.svp.pbs.org
heart.ops.pbs.org
player.pbs.org
jaws.pbs.org
kids.pbs.org
account.pbs.org
teacherline.pbs.org
www-cache.pbs.org
image.pbs.org
admin.pbs.org
koth-qa.svp.pbs.org
urs.pbs.org
ops.pbs.org
wnet.video-staging.pbs.org
weta-qa.svp.pbs.org
sentry.pbs.org
video.pbs.org
wnet.video-qa.pbs.org
www.pbs.org
docs.pbs.org
pbs.org
---------------
Same as SNI CertificateThis is a lot of information! Most importantly, we have gotten a warning about a high severity vulnerability in the transportation layer security of the website. In the report, we see the following warning:
64-bit block cipher 3DES vulnerable to SWEET32 attackThis vulnerability, known as the "sweet 32" attack or CVE-2016-2183, could allow an attacker to intercept and modify traffic between a visitor to the website and the server. We reported this vulnerability to pbs.org during the course of making this article.
Next, we can take a look at the dns_records.txt file to learn more information about IP addresses.
[1;32m[v][0;0m Writing DNS query results
A
54.225.198.196
54.225.206.152
MX
10 mxgw2.pbs.org.
20 mxgw1.pbs.org.
NS
ns1.p10.dynect.net.
ns2.p10.dynect.net.
ns4.p10.dynect.net.
ns3.p10.dynect.net.
SOA
ns1.p10.dynect.net. dnssupport.verisign-grs.com. 1534492239 3600 600 604800 1800
TXT
"HOLciSiucyx9z9GJ0guhSicbiLe0Rm3WCSDQVy0AHuanMAOgr82WpdSHdFOw0HqcSaW6kuo5DAegSm0PC1ALJg=="
"detectify-verification=1583bf00b85b6570195c4ec81a2625ae"
"MS=ms58428140"
"v=spf1 include:stspg-customer.com a:listserv.pbs.org a:smtp1.pbs.org a:smtp2.pbs.org a:mxout.pbs.org a:servers.mcsv.net include:k12msg.com ip4:184.173.19.244/30 ~all"
"status-page-domain-verification=g90gln3s127q"
"facebook-domain-verification=hxcquifih7vsf9z0u39e2t2ks317j6"
[1;32m[v][0;0m Writing DNS query results
A
54.225.206.152
54.225.198.196
MX
20 mxgw1.pbs.org.
10 mxgw2.pbs.org.
NS
ns3.p10.dynect.net.
ns4.p10.dynect.net.
ns1.p10.dynect.net.
ns2.p10.dynect.net.
SOA
ns1.p10.dynect.net. dnssupport.verisign-grs.com. 1534979967 3600 600 604800 1800
TXT
"HOLciSiucyx9z9GJ0guhSicbiLe0Rm3WCSDQVy0AHuanMAOgr82WpdSHdFOw0HqcSaW6kuo5DAegSm0PC1ALJg=="
"detectify-verification=1583bf00b85b6570195c4ec81a2625ae"
"v=spf1 include:stspg-customer.com a:listserv.pbs.org a:smtp1.pbs.org a:smtp2.pbs.org a:mxout.pbs.org a:servers.mcsv.net include:k12msg.com ip4:184.173.19.244/30 ~all"
"facebook-domain-verification=hxcquifih7vsf9z0u39e2t2ks317j6"
"status-page-domain-verification=g90gln3s127q"
"MS=ms58428140"This gives us information about the email server the domain uses, the IP addresses involved in serving users, and other important domains like "dynect.net" which could lead us to information about hosting and infrastructure providers.
Next, we can take a look at the software powering the website inside the "web_scan" report. We also get information about email addresses discovered, fuzzable URLs, and HTML forms along with form methods discovered. This could help us in automating an attack against the website by studying the underlying software.
[1;34m[#][0;0m Trying to collect pbs.org web application data
[1;32m[v][0;0m CMS detected: target is using [1;32mDjango Framework[0;0m
[1;32m[v][0;0m Found robots.txt
[1;32m[v][0;0m Web server detected: [1;32mnginx[0;0m
[93m[!][0;0m 28 fuzzable URLs discovered
http://to.pbs.org/2mFOyNc?utm_source=carousel_bundle_3&utm_medium=related_link_3&utm_campaign=pbs_homepage
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=premiere_link&utm_campaign=pbs_homepage
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&text=Check%20out%20this%20video%20from%20@PBS:%20FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_shoplink
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/the-final-7d9s6z&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Great%20British%20Baking%20Show,%20The%20Final
https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav
http://to.pbs.org/2m7l6fD?utm_source=carousel_bundle_3&utm_medium=related_link_2&utm_campaign=pbs_homepage
https://account.pbs.org/oauth2/social/login/google-oauth2/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_digital
https://shop.pbs.org/drama-and-arts-best-sellers?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home-show_module_20OffDramaArts_AUG18
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/trailer-g7chzs&t=The%20Miniaturist,%20Trailer
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/shields-and-brooks-1534525761&text=Check%20out%20this%20video%20from%20@PBS:%20PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/our-man-in-tehran-part-two-7elm5x&t=FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20Two%29
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&t=FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/our-man-in-tehran-part-two-7elm5x&text=Check%20out%20this%20video%20from%20@PBS:%20FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20Two%29
https://account.pbs.org/oauth2/register/?next=%2Foauth2%2Fauthorize%2F%3Fscope%3Daccount%2Bvppa%26redirect_uri%3Dhttps%3A%2F%2Fwww.pbs.org%2Flogin%2F%26response_type%3Dcode%26client_id%3DLXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE%26confirmed%3D1
https://account.pbs.org/oauth2/social/login/facebook/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=related_link_1&utm_campaign=pbs_homepage
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=headline&utm_campaign=pbs_homepage
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/shields-and-brooks-1534525761&t=PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=image&utm_campaign=pbs_homepage
https://account.pbs.org/oauth2/authorize/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_shophomepage
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/the-final-7d9s6z&t=The%20Great%20British%20Baking%20Show,%20The%20Final
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/trailer-g7chzs&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Miniaturist,%20Trailer
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=short_description&utm_campaign=pbs_homepage
https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_digital
https://plus.google.com/share?url=https://www.pbs.org/video/trailer-g7chzs
[93m[!][0;0m 1 email addresses discovered
?subject=Check out this video from PBS: Trailer&body=I thought you might like this: https://www.pbs.org/video/trailer-g7chzs
[93m[!][0;0m 2 HTML forms discovered
Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/
Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/
[1;34m[#][0;0m Trying to collect pbs.org web application data
[1;32m[v][0;0m CMS detected: target is using [1;32mDjango Framework[0;0m
[1;32m[v][0;0m Found robots.txt
[1;32m[v][0;0m Web server detected: [1;32mnginx[0;0m
[93m[!][0;0m 28 fuzzable URLs discovered
http://to.pbs.org/2mFOyNc?utm_source=carousel_bundle_3&utm_medium=related_link_3&utm_campaign=pbs_homepage
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&t=FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
https://plus.google.com/share?url=https://www.pbs.org/video/trailer-g7chzs
https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_digital
http://to.pbs.org/2m7l6fD?utm_source=carousel_bundle_3&utm_medium=related_link_2&utm_campaign=pbs_homepage
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/first-look-wd8rsm&text=Check%20out%20this%20video%20from%20@PBS:%20Poldark,%20First%20Look
https://shop.pbs.org/digital-downloads?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_digital
https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/shields-and-brooks-1534525761&text=Check%20out%20this%20video%20from%20@PBS:%20PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/shields-and-brooks-1534525761&t=PBS%20NewsHour,%20Shields%20and%20Brooks%20on%20%E2%80%98reality%20show%E2%80%99%20rules
https://account.pbs.org/oauth2/authorize/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=short_description&utm_campaign=pbs_homepage
https://account.pbs.org/oauth2/social/login/facebook/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=headline&utm_campaign=pbs_homepage
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/first-look-wd8rsm&t=Poldark,%20First%20Look
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/trailer-g7chzs&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Miniaturist,%20Trailer
https://shop.pbs.org/pbs-best-sellers?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home-show_module_15Off6920Off9925Off150_AUG18
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=premiere_link&utm_campaign=pbs_homepage
https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_shopbuttontopnav_dropdown_shophomepage
https://account.pbs.org/oauth2/social/login/google-oauth2/?scope=account+vppa&redirect_uri=https://www.pbs.org/login/&response_type=code&client_id=LXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/trailer-g7chzs&t=The%20Miniaturist,%20Trailer
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/our-man-in-tehran-part-one-p9eu3w&text=Check%20out%20this%20video%20from%20@PBS:%20FRONTLINE,%20Our%20Man%20in%20Tehran%20%28Part%20One%29
https://shop.pbs.org/?utm_source=PBS&utm_medium=Link&utm_campaign=pbs_home_footer_shoplink
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=related_link_1&utm_campaign=pbs_homepage
https://account.pbs.org/oauth2/register/?next=%2Foauth2%2Fauthorize%2F%3Fscope%3Daccount%2Bvppa%26redirect_uri%3Dhttps%3A%2F%2Fwww.pbs.org%2Flogin%2F%26response_type%3Dcode%26client_id%3DLXLFIaXOVDsfS850bnvsxdcLKlvLStjRBoBWbFRE%26confirmed%3D1
http://www.pbs.org/value/home/?utm_source=carousel_bundle_3&utm_medium=image&utm_campaign=pbs_homepage
https://www.facebook.com/sharer/sharer.php?u=https://www.pbs.org/video/the-final-7d9s6z&t=The%20Great%20British%20Baking%20Show,%20The%20Final
https://www.twitter.com/intent/tweet?url=https://www.pbs.org/video/the-final-7d9s6z&text=Check%20out%20this%20video%20from%20@PBS:%20The%20Great%20British%20Baking%20Show,%20The%20Final
[93m[!][0;0m 1 email addresses discovered
?subject=Check out this video from PBS: Trailer&body=I thought you might like this: https://www.pbs.org/video/trailer-g7chzs
[93m[!][0;0m 2 HTML forms discovered
Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/
Form details: ID: None, Class: ['dropdown', 'nav-item--search__form', 'an-18_2'], Method: None, action: /search/You can learn more information about the web application firewall in the "WAF.txt" report, but our scan did not detect one.
Basic information about the registered domain owner can also be found under the "whois.txt" report, although many times this registration information is just for the company who registered the domain on behalf of the customer.
Recon Is an Essential Part of Any Plan
By using Raccoon scanner, a hacker can streamline an attack according to the surface area discovered in an initial scan. Because Raccoon scanner includes the ability to scan through a Tor relay, it's an exciting and subtle tool for compiling a lot of targeting data about a domain in an extremely short period of time.
For a red team or for a blue team looking to understand their publically exposed attack surface, Raccoon hits the sweet spot between Maltego and Nmap for OSINT recon on domain targets.
I hope you enjoyed this guide to using Raccoon scanner to gather OSINT data on a target domain! If you have any questions about this tutorial on Raccoon scanner or you have a comment, feel free to reach me in the comments below or on Twitter @KodyKinzie.
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
1 Comment
Yo, nice post... I will look into this further. Anyways, there are defensive tactics out there that could possibly block this approach but since we all know that most companies are too lazy to update their software there are loop holes everywhere. It seems possibly that the best way to use this is to find which domains that are on the network, but I could also be wrong and assuming you didn't go over all the features. Correct?
That's that. I will review the code and maybe add this to my arsenal (I have a 'fresh' installation of Debian currently).
~Cheers!
Share Your Thoughts