- Apr 25, 2015
Code:
ping cracked.to
Pinging cracked.to [104.27.10.92] with 32 bytes of data:
This is showing Cloudflare, Inc. as the IPv4 address owner.
Time to try Censys and Shodan on our host of interest:
Shodan
We are already seeing an IP of 82.118.242.102.
Code:
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Thu, 14 Nov 2019 10:14:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Set-Cookie: mybb[lastvisit]=1573726498; expires=Fri, 13-Nov-2020 10:14:58 GMT; path=/; domain=.cracked.to; Secure
Set-Cookie: mybb[lastactive]=157372649...
We can also see the IP 51.38.181.201.
Code:
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Thu, 21 Nov 2019 18:23:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: mybb[lastvisit]=1574360606; expires=Fri, 20-Nov-2020 18:23:26 GMT; path=/; domain=.cracked.to; Secure
Set-Cookie: my...
Now we can cross-reference Censys:
Code:
51.38.181.201
82.118.242.102
23.95.120.193
52.143.170.157 #only mentions using cracked.to theme at bottom right
217.61.3.184 #https host claiming to be 'nulled.one' and appears to use cracked.to theme
167.86.104.214 #spotify-upgrades.co. An official service by Cracked.to
https://51.75.149.202/ #RSocks is a VPN service that links to cracked.to
https://138.197.54.96/ #mentions cracked.to about selling of Disney Plus accounts
https://23.95.120.193/ links to a "cracking.tools" website.
https://82.118.242.102/ loads the "cracked.to" website.
https://51.38.181.201/ loads the "cracked.to" website.
Now we know the two IP addresses likely behind the cracked.to website are:
- 82.118.242.102
- 51.38.181.201
We can use masscan to scan all ports:
Code:
masscan 82.118.242.10 -p0-65535
We can use Nmap to scan a single host somewhat quickly:
Code:
nmap -p0-65535 51.38.181.201 -T5
The results I got from this are:
Code:
Nmap scan report for ns3133517.ip-51-38-181.eu (51.38.181.201)
Host is up (0.075s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp filtered smtp
443/tcp open https
445/tcp filtered microsoft-ds
9292/tcp open armtechdaemon
14071/tcp open unknown
At this point I am somewhat curious what things may look like over on cracked.to with a T4 scan; slowing scans down can sometimes yield more results, like this:
Code:
xxx:~# nmap -p0-65535 51.38.181.201 -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 19:24 UTC
Nmap scan report for ns3133517.ip-51-38-181.eu (51.38.181.201)
Host is up (0.075s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp filtered smtp
443/tcp open https
445/tcp filtered microsoft-ds
9292/tcp open armtechdaemon
14071/tcp open unknown
So... here is what we have:
The T4 Nmap scan seems fast while also accurate; the Nmap scans complete in about 4 minutes, whereas the Masscan takes about 10 minutes.
Nmap is more of a sniper rifle, whereas ZMap is a machine gun, at least in my opinion.
nmap -p0-65535 82.118.242.10 -T4
Code:
Nmap scan report for 82.118.242.10
Host is up (0.11s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
1194/tcp open openvpn
56930/tcp open unknown
nmap -p0-65535 51.38.181.201 -T4
Code:
Nmap scan report for ns3133517.ip-51-38-181.eu (51.38.181.201)
Host is up (0.075s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp filtered smtp
443/tcp open https
445/tcp filtered microsoft-ds
9292/tcp open armtechdaemon
14071/tcp open unknown
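As an added example (not part of the original post), here is a small Python script that parses Nmap normal-output reports like the ones quoted above and diffs two of them, the way a defender tracks changes in a host's exposed ports between scheduled scans. The baseline is the 51.38.181.201 report from the post; the "later" report is a constructed one, not a real scan.

```python
import re
from typing import Dict, Tuple

# Constructed sample 1: the 51.38.181.201 report quoted in the post above.
SCAN_BASELINE = """\
Nmap scan report for ns3133517.ip-51-38-181.eu (51.38.181.201)
Host is up (0.075s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp filtered smtp
443/tcp open https
445/tcp filtered microsoft-ds
9292/tcp open armtechdaemon
14071/tcp open unknown
"""

# Constructed sample 2: a hypothetical later scan of the same host (not from the post),
# in which 14071 has gone away, SSH is now exposed on 22, and 25 is no longer filtered.
SCAN_LATER = (SCAN_BASELINE.replace("14071/tcp open unknown", "22/tcp open ssh")
                           .replace("25/tcp filtered smtp", "25/tcp open smtp"))

# Matches the "PORT STATE SERVICE" rows of Nmap normal output, e.g. "443/tcp open https".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_report(text: str) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """Return {(port, proto): (state, service)} for every port row in a report."""
    ports: Dict[Tuple[int, str], Tuple[str, str]] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports

def open_ports(text: str):
    """Sorted list of port numbers whose state is 'open'."""
    return sorted(p for (p, _), (state, _) in parse_report(text).items() if state == "open")

def diff_reports(old: str, new: str):
    """Ports added, removed, or whose state changed between two reports of one host."""
    a, b = parse_report(old), parse_report(new)
    added = {k: b[k] for k in b.keys() - a.keys()}
    removed = {k: a[k] for k in a.keys() - b.keys()}
    changed = {k: (a[k][0], b[k][0]) for k in a.keys() & b.keys() if a[k][0] != b[k][0]}
    return added, removed, changed

if __name__ == "__main__":
    print("open (baseline):", open_ports(SCAN_BASELINE))
    added, removed, changed = diff_reports(SCAN_BASELINE, SCAN_LATER)
    print("added:", added, "removed:", removed, "changed:", changed)
```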
So now what?
Host 82.118.242.10 switched their SSH port to 56930.
http://51.38.181.201:9292/ loads "hwhat"
IP 51.38.181.201 has port 14071 replying.
Other than this information, we could attempt gathering version intel to see if anything is unpatched.
The port 14071 appears to use keys (likely wants a .pem/.ppk file for key pair auth):
Reference:
Question | DigitalOcean
www.digitalocean.com
That is the beginning; that was all very easy and makes a good example.