Recon To Network Takeover

Bilal Khan


I am not responsible for any illegal actions taken by you, this guide/tutorial/blog is just for educational purposes. The content, shown in this article are permitted by the company whom I was testing.

I was requested by my friend to pentest a company in my country, as they offered good money, they allowed me to test each and every phase of their company. It was full scope Pentesting. There are always many options when there is full scope Pentesting it really depends on the pentester that he choose which way, I went for the network first and search their domains IP addresses and then I search that IP addresses on Internet Number Registry, and I was surprised they were using huge ranges of IP addresses and different types of subnets for their Infrastructure, so lets begin the hack.

Who Got Time For Scanning/Nmap

When you see such huge subnets and IP ranges, there is one thing that comes in mind, its gonna take a long, long time. Scanning is good options but when you want to hunt for bugs more quickly with such huge IP ranges and subnets all you need to do is to work smart.

Gear UP

Lets gear up our toolbox that we will need during testing you can go for the other ones but this is my gearbox, tell me if I need to add more things in there. First, we need to think of a few things here what kind of servers/services/devices etc.. we are going to face?. so here is my list when I do such Pentesting.

  1. Routersploit.
  2. Searchsploit.
  3. Metasploit.
  4. Self scripted tools.

Let's Begin.

Google Dorking The Noob Way

If you read the blogs on the internet about the Google Dorking, this is the great one I’ve found, let us consider the IP ranges and subnet as the following.

  1. N.N.80.0/20
  2. N.N.84.0/8
  3. N.N.48.0/16
  4. N.N.32.0/20
  5. N.N.0.0/12

Consider N any number in your mind, but don't change it lets do some Google Dorking on these ranges. If we type this dork site:N.N.80.0 we will get no result or very few but let's use the wild card here like this site:N.N.*.* and now we have a large number of results many of which contains internally connected routers exposed to the public we can also filter the result with specific ports like this site:N.N.*.* -intext:9000 inurl:9000 this will show the result of containing the port number 9000 but, this is not that fun at all let's combine it with other dorks like this site:N.N.*.* intext:"Wifi" and we got wifi routers you can use other dorks with it according to your choice, but what’s next? well in my case the company was using some old devices and some devices with default credentials which includes their network firewalls, routers, IP cameras and other network devices and luckily I was able to take over the max of them. below are the screenshots please help me to learn more by giving your response on this blog, Thank You.

Google Dorking
Some more Dorking
Routersploit in action
Sonic Wall N00b
H3C N00b
Aruba N00b
ABB N00b
Something Extra N00b
Planet N00b

Bilal Khan

Written by

fullStack | Dev Ops | Django | Flask | Vuejs | Angularjs | Ionic | ML | AI | Security Researcher | Pentester | Bug Hunter | Tech Writer | Eat -> Code -> Sleep |

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade