target:hoster/dnsprovider of nsa.gov’s smtp server aka smtp.nsa.gov
PH1K3 strikes again ~!keep hackin like itz the 1990 all over again!~
tribute to vampire666 his pastebin :pastebin.com/u/vampire666
Greetz big up my combratz z0x,inject-anons,h1tman, sn siph0n and anon* (all anon crews)
Lets begin:
:~# fierce -dns nsa.gov
DNS Servers for nsa.gov:
dsdn-gh1-uea06.nsa.gov
dsdn-gh1-uea05.nsa.gov
Trying zone transfer first…
Testing dsdn-gh1-uea06.nsa.gov
Request timed out or transfer not allowed.
Testing dsdn-gh1-uea05.nsa.gov
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way… brute force
Checking for wildcard DNS…
Nope. Good.
Now performing 2280 test(s)…
65.196.127.226 careers.nsa.gov
23.36.84.226 m.nsa.gov
63.239.67.5 dsux-gh1-uea01.nsa.gov
63.239.67.1 msux-gh1-uea01.nsa.gov
63.239.67.2 msux-gh1-uea02.nsa.gov
63.239.67.4 emsm-gh1-uea02.nsa.gov
63.239.67.6 dsux-gh1-uea02.nsa.gov
63.239.67.7 dsux-gh1-uea03.nsa.gov
63.239.67.8 dsux-gh1-uea04.nsa.gov
63.239.67.9 emvm-gh1-uea08.nsa.gov
63.239.67.10 emvm-gh1-uea09.nsa.gov
63.239.67.11 dsdn-gh1-uea05.nsa.gov
63.239.67.13 mset-gh1-uea02.nsa.gov
63.239.67.10 smtp.nsa.gov <–TARGET
63.239.67.9 smtp.nsa.gov <–TARGET
23.36.84.226 http://www.nsa.gov
root@thePH1K3machine:~# dig -x 63.239.67.10
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -x 63.239.67.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;10.67.239.63.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.67.239.63.in-addr.arpa. 86400 IN PTR emvm-gh1-uea09.nsa.gov.
;; AUTHORITY SECTION:
67.239.63.in-addr.arpa. 86400 IN NS romulus.ncsc.mil.
67.239.63.in-addr.arpa. 86400 IN NS svl-ans-01.inet.qwest.net.
67.239.63.in-addr.arpa. 86400 IN NS dca-ans-01.inet.qwest.net.
;; Query time: 769 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 4 20:57:47 2015
;; MSG SIZE rcvd: 173
hoster = qwest.net
Lets look at their site
damm they got alot of dns bs
Note aswell this is their backup server im sending the bytes to
after the xploit have been sent= error=The connection timed out (216.111.65.16:22)
fierce:
:~# fierce -dns qwest.net
DNS Servers for qwest.net:
authns2.qwest.net
authns1.qwest.net
scroll your shitt outa that mouse of yours
Trying zone transfer first…
Testing authns2.qwest.net
Request timed out or transfer not allowed.
Testing authns1.qwest.net
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way… brute force
Checking for wildcard DNS…
Nope. Good.
Now performing 2280 test(s)…
151.119.46.220 ci.qwest.net
155.70.16.46 community.qwest.net
63.150.159.139 dm01.emij.apa.qwest.net
63.150.159.134 apa2hitrack.hso.qwest.net
63.150.159.129 hdbasrv02-vip.apa.qwest.net
63.150.159.124 dh-i-124.apa.qwest.net
63.150.159.119 dh-i-119.apa.qwest.net
63.150.159.114 dh-i-114.apa.qwest.net
63.150.159.109 hostfs2k.apa.qwest.net
63.150.159.104 col1cons.apa.qwest.net
63.150.159.99 collect1.apa.qwest.net
63.150.159.94 vtl2.apa.qwest.net
63.150.159.89 db01.msi.apa.qwest.net
63.150.159.84 vtl1.apa.qwest.net
63.150.159.79 apa1-cellups6.apa.qwest.net
63.150.159.74 apa1-cellups1.apa.qwest.net
63.150.159.71 dwh.apa.qwest.net
63.150.159.66 apagecs202.apa.qwest.net
63.150.159.61 mgtwin02.apa.qwest.net
63.150.159.56 apagecs100.apa.qwest.net
63.150.159.53 apagecx1spb.apa.qwest.net
63.150.159.48 tmart02bmc.apa.qwest.net
63.150.159.43 tsg-ws12.apa.qwest.net
63.150.159.38 co9180tsgws7.apa.qwest.net
63.150.159.33 tsg-ws2.apa.qwest.net
63.150.159.28 sec-ws13.apa.qwest.net
63.150.159.23 co9180hocws8.apa.qwest.net
63.150.159.18 coapahoc06.apa.qwest.net
63.150.159.13 css-ws6.apa.qwest.net
63.150.159.8 stme16-ups3-4.apa.qwest.net
63.150.159.4 hdbasrv01.apa.qwest.net
63.150.159.1 fw1-int.apa.qwest.net
63.150.159.2 fw2-int.apa.qwest.net
63.150.159.5 dmz-sw1.apa.qwest.net
63.150.159.6 int-sw2.apa.qwest.net
63.150.159.7 stme16-ups1-2.apa.qwest.net
63.150.159.9 4cr-dat-1.apa.qwest.net
63.150.159.10 css-ws3.apa.qwest.net
63.150.159.11 css-ws4.apa.qwest.net
63.150.159.12 css-ws5.apa.qwest.net
63.150.159.14 css-ws7.apa.qwest.net
63.150.159.16 co9180hocws1.apa.qwest.net
63.150.159.17 apa-plotter.apa.qwest.net
63.150.159.19 co9180hocws4.apa.qwest.net
63.150.159.20 co9180hocws5.apa.qwest.net
63.150.159.21 co9180hocws6.apa.qwest.net
63.150.159.22 co9180hocws7.apa.qwest.net
63.150.159.24 hoc-ws9.apa.qwest.net
63.150.159.25 hoc-ws10.apa.qwest.net
63.150.159.26 apais3.apa.qwest.net
63.150.159.27 hoc-ws12.apa.qwest.net
63.150.159.29 sto-sw1.apa.qwest.net
63.150.159.31 sanscreenrpt.hso.qwest.net
63.150.159.32 tsg-ws1.apa.qwest.net
63.150.159.34 co9180gmschustem.apa.qwest.net
63.150.159.35 tsg-ws4.apa.qwest.net
63.150.159.36 tsg-ws5.apa.qwest.net
63.150.159.37 tsg-ws6.apa.qwest.net
63.150.159.39 tsg-ws8.apa.qwest.net
63.150.159.40 coapahoc04.apa.qwest.net
63.150.159.41 tsg-ws10.apa.qwest.net
63.150.159.42 tsg-ws11.apa.qwest.net
63.150.159.44 host02.emij.apa.qwest.net
63.150.159.45 apa-hoc-printer.apa.qwest.net
63.150.159.46 apagecx1spa.apa.qwest.net
63.150.159.47 tst01bmc.apa.qwest.net
63.150.159.49 apabupswitch2.apa.qwest.net
63.150.159.54 ov2cons.qwest.net
63.150.159.55 apais4.apa.qwest.net
63.150.159.57 apagecs101.apa.qwest.net
63.150.159.58 css-spare.apa.qwest.net
63.150.159.59 apagecs102.apa.qwest.net
63.150.159.60 mgtwin01.apa.qwest.net
63.150.159.62 mgtsun01.apa.qwest.net
63.150.159.63 mgtsun02.apa.qwest.net
63.150.159.64 apagecs200.apa.qwest.net
63.150.159.65 apagecs201.apa.qwest.net
63.150.159.67 lb02.qdwh.apa.qwest.net
63.150.159.72 powermeasurement-sw1.apa.qwest.net
63.150.159.73 host27.qdwh.apa.qwest.net
63.150.159.75 apa1-cellups2.apa.qwest.net
63.150.159.76 apa1-cellups3.apa.qwest.net
63.150.159.77 apa1-cellups4.apa.qwest.net
63.150.159.78 apa1-cellups5.apa.qwest.net
63.150.159.80 hdbasrv02.apa.qwest.net
63.150.159.81 apa2-cellups1.apa.qwest.net
63.150.159.82 apa2-cellups2.apa.qwest.net
63.150.159.83 hdbasrv01-vip.apa.qwest.net
63.150.159.85 hdbasrv-scan.apa.qwest.net
63.150.159.86 hdbasrv-scan.apa.qwest.net
63.150.159.87 hdbasrv-scan.apa.qwest.net
63.150.159.88 appvip.msi.apa.qwest.net
63.150.159.90 db02.msi.apa.qwest.net
63.150.159.91 dbvip.msi.apa.qwest.net
63.150.159.92 con01bmc.apa.qwest.net
63.150.159.93 sqlvip.msi.apa.qwest.net
63.150.159.95 apaopsctr1.apa.qwest.net
63.150.159.96 apaov1.apa.qwest.net
63.150.159.97 apaov2.apa.qwest.net
63.150.159.98 vpo.apa.qwest.net
63.150.159.100 apaissql1.apa.qwest.net
63.150.159.101 wintest2.tools.apa.qwest.net
63.150.159.102 ov1cons.apa.qwest.net
63.150.159.103 ov2cons.apa.qwest.net
63.150.159.105 dm04.emij.apa.qwest.net
63.150.159.106 iscon1.apa.qwest.net
63.150.159.107 lampoc.apa.qwest.net
63.150.159.108 denali.apa.qwest.net
63.150.159.110 lampoc_vm.apa.qwest.net
63.150.159.111 apahoc.apa.qwest.net
63.150.159.112 ovcon1.apa.qwest.net
63.150.159.113 ovcon2.apa.qwest.net
63.150.159.115 dh-i-115.apa.qwest.net
63.150.159.116 dh-i-116.apa.qwest.net
63.150.159.117 dh-i-117.apa.qwest.net
63.150.159.118 dh-i-118.apa.qwest.net
63.150.159.120 dh-i-120.apa.qwest.net
63.150.159.121 dh-i-121.apa.qwest.net
63.150.159.122 dh-i-122.apa.qwest.net
63.150.159.123 dh-i-123.apa.qwest.net
63.150.159.125 apaissql2.apa.qwest.net
63.150.159.126 dh-i-126.apa.qwest.net
63.150.159.127 dh-i-127.apa.qwest.net
63.150.159.128 apajump01.apa.qwest.net
63.150.159.130 tmart01bmc.apa.qwest.net
63.150.159.131 tmartdb01bmc.apa.qwest.net
63.150.159.132 apa2esrsgw.hso.qwest.net
63.150.159.133 apa2hsodc.hso.qwest.net
63.150.159.135 clarify.apa.qwest.net
63.150.159.136 apamom.apa.qwest.net
63.150.159.137 apamom1.apa.qwest.net
63.150.159.138 apamom2.apa.qwest.net
63.150.159.140 rsm01bmc.apa.qwest.net
63.150.159.141 rsm02bmc.apa.qwest.net
63.150.159.142 compdbvip.apa.qwest.net
63.150.159.143 compsqlvip.apa.qwest.net
63.150.159.144 apagecx2spa.apa.qwest.net
63.150.159.145 apagecx2spb.apa.qwest.net
63.150.159.146 Apa2esrsgw.hso.qwest.net
63.150.159.147 rmanapa.apa.qwest.net
63.150.159.148 rmanapa-mgt.apa.qwest.net
63.150.159.149 apais.apa.qwest.net
63.150.159.150 apais1.apa.qwest.net
63.150.159.151 syslog.apa.qwest.net
63.150.159.152 apais2.apa.qwest.net
63.150.159.153 hrccweb01.apa.qwest.net
63.150.159.154 rsm05bmc.apa.qwest.net
63.150.159.155 secure1.apa.qwest.net
63.150.159.156 hic05.apa.qwest.net
63.150.159.157 bem05bmc.apa.qwest.net
63.150.159.158 ilom-mailr.apa.qwest.net
63.150.159.159 bem06bmc.apa.qwest.net
63.150.159.160 ilom-syslog.apa.qwest.net
63.150.159.161 rsm03bmc.apa.qwest.net
63.150.159.162 db-sip.apa.qwest.net
63.150.159.163 rsm04bmc.apa.qwest.net
63.150.159.164 hic-sendmail.apa.qwest.net
63.150.159.165 oobr-04.5.apa.qwest.net
63.150.159.166 apahsswgr001.apa.qwest.net
63.150.159.167 apahsswgr002.apa.qwest.net
63.150.159.168 apahsswgr004.apa.qwest.net
63.150.159.169 apahsswgr005.apa.qwest.net
63.150.159.171 apahsswgr006.apa.qwest.net
63.150.159.172 hic-sendmail.apa.qwest.net
63.150.159.173 apajump01.apa.qwest.net
63.150.159.174 dn2_owsat01.apa.qwest.net
63.150.159.175 dn2_owsat02.apa.qwest.net
63.150.159.177 hostingportal.apa.qwest.net
63.150.159.178 tmart03bmc.apa.qwest.net
63.150.159.183 apaship.apa.qwest.net
63.150.159.184 host01.stk.apa.qwest.net
63.150.159.185 vpn01.stk.apa.qwest.net
63.150.159.186 apaacsls-vip.apa.qwest.net
63.150.159.187 rsm06bmc.apa.qwest.net
63.150.159.188 rsm07bmc.apa.qwest.net
63.150.159.189 datatrax.apa.qwest.net
63.150.159.190 apawinad2.apa.qwest.net
63.150.159.191 dm03.emji.apa.qwest.net
63.150.159.194 mssow.apa.qwest.net
63.150.159.195 cphrccsan01.apa.qwest.net
63.150.159.196 apamgtrh01.apa.qwest.net
63.150.159.197 oobr-01.apa.qwest.net
63.150.159.198 hlr2-oobr-01.inet.qwest.net
63.150.159.199 critsys.apa.qwest.net
63.150.159.200 storageecc.apa.qwest.net
63.150.159.201 prod-dev2.apa.qwest.net
63.150.159.204 apa-cldvcb-01.apa.qwest.net
63.150.159.205 hw01.apa.qwest.net
63.150.159.206 hw02.apa.qwest.net
63.150.159.207 hw03.apa.qwest.net
63.150.159.208 hw04.apa.qwest.net
63.150.159.209 hw05.apa.qwest.net
63.150.159.210 hdinsight01.apa.qwest.net
63.150.159.211 hdinsight02.apa.qwest.net
63.150.159.214 momcon2.apa.qwest.net
63.150.159.215 authsrv.apa.qwest.net
63.150.159.216 distrib.apa.qwest.net
63.150.159.218 corptx.apa.qwest.net
63.150.159.219 hdbatst02.apa.qwest.net
63.150.159.220 host73.apa.qwest.net
63.150.159.221 hdbatst01.apa.qwest.net
63.150.159.222 ds01bmc.apa.qwest.net
63.150.159.223 hdbatst-vip.apa.qwest.net
63.150.159.224 apaov.apa.qwest.net
63.150.159.225 proxy01bmc.apa.qwest.net
63.150.159.226 bpmdb01bmc.apa.qwest.net
63.150.159.227 bpmapp01bmc.apa.qwest.net
63.150.159.228 con01bmc.apa.qwest.net
63.150.159.229 bpmweb01bmc.apa.qwest.net
63.150.159.230 ins.apa.qwest.net
63.150.159.231 momcon1.apa.qwest.net
63.150.159.232 smartstart.apa.qwest.net
63.150.159.233 apahsswgr003.apa.qwest.net
63.150.159.234 moxa.apa.qwest.net
63.150.159.235 apa-dbalinjump01.apa.qwest.net
63.150.159.236 apa-dbawinjump01.apa.qwest.net
63.150.159.237 apaqmoe1.apa.qwest.net
63.150.159.238 apais5.apa.qwest.net
63.150.159.239 chameleon.apa.qwest.net
63.150.159.240 proxy02bmc.apa.qwest.net
63.150.159.241 eg01.apa.qwest.net
63.150.159.242 apa1-mss-01.mss.qwest.net
63.150.159.244 apajump02.apa.qwest.net
63.150.159.245 sql-sip.apa.qwest.net
63.150.159.246 bpmdb01test.apa.qwest.net
63.150.159.248 wug01net.apa.qwest.net
63.150.159.250 htnnops-sun.apa.qwest.net
63.150.159.251 bem01bmc.apa.qwest.net
63.150.159.252 bem02bmc.apa.qwest.net
63.150.159.253 bem03bmc.apa.qwest.net
63.150.159.254 bem04bmc.apa.qwest.net
63.150.159.245 eg02.apa.qwest.net
63.150.159.228 conbmc.apa.qwest.net
63.150.159.189 dm02.emji.apa.qwest.net
63.150.159.172 hostingquotetool.apa.qwest.net
63.150.159.6 dmz-sw2.apa.qwest.net
63.150.159.5 int-sw1.apa.qwest.net
63.150.159.144 console.qwest.net
150.159.229.6 consumer.qwest.net
66.77.128.66 css.qwest.net
204.154.232.42 knowledge.qwest.net
204.154.232.38 directory.qwest.net
155.70.16.81 ecom.qwest.net
199.117.27.22 gopher.qwest.net
192.168.120.182 h.qwest.net
10.1.64.5 help.qwest.net
63.224.76.66 im.qwest.net
10.6.8.236 io.qwest.net
127.0.0.1 localhost.qwest.net
63.226.138.13 mpls-bigip-05-2.inet.qwest.net
63.226.138.8 8-138-226-63.inet.qwest.net
63.226.138.3 mpls-clamav-03.inet.qwest.net
63.226.138.1 mpls-clamav-01.inet.qwest.net
63.226.138.2 mpls-clamav-02.inet.qwest.net
63.226.138.4 mpls-clamav-04.inet.qwest.net
63.226.138.5 mpls-clamav-05.inet.qwest.net
63.226.138.6 mpls-sipdev-01.inet.qwest.net
63.226.138.7 7-138-226-63.inet.qwest.net
63.226.138.9 9-138-226-63.inet.qwest.net
63.226.138.10 10-138-226-63.inet.qwest.net
63.226.138.11 mpls-relay-01.inet.qwest.net
63.226.138.12 mpls-relay-02.inet.qwest.net
63.226.138.14 mpls-bigip-06-2.inet.qwest.net
63.226.138.15 mpls-relay.inet.qwest.net
63.226.138.17 mpls-smx-01.inet.qwest.net
63.226.138.18 mpls-smx-02.inet.qwest.net
63.226.138.19 mpls-mailns-03.inet.qwest.net
63.226.138.20 mpls-mailns-04.inet.qwest.net
63.226.138.21 mpls-greylist-01.inet.qwest.net
63.226.138.22 mpls-greylist-02.inet.qwest.net
63.226.138.23 mpls-greylist-03.inet.qwest.net
63.226.138.24 mpls-greylist-04.inet.qwest.net
63.226.138.25 dcc1.qwest.net
63.226.138.26 min-bl-01.inet.qwest.net
63.226.138.27 dcc3.qwest.net
63.226.138.28 min-svcs-02.inet.qwest.net
63.226.138.29 min-svcs-03.inet.qwest.net
63.226.138.18 mx.qwest.net
63.226.138.17 mx.qwest.net
207.109.18.205 mpls-mf-13.inet.qwest.net
207.109.18.200 mpls-mf-08.inet.qwest.net
207.109.18.195 mpls-mf-03.inet.qwest.net
207.109.18.193 mpls-mf-01.inet.qwest.net
207.109.18.194 mpls-mf-02.inet.qwest.net
207.109.18.196 mpls-mf-04.inet.qwest.net
207.109.18.197 mpls-mf-05.inet.qwest.net
207.109.18.198 mpls-mf-06.inet.qwest.net
207.109.18.199 mpls-mf-07.inet.qwest.net
207.109.18.201 mpls-mf-09.inet.qwest.net
207.109.18.202 mpls-mf-10.inet.qwest.net
207.109.18.203 mpls-mf-11.inet.qwest.net
207.109.18.204 mpls-mf-12.inet.qwest.net
207.109.18.206 mpls-mf-14.inet.qwest.net
207.109.18.207 mpls-mf-15.inet.qwest.net
207.109.18.208 mpls-mf-16.inet.qwest.net
207.109.18.209 mpls-smx-03.inet.qwest.net
207.109.18.210 mpls-smx-04.inet.qwest.net
207.109.18.215 mpls-bs-01.inet.qwest.net
207.109.18.210 mx.qwest.net
207.109.18.209 mx.qwest.net
204.147.80.90 www-test.qwest.net
204.147.80.91 mpls-bigip-01-launch-vlan.inet.qwest.net
204.147.80.94 http://www.qwest.net
204.147.80.95 mpls-bigip-01-launch-vlan.inet.qwest.net
204.147.80.96 mpls-fp-00.inet.qwest.net
204.147.80.97 mpls-fp-01.inet.qwest.net
204.147.80.98 mpls-fp-02.inet.qwest.net
204.147.80.99 fp.users.qwest.net
204.147.80.101 mpls-pweb-04.inet.qwest.net
204.147.80.94 my.qwest.net
204.154.232.100 nb.qwest.net
65.115.167.1 mpls-nnrp-01.inet.qwest.net
65.115.167.2 mpls-nnrp-02.inet.qwest.net
65.115.167.3 mpls-nnrp-03.inet.qwest.net
65.115.167.4 mpls-nnrp-04.inet.qwest.net
65.115.167.5 mpls-nnrp-05.inet.qwest.net
65.115.167.6 mpls-nnrp-06.inet.qwest.net
65.115.167.5 news.qwest.net
65.115.167.6 news.qwest.net
65.115.167.3 news.qwest.net
65.115.167.4 news.qwest.net
204.154.232.10 zeus.qwest.net
204.154.232.10 ns.qwest.net
216.111.65.216 tmp-sns-01.ip.qwest.net
216.111.65.217 hlr-sns-01.inet.qwest.net
216.111.65.218 radb.ip.qwest.net
216.111.65.221 concord.ip.qwest.net
………………..
ALL HERE:
