Day 1 Intelligence Gathering 1x

californiamandrill, Software and s/w Development

Dec 13, 2013


PENETRATION TESTING & VULNERABILITY ASSESSMENT

Copyright 2013 © Adharv Tech Initiative Pvt. Ltd.

Permission is granted to copy, distribute and/or modify this document under the terms of the Adharv License.

RECONNAISSANCE I

Krishna Suraparaju

Module Objective

By the end of this module, you should be able to gather general information about an organization.

Footprinting

Information gathering is one of the most important stages of the attack. This is where we gather basic information about our target in order to be able to launch our attack later on.

Equation: more information = higher probability of a successful attack

Types of Reconnaissance

- Open Web Reconnaissance
- Whois Reconnaissance
- DNS Reconnaissance
- SNMP Reconnaissance
- SMTP Reconnaissance
- Microsoft NetBIOS Reconnaissance
- LAN Reconnaissance
- Wireless Reconnaissance

Open Web Reconnaissance

The first thing we usually need to do prior to an attack is spend some time browsing the web and looking for background information about the organization we are about to attack.

We usually first need to browse the organizational website and look for general information such as contact information, phone and fax numbers, emails, company structure, etc. We also usually need to look for sites which link to the target site or for organizational emails floating around the web.

- Google Hacking

Email Harvesting

Email harvesting is an effective way of finding out possible emails (and possibly usernames) belonging to an organization.

Search for the company domain, e.g. bll.co.il.

Obviously, collecting these emails manually is exhausting and can be automated using a script.

    BT ~ # cd /pentest/enumeration/google/
    BT google # ./goog-mail.py

Once harvested, these emails can be used as a distribution base for a client side attack, as will be discussed later.

Back trace

Back trace the emails found, as they can reveal interesting information about these individuals.

Specify a particular email address and search for more results.

Miscellaneous Web Resources

Obviously, there are other search engines apart from Google. A nice list of search engines and their search capabilities can be found here:

http://www.searchengineshowdown.com/features/

One specific search function that can be discussed is gigablast.com, which has IP search capabilities.

IP Search

Searching web content by IP address can help identify load balancers, additional virtual domains and so on.

Netcraft

Netcraft is an Internet monitoring company based in Bradford-on-Avon, England.

Their most notable services are monitoring uptimes and providing server operating system detection.

Netcraft can be used to indirectly find out information about web servers on the internet, including the underlying operating system, web server version, uptime graphs, etc.

Exercise 1

Lab requirements:
- Internet
- Netcraft toolbar / web site

Lab Objectives:
- Get Cycops web server details using Netcraft

Whois Reconnaissance

Whois is a name for a TCP service, a tool and a database.

Whois databases contain nameserver, registrar, and in some cases full contact information about a domain name.

About WHOIS database

Each registrar must maintain a Whois database containing all contact information for the domains they 'host'.

A central registry Whois database is maintained by the InterNIC.

These databases are usually published by a Whois server over TCP port 43 and are accessible using the Whois program.

How to Whois?

Let's try to dig out the domain details for the checkpoint.com domain. As usual, we have absolutely no malicious intentions for this domain.

We've received the following information from the registrar database.

    IP Address: 216.200.241.66
    Registrar: NETWORK SOLUTIONS, LLC.
    Whois Server: whois.networksolutions.com
    Name Server: NS4.CHECKPOINT.COM
    Name Server: NS1.CHECKPOINT.COM
    Expiration Date: 29-Mar-2007

    Registrant:
    Check Point Software Technologies Ltd.
    Address:
    3A Jabotinsky St.
    Ramat-Gan 52520
    ISRAEL

    IP Address: 216.200.241.66
    Registrar: NETWORK SOLUTIONS, LLC.
    Whois Server: whois.networksolutions.com
    Domain Name: CHECKPOINT.COM

    Administrative Contact, Technical Contact:
    Wilf, Gonen - gonenw@CHECKPOINT.COM
    Check Point Software Technologies Ltd.
    Telephone number: +972-3-7534555
    Fax number: +972-3-5759256

Whois IP lookup

We can input an IP address. The Whois result will usually include the whole network range which belongs to the organization.

Points of Interest

We see that checkpoint.com owns the IP address range 216.200.241.64 - 216.200.241.79.

Notice how we have come to the point where we have identified specific IP addresses belonging to the organization.

Whois is also often made accessible over a web interface. The following are some of the most comprehensive Whois web interfaces available:

http://www.completewhois.com/
http://ripe.net
http://whois.sc

Exercise 2

Lab Requirements:
- BackTrack.
- Internet connection.

Lab Objectives:
- Choose your organization (or any other that may be of interest) and gather as much information as possible about it using Google and other open web resources.
- Try organizing the details into the following categories:
  - Organizational structure (who's the boss? Who's the IT guy?)
  - Domain names they own.
  - IP ranges / server names they own.
  - Phone numbers / addresses.
  - Emails and employee names; try to identify the job position of each employee found.
  - Rogue / leaked information (PDFs, XLS, PPT etc.) found via Google.
- Use Netcraft to identify the web server versions of the organization, if they exist.
- Any other interesting information you may find relevant.

DNS Reconnaissance

DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names and server functions.

NOTE: nslookup behaves differently between Linux and Windows. The Linux version of nslookup has deprecated the ls command.

Interacting with DNS server

A DNS server will usually reveal DNS and mail server information for the domain for which it is authoritative.

This is a necessity, as public requests for mail server addresses and DNS server addresses make up our basic internet experience.

We can interact with a DNS server using various DNS clients such as host, nslookup, dig, etc.

Nslookup

In this example, we've connected to our local DNS server (192.168.0.1) and asked it to resolve the A record for www.checkpoint.com. The DNS server replies with the address 216.200.241.66.

Exercise 3

Lab Requirements:
- Windows 2003 server with DNS, DHCP, IIS and Exchange servers running
- Windows XP SP2 with Outlook configured

Lab Objective:
- Identify NS, MX, PTR and other RR information

Automating Lookups

Information gathering using DNS can be divided into 3 main techniques:

- Forward lookup bruteforce
- Reverse lookup bruteforce
- Zone transfers

Forward lookup bruteforce

The idea behind this method is to try to guess valid names of organizational servers. We try to resolve a given name. If it resolves, then the server exists. Let's try a short example using the host command.

Automate the process of Discovery

Let's create a text file named names.txt:

    www
    www1
    www2
    vpn
    voip
    forums
    checkpoint
    firewall
    dns
    dns1
    smtp
    pop
    mail
    ftp

Filter

Let's try cleaning up the output, and show only the lines which contain the string "has address".

    #!/bin/bash
    # Resolve every candidate label from names.txt under the target domain
    # and keep only the lines that carry a resolved A record.
    for name in $(cat names.txt); do
        host $name.checkpoint.com | grep "has address"
    done

Output

The output of this script looks much better and shows us only hostnames which have been resolved.

More clean

In order to get a clean list of IPs, we can further perform some text manipulation on this output. We'll cut the list and show only the IP address field:

    #!/bin/bash
    # Same loop as before; the fourth space-separated field of a
    # "<name> has address <ip>" line is the IP address.
    for name in $(cat names.txt); do
        host $name.checkpoint.com | grep "has address" | cut -d" " -f4
    done

Also check the resulting IPs with whois.

Reverse lookup brute force

Armed with these IP network blocks, we can now try the second method of DNS information gathering: reverse lookup bruteforce.

This method relies on the existence of PTR host records being configured on the organizational nameserver. PTR records are becoming more widely used as many mail systems require PTR verification before accepting mail.

PTR Query

Using the host command, we can perform a PTR DNS query on an IP, and if that IP has a PTR record configured, we will receive its FQDN.

    BT ~ # host 216.200.241.69
    69.241.200.216.in-addr.arpa domain name pointer gould.us.checkpoint.com.

From this result, we see that the IP 216.200.241.64 back resolves to gould.us.checkpoint.com.
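The forward brute-force loop of the previous slides and the PTR queries on this one share one weakness: grep "has address" silently drops IPv6, CNAME and PTR answers and keeps duplicates. The following added example (not from the slides or the BackTrack tools) covers both techniques with a single host(1) output parser, a forward driver fed from names.txt, and a reverse sweep over a last-octet range such as the .64-.79 block found via whois. DOMAIN, the prefix/range arguments and the sample transcript are assumptions; the sample is constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the slides: forward brute force plus a reverse
# (PTR) sweep sharing one parser for host(1) output. Unlike grep "has
# address", it keeps A, AAAA, CNAME and PTR answers apart and deduplicates.
# Assumes host(1) for live use; DOMAIN, prefix and range are placeholders.
set -eu

# Turn host(1) output into "query<TAB>type<TAB>value" lines; PTR answers are
# reported under the dotted-quad IP instead of the in-addr.arpa name.
parse_host_output() {
  awk '
    $2 == "has" && $3 == "address"    { print $1 "\tA\t" $4 }
    $2 == "has" && $3 == "IPv6"       { print $1 "\tAAAA\t" $5 }
    $2 == "is"  && $4 == "alias"      { sub(/\.$/, "", $6); print $1 "\tCNAME\t" $6 }
    $2 == "domain" && $4 == "pointer" {
      split($1, o, "."); sub(/\.$/, "", $5)
      print o[4] "." o[3] "." o[2] "." o[1] "\tPTR\t" $5
    }'
}
# Unique IPv4 addresses from parsed records (the slides' "clean list of IPs").
unique_ipv4() {
  awk -F'\t' '$2 == "A" { print $3 }' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}
# Forward brute force: resolve every label read from stdin (names.txt) under $1.
forward_bruteforce() {
  local domain=$1 name
  while read -r name; do
    [ -n "$name" ] && host "$name.$domain" 2>/dev/null || true
  done | parse_host_output
}
# Reverse sweep: PTR query for $1.$2 .. $1.$3, e.g. 216.200.241 64 79.
reverse_sweep() {
  local prefix=$1 i
  for ((i = $2; i <= $3; i++)); do host "$prefix.$i" 2>/dev/null || true; done | parse_host_output
}

# Constructed sample of host(1) output so the parser can run without network.
SAMPLE_HOST_OUTPUT='www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2001:db8::66
Host vpn.checkpoint.com not found: 3(NXDOMAIN)
mail.checkpoint.com is an alias for smtp.checkpoint.com.
smtp.checkpoint.com has address 216.200.241.70
69.241.200.216.in-addr.arpa domain name pointer gould.us.checkpoint.com.'

if [ -n "${DOMAIN:-}" ]; then   # live: DOMAIN=example.test ./recon.sh < names.txt
  forward_bruteforce "$DOMAIN" | unique_ipv4
else                            # offline demo on the constructed sample
  printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output
fi
```

A live reverse sweep of the slide's block is `reverse_sweep 216.200.241 64 79`; the NXDOMAIN line in the sample shows that unresolved names simply produce no record.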

DNS Zone Transfers

Basically, a zone transfer can be compared to a "database replication" act between related DNS servers. Changes to zone files are usually made on the primary DNS server and are then replicated by a zone transfer request to the secondary server.

Zone transfer issues

Unfortunately, many administrators misconfigure their DNS servers and, as a result, anyone asking for a copy of the DNS server zone will receive one.

This is equivalent to handing the corporate network layout to the hacker on a silver platter. All the names, addresses (and often functionality) of the servers are exposed to prying eyes.

Attempt Zone transfer

We can use the host or dig command in Linux for zone transfers:

    host -l <domain> <DNS server name>

Let's look at the host info of checkpoint.com:

    BT ~ # host -t ns checkpoint.com
    checkpoint.com name server ns4.checkpoint.com.
    checkpoint.com name server ns1.checkpoint.com.

Zone transfer

Now that we have the DNS server addresses, we can try performing the zone transfer.

    BT ~ # host -l checkpoint.com ns1.checkpoint.com
    Using domain server:
    Name: ns1.checkpoint.com
    Address: 194.29.32.197#53
    Aliases:

    Host checkpoint.com not found: 5(REFUSED)
    ; Transfer failed.
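The same host -l check, turned into an audit an administrator can run against their own zone, as an added example that is not from the slides: every server in the zone's NS set gets a transfer attempt and a verdict, so a misconfigured secondary shows up as ALLOWED with a record count. ZONE is a placeholder and both transcripts are constructed; the REFUSED one mirrors the output above, the ALLOWED one uses a fictitious zone.

```shell
#!/usr/bin/env bash
# Added example, not from the slides: check whether each authoritative nameserver
# of a zone hands out AXFR to an arbitrary client, the misconfiguration described
# above. Uses host(1) like the slides; ZONE is a placeholder, transcripts constructed.
set -eu

# Classify one "host -l <zone> <ns>" transcript as ALLOWED (records came
# back), REFUSED (5(REFUSED) / "Transfer failed.") or ERROR (anything else).
classify_axfr() {
  if printf '%s\n' "$1" | grep -qE 'has address|name server|mail is handled'; then
    echo ALLOWED
  elif printf '%s\n' "$1" | grep -qE 'REFUSED|Transfer failed'; then
    echo REFUSED
  else
    echo ERROR
  fi
}
# Number of resource records exposed by a transcript (0 when refused).
count_records() {
  printf '%s\n' "$1" | grep -cE 'has (IPv6 )?address|name server|mail is handled|is an alias' || true
}
# Look up the zone's NS set, attempt a transfer against each, print a verdict per server.
audit_zone() {
  local zone=$1 ns out
  for ns in $(host -t ns "$zone" | awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'); do
    out=$(host -l "$zone" "$ns" 2>&1 || true)
    printf '%-28s %-8s %s records\n' "$ns" "$(classify_axfr "$out")" "$(count_records "$out")"
  done
}

# Constructed transcripts: the refusal shown on the slide above, and what a
# misconfigured server for a fictitious zone would return instead.
SAMPLE_REFUSED='Using domain server:
Name: ns1.checkpoint.com
Address: 194.29.32.197#53
Aliases:

Host checkpoint.com not found: 5(REFUSED)
; Transfer failed.'
SAMPLE_ALLOWED='example.test name server ns1.example.test.
example.test mail is handled by 10 mail.example.test.
www.example.test has address 192.0.2.10
vpn.example.test has address 192.0.2.20'
if [ -n "${ZONE:-}" ]; then   # live run against your own zone: ZONE=example.test ./axfr-audit.sh
  audit_zone "$ZONE"
else                          # offline demo on the constructed transcripts
  echo "refused sample: $(classify_axfr "$SAMPLE_REFUSED"), $(count_records "$SAMPLE_REFUSED") records"
  echo "allowed sample: $(classify_axfr "$SAMPLE_ALLOWED"), $(count_records "$SAMPLE_ALLOWED") records"
fi
```

Any server reported ALLOWED should have its transfer ACL restricted to the real secondaries; a REFUSED verdict, as in the transcript above, is the expected state.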

Successful Zone transfer

DNS Enumeration

There are some specialized tools in BackTrack for DNS enumeration. The most prominent of them is dnsenum.pl, which incorporates all three mentioned DNS reconnaissance techniques into one tool.

    BT ~ # cd /pentest/enumeration/dnsenum/
    BT dnsenum # ./dnsenum.pl
    Usage: perl dnsenum.pl <DOMAINNAME> <dns.txt>

Questions?

Thank You!!