Footprinting a Company

snortfearServers

Dec 4, 2013

Footprinting


midwestairlines.com

For this lab I decided to do the footprinting on my employer, Midwest Airlines. I started by going to www.dnsstuff.com and doing a whois lookup for www.midwestairlines.com. This returned the following information:

Domain Name: MIDWESTAIRLINES.COM

Registrant: Midwest Airlines
    6744 S Howell Ave
    HQ-10
    Oak Creek, WI 53154
    US

Administrative Contact:
    Midwest Airlines
    bill.karnowski@midwestairlines.com
    6744 S Howell Ave
    HQ-10
    Oak Creek, WI 53154
    US
    Phone: 414-570-4202
    Fax: 414-570-0631

Record expires on 11-Jul-2008
Record created on 11-Jul-2002
Database last updated on 10-Oct-2006

Domain servers in listed order:
    NS1.DATARETURN.COM    64.29.222.38
    NS2.DATARETURN.COM    208.39.44.68

With the Reverse IP/Domain Search tool, located at http://www.seologs.com/ip-domains.html, I checked the main web site (www.midwestairlines.com) and got the following information:

www.midwestairlines.com has address 216.178.158.24

Found 5 websites with the IP 216.178.158.24
1) midwest-express.com
2) midwestairlines.com
3) midwestexpress.com
4) www1.midwestexpress.com
5) www2.midwestexpress.com

I looked up the domain for midwest-express.com and found it has the same registrant information at Network Solutions.

The next thing I did was use Sam Spade (for Windows) to do a dig on each of these domains, and here is what I got in return:

Dig midwestairlines.com@ns2.datareturn.com (208.39.44.68) ...
Authoritative Answer
Query for midwestairlines.com type=255 class=1
midwestairlines.com SOA (Zone of Authority)
    Primary NS: ns1.datareturn.com
    Responsible person: hostmaster@datareturn.com
    serial:2007033002
    refresh:900s (15 minutes)
    retry:600s (10 minutes)
    expire:86400s (24 hours)
    minimum-ttl:3600s (60 minutes)
midwestairlines.com A (Address) 216.178.158.24
midwestairlines.com NS (Nameserver) ns2.datareturn.com
midwestairlines.com NS (Nameserver) ns1.datareturn.com
midwestairlines.com MX (Mail Exchanger) Priority: 1000 mail2.midwestairlines.com
midwestairlines.com MX (Mail Exchanger) Priority: 10 mail.midwestairlines.com
ns1.datareturn.com A (Address) 64.29.222.38
ns2.datareturn.com A (Address) 208.39.44.68
mail.midwestairlines.com A (Address) 12.145.174.217
mail2.midwestairlines.com A (Address) 12.145.174.202

next …

Dig MIDWEST-EXPRESS.COM@dbru.br.ns.els-gms.att.net (199.191.128.106) ...
Authoritative Answer
Query for MIDWEST-EXPRESS.COM type=255 class=1
MIDWEST-EXPRESS.COM NS (Nameserver) dmtu.mt.ns.els-gms.att.net
MIDWEST-EXPRESS.COM NS (Nameserver) dbru.br.ns.els-gms.att.net
MIDWEST-EXPRESS.COM SOA (Zone of Authority)
    Primary NS: dbru.br.ns.els-gms.att.net
    Responsible person: rm-hostmaster@ems.att.com
    serial:5
    refresh:86400s (24 hours)
    retry:10000s (20 hours)
    expire:604800s (7 days)
    minimum-ttl:86400s (24 hours)
MIDWEST-EXPRESS.COM A (Address) 12.145.174.196
MIDWEST-EXPRESS.COM MX (Mail Exchanger) Priority: 5 smtp.MIDWEST-EXPRESS.COM
MIDWEST-EXPRESS.COM NS (Nameserver) dmtu.mt.ns.els-gms.att.net
MIDWEST-EXPRESS.COM NS (Nameserver) dbru.br.ns.els-gms.att.net
dmtu.mt.ns.els-gms.att.net A (Address) 12.127.16.70
dbru.br.ns.els-gms.att.net A (Address) 199.191.128.106
smtp.MIDWEST-EXPRESS.COM A (Address) 12.145.174.217

From this information we see that the two listed domains are hosted, and have their DNS service provided, by different companies. The first appears to be hosted by Data Return and the second by AT&T. Data Return lists two mail exchangers and AT&T lists only one; the one listed by AT&T is the same host as the highest-priority MX listed by Data Return. Out of curiosity I used DNSstuff to do an A record lookup on www.midwest-express.com and found:

One or more CNAMEs were encountered. www.midwest-express.com is really midwestexpress.com.
[www.midwest-express.com -> www.midwestexpress.com -> midwestexpress.com]

All of the websites returned by the seologs tool used CNAME records to point to midwestairlines.com, with the exception of midwestexpress.com, but that has the same IP address as midwestairlines.com. Maybe this indicates the presence of some kind of load balancing.
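As an added example (not part of the original lab write-up), the following Python script parses Sam Spade style dig records into a zone summary, picks the mail exchanger that senders will try first (lowest preference value), checks that every name server in the answer came back with an A record (glue), flags questionable SOA timers, and follows a CNAME chain to its canonical name while refusing loops. The record lines and the CNAME map are constructed from the output above; the timer thresholds in soa_warnings are the script's own defaults, based on the RFC 1912 guidance of a 2-4 week expire.

```python
import re

# Constructed sample, shaped like the Sam Spade "Dig" records shown in the report.
DIG_OUTPUT = """\
Query for midwestairlines.com type=255 class=1
midwestairlines.com SOA (Zone of Authority)
Primary NS: ns1.datareturn.com
Responsible person: hostmaster@datareturn.com
serial:2007033002
refresh:900s (15 minutes)
retry:600s (10 minutes)
expire:86400s (24 hours)
minimum-ttl:3600s (60 minutes)
midwestairlines.com A (Address) 216.178.158.24
midwestairlines.com NS (Nameserver) ns2.datareturn.com
midwestairlines.com NS (Nameserver) ns1.datareturn.com
midwestairlines.com MX (Mail Exchanger) Priority: 1000 mail2.midwestairlines.com
midwestairlines.com MX (Mail Exchanger) Priority: 10 mail.midwestairlines.com
ns1.datareturn.com A (Address) 64.29.222.38
ns2.datareturn.com A (Address) 208.39.44.68
mail.midwestairlines.com A (Address) 12.145.174.217
mail2.midwestairlines.com A (Address) 12.145.174.202
"""

# Constructed CNAME map reproducing the chain DNSstuff reported for www.midwest-express.com.
CNAMES = {
    "www.midwest-express.com": "www.midwestexpress.com",
    "www.midwestexpress.com": "midwestexpress.com",
}

SOA_FIELD = re.compile(r"^(serial|refresh|retry|expire|minimum-ttl):(\d+)")


def parse_dig(text):
    """Turn Sam Spade style record lines into SOA fields plus A, NS, MX and CNAME records."""
    zone = {"soa": {}, "a": {}, "ns": [], "mx": [], "cname": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = SOA_FIELD.match(line)
        if m:
            zone["soa"][m.group(1)] = int(m.group(2))
            continue
        if line.startswith("Primary NS:"):
            zone["soa"]["primary_ns"] = line.split(":", 1)[1].strip().lower()
            continue
        if line.startswith("Responsible person:"):
            zone["soa"]["rname"] = line.split(":", 1)[1].strip().lower()
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        owner, rtype = parts[0].lower(), parts[1]
        if rtype == "A":
            zone["a"][owner] = parts[-1]
        elif rtype == "NS":
            zone["ns"].append(parts[-1].lower())
        elif rtype == "MX":
            # "... Priority: 1000 mail2.example.com": the number before the host is the preference
            zone["mx"].append((int(parts[-2]), parts[-1].lower()))
        elif rtype == "CNAME":
            zone["cname"][owner] = parts[-1].lower()
    zone["mx"].sort()  # lowest preference value is tried first (RFC 5321)
    return zone


def preferred_mx(zone):
    """Return (host, address) for the mail exchanger that senders try first."""
    _, host = zone["mx"][0]
    return host, zone["a"].get(host)


def missing_glue(zone):
    """Name servers in the answer that came back without an A record."""
    return sorted(ns for ns in set(zone["ns"]) if ns not in zone["a"])


def soa_warnings(soa):
    """Sanity checks on SOA timers; RFC 1912 suggests an expire of 2-4 weeks."""
    warnings = []
    if soa.get("expire", 0) < 7 * 24 * 3600:
        warnings.append("expire under one week: secondaries stop answering soon after losing the primary")
    if soa.get("retry", 0) >= soa.get("refresh", 1):
        warnings.append("retry is not shorter than refresh")
    return warnings


def resolve_cname_chain(cnames, name, max_hops=8):
    """Follow CNAME records to the canonical name, refusing loops and runaway chains."""
    chain = [name.lower()]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    z = parse_dig(DIG_OUTPUT)
    print("preferred MX:", preferred_mx(z))
    print("NS without glue:", missing_glue(z))
    print("SOA warnings:", soa_warnings(z["soa"]))
    print("CNAME chain:", " -> ".join(resolve_cname_chain(CNAMES, "www.midwest-express.com")))
```

Run against the Data Return zone above, the script reports mail.midwestairlines.com (12.145.174.217) as the preferred exchanger, no missing glue, and one timer warning for the 24-hour expire; the CNAME walk reproduces the three-step chain DNSstuff printed.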

The next tool I used was the Netcraft "What's that site running?" tool. This reports uptime and web server and operating system history. Here are the results:

OS, Web Server and Hosting History for www.MidwestAirlines.com

http://www.MidwestAirlines.com was running Microsoft-IIS on Windows Server 2003 when last queried at 6-Apr-2007 02:13:25 GMT

OS                   Server             Last changed  IP address       Netblock Owner
Windows Server 2003  Microsoft-IIS/6.0  6-Apr-2007    216.178.158.24   Data Return
Windows Server 2003  Microsoft-IIS/6.0  7-Dec-2006    216.173.233.203  11830 Webb Chapel Road
Windows Server 2003  Microsoft-IIS/6.0  3-Sep-2006    216.173.233.203  11830 Webb Chapel Road
Windows Server 2003  Microsoft-IIS/6.0  4-Jun-2006    216.173.233.203  11830 Webb Chapel Road
Windows Server 2003  Microsoft-IIS/6.0  13-Jul-2004   216.173.233.203  11830 Webb Chapel Road
Windows Server 2003  Microsoft-IIS/6.0  15-Nov-2003   216.173.233.203  Internet Services
BSD/OS               Apache/1.2.6       9-Jul-2001    192.41.13.63     Icon Developments

No uptime is currently available for www.MidwestAirlines.com

This can allow the penetration tester to look for known vulnerabilities in the operating system and/or web server.

Next I used Netcat to check the web server to see if I could get banner information. Here is the result of that:

C:\Documents and Settings\Jeff>nc -v www.midwestairlines.com 80
midwestairlines.com [216.178.158.24] 80 (http) open
HEAD / HTTP/1.1
Host: www.midwestairlines.com

HTTP/1.1 302 Object moved
Date: Sun, 08 Apr 2007 19:09:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.midwestairlines.com/MAWeb/
Content-Length: 158
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCBCCCQC=GMCAOJEADFDAJPEDCFLACFCN; path=/
Cache-control: private

This shows that they are running ASP.NET, which could open further avenues of attack. Paros Proxy returned the version of ASP.NET running, which could be even more helpful:

HTTP/1.1 200 OK
Date: Sun, 08 Apr 2007 15:32:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=yxbf2cfssy3qk455mal14irg; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44527
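The headers above are exactly what a server operator should be auditing on their own side. As an added example (not code from the lab or from any of the tools it mentions), the Python script below parses a raw HTTP/1.x response, flags every header that discloses platform or version information, and checks the session cookie for the HttpOnly and Secure attributes. The response text is constructed from the Paros capture above, with the session id replaced by a placeholder; the header list in FINGERPRINT_HEADERS is the script's own.

```python
# Constructed response using the header names and values from the Paros capture in the report
# (the session id value is a placeholder, not the captured one).
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 08 Apr 2007 15:32:34 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Set-Cookie: ASP.NET_SessionId=PLACEHOLDERSESSIONID; path=/\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 44527\r\n"
    "\r\n"
    "<html></html>"
)

# Response headers that hand out platform and version information for free.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []  # keep a list so repeated Set-Cookie headers all survive
    for line in lines[1:]:
        name, _, value = line.partition(":")  # only the first colon separates name from value
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_headers(headers, over_tls=False):
    """Return the findings an operator would want to fix before an outsider reads them."""
    findings = []
    for name, value in headers:
        if name in FINGERPRINT_HEADERS:
            findings.append(f"version disclosure: {name}: {value}")
        elif name == "set-cookie":
            cookie = value.split(";")[0].split("=")[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
            # Secure only makes sense when the site is actually served over TLS
            if over_tls and "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure")
    return findings


def disclosed_versions(headers):
    """Just the strings an outsider learns from the fingerprinting headers."""
    return [value for name, value in headers if name in FINGERPRINT_HEADERS]


if __name__ == "__main__":
    status, hdrs, _ = parse_response(RAW_RESPONSE)
    print(status)
    print("disclosed:", disclosed_versions(hdrs))
    for finding in audit_headers(hdrs):
        print(" -", finding)
```

On the captured response this yields three version disclosures (Server, X-Powered-By, X-AspNet-Version) and a session cookie without HttpOnly. On the ASP.NET side, setting enableVersionHeader="false" on the httpRuntime element in web.config suppresses X-AspNet-Version, and on IIS 6 the URLScan filter's RemoveServerHeader option strips the Server header; X-Powered-By is a custom header that can be removed in the IIS configuration.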

Next I used Netcat to check the mail servers returned by dig:

C:\Documents and Settings\Jeff>nc -v mail.midwestairlines.com 25
DNS fwd/rev mismatch: mail.midwestairlines.com != smtp.midwest-express.com
mail.midwestairlines.com [12.145.174.217] 25 (smtp) open
220 ironport.midwestairlines.com ESMTP
help
214-The following commands are recognized
214- auth data ehlo euq_full
214- helo help mail noop
214 quit rcpt rset vrfy
vrfy smith
252 ok
quit
221 ironport.midwestairlines.com

C:\Documents and Settings\Jeff>nc -v mail2.midwestairlines.com 25
Warning: inverse host lookup failed for 12.145.174.202: h_errno 11004: NO_DATA
mail2.midwestairlines.com [12.145.174.202] 25 (smtp) open
220 ironport.midwestairlines.com ESMTP
help
214-The following commands are recognized
214- auth data ehlo euq_full
214- helo help mail noop
214 quit rcpt rset vrfy
vrfy jones
252 ok
quit
221 ironport.midwestairlines.com

Both servers seem to be running a mail system called IronPort (www.ironport.com), which appears to be a hardware appliance. The company is apparently being acquired by Cisco. The hostname given in the banner, ironport.midwestairlines.com, does not resolve to anything.
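One caveat the transcripts above do not spell out: a 252 reply to VRFY means, per RFC 5321, "cannot VRFY user, but will accept message and attempt delivery", so it neither confirms nor denies that smith or jones exist; only a 250 or 251 reply actually names a mailbox. The Python script below, an added example rather than anything from the lab, classifies each VRFY reply in a captured session by that rule, records the banner hostname, and collects the commands the HELP reply advertised, which is what a mail administrator would check when reviewing what their own gateway discloses. The transcript is constructed from the session against mail.midwestairlines.com shown above; the VRFY_VERDICTS table is the script's own reading of RFC 5321.

```python
import re

# Constructed transcript, shaped like the netcat session in the report
# ("help", then "vrfy smith", then "quit").
TRANSCRIPT = """\
220 ironport.midwestairlines.com ESMTP
help
214-The following commands are recognized
214- auth data ehlo euq_full
214- helo help mail noop
214 quit rcpt rset vrfy
vrfy smith
252 ok
quit
221 ironport.midwestairlines.com
"""

# A server reply is a three-digit code followed by "-" (more lines follow) or " " (last line).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# RFC 5321 section 3.5.3: what each VRFY reply code actually tells the client.
VRFY_VERDICTS = {
    250: "confirmed",       # mailbox exists and the server named it
    251: "confirmed",       # user not local, but the server will forward
    252: "noncommittal",    # cannot verify, will attempt delivery anyway: says nothing about the user
    502: "disabled",        # VRFY not implemented
    550: "rejected",        # no such user
    551: "rejected",
    553: "rejected",
}


def parse_session(text):
    """Separate client commands from server replies and summarise what the server disclosed."""
    summary = {"banner_host": None, "advertised": set(), "vrfy": []}
    pending_cmd = None  # the client command the next reply answers
    help_text = []
    for line in text.splitlines():
        m = REPLY.match(line)
        if not m:
            pending_cmd = line.strip()
            continue
        code, sep, rest = int(m.group(1)), m.group(2), m.group(3).strip()
        if code == 220 and summary["banner_host"] is None:
            summary["banner_host"] = rest.split()[0]
        elif code == 214:
            help_text.append(rest)
        elif pending_cmd and pending_cmd.lower().startswith("vrfy"):
            arg = pending_cmd.split(None, 1)[1] if " " in pending_cmd else ""
            summary["vrfy"].append((arg, code, VRFY_VERDICTS.get(code, "unknown")))
        if sep == " ":
            pending_cmd = None  # final line of this reply; the command has been answered
    # the HELP reply lists recognised commands after its first explanatory line
    for chunk in help_text[1:]:
        summary["advertised"].update(word.lower() for word in chunk.split())
    return summary


def vrfy_disclosed_users(summary):
    """Only 250/251 replies actually confirm a mailbox; a 252 does not."""
    return [arg for arg, _, verdict in summary["vrfy"] if verdict == "confirmed"]


if __name__ == "__main__":
    s = parse_session(TRANSCRIPT)
    print("banner host:", s["banner_host"])
    print("advertises VRFY:", "vrfy" in s["advertised"])
    for arg, code, verdict in s["vrfy"]:
        print(f"VRFY {arg}: {code} -> {verdict}")
    print("users actually confirmed:", vrfy_disclosed_users(s))
```

For the session above the script reports the banner host ironport.midwestairlines.com, that VRFY is advertised, and that "vrfy smith" got a noncommittal 252, so the list of confirmed users is empty; the ESMTP banner hostname and the HELP listing remain the only concrete disclosures.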

Next I used Netcat to query whois.arin.net and look for any matches for either @midwestairlines.com or @midwest-express.com. Here are the results:

C:\Documents and Settings\Jeff>nc -v whois.arin.net 43
DNS fwd/rev mismatch: whois.arin.net != host-252-44.arin.net
whois.arin.net [192.149.252.44] 43 (nicname) open
@midwestairlines.com
Adams, Timothy M (TMA122-ARIN) tim.adams@midwestairlines.com +1-414-570-4169
Yarmulnik, Alex (AYA17-ARIN) Alex.Yarmulnik@midwestairlines.com +1-414-570-3930

C:\Documents and Settings\Jeff>nc -v whois.arin.net 43
DNS fwd/rev mismatch: whois.arin.net != host-252-44.arin.net
whois.arin.net [192.149.252.44] 43 (nicname) open
@midwest-express.com

Name: Rosenberg, Julie
Handle: JRO34-ARIN
Company: MIDWEST EXPRESS AIRLINES, INC
Address: 6744 SOUTH HOWELL AVENUE HQ1
City: OAK CREEK
StateProv: WI
PostalCode: 53154
Country: US
Comment:
RegDate: 2003-03-22
Updated: 2003-03-22
Phone: +1-414-570-3975 (Office)
Email: jrosenbe@midwest-express.com

The top results can be further expanded to show:

C:\Documents and Settings\Jeff>nc -v whois.arin.net 43
DNS fwd/rev mismatch: whois.arin.net != host-252-44.arin.net
whois.arin.net [199.43.0.144] 43 (nicname) open
! TMA122-ARIN

Name: Adams, Timothy M
Handle: TMA122-ARIN
Company: Midwest Air Group, Inc
Address: 6744 South Howell Avenue
Address: Best Care Campus West HQ-10
City: Oak Creek
StateProv: WI
PostalCode: 53154
Country: US
Comment:
RegDate: 2006-09-06
Updated: 2006-09-06
Phone: +1-414-570-4169 (Office)
Phone: +1-414-788-9397 (Mobile)
Phone: +1-414-570-0631 (Fax)
Email: tim.adams@midwestairlines.com

C:\Documents and Settings\Jeff>nc whois.arin.net 43
! AYA17-ARIN

Name: Yarmulnik, Alex
Handle: AYA17-ARIN
Company: Midwest Air Group, Inc
Address: 6744 South Howell Avenue
Address: Best Care Campus West HQ-10
City: Oak Creek
StateProv: WI
PostalCode: 53154
Country: US
Comment:
RegDate: 2006-09-06
Updated: 2006-09-06
Phone: +1-414-570-3930 (Office)
Phone: +1-414-570-0631 (Fax)
Email: Alex.Yarmulnik@midwestairlines.com

So there we have potential contact info for the technical people for this domain. The next tool to try is Google.

Searching Google Groups for posts containing either @midwestairlines.com or @midwest-express.com turned up a few results that are fairly old but possibly of interest:

From: linda.calabro@midwestairlines.com (LC Calabro)
Newsgroups: microsoft.public.sqlserver
Subject: Two-phase commit between SQL Server and Oracle
Date: 8 Sep 2003 12:23:13 -0700
NNTP-Posting-Host: 12.145.174.220 [airplane.midwest-express.com]
NNTP-Posting-Date: 8 Sep 2003 19:23:14 GMT

Any information on a 2PC for distributed transactions from SQL Server
to Oracle? What middleware is used? Any bugs, limitations,
observations, would be helpful. Thank you.

From: "Gabilini" <gabi.conklin@midwestairlines.com>
Newsgroups: comp.dcom.sys.nortel
Subject: Adding caller ID to DID lines in MICS 1.1
Date: 16 Aug 2006 13:01:32 -0700
NNTP-Posting-Host: 12.145.174.220 [airplane.midwest-express.com]
NNTP-Posting-Date: Wed, 16 Aug 2006 20:01:38 +0000 (UTC)
X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727),gzip(gfe),gzip(gfe)

I have a Norstar MICS 1.1 phone system with 4 DID lines (DID
cartridge). Request to add incoming Caller ID to all station sets.
What do I need to purchase as far as equipment and how do I program
this?

From: "Jeff" <jhussing@midwest-express.com>
Subject: Disabling preview pane in folder options
Date: Tue, 25 Sep 2001 10:52:11 -0700
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Newsgroups: microsoft.public.windowsnt.registry
NNTP-Posting-Host: TKMSFTNGXA08 10.201.226.36
Path: --- [end cut, interesting beginning left intact] --- !tkmsftngp01!cpmsftngxa10!cpmsftngxa09

After getting hit with the NIMDA virus last week, we were
told we needed to disable the preview pane in folder
options on our NT 4.0 servers for ALL users and that this
would require a registry hack. Anybody know or heard of
anything like this?

We can see from the NNTP-Posting-Host header some information on the hosts used to post these questions. The last one, I believe, even shows internal computer names.

Seeing the host that was used for posting, I was curious about the IP address, so I used DNSstuff to do an IP whois lookup. The results showed the larger block being owned by AT&T, with a smaller block allocated to Midwest Express Airlines:

WHOIS results for !NET-12-145-174-192-1

OrgName: MIDWEST EXPRESS AIRLINES, INC
OrgID: MEA-23
Address: 6744 SOUTH HOWELL AVENUE HQ1
City: OAK CREEK
StateProv: WI
PostalCode: 53154
Country: US

NetRange: 12.145.174.192 - 12.145.174.223
CIDR: 12.145.174.192/27
NetName: MIDWEST-26-174-192
NetHandle: NET-12-145-174-192-1
Parent: NET-12-0-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-03-22
Updated: 2003-03-22

OrgTechHandle: JRO34-ARIN
OrgTechName: Rosenberg, Julie
OrgTechPhone: +1-414-570-3975
OrgTechEmail: jrosenbe@midwest-express.com

Using Nmap to do a quick ping scan on this range, I see the following information on which hosts are up and which resolve to a DNS name; these could all be probed further:

C:\Documents and Settings\Jeff>nmap -sP 12.145.174.192/27

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-08 12:29 Central Daylight Time
Host 12.145.174.193 appears to be up.
Host 12.145.174.194 appears to be up.
Host midwest-express.com (12.145.174.196) appears to be up.
Host 12.145.174.199 appears to be up.
Host 12.145.174.202 appears to be up.
Host 12.145.174.203 appears to be up.
Host 12.145.174.204 appears to be up.
Host 12.145.174.210 appears to be up.
Host 12.145.174.211 appears to be up.
Host 12.145.174.213 appears to be up.
Host 12.145.174.214 appears to be up.
Host 12.145.174.218 appears to be up.
Host 12.145.174.219 appears to be up.
Host airplane.midwest-express.com (12.145.174.220) appears to be up.
Host aero6.midwest-express.com (12.145.174.221) appears to be up.
Host 12.145.174.222 appears to be up.
Nmap finished: 32 IP addresses (16 hosts up) scanned in 7.047 seconds
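A ping sweep only shows what answers ICMP, so it needs reconciling with what the registry and DNS already said about the block. As an added example (not from the lab), the Python script below converts the ARIN NetRange into CIDR form and checks it against the CIDR line, parses the Nmap -sP output for the hosts that answered and their reverse names, confirms every responder lies inside the allocation, and then lists the hosts that dig already tied to this block but which did not answer the sweep. The Nmap text and the DNS_KNOWN map are constructed from the output and dig records on this page; the function names are the script's own.

```python
import ipaddress
import re

# Values copied from the ARIN record shown in the report.
ARIN_NETRANGE = "12.145.174.192 - 12.145.174.223"
ARIN_CIDR = "12.145.174.192/27"

# Hosts the dig output tied to addresses in this block (from the report).
DNS_KNOWN = {
    "midwest-express.com": "12.145.174.196",
    "mail.midwestairlines.com": "12.145.174.217",
    "mail2.midwestairlines.com": "12.145.174.202",
}

# Constructed copy of the Nmap 4.20 ping-scan output shown in the report.
NMAP_OUTPUT = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-08 12:29 Central Daylight Time
Host 12.145.174.193 appears to be up.
Host 12.145.174.194 appears to be up.
Host midwest-express.com (12.145.174.196) appears to be up.
Host 12.145.174.199 appears to be up.
Host 12.145.174.202 appears to be up.
Host 12.145.174.203 appears to be up.
Host 12.145.174.204 appears to be up.
Host 12.145.174.210 appears to be up.
Host 12.145.174.211 appears to be up.
Host 12.145.174.213 appears to be up.
Host 12.145.174.214 appears to be up.
Host 12.145.174.218 appears to be up.
Host 12.145.174.219 appears to be up.
Host airplane.midwest-express.com (12.145.174.220) appears to be up.
Host aero6.midwest-express.com (12.145.174.221) appears to be up.
Host 12.145.174.222 appears to be up.
Nmap finished: 32 IP addresses (16 hosts up) scanned in 7.047 seconds
"""

# "Host 1.2.3.4 appears to be up." or "Host name (1.2.3.4) appears to be up."
HOST_LINE = re.compile(r"^Host (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)? appears to be up\.$")
TOTAL_LINE = re.compile(r"^Nmap finished: (\d+) IP addresses \((\d+) hosts up\)")


def netrange_to_cidrs(netrange):
    """Convert an ARIN 'first - last' NetRange into the CIDR blocks that cover it exactly."""
    first, last = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def parse_ping_scan(text):
    """Return ({ip: reverse_name_or_None}, addresses_scanned, hosts_up) from -sP output."""
    up, scanned, reported_up = {}, None, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            up[m.group(2)] = m.group(1)
            continue
        m = TOTAL_LINE.match(line)
        if m:
            scanned, reported_up = int(m.group(1)), int(m.group(2))
    return up, scanned, reported_up


def reconcile(cidr, up, known):
    """Cross-check the sweep against the allocation and against hosts DNS already named."""
    net = ipaddress.ip_network(cidr)
    outside = sorted(ip for ip in up if ipaddress.ip_address(ip) not in net)
    silent = {h: ip for h, ip in known.items() if ip not in up and ipaddress.ip_address(ip) in net}
    return {"block_size": net.num_addresses, "outside_block": outside, "named_but_silent": silent}


if __name__ == "__main__":
    print("NetRange as CIDR:", netrange_to_cidrs(ARIN_NETRANGE))
    hosts, scanned, n_up = parse_ping_scan(NMAP_OUTPUT)
    print(f"{n_up}/{scanned} addresses responded; parsed {len(hosts)} host lines")
    print(reconcile(ARIN_CIDR, hosts, DNS_KNOWN))
```

On this data the NetRange collapses to the single /27 ARIN lists, all 16 responders fall inside it, and mail.midwestairlines.com (12.145.174.217) comes out as named-but-silent: the MX that dig and the SMTP banner grab both proved live, but which the sweep alone would have missed.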

We have gathered a lot of information so far just by using DNS information and doing a bit of Google searching. I even managed to find a complete EDGAR filing for free. The main site, www.edgar-online.com, wants to charge for SEC filings, but I happened to find the Yahoo-branded version, yahoo.brand.edgar-online.com, which allows you to view some filings free.

Summary

- The web server for midwestairlines.com at IP address 64.129.249.9 is near Irving, TX. Traceroute to this address shows no firewall or router dropping packets before it.

- The mail exchange at 12.145.174.217 (mail.midwestairlines.com, smtp.MIDWEST-EXPRESS.COM) is probably near Oak Creek, WI, but cannot be reached via traceroute; it is blocked at 12.145.174.220 (airplane.midwest-express.com).

- The mail exchange at 12.145.174.202 (mail2.midwestairlines.com) is probably near Oak Creek, WI. It can be reached by traceroute, but the last hop before it is 12.145.174.220 (airplane.midwest-express.com), which is probably a firewall of some sort.

- Email addresses of note are:
  o bill.karnowski@midwestairlines.com
  o tim.adams@midwestairlines.com
  o Alex.Yarmulnik@midwestairlines.com
  o linda.calabro@midwestairlines.com
  o gabi.conklin@midwestairlines.com
  o jhussing@midwest-express.com
  o jrosenbe@midwest-express.com

- Phone numbers of note are:
  o 414-570-0631 (Fax)
  o 414-570-3930 (Office)
  o 414-570-4169 (Office)
  o 414-570-3975 (Office)
  o 414-570-4202 (Office)
  o 414-788-9397 (Mobile)

- Phone line info: DID (Direct Inward Dial) telephone lines, Norstar Modular Integrated Communications System (MICS)

- Server and software info: Windows Server 2003, Microsoft-IIS/6.0, AspNet-Version: 1.1.4322, IronPort.

- Possible software in use: SQL Server, Oracle, Outlook/OE Express, Windows NT 4.0

- Interesting other IP addresses: There are 16 IP addresses in the range 12.145.174.192/27 that respond to pings, plus we know that the MX at 12.145.174.217 is live there even though it does not respond to pings.

This footprinting session has provided much information that we can use to move on to the next phase of a penetration test, enumeration. I am not going to be doing any enumeration on these hosts, as I am sure I would get in trouble for it, but the information is there.