|By David Dodd||
|January 9, 2012 04:00 AM EST||
The purpose of this article is to describe some tools and techniques in performing the planning, scoping, and recon portion of a penetration test. In covering these tools and techniques the reader will learn how to use them to find vulnerabilities in their organization and help improve security posture. Some other names for this first phase of penetration testing are; OSINT (Open Source Intelligence), Footprinting, Discovery, and Cyberstalking.
During reconnaissance we'll gather information from public sources to learn about the target and try to find what is important to the target. How they do business, technical infrastructure, architecture, products, and configuration information. These actions may seem harmless at the time and may be overlooked by security administrators as "network noise", but don't count on it. A target with well funded resources may have people looking for such attacks knowing they can lead to subsequent access or DoS attacks. Social Engineering, which is the act of manipulating people into performing actions in divulging confidential information or to trick people to do things that are beneficial to the user, may become prevalent at this stage. But if pulled off successfully the target may not know till its too late. A disgruntled employee may have knowledge of your network infrastructure, user names & passwords, and web vulnerabilities. As a CIO you want to keep attackers from finding this information and using it against you.
nslookup maps domain names to IP addresses
(usage) $ nslookup pbnetworks.net
Dig is a service to look up information in the DNS (query a specific DNS server)
(usage) $ dig pbnetworks.net any
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50342
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pbnetworks.net. IN ANY
;; ANSWER SECTION:
pbnetworks.net. 3600 IN SOA dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181
pbnetworks.net. 3600 IN A 18.104.22.168
pbnetworks.net. 3600 IN MX 10 mxin.name-services.com.
pbnetworks.net. 3600 IN NS dns3.name-services.com.
pbnetworks.net. 3600 IN NS dns1.name-services.com.
pbnetworks.net. 3600 IN NS dns2.name-services.com.
pbnetworks.net. 3600 IN NS dns5.name-services.com.
pbnetworks.net. 3600 IN NS dns4.name-services.com.
;; Query time: 83 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Wed Jul 27 15:24:20 2011
;; MSG SIZE rcvd: 222
whois look up and find Internet domain registration data
(usage) $ whois pbnetworks.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: PBNETWORKS.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Updated Date: 23-jan-2009
Creation Date: 09-oct-2000
Expiration Date: 09-oct-2012
zonetransfer mechanism for replicating DNS data across DNS servers
(usage) $ dig pbnetworks.net axfr
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net axfr
;; global options: +cmd
;; connection timed out; no servers could be reached
NOTE: This command requires a zone transfer which the server may disallow.
dnsrecon standard record enumeration for a given domain available by darkoperator
(usage) # ./dnsrecon.rb -t std -d packetstormsecurity.org
fierce queries DNS server of target and attemps to dump the SOA records
(usage) $ ./fierce.pl -dns <target> -wide -file output.txt
This is interesting to run on a larger organizations that have vast networks.
nmap -sL perform a reverse DNS lookup on every IP address in the scan & send over the network and query the DNS server each time an IP address is listed.
(usage) # nmap -sL -oG - -iR 4
traceroute sends packets to destination by increasing the TTL value of each successive set of packets sent. Unix-like systems use UDP by default (Layer 4) & Windows (Layer 3) uses ICMP.
(usage) tracert pbnetworks.net (Windows) traceroute pbnetworks.net (UNIX)
The above DNS tools will likely identify numerous systems that are directly and indirectly associated with the target. You may identify many systems that are out of scope of your initial target and you must verify their inclusion in or exclusion from your target scope. When querying DNS servers you get some interesting information indicating which machines are mail servers, intranet, etc. Here is a list of DNS record types:
NS: Nameserver record
A: Address record
HINFO: Host Information record
MX: Mail Exchange record
TXT: Text record
CNAME: Canonical Name record
SOA: Start of Authority record
RP: Responsible Person record
PTR: Point of inverse lookups record
SRV: Service location record
Two great tools that are useful for enumerating targets thru DNS service are dnsrecon & fierce. Dnsrecon written by Carlos Perez provides different methods for enumerating targets such as query for SOA, top level domain, perform zone transfer, reverse record lookup, service record enumeration, and bruteforce subdomain and host records with wordlist. Fierce written by RSnake queries your DNS for DNS servers of the target. If it finds anything it will scan up and down looking for anything else with the same domain name in it using reverse lookups. There is a search option that allows you to find non-related domain names (Figure #1) $ ./fierce.pl -dns <target> -search searchoption1,searchoption2 (Where searchoption1 & 2 are different names that the target goes by such as acme.com and acmecompany.com) Fierce has wordlist support so that you can supply your own dictionary using the -wordlist key (Figure #2) $ ./fierce.pl -dns <target> -wordlist dicfile.txt -file target.txt. This was helpful with the site listed since I don't read Korean.
Information tools on the Internet
Instead of using built-in tools like traceroute, dig, etc you can use various websites that resolve domain names. The list below offers a variety of free services in simple web form which you can type information and get responses. Some sites offer more for an additional monthly or annual fee such as better performance, unlimited searches etc.
Whois, traceroute, IP information and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Domain-based research services
Public Information regarding Internet Domain name registration services
The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
Europe, Middle East, Central Asia
Asia and Pacific region
Latin America and Caribbean
Providing research data and analysis on many aspects of the Internet.
Searching for metadata
Metadata is data about data that resides on documents such as e-mail, spreadsheet, or other electronic document. This type of information became popular when it was used to catch the 30-year-old case involving the Wichita, Kansas BTK killer. Metadata is information about a document such as who created a file, the date it was crated and when it was last modified. The amount of metadata depends on the properties of the file type (Microsoft, Open Office, etc). We can use a tool to help us find this metadata off websites we are doing research on called metagoofil. Metagoofil is an information gathering tool designed for extracting metadata off public documents (pdf, doc, xls, ppt, odp, ods) available in the target websites. To install metagoofil on Ubuntu you will need libextractor installed on your distribution using the apt-get cmd: $ sudo apt-get install libextractor-plugins extract.
Next edit the metagoofil.py file and have the extcommand read as: extcommand='/usr/bin/extract'. The metagoofil.py file is executable but on some systems you may not be able to issue a $ ./metagoofil.py and will be required to issue $ python metagoofil.py. Once it is up and running you will see the metagoofil options and how it is used. You can issue the following commands to search a website for useful documents (see Figure #3) $ python metagoofil.py -d warnerbros.com -f all -l 50 -o warnerbros.html -t deadfile. The -d specifies the website to search, -f specifies the file type which I selected all, -l specifies the limit the results to 50, -o specifies the output in this case html, and -t specifies the target directory to download the files. Now let's open up a web browser and look at the results of the warnerbros.html file. (see Figure #4 & #5)
Now scroll through the html page and find all the important metadata from each file that was found during the scan. At the end of the document is a list of total authors found (potential users) along with path disclosure (see Figure #5).
Searching for email accounts, user accounts, and host names
A valuable tool for social engineering and intelligence gathering is theHarvester which will get e-mail accounts, user names and hostnames/subdomins from different public sources like search engines and PGP key servers. The sources supported are google, google profiles, bing, pgp, linkedin, and exalead, new features were added as of 03/04/2011 with the release of version 2.0 which include time delays between requests, XML results export, search a domain in all sources, and virtual host verifier. To issue a search use the following syntax: ./theHarvester.py -l 100 -b all -d target.com (see Figure #6)
You can redirect the output to a text file to read later. To utilize the bing feature you will need an API key otherwise you will get an error by issuing the all command. Open up vi or your favorite editor and edit the file ~/theHarvester-ng/discovery/bingsearch.py, look for the line that says: self.bingApi=" and enter your API number" and you are good to go.
Metasploit also has the ability to search for e-mail accounts using the gather option. This option in Metasploit is located in the auxiliary options just type search gather at the msf > prompt. (see Figure #7 & #8)
msf > use gather/search_email_collector
msf > set domain sempra.com
msf > run
This function is useful within metasploit but is not as powerful as using theHarvester. For instance metasploit use of the gather tool does not allow you to search for pgp accounts. It will search for emails in Google, Bing, and Yahoo.
Network Discovery with Paterva's Maltego
Paterva's Maltego is a general-purpose reconnaissance tool that runs on Windows, Linux, and Mac OS X. We will be discussing the version that runs on Linux. It is available in tow versions one community edition which is free and the commercial version. The differences are that the community version has a max of 12 results per transform, runs slower, and no updates till the next major version.
Maltego is built on the concept of transforms, taking one piece of information and performing a lookup to determine another piece of information. Maltego's transform will perform a DNS lookup and find the IP address. Then you can apply another transform to map the IP address to an organization's name via a netblock lookup.
Followed by a whois lookup on the org name and determine their public PGP key. Next you can map that key to the names of people who have signed the key to get names of more people. The issue that presents itself once you start this search is the vast amounts of information that is available. It is difficult for the human brain to see obscure links between seemingly unrelated data. It is easy to see commonalities between pieces of information when displayed graphically. This tool can graphically display the links between pieces of data.
- Groups of people (social networks)
- Web sites
Internet infrastructure such as:
- DNS names
- IP addresses
- Documents and files
To create a new graph use either the ctrl + T keyboard command or click on the (+) button next to the application icon. Once the graph is available you can add entities and run transforms to change those entities. The palette is available once you click on the manage tab and see it listed under windows which contains a default collection of entities.(see Figure #9) The palette is where you will find all the Maltego concepts (listed above) that you can drag onto the graph and edit then run transforms on.
Select a node from the palette and drag it onto the graph, to edit the value double click on the text. Left click on the node you want to select (should see a rectangle appear around it in yellow) and you will be give a list of transforms to run. All the transforms can be displayed and a selection made by clicking on a transform name. Transforms can also be grouped logically by the user into sets. At the top is the Maltego application button that provides access to additional functionality and resources. Maltego can easily load and save graphs that are saved with an .mtgx extension.
When you right click on the entity and get a list of transforms available you can choose any one of the associated transforms or apply all by choosing “All” transforms. This will take some time to complete and generate a lot of traffic. The info pulled back from various public sources is displayed hierarchically related to your initial data point and can be viewed several ways. (see Figure #10 & #11)
Shodan add-on for Maltego which requires Maltego version 3+ and a Shodan API key. This gives you 6 transforms; searchShodan, searchExploitDB, searchMetasploit, getHostProfile, searchShodanDomain, searchShodanNetblock. (see Figure #12)
SHODAN is a search engine that lets you find specific computers (router, servers, etc) using a variety of filters. The bulk of data is taken from 'banners', which are meta-data the server sends back to the client. This is information about the server software, what options the service supports, banner message or anything else that the client would like to know before interacting with the server. You can enter into your search input box the following: SCADA city:"San Diego" country:US and this will return SCADA systems that are running in San Diego. This can be very helpful in doing penetration tests for public utilities.
Useful Google Search Directives
Google is a useful tool you can use to find vulnerable systems in your target environments. At this years BlackHat Las Vegas 2011 conference researchers warn that "You can do a Google search with your Web browser and start operating [circuit] breakers, potentially,"Building, attacking and defending SCADA systems in the Age of Stuxnet." Among the results was one referencing a "RTU pump status" for a Remote terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password - "1234."
There are many search directives that you can use such as site, link, intitle, inurl, and the all directive. The "site:" directive allows an attacker to search for pages on just a single site or domain, narrowing down and focusing the search. The "link:" directive shows sites that link to a given web site. The "intitle:" allows you to search within a title text. The 'inurl:" directive lets us search for specific terms to be included in the URL of a given site. The "all" search directives that indicate we want pages only with all of the terms we use to search such as "allintext:", "allintitle:", and "allinurl:". There is a good book on the subject by Syngress called Google Hacking for Penetration Testers volume 2. A very good source to find many different search options is the GHDB hosted by Hackers for Charity a group that I do volunteer work for. There are a number of items to search for such as:
Advisories and Vulnerabilities (215 entries)
These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.
Error Messages (68 entries)
Really retarded error messages that say WAY too much!
Files containing juicy info (230 entries)
No usernames or passwords, but interesting stuff none the less.
Files containing passwords (135 entries)
PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!
Files containing usernames (15 entries)
These files contain usernames, but no passwords... Still, google finding usernames on a web site..
Footholds (21 entries)
Examples of queries that can help a hacker gain a foothold into a web server
Pages containing login portals (232 entries)
These are login pages for various services. Front door of a website's more sensitive functions.
Pages containing network or vulnerability data (59 entries)
These pages contain such things as firewall logs, honeypot logs, network information, IDS logs
sensitive Directories (61 entries)
Google's collection of web sites sharing sensitive directories files contained sensitive to uber-secret!
sensitive Online Shopping Info (9 entries)
Examples of queries that can reveal online shopping info like customer data, suppliers, creditcard #'s
Various Online Devices (201 entries)
This category contains things like printers, video cameras, and all sorts of cool things found on the web
Vulnerable Files (57 entries)
HUNDREDS of vulnerable files that Google can find on websites...
Vulnerable Servers (48 entries)
These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.
Web Server Detection (72 entries)
These links demonstrate Google's awesome ability to profile web servers..
You can use many of the search terms above to search for a specific site you are doing reconnaissance on. A couple of other tools that implement many of the search terms contained in the GHDB are SiteDigger, Wikto, and Gooscan. SiteDigger runs on windows and generates its searches from a user-provided domain and the contents of either the GHDB or Foundstone's own FSDB of Google searches to find flawed systems. SiteDigger is now maintained by McAfee. Wikto performs Google searches using the GHDB against one or more user provided domains and runs on windows. Wikto provides several features, including a scan of the target webs servers looking for well-known vulnerable scripts. Gooscan runs on Linux and does not require a Google API key. It formulates queries for Google's regular human interface web page, and scrapes the results it gets back. The use of this tool could violate Google's terms of service.
The information in this article will be useful in preparing for your penetration test engagements. The reconnaissance phase used in many penetration tests and ethical hacking projects purpose is to gather information that will act as a firm foundation that testers will leverage for the remainder of the testing project.
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2017 New York. The 20th Cloud Expo and 7th @ThingsExpo will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Internet to enable us all to im...
Dec. 9, 2016 12:30 AM EST Reads: 876
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Dec. 9, 2016 12:00 AM EST Reads: 685
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 8, 2016 09:45 PM EST Reads: 1,237
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
Dec. 8, 2016 09:15 PM EST Reads: 960
Complete Internet of Things (IoT) embedded device security is not just about the device but involves the entire product’s identity, data and control integrity, and services traversing the cloud. A device can no longer be looked at as an island; it is a part of a system. In fact, given the cross-domain interactions enabled by IoT it could be a part of many systems. Also, depending on where the device is deployed, for example, in the office building versus a factory floor or oil field, security ha...
Dec. 8, 2016 07:45 PM EST Reads: 331
Amazon has gradually rolled out parts of its IoT offerings in the last year, but these are just the tip of the iceberg. In addition to optimizing their back-end AWS offerings, Amazon is laying the ground work to be a major force in IoT – especially in the connected home and office. Amazon is extending its reach by building on its dominant Cloud IoT platform, its Dash Button strategy, recently announced Replenishment Services, the Echo/Alexa voice recognition control platform, the 6-7 strategic...
Dec. 8, 2016 07:15 PM EST Reads: 392
Everyone knows that truly innovative companies learn as they go along, pushing boundaries in response to market changes and demands. What's more of a mystery is how to balance innovation on a fresh platform built from scratch with the legacy tech stack, product suite and customers that continue to serve as the business' foundation. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, discussed why and how ReadyTalk diverted from healthy revenue and mor...
Dec. 8, 2016 05:45 PM EST Reads: 1,726
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
Dec. 8, 2016 05:00 PM EST Reads: 1,822
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
Dec. 8, 2016 04:45 PM EST Reads: 2,256
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Dec. 8, 2016 04:45 PM EST Reads: 1,851
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Dec. 8, 2016 04:15 PM EST Reads: 2,321
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
Dec. 8, 2016 03:30 PM EST Reads: 1,246
Unsecured IoT devices were used to launch crippling DDOS attacks in October 2016, targeting services such as Twitter, Spotify, and GitHub. Subsequent testimony to Congress about potential attacks on office buildings, schools, and hospitals raised the possibility for the IoT to harm and even kill people. What should be done? Does the government need to intervene? This panel at @ThingExpo New York brings together leading IoT and security experts to discuss this very serious topic.
Dec. 8, 2016 03:00 PM EST Reads: 536
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
Dec. 8, 2016 02:30 PM EST Reads: 945
"Dice has been around for the last 20 years. We have been helping tech professionals find new jobs and career opportunities," explained Manish Dixit, VP of Product and Engineering at Dice, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 8, 2016 02:15 PM EST Reads: 1,198
"ReadyTalk is an audio and web video conferencing provider. We've really come to embrace WebRTC as the platform for our future of technology," explained Dan Cunningham, CTO of ReadyTalk, in this SYS-CON.tv interview at WebRTC Summit at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 8, 2016 01:45 PM EST Reads: 800
"At ROHA we develop an app called Catcha. It was developed after we spent a year meeting with, talking to, interacting with senior citizens watching them use their smartphones and talking to them about how they use their smartphones so we could get to know their smartphone behavior," explained Dave Woods, Chief Innovation Officer at ROHA, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 8, 2016 01:45 PM EST Reads: 782
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
Dec. 8, 2016 12:45 PM EST Reads: 1,755
The many IoT deployments around the world are busy integrating smart devices and sensors into their enterprise IT infrastructures. Yet all of this technology – and there are an amazing number of choices – is of no use without the software to gather, communicate, and analyze the new data flows. Without software, there is no IT. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, Dave McCarthy, Director of Products at Bsquare Corporation; Alan Williamson, Principal...
Dec. 8, 2016 12:00 PM EST Reads: 544
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Dec. 8, 2016 11:30 AM EST Reads: 2,352