|By David Dodd||
|January 9, 2012 04:00 AM EST||
The purpose of this article is to describe some tools and techniques in performing the planning, scoping, and recon portion of a penetration test. In covering these tools and techniques the reader will learn how to use them to find vulnerabilities in their organization and help improve security posture. Some other names for this first phase of penetration testing are; OSINT (Open Source Intelligence), Footprinting, Discovery, and Cyberstalking.
During reconnaissance we'll gather information from public sources to learn about the target and try to find what is important to the target. How they do business, technical infrastructure, architecture, products, and configuration information. These actions may seem harmless at the time and may be overlooked by security administrators as "network noise", but don't count on it. A target with well funded resources may have people looking for such attacks knowing they can lead to subsequent access or DoS attacks. Social Engineering, which is the act of manipulating people into performing actions in divulging confidential information or to trick people to do things that are beneficial to the user, may become prevalent at this stage. But if pulled off successfully the target may not know till its too late. A disgruntled employee may have knowledge of your network infrastructure, user names & passwords, and web vulnerabilities. As a CIO you want to keep attackers from finding this information and using it against you.
nslookup maps domain names to IP addresses
(usage) $ nslookup pbnetworks.net
Dig is a service to look up information in the DNS (query a specific DNS server)
(usage) $ dig pbnetworks.net any
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50342
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pbnetworks.net. IN ANY
;; ANSWER SECTION:
pbnetworks.net. 3600 IN SOA dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181
pbnetworks.net. 3600 IN A 184.108.40.206
pbnetworks.net. 3600 IN MX 10 mxin.name-services.com.
pbnetworks.net. 3600 IN NS dns3.name-services.com.
pbnetworks.net. 3600 IN NS dns1.name-services.com.
pbnetworks.net. 3600 IN NS dns2.name-services.com.
pbnetworks.net. 3600 IN NS dns5.name-services.com.
pbnetworks.net. 3600 IN NS dns4.name-services.com.
;; Query time: 83 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Wed Jul 27 15:24:20 2011
;; MSG SIZE rcvd: 222
whois look up and find Internet domain registration data
(usage) $ whois pbnetworks.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: PBNETWORKS.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Updated Date: 23-jan-2009
Creation Date: 09-oct-2000
Expiration Date: 09-oct-2012
zonetransfer mechanism for replicating DNS data across DNS servers
(usage) $ dig pbnetworks.net axfr
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net axfr
;; global options: +cmd
;; connection timed out; no servers could be reached
NOTE: This command requires a zone transfer which the server may disallow.
dnsrecon standard record enumeration for a given domain available by darkoperator
(usage) # ./dnsrecon.rb -t std -d packetstormsecurity.org
fierce queries DNS server of target and attemps to dump the SOA records
(usage) $ ./fierce.pl -dns <target> -wide -file output.txt
This is interesting to run on a larger organizations that have vast networks.
nmap -sL perform a reverse DNS lookup on every IP address in the scan & send over the network and query the DNS server each time an IP address is listed.
(usage) # nmap -sL -oG - -iR 4
traceroute sends packets to destination by increasing the TTL value of each successive set of packets sent. Unix-like systems use UDP by default (Layer 4) & Windows (Layer 3) uses ICMP.
(usage) tracert pbnetworks.net (Windows) traceroute pbnetworks.net (UNIX)
The above DNS tools will likely identify numerous systems that are directly and indirectly associated with the target. You may identify many systems that are out of scope of your initial target and you must verify their inclusion in or exclusion from your target scope. When querying DNS servers you get some interesting information indicating which machines are mail servers, intranet, etc. Here is a list of DNS record types:
NS: Nameserver record
A: Address record
HINFO: Host Information record
MX: Mail Exchange record
TXT: Text record
CNAME: Canonical Name record
SOA: Start of Authority record
RP: Responsible Person record
PTR: Point of inverse lookups record
SRV: Service location record
Two great tools that are useful for enumerating targets thru DNS service are dnsrecon & fierce. Dnsrecon written by Carlos Perez provides different methods for enumerating targets such as query for SOA, top level domain, perform zone transfer, reverse record lookup, service record enumeration, and bruteforce subdomain and host records with wordlist. Fierce written by RSnake queries your DNS for DNS servers of the target. If it finds anything it will scan up and down looking for anything else with the same domain name in it using reverse lookups. There is a search option that allows you to find non-related domain names (Figure #1) $ ./fierce.pl -dns <target> -search searchoption1,searchoption2 (Where searchoption1 & 2 are different names that the target goes by such as acme.com and acmecompany.com) Fierce has wordlist support so that you can supply your own dictionary using the -wordlist key (Figure #2) $ ./fierce.pl -dns <target> -wordlist dicfile.txt -file target.txt. This was helpful with the site listed since I don't read Korean.
Information tools on the Internet
Instead of using built-in tools like traceroute, dig, etc you can use various websites that resolve domain names. The list below offers a variety of free services in simple web form which you can type information and get responses. Some sites offer more for an additional monthly or annual fee such as better performance, unlimited searches etc.
Whois, traceroute, IP information and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Domain-based research services
Public Information regarding Internet Domain name registration services
The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
Europe, Middle East, Central Asia
Asia and Pacific region
Latin America and Caribbean
Providing research data and analysis on many aspects of the Internet.
Searching for metadata
Metadata is data about data that resides on documents such as e-mail, spreadsheet, or other electronic document. This type of information became popular when it was used to catch the 30-year-old case involving the Wichita, Kansas BTK killer. Metadata is information about a document such as who created a file, the date it was crated and when it was last modified. The amount of metadata depends on the properties of the file type (Microsoft, Open Office, etc). We can use a tool to help us find this metadata off websites we are doing research on called metagoofil. Metagoofil is an information gathering tool designed for extracting metadata off public documents (pdf, doc, xls, ppt, odp, ods) available in the target websites. To install metagoofil on Ubuntu you will need libextractor installed on your distribution using the apt-get cmd: $ sudo apt-get install libextractor-plugins extract.
Next edit the metagoofil.py file and have the extcommand read as: extcommand='/usr/bin/extract'. The metagoofil.py file is executable but on some systems you may not be able to issue a $ ./metagoofil.py and will be required to issue $ python metagoofil.py. Once it is up and running you will see the metagoofil options and how it is used. You can issue the following commands to search a website for useful documents (see Figure #3) $ python metagoofil.py -d warnerbros.com -f all -l 50 -o warnerbros.html -t deadfile. The -d specifies the website to search, -f specifies the file type which I selected all, -l specifies the limit the results to 50, -o specifies the output in this case html, and -t specifies the target directory to download the files. Now let's open up a web browser and look at the results of the warnerbros.html file. (see Figure #4 & #5)
Now scroll through the html page and find all the important metadata from each file that was found during the scan. At the end of the document is a list of total authors found (potential users) along with path disclosure (see Figure #5).
Searching for email accounts, user accounts, and host names
A valuable tool for social engineering and intelligence gathering is theHarvester which will get e-mail accounts, user names and hostnames/subdomins from different public sources like search engines and PGP key servers. The sources supported are google, google profiles, bing, pgp, linkedin, and exalead, new features were added as of 03/04/2011 with the release of version 2.0 which include time delays between requests, XML results export, search a domain in all sources, and virtual host verifier. To issue a search use the following syntax: ./theHarvester.py -l 100 -b all -d target.com (see Figure #6)
You can redirect the output to a text file to read later. To utilize the bing feature you will need an API key otherwise you will get an error by issuing the all command. Open up vi or your favorite editor and edit the file ~/theHarvester-ng/discovery/bingsearch.py, look for the line that says: self.bingApi=" and enter your API number" and you are good to go.
Metasploit also has the ability to search for e-mail accounts using the gather option. This option in Metasploit is located in the auxiliary options just type search gather at the msf > prompt. (see Figure #7 & #8)
msf > use gather/search_email_collector
msf > set domain sempra.com
msf > run
This function is useful within metasploit but is not as powerful as using theHarvester. For instance metasploit use of the gather tool does not allow you to search for pgp accounts. It will search for emails in Google, Bing, and Yahoo.
Network Discovery with Paterva's Maltego
Paterva's Maltego is a general-purpose reconnaissance tool that runs on Windows, Linux, and Mac OS X. We will be discussing the version that runs on Linux. It is available in tow versions one community edition which is free and the commercial version. The differences are that the community version has a max of 12 results per transform, runs slower, and no updates till the next major version.
Maltego is built on the concept of transforms, taking one piece of information and performing a lookup to determine another piece of information. Maltego's transform will perform a DNS lookup and find the IP address. Then you can apply another transform to map the IP address to an organization's name via a netblock lookup.
Followed by a whois lookup on the org name and determine their public PGP key. Next you can map that key to the names of people who have signed the key to get names of more people. The issue that presents itself once you start this search is the vast amounts of information that is available. It is difficult for the human brain to see obscure links between seemingly unrelated data. It is easy to see commonalities between pieces of information when displayed graphically. This tool can graphically display the links between pieces of data.
- Groups of people (social networks)
- Web sites
Internet infrastructure such as:
- DNS names
- IP addresses
- Documents and files
To create a new graph use either the ctrl + T keyboard command or click on the (+) button next to the application icon. Once the graph is available you can add entities and run transforms to change those entities. The palette is available once you click on the manage tab and see it listed under windows which contains a default collection of entities.(see Figure #9) The palette is where you will find all the Maltego concepts (listed above) that you can drag onto the graph and edit then run transforms on.
Select a node from the palette and drag it onto the graph, to edit the value double click on the text. Left click on the node you want to select (should see a rectangle appear around it in yellow) and you will be give a list of transforms to run. All the transforms can be displayed and a selection made by clicking on a transform name. Transforms can also be grouped logically by the user into sets. At the top is the Maltego application button that provides access to additional functionality and resources. Maltego can easily load and save graphs that are saved with an .mtgx extension.
When you right click on the entity and get a list of transforms available you can choose any one of the associated transforms or apply all by choosing “All” transforms. This will take some time to complete and generate a lot of traffic. The info pulled back from various public sources is displayed hierarchically related to your initial data point and can be viewed several ways. (see Figure #10 & #11)
Shodan add-on for Maltego which requires Maltego version 3+ and a Shodan API key. This gives you 6 transforms; searchShodan, searchExploitDB, searchMetasploit, getHostProfile, searchShodanDomain, searchShodanNetblock. (see Figure #12)
SHODAN is a search engine that lets you find specific computers (router, servers, etc) using a variety of filters. The bulk of data is taken from 'banners', which are meta-data the server sends back to the client. This is information about the server software, what options the service supports, banner message or anything else that the client would like to know before interacting with the server. You can enter into your search input box the following: SCADA city:"San Diego" country:US and this will return SCADA systems that are running in San Diego. This can be very helpful in doing penetration tests for public utilities.
Useful Google Search Directives
Google is a useful tool you can use to find vulnerable systems in your target environments. At this years BlackHat Las Vegas 2011 conference researchers warn that "You can do a Google search with your Web browser and start operating [circuit] breakers, potentially,"Building, attacking and defending SCADA systems in the Age of Stuxnet." Among the results was one referencing a "RTU pump status" for a Remote terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password - "1234."
There are many search directives that you can use such as site, link, intitle, inurl, and the all directive. The "site:" directive allows an attacker to search for pages on just a single site or domain, narrowing down and focusing the search. The "link:" directive shows sites that link to a given web site. The "intitle:" allows you to search within a title text. The 'inurl:" directive lets us search for specific terms to be included in the URL of a given site. The "all" search directives that indicate we want pages only with all of the terms we use to search such as "allintext:", "allintitle:", and "allinurl:". There is a good book on the subject by Syngress called Google Hacking for Penetration Testers volume 2. A very good source to find many different search options is the GHDB hosted by Hackers for Charity a group that I do volunteer work for. There are a number of items to search for such as:
Advisories and Vulnerabilities (215 entries)
These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.
Error Messages (68 entries)
Really retarded error messages that say WAY too much!
Files containing juicy info (230 entries)
No usernames or passwords, but interesting stuff none the less.
Files containing passwords (135 entries)
PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!
Files containing usernames (15 entries)
These files contain usernames, but no passwords... Still, google finding usernames on a web site..
Footholds (21 entries)
Examples of queries that can help a hacker gain a foothold into a web server
Pages containing login portals (232 entries)
These are login pages for various services. Front door of a website's more sensitive functions.
Pages containing network or vulnerability data (59 entries)
These pages contain such things as firewall logs, honeypot logs, network information, IDS logs
sensitive Directories (61 entries)
Google's collection of web sites sharing sensitive directories files contained sensitive to uber-secret!
sensitive Online Shopping Info (9 entries)
Examples of queries that can reveal online shopping info like customer data, suppliers, creditcard #'s
Various Online Devices (201 entries)
This category contains things like printers, video cameras, and all sorts of cool things found on the web
Vulnerable Files (57 entries)
HUNDREDS of vulnerable files that Google can find on websites...
Vulnerable Servers (48 entries)
These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.
Web Server Detection (72 entries)
These links demonstrate Google's awesome ability to profile web servers..
You can use many of the search terms above to search for a specific site you are doing reconnaissance on. A couple of other tools that implement many of the search terms contained in the GHDB are SiteDigger, Wikto, and Gooscan. SiteDigger runs on windows and generates its searches from a user-provided domain and the contents of either the GHDB or Foundstone's own FSDB of Google searches to find flawed systems. SiteDigger is now maintained by McAfee. Wikto performs Google searches using the GHDB against one or more user provided domains and runs on windows. Wikto provides several features, including a scan of the target webs servers looking for well-known vulnerable scripts. Gooscan runs on Linux and does not require a Google API key. It formulates queries for Google's regular human interface web page, and scrapes the results it gets back. The use of this tool could violate Google's terms of service.
The information in this article will be useful in preparing for your penetration test engagements. The reconnaissance phase used in many penetration tests and ethical hacking projects purpose is to gather information that will act as a firm foundation that testers will leverage for the remainder of the testing project.
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus inter...
May. 1, 2016 12:00 AM EDT Reads: 1,050
You think you know what’s in your data. But do you? Most organizations are now aware of the business intelligence represented by their data. Data science stands to take this to a level you never thought of – literally. The techniques of data science, when used with the capabilities of Big Data technologies, can make connections you had not yet imagined, helping you discover new insights and ask new questions of your data. In his session at @ThingsExpo, Sarbjit Sarkaria, data science team lead ...
Apr. 30, 2016 10:45 PM EDT Reads: 664
So, you bought into the current machine learning craze and went on to collect millions/billions of records from this promising new data source. Now, what do you do with them? Too often, the abundance of data quickly turns into an abundance of problems. How do you extract that "magic essence" from your data without falling into the common pitfalls? In her session at @ThingsExpo, Natalia Ponomareva, Software Engineer at Google, will provide tips on how to be successful in large scale machine lear...
Apr. 30, 2016 10:00 PM EDT Reads: 1,087
In his session at @ThingsExpo, Chris Klein, CEO and Co-founder of Rachio, will discuss next generation communities that are using IoT to create more sustainable, intelligent communities. One example is Sterling Ranch, a 10,000 home development that – with the help of Siemens – will integrate IoT technology into the community to provide residents with energy and water savings as well as intelligent security. Everything from stop lights to sprinkler systems to building infrastructures will run ef...
Apr. 30, 2016 05:30 PM EDT Reads: 710
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Apr. 30, 2016 04:45 PM EDT Reads: 1,053
Machine Learning helps make complex systems more efficient. By applying advanced Machine Learning techniques such as Cognitive Fingerprinting, wind project operators can utilize these tools to learn from collected data, detect regular patterns, and optimize their own operations. In his session at 18th Cloud Expo, Stuart Gillen, Director of Business Development at SparkCognition, will discuss how research has demonstrated the value of Machine Learning in delivering next generation analytics to im...
Apr. 30, 2016 04:15 PM EDT Reads: 1,666
There is an ever-growing explosion of new devices that are connected to the Internet using “cloud” solutions. This rapid growth is creating a massive new demand for efficient access to data. And it’s not just about connecting to that data anymore. This new demand is bringing new issues and challenges and it is important for companies to scale for the coming growth. And with that scaling comes the need for greater security, gathering and data analysis, storage, connectivity and, of course, the...
Apr. 30, 2016 03:15 PM EDT Reads: 757
This is not a small hotel event. It is also not a big vendor party where politicians and entertainers are more important than real content. This is Cloud Expo, the world's longest-running conference and exhibition focused on Cloud Computing and all that it entails. If you want serious presentations and valuable insight about Cloud Computing for three straight days, then register now for Cloud Expo.
Apr. 30, 2016 02:30 PM EDT Reads: 1,710
IoT device adoption is growing at staggering rates, and with it comes opportunity for developers to meet consumer demand for an ever more connected world. Wireless communication is the key part of the encompassing components of any IoT device. Wireless connectivity enhances the device utility at the expense of ease of use and deployment challenges. Since connectivity is fundamental for IoT device development, engineers must understand how to overcome the hurdles inherent in incorporating multipl...
Apr. 30, 2016 02:15 PM EDT Reads: 1,453
SYS-CON Events announced today that Stratoscale, the software company developing the next generation data center operating system, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Stratoscale is revolutionizing the data center with a zero-to-cloud-in-minutes solution. With Stratoscale’s hardware-agnostic, Software Defined Data Center (SDDC) solution to store everything, run anything and scale everywhere...
Apr. 30, 2016 01:15 PM EDT Reads: 1,531
The increasing popularity of the Internet of Things necessitates that our physical and cognitive relationship with wearable technology will change rapidly in the near future. This advent means logging has become a thing of the past. Before, it was on us to track our own data, but now that data is automatically available. What does this mean for mHealth and the "connected" body? In her session at @ThingsExpo, Lisa Calkins, CEO and co-founder of Amadeus Consulting, will discuss the impact of wea...
Apr. 30, 2016 01:15 PM EDT Reads: 664
Angular 2 is a complete re-write of the popular framework AngularJS. Programming in Angular 2 is greatly simplified – now it's a component-based well-performing framework. This immersive one-day workshop at 18th Cloud Expo, led by Yakov Fain, a Java Champion and a co-founder of the IT consultancy Farata Systems and the product company SuranceBay, will provide you with everything you wanted to know about Angular 2.
Apr. 30, 2016 12:45 PM EDT Reads: 1,700
SYS-CON Events announced today that Men & Mice, the leading global provider of DNS, DHCP and IP address management overlay solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. The Men & Mice Suite overlay solution is already known for its powerful application in heterogeneous operating environments, enabling enterprises to scale without fuss. Building on a solid range of diverse platform support,...
Apr. 30, 2016 12:00 PM EDT Reads: 2,294
You deployed your app with the Bluemix PaaS and it's gaining some serious traction, so it's time to make some tweaks. Did you design your application in a way that it can scale in the cloud? Were you even thinking about the cloud when you built the app? If not, chances are your app is going to break. Check out this webcast to learn various techniques for designing applications that will scale successfully in Bluemix, for the confidence you need to take your apps to the next level and beyond.
Apr. 30, 2016 11:30 AM EDT Reads: 1,466
We’ve worked with dozens of early adopters across numerous industries and will debunk common misperceptions, which starts with understanding that many of the connected products we’ll use over the next 5 years are already products, they’re just not yet connected. With an IoT product, time-in-market provides much more essential feedback than ever before. Innovation comes from what you do with the data that the connected product provides in order to enhance the customer experience and optimize busi...
Apr. 30, 2016 11:15 AM EDT Reads: 887
SYS-CON Events announced today that Ericsson has been named “Gold Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. Ericsson is a world leader in the rapidly changing environment of communications technology – providing equipment, software and services to enable transformation through mobility. Some 40 percent of global mobile traffic runs through networks we have supplied. More than 1 billion subscribers around the world re...
Apr. 30, 2016 11:00 AM EDT Reads: 875
Increasing IoT connectivity is forcing enterprises to find elegant solutions to organize and visualize all incoming data from these connected devices with re-configurable dashboard widgets to effectively allow rapid decision-making for everything from immediate actions in tactical situations to strategic analysis and reporting. In his session at 18th Cloud Expo, Shikhir Singh, Senior Developer Relations Manager at Sencha, will discuss how to create HTML5 dashboards that interact with IoT devic...
Apr. 30, 2016 11:00 AM EDT Reads: 920
Artificial Intelligence has the potential to massively disrupt IoT. In his session at 18th Cloud Expo, AJ Abdallat, CEO of Beyond AI, will discuss what the five main drivers are in Artificial Intelligence that could shape the future of the Internet of Things. AJ Abdallat is CEO of Beyond AI. He has over 20 years of management experience in the fields of artificial intelligence, sensors, instruments, devices and software for telecommunications, life sciences, environmental monitoring, process...
Apr. 30, 2016 11:00 AM EDT Reads: 891
Digital payments using wearable devices such as smart watches, fitness trackers, and payment wristbands are an increasing area of focus for industry participants, and consumer acceptance from early trials and deployments has encouraged some of the biggest names in technology and banking to continue their push to drive growth in this nascent market. Wearable payment systems may utilize near field communication (NFC), radio frequency identification (RFID), or quick response (QR) codes and barcodes...
Apr. 30, 2016 10:00 AM EDT Reads: 716
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry's single source for the cloud. Fusion's advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
Apr. 30, 2016 09:45 AM EDT Reads: 2,556