|By David Dodd||
|January 9, 2012 04:00 AM EST||
The purpose of this article is to describe some tools and techniques in performing the planning, scoping, and recon portion of a penetration test. In covering these tools and techniques the reader will learn how to use them to find vulnerabilities in their organization and help improve security posture. Some other names for this first phase of penetration testing are; OSINT (Open Source Intelligence), Footprinting, Discovery, and Cyberstalking.
During reconnaissance we'll gather information from public sources to learn about the target and try to find what is important to the target. How they do business, technical infrastructure, architecture, products, and configuration information. These actions may seem harmless at the time and may be overlooked by security administrators as "network noise", but don't count on it. A target with well funded resources may have people looking for such attacks knowing they can lead to subsequent access or DoS attacks. Social Engineering, which is the act of manipulating people into performing actions in divulging confidential information or to trick people to do things that are beneficial to the user, may become prevalent at this stage. But if pulled off successfully the target may not know till its too late. A disgruntled employee may have knowledge of your network infrastructure, user names & passwords, and web vulnerabilities. As a CIO you want to keep attackers from finding this information and using it against you.
nslookup maps domain names to IP addresses
(usage) $ nslookup pbnetworks.net
Dig is a service to look up information in the DNS (query a specific DNS server)
(usage) $ dig pbnetworks.net any
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50342
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pbnetworks.net. IN ANY
;; ANSWER SECTION:
pbnetworks.net. 3600 IN SOA dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181
pbnetworks.net. 3600 IN A 188.8.131.52
pbnetworks.net. 3600 IN MX 10 mxin.name-services.com.
pbnetworks.net. 3600 IN NS dns3.name-services.com.
pbnetworks.net. 3600 IN NS dns1.name-services.com.
pbnetworks.net. 3600 IN NS dns2.name-services.com.
pbnetworks.net. 3600 IN NS dns5.name-services.com.
pbnetworks.net. 3600 IN NS dns4.name-services.com.
;; Query time: 83 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Wed Jul 27 15:24:20 2011
;; MSG SIZE rcvd: 222
whois look up and find Internet domain registration data
(usage) $ whois pbnetworks.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: PBNETWORKS.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Updated Date: 23-jan-2009
Creation Date: 09-oct-2000
Expiration Date: 09-oct-2012
zonetransfer mechanism for replicating DNS data across DNS servers
(usage) $ dig pbnetworks.net axfr
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net axfr
;; global options: +cmd
;; connection timed out; no servers could be reached
NOTE: This command requires a zone transfer which the server may disallow.
dnsrecon standard record enumeration for a given domain available by darkoperator
(usage) # ./dnsrecon.rb -t std -d packetstormsecurity.org
fierce queries DNS server of target and attemps to dump the SOA records
(usage) $ ./fierce.pl -dns <target> -wide -file output.txt
This is interesting to run on a larger organizations that have vast networks.
nmap -sL perform a reverse DNS lookup on every IP address in the scan & send over the network and query the DNS server each time an IP address is listed.
(usage) # nmap -sL -oG - -iR 4
traceroute sends packets to destination by increasing the TTL value of each successive set of packets sent. Unix-like systems use UDP by default (Layer 4) & Windows (Layer 3) uses ICMP.
(usage) tracert pbnetworks.net (Windows) traceroute pbnetworks.net (UNIX)
The above DNS tools will likely identify numerous systems that are directly and indirectly associated with the target. You may identify many systems that are out of scope of your initial target and you must verify their inclusion in or exclusion from your target scope. When querying DNS servers you get some interesting information indicating which machines are mail servers, intranet, etc. Here is a list of DNS record types:
NS: Nameserver record
A: Address record
HINFO: Host Information record
MX: Mail Exchange record
TXT: Text record
CNAME: Canonical Name record
SOA: Start of Authority record
RP: Responsible Person record
PTR: Point of inverse lookups record
SRV: Service location record
Two great tools that are useful for enumerating targets thru DNS service are dnsrecon & fierce. Dnsrecon written by Carlos Perez provides different methods for enumerating targets such as query for SOA, top level domain, perform zone transfer, reverse record lookup, service record enumeration, and bruteforce subdomain and host records with wordlist. Fierce written by RSnake queries your DNS for DNS servers of the target. If it finds anything it will scan up and down looking for anything else with the same domain name in it using reverse lookups. There is a search option that allows you to find non-related domain names (Figure #1) $ ./fierce.pl -dns <target> -search searchoption1,searchoption2 (Where searchoption1 & 2 are different names that the target goes by such as acme.com and acmecompany.com) Fierce has wordlist support so that you can supply your own dictionary using the -wordlist key (Figure #2) $ ./fierce.pl -dns <target> -wordlist dicfile.txt -file target.txt. This was helpful with the site listed since I don't read Korean.
Information tools on the Internet
Instead of using built-in tools like traceroute, dig, etc you can use various websites that resolve domain names. The list below offers a variety of free services in simple web form which you can type information and get responses. Some sites offer more for an additional monthly or annual fee such as better performance, unlimited searches etc.
Whois, traceroute, IP information and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Domain-based research services
Public Information regarding Internet Domain name registration services
The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
Europe, Middle East, Central Asia
Asia and Pacific region
Latin America and Caribbean
Providing research data and analysis on many aspects of the Internet.
Searching for metadata
Metadata is data about data that resides on documents such as e-mail, spreadsheet, or other electronic document. This type of information became popular when it was used to catch the 30-year-old case involving the Wichita, Kansas BTK killer. Metadata is information about a document such as who created a file, the date it was crated and when it was last modified. The amount of metadata depends on the properties of the file type (Microsoft, Open Office, etc). We can use a tool to help us find this metadata off websites we are doing research on called metagoofil. Metagoofil is an information gathering tool designed for extracting metadata off public documents (pdf, doc, xls, ppt, odp, ods) available in the target websites. To install metagoofil on Ubuntu you will need libextractor installed on your distribution using the apt-get cmd: $ sudo apt-get install libextractor-plugins extract.
Next edit the metagoofil.py file and have the extcommand read as: extcommand='/usr/bin/extract'. The metagoofil.py file is executable but on some systems you may not be able to issue a $ ./metagoofil.py and will be required to issue $ python metagoofil.py. Once it is up and running you will see the metagoofil options and how it is used. You can issue the following commands to search a website for useful documents (see Figure #3) $ python metagoofil.py -d warnerbros.com -f all -l 50 -o warnerbros.html -t deadfile. The -d specifies the website to search, -f specifies the file type which I selected all, -l specifies the limit the results to 50, -o specifies the output in this case html, and -t specifies the target directory to download the files. Now let's open up a web browser and look at the results of the warnerbros.html file. (see Figure #4 & #5)
Now scroll through the html page and find all the important metadata from each file that was found during the scan. At the end of the document is a list of total authors found (potential users) along with path disclosure (see Figure #5).
Searching for email accounts, user accounts, and host names
A valuable tool for social engineering and intelligence gathering is theHarvester which will get e-mail accounts, user names and hostnames/subdomins from different public sources like search engines and PGP key servers. The sources supported are google, google profiles, bing, pgp, linkedin, and exalead, new features were added as of 03/04/2011 with the release of version 2.0 which include time delays between requests, XML results export, search a domain in all sources, and virtual host verifier. To issue a search use the following syntax: ./theHarvester.py -l 100 -b all -d target.com (see Figure #6)
You can redirect the output to a text file to read later. To utilize the bing feature you will need an API key otherwise you will get an error by issuing the all command. Open up vi or your favorite editor and edit the file ~/theHarvester-ng/discovery/bingsearch.py, look for the line that says: self.bingApi=" and enter your API number" and you are good to go.
Metasploit also has the ability to search for e-mail accounts using the gather option. This option in Metasploit is located in the auxiliary options just type search gather at the msf > prompt. (see Figure #7 & #8)
msf > use gather/search_email_collector
msf > set domain sempra.com
msf > run
This function is useful within metasploit but is not as powerful as using theHarvester. For instance metasploit use of the gather tool does not allow you to search for pgp accounts. It will search for emails in Google, Bing, and Yahoo.
Network Discovery with Paterva's Maltego
Paterva's Maltego is a general-purpose reconnaissance tool that runs on Windows, Linux, and Mac OS X. We will be discussing the version that runs on Linux. It is available in tow versions one community edition which is free and the commercial version. The differences are that the community version has a max of 12 results per transform, runs slower, and no updates till the next major version.
Maltego is built on the concept of transforms, taking one piece of information and performing a lookup to determine another piece of information. Maltego's transform will perform a DNS lookup and find the IP address. Then you can apply another transform to map the IP address to an organization's name via a netblock lookup.
Followed by a whois lookup on the org name and determine their public PGP key. Next you can map that key to the names of people who have signed the key to get names of more people. The issue that presents itself once you start this search is the vast amounts of information that is available. It is difficult for the human brain to see obscure links between seemingly unrelated data. It is easy to see commonalities between pieces of information when displayed graphically. This tool can graphically display the links between pieces of data.
- Groups of people (social networks)
- Web sites
Internet infrastructure such as:
- DNS names
- IP addresses
- Documents and files
To create a new graph use either the ctrl + T keyboard command or click on the (+) button next to the application icon. Once the graph is available you can add entities and run transforms to change those entities. The palette is available once you click on the manage tab and see it listed under windows which contains a default collection of entities.(see Figure #9) The palette is where you will find all the Maltego concepts (listed above) that you can drag onto the graph and edit then run transforms on.
Select a node from the palette and drag it onto the graph, to edit the value double click on the text. Left click on the node you want to select (should see a rectangle appear around it in yellow) and you will be give a list of transforms to run. All the transforms can be displayed and a selection made by clicking on a transform name. Transforms can also be grouped logically by the user into sets. At the top is the Maltego application button that provides access to additional functionality and resources. Maltego can easily load and save graphs that are saved with an .mtgx extension.
When you right click on the entity and get a list of transforms available you can choose any one of the associated transforms or apply all by choosing “All” transforms. This will take some time to complete and generate a lot of traffic. The info pulled back from various public sources is displayed hierarchically related to your initial data point and can be viewed several ways. (see Figure #10 & #11)
Shodan add-on for Maltego which requires Maltego version 3+ and a Shodan API key. This gives you 6 transforms; searchShodan, searchExploitDB, searchMetasploit, getHostProfile, searchShodanDomain, searchShodanNetblock. (see Figure #12)
SHODAN is a search engine that lets you find specific computers (router, servers, etc) using a variety of filters. The bulk of data is taken from 'banners', which are meta-data the server sends back to the client. This is information about the server software, what options the service supports, banner message or anything else that the client would like to know before interacting with the server. You can enter into your search input box the following: SCADA city:"San Diego" country:US and this will return SCADA systems that are running in San Diego. This can be very helpful in doing penetration tests for public utilities.
Useful Google Search Directives
Google is a useful tool you can use to find vulnerable systems in your target environments. At this years BlackHat Las Vegas 2011 conference researchers warn that "You can do a Google search with your Web browser and start operating [circuit] breakers, potentially,"Building, attacking and defending SCADA systems in the Age of Stuxnet." Among the results was one referencing a "RTU pump status" for a Remote terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password - "1234."
There are many search directives that you can use such as site, link, intitle, inurl, and the all directive. The "site:" directive allows an attacker to search for pages on just a single site or domain, narrowing down and focusing the search. The "link:" directive shows sites that link to a given web site. The "intitle:" allows you to search within a title text. The 'inurl:" directive lets us search for specific terms to be included in the URL of a given site. The "all" search directives that indicate we want pages only with all of the terms we use to search such as "allintext:", "allintitle:", and "allinurl:". There is a good book on the subject by Syngress called Google Hacking for Penetration Testers volume 2. A very good source to find many different search options is the GHDB hosted by Hackers for Charity a group that I do volunteer work for. There are a number of items to search for such as:
Advisories and Vulnerabilities (215 entries)
These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.
Error Messages (68 entries)
Really retarded error messages that say WAY too much!
Files containing juicy info (230 entries)
No usernames or passwords, but interesting stuff none the less.
Files containing passwords (135 entries)
PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!
Files containing usernames (15 entries)
These files contain usernames, but no passwords... Still, google finding usernames on a web site..
Footholds (21 entries)
Examples of queries that can help a hacker gain a foothold into a web server
Pages containing login portals (232 entries)
These are login pages for various services. Front door of a website's more sensitive functions.
Pages containing network or vulnerability data (59 entries)
These pages contain such things as firewall logs, honeypot logs, network information, IDS logs
sensitive Directories (61 entries)
Google's collection of web sites sharing sensitive directories files contained sensitive to uber-secret!
sensitive Online Shopping Info (9 entries)
Examples of queries that can reveal online shopping info like customer data, suppliers, creditcard #'s
Various Online Devices (201 entries)
This category contains things like printers, video cameras, and all sorts of cool things found on the web
Vulnerable Files (57 entries)
HUNDREDS of vulnerable files that Google can find on websites...
Vulnerable Servers (48 entries)
These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.
Web Server Detection (72 entries)
These links demonstrate Google's awesome ability to profile web servers..
You can use many of the search terms above to search for a specific site you are doing reconnaissance on. A couple of other tools that implement many of the search terms contained in the GHDB are SiteDigger, Wikto, and Gooscan. SiteDigger runs on windows and generates its searches from a user-provided domain and the contents of either the GHDB or Foundstone's own FSDB of Google searches to find flawed systems. SiteDigger is now maintained by McAfee. Wikto performs Google searches using the GHDB against one or more user provided domains and runs on windows. Wikto provides several features, including a scan of the target webs servers looking for well-known vulnerable scripts. Gooscan runs on Linux and does not require a Google API key. It formulates queries for Google's regular human interface web page, and scrapes the results it gets back. The use of this tool could violate Google's terms of service.
The information in this article will be useful in preparing for your penetration test engagements. The reconnaissance phase used in many penetration tests and ethical hacking projects purpose is to gather information that will act as a firm foundation that testers will leverage for the remainder of the testing project.
Smart Cities are here to stay, but for their promise to be delivered, the data they produce must not be put in new siloes. In his session at @ThingsExpo, Mathias Herberts, Co-founder and CTO of Cityzen Data, discussed the best practices that will ensure a successful smart city journey.
Jan. 23, 2017 05:00 AM EST Reads: 2,141
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
Jan. 23, 2017 03:00 AM EST Reads: 1,017
"Tintri was started in 2008 with the express purpose of building a storage appliance that is ideal for virtualized environments. We support a lot of different hypervisor platforms from VMware to OpenStack to Hyper-V," explained Dan Florea, Director of Product Management at Tintri, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jan. 23, 2017 02:30 AM EST Reads: 5,014
Data is an unusual currency; it is not restricted by the same transactional limitations as money or people. In fact, the more that you leverage your data across multiple business use cases, the more valuable it becomes to the organization. And the same can be said about the organization’s analytics. In his session at 19th Cloud Expo, Bill Schmarzo, CTO for the Big Data Practice at Dell EMC, introduced a methodology for capturing, enriching and sharing data (and analytics) across the organization...
Jan. 23, 2017 02:30 AM EST Reads: 3,372
Manufacturers are embracing the Industrial Internet the same way consumers are leveraging Fitbits – to improve overall health and wellness. Both can provide consistent measurement, visibility, and suggest performance improvements customized to help reach goals. Fitbit users can view real-time data and make adjustments to increase their activity. In his session at @ThingsExpo, Mark Bernardo Professional Services Leader, Americas, at GE Digital, discussed how leveraging the Industrial Internet and...
Jan. 23, 2017 02:00 AM EST Reads: 6,648
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at 20th Cloud Expo, Ed Featherston, director/senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
Jan. 23, 2017 01:45 AM EST Reads: 2,773
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
Jan. 23, 2017 12:00 AM EST Reads: 5,884
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
Jan. 22, 2017 11:00 PM EST Reads: 1,042
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
Jan. 22, 2017 07:45 PM EST Reads: 3,874
"LinearHub provides smart video conferencing, which is the Roundee service, and we archive all the video conferences and we also provide the transcript," stated Sunghyuk Kim, CEO of LinearHub, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Jan. 22, 2017 03:15 PM EST Reads: 1,695
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.
Jan. 22, 2017 02:30 PM EST Reads: 3,767
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Jan. 22, 2017 02:00 PM EST Reads: 5,302
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Jan. 22, 2017 02:00 PM EST Reads: 5,836
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
Jan. 22, 2017 01:45 PM EST Reads: 3,238
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Jan. 22, 2017 01:00 PM EST Reads: 4,398
Discover top technologies and tools all under one roof at April 24–28, 2017, at the Westin San Diego in San Diego, CA. Explore the Mobile Dev + Test and IoT Dev + Test Expo and enjoy all of these unique opportunities: The latest solutions, technologies, and tools in mobile or IoT software development and testing. Meet one-on-one with representatives from some of today's most innovative organizations
Jan. 22, 2017 12:45 PM EST Reads: 1,698
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...
Jan. 22, 2017 11:45 AM EST Reads: 2,979
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
Jan. 22, 2017 11:30 AM EST Reads: 3,759
The WebRTC Summit New York, to be held June 6-8, 2017, at the Javits Center in New York City, NY, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 20th International Cloud Expo and @ThingsExpo. WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web co...
Jan. 22, 2017 09:30 AM EST Reads: 3,040
"A lot of times people will come to us and have a very diverse set of requirements or very customized need and we'll help them to implement it in a fashion that you can't just buy off of the shelf," explained Nick Rose, CTO of Enzu, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jan. 22, 2017 09:30 AM EST Reads: 4,782