|By David Dodd||
|January 9, 2012 04:00 AM EST||
The purpose of this article is to describe some tools and techniques in performing the planning, scoping, and recon portion of a penetration test. In covering these tools and techniques the reader will learn how to use them to find vulnerabilities in their organization and help improve security posture. Some other names for this first phase of penetration testing are; OSINT (Open Source Intelligence), Footprinting, Discovery, and Cyberstalking.
During reconnaissance we'll gather information from public sources to learn about the target and try to find what is important to the target. How they do business, technical infrastructure, architecture, products, and configuration information. These actions may seem harmless at the time and may be overlooked by security administrators as "network noise", but don't count on it. A target with well funded resources may have people looking for such attacks knowing they can lead to subsequent access or DoS attacks. Social Engineering, which is the act of manipulating people into performing actions in divulging confidential information or to trick people to do things that are beneficial to the user, may become prevalent at this stage. But if pulled off successfully the target may not know till its too late. A disgruntled employee may have knowledge of your network infrastructure, user names & passwords, and web vulnerabilities. As a CIO you want to keep attackers from finding this information and using it against you.
nslookup maps domain names to IP addresses
(usage) $ nslookup pbnetworks.net
Dig is a service to look up information in the DNS (query a specific DNS server)
(usage) $ dig pbnetworks.net any
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50342
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pbnetworks.net. IN ANY
;; ANSWER SECTION:
pbnetworks.net. 3600 IN SOA dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181
pbnetworks.net. 3600 IN A 22.214.171.124
pbnetworks.net. 3600 IN MX 10 mxin.name-services.com.
pbnetworks.net. 3600 IN NS dns3.name-services.com.
pbnetworks.net. 3600 IN NS dns1.name-services.com.
pbnetworks.net. 3600 IN NS dns2.name-services.com.
pbnetworks.net. 3600 IN NS dns5.name-services.com.
pbnetworks.net. 3600 IN NS dns4.name-services.com.
;; Query time: 83 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Wed Jul 27 15:24:20 2011
;; MSG SIZE rcvd: 222
whois look up and find Internet domain registration data
(usage) $ whois pbnetworks.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: PBNETWORKS.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Updated Date: 23-jan-2009
Creation Date: 09-oct-2000
Expiration Date: 09-oct-2012
zonetransfer mechanism for replicating DNS data across DNS servers
(usage) $ dig pbnetworks.net axfr
; <<>> DiG 9.7.3-P3 <<>> pbnetworks.net axfr
;; global options: +cmd
;; connection timed out; no servers could be reached
NOTE: This command requires a zone transfer which the server may disallow.
dnsrecon standard record enumeration for a given domain available by darkoperator
(usage) # ./dnsrecon.rb -t std -d packetstormsecurity.org
fierce queries DNS server of target and attemps to dump the SOA records
(usage) $ ./fierce.pl -dns <target> -wide -file output.txt
This is interesting to run on a larger organizations that have vast networks.
nmap -sL perform a reverse DNS lookup on every IP address in the scan & send over the network and query the DNS server each time an IP address is listed.
(usage) # nmap -sL -oG - -iR 4
traceroute sends packets to destination by increasing the TTL value of each successive set of packets sent. Unix-like systems use UDP by default (Layer 4) & Windows (Layer 3) uses ICMP.
(usage) tracert pbnetworks.net (Windows) traceroute pbnetworks.net (UNIX)
The above DNS tools will likely identify numerous systems that are directly and indirectly associated with the target. You may identify many systems that are out of scope of your initial target and you must verify their inclusion in or exclusion from your target scope. When querying DNS servers you get some interesting information indicating which machines are mail servers, intranet, etc. Here is a list of DNS record types:
NS: Nameserver record
A: Address record
HINFO: Host Information record
MX: Mail Exchange record
TXT: Text record
CNAME: Canonical Name record
SOA: Start of Authority record
RP: Responsible Person record
PTR: Point of inverse lookups record
SRV: Service location record
Two great tools that are useful for enumerating targets thru DNS service are dnsrecon & fierce. Dnsrecon written by Carlos Perez provides different methods for enumerating targets such as query for SOA, top level domain, perform zone transfer, reverse record lookup, service record enumeration, and bruteforce subdomain and host records with wordlist. Fierce written by RSnake queries your DNS for DNS servers of the target. If it finds anything it will scan up and down looking for anything else with the same domain name in it using reverse lookups. There is a search option that allows you to find non-related domain names (Figure #1) $ ./fierce.pl -dns <target> -search searchoption1,searchoption2 (Where searchoption1 & 2 are different names that the target goes by such as acme.com and acmecompany.com) Fierce has wordlist support so that you can supply your own dictionary using the -wordlist key (Figure #2) $ ./fierce.pl -dns <target> -wordlist dicfile.txt -file target.txt. This was helpful with the site listed since I don't read Korean.
Information tools on the Internet
Instead of using built-in tools like traceroute, dig, etc you can use various websites that resolve domain names. The list below offers a variety of free services in simple web form which you can type information and get responses. Some sites offer more for an additional monthly or annual fee such as better performance, unlimited searches etc.
Whois, traceroute, IP information and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Find Ip Tools, DNS tools, internet tools, whois, traceroute, ping, domain name tools and more
Domain-based research services
Public Information regarding Internet Domain name registration services
The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
Europe, Middle East, Central Asia
Asia and Pacific region
Latin America and Caribbean
Providing research data and analysis on many aspects of the Internet.
Searching for metadata
Metadata is data about data that resides on documents such as e-mail, spreadsheet, or other electronic document. This type of information became popular when it was used to catch the 30-year-old case involving the Wichita, Kansas BTK killer. Metadata is information about a document such as who created a file, the date it was crated and when it was last modified. The amount of metadata depends on the properties of the file type (Microsoft, Open Office, etc). We can use a tool to help us find this metadata off websites we are doing research on called metagoofil. Metagoofil is an information gathering tool designed for extracting metadata off public documents (pdf, doc, xls, ppt, odp, ods) available in the target websites. To install metagoofil on Ubuntu you will need libextractor installed on your distribution using the apt-get cmd: $ sudo apt-get install libextractor-plugins extract.
Next edit the metagoofil.py file and have the extcommand read as: extcommand='/usr/bin/extract'. The metagoofil.py file is executable but on some systems you may not be able to issue a $ ./metagoofil.py and will be required to issue $ python metagoofil.py. Once it is up and running you will see the metagoofil options and how it is used. You can issue the following commands to search a website for useful documents (see Figure #3) $ python metagoofil.py -d warnerbros.com -f all -l 50 -o warnerbros.html -t deadfile. The -d specifies the website to search, -f specifies the file type which I selected all, -l specifies the limit the results to 50, -o specifies the output in this case html, and -t specifies the target directory to download the files. Now let's open up a web browser and look at the results of the warnerbros.html file. (see Figure #4 & #5)
Now scroll through the html page and find all the important metadata from each file that was found during the scan. At the end of the document is a list of total authors found (potential users) along with path disclosure (see Figure #5).
Searching for email accounts, user accounts, and host names
A valuable tool for social engineering and intelligence gathering is theHarvester which will get e-mail accounts, user names and hostnames/subdomins from different public sources like search engines and PGP key servers. The sources supported are google, google profiles, bing, pgp, linkedin, and exalead, new features were added as of 03/04/2011 with the release of version 2.0 which include time delays between requests, XML results export, search a domain in all sources, and virtual host verifier. To issue a search use the following syntax: ./theHarvester.py -l 100 -b all -d target.com (see Figure #6)
You can redirect the output to a text file to read later. To utilize the bing feature you will need an API key otherwise you will get an error by issuing the all command. Open up vi or your favorite editor and edit the file ~/theHarvester-ng/discovery/bingsearch.py, look for the line that says: self.bingApi=" and enter your API number" and you are good to go.
Metasploit also has the ability to search for e-mail accounts using the gather option. This option in Metasploit is located in the auxiliary options just type search gather at the msf > prompt. (see Figure #7 & #8)
msf > use gather/search_email_collector
msf > set domain sempra.com
msf > run
This function is useful within metasploit but is not as powerful as using theHarvester. For instance metasploit use of the gather tool does not allow you to search for pgp accounts. It will search for emails in Google, Bing, and Yahoo.
Network Discovery with Paterva's Maltego
Paterva's Maltego is a general-purpose reconnaissance tool that runs on Windows, Linux, and Mac OS X. We will be discussing the version that runs on Linux. It is available in tow versions one community edition which is free and the commercial version. The differences are that the community version has a max of 12 results per transform, runs slower, and no updates till the next major version.
Maltego is built on the concept of transforms, taking one piece of information and performing a lookup to determine another piece of information. Maltego's transform will perform a DNS lookup and find the IP address. Then you can apply another transform to map the IP address to an organization's name via a netblock lookup.
Followed by a whois lookup on the org name and determine their public PGP key. Next you can map that key to the names of people who have signed the key to get names of more people. The issue that presents itself once you start this search is the vast amounts of information that is available. It is difficult for the human brain to see obscure links between seemingly unrelated data. It is easy to see commonalities between pieces of information when displayed graphically. This tool can graphically display the links between pieces of data.
- Groups of people (social networks)
- Web sites
Internet infrastructure such as:
- DNS names
- IP addresses
- Documents and files
To create a new graph use either the ctrl + T keyboard command or click on the (+) button next to the application icon. Once the graph is available you can add entities and run transforms to change those entities. The palette is available once you click on the manage tab and see it listed under windows which contains a default collection of entities.(see Figure #9) The palette is where you will find all the Maltego concepts (listed above) that you can drag onto the graph and edit then run transforms on.
Select a node from the palette and drag it onto the graph, to edit the value double click on the text. Left click on the node you want to select (should see a rectangle appear around it in yellow) and you will be give a list of transforms to run. All the transforms can be displayed and a selection made by clicking on a transform name. Transforms can also be grouped logically by the user into sets. At the top is the Maltego application button that provides access to additional functionality and resources. Maltego can easily load and save graphs that are saved with an .mtgx extension.
When you right click on the entity and get a list of transforms available you can choose any one of the associated transforms or apply all by choosing “All” transforms. This will take some time to complete and generate a lot of traffic. The info pulled back from various public sources is displayed hierarchically related to your initial data point and can be viewed several ways. (see Figure #10 & #11)
Shodan add-on for Maltego which requires Maltego version 3+ and a Shodan API key. This gives you 6 transforms; searchShodan, searchExploitDB, searchMetasploit, getHostProfile, searchShodanDomain, searchShodanNetblock. (see Figure #12)
SHODAN is a search engine that lets you find specific computers (router, servers, etc) using a variety of filters. The bulk of data is taken from 'banners', which are meta-data the server sends back to the client. This is information about the server software, what options the service supports, banner message or anything else that the client would like to know before interacting with the server. You can enter into your search input box the following: SCADA city:"San Diego" country:US and this will return SCADA systems that are running in San Diego. This can be very helpful in doing penetration tests for public utilities.
Useful Google Search Directives
Google is a useful tool you can use to find vulnerable systems in your target environments. At this years BlackHat Las Vegas 2011 conference researchers warn that "You can do a Google search with your Web browser and start operating [circuit] breakers, potentially,"Building, attacking and defending SCADA systems in the Age of Stuxnet." Among the results was one referencing a "RTU pump status" for a Remote terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password - "1234."
There are many search directives that you can use such as site, link, intitle, inurl, and the all directive. The "site:" directive allows an attacker to search for pages on just a single site or domain, narrowing down and focusing the search. The "link:" directive shows sites that link to a given web site. The "intitle:" allows you to search within a title text. The 'inurl:" directive lets us search for specific terms to be included in the URL of a given site. The "all" search directives that indicate we want pages only with all of the terms we use to search such as "allintext:", "allintitle:", and "allinurl:". There is a good book on the subject by Syngress called Google Hacking for Penetration Testers volume 2. A very good source to find many different search options is the GHDB hosted by Hackers for Charity a group that I do volunteer work for. There are a number of items to search for such as:
Advisories and Vulnerabilities (215 entries)
These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.
Error Messages (68 entries)
Really retarded error messages that say WAY too much!
Files containing juicy info (230 entries)
No usernames or passwords, but interesting stuff none the less.
Files containing passwords (135 entries)
PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!
Files containing usernames (15 entries)
These files contain usernames, but no passwords... Still, google finding usernames on a web site..
Footholds (21 entries)
Examples of queries that can help a hacker gain a foothold into a web server
Pages containing login portals (232 entries)
These are login pages for various services. Front door of a website's more sensitive functions.
Pages containing network or vulnerability data (59 entries)
These pages contain such things as firewall logs, honeypot logs, network information, IDS logs
sensitive Directories (61 entries)
Google's collection of web sites sharing sensitive directories files contained sensitive to uber-secret!
sensitive Online Shopping Info (9 entries)
Examples of queries that can reveal online shopping info like customer data, suppliers, creditcard #'s
Various Online Devices (201 entries)
This category contains things like printers, video cameras, and all sorts of cool things found on the web
Vulnerable Files (57 entries)
HUNDREDS of vulnerable files that Google can find on websites...
Vulnerable Servers (48 entries)
These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.
Web Server Detection (72 entries)
These links demonstrate Google's awesome ability to profile web servers..
You can use many of the search terms above to search for a specific site you are doing reconnaissance on. A couple of other tools that implement many of the search terms contained in the GHDB are SiteDigger, Wikto, and Gooscan. SiteDigger runs on windows and generates its searches from a user-provided domain and the contents of either the GHDB or Foundstone's own FSDB of Google searches to find flawed systems. SiteDigger is now maintained by McAfee. Wikto performs Google searches using the GHDB against one or more user provided domains and runs on windows. Wikto provides several features, including a scan of the target webs servers looking for well-known vulnerable scripts. Gooscan runs on Linux and does not require a Google API key. It formulates queries for Google's regular human interface web page, and scrapes the results it gets back. The use of this tool could violate Google's terms of service.
The information in this article will be useful in preparing for your penetration test engagements. The reconnaissance phase used in many penetration tests and ethical hacking projects purpose is to gather information that will act as a firm foundation that testers will leverage for the remainder of the testing project.
SYS-CON Events announced today that CDS Global Cloud, an Infrastructure as a Service provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. CDS Global Cloud is an IaaS (Infrastructure as a Service) provider specializing in solutions for e-commerce, internet gaming, online education and other internet applications. With a growing number of data centers and network points around the world, ...
Oct. 26, 2016 09:45 PM EDT Reads: 3,660
Established in 1998, Calsoft is a leading software product engineering Services Company specializing in Storage, Networking, Virtualization and Cloud business verticals. Calsoft provides End-to-End Product Development, Quality Assurance Sustenance, Solution Engineering and Professional Services expertise to assist customers in achieving their product development and business goals. The company's deep domain knowledge of Storage, Virtualization, Networking and Cloud verticals helps in delivering ...
Oct. 26, 2016 09:45 PM EDT Reads: 1,129
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, will discuss how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team a...
Oct. 26, 2016 09:30 PM EDT Reads: 656
SYS-CON Events announced today that Transparent Cloud Computing (T-Cloud) Consortium will exhibit at the 19th International Cloud Expo®, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. The Transparent Cloud Computing Consortium (T-Cloud Consortium) will conduct research activities into changes in the computing model as a result of collaboration between "device" and "cloud" and the creation of new value and markets through organic data proces...
Oct. 26, 2016 08:15 PM EDT Reads: 1,474
In the next five to ten years, millions, if not billions of things will become smarter. This smartness goes beyond connected things in our homes like the fridge, thermostat and fancy lighting, and into heavily regulated industries including aerospace, pharmaceutical/medical devices and energy. “Smartness” will embed itself within individual products that are part of our daily lives. We will engage with smart products - learning from them, informing them, and communicating with them. Smart produc...
Oct. 26, 2016 08:00 PM EDT Reads: 1,573
SYS-CON Events announced today that Enzu will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to focus on the core of their online busine...
Oct. 26, 2016 08:00 PM EDT Reads: 1,428
WebRTC adoption has generated a wave of creative uses of communications and collaboration through websites, sales apps, customer care and business applications. As WebRTC has become more mainstream it has evolved to use cases beyond the original peer-to-peer case, which has led to a repeating requirement for interoperability with existing infrastructures. In his session at @ThingsExpo, Graham Holt, Executive Vice President of Daitan Group, will cover implementation examples that have enabled ea...
Oct. 26, 2016 07:00 PM EDT Reads: 2,352
SYS-CON Events announced today that Coalfire will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Coalfire is the trusted leader in cybersecurity risk management and compliance services. Coalfire integrates advisory and technical assessments and recommendations to the corporate directors, executives, boards, and IT organizations for global brands and organizations in the technology, cloud, health...
Oct. 26, 2016 06:30 PM EDT Reads: 1,669
In past @ThingsExpo presentations, Joseph di Paolantonio has explored how various Internet of Things (IoT) and data management and analytics (DMA) solution spaces will come together as sensor analytics ecosystems. This year, in his session at @ThingsExpo, Joseph di Paolantonio from DataArchon, will be adding the numerous Transportation areas, from autonomous vehicles to “Uber for containers.” While IoT data in any one area of Transportation will have a huge impact in that area, combining sensor...
Oct. 26, 2016 06:30 PM EDT Reads: 1,095
November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Penta Security is a leading vendor for data security solutions, including its encryption solution, D’Amo. By using FPE technology, D’Amo allows for the implementation of encryption technology to sensitive data fields without modification to schema in the database environment. With businesses having their data become increasingly more complicated in their mission-critical applications (such as ERP, CRM, HRM), continued ...
Oct. 26, 2016 06:15 PM EDT Reads: 1,153
SYS-CON Events announced today that Cloudbric, a leading website security provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Cloudbric is an elite full service website protection solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Sys...
Oct. 26, 2016 05:15 PM EDT Reads: 1,290
"Matrix is an ambitious open standard and implementation that's set up to break down the fragmentation problems that exist in IP messaging and VoIP communication," explained John Woolf, Technical Evangelist at Matrix, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Oct. 26, 2016 05:00 PM EDT Reads: 9,074
WebRTC sits at the intersection between VoIP and the Web. As such, it poses some interesting challenges for those developing services on top of it, but also for those who need to test and monitor these services. In his session at WebRTC Summit, Tsahi Levent-Levi, co-founder of testRTC, reviewed the various challenges posed by WebRTC when it comes to testing and monitoring and on ways to overcome them.
Oct. 26, 2016 05:00 PM EDT Reads: 4,209
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...
Oct. 26, 2016 04:00 PM EDT Reads: 2,128
In his general session at 18th Cloud Expo, Lee Atchison, Principal Cloud Architect and Advocate at New Relic, discussed cloud as a ‘better data center’ and how it adds new capacity (faster) and improves application availability (redundancy). The cloud is a ‘Dynamic Tool for Dynamic Apps’ and resource allocation is an integral part of your application architecture, so use only the resources you need and allocate /de-allocate resources on the fly.
Oct. 26, 2016 04:00 PM EDT Reads: 3,838
SYS-CON Events announced today that SoftNet Solutions will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. SoftNet Solutions specializes in Enterprise Solutions for Hadoop and Big Data. It offers customers the most open, robust, and value-conscious portfolio of solutions, services, and tools for the shortest route to success with Big Data. The unique differentiator is the ability to architect and ...
Oct. 26, 2016 03:30 PM EDT Reads: 1,089
SYS-CON Events announced today that Embotics, the cloud automation company, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Embotics is the cloud automation company for IT organizations and service providers that need to improve provisioning or enable self-service capabilities. With a relentless focus on delivering a premier user experience and unmatched customer support, Embotics is the fas...
Oct. 26, 2016 02:00 PM EDT Reads: 1,017
SYS-CON Events announced today that MathFreeOn will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MathFreeOn is Software as a Service (SaaS) used in Engineering and Math education. Write scripts and solve math problems online. MathFreeOn provides online courses for beginners or amateurs who have difficulties in writing scripts. In accordance with various mathematical topics, there are more tha...
Oct. 26, 2016 01:30 PM EDT Reads: 1,120
SYS-CON Events announced today that Niagara Networks will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Niagara Networks offers the highest port-density systems, and the most complete Next-Generation Network Visibility systems including Network Packet Brokers, Bypass Switches, and Network TAPs.
Oct. 26, 2016 01:15 PM EDT Reads: 1,429
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
Oct. 26, 2016 01:00 PM EDT Reads: 5,036