Information Gathering
2012 BackTrack Workshop
Upstate ISSA Chapter
Agenda
Intelligence Gathering
Publicly Available Information
Google Hacking
DNS Enumeration
Maltego
Intelligence Gathering
Special Forces conduct successful operations based on intelligence
The more information, the more successful the operation
Most of a pentesting engagement is dedicated to reporting and information gathering
Publicly Available Information
Website Analysis
Whois
Netcraft
Mapping Physical Locations
Social Media
SHODAN
Maltego
Website Analysis
What’s Hiding in the Code?
Whois
whois -h org.whois-servers.net issa.org
Netcraft
Mapping Physical Locations
Social Media
SHODAN
Google Hacking
goofile
goohost
gooscan
metagoofil
theHarvester
goofile
goohost
gooscan
Metagoofil
theHarvester
./theHarvester.py -d issa.org -l 500 -b google
DNS Enumeration
DNS Record Types
Zone Transfers
dnsenum
fierce
DNS Record Types
SOA = Start of Authority
NS = Name Server
A = Address (Host)
CNAME = Canonical Name (Alias)
MX = Mail Exchanger
SRV = Service Locator
TXT = Text Data
Zone Transfer (IP Information)
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . : test.com
Description . . . . . . . . . . . : Intel(R) WiFi Link 1000 BGN
Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.10.28
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DHCP Server . . . . . . . . . . . : 192.168.10.150
DNS Servers . . . . . . . . . . . : 192.168.10.150
192.168.10.151
Primary WINS Server . . . . . . . : 192.168.10.150
Secondary WINS Server . . . . . . : 192.168.10.151
Lease Obtained. . . . . . . . . . : Monday, January 03, 2012 7:46:22 PM
Lease Expires . . . . . . . . . . : Tuesday, January 04, 2012 3:46:22 AM
Zone Transfer (Conduct AXFR)
D:\>nslookup
Default Server: ns1.test.com
Address: 192.168.10.150
> server 192.168.10.151
Default Server: ns2.test.com
Address: 192.168.10.151
> set type=any
> ls -d fluor.com
Zone Transfer (Results)
Default Server: ns1.test.com
Address: 192.168.10.10
> > [ns1.test.com]
 test.com.                      NS     ns1.test.com
 test.com.                      NS     ns2.test.com
 ns1                            A      192.168.10.10
 ns2                            A      192.168.10.11
 payroll                        A      192.168.10.199
 server1                        A      192.168.10.215
 192.168.1.1                    TXT    "Core Switch GigabitEthernet 0/0"
 dnsserver                      CNAME  ns1.test.com
 _kerberos._tcp.WashingtonDC._sites.dc._msdcs  SRV  priority=0, weight=100, port=88, server1.test.com
 _ldap._tcp.WashingtonDC._sites.dc._msdcs      SRV  priority=0, weight=100, port=389, server1.test.com
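As an added example (not part of the workshop slides or any of the tools listed), a small Python script that parses an nslookup "ls -d" zone dump like the one above into records and flags what a defender would review before a zone is reachable from the outside: private addresses, descriptive TXT records, and SRV records pointing at domain controllers. The sample dump is a constructed re-typing of the results slide; its column layout is an assumption about how nslookup printed it.

```python
import ipaddress
import re

# Constructed sample: the nslookup "ls -d" output from the results slide,
# re-typed so the script runs offline (name / type / data columns assumed).
ZONE_DUMP = """\
 test.com.                      NS     ns1.test.com
 test.com.                      NS     ns2.test.com
 ns1                            A      192.168.10.10
 ns2                            A      192.168.10.11
 payroll                        A      192.168.10.199
 server1                        A      192.168.10.215
 192.168.1.1                    TXT    "Core Switch GigabitEthernet 0/0"
 dnsserver                      CNAME  ns1.test.com
 _kerberos._tcp.WashingtonDC._sites.dc._msdcs  SRV  priority=0, weight=100, port=88, server1.test.com
 _ldap._tcp.WashingtonDC._sites.dc._msdcs      SRV  priority=0, weight=100, port=389, server1.test.com
"""

# One record per line: owner name, record type, then everything else as data.
RECORD_RE = re.compile(r"^\s*(\S+)\s+(SOA|NS|A|CNAME|MX|SRV|TXT)\s+(.*?)\s*$")

def parse_zone_dump(text):
    """Parse 'ls -d' lines into (name, type, data) tuples; prompt lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return records

def audit_zone(records):
    """Return human-readable findings for records that disclose internal detail."""
    findings = []
    for name, rtype, data in records:
        if rtype == "A":
            try:
                if ipaddress.ip_address(data).is_private:
                    findings.append(f"{name}: A record exposes private address {data}")
            except ValueError:
                pass  # data was not a literal IP address
        elif rtype == "TXT":
            findings.append(f"{name}: TXT record leaks description {data}")
        elif rtype == "SRV" and name.startswith(("_kerberos", "_ldap")):
            target = data.split(",")[-1].strip()  # last SRV field is the target host
            findings.append(f"{name}: SRV record reveals domain controller {target}")
    return findings

if __name__ == "__main__":
    for finding in audit_zone(parse_zone_dump(ZONE_DUMP)):
        print(finding)
```

Running the script against a dump of your own zone shows at a glance which records an AXFR would hand to anyone the server answers; the fix is to restrict transfers to the secondaries and remove records that do not need to be public.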
dnsenum
fierce
Maltego
Bookmarks
johnny.ihackstuff.com
securitytube.net
paterva.com