Information Gathering
2012 BackTrack Workshop
Upstate ISSA Chapter
Agenda
Intelligence Gathering
Publicly Available Information
Google Hacking
DNS Enumeration
Maltego
Intelligence Gathering
Special Forces conduct successful operations based on intelligence
The more information, the more successful the operation
Most of a pentesting engagement is dedicated to information gathering and reporting
Publicly Available Information
Website Analysis
Whois
Netcraft
Mapping Physical Locations
Social Media
SHODAN
Maltego
Website Analysis
What’s Hiding in the Code?
Whois
whois -h org.whois-servers.net issa.org
Netcraft
Mapping Physical Locations
Social Media
SHODAN
Google Hacking
goofile
goohost
gooscan
metagoofil
theHarvester
goofile
goohost
gooscan
Metagoofil
theHarvester
./theHarvester.py -d issa.org -l 500 -b google
DNS Enumeration
DNS Record Types
Zone Transfers
dnsenum
fierce
DNS Record Types
SOA = Start of Authority
NS = Name Server
A = Address (Host)
CNAME = Canonical Name (Alias)
MX = Mail Exchanger
SRV = Service Locator
TXT = Text Data
Zone Transfer (IP Information)
Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix . : test.com
   Description . . . . . . . . . . . : Intel(R) WiFi Link 1000 BGN
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.10.28
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.150
   DNS Servers . . . . . . . . . . . : 192.168.10.150
                                       192.168.10.151
   Primary WINS Server . . . . . . . : 192.168.10.150
   Secondary WINS Server . . . . . . : 192.168.10.151
   Lease Obtained. . . . . . . . . . : Monday, January 03, 2012 7:46:22 PM
   Lease Expires . . . . . . . . . . : Tuesday, January 04, 2012 3:46:22 AM
Zone Transfer (Conduct AXFR)
D:\>nslookup
Default Server:  ns1.test.com
Address:  192.168.10.150

> server 192.168.10.151
Default Server:  ns2.test.com
Address:  192.168.10.151

> set type=any
> ls -d fluor.com
Zone Transfer (Results)
Default Server:  ns1.test.com
Address:  192.168.10.10

>
> [ns1.test.com]
 test.com.                                     NS     ns1.test.com
 test.com.                                     NS     ns2.test.com
 ns1                                           A      192.168.10.10
 ns2                                           A      192.168.10.11
 payroll                                       A      192.168.10.199
 server1                                       A      192.168.10.215
 192.168.1.1                                   TXT    "Core Switch GigabitEthernet 0/0"
 dnsserver                                     CNAME  ns1.test.com
 _kerberos._tcp.WashingtonDC._sites.dc._msdcs  SRV    priority=0, weight=100, port=88, server1.test.com
 _ldap._tcp.WashingtonDC._sites.dc._msdcs      SRV    priority=0, weight=100, port=389, server1.test.com
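The zone above leaks hostnames such as payroll, a TXT record describing the core switch, and the SRV records that locate the domain controller; the fix on the server side is to allow AXFR only to the real secondary. The BIND 9 named.conf fragments below are an added example, not part of the workshop slides: ns1/ns2 at 192.168.10.150/.151 are taken from the slides, while the key name and the secret value are placeholders you generate yourself (tsig-keygen on current BIND, dnssec-keygen on older releases).

```conf
// WEAK: any host that can reach port 53 can pull the whole zone
// (this is what "nslookup > ls -d test.com" relies on).
zone "test.com" {
    type master;
    file "/etc/bind/db.test.com";
    allow-transfer { any; };
};

// HARDENED primary (ns1, 192.168.10.150): transfers go only to the
// secondary, and only when the request is signed with the shared TSIG key.
key "ns1-ns2" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_FROM_tsig-keygen";   // placeholder, generate your own
};

server 192.168.10.151 {                              // sign traffic to ns2
    keys { "ns1-ns2"; };
};

zone "test.com" {
    type master;
    file "/etc/bind/db.test.com";
    allow-transfer { key "ns1-ns2"; };               // TSIG-signed requests only
    also-notify { 192.168.10.151; };                 // push NOTIFY to ns2 on change
};

// HARDENED secondary (ns2, 192.168.10.151): sign AXFR/IXFR requests to ns1
// with the same key and refuse to hand the zone out to anyone else.
key "ns1-ns2" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_FROM_tsig-keygen";   // same secret as on ns1
};

server 192.168.10.150 {
    keys { "ns1-ns2"; };
};

zone "test.com" {
    type slave;
    file "/var/cache/bind/db.test.com";
    masters { 192.168.10.150; };
    allow-transfer { none; };
};
```

After rndc reload, an unsigned transfer request from any other host is answered with REFUSED and the ls -d listing shown above comes back empty; this closes the AXFR path but does not remove the data from the zone, so records like the TXT switch description still deserve review.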
dnsenum
fierce
Maltego
Bookmarks
johnny.ihackstuff.com
securitytube.net
paterva.com