Information Gathering

You don’t go directly to the web site. You start by reviewing the publicly available information. You decide upon a goal.

The Passive Information Gathering whitepaper by Gunter Ollmann, Professional Services Director at Next Generation Security Software, Ltd., is good orientation. There may be useful information already leaked. It may not be reliable information, but there’s a good chance you can save yourself a lot of time without touching the web site.

Retain the information for future reference.

The Sam Spade utilities look up DNS and domain information. Frequently under revision, but one stable source is petri.co.il.

Use Maltego and Pipl to learn published information scattered across the Internet. Maltego uses nslookup, SecretSniff, Robtex. Pipl uses a different set of sources.

• Robtex Internet toolkit collects information about the domain
• showsiteinfo, siteshakedown, spyonweb and push2check reveal additional public information about the domain

Collect and document information about the company’s Internet presence. This would include:

• Internet Service Registration – The global registration and maintenance of IP address information
• Domain Name System – Local and global registration and maintenance of host naming
• Search Engines – The specialist retrieval of distributed material relating to an organization or their employees
• Email Systems – The information contained within each email delivery process
• Naming Conventions – The way an organization encodes or categorizes the services their online hosts provide and the email address conventions (which often reflect userid conventions).
• Website Analysis – The information intentionally and unintentionally made public, that may pose a risk to security

hpHosts consolidates a lot of information about web sites. vURL can be used to review the company’s web pages through proxies.

AS Numbers Query (http://asnumbers.net/)

Retain the information for future reference.

• Source sifting (website review) SamSpade Google Hacking Database
• Googlehacking, Googledorks (such as those found through PenTestIT), Google Advanced Search Operators
• Search engines Google Google Groups AltaVista DogPile MSN
• Securities and Exchange Commission (SEC) Edgar database
• Business information sites
• News groups, USENET Searching
• What’s that site running? netcraft.com
• web-sniffer.net View HTTP Request and Response Header
• Big Brother Network and System Monitor
• WHOIS Enumeration (Find the registry, then the registrar, then the registrant)
• TechnicalInfo.net
• DNS Enumeration
  

  Forward nslookup	nslookup hostname
  Reverse nslookup	nslookup ip_address
  Zone Transfer (should not be permitted)	#nslookup >server dns_ip_address >set type=any >ls -d target_domain >exit

• Network Reconnaissance
  • Traceroute or Tracert or Looking Glass
  • Trout
  • Neotrace
  • tcptraceroute
  • 3d traceroute

  UNIX Traceroute (UDP)	traceroute hostname/ip
  UNIX Traceroute (ICMP)	traceroute -I hostname/ip
  Windows Tracert (ICMP)	tracert hostname / ip
  Windows Trout or NeoTrace (ICMP)	Trout or NeoTrace (GUI)
  UNIX tcptraceroute (TCP)	(see man page)

What have others found? See Un1c0rn.

Does NTP report the hosts which have queried NTP? It could be used for further network enumeration.

– Border Gateway Protocol (BGP) Queries
– About BGP:12
AS numbers are used to identify the autonomous systems that a route has already passed through, which prevents routing advertisement loops; and to determine the origin of routes. Folks often use AS-PATHs in their route selection policy to, for example, use a particular transit provider that is known to have good connectivity to AOL; or not use someone who may have poor connectivity to them.
A good way to understand things in the real world is to use Looking Glasses by ISPs. For example, go to lg.he.net or lg.level3.net and do a bgp query with another providers IP as the argument. you will see how the possible paths to the specific IP, and you will see the AS numbers (networks) it has to go thru inorder to reach that IP.
—www.arin.net (find target’s AS number)
—neptune.dti.ad.jp (query BGP via web)

1. Reconnaissance
2. Scanning & enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

nmap (the most utilized penetration testing tool)

Metasploit framework Metasploit: A Penetration Tester’s Guide

Don’t Pick the Lock, Steal the Key – Password Auditing with Metasploit

Armitage – A GUI for Metasploit

Maligno is an open source penetration testing tool written in python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

SinFP3 is an operating system fingerprinting tool

Pushpin will identify every tweet, flicker pic and Youtube video within an area of a specific Geo address.  Example Usage:

python ./pushpin.py -c 42.3534688,-71.0611556 –all

For latitude and longitude, see http://itouchmap.com/latlong.html

Nessus

eEye Retina

Core Impact

netcat: an asynchronous port scanner (a load balancer can shape traffic and slow down scans; that is, has IPS functions)

For more specialized penetration testing tools, see http://wiki.remote-exploit.org/backtrack/wiki/Category

BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments.

And also consider this version of the steps for penetration testing with 10 (instead of 5) steps:

http://www.dba-oracle.com/forensics/t_forensics_network_attack.htm

http://www.ivizsecurity.com/network-penetration.html

http://www.ivizsecurity.com/application-penetration.html

Find open directories with Google by searching for ” Name Last modified Size Description”:

http://www.google.com/search?hl=en&q=%22+Name++++++++++++++++++++Last+modified+++++++Size++Description%22