Information gathering is one of the most important stages of an attack. This is where we gather basic information about our target so that we can launch the attack later on.
Google hacking
Searching within a domain
The site: operator restricts the results to websites in a given domain.
site: microsoft.com
Let's try the filetype: operator
filetype:pdf site:microsoft.com
Whois reconnaissance
Whois is the name of a TCP service, a tool and a database. Whois databases contain nameservers, the registrar and, in some cases, full contact information for the domain name.
whois checkpoint.com
Whois can also perform reverse lookups: rather than a domain name we can input an IP address. The whois result usually includes the whole network range that belongs to the organization.
Sunday, February 7, 2010
Open Service Information Gathering
Implementation of various service enumeration methods such as SNMP, SMTP, DNS, etc.
#nslookup
> www.checkpoint.com
Identify mail servers belonging to an organization
> set type=mx
> checkpoint.com
Identify all the DNS servers authoritative for a domain
> set type=ns
> checkpoint.com
Using the BackTrack tool
#cd /pentest/enumeration/dnsenum/
./dnsenum.pl
SNMP reconnaissance
SNMP is a management protocol and is often used to monitor and remotely configure servers and network devices.
SNMP is based on UDP, a stateless protocol, and is therefore susceptible to IP spoofing. In addition, SNMP has a weak authentication system: private (rw) and public (r) community strings. These community strings are passed unencrypted over the network and are often left at their default values "private" and "public".
Let's examine some information from a Windows host running SNMP by using the following command:
snmpwalk -c public -v1
Let me demonstrate some interesting commands:
snmpwalk -c public -v1 192.168.0.110 SNMPv2-MIB::sysDescr.0
Enumerating Windows users
snmpwalk -c public -v1 192.168.0.110 1.3 |grep 77.1.2.25 |cut -d" " -f4
Enumerating running services
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWRunName|cut -d" " -f4
Enumerating open TCP ports
snmpwalk -c public -v1 192.168.0.110 1 |grep tcpConnState |cut -d"." -f6 |sort -nu
Enumerating installed software
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWInstalledName
There are lots of other interesting searches we can do. As usual, there are more specialized tools for this task; I personally like snmpenum.pl and snmpcheck.pl.
You can find them in /pentest/enumeration/snmpenum
./snmpcheck-1.3.pl -t 192.168.0.110
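The grep/cut pipelines above break on values that contain spaces (cut -d" " -f4 keeps only the first word and leaves the surrounding quotes), so an inventory built from them is unreliable. The following added example, not part of the original post, parses snmpwalk's "OID = TYPE: value" lines properly and extracts the same five items (sysDescr, LanManager users under 77.1.2.25, hrSWRunName, listening tcpConnState ports, hrSWInstalledName); the walk text is constructed, not captured from a real host.

```python
import re

# Constructed sample of `snmpwalk -v1` output (not from a real host).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
HOST-RESOURCES-MIB::hrSWRunName.8 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.1044 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "Security Update for Windows 2000"
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.0.110.139.192.168.0.5.1067 = INTEGER: established(5)
"""

# One walk line: "<oid> = <TYPE>: <value>"; the value may itself contain spaces and colons.
LINE_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$')

def parse_walk(text):
    """Yield (oid, type, value) per line, stripping the quotes snmpwalk adds around STRING values."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line values are ignored here
        value = m.group("value")
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        yield m.group("oid"), m.group("type"), value

def summarize(text):
    """Build the same inventory the grep/cut pipelines aim at, without truncating values."""
    info = {"sysDescr": None, "users": [], "processes": [], "listening_tcp": [], "software": []}
    for oid, _typ, value in parse_walk(text):
        if oid.startswith("SNMPv2-MIB::sysDescr."):
            info["sysDescr"] = value
        elif "77.1.2.25" in oid:          # LanManager user table, the same match as grep 77.1.2.25
            info["users"].append(value)
        elif "hrSWRunName" in oid:
            info["processes"].append(value)
        elif "hrSWInstalledName" in oid:
            info["software"].append(value)
        elif "tcpConnState" in oid and value.startswith("listen"):
            # index is localAddr(4 fields).localPort.remoteAddr(4).remotePort: port is dotted field 6
            port = int(oid.split(".")[5])
            if port not in info["listening_tcp"]:
                info["listening_tcp"].append(port)
    info["listening_tcp"].sort()
    return info

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_WALK).items():
        print(f"{key}: {val}")
```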
SMTP reconnaissance
Under certain misconfigurations, mail servers can also be used to gather information about a host or network. SMTP supports several interesting commands such as VRFY and EXPN.
A VRFY request asks the server to verify an email address while EXPN asks the server for the membership of a mailing list. These can often be abused in order to verify existing users on a mail server, which can aid the attacker later.
Let's look at an example:
nc -v 192.168.0.10 25
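The reply code tells you whether a server actually discloses anything: 250/251 confirms the address, 252 means "cannot verify, will accept mail anyway" and gives nothing away, and 5xx means the command is disabled or the address was rejected. The following added example, not part of the original post, turns that into an audit you can run against a mail server you administer, using smtplib's verify() and expn() calls; the two ScriptedMTA objects are constructed stand-ins so the block also runs offline.

```python
import smtplib

# Verdicts by SMTP reply code (RFC 5321): 250/251 confirm the address and so disclose it;
# 252 means the server will not verify but would try to deliver; 5xx is disabled/rejected.
def interpret(code):
    if code in (250, 251):
        return "disclosing"
    if code == 252:
        return "not-disclosing"
    if 500 <= code < 600:
        return "refused"
    return "other"

def audit_mta(client, probe_user="postmaster", probe_list="staff"):
    """Issue VRFY and EXPN on a connected smtplib.SMTP-like object; map command -> (code, verdict)."""
    results = {}
    code, _msg = client.verify(probe_user)
    results["VRFY"] = (code, interpret(code))
    code, _msg = client.expn(probe_list)
    results["EXPN"] = (code, interpret(code))
    return results

def audit_host(host, port=25, timeout=10):
    """Live check of a host you administer (hypothetical usage; network access required)."""
    with smtplib.SMTP(host, port, timeout=timeout) as client:
        client.ehlo()
        return audit_mta(client)

class ScriptedMTA:
    """Constructed stand-in for a mail server: returns fixed (code, message) replies."""
    def __init__(self, vrfy_reply, expn_reply):
        self._vrfy, self._expn = vrfy_reply, expn_reply
    def verify(self, address):
        return self._vrfy
    def expn(self, address):
        return self._expn

# Constructed policies: a permissive MTA that confirms users and lists members,
# and a hardened one that answers 252 to VRFY and refuses EXPN with 502.
PERMISSIVE = ScriptedMTA((250, b"2.1.5 <postmaster@example.com>"), (250, b"2.1.5 <alice@example.com>"))
HARDENED = ScriptedMTA((252, b"2.5.2 Cannot VRFY user"), (502, b"5.5.1 EXPN not implemented"))

if __name__ == "__main__":
    for name, mta in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit_mta(mta))
```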