Infrastructures

1.4. Infrastructures

The main goal of this step is to retrieve data such as:

  • Domains

  • Netblocks or IP addresses

  • Mail servers

  • ISPs used

  • Any other technical information

In this process you could retrieve information that is outside the Scope of Engagement, so be careful: anything outside the agreed scope is recorded but must not be probed further.

As the Scope of Engagement (SoE) for your penetration test, your customer can give you:

  1. The name of the organization (full scope test)

  2. IP addresses or net blocks to test

From this moment on, the approach heavily depends upon the SoE. In this section, we will assume the cases listed below:

  • We have the name of the organization

  • We only have specific net block(s) to test

Scope of engagement
  |
  |-- Case 1: full scope (organization name)
  |     |-- DNS   -> DNS enumeration, WhoIs
  |     |-- IP    -> reverse lookup, Bing "ip:" search, further DNS
  |
  |-- Case 2: netblocks / IP addresses
        |-- Live hosts
        |-- Further DNS

In this section we follow the full scope engagement. It is the closest to how an external attacker proceeds: at the beginning the attacker knows only the name of the target organization and derives as much information as possible from it.

1.4.1. Domains

This process aims to collect all the hostnames related to the organization and their IP addresses.

This process ends when we obtain the following information:

  • Domains

  • DNS servers in use

  • Mail servers

  • IP addresses

We can use WhoIs, available both as web services and as a command-line client (whois). The WhoIs protocol runs on TCP port 43.

Whois is a query/response protocol, widely used for querying the databases of domain registrars and Regional Internet Registries, in order to determine:

  • The owner of a domain name

  • IP address or range

  • Autonomous system

  • Technical contacts

  • Expiration date of the domain

Note: A Regional Internet Registry (RIR) is an organization that manages resources such as IP addresses and Autonomous System Numbers for a specific region. There are five RIRs, and each provides WhoIs information for the resources it allocates:

  • AFRINIC (Africa)

  • APNIC (Asia Pacific)

  • RIPE NCC (Europe, the Middle East and parts of Central Asia)

  • ARIN (North America)

  • LACNIC (Latin America)

A wealth of information can be obtained from WhoIs searches that will kickstart your investigation in the right direction:

  • Number Resource Records

  • Network Numbers (IP Addresses) referred to as NETs

  • Autonomous System Numbers referred to as ASNs

  • Organization records referred to as ORGs

  • Point of Contact records referred to as POCs

  • Referrals to the authoritative information for resources (such as Autonomous System Numbers) registered outside of the RIR being queried

Note that RIRs are not responsible for the accuracy of the information within the databases they maintain. The responsibility for the validity of the records belongs to the individual organizations, which have to keep their record information accurate and up to date. Expect stale contacts and netblocks that have changed hands.

1.4.1.1. DNS Records

DNS is a distributed database arranged hierarchically. Its purpose is to provide a means to use hostnames rather than IP addresses.

DNS is a key aspect of Information Security because it binds a hostname to an IP address, and most higher-level protocols trust that binding: a client that is fed a forged answer connects to the attacker's host. SSL/TLS helps only as far as the client verifies the server certificate against the name it asked for; a protocol that does not authenticate the endpoint is exactly as safe as the DNS answer it acted on.

DNS queries produce listings called Resource Records. This is a representation of Resource Records:

______________________________________
|         Resource Records           |
|____________________________________|
|       TTL     |   Record Class     |
|____________________________________|
|  SOA | NS | A | PTR | CNAME |  MX  |
|____________________________________|
  • Resource Record name A Resource Record starts with a domain name, usually a fully qualified domain name. If anything other than a fully qualified domain name is used, the name of the zone the record is in is automatically appended to the end of the name.

  • TTL (Time-To-Live) Recorded in seconds, it tells resolvers how long they may cache the record. A record without an explicit TTL takes the zone default (the $TTL directive in current zone files; older servers fell back to the minimum value in the Start Of Authority (SOA) record, which today governs negative caching instead)

  • Record Class Internet (IN), Hesiod (HS), or Chaos (CH); practically everything you will meet is IN

  • SOA (Start of Authority) Indicates the beginning of a zone and must be the first record in a zone file. There can be only one SOA record per zone. It defines values for the zone such as the serial number, the primary name server, the contact mailbox and various refresh and expiration timers

  • NS (Name Server) Defines an authoritative name server for a zone, and delegates authority to a name server for a child zone. NS records are the glue that binds the distributed database together.

  • A (Address) Simply maps a hostname to an IPv4 address (AAAA does the same for IPv6). Zones with A records are called 'forward' zones.

  • PTR Maps an IP address to a hostname, stored under in-addr.arpa (IPv4) or ip6.arpa (IPv6). Zones with PTR records are called 'reverse' zones.

  • CNAME Maps an alias hostname to its canonical hostname, which in turn carries the A (or other) records.

  • MX Specifies a host that will accept email on behalf of a given domain. Each MX record carries a preference value; a domain may have several MX records, and together they form a prioritized list (lowest value tried first).

1.4.1.2. DNS Enumeration

DNS lookup is the simplest query a DNS server can receive: it asks the server to resolve a given hostname to the corresponding IP address. You can do so with nslookup or dig.

In order to collect the highest number of domains and subdomains related to the organization, we can use different techniques.

  • DNS Lookup (and reverse DNS Lookup)

    nslookup domainname.com

    or

    dig domainname.com +short

    Reverse DNS Lookup

    nslookup -type=PTR ipaddress

    or

    dig -x ipaddress

    (dig -x builds the in-addr.arpa name for you; asking dig for a PTR of the bare address would query the literal string "ipaddress" as a name and return nothing useful.)
  • MX Lookup Retrieve list of servers responsible for delivering emails for that domain.

    nslookup -type=MX domainname.com

    or

    dig domainname.com MX
  • Zone Transfers A zone transfer (AXFR) copies the whole zone from an authoritative server. It is meant for replication between an organization's own name servers and should be allowed only from trusted IP addresses; a server that answers anyone's AXFR request is misconfigured. When it is allowed, we obtain every record of the zone in one request: all the A records (hence all the sub domains), plus NS, MX, CNAME and the rest.

    The request has to go to a server that holds the zone, that is, one of the organization's authoritative name servers. These are found by executing:

    nslookup -type=NS domainname.com

    or

    dig domainname.com NS

    Then, against each name server returned (ns1.domainname.com below stands for one of them):

    >nslookup
    >server ns1.domainname.com
    >ls -d domainname.com

    or

    dig axfr @ns1.domainname.com domainname.com

    Try every name server, since secondaries are often configured less strictly than the primary. The ls command exists only in the Windows nslookup; on Linux and macOS use dig. A properly configured server refuses the request and dig reports that the transfer failed.
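The records described in 1.4.1.1 and the zone transfer above are easier to work with once parsed. The following Python script is an added example, not part of these notes: it builds the dig axfr command line for each name server and parses the zone-file style text that dig prints into records, then pulls out the hostnames, mail servers and name servers this step is after, and flags private addresses leaked through the public zone. The sample transfer is constructed (targetorg.com, its hosts and addresses are invented); on an engagement, feed it the real output of dig axfr.

```python
"""Parse a DNS zone transfer (dig axfr output / zone-file text) into records.

Added example, not part of the original notes.  The sample zone below is
constructed; targetorg.com, its hosts and addresses are made up.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: what `dig axfr @ns1.targetorg.com targetorg.com` could print
# on a name server that allows zone transfers from anyone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.targetorg.com targetorg.com
;; global options: +cmd
targetorg.com.          3600    IN      SOA     ns1.targetorg.com. hostmaster.targetorg.com. 2024010101 7200 3600 1209600 300
targetorg.com.          3600    IN      NS      ns1.targetorg.com.
targetorg.com.          3600    IN      NS      ns2.targetorg.com.
targetorg.com.          3600    IN      MX      10 mail.targetorg.com.
targetorg.com.          3600    IN      MX      20 mail2.targetorg.com.
targetorg.com.          3600    IN      A       66.200.110.100
ns1.targetorg.com.      3600    IN      A       66.200.110.10
ns2.targetorg.com.      3600    IN      A       66.200.110.11
mail.targetorg.com.     3600    IN      A       66.200.110.20
mail2.targetorg.com.    3600    IN      A       66.200.110.21
www.targetorg.com.      300     IN      CNAME   targetorg.com.
intranet.targetorg.com. 3600    IN      A       10.10.5.25
dev                     3600    IN      A       66.200.110.101
targetorg.com.          3600    IN      SOA     ns1.targetorg.com. hostmaster.targetorg.com. 2024010101 7200 3600 1209600 300
;; Query time: 12 msec
;; XFR size: 14 records (messages 1, bytes 420)
"""


def axfr_commands(zone, nameservers):
    """dig command lines to try a zone transfer against each authoritative server."""
    return ["dig axfr @%s %s" % (ns, zone) for ns in nameservers]


def parse_zone(text, zone):
    """Turn zone-file style lines into dicts: name, ttl, class, type, rdata.

    Comment lines (';') are skipped.  A name without a trailing dot is
    relative to the zone, so the zone name is appended, as in a zone file.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] not in ("IN", "CH", "HS"):
            continue  # not a resource record line
        name = fields[0]
        if not name.endswith("."):
            name = "%s.%s." % (name, zone.rstrip("."))
        records.append({
            "name": name.rstrip(".").lower(),
            "ttl": int(fields[1]),
            "class": fields[2],
            "type": fields[3],
            "rdata": " ".join(fields[4:]),
        })
    return records


def summarize(records):
    """Derive what this step is after: hostnames -> IPs, mail servers, name servers."""
    hosts = defaultdict(set)
    mail, ns, aliases, private = [], [], {}, set()
    for r in records:
        if r["type"] == "A":
            ip = ipaddress.ip_address(r["rdata"])
            hosts[r["name"]].add(str(ip))
            if ip.is_private:  # internal address exposed through the external zone
                private.add(r["name"])
        elif r["type"] == "MX":
            prio, host = r["rdata"].split()
            mail.append((int(prio), host.rstrip(".").lower()))
        elif r["type"] == "NS":
            ns.append(r["rdata"].rstrip(".").lower())
        elif r["type"] == "CNAME":
            aliases[r["name"]] = r["rdata"].rstrip(".").lower()
    return {
        "hosts": {h: sorted(v) for h, v in hosts.items()},
        "mail_servers": [h for _, h in sorted(mail)],  # lowest preference first
        "name_servers": sorted(set(ns)),
        "aliases": aliases,
        "internal_hosts": sorted(private),
    }


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_AXFR, "targetorg.com")
    info = summarize(recs)
    for cmd in axfr_commands("targetorg.com", info["name_servers"]):
        print(cmd)
    for host, ips in sorted(info["hosts"].items()):
        print("%-28s %s" % (host, ", ".join(ips)))
    print("mail:", info["mail_servers"])
    print("internal addresses exposed:", info["internal_hosts"])
```

The relative name "dev" in the sample shows the rule from 1.4.1.1 at work: the zone name is appended, giving dev.targetorg.com. The intranet entry is the kind of finding a zone transfer hands you for free: a private address that tells you something about the internal network without touching it.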

1.4.1.3. IP

Once we have found the hostnames related to the organization, we can move on to determining their IP addresses and, potentially, any netblocks associated with the organization.

Mail servers, name servers, domains, and subdomains will all be used in this phase.

Steps:

  1. Resolve all hostnames we have in order to determine the IP addresses used

nslookup ns.targetorg.com
Server: 192.168.254.254 // DNS that will handle the query
Address: 192.168.254.254

Non-authoritative answer:
Name: ns.targetorg.com
Address: 66.200.110.100 // IP address
  2. Is this IP address hosting only that given domain?

It is possible that more than one domain is configured on the same IP address, even if a PTR record is not set. This is a common scenario with shared hosting, where hundreds of websites are configured on the same server. It is also typical in corporate networks, where multiple sub domains run on the same web server.

For example, you have discovered that the name server of the target organization is on 66.200.110.100. How do you determine other sub domains on the same IP?

The first technique to try is a reverse lookup, which returns only the PTR name(s) the address owner chose to publish, often just one. The second is asking Google or Bing.

Bing offers a query filter that returns the websites it has indexed on a given IP address. We just need to use the ip filter followed by the IP address of our target, e.g. ip:199.193.116.231

Other tools:

Repeat the process until you are satisfied with the data enumerated. For larger engagements, you will have to map IP addresses and related domains using mind mapping tools.

  1. Who does this IP address belong to?

  • Netblock A netblock is a contiguous range of IP addresses, usually assigned to one organization, with a starting and an ending address. Larger netblocks are given to larger organizations. Example: 192.168.0.0-192.168.255.255

    This netblock can also be described as follows:

    • 192.168.0.0/16 (CIDR notation)

    • 192.168.0.0 with netmask 255.255.0.0

  • Autonomous System An Autonomous System is made of one or more netblocks under the same administrative control, and is identified by an Autonomous System Number (ASN). Large corporations and ISPs run their own autonomous system, while smaller companies rarely have more than a netblock, often just a handful of addresses carved out of their provider's allocation.

You can find out the owner of a netblock or Autonomous System using WhoIs (whois followed by the IP address or the AS number).
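As an added example (not from the notes), the script below ties the WhoIs output of 1.4.1 to the netblock and scope questions above: it parses a constructed RIPE-style whois answer, turns inetnum/NetRange ranges and route/CIDR lines into netblocks, converts a range into the CIDR and netmask forms used in the 192.168.0.0/16 example, checks every resolved hostname against the agreed scope, and inverts the host list so shared hosts stand out. The whois record, hostnames and handles are invented; 66.200.110.100 is reused from the nslookup example.

```python
"""WhoIs answer -> netblocks -> scope check for the hosts resolved so far.

Added example, not part of the original notes.  The whois text and host list
are constructed; Target Organization Ltd, its handles and addresses are made
up (66.200.110.100 is the address from the notes' own nslookup example).
"""
import ipaddress
from collections import defaultdict

# Constructed: what a RIPE-style `whois 66.200.110.100` answer could look like.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

inetnum:        66.200.110.0 - 66.200.110.255
netname:        TARGETORG-NET
descr:          Target Organization Ltd
country:        NL
org:            ORG-TO1-RIPE
mnt-by:         TARGETORG-MNT
source:         RIPE

route:          66.200.110.0/24
origin:         AS64500
source:         RIPE
"""

# Constructed: hostnames collected in the DNS phase, already resolved.
RESOLVED = {
    "targetorg.com": ["66.200.110.100"],
    "www.targetorg.com": ["66.200.110.100"],  # same box as the apex: shared host
    "dev.targetorg.com": ["66.200.110.101"],
    "ns1.targetorg.com": ["66.200.110.10"],
    "cdn.targetorg.com": ["203.0.113.7"],      # third-party hosting, not their block
    "intranet.targetorg.com": ["10.10.5.25"],  # RFC 1918 address leaked in public DNS
}


def parse_whois(text):
    """Collect 'key: value' lines into a dict of lists; '%' and '#' lines are comments."""
    fields = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()].append(value.strip())
    return fields


def netblocks(whois_fields):
    """Netblocks from the answer: 'inetnum' (RIPE) / 'netrange' (ARIN) ranges, 'route' / 'cidr' prefixes."""
    nets = set()
    for key in ("inetnum", "netrange"):
        for rng in whois_fields.get(key, []):
            first, _, last = rng.partition("-")
            nets.update(ipaddress.summarize_address_range(
                ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
    for key in ("route", "cidr"):
        for prefix in whois_fields.get(key, []):
            nets.add(ipaddress.ip_network(prefix.strip(), strict=False))
    return sorted(nets)


def describe_range(start, end):
    """'192.168.0.0', '192.168.255.255' -> ('192.168.0.0/16', '255.255.0.0'), the two forms in the notes."""
    nets = list(ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end)))
    if len(nets) != 1:
        raise ValueError("range is not a single CIDR block: %s" % nets)
    return str(nets[0]), str(nets[0].netmask)


def scope_check(resolved, scope):
    """Split hostname -> IPs into in-scope and out-of-scope by the agreed netblocks.

    Out-of-scope addresses (third-party hosting, leaked private addresses) are
    recorded for the report but must not be probed.
    """
    in_scope, out_of_scope = {}, {}
    for host, ips in resolved.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            bucket = in_scope if any(addr in net for net in scope) else out_of_scope
            bucket.setdefault(host, []).append(ip)
    return in_scope, out_of_scope


def hosts_by_ip(resolved):
    """Invert hostname -> IPs so shared hosts (many names on one address) stand out."""
    by_ip = defaultdict(list)
    for host, ips in resolved.items():
        for ip in ips:
            by_ip[ip].append(host)
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    scope = netblocks(parse_whois(SAMPLE_WHOIS))
    print("scope:", [str(n) for n in scope])
    inside, outside = scope_check(RESOLVED, scope)
    print("in scope:", sorted(inside))
    print("OUT OF SCOPE, do not touch:", outside)
    for ip, names in hosts_by_ip(RESOLVED).items():
        if len(names) > 1:
            print("%s serves %d names: %s" % (ip, len(names), ", ".join(names)))
```

The scope list here is what whois says the organization holds; when the customer handed you explicit netblocks (Case 2), use those instead, because ownership in whois and the SoE are not the same thing.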

1.4.2. Networks/IPs

1.4.2.1. Live Hosts

We have a list of IP addresses. Now we need to identify which of them are alive and determine the role each IP plays in the target organization: for example, is it a server or a workstation?

In this early phase we do not want to enumerate the services. This will be subject of next stages.

We can:

  1. Determine which IPs are alive

  2. Determine if they have an associated host name/domain

By uncovering additional domains and host names associated to these IP addresses, we will gather additional information and apply the information gathering techniques on both host names and domains that we have already studied.

There are different methods that one can use to identify live hosts. The most common is the ICMP ping sweep: ICMP ECHO requests are sent to every address in the range, and a host that is alive returns an ICMP ECHO reply. Keep in mind that many perimeter firewalls drop ICMP, so a host that does not reply is not necessarily down; nmap's host discovery (-sn), when run as root against a remote network, therefore also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.

Many tools allow us to do this:

1.4.2.2. Further DNS

This step uses nmap to enumerate all the DNS servers that exist in the remote network. It can be repeated more than once, because each new domain or new IP we find may yield further information to aid us in later investigations.

In order to determine whether DNS servers are present in a given netblock, we should first know something more about DNS. A DNS server listens on:

  • TCP port 53 (zone transfers and answers too large for a single UDP datagram)

  • UDP port 53 (ordinary queries)

We can widen our surface by using nmap to scan the entire netblock for hosts that have these ports open. To do this, we can use the following two commands:

nmap -sS -p53 netblocksearched
nmap -sU -p53 netblocksearched

The first runs a TCP SYN scan (it needs raw sockets, so run it as root; an unprivileged user must use -sT instead), while the second runs a UDP scan. UDP scans are slow, and a port that never answers is reported as open|filtered rather than open, so confirm a suspected DNS server with a plain query such as dig @ipaddress domainname.com SOA.

Once we retrieve more DNS servers, we can perform a reverse lookup to find out if they are serving any particular domain.

Moreover, we can try zone transfer techniques on them as well as any of the techniques studied before.
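Added example, not from the notes: parsing nmap's grepable output (-oG) from the ping sweep in 1.4.2.1 and the port-53 scan above, separating confirmed DNS listeners (TCP 53 open, or UDP 53 open) from unconfirmed ones (UDP 53 open|filtered only), and producing the follow-up dig commands from this step for each. The two scan outputs are constructed and shortened; the 66.200.110.0/28 block and targetorg.com are invented.

```python
"""Parse nmap grepable (-oG) output from a ping sweep and a port-53 scan.

Added example, not from the original notes.  Both scan outputs are constructed
and abbreviated; targetorg.com and the 66.200.110.0/28 block are made up.
"""
import re

# Constructed: `nmap -sn -oG - 66.200.110.0/28` (host discovery only).
SAMPLE_SWEEP = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 66.200.110.0/28
Host: 66.200.110.1 ()\tStatus: Up
Host: 66.200.110.10 (ns1.targetorg.com)\tStatus: Up
Host: 66.200.110.11 (ns2.targetorg.com)\tStatus: Up
Host: 66.200.110.12 ()\tStatus: Up
# Nmap done -- 16 IP addresses (4 hosts up) scanned
"""

# Constructed: `nmap -sS -sU -p53 -oG - 66.200.110.0/28` (TCP SYN + UDP on port 53).
SAMPLE_DNS_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -p53 -oG - 66.200.110.0/28
Host: 66.200.110.1 ()\tStatus: Up
Host: 66.200.110.1 ()\tPorts: 53/closed/tcp//domain///, 53/closed/udp//domain///
Host: 66.200.110.10 (ns1.targetorg.com)\tStatus: Up
Host: 66.200.110.10 (ns1.targetorg.com)\tPorts: 53/open/tcp//domain///, 53/open|filtered/udp//domain///
Host: 66.200.110.11 (ns2.targetorg.com)\tStatus: Up
Host: 66.200.110.11 (ns2.targetorg.com)\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///
Host: 66.200.110.12 ()\tStatus: Up
Host: 66.200.110.12 ()\tPorts: 53/filtered/tcp//domain///, 53/open|filtered/udp//domain///
# Nmap done -- 16 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"name": str, "up": bool, "ports": {(port, proto): state}}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment line or anything that is not a Host: record
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "up": False, "ports": {}})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                for item in value.split(", "):
                    port, state, proto = item.split("/")[:3]
                    entry["ports"][(int(port), proto)] = state
    return hosts


def live_hosts(hosts):
    """IPs nmap reported as up."""
    return sorted(ip for ip, h in hosts.items() if h["up"])


def dns_servers(hosts):
    """IPs worth treating as DNS servers, with how sure we are.

    TCP 53 open (or UDP 53 open) is a confirmed listener.  UDP 53 'open|filtered'
    only means no ICMP unreachable came back, so it is reported as 'unconfirmed'.
    """
    found = []
    for ip, h in sorted(hosts.items()):
        tcp = h["ports"].get((53, "tcp"))
        udp = h["ports"].get((53, "udp"))
        if tcp == "open" or udp == "open":
            found.append((ip, "confirmed"))
        elif udp == "open|filtered":
            found.append((ip, "unconfirmed"))
    return found


def follow_up(ip, zone):
    """Commands from the notes to run against each discovered DNS server."""
    return [
        "dig -x %s" % ip,                 # reverse lookup: what name does the owner give it?
        "dig @%s %s SOA" % (ip, zone),    # plain UDP query: confirms an open|filtered UDP 53
        "dig @%s %s NS" % (ip, zone),     # is it authoritative for a zone we know?
        "dig axfr @%s %s" % (ip, zone),   # zone transfer attempt
    ]


if __name__ == "__main__":
    print("live:", live_hosts(parse_grepable(SAMPLE_SWEEP)))
    for ip, confidence in dns_servers(parse_grepable(SAMPLE_DNS_SCAN)):
        print("%s (%s)" % (ip, confidence))
        for cmd in follow_up(ip, "targetorg.com"):
            print("   ", cmd)
```

The host at .12 is the case the UDP caveat above is about: TCP 53 is filtered and UDP 53 never answered, so it is listed as unconfirmed until the SOA query in follow_up settles it.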

1.4.2.3. Maltego

Maltego uses what it calls transforms to discover information about specific targets.

For instance, you can begin with a server address and enumerate various pieces of information regarding that server, then build on that information until you have a full map of the entity's entire internet presence.
