1.4. Infrastructures
The main goal of this step is to retrieve data such as:
Domains
Netblocks or IP addresses
Mail servers
ISPs used
Any other technical information
In this process you could retrieve information that is outside the Scope of Engagement, so be careful!
As the Scope of Engagement (SoE) for your penetration test, your customer can give you:
The name of the organization (full scope test)
IP addresses or net blocks to test
From this point on, the approach depends heavily on the SoE. In this section we will consider the following cases:
We have the name of the organization
We only have specific net block(s) to test
In this process we will follow the full scope engagement, which is closest to how a malicious attacker would proceed: at the beginning the attacker only knows the target organization's name and tries to derive as much information as possible from it.
1.4.1. Domains
This process aims to collect all the hostnames related to the organization and their corresponding IP addresses.
This process ends when we obtain the following information:
Domains
DNS servers in use
Mail servers
IP addresses
Whois is a query/response protocol, widely used for querying an official domain registrar's database, in order to determine:
The owner of a domain name
IP address or range
Autonomous system
Technical contacts
Expiration date of the domain
Note: A Regional Internet Registry (RIR) is an organization that manages resources such as IP addresses and Autonomous Systems for a specific region. There are 5 main RIRs that provide WhoIs information:
AFRINIC (Africa)
APNIC (Asia Pacific)
RIPE NCC (Europe)
ARIN (North America)
LACNIC (Latin America)
A wealth of information can be obtained from WhoIs searches that will kickstart your investigation in the right direction:
Number Resource Records
Network Numbers (IP Addresses) referred to as NETs
Autonomous System Numbers referred to as ASNs
Organization records referred to as ORGs
Point of Contact records referred to as POCs
Authoritative information for Autonomous System Numbers registered outside of the RIR being queried
Note that RIRs are not responsible for the information within the databases they maintain. The responsibility for the records' validity belongs to the individual organizations, which have to keep their record information accurate and up to date.
1.4.1.1. DNS Records
DNS is a distributed database arranged hierarchically. Its purpose is to provide a means to use hostnames rather than IP addresses.
DNS is a key aspect of Information Security: it binds a hostname to an IP address, and many protocols, such as SSL, are only as safe as the DNS resolution they rely on.
DNS queries produce listings called Resource Records. A Resource Record is made of the following fields:
Name: A Resource Record starts with a domain name, usually a fully qualified domain name. If anything other than a fully qualified domain name is used, the name of the zone the record is in will automatically be appended to the end of the name.
TTL (Time-To-Live): Recorded in seconds; defaults to the minimum value defined in the Start Of Authority (SOA) record.
Record Class: Internet, Hesiod, or Chaos.
The most common record types are:
SOA (Start of Authority): Indicates the beginning of a zone and should occur first in a zone file. There can be only one SOA record per zone. It defines certain values for the zone, such as the serial number and various expiration timeouts.
NS (Name Server): Defines an authoritative name server for a zone, and delegates authority to a name server for a child zone. NS records are the glue that binds the distributed database together.
A (Address): Simply maps a hostname to an IP address. Zones with A records are called 'forward' zones.
PTR: Maps an IP address to a hostname. Zones with PTR records are called 'reverse' zones.
CNAME: Maps an alias hostname to an A record hostname.
MX: Specifies a host that will accept email on behalf of a given host. The specified host has an associated priority value. A single host may have multiple MX records; the records for a specific host make up a prioritized list.
1.4.1.2. DNS Enumeration
DNS lookup is the simplest query a DNS server can receive. It asks the DNS server to resolve a given hostname to the corresponding IP. You can do so with nslookup.
In order to collect the highest number of domains and subdomains related to the organization, we can use different techniques:
DNS Lookup (and reverse DNS Lookup)
Reverse DNS Lookup
MX Lookup: retrieves the list of servers responsible for delivering email for that domain.
Zone Transfers: zone transfers are usually a misconfiguration of the remote DNS server. They should be enabled only for trusted IP addresses. When zone transfers are enabled, we can enumerate the entire set of DNS records for that zone, including all subdomains of our domain (A records).
In order to request the entire zone, we have to ask the server that houses these records (the organization's name server). This server can be found by executing:
Then:
1.4.1.3. IP
Once we have found a number of hostnames related to the organization, we can move on to determining their IP addresses and, potentially, any netblocks associated with the organization.
Mail servers, name servers, domains, and subdomains will all be used in this phase.
Steps:
Resolve all hostnames we have in order to determine the IP addresses used
Is this IP address hosting only that given domain?
It is possible that more than one domain is configured on the same IP address, even if a PTR record is not set. This is a common scenario with shared hosting, where hundreds of websites are configured on the same server. It is also typical in corporate networks, where multiple subdomains run on the same web server.
For example, you have discovered that the name server of the target organization is on 66.200.110.100. How do you determine other subdomains on the same IP?
The first technique to try is a reverse lookup. The second is asking Google or Bing. Bing offers a query filter that returns all the websites hosted on a given IP address. We just need to use the ip filter, followed by the IP address of our target, e.g.: ip:199.193.116.231.
Other tools:
Repeat the process until you are satisfied with the data enumerated. For larger engagements, you will have to map IP addresses and related domains using mind mapping tools.
Who does this IP address belong to?
Netblock: A netblock is a range or set of IP addresses, usually assigned to someone, with both a starting and an ending IP address. Larger netblocks are given to larger organizations. Example:
192.168.0.0-192.168.255.255
This netblock can also be described as follows:
192.168.0.0/16 (CIDR notation)
192.168.0.0 with netmask 255.255.0.0
Autonomous System: An Autonomous System is made of one or more netblocks under the same administrative control. Big corporations and ISPs have an autonomous system, while smaller companies will barely have a netblock.
You can find out the owner of a netblock or Autonomous System using WhoIs.
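To tie the record fields of 1.4.1.1 to the IP work in this section, here is an added Python example (not code from the original notes) that parses zone-file style records, applying the zone-suffix and SOA-minimum TTL defaults described above, groups hostnames per IP to expose shared hosting, and checks netblock membership in the three notations shown above. The zone data, names and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
# Constructed sample in zone-file layout (owner, optional TTL, class, type, data).
# Names and addresses are made up (RFC 5737 documentation ranges), not real hosts.
ZONE_DATA = """
example.test.        3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
example.test.        3600 IN NS    ns1.example.test.
ns1.example.test.    3600 IN A     192.0.2.10
mail.example.test.   3600 IN A     192.0.2.25
www.example.test.    3600 IN A     192.0.2.10
intranet                  IN A     192.0.2.10
shop.example.test.   3600 IN CNAME www.example.test.
"""

def parse_records(text, zone):
    # Unqualified names get the zone appended; a missing TTL takes the SOA minimum.
    records, soa_minimum = [], None
    for line in text.strip().splitlines():
        name, *rest = line.split()
        name = name if name.endswith(".") else f"{name}.{zone}"
        ttl = int(rest.pop(0)) if rest[0].isdigit() else None
        rclass, rtype, *rdata = rest
        if rtype == "SOA":
            soa_minimum = int(rdata[-1])  # the last SOA field is the minimum TTL
        records.append({"name": name, "ttl": ttl, "class": rclass, "type": rtype, "rdata": rdata})
    for r in records:
        r["ttl"] = soa_minimum if r["ttl"] is None else r["ttl"]
    return records

def hosts_by_ip(records):
    # Group A-record names (and CNAME aliases of them) per address: several names
    # on one IP means shared hosting, so every name on that IP is worth a look.
    hosts = defaultdict(set)
    for r in records:
        if r["type"] == "A":
            hosts[r["rdata"][0]].add(r["name"])
    for r in records:
        if r["type"] == "CNAME":
            for names in hosts.values():
                if r["rdata"][0] in names:
                    names.add(r["name"])
    return {ip: sorted(names) for ip, names in hosts.items()}

def in_netblock(ip, netblock):
    # Netblock as a 'start-end' range, CIDR 'net/prefix', or 'net/dotted-netmask'.
    addr = ipaddress.ip_address(ip)
    if "-" in netblock:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in netblock.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(netblock, strict=False)
```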
1.4.2. Networks/IPs
1.4.2.1. Live Hosts
We have a list of IP addresses. Now we need to identify which of those are alive and determine the role played by each IP in the target organization. For example, is it a server or a workstation?
In this early phase we do not want to enumerate the services. This will be the subject of the next stages.
We can:
Determine which IPs are alive
Determine if they have an associated host name/domain
By uncovering additional domains and host names associated with these IP addresses, we will gather additional information and apply the information gathering techniques that we have already studied to both host names and domains.
There are different methods that one can use to identify live hosts. The most common is the ICMP ping sweep. It consists of ICMP ECHO requests sent to multiple hosts. If a given host is alive, it will return an ICMP ECHO reply.
Many tools allow us to do this:
hping
1.4.2.2. Further DNS
This step deals with using nmap to enumerate all the DNS servers that exist in the remote network. This step can be done more than once, because each new domain or IP we find could give us other useful information to aid further investigation.
In order to determine if DNS servers are in place in a given netblock, we should first know something more about DNS. A DNS server runs on:
TCP port 53
UDP port 53
We can increase our attack surface knowledge by using nmap to scan the entire network and find hosts that have these ports open. To do this, we can use the following two commands:
The first can be used to run a TCP scan, while the second can be used to run a UDP scan.
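As an added example that is not part of the original notes, covering both the live-host sweep of 1.4.2.1 and the port-53 scan described here: a Python parser for nmap's grepable (-oG) output that lists hosts reported as Up and hosts with port 53 in an open state on TCP or UDP, keeping nmap's open|filtered state so an unanswered UDP probe is not mistaken for a confirmed DNS server. The scan output below is constructed, not real scan output.

```python
import re

# Constructed nmap grepable (-oG) output for a ping sweep and a port-53 scan.
# Hosts and names are made up (RFC 5737 range); this is not real scan output.
PING_SWEEP = """\
# Nmap scan initiated as: nmap -sn -oG - 192.0.2.0/28
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.10 (ns1.example.test)\tStatus: Up
Host: 192.0.2.25 (mail.example.test)\tStatus: Up
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""
PORT_SCAN = """\
# Nmap scan initiated as: nmap -sS -sU -p 53 -oG - 192.0.2.1 192.0.2.10 192.0.2.25
Host: 192.0.2.1 ()\tPorts: 53/closed/tcp//domain///, 53/closed/udp//domain///
Host: 192.0.2.10 (ns1.example.test)\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///
Host: 192.0.2.25 (mail.example.test)\tPorts: 53/closed/tcp//domain///, 53/open|filtered/udp//domain///
"""

# One grepable line: "Host: <ip> (<rdns name>)<TAB><Field>: <value>[<TAB>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(Status|Ports):\s+([^\t]*)")

def parse_grepable(text):
    # Yield (ip, hostname, field, value) for each Host line; comment lines are skipped.
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            yield m.group(1), m.group(2) or None, m.group(3), m.group(4)

def live_hosts(text):
    # Hosts the ping sweep reported as Up, with nmap's reverse-DNS name when present.
    return {ip: name for ip, name, field, value in parse_grepable(text)
            if field == "Status" and value.strip() == "Up"}

def dns_servers(text):
    # Hosts with port 53 in an open state on TCP or UDP. UDP often reports
    # open|filtered (no reply either way), which is recorded as-is rather than
    # promoted to a confirmed DNS server.
    found = {}
    for ip, _name, field, value in parse_grepable(text):
        if field != "Ports":
            continue
        for entry in value.split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if port == "53" and state.startswith("open"):
                found.setdefault(ip, {})[proto] = state
    return found
```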
Once we retrieve more DNS servers, we can perform a reverse lookup to find out if they are serving any particular domain.
Moreover, we can try zone transfer techniques on them as well as any of the techniques studied before.
1.4.2.3. Maltego
Maltego uses what it calls transforms to discover information about specific targets.
For instance, you can begin with a server address and enumerate various information regarding that server, then build on that information until you have a full map of the entity's entire internet presence.