Jump to content
begood

tutorial footprinting - passive information gathering before a pentest

Recommended Posts

Posted

A pentest must be planned and prepared by several preliminary actions to obtain the most comprehensive inventory of resources hardware, software and even human target network. It is to recover the maximum information on the network architecture, operating systems, applications and users. This step should not be limited to port scanning or fingerprinting. Indeed, lots of informations can be gathered through passive means, without any access to the target, for example using DNS servers or search engines as Google. We must therefore distinguish passive - footprinting - and active recognition.

The aim of footprinting is to passivly gather intelligence about web, mail, DNS, directory servers and look for IP addresses, domain names, network protocols, active services, operating systems, softwares and users. It is then followed by a phase of active recognition. This one completes knowledge of the audited network by active operations directly on the target system. It includes network scans, with specialized softwares as NMAP, to find IP addresses, open ports and softwares running on the servers. This is related as port scanning and fingerprinting.

The purpose of this article is to present methods for passive recognition (footprinting). It also presents a practical implementation of footprinting. For teaching, we analyse the domain Owasp.org, using a full range of existing tools. We also use two scripts Python for multithreaded DNS search dnsdic and dnsbf. The point is most of the tools we present are complementary and useful for a deep recognition.

What is footprinting?

Footprinting is a security auditing technique, aimed at gathering intelligence about the infrastructure of a target network, only from information which access is free and autorized. It is the first component of the information gathering step of a pentest, before port scanning and fingerprinting.

More precisely, the aim of footprinting is to find IP addresses, network address ranges and subdomains names. During the footprinting process conduct, some services (mail, web, DNS) provided by servers can be discovered. With these informations, a pentester is then able to further focus his research.

Footprinting is based on several techniques, based on DNS and search engines:

- DNS query: with a domain name, you obtain the associated IP. Any field of the DNS response can be exploited: A, MX, etc. ,

- reverse DNS query: with an IP or an IP addresses range, you obain domain names,

- dictionnary DNS. With a domain name, you make DNS queries on usual subdomains names and top level domains. For example, from "mysite.com", you look for "smtp.mysite.com", "pop.mysite.com", etc. and then "mysite.fr", "mysite.org", etc.,

- attempt to transfer DNS zone: sometimes, the zone database of a misconfigured DNS server can be downloaded,

- website spiding: we gather any subdomain name met during the visit of all internal links in the website,

- recovery of old DNS entries: old DNS entries are sometimes listed by specialized websites,

- WhoIs database: you obtain the informations legaly provided for teh domain name rental,

- search engines queries,

- X509 certificates queries,

- robots.txt of the website analysis,

Tools

- robtex website which provides graphical informations from DNS and WhoIs,

- dig: Linux command aimed at finding IP address associated with a domain name,

- dnsbf: script for reverse DNS search in a whole subnet,

- dnsdic and its dictionnary: script for DNS dictionnary bruteforce search for subdomains names,

- dnsmap: (backtrack) Script for gathering IP addresses form a domain name,

- dnsrecon: (backtrack) script for top level domain names search. For example, fo Owasp, we find owasp.org, owasp.net, owasp.fr, etc.

- DNSWalk (backtrack) - The dnswalk DNS database debugger | Get The dnswalk DNS database debugger at SourceForge.net,

- Burp Suite PortSwigger.net - Burp Suite (java needed)

- http://dnshistory.org - old DNS entries,

- subdomainer.pl: (Edge-Security) script for subdomains names gathering with search engines,

- Metagoofil.py (backtrack) from Edge-Security. Script for information gathering in documents (pdf,doc...) referenced by Google. Metagoofil needs extract ($ sudo apt-get install extract). Moreover, il is installed by default in /usr/bin. Modify the scrit to use the executable from this directory,

- FoxyProxy (https://addons.mozilla.org/fr/firefox/addon/2464), Firefox extension useful with Burp Suite,

- Maltego (backtrack) - graphical footprinting tool - http://www.paterva.com/

- Hostmap.rb: hostmap | Get hostmap at SourceForge.net remarkable script, wrritten in Ruby, that conducts iterative queries on DNS, search engines and cryptographic key servers,

- Fierce (backtrack) - Fierce Domain Scan - script perl for Linux to conduct DNS search,

Results

While you're reading this article, you'll find the following informations:

Owasp.org is a website hosted by Fast.net. Its NDS servers are hosted by Secure.net, a BtoB US company with the US armies as customer.

domain names

The following domain names are linked to the IP address 216.48.3.18

owasp.org

esapi.org

webscarab.net

webscarab.com

webscarab.org

webgoat.org

owasp.asia

owasp.cg,188.165.42.228

owasp.ch

owasp.com.tw

owasp.cz,81.0.246.60

owasp.fr,216.48.3.18

owasp.de,78.46.49.201

owasp.dk

owasp.gr,69.93.193.98

owasp.hu,193.142.209.99

owasp.ir,213.175.221.136

owasp.kr,222.231.8.226

owasp.info

owasp.lt,79.98.25.1

owasp.my,202.190.179.45

owasp.mp,75.101.130.205

owasp.net

owasp.nl

owasp.org.tw

owasp.pw,70.87.29.150

owasp.pl,91.210.130.50

owasp.ph,203.119.6.249

owasp.ru,193.232.159.1

owasp.rw,94.23.192.35

owasp.tw

owasp.ws,64.70.19.33

owasp.st,195.178.160.40

owasp.es,213.186.33.5

owasp.se,212.97.132.112

owasp.ch,88.191.227.205

owasp.tw

owasp.tk,193.33.61.2

owasp.tk,209.172.59.196

owasp.tk,94.103.151.195

owasp.tk,217.119.57.22

owasp.tv,64.99.80.30

owasp.vn,72.52.194.126

IP addresses

every IP address of the Owasp network belongs to the subnet 216.48.3.0/24. The IP allocated to Owasp are:

216.48.3.18

216.48.3.19

216.48.3.20

216.48.3.22

216.48.3.23

216.48.3.26

216.48.3.30

The following address is interesting, because it points on websites owned by the creator of Owasp:

66.255.82.14

Any of the further subdomains have the IP 216.48.3.18 excepted:

forums.owasp.org 216.48.3.19

stage.owasp.org 216.48.3.20

lists.owasp.org 216.48.3.22

voip.owasp.org 216.48.3.22

forums.owasp.net 216.48.3.23

ads.owasp.org 216.48.3.26

ml1lists.owasp.org 216.48.3.30

docs.owasp.org hébergé par google

mail.owasp.org hébergé par google

groups.owasp.org hébergé par google

calendar.owasp.org hébergé par google

mail.owasp.net 66.255.82.14

subdomains

owasp.org

ml1.owasp.org

OWASP

www2.owasp.org

lists.owasp.org 216.48.3.22

ads.owasp.org 216.48.3.26

_adsp._domainkey.owasp.org

jobs.owasp.org

registration.owasp.org

_policy._domainkey.owasp.org

_domainkey.owasp.org

es.owasp.org

austin.owasp.org

beta.owasp.org

blogs.owasp.org

forum.owasp.org

old.owasp.org

ww.owasp.org

localhost.owasp.org

google6912a08c3a8ccdf0b.owasp.org

ns.owasp.org

docs.owasp.org

calendar.owasp.org

austin.owasp.org

gateway.owasp.org

secure.owasp.org

intranet.owasp.org

extranet.owasp.org

web.owasp.org

webmail.owasp.org

ftp.owasp.org

stage.owasp.org

owasp.net

forums.owasp.net 216.48.3.23

OWASP

mail.owasp.net 66.255.82.14

owasp.tw

mail.owasp.tw

_domainkey.owasp.tw

OWASP

owasp.fr

France - OWASP

mail.esapi.org 216.48.3.18

Category:OWASP Enterprise Security API - OWASP 216.48.3.18

webscarab.net 216.48.3.18

ftp.webscarab.net

Category:OWASP WebScarab Project - OWASP

pop.webscarab.net

smtp.webscarab.net

imap.webscarab.net

webscarab.com

Category:OWASP WebScarab Project - OWASP

imap.webscarab.com

ftp.webscarab.com

webscarab.org

webgoat.org

Category:OWASP WebGoat Project - OWASP

imap.webgoat.org

news.webgoat.org

smtp.webgoat.org

ftp.webgoat.org

pop.webgoat.org

DNS servers

The DNS server used are (excepted owasp.tw, owasp.org.tw, owasp.fr and more generaly any site situated outside of USA):

ns1.secure.net 192.220.124.10 (USA)

ns2.secure.net 192.220.125.10

For example,

for owasp.tw:

ns1.eurodns.com 80.92.65.2 (Luxembourg)

ns2.eurodns.com 80.92.67.140

for owasp.fr

a.dns.gandi.fr 217.70.179.40 (France)

b.dns.gandi.fr 217.70.184.40

for owasp.org.tw:

csn1.net-chinese.com.tw 202.153.205.76 (Taiwan)

csn2.net-chinese.com.tw 202.130.187.243

people in charge

Every domain names (except owasp.fr and owasp.org.tw) were filed by:

Laurence Casey

owasp.fr was filed by Sébastien Gioria (0623040051) for Doing Soft company

owasp.org.tw by Wayne Huang Armorize technologies Inc

administrators

http://www.owasp.org/index.php?title=Special%3AListUsers&group=sysop

Simple DNS queries

robtex.com

Use robtex website, and search owasp.org in its dns search engine: Domain Name Server records -> owasp.org

File?id=dg23j87b_327cpmndcz_b

www.owasp.org is available on 216.48.3.18. It belongs to the subnet 216.48.2.0/23. This means that the address range available is:

216.48.2.0 to 216.48.3.255.

dig

Rq: You can also find the IP address with

$ dig owasp.org

Websites Category:OWASP Enterprise Security API - OWASP, Category:OWASP WebScarab Project - OWASP and OWASP point to the same IP address

The owasp.org DNS server is hosted by secure.net

Its mail server is hosted by google.

google

A few google searches tell you:

google -> esapi.org

google -> owasp.net

google -> webscarab.net

google -> secure.net

esapi.org and webscarab.net are both Owasp projects

secure.net is owned by Secure Network Systems, a US company which develops profestional softwares for hysical access control (airorts, etc.) with US army as customer.

Finding the IP 216.48.3.18 with robtex gives you: robtex.com/dns -> 216.48.3.18

File?id=dg23j87b_328pk76wbg5_b

Finding owasp.* with robtex gives you

- owasp.net

- owasp.de

- owasp.cz

reverse DNS query on an IP address range

dnsbf.py

Owasp is hosted by Fastnet (http://www.fast.net/) in USA.

Here, this information is not really relevant, because Owasp probably rents there its servers. Sometimes, such a query could conduct to find other servers hold by the same company.

Let's use the Python script dnsbf.py on the IP address range: 216.48.2.0/23.

$ ./dnsbf.py  216.48.2.0/23

*****************************************
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

216.48.2.34 clarendon.my-vresume.com
216.48.2.10 mail.nvafamilypractice.com
216.48.4.251 ns1.croem.net
216.48.4.107 mail1.gulfstreamacademy.com
216.48.3.69 mail.nationalstrategiesinc.com
216.48.4.20 encirclepayments.com
216.48.3.90 mail.wssa.com
216.48.4.21 mail.encirclepayments.com
216.48.4.170 mail.wilhelminamiami.com
216.48.5.55 mail.eliteislandresorts.com
216.48.5.181 ns4.viomedia.com
216.48.3.10 mail.jandrroofing.com
216.48.4.194 amarinelli.com
216.48.2.74 mail.ppamedicalbilling.com
216.48.5.244 mail.terragroup.com
216.48.2.75 mail.hirestrategy.com
216.48.4.18 wxesrv01s.interpath
216.48.5.182 ns4.maquilon.com
216.48.4.253 mail.e-progroup.com
216.48.2.200 mailgate.catapulttechnology.com
216.48.4.162 mail.malloylaw.com
216.48.4.72 mail.amtel-security.com
216.48.2.194 fw.catapulttechnology.com
216.48.3.82 mail.wssa.com
216.48.3.92 freightoffice.wssa.com
216.48.3.29 mail.empiregroup.us
216.48.4.186 mail.marlinshowcase.com
216.48.2.3 smtp.advantagehomes.org
216.48.5.164 mailserver.federalmillwork.com
216.48.2.90 mail2.bgsb.net
216.48.3.122 mail3.bulletinnews.com
216.48.3.98 Mail.jamesmyersco.com
216.48.2.204 smtp.catapulttechnology.com
216.48.4.187 marlinshowcase.com
216.48.2.39 SMTP.edoptions.com
216.48.4.154 mail.krmlegal.com
216.48.5.162 mailserver.federalmillwork.com
216.48.4.106 gaamail.gulfstreamacademy.com
216.48.5.251 mail.eastridgerc.com
216.48.4.247 mail.croem.net

end of search
1023 ip tested, 40 names found, in 25 s
$

dictionary DNS queries

It may be interesting to look for Owasp.net available subdomains (for example, mail.owasp.net)

dnsdic.py

Let's use the Python script dnsdic.py

dnsdic.py needs a dictionary file.

We take the file dns.txt from dnsenum1.1 [3] written by jer001 [2].

By the way, we can not resist the pleasure of quoting an excellent source of dictionaries: Passwords - Skull Security

dnsdic.py does not give any result with owasp.org. Indeed, casting an eye to robtex results, you note that owasp.org is referenced by *.owasp.org . Any DNS request on an Owasp subdomain sends the main IP address as result.

And what about mail.owasp.net? We find an additional IP: 66.255.82.14. Still with robtex, a query with this IP gives:

robtex.com/dns -> mail.owasp.net

robtex.com/dns -> 66.255.28.14

It appears that Mr Casey hosts friends websites...

dnsmap

dnsmap is available with backtrack. It provides the IP addresses associated with a domain name.

root@bt:/pentest/enumeration/dns/dnsmap# ./dnsmap owasp.org

dnsmap 0.24 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] warning: the target domain might use wildcards. dnsmap will try to filter out false positives

[+] searching (sub)domains for owasp.org using built-in wordlist

forums.owasp.org

IP address #1: 216.48.3.19

groups.owasp.org

IP address #1: 74.125.47.121

localhost.owasp.org

IP address #1: 127.0.0.1

[+] warning: target domain might be vulnerable to "same site" scripting (
)

mail.owasp.org

IP address #1: 74.125.47.121

[+] 4 (sub)domains and 4 IP address(es) found

[+] completion time: 50 second(s)

dnsrecon

dnsrecon provides top level domain names associated with a domain name. For example, with Owas, you find Owasp.org, Owasp.net, Owasp.fr

Attempt to transfer DNS zone

sometimes, the zone database of a misconfigured DNS server can be downloaded

DNSWalk

The attempt fails. Neverthess, DNSWalk uses other techniques described in this article and gives:

216.48.3.19 forums.owasp.org

216.48.3.30 ml1lists.owasp.org

216.48.3.20 stage.owasp.org

Old DNS entries

dnshistory.org

Let's use http://dnshistory.org/ . This site keeps old DNS entries. Here, no result...

Website spiding

Burp Suite

Use Burp Suite. This tool configures a proxy on your computer and visits every internal links of a website.

File?id=dg23j87b_329cp5p7nk8_b

A traceroute to ads.owasp.org gives the IP address 216.48.3.26

Informations about administrators

OWasp publishes a list of people who can administrate its Wiki:

http://www.owasp.org/index.php?title=Special%3AListUsers&group=sysop

Aholmes ? (Created on 27 September 2006 at 14:51)

Alison.McNamee ? (Created on 26 November 2007 at 22:22)

Aspectmichelle ? (Created on 24 August 2007 at 15:10)

Brennan ? (Created on 13 June 2006 at 00:07)

Dinis.cruz ?

Dwichers ?

Esheridan ? (Created on 31 July 2006 at 20:09)

Jason Li ? (Created on 17 April 2007 at 20:16)

Jcmax ?

Jeff Williams ?

Jeremy Ferragamo ?

KateHartmann ? (Created on 12 May 2008 at 14:01)

KirstenS ? (Created on 16 May 2008 at 11:38)

Laurence Casey ?

OWASP ? (Created on 23 June 2006 at 16:50)

Paulo Coimbra ? (Created on 4 July 2008 at 00:22)

RoganDawes ?

Sdeleersnyder

Weilin Zhong ?

Wichers ?

WikiSysop ?

X509 certificates

Sometimes, people publish their public key on X509 servers. That can provide email informations. cf following hostmap.rb

Whois

The WhoIs database.

Search engines

Simple query

google -> site:owasp.org

no relevant information.

subdomainer.py

Let's use Subdomainer.py from Edge-Security [4]:

You find a new subdomain: lists.owasp.org

MetaGoofil.py

Now, let's use the tool MetaGoofil.py (Edge-Security) [7].

Metagoofil.py is a script aimed at seeking informations in meta datas in documents referenced by search engines (pdf,doc...) . It needs extract ($ sudo apt-get install extract). It is aslo installed by default in /usr/bin. You need to modify the script to use this directory.

Shodan

Shodan is a website which lists configuration informations and website vulnerabilities.

http://www.shodanhq.com/?q=owasp.org

216.48.3.20

Linux recent 2.4

Added on 23.07.2009

United States

HTTP/1.1 301 Moved Permanently

Date: Fri, 24 Jul 2009 03:15:20 GMT

Server: Apache/2.2.9 (Fedora)

X-Powered-By: PHP/5.2.6

Vary: Accept-Encoding,Cookie

X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wiki1134Token;string-contains=wiki1134LoggedOut;string-contains=wiki1134_session

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Cache-Control: private, must-revalidate, max-age=0

Last-modified: Fri, 24 Jul 2009 03:15:21 GMT

Location:

You obtain the following informations:

3 Ips: 216.48.3.18, 216.48.3.20, 216.48.3.26 (already known),

The Apache version at 07.23.2009: 2.2.9 (Fedora),

The PHP engine versionthe 07.23.2009: 5.2.6

These informations are a bit too old to be relevant.

Web robots

Admins put sometimes informations in their sitemap or robots file to tell robots engine where to go, and... where not to go, which can be interesting for you.

in firefox ->

in firefox ->

OWASP has no Robots.txt or sitemap.xml file.

Mix of techniques

Some tools use a panel of all the techniques below.

Maltego

Maltego is a powerful graphical tool for footprinting. It can organize the results of its searches.

Download the community edition from http://www.paterva.com/

Start it on some Ips and the domain name owasp.org:

owasp.org

216.48.3.18

216.48.3.22

216.48.3.23

216.48.3.26

Here is the result:

File?id=dg23j87b_330dsksqzfx_b

Some elements can be added. You can see that Maltego does not find immediatly every results you found before.

DNS MX - mail servers:

owasp.com.tw

DNS zone transfert

localhost.owasp.org

google6912a08c3a8ccdf0b.owasp.org

ns.owasp.org

docs.owasp.org

calendar.owasp.org

austin.owasp.org

DNS bruteforce

gateway.owasp.org

secure.owasp.org

intranet.owasp.org

extranet.owasp.org

web.owasp.org

webmail.owasp.org

ftp.owasp.org

sharedIP

voip.owasp.org

domains linked to owasp.org

owasp.net

owasp.tw

owasp.com.tw

owasp.org.tw

owasp.fr

owasp.nl

owasp.pl

owasp.cz

owasp.it

owasp.dk

owasp.de

owasp.info

owasp.ch

owasp.asia

hostmap.rb

Let's use another (great) tool: hostmap.rb

hostmap conducts iteratives searches with DNS, search engines and X509 servers.

$ ruby hostmap.rb -t 216.48.3.18

hostmap 0.2.1 codename fissatina

Coded by Alessandro `jekil` Tanasi

[20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org

[20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org

[20:49] Found new hostname _adsp._domainkey.owasp.org

[20:49] Found new domain _domainkey.owasp.org

[20:49] Found new domain owasp.net

[20:49] Found new hostname

[20:49] Found new hostname owasp.net

[20:49] Found new domain owasp.org

[20:49] Found new hostname _domainkey.owasp.org

[20:49] Found new hostname owasp.org

[20:49] Found new hostname

[20:49] Found new hostname _policy._domainkey.owasp.org

[20:49] Found new hostname

[20:49] Found new domain owasp.fr

[20:49] Found new hostname owasp.fr

[20:49] Found new hostname

[20:49] Found new domain webscarab.com

[20:49] Found new hostname webscarab.com

[20:49] Found new hostname news.webgoat.org

[20:49] Found new domain webgoat.org

[20:49] Found new hostname webgoat.org

[20:49] Found new hostname austin.owasp.org

[20:49] Found new hostname ww.owasp.org

[20:49] Found new hostname jobs.owasp.org

[20:49] Found new hostname registration.owasp.org

[20:49] Found new hostname old.owasp.org

[20:49] Found new hostname ml1.owasp.org

[20:49] Found new hostname smtp.webgoat.org

[20:49] Found new hostname pop.webgoat.org

[20:49] Found new hostname

[20:49] Found new hostname forum.owasp.org

[20:49] Found new hostname es.owasp.org

[20:49] Found new hostname blogs.owasp.org

[20:49] Found new hostname beta.owasp.org

[20:49] Found new hostname imap.webgoat.org

[20:49] Found new hostname ftp.webgoat.org

[20:49] Found new hostname www2.owasp.org

[20:49] Found new hostname

[20:49] Found new domain owasp.org.tw

[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[20:52] Found new mail server aspmx3.googlemail.com

[20:52] Found new nameserver ns2.secure.net

[20:52] Detected a wildward domain: owasp.org

[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[20:52] Found new nameserver ns1.secure.net

[20:52] Found new mail server aspmx.l.google.com

[20:52] Found new mail server aspmx.l.google.com

[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[20:52] Found new mail server alt1.aspmx.l.google.com

[20:52] Detected a wildward domain: _domainkey.owasp.org

[20:52] Found new mail server alt1.aspmx.l.google.com

[20:52] Found new mail server aspmx4.googlemail.com

[20:52] Found new mail server aspmx5.googlemail.com

[20:52] Found new mail server aspmx5.googlemail.com

[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[20:52] Found new nameserver c.dns.gandi.net

[20:52] Found new mail server alt2.aspmx.l.google.com

[20:52] Found new mail server spool.mail.gandi.net

[20:52] Found new mail server aspmx2.googlemail.com

[20:53] Found new nameserver a.dns.gandi.net

[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[20:53] Found new mail server webscarab.com

[20:53] Found new mail server webscarab.com

[20:53] Found new mail server fb.mail.gandi.net

[20:53] Found new nameserver b.dns.gandi.net

[20:53] Found new mail server fb.mail.gandi.net

[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[20:53] Found new mail server webgoat.org

[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[20:53] Found new nameserver cns1.net-chinese.com.tw

[20:53] Found new nameserver cns2.net-chinese.com.tw

[20:56] Found new domain owasp.tw

[20:56] Found new domain webscarab.org

[20:56] Found new hostname owasp.tw

[20:56] Found new domain webscarab.net

[20:56] Found new domain webscarab.net

[20:56] Found new hostname webscarab.org

[20:56] Found new domain _domainkey.owasp.tw

[20:56] Found new hostname webscarab.net

[20:56] Found new hostname webscarab.net

[20:56] Found new hostname _domainkey.owasp.tw

[21:02] Found new hostname imap.webscarab.com

[21:02] Found new hostname ftp.webscarab.com

[21:02] Found new hostname imap.webscarab.com

[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com

[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com

[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com

[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com

[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com

[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[21:03] Detected a wildward domain: owasp.tw

[21:03] Found new nameserver ns1.eurodns.com

[21:03] Found new mail server mail.owasp.tw

[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[21:03] Found new nameserver ns2.eurodns.com

[21:03] Found new mail server snowball.spidynamics.com

[21:03] Found new nameserver ns1.inflow.net

[21:03] Found new hostname mail.owasp.tw

[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[21:03] Found new nameserver ns4.inflow.net

[21:03] Found new mail server atl-mr01.spidynamics.com

[21:03] Found new mail server webscarab.net

[21:03] Found new nameserver ns2.inflow.net

[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[21:03] Found new nameserver ns3.inflow.net

[21:03] Found new nameserver ns5.inflow.net

[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

[21:03] Detected a wildward domain: _domainkey.owasp.tw

[21:03] Found new nameserver ns6.inflow.net

[21:13] Found new hostname pop.webscarab.net

[21:13] Found new hostname pop.webscarab.net

[21:13] Found new hostname smtp.webscarab.net

[21:13] Found new hostname smtp.webscarab.net

[21:13] Found new hostname smtp.webscarab.net

[21:13] Found new hostname ftp.webscarab.net

[21:13] Found new hostname ftp.webscarab.net

[21:13] Found new hostname ftp.webscarab.net

[21:13] Found new hostname imap.webscarab.net

[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net

[21:13] Found new hostname imap.webscarab.net

[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net

[21:13] Found new hostname imap.webscarab.net

[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net

Results for 216.48.3.18

Served by name server (probably)

ns6.inflow.net

ns1.eurodns.com

c.dns.gandi.net

ns4.inflow.net

ns5.inflow.net

ns3.inflow.net

ns2.inflow.net

b.dns.gandi.net

ns1.inflow.net

a.dns.gandi.net

ns2.eurodns.com

ns2.secure.net

cns1.net-chinese.com.tw

ns1.secure.net

cns2.net-chinese.com.tw

Served by mail exchange (probably)

atl-mr01.spidynamics.com

aspmx2.googlemail.com

aspmx.l.google.com

mail.owasp.tw

webscarab.com

alt2.aspmx.l.google.com

aspmx3.googlemail.com

aspmx4.googlemail.com

snowball.spidynamics.com

webgoat.org

fb.mail.gandi.net

aspmx5.googlemail.com

alt1.aspmx.l.google.com

webscarab.net

spool.mail.gandi.net

Hostnames:

_adsp._domainkey.owasp.org

pop.webscarab.net

imap.webgoat.org

mail.owasp.tw

jobs.owasp.org

webscarab.com

imap.webscarab.com

www2.owasp.org

registration.owasp.org

news.webgoat.org

_policy._domainkey.owasp.org

owasp.org

smtp.webscarab.net

_domainkey.owasp.tw

smtp.webgoat.org

_domainkey.owasp.org

ftp.webscarab.net

webscarab.org

ftp.webgoat.org

es.owasp.org

austin.owasp.org

owasp.fr

owasp.tw

beta.owasp.org

webgoat.org

owasp.net

blogs.owasp.org

ftp.webscarab.com

webscarab.net

forum.owasp.org

ml1.owasp.org

old.owasp.org

imap.webscarab.net

pop.webgoat.org

ww.owasp.org

Fierce

Fierce (http://ha.ckers.org/fierce/) is a DNS search tool written in PERL for Linux.

root@bt:/pentest/enumeration/fierce# cat ~/tmp.txt

Now logging to /root/tmp.txt

DNS Servers for owasp.org:

ns1.secure.net

ns2.secure.net

Trying zone transfer first...

Testing ns1.secure.net

Whoah, it worked - misconfigured DNS server found:

owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. (

2007080369 ; Serial

86400 ; Refresh

7200 ; Retry

2592000 ; Expire

86400 ) ; Minimum TTL

owasp.org. 86400 IN A 216.48.3.18

owasp.org. 86400 IN NS ns1.secure.net.

owasp.org. 86400 IN NS ns2.secure.net.

owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.

owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.

owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.

owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.

owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.

owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.

owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.

owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"

*.owasp.org. 86400 IN CNAME owasp.org.

ads.owasp.org. 86400 IN A 216.48.3.26

austin.owasp.org. 86400 IN CNAME owasp.org.

calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.

docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.

es.owasp.org. 86400 IN A 216.48.3.18

forums.owasp.org. 86400 IN A 216.48.3.19

google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.

groups.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.

jobs.owasp.org. 86400 IN CNAME owasp.org.

lists.owasp.org. 86400 IN A 216.48.3.22

lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.

localhost.owasp.org. 86400 IN A 127.0.0.1

mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.

ml1lists.owasp.org. 86400 IN A 216.48.3.30

registration.owasp.org. 86400 IN CNAME owasp.org.

stage.owasp.org. 86400 IN A 216.48.3.20

voip.owasp.org. 86400 IN A 216.48.3.22

. 86400 IN CNAME owasp.org.

Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...

** Found 94784227069.owasp.org at 216.48.3.18.

** High probability of wildcard DNS.

Now performing 1896 test(s)...

216.48.3.26 ads.owasp.org

216.48.3.19 forums.owasp.org

216.48.3.22 lists.owasp.org

127.0.0.1 localhost.owasp.org

216.48.3.20 stage.owasp.org

216.48.3.22 voip.owasp.org

Subnets found (may want to probe here using nmap or unicornscan):

127.0.0.0-255 : 1 hostnames found.

216.48.3.0-255 : 5 hostnames found.

Done with Fierce scan:

Found 1895 entries.

Have a nice day.

Foca 2

http://www.informatica64.com/DownloadFOCA/

Foca 2 is a Windows tool which uses both search engines and DNS. It has a nice graphic interface and provides a useful spider of the website. It finds meta data from documents,, subdomains, IPs and can map the domain servers.

File?id=dg23j87b_331g9tp5kdd_b

Conclusion

In this article, you could work on every footprinting techniques, using a whole set of tools.

References

1) OWasp testing guide Category:OWASP Testing Project - OWASP

2) Mission Security - Jer001 - look for subdomains - MISSION: Security: [PENTESTING] [DNS] Look for subdomains, par jer001 - BLOG Sécurité des SI

3) Filip Wayetens - dnsenum1.1 - .:[ packet storm ]:. - http://packetstormsecurity.org/

4) outils Sensepost - SensePost - SensePost SDH Labs

5) Sensepost footprinting whitepaper - http://www.sensepost.com/restricted/BH_footprint2002_paper.pdf

6) Mission Security - Jer001 - MISSION: Security: [Pentesting] [Discovery phase] When relevant information is available ... on the Internet!, par jer001 - BLOG Sécurité des SI

7) outils Edge Security - Edge-Security - Penetration testing Tools

8) Alessandro 'Jekil' Tanasi - hostmap.rb - Browse hostmap Files on SourceForge.net

infond: tutorial footprinting - passive information gathering before a pentest

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...