begood Posted May 23, 2010 Report Share Posted May 23, 2010 A pentest must be planned and prepared by several preliminary actions to obtain the most comprehensive inventory of resources hardware, software and even human target network. It is to recover the maximum information on the network architecture, operating systems, applications and users. This step should not be limited to port scanning or fingerprinting. Indeed, lots of informations can be gathered through passive means, without any access to the target, for example using DNS servers or search engines as Google. We must therefore distinguish passive - footprinting - and active recognition.The aim of footprinting is to passivly gather intelligence about web, mail, DNS, directory servers and look for IP addresses, domain names, network protocols, active services, operating systems, softwares and users. It is then followed by a phase of active recognition. This one completes knowledge of the audited network by active operations directly on the target system. It includes network scans, with specialized softwares as NMAP, to find IP addresses, open ports and softwares running on the servers. This is related as port scanning and fingerprinting.The purpose of this article is to present methods for passive recognition (footprinting). It also presents a practical implementation of footprinting. For teaching, we analyse the domain Owasp.org, using a full range of existing tools. We also use two scripts Python for multithreaded DNS search dnsdic and dnsbf. The point is most of the tools we present are complementary and useful for a deep recognition.What is footprinting? Footprinting is a security auditing technique, aimed at gathering intelligence about the infrastructure of a target network, only from information which access is free and autorized. It is the first component of the information gathering step of a pentest, before port scanning and fingerprinting.More precisely, the aim of footprinting is to find IP addresses, network address ranges and subdomains names. During the footprinting process conduct, some services (mail, web, DNS) provided by servers can be discovered. With these informations, a pentester is then able to further focus his research.Footprinting is based on several techniques, based on DNS and search engines:- DNS query: with a domain name, you obtain the associated IP. Any field of the DNS response can be exploited: A, MX, etc. ,- reverse DNS query: with an IP or an IP addresses range, you obain domain names,- dictionnary DNS. With a domain name, you make DNS queries on usual subdomains names and top level domains. For example, from "mysite.com", you look for "smtp.mysite.com", "pop.mysite.com", etc. and then "mysite.fr", "mysite.org", etc.,- attempt to transfer DNS zone: sometimes, the zone database of a misconfigured DNS server can be downloaded,- website spiding: we gather any subdomain name met during the visit of all internal links in the website,- recovery of old DNS entries: old DNS entries are sometimes listed by specialized websites,- WhoIs database: you obtain the informations legaly provided for teh domain name rental,- search engines queries,- X509 certificates queries,- robots.txt of the website analysis,Tools - robtex website which provides graphical informations from DNS and WhoIs,- dig: Linux command aimed at finding IP address associated with a domain name,- dnsbf: script for reverse DNS search in a whole subnet,- dnsdic and its dictionnary: script for DNS dictionnary bruteforce search for subdomains names,- dnsmap: (backtrack) Script for gathering IP addresses form a domain name,- dnsrecon: (backtrack) script for top level domain names search. For example, fo Owasp, we find owasp.org, owasp.net, owasp.fr, etc.- DNSWalk (backtrack) - The dnswalk DNS database debugger | Get The dnswalk DNS database debugger at SourceForge.net,- Burp Suite PortSwigger.net - Burp Suite (java needed)- http://dnshistory.org - old DNS entries,- subdomainer.pl: (Edge-Security) script for subdomains names gathering with search engines,- Metagoofil.py (backtrack) from Edge-Security. Script for information gathering in documents (pdf,doc...) referenced by Google. Metagoofil needs extract ($ sudo apt-get install extract). Moreover, il is installed by default in /usr/bin. Modify the scrit to use the executable from this directory,- FoxyProxy (https://addons.mozilla.org/fr/firefox/addon/2464), Firefox extension useful with Burp Suite,- Maltego (backtrack) - graphical footprinting tool - http://www.paterva.com/- Hostmap.rb: hostmap | Get hostmap at SourceForge.net remarkable script, wrritten in Ruby, that conducts iterative queries on DNS, search engines and cryptographic key servers,- Fierce (backtrack) - Fierce Domain Scan - script perl for Linux to conduct DNS search,ResultsWhile you're reading this article, you'll find the following informations:Owasp.org is a website hosted by Fast.net. Its NDS servers are hosted by Secure.net, a BtoB US company with the US armies as customer.domain namesThe following domain names are linked to the IP address 216.48.3.18 owasp.orgesapi.orgwebscarab.netwebscarab.comwebscarab.orgwebgoat.orgowasp.asiaowasp.cg,188.165.42.228owasp.chowasp.com.twowasp.cz,81.0.246.60owasp.fr,216.48.3.18owasp.de,78.46.49.201owasp.dkowasp.gr,69.93.193.98owasp.hu,193.142.209.99owasp.ir,213.175.221.136owasp.kr,222.231.8.226owasp.infoowasp.lt,79.98.25.1owasp.my,202.190.179.45owasp.mp,75.101.130.205owasp.netowasp.nlowasp.org.twowasp.pw,70.87.29.150owasp.pl,91.210.130.50owasp.ph,203.119.6.249owasp.ru,193.232.159.1owasp.rw,94.23.192.35owasp.twowasp.ws,64.70.19.33owasp.st,195.178.160.40owasp.es,213.186.33.5owasp.se,212.97.132.112owasp.ch,88.191.227.205owasp.twowasp.tk,193.33.61.2owasp.tk,209.172.59.196owasp.tk,94.103.151.195owasp.tk,217.119.57.22owasp.tv,64.99.80.30owasp.vn,72.52.194.126IP addressesevery IP address of the Owasp network belongs to the subnet 216.48.3.0/24. The IP allocated to Owasp are:216.48.3.18216.48.3.19216.48.3.20216.48.3.22216.48.3.23216.48.3.26216.48.3.30The following address is interesting, because it points on websites owned by the creator of Owasp:66.255.82.14Any of the further subdomains have the IP 216.48.3.18 excepted:forums.owasp.org 216.48.3.19stage.owasp.org 216.48.3.20lists.owasp.org 216.48.3.22voip.owasp.org 216.48.3.22forums.owasp.net 216.48.3.23ads.owasp.org 216.48.3.26ml1lists.owasp.org 216.48.3.30docs.owasp.org hébergé par googlemail.owasp.org hébergé par googlegroups.owasp.org hébergé par googlecalendar.owasp.org hébergé par googlemail.owasp.net 66.255.82.14subdomainsowasp.orgml1.owasp.orgOWASPwww2.owasp.orglists.owasp.org 216.48.3.22ads.owasp.org 216.48.3.26_adsp._domainkey.owasp.orgjobs.owasp.orgregistration.owasp.org_policy._domainkey.owasp.org_domainkey.owasp.orges.owasp.org austin.owasp.orgbeta.owasp.orgblogs.owasp.orgforum.owasp.orgold.owasp.orgww.owasp.orglocalhost.owasp.orggoogle6912a08c3a8ccdf0b.owasp.orgns.owasp.orgdocs.owasp.orgcalendar.owasp.orgaustin.owasp.orggateway.owasp.orgsecure.owasp.orgintranet.owasp.orgextranet.owasp.orgweb.owasp.orgwebmail.owasp.orgftp.owasp.orgstage.owasp.orgowasp.netforums.owasp.net 216.48.3.23OWASPmail.owasp.net 66.255.82.14owasp.twmail.owasp.tw_domainkey.owasp.twOWASPowasp.frFrance - OWASPmail.esapi.org 216.48.3.18Category:OWASP Enterprise Security API - OWASP 216.48.3.18webscarab.net 216.48.3.18ftp.webscarab.netCategory:OWASP WebScarab Project - OWASPpop.webscarab.netsmtp.webscarab.netimap.webscarab.netwebscarab.comCategory:OWASP WebScarab Project - OWASPimap.webscarab.comftp.webscarab.comwebscarab.orgwebgoat.orgCategory:OWASP WebGoat Project - OWASPimap.webgoat.orgnews.webgoat.orgsmtp.webgoat.orgftp.webgoat.orgpop.webgoat.orgDNS serversThe DNS server used are (excepted owasp.tw, owasp.org.tw, owasp.fr and more generaly any site situated outside of USA):ns1.secure.net 192.220.124.10 (USA)ns2.secure.net 192.220.125.10For example,for owasp.tw:ns1.eurodns.com 80.92.65.2 (Luxembourg)ns2.eurodns.com 80.92.67.140for owasp.fra.dns.gandi.fr 217.70.179.40 (France)b.dns.gandi.fr 217.70.184.40for owasp.org.tw:csn1.net-chinese.com.tw 202.153.205.76 (Taiwan)csn2.net-chinese.com.tw 202.130.187.243people in chargeEvery domain names (except owasp.fr and owasp.org.tw) were filed by:Laurence Caseyowasp.fr was filed by Sébastien Gioria (0623040051) for Doing Soft companyowasp.org.tw by Wayne Huang Armorize technologies Incadministratorshttp://www.owasp.org/index.php?title=Special%3AListUsers&group=sysopSimple DNS queriesrobtex.comUse robtex website, and search owasp.org in its dns search engine: Domain Name Server records -> owasp.org www.owasp.org is available on 216.48.3.18. It belongs to the subnet 216.48.2.0/23. This means that the address range available is:216.48.2.0 to 216.48.3.255.digRq: You can also find the IP address with $ dig owasp.org Websites Category:OWASP Enterprise Security API - OWASP, Category:OWASP WebScarab Project - OWASP and OWASP point to the same IP addressThe owasp.org DNS server is hosted by secure.netIts mail server is hosted by google.googleA few google searches tell you:google -> esapi.orggoogle -> owasp.netgoogle -> webscarab.netgoogle -> secure.net esapi.org and webscarab.net are both Owasp projectssecure.net is owned by Secure Network Systems, a US company which develops profestional softwares for hysical access control (airorts, etc.) with US army as customer.Finding the IP 216.48.3.18 with robtex gives you: robtex.com/dns -> 216.48.3.18 Finding owasp.* with robtex gives you- owasp.net- owasp.de- owasp.czreverse DNS query on an IP address rangednsbf.py Owasp is hosted by Fastnet (http://www.fast.net/) in USA.Here, this information is not really relevant, because Owasp probably rents there its servers. Sometimes, such a query could conduct to find other servers hold by the same company.Let's use the Python script dnsbf.py on the IP address range: 216.48.2.0/23.$ ./dnsbf.py 216.48.2.0/23****************************************** under GNU 3.0 licence ** v0.2 02/13/2010 ** using dns, find hostnames in a subnet ******************************************begin search...216.48.2.34 clarendon.my-vresume.com216.48.2.10 mail.nvafamilypractice.com216.48.4.251 ns1.croem.net216.48.4.107 mail1.gulfstreamacademy.com216.48.3.69 mail.nationalstrategiesinc.com216.48.4.20 encirclepayments.com216.48.3.90 mail.wssa.com216.48.4.21 mail.encirclepayments.com216.48.4.170 mail.wilhelminamiami.com216.48.5.55 mail.eliteislandresorts.com216.48.5.181 ns4.viomedia.com216.48.3.10 mail.jandrroofing.com216.48.4.194 amarinelli.com216.48.2.74 mail.ppamedicalbilling.com216.48.5.244 mail.terragroup.com216.48.2.75 mail.hirestrategy.com216.48.4.18 wxesrv01s.interpath216.48.5.182 ns4.maquilon.com216.48.4.253 mail.e-progroup.com216.48.2.200 mailgate.catapulttechnology.com216.48.4.162 mail.malloylaw.com216.48.4.72 mail.amtel-security.com216.48.2.194 fw.catapulttechnology.com216.48.3.82 mail.wssa.com216.48.3.92 freightoffice.wssa.com216.48.3.29 mail.empiregroup.us216.48.4.186 mail.marlinshowcase.com216.48.2.3 smtp.advantagehomes.org216.48.5.164 mailserver.federalmillwork.com216.48.2.90 mail2.bgsb.net216.48.3.122 mail3.bulletinnews.com216.48.3.98 Mail.jamesmyersco.com216.48.2.204 smtp.catapulttechnology.com216.48.4.187 marlinshowcase.com216.48.2.39 SMTP.edoptions.com216.48.4.154 mail.krmlegal.com216.48.5.162 mailserver.federalmillwork.com216.48.4.106 gaamail.gulfstreamacademy.com216.48.5.251 mail.eastridgerc.com216.48.4.247 mail.croem.netend of search1023 ip tested, 40 names found, in 25 s$dictionary DNS queries It may be interesting to look for Owasp.net available subdomains (for example, mail.owasp.net)dnsdic.py Let's use the Python script dnsdic.pydnsdic.py needs a dictionary file.We take the file dns.txt from dnsenum1.1 [3] written by jer001 [2].By the way, we can not resist the pleasure of quoting an excellent source of dictionaries: Passwords - Skull Security$ ./dnsdic.py -f ./dns.txt owasp.net**************************************************** under GNU 3.0 licence ** v0.1 02/14/2010 ** dns dictionnary search of hostnames in a subnet ****************************************************begin search...forums.owasp.net [] ['216.48.3.23']owasp.net ['www.owasp.net'] ['216.48.3.18']end of search95 names tested, 2 hostnames found, in 6.032436 s Nous trouvons un serveur qui n'avait pas été détecté par la recherche reversedns: forums.owasp.net $ ./dnsdic.py -f dns.txt webscarab.net**************************************************** under GNU 3.0 licence ** v0.1 02/14/2010 ** dns dictionnary search of hostnames in a subnet ****************************************************begin search...webscarab.net ['ftp.webscarab.net'] ['216.48.3.18']webscarab.net ['www.webscarab.net'] ['216.48.3.18']webscarab.net ['pop.webscarab.net'] ['216.48.3.18']webscarab.net ['smtp.webscarab.net'] ['216.48.3.18']end of search95 names tested, 4 hostnames found, in 8.064246 s $ ./dnsdic.py -f dns.txt esapi.org**************************************************** under GNU 3.0 licence ** v0.1 02/14/2010 ** dns dictionnary search of hostnames in a subnet ****************************************************begin search...esapi.org ['mail.esapi.org'] ['216.48.3.18']esapi.org ['www.esapi.org'] ['216.48.3.18']end of search95 names tested, 2 hostnames found, in 2.036982 s dnsdic.py does not give any result with owasp.org. Indeed, casting an eye to robtex results, you note that owasp.org is referenced by *.owasp.org . Any DNS request on an Owasp subdomain sends the main IP address as result.And what about mail.owasp.net? We find an additional IP: 66.255.82.14. Still with robtex, a query with this IP gives:robtex.com/dns -> mail.owasp.netrobtex.com/dns -> 66.255.28.14 It appears that Mr Casey hosts friends websites...dnsmapdnsmap is available with backtrack. It provides the IP addresses associated with a domain name. root@bt:/pentest/enumeration/dns/dnsmap# ./dnsmap owasp.orgdnsmap 0.24 - DNS Network Mapper by pagvac (gnucitizen.org)[+] warning: the target domain might use wildcards. dnsmap will try to filter out false positives[+] searching (sub)domains for owasp.org using built-in wordlistforums.owasp.orgIP address #1: 216.48.3.19groups.owasp.orgIP address #1: 74.125.47.121localhost.owasp.orgIP address #1: 127.0.0.1[+] warning: target domain might be vulnerable to "same site" scripting (http://snipurl.com/etbcv)mail.owasp.orgIP address #1: 74.125.47.121[+] 4 (sub)domains and 4 IP address(es) found[+] completion time: 50 second(s) dnsrecon dnsrecon provides top level domain names associated with a domain name. For example, with Owas, you find Owasp.org, Owasp.net, Owasp.frroot@bt:/pentest/enumeration/dnsrecon# ruby dnsrecon.rb -tld owaspowasp.org,216.48.3.18,Aowasp.net,216.48.3.18,Aowasp.cg,188.165.42.228,Aowasp.cz,81.0.246.60,Aowasp.fr,216.48.3.18,Aowasp.de,78.46.49.201,Aowasp.gr,69.93.193.98,Aowasp.hu,193.142.209.99,Aowasp.ir,213.175.221.136,Aowasp.kr,222.231.8.226,Aowasp.lt,79.98.25.1,Aowasp.my,202.190.179.45,Aowasp.mp,75.101.130.205,Aowasp.pw,70.87.29.150,Aowasp.pl,91.210.130.50,Aowasp.ph,203.119.6.249,Aowasp.ru,193.232.159.1,Aowasp.rw,94.23.192.35,Aowasp.ws,64.70.19.33,Aowasp.st,195.178.160.40,Aowasp.es,213.186.33.5,Aowasp.se,212.97.132.112,Aowasp.ch,88.191.227.205,Aowasp.tw,216.48.3.18,Aowasp.tk,193.33.61.2,Aowasp.tk,209.172.59.196,Aowasp.tk,94.103.151.195,Aowasp.tk,217.119.57.22,Aowasp.tv,64.99.80.30,Aowasp.vn,72.52.194.126,A Attempt to transfer DNS zonesometimes, the zone database of a misconfigured DNS server can be downloaded DNSWalk root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk owasp.org.Checking owasp.org.Getting zone transfer of owasp.org. from ns1.secure.net...done.SOA=ns1.secure.net contact=hostmaster.secure.netWARN: owasp.org A 216.48.3.18: no PTR recordWARN: ads.owasp.org A 216.48.3.26: no PTR recordWARN: calendar.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)WARN: docs.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)WARN: es.owasp.org A 216.48.3.18: no PTR recordWARN: forums.owasp.org A 216.48.3.19: no PTR recordWARN: groups.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)WARN: lists.owasp.org A 216.48.3.22: no PTR recordWARN: mail.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)WARN: ml1lists.owasp.org A 216.48.3.30: no PTR recordWARN: stage.owasp.org A 216.48.3.20: no PTR recordWARN: voip.owasp.org A 216.48.3.22: no PTR record0 failures, 12 warnings, 0 errors.The attempt fails. Neverthess, DNSWalk uses other techniques described in this article and gives:216.48.3.19 forums.owasp.org216.48.3.30 ml1lists.owasp.org216.48.3.20 stage.owasp.orgOld DNS entriesdnshistory.orgLet's use http://dnshistory.org/ . This site keeps old DNS entries. Here, no result...Website spidingBurp SuiteUse Burp Suite. This tool configures a proxy on your computer and visits every internal links of a website. A traceroute to ads.owasp.org gives the IP address 216.48.3.26 $ traceroute ads.owasp.org Informations about administrators OWasp publishes a list of people who can administrate its Wiki:http://www.owasp.org/index.php?title=Special%3AListUsers&group=sysopAholmes ? (Created on 27 September 2006 at 14:51) Alison.McNamee ? (Created on 26 November 2007 at 22:22) Aspectmichelle ? (Created on 24 August 2007 at 15:10) Brennan ? (Created on 13 June 2006 at 00:07) Dinis.cruz ? Dwichers ? Esheridan ? (Created on 31 July 2006 at 20:09) Jason Li ? (Created on 17 April 2007 at 20:16) Jcmax ? Jeff Williams ? Jeremy Ferragamo ? KateHartmann ? (Created on 12 May 2008 at 14:01) KirstenS ? (Created on 16 May 2008 at 11:38) Laurence Casey ? OWASP ? (Created on 23 June 2006 at 16:50) Paulo Coimbra ? (Created on 4 July 2008 at 00:22) RoganDawes ? Sdeleersnyder Weilin Zhong ? Wichers ? WikiSysop ? X509 certificatesSometimes, people publish their public key on X509 servers. That can provide email informations. cf following hostmap.rbWhoisThe WhoIs database. $ whois owasp.orgCreated On:21-Sep-2001 17:00:36 UTCLast Updated On:15-Feb-2005 15:45:17 UTCExpiration Date:21-Sep-2013 17:00:36 UTCSponsoring Registrar:Register.com Inc. (R71-LROR)Registrant ID:546CEF135F727823Registrant Name:Laurence CaseyRegistrant Organization:OWASP FoundationRegistrant Street1:9175 Guilford Rd Suite 300Registrant City:ColumbiaRegistrant Country:USRegistrant Phone:+1.3016044882Registrant Email:larry.casey@owasp.org $ whois owasp.orgOrganisation Address. UNITED STATESAdmin Name........... Laurence Casey Search engines Simple querygoogle -> site:owasp.org no relevant information.subdomainer.pyLet's use Subdomainer.py from Edge-Security [4]: $ python ./subdomainer.py -d owasp.org -l 10 -m yahoo**************************************Subdomainer Ver. 1.3b **Coded by Christian Martorella **Edge-Security Research **laramies2k@yahoo.com.ar **************************************Searching for owasp.org in yahoo=======================================Total results: 1998Limit: 10Searching results: 0Subdomains founded:====================lists.owasp.orgTotal results: 2Going for extra check: ====> 216.48.3.18lists.owasp.org ====> 216.48.3.22 You find a new subdomain: lists.owasp.orgMetaGoofil.py Now, let's use the tool MetaGoofil.py (Edge-Security) [7].Metagoofil.py is a script aimed at seeking informations in meta datas in documents referenced by search engines (pdf,doc...) . It needs extract ($ sudo apt-get install extract). It is aslo installed by default in /usr/bin. You need to modify the script to use this directory.$ python ./metagoofil.py -d owasp.org -l 100 -f all -o tmp.html -t tmp-files**************************************MetaGooFil Ver. 1.4a **Coded by Christian Martorella **Edge-Security Research **cmartorella@edge-security.com **************************************[+] Command extract found, proceeding with leeching[+] Searching in owasp.org for: pdf[+] Total results in google: 496[+] Limit: 800[+] Searching results: 0[+] Searching results: 20[+] Searching results: 40(...)[+] Searching in owasp.org for: doc[+] Total results in google: 86(...)[+] Searching in owasp.org for: xls[+] Total results in google: 6(...)[+] Searching in owasp.org for: ppt[+] Total results in google: 417(...)[+] Searching in owasp.org for: sdw[+] Total results in google: 0[+] Searching in owasp.org for: mdb[+] Total results in google: 0[+] Searching in owasp.org for: sdc[+] Total results in google: 0[+] Searching in owasp.org for: odp[+] Total results in google: 1(...)Usernames found:================Paths found:============2005PaperTemplate\\Program Files\Microsoft Office\Templates\1033\Normal\Professional Report\OWASP Presentation Template\OWASP Attacking J2EE\Flow\[+] Process finished Les recherches dans owasp.org ne donne rien. $ python ./metagoofil.py -d owasp.net -l 800 -f all -o tmp.html -t tmp-files$ python ./metagoofil.py -d forums.owasp.net -l 800 -f all -o tmp.html -t tmp-files$ python ./metagoofil.py -d esapi.org -l 800 -f all -o tmp.html -t tmp-files$ python ./metagoofil.py -d webscarab.net -l 800 -f all -o tmp.html -t tmp-files La recherche dans lists.owasp.org:$ python ./metagoofil.py -d lists.owasp.org -l 800 -f all -o tmp.html -t tmp-files(...)Usernames found:================Paths found:============Normal\owasp melbourne \OWASP Presentation Template\[+] Process finished ShodanShodan is a website which lists configuration informations and website vulnerabilities.http://www.shodanhq.com/?q=owasp.org216.48.3.20Linux recent 2.4Added on 23.07.2009United StatesHTTP/1.1 301 Moved PermanentlyDate: Fri, 24 Jul 2009 03:15:20 GMTServer: Apache/2.2.9 (Fedora)X-Powered-By: PHP/5.2.6Vary: Accept-Encoding,CookieX-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wiki1134Token;string-contains=wiki1134LoggedOut;string-contains=wiki1134_sessionExpires: Thu, 01 Jan 1970 00:00:00 GMTCache-Control: private, must-revalidate, max-age=0Last-modified: Fri, 24 Jul 2009 03:15:21 GMTLocation: Main - OWASP...216.48.3.26Linux recent 2.4Added on 21.07.2009United StatesHTTP/1.1 302 FoundDate: Tue, 21 Jul 2009 08:08:41 GMTServer: Apache/2.2.9 (Fedora)X-Powered-By: PHP/5.2.6Location: http://ads.owasp.org/www/admin/index.phpConnection: closeContent-Type: text/html; charset=UTF-8216.48.3.18Linux recent 2.4Added on 21.07.2009United StatesHTTP/1.1 301 Moved PermanentlyDate: Tue, 21 Jul 2009 08:08:29 GMTServer: Apache/2.2.9 (Fedora)X-Powered-By: PHP/5.2.6Vary: Accept-Encoding,CookieX-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wiki15Token;string-contains=wiki15LoggedOut;string-contains=wiki15_sessionExpires: Thu, 01 Jan 1970 00:00:00 GMTCache-Control: private, must-revalidate, max-age=0Last-Modified: Tue, 21 Jul 2009 08:08:29 GMTLocation: OWASPCo...You obtain the following informations:3 Ips: 216.48.3.18, 216.48.3.20, 216.48.3.26 (already known), The Apache version at 07.23.2009: 2.2.9 (Fedora), The PHP engine versionthe 07.23.2009: 5.2.6These informations are a bit too old to be relevant.Web robotsAdmins put sometimes informations in their sitemap or robots file to tell robots engine where to go, and... where not to go, which can be interesting for you.in firefox -> http://owasp.org/Robots.txtin firefox -> http://owasp.org/sitemap.xml OWASP has no Robots.txt or sitemap.xml file.Mix of techniquesSome tools use a panel of all the techniques below.MaltegoMaltego is a powerful graphical tool for footprinting. It can organize the results of its searches.Download the community edition from http://www.paterva.com/Start it on some Ips and the domain name owasp.org:owasp.org216.48.3.18216.48.3.22216.48.3.23216.48.3.26Here is the result:Some elements can be added. You can see that Maltego does not find immediatly every results you found before.DNS MX - mail servers:owasp.com.twDNS zone transfertlocalhost.owasp.orggoogle6912a08c3a8ccdf0b.owasp.orgns.owasp.orgdocs.owasp.orgcalendar.owasp.orgaustin.owasp.orgDNS bruteforcegateway.owasp.orgsecure.owasp.orgintranet.owasp.orgextranet.owasp.orgweb.owasp.orgwebmail.owasp.orgftp.owasp.orgsharedIPvoip.owasp.orgdomains linked to owasp.orgowasp.netowasp.twowasp.com.twowasp.org.twowasp.frowasp.nlowasp.plowasp.czowasp.itowasp.dkowasp.deowasp.infoowasp.chowasp.asiahostmap.rbLet's use another (great) tool: hostmap.rbhostmap conducts iteratives searches with DNS, search engines and X509 servers.$ ruby hostmap.rb -t 216.48.3.18hostmap 0.2.1 codename fissatinaCoded by Alessandro `jekil` Tanasi [20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org[20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org[20:49] Found new hostname _adsp._domainkey.owasp.org[20:49] Found new domain _domainkey.owasp.org[20:49] Found new domain owasp.net[20:49] Found new hostname OWASP[20:49] Found new hostname owasp.net[20:49] Found new domain owasp.org[20:49] Found new hostname _domainkey.owasp.org[20:49] Found new hostname owasp.org[20:49] Found new hostname OWASP[20:49] Found new hostname _policy._domainkey.owasp.org[20:49] Found new hostname France - OWASP[20:49] Found new domain owasp.fr[20:49] Found new hostname owasp.fr[20:49] Found new hostname Category:OWASP WebScarab Project - OWASP[20:49] Found new domain webscarab.com[20:49] Found new hostname webscarab.com[20:49] Found new hostname news.webgoat.org[20:49] Found new domain webgoat.org[20:49] Found new hostname webgoat.org[20:49] Found new hostname austin.owasp.org[20:49] Found new hostname ww.owasp.org[20:49] Found new hostname jobs.owasp.org[20:49] Found new hostname registration.owasp.org[20:49] Found new hostname old.owasp.org[20:49] Found new hostname ml1.owasp.org[20:49] Found new hostname smtp.webgoat.org[20:49] Found new hostname pop.webgoat.org[20:49] Found new hostname Category:OWASP WebGoat Project - OWASP[20:49] Found new hostname forum.owasp.org[20:49] Found new hostname es.owasp.org[20:49] Found new hostname blogs.owasp.org[20:49] Found new hostname beta.owasp.org[20:49] Found new hostname imap.webgoat.org[20:49] Found new hostname ftp.webgoat.org[20:49] Found new hostname www2.owasp.org[20:49] Found new hostname OWASP[20:49] Found new domain owasp.org.tw[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[20:52] Found new mail server aspmx3.googlemail.com[20:52] Found new nameserver ns2.secure.net[20:52] Detected a wildward domain: owasp.org[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[20:52] Found new nameserver ns1.secure.net[20:52] Found new mail server aspmx.l.google.com[20:52] Found new mail server aspmx.l.google.com[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[20:52] Found new mail server alt1.aspmx.l.google.com[20:52] Detected a wildward domain: _domainkey.owasp.org[20:52] Found new mail server alt1.aspmx.l.google.com[20:52] Found new mail server aspmx4.googlemail.com[20:52] Found new mail server aspmx5.googlemail.com[20:52] Found new mail server aspmx5.googlemail.com[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[20:52] Found new nameserver c.dns.gandi.net[20:52] Found new mail server alt2.aspmx.l.google.com[20:52] Found new mail server spool.mail.gandi.net[20:52] Found new mail server aspmx2.googlemail.com[20:53] Found new nameserver a.dns.gandi.net[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[20:53] Found new mail server webscarab.com[20:53] Found new mail server webscarab.com[20:53] Found new mail server fb.mail.gandi.net[20:53] Found new nameserver b.dns.gandi.net[20:53] Found new mail server fb.mail.gandi.net[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[20:53] Found new mail server webgoat.org[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[20:53] Found new nameserver cns1.net-chinese.com.tw[20:53] Found new nameserver cns2.net-chinese.com.tw[20:56] Found new domain owasp.tw[20:56] Found new domain webscarab.org[20:56] Found new hostname owasp.tw[20:56] Found new domain webscarab.net[20:56] Found new domain webscarab.net[20:56] Found new hostname webscarab.org[20:56] Found new domain _domainkey.owasp.tw[20:56] Found new hostname webscarab.net[20:56] Found new hostname webscarab.net[20:56] Found new hostname _domainkey.owasp.tw[21:02] Found new hostname imap.webscarab.com[21:02] Found new hostname ftp.webscarab.com[21:02] Found new hostname imap.webscarab.com[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[21:03] Detected a wildward domain: owasp.tw[21:03] Found new nameserver ns1.eurodns.com[21:03] Found new mail server mail.owasp.tw[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[21:03] Found new nameserver ns2.eurodns.com[21:03] Found new mail server snowball.spidynamics.com[21:03] Found new nameserver ns1.inflow.net[21:03] Found new hostname mail.owasp.tw[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[21:03] Found new nameserver ns4.inflow.net[21:03] Found new mail server atl-mr01.spidynamics.com[21:03] Found new mail server webscarab.net[21:03] Found new nameserver ns2.inflow.net[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[21:03] Found new nameserver ns3.inflow.net[21:03] Found new nameserver ns5.inflow.net[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.[21:03] Detected a wildward domain: _domainkey.owasp.tw[21:03] Found new nameserver ns6.inflow.net[21:13] Found new hostname pop.webscarab.net[21:13] Found new hostname pop.webscarab.net[21:13] Found new hostname smtp.webscarab.net[21:13] Found new hostname smtp.webscarab.net[21:13] Found new hostname smtp.webscarab.net[21:13] Found new hostname ftp.webscarab.net[21:13] Found new hostname ftp.webscarab.net[21:13] Found new hostname ftp.webscarab.net[21:13] Found new hostname imap.webscarab.net[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net[21:13] Found new hostname imap.webscarab.net[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net[21:13] Found new hostname imap.webscarab.net[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.netResults for 216.48.3.18Served by name server (probably)ns6.inflow.netns1.eurodns.comc.dns.gandi.netns4.inflow.netns5.inflow.netns3.inflow.netns2.inflow.netb.dns.gandi.netns1.inflow.neta.dns.gandi.netns2.eurodns.comns2.secure.netcns1.net-chinese.com.twns1.secure.netcns2.net-chinese.com.twServed by mail exchange (probably)atl-mr01.spidynamics.comaspmx2.googlemail.comaspmx.l.google.commail.owasp.twwebscarab.comalt2.aspmx.l.google.comaspmx3.googlemail.comaspmx4.googlemail.comsnowball.spidynamics.comwebgoat.orgfb.mail.gandi.netaspmx5.googlemail.comalt1.aspmx.l.google.comwebscarab.netspool.mail.gandi.netHostnames:_adsp._domainkey.owasp.orgpop.webscarab.netimap.webgoat.orgOWASPmail.owasp.twjobs.owasp.orgwebscarab.comimap.webscarab.comwww2.owasp.orgregistration.owasp.orgnews.webgoat.org_policy._domainkey.owasp.orgowasp.orgsmtp.webscarab.net_domainkey.owasp.twsmtp.webgoat.org_domainkey.owasp.orgftp.webscarab.netwebscarab.orgftp.webgoat.orges.owasp.orgOWASPaustin.owasp.orgowasp.frowasp.twbeta.owasp.orgCategory:OWASP WebGoat Project - OWASPwebgoat.orgowasp.netOWASPblogs.owasp.orgftp.webscarab.comwebscarab.netforum.owasp.orgml1.owasp.orgold.owasp.orgCategory:OWASP WebScarab Project - OWASPFrance - OWASPimap.webscarab.netpop.webgoat.orgww.owasp.orgFierce Fierce (http://ha.ckers.org/fierce/) is a DNS search tool written in PERL for Linux.root@bt:/pentest/enumeration/fierce# cat ~/tmp.txtNow logging to /root/tmp.txtDNS Servers for owasp.org:ns1.secure.netns2.secure.netTrying zone transfer first...Testing ns1.secure.netWhoah, it worked - misconfigured DNS server found:owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. (2007080369 ; Serial86400 ; Refresh7200 ; Retry2592000 ; Expire86400 ) ; Minimum TTLowasp.org. 86400 IN A 216.48.3.18owasp.org. 86400 IN NS ns1.secure.net.owasp.org. 86400 IN NS ns2.secure.net.owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"*.owasp.org. 86400 IN CNAME owasp.org.ads.owasp.org. 86400 IN A 216.48.3.26austin.owasp.org. 86400 IN CNAME owasp.org.calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.es.owasp.org. 86400 IN A 216.48.3.18forums.owasp.org. 86400 IN A 216.48.3.19google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.groups.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.jobs.owasp.org. 86400 IN CNAME owasp.org.lists.owasp.org. 86400 IN A 216.48.3.22lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.localhost.owasp.org. 86400 IN A 127.0.0.1mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.ml1lists.owasp.org. 86400 IN A 216.48.3.30registration.owasp.org. 86400 IN CNAME owasp.org.stage.owasp.org. 86400 IN A 216.48.3.20voip.owasp.org. 86400 IN A 216.48.3.22OWASP. 86400 IN CNAME owasp.org.Okay, trying the good old fashioned way... brute forceChecking for wildcard DNS...** Found 94784227069.owasp.org at 216.48.3.18.** High probability of wildcard DNS.Now performing 1896 test(s)...216.48.3.26 ads.owasp.org216.48.3.19 forums.owasp.org216.48.3.22 lists.owasp.org127.0.0.1 localhost.owasp.org216.48.3.20 stage.owasp.org216.48.3.22 voip.owasp.orgSubnets found (may want to probe here using nmap or unicornscan):127.0.0.0-255 : 1 hostnames found.216.48.3.0-255 : 5 hostnames found.Done with Fierce scan: Fierce Domain ScanFound 1895 entries.Have a nice day.Foca 2http://www.informatica64.com/DownloadFOCA/Foca 2 is a Windows tool which uses both search engines and DNS. It has a nice graphic interface and provides a useful spider of the website. It finds meta data from documents,, subdomains, IPs and can map the domain servers.Conclusion In this article, you could work on every footprinting techniques, using a whole set of tools. References1) OWasp testing guide Category:OWASP Testing Project - OWASP2) Mission Security - Jer001 - look for subdomains - MISSION: Security: [PENTESTING] [DNS] Look for subdomains, par jer001 - BLOG Sécurité des SI3) Filip Wayetens - dnsenum1.1 - .:[ packet storm ]:. - http://packetstormsecurity.org/4) outils Sensepost - SensePost - SensePost SDH Labs5) Sensepost footprinting whitepaper - http://www.sensepost.com/restricted/BH_footprint2002_paper.pdf6) Mission Security - Jer001 - MISSION: Security: [Pentesting] [Discovery phase] When relevant information is available ... on the Internet!, par jer001 - BLOG Sécurité des SI7) outils Edge Security - Edge-Security - Penetration testing Tools8) Alessandro 'Jekil' Tanasi - hostmap.rb - Browse hostmap Files on SourceForge.netinfond: tutorial footprinting - passive information gathering before a pentest Quote Link to comment Share on other sites More sharing options...
adonisslanic Posted May 23, 2010 Report Share Posted May 23, 2010 Gr8 work begood! Chiar este util acest model de footprint Now go out and leave some logs bitches! Quote Link to comment Share on other sites More sharing options...
rampart Posted October 24, 2010 Report Share Posted October 24, 2010 OMG, ce tare! Quote Link to comment Share on other sites More sharing options...
