Inventory
Target
- Name
- IP Address(es)
- OS
- Open Ports
- Known Vulnerabilities
- Administrative Accounts / Passwords
- Other Accounts / Passwords
How Discovered?
Findings
- Objectives
- Exploitation Attempts
- Results
- Obtained Flag (Pwnd?)
Web-based Recon
Target's own websites:
- Press releases
- White Papers
- Design Documents
- Sample deliverables
- Open positions
- Key people
- Contacts
Related Sites:
- Business partners, ISP, suppliers
- Competitors, review sites
Public Databases:
- SEC's Edgar database (Public Companies... http://www.sec.gov/edgar/quickedgar.htm)
- Job Sites (monster.com, hotjobs.com, etc.)
- Blogs
- Social Networking Sites
- Newsgroups
- Wayback Machine
On/Off-line
- Newspapers
- Magazines
- Etc.
DNS Interrogation
DNS Record Types (http://en.wikipedia.org/wiki/List_of_DNS_record_types)
- A: IPv4 Address record
- CNAME: Canonical Name (alias)
- MX: Mail Exchange record (mail servers for domain)
- NS: Name Server record (authoritative name server)
- PTR: Pointer for inverse lookups record (reverse record)
- SOA: Start of Authority record (server authoritative for zone)
- TXT: Text record (arbitrary text string - often used for anti-spam checks)
- HINFO: Host Information record (formerly system type) - rarely used
- RP: Responsible Person record (info of human) - rarely used
- SRV: Service Locator record (host/port info - used by newer protocols instead of defining a protocol-specific record type like MX) - rarely used
nslookup (+interactive mode)
- server
- set
- - type=any
- - [no]recurse
- ls -d [> filename]
- view
DNS Cache Snooping - Luis Grangeia (http://www.sysvalue.com/ResourcesUser/docs/dns_cache_snooping.pdf)
dig [@global-server] [domain] [type]
- dig @<server> <domain> -t AXFR (full zone transfer)
- dig @<server> <domain> -t IXFR=N (incremental zone transfer: records changed since SOA serial number N)
- +[no]recurse (recursive queries are the default)
- Dig for Windows (http://www.nscan.org/dig.html)
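The nslookup and dig options above (set type=any, set norecurse, +norecurse) change two things in the packet: the QTYPE in the question and the RD (recursion desired) bit in the header, the same bit a non-recursive probe of the kind described in the cache-snooping paper leaves cleared. The following Python script is an added example, not part of the original notes and not taken from any of the tools linked above; it builds a query in RFC 1035 wire format and parses a constructed response carrying the record types listed, so it runs offline with no resolver. The function names, the 0x1234 transaction id and the 192.0.2.1 / mail.example.com sample data are my own choices.

```python
import struct

# Added example (not from the original notes): DNS wire format per RFC 1035.
# Type codes for the record types listed above, plus ANY (nslookup's type=any).
RECORD_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
                "MX": 15, "TXT": 16, "RP": 17, "SRV": 33, "ANY": 255}
TYPE_NAMES = {code: name for name, code in RECORD_TYPES.items()}

def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype="A", recurse=True, txid=0x1234):
    """Wire bytes of a one-question query; recurse=False clears the RD bit
    (what nslookup 'set norecurse' and dig +norecurse send)."""
    flags = 0x0100 if recurse else 0x0000          # QR=0, opcode=0, RD=0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RECORD_TYPES[qtype], 1)

def parse_header(msg):
    """Decode the 12-byte header into the fields an analyst reads first."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400),
            "recursion_desired": bool(flags & 0x0100),
            "recursion_available": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def decode_name(msg, offset):
    """Decode a name that may use compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_answers(msg):
    """Return [(owner, type, ttl, rdata)] for the answer section."""
    hdr, offset = parse_header(msg), 12
    for _ in range(hdr["qdcount"]):                    # skip the question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(hdr["ancount"]):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:                                 # A: dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:                              # MX: preference + host
            value = "%d %s" % (struct.unpack("!H", rdata[:2])[0],
                               decode_name(msg, offset + 2)[0])
        elif rtype in (2, 5, 12):                      # NS / CNAME / PTR: a name
            value = decode_name(msg, offset)[0]
        else:                                          # SOA, TXT, SRV, ...: raw hex
            value = rdata.hex()
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return answers

# Constructed sample response (not captured traffic): example.com A and MX.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # QR+RD+RA, 1 question, 2 answers
    + encode_name("example.com") + b"\x00\x01\x00\x01"    # question: example.com A IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # A, IN, TTL 300, rdlen 4
    + bytes([192, 0, 2, 1])                               # 192.0.2.1 (TEST-NET-1)
    + b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10\x00\x09"  # MX, IN, TTL 3600, rdlen 9
    + b"\x00\x0a\x04mail\xc0\x0c"                         # pref 10, mail.example.com
)

if __name__ == "__main__":
    probe = build_query("example.com", "ANY", recurse=False)
    print("RD bit on non-recursive ANY probe:", parse_header(probe)["recursion_desired"])
    for record in parse_answers(SAMPLE_RESPONSE):
        print(record)
```

On the defensive side the same header decoder is what you would run over resolver logs or a pcap: a burst of queries with RD cleared against a recursive resolver, or ANY/AXFR requests from outside the expected secondaries, are the patterns worth alerting on.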
DNSstuff.com & DNS Query Websites
- http://member.dnsstuff.com/pages/tools.php
- DNS Report (Improved, lots of info – but only trial free now)
- Whois/IPWhois Lookup
- IP Information (City, Country, etc.)
- URL Deobfuscator
- Traceroute
Whois Lookups
InterNIC -> Individual Registrar (sometimes more detail)
Web-based whois searches:
CLI 'whois':
- Direct vs. Automatically Redirected
- whois [-h HOST] OBJECT
IP Address Assignments:
ARIN (http://www.arin.net): North America
- Max 256 results
- Query-by-record-type:
- - n: network address space
- - a: autonomous system (AS number)
- - p: point of contact
- - o: organization
- - c: end-user customers
- Query-by-attribute:
- - @ : match domain portion of an email address
- - ! : match handle or id
- - . : match by name
- Display flags:
- - + : FULL output (details for each match)
- - - : LIST output (summary only)
RIPE NCC (http://www.ripe.net): Europe, Middle East, Central Asia
APNIC (http://www.apnic.net): Asia and Pacific Region
AUNIC (http://www.aunic.net): Australia
LACNIC (http://www.lacnic.net): Latin America and Caribbean
AfriNIC (http://www.afrinic.net): Africa
Hacking Techniques
As outlined in my Ethical Hacking Class:
- Reconnaissance
- Scanning
- Exploitation
- Maintaining Access (Malware)
- Evading Detection