IV Needle Injecting Tech into the Vein

7 May 2009

Inventory

Target

  • Name
  • IP Address(es)
  • OS
  • Open Ports
  • Known Vulnerabilities
  • Administrative Accounts / Passwords
  • Other Accounts / Passwords

How Discovered?

Findings

  • Objectives
  • Exploitation Attempts
  • Results
  • Obtained Flag (Pwnd?)
7 May 2009

Web-based Recon

Target's own websites:

  • Press releases
  • White Papers
  • Design Documents
  • Sample deliverables
  • Open positions
  • Key people
  • Contacts

Related Sites:

  • Business partners, ISP, suppliers
  • Competitors, review sites

Public Databases:

On/Off-line

  • Newspapers
  • Magazines
  • Etc.
7 May 2009

DNS Interrogation

DNS Record Types (http://en.wikipedia.org/wiki/List_of_DNS_record_types)

  • A: IPv4 Address record
  • CNAME: Canonical Name record (alias for another name)
  • MX: Mail Exchange record (mail servers for the domain)
  • NS: Name Server record (authoritative name server)
  • PTR: Pointer record (reverse lookup, address to name)
  • SOA: Start of Authority record (server authoritative for the zone, plus the zone serial number)
  • TXT: Text record (arbitrary text string - often used for anti-spam policies)
  • HINFO: Host Information record (CPU and OS type) - rarely used
  • RP: Responsible Person record (contact person for a host) - rarely used
  • SRV: Service Locator record (host/port for a service - used by newer protocols instead of creating protocol-specific records like MX) - rarely used

nslookup (interactive mode)

  • server (switch the default name server)
  • set
      - type=any
      - [no]recurse
  • ls -d DOMAIN [> filename]
  • view filename

DNS Cache Snooping - Luis Grangeia (http://www.sysvalue.com/ResourcesUser/docs/dns_cache_snooping.pdf)

dig [@global-server] [domain] [type]

  • dig @server domain -t AXFR (full zone transfer)
  • dig @server domain -t IXFR=N (incremental zone transfer: records changed since SOA serial number N)
  • +[no]recurse (recursive queries are the default)
  • Dig for Windows (http://www.nscan.org/dig.html)

DNSstuff.com & DNS Query Websites
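As an added example (not from the course notes), the Python below parses dig's AXFR output into the Inventory fields above (host name, IP addresses) and lists the HINFO and TXT records a zone discloses, which is what to review when deciding whether one's own name servers should answer zone transfers at all. The sample zone is constructed, and the parser assumes dig's default one-record-per-line output.

```python
import re
from collections import defaultdict

# Constructed sample of dig's AXFR output for a fictitious zone (example.com, RFC 5737 addresses)
SAMPLE_AXFR = """\
; <<>> DiG 9.x <<>> @ns1.example.com example.com -t AXFR
;; global options: +cmd
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2009050701 7200 3600 1209600 3600
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN MX    10 mail.example.com.
example.com.          3600 IN TXT   "v=spf1 mx -all"
mail.example.com.     3600 IN A     192.0.2.25
www.example.com.      3600 IN A     192.0.2.10
www.example.com.      3600 IN A     192.0.2.11
intranet.example.com. 3600 IN HINFO "Intel" "Linux"
ftp.example.com.      3600 IN CNAME www.example.com.
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2009050701 7200 3600 1209600 3600
;; Query time: 12 msec
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")  # name ttl IN type rdata

def parse_axfr(text):
    """Return (name, type, rdata) tuples; dig comments and the repeated closing SOA are dropped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        name, _ttl, rtype, rdata = m.groups()
        rec = (name.rstrip("."), rtype, rdata.strip())
        if rtype == "SOA" and rec in records:
            continue  # an AXFR ends with the same SOA it started with
        records.append(rec)
    return records

def inventory(records):
    """Map host name -> IPv4 addresses (A records) and collect records that
    disclose host details (HINFO gives CPU/OS, TXT often carries policy text)."""
    hosts = defaultdict(list)
    disclosures = []
    for name, rtype, rdata in records:
        if rtype == "A":
            hosts[name].append(rdata)
        elif rtype in ("HINFO", "TXT"):
            disclosures.append((name, rtype, rdata))
    return dict(hosts), disclosures
```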

7 May 2009

Whois Lookups

InterNIC -> Individual Registrar (sometimes more detail)

Web-based whois searches:

CLI 'whois':

  • Direct vs. Automatically Redirected
  • whois [-h HOST] OBJECT

IP Address Assignments:

ARIN (http://www.arin.net): North America

  • Max 256 results
  • Query-by-record-type:
      - n: network address space
      - a: autonomous system
      - p: point of contact
      - o: organization
      - c: end-user customers
  • Query-by-attribute:
      - @: match domain portion of an email address
      - !: match handle or ID
      - .: match by name
  • Display flags:
      - +: FULL output (details for each match)
      - -: LIST output (summary only)

RIPE NCC (http://www.ripe.net): Europe, Middle East, Central Asia
APNIC (http://www.apnic.net): Asia and Pacific Region
AUNIC (http://www.aunic.net): Australia
LACNIC (http://www.lacnic.net): Latin America and Caribbean
AfriNIC (http://www.afrinic.net): Africa

7 May 2009

Reconnaissance

The following are reconnaissance techniques:

7 May 2009

Hacking Techniques

As outlined in my Ethical Hacking Class:
