IV Needle Injecting Tech into the Vein

8 May 2009

More Recon Tools

Sam Spade (by Steve Atkins)

  • Network query tool for Windows
  • Ping, DNS Lookup, Whois, DNS Zone Transfer, Traceroute, Finger, SMTP Verify, Mirror Website, Check Time, Keep-alive, etc.

Spiderfoot (by Steve Micallef)

  • Input domain name(s)
  • Crawls website(s) for links and subdomains
  • Reverse DNS lookups for IPs of findings + given block(s)
  • Whois lookups {www,mail}.domains.{com,us,etc}
  • Google searches with SOAP API

BiLE Suite

  • BiLE-weigh.pl ($ ./BiLE-weigh.pl [site_of_interest] [BiLE_output.mine]) - Complex weighting algorithm to determine a 'related' score
  • tld-expand.pl - Expands a name across over 250 TLDs and does a DNS lookup for each
  • vet-IPrange.pl + vet-mx.pl - Check whether the results of the previous tools fall in the defined range (ex. What are the mail-servers for each domain?)
  • qtrace.pl - Uses hping to traceroute all target IPs - Outputs hop-by-hop paths to target

BiLE Recon Assembly-Line

BiLE -> BiLE-weigh -> tld-expand -> vet-IPrange + vet-mx -> qtrace

BiLE DNS Tools

  • Jarf-rev - Input target network range - Output reverse DNS lookups for each address
  • Jarf-dnsbrute - Input domain + dictionary - Output DNS lookup for every sub-domain

Metadata

Info in Metadata

Includes MAC address, user names, edits, GPS info (depending on file format)

  • JPG
    - EXIF (Exchangeable image file format)
    - IPTC (International Press Telecommunications Council)
  • PDF
  • DOC
  • DOCX
  • EXE
  • XLS
  • XLSX
  • PNG
  • Etc

Metadata Tools


Recon Automation

Automating Google Recon

  • SiteDigger (v2.0 Released Jan 2005) [Win]
  • Wikto (v2.1 Released Dec 2008) [Win]
  • Gooscan (~2006) [Lin] ... can be found in BackTrack
  • Goolag (v1.0.0.41 Mar 2008) [cDc/Win]

Google Proxies

  • Dec 2006... Google stops giving out SOAP API keys (deprecated)
  • Mar 2009 AJAX API 'graduates' from Google Code
  • Aug 2009... Google will disable the SOAP API

Google Proxy Tools

  • AURA (API Usable / Re-usable Again)
  • EvilAPI (defunct?)

Google Hacking

“Google, properly leveraged, has more intrusion potential than any hacking tool.” - Adrian Lamo (Grey Hat Hacker, hacked NY Times, Yahoo, etc.)

See this book: Google Hacking For Penetration Testers - Johnny Long

Google Searching Basics

Preferences and Advanced

  • Preferences
  • Language Tools
  • Advanced Search

Advanced Directives

  • site: (Searches only within a given domain)
  • [all]intext: (Shows pages with all terms in page text)
  • [all]inurl: (Shows pages whose URL matches)
  • [all]intitle: (Shows pages whose title matches)
  • filetype: (ext:) vs. searchterm
  • phonebook: (General)
  • bphonebook: (Business)
  • rphonebook: (Residential)
  • link: (Shows all sites linked to a given site)
  • related: (Shows similar pages [hit/miss])
  • cache: (Google cache)
  • info: (Cached + link: + related: ... Not very useful)
  • daterange: (Indexed by Google during dates within range) - Must always be a range - Must be in Julian Date form (Number of days since Jan 1, 4713 B.C.)
  • vs &as_qdr={h.d.w.m.y}[2..x]
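The daterange: directive above needs Julian Day Numbers, not calendar dates. As an added example (not from the original notes), the code below converts a Gregorian date to a Julian Day Number and back, and builds a site:-scoped daterange: query so a site owner can check what Google indexed from their own domain in a given window; example.com is a placeholder.

```python
from datetime import date

# Julian Day Number (JDN): count of days since 1 Jan 4713 B.C., which is
# the form Google's daterange: directive expects (e.g. daterange:2454833-2454863).


def julian_day_number(d: date) -> int:
    """Gregorian calendar date -> JDN (Fliegel & Van Flandern algorithm)."""
    a = (14 - d.month) // 12          # 1 for Jan/Feb, else 0
    y = d.year + 4800 - a             # shift so the year starts in March
    m = d.month + 12 * a - 3          # March = 0 ... February = 11
    return (d.day + (153 * m + 2) // 5 + 365 * y
            + y // 4 - y // 100 + y // 400 - 32045)


def date_from_jdn(jdn: int) -> date:
    """JDN -> Gregorian date; useful for decoding a daterange: seen in a
    search-referrer log entry."""
    a = jdn + 32044
    b = (4 * a + 3) // 146097         # 400-year cycles
    c = a - 146097 * b // 4
    d = (4 * c + 3) // 1461           # 4-year cycles
    e = c - 1461 * d // 4
    m = (5 * e + 2) // 153            # month index, March = 0
    day = e - (153 * m + 2) // 5 + 1
    month = m + 3 - 12 * (m // 10)
    year = 100 * b + d - 4800 + m // 10
    return date(year, month, day)


def daterange_query(domain: str, start: date, end: date, extra: str = "") -> str:
    """Build 'site:<domain> daterange:<jdn>-<jdn> [extra]'.

    daterange: must always be a range, so a single day is given as the
    same JDN twice (daterange:2454833-2454833).
    """
    if end < start:
        raise ValueError("end date must not precede start date")
    query = f"site:{domain} daterange:{julian_day_number(start)}-{julian_day_number(end)}"
    return f"{query} {extra}".strip()


if __name__ == "__main__":
    # Constructed sample: pages from the placeholder domain indexed in Jan 2009.
    print(daterange_query("example.com", date(2009, 1, 1), date(2009, 1, 31), "filetype:xls"))
```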

Operators

  • ""
  • (|) / (OR v. or)
  • (-) (+)
  • (.) (*)
  • (..) / numrange
  • (~)

Google Hacking Database

  • Available remote desktop systems
  • Default web material
  • Indexable directories
  • UserIDs and passwords
  • Shell history
  • GHDB of "GoogleDorks" (http://johnny.ihackstuff.com)