Footprinting, scoping and recon with DNS, Google Hacking and Metadata (Hacking Illustrated Series InfoSec Tutorial Videos)
Footprinting, scoping and recon with DNS, Google Hacking and Metadata

Please note, a better version is now available here:
http://www.irongeek.com/i.php?page=videos/osint-cyberstalking-footprinting-recon


This class covers recon work, showing the student how a pen-tester/attacker can use public information to learn more about an organization before they compromise its security. Covered topics include DNS tools (like Whois, NSlookup/Dig, Nmap -sL), Google Hacking using advanced search terms, and Metadata in images and documents. Recorded for the Kentuckiana ISSA on March 21, 2009.

Download slides in PPTX and PDF from:
http://www.irongeek.com/downloads/recon-issa.pdf
http://www.irongeek.com/downloads/recon-issa.pptx


Streaming Flash:
(I had to upload it in 11 parts to keep the 720p quality, and put it in a playlist to have them play back to back. Let me know if it fails.)


Below is a text version of the slides to improve search ability:

Footprinting, scoping and recon with DNS, Google Hacking and Metadata
Adrian Crenshaw

About Adrian
*I run Irongeek.com
*I have an interest in InfoSec education
*I don't know everything - I'm just a geek with time on my hands

Class Structure
*Mile wide, 2.5 feet deep
*Feel free to ask questions at any time
*There will be many long breaks to play with the tools mentioned

So, what info is out there?
Other names:
*Scoping
*Footprinting
*Discovery
*Recon
*Cyberstalking

Subtopics
*DNS, Whois and Domain Tools
*Finding general Information about an organization via the web
*Anti-social networks
*Google Hacking
*Metadata
*Other odds and ends

Why?
For Pen-testers and attackers:
*Precursor to attack
*Social Engineering
*User names and passwords
*Web vulnerabilities
*Internal IT structure (software, servers, IP layout)
*Spearphishing
For everyone else:
*You want to keep attackers from finding this info and using it against you.

Dropping Docs
*All these techniques are legal
*Sorry if I "drop someone's docs" other than my own
*Please don't misuse this information

Backtrack 4 Prep
Enable the interface:
ifconfig eth0 up
Get an IP:
dhclient
Start up the GUI/WIMP:
startx

DNS, Whois and Domain Tools
Who-do the voodoo that you do so well

DNS
*Glue of the Internet
*Think of it as a phone book of sorts
*Maps names to IPs, and IPs to names (and other odds and ends)
*Organization information is also kept

Simple DNS Lookups
*Host name to IP lookup:
nslookup www.irongeek.com
*Reverse lookup:
nslookup 208.97.169.250

DNS Record Types
Just a few record types cribbed from:
http://en.wikipedia.org/wiki/List_of_DNS_record_types
A
AAAA
MX
CNAME
PTR
AXFR

Getting a list of host names
*Zone transfers
*Nmap -sL <some-IP-range>
*Serversniff
http://serversniff.net/subdomains.php

DIGing for data
dig irongeek.com any
dig @ns1.dreamhost.com irongeek.com any

Zone Transfer: Give me all your records!
Zone Transfer: NSLOOKUP
(Windows version)
C:\Documents and Settings\Adrian>nslookup
Default Server: resolver1.opendns.com
Address: 208.67.222.222

> set type=ns
> irongeek.com
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
irongeek.com nameserver = ns1.dreamhost.com
irongeek.com nameserver = ns2.dreamhost.com
irongeek.com nameserver = ns3.dreamhost.com
> server ns1.dreamhost.com
Default Server: ns1.dreamhost.com
Address: 66.33.206.206

> ls irongeek.com
[ns1.dreamhost.com]
*** Can't list domain irongeek.com: Query refused
> exit


Zone Transfer: Can you DIG it?
dig issa-kentuckiana.org ns
dig @dns3.doteasy.com issa-kentuckiana.org axfr
dig louisvilleinfosec.com ns
dig @dns3.doteasy.com louisvilleinfosec.com axfr
dig ugent.be ns
dig @ugdns1.ugent.be ugent.be axfr

Zone Transfer: Others
*ServerSniff:
http://serversniff.net/nsreport.php
http://serversniff.net/content.php?do=subdomains 
*Fierce
http://ha.ckers.org/fierce/
./fierce.pl -dns irongeek.com
*GUI Dig for Windows
http://nscan.org/dig.html 
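The nslookup and dig transcripts above show what a zone transfer request looks like from the client side: an AXFR query sent to an authoritative server, answered either with the whole zone or with "Query refused". The following Python script is an added example (not from the slides or any tool they mention) that does the same check against your own domains without dig: it builds the AXFR query in DNS wire format, sends it over TCP (zone transfers are TCP-only), and classifies the first reply by its RCODE. The domain and server names in the usage comment are placeholders; the response bytes used for offline testing are constructed.

```python
import socket
import struct

DNS_TYPE_AXFR = 252        # QTYPE for a full zone transfer
DNS_CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(domain, txid=0x1234):
    """12-byte header (RD set, one question) followed by QNAME / QTYPE=AXFR / QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", DNS_TYPE_AXFR, DNS_CLASS_IN)


def parse_header(msg):
    """Split the fixed DNS header into its fields (ID, QR bit, RCODE, section counts)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_axfr_response(msg, expected_id=0x1234):
    """'allowed' if the server started sending the zone, otherwise the RCODE name."""
    h = parse_header(msg)
    if h["id"] != expected_id or not h["qr"]:
        return "UNEXPECTED"
    if h["rcode"] != 0:
        return RCODE_NAMES.get(h["rcode"], "RCODE%d" % h["rcode"])
    return "allowed" if h["ancount"] > 0 else "EMPTY"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
    return buf


def check_axfr(domain, nameserver, timeout=5.0):
    """Ask one authoritative server for a zone transfer over TCP and classify its first reply."""
    query = build_axfr_query(domain)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        first_message = _recv_exact(sock, length)
    return classify_axfr_response(first_message)


if __name__ == "__main__":
    # Usage: python axfr_check.py example.test ns1.example.test   (placeholder names)
    import sys
    zone, server = sys.argv[1], sys.argv[2]
    print(zone, "via", server, "->", check_axfr(zone, server))
```

Run it once per authoritative server listed in your NS records, since each one is configured separately; anything other than REFUSED (or NOTAUTH) from a server that is not an explicitly allowed secondary is a misconfiguration to fix with an allow-transfer ACL.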

Nmap Demo
nmap -sL <some-IP-range>

Whois: Whooo, are you? Who-who-who-who.
*Great for troubleshooting, bad for privacy
*Who owns a domain name or IP
*E-mail contacts
*Physical addresses
*Name server
*IP ranges
*Who is by proxy?

Whois Demo
whois irongeek.com
whois 208.97.169.250

Whois Tools
**nix command line
*Nirsoft's
http://www.nirsoft.net/utils/whois_this_domain.html
http://www.nirsoft.net/utils/ipnetinfo.html
*Pretty much any network tools collection
*Windows Mobile:
http://www.cam.com/vxutil_pers.html
Whois and domain tools sites
*http://www.domaintools.com/
*http://samspade.org
*http://www.serversniff.net

Traceroute
(ok, not really a DNS tool, but I was too lazy to make another section)
*Windows (ICMP):
tracert irongeek.com
**nix (UDP by default, change with -I or -T):
traceroute irongeek.com
*Just for fun:
http://www.nabber.org/projects/geotrace/ 

Finding general Information about an organization via the web
So, you have a job posting for an Ethical Hacker huh?

Sites about the organization
*The organization's website (duh!)
*Wayback Machine
http://www.archive.org 
*Monster (and other job sites)
http://www.monster.com/ 
*Zoominfo
http://www.zoominfo.com/
*Google Groups (News groups, Google Groups and forums)
http://groups.google.com/ 
*Board reader
http://boardreader.com 
*LinkedIn
http://www.linkedin.com/ 

Anti-social networks
It's all about how this links to that links to some other thing.

Cyberstalking Sites
Useful:
*http://www.pipl.com
*http://www.peekyou.com 
*http://yoname.com 
Not quite related, but cool:
*http://tineye.com 
Crap:
*http://www.spock.com 
*http://wink.com 
*http://Rapleaf.com (not very useful anymore)

Tools
*Maltego
http://www.paterva.com/maltego/community-edition/
*Covers a large cross section of what this presentation is about.

Google Hacking
More than just turning off safe search (though that's fun too)
So, do you really know what's shared online about your organization?
*PII (Personally identifiable information)
*Email address
*User names
*Vulnerable web services
*Web based admin interfaces for hardware
*Much more....
*YOU HAVE TO USE YOUR IMAGINATION

Google Advanced Operators
site:
inurl:/allinurl:
intitle:/allintitle:
cache:
ext:/filetype:
info:
link:
inanchor:

More Operators
-
~
[#]..[#]
*
+
OR
|

Examples
*inurl:nph-proxy
*intitle:index.of.etc
*intitle:index.of site:irongeek.com
*filetype:pptx site:irongeek.com
*"vnc desktop" inurl:5800
*adrian crenshaw -site:irongeek.com

Examples
*SSN filetype:xls | filetype:xlsx
*"dig @* * axfr"
*inurl:admin
*inurl:indexFrame.shtml Axis
*inurl:hp/device/this.LCDispatcher
*"192.168.*.*" (but replace with your IP range)

Google Hacking DB
*http://johnny.ihackstuff.com/ghdb.php 

Google Hacking Tools
*Metagoofil
./metagoofil.py -d irongeek.com -l 1000 -f all -o output.html -t temp
*Online Google Hacking Tool
http://www.secapps.com/a/ghdb 
*Spiderfoot
http://www.binarypool.com/spiderfoot/
*Goolag
http://goolag.org 

More Google Hacking Tools
*Gooscan
Should be on BackTrack CD/VM
*Wikto
http://www.sensepost.com/research/wikto/ 
*SiteDigger
http://www.foundstone.com/us/resources/proddesc/sitedigger.htm 
*BiLE
http://www.sensepost.com/research_misc.html 
*MSNPawn
http://www.net-square.com/msnpawn/index.shtml 

Google SOAP API Proxies
*EvilAPI
http://evilapi.com/ (defunct?)
*Aura
http://www.sensepost.com/research/aura/ 

Metadata
Data about data

Pwned by Metadata
Examples of file types that contain metadata
*JPG
EXIF (Exchangeable image file format)
IPTC (International Press Telecommunications Council)
*PDF
*DOC
*DOCX
*EXE
*XLS
*XLSX
*PNG
*Too many to name them all.

Metadata Tools
*Strings
*Metagoofil
http://www.edge-security.com/metagoofil.php 
*EXIF Tool
http://www.sno.phy.queensu.ca/~phil/exiftool/ 
*EXIF Viewer Plugin
https://addons.mozilla.org/en-US/firefox/addon/3905 
*Jeffrey's Exif Viewer
http://regex.info/exif.cgi 
Metadata Tools
*EXIF Reader
http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
*Flickramio
http://userscripts.org/scripts/show/27101 
*Pauldotcom
http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search
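The tools listed above read the same structure: a JPEG is a chain of marker segments, and the EXIF data sits in an APP1 segment that wraps a little TIFF file whose first IFD holds tags such as Make, Model, Software and Artist. The Python script below is an added example, not from the slides or any listed tool, showing both halves of the problem: read_exif walks the segments and decodes the ASCII tags from IFD0 (the ones that name a camera, an editing program or a person), and strip_app1 produces the copy you would publish, with every APP1 segment removed and the picture data untouched. build_sample_jpeg constructs a structure-only test file (no real image data) so the example runs offline; the tag values in it are made up.

```python
import struct

# A few EXIF/TIFF tag ids (from the TIFF/EXIF specifications) that commonly reveal
# who made a file and with what.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x013B: "Artist", 0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}


def build_sample_jpeg(ascii_tags):
    """Construct a minimal JPEG (SOI + EXIF APP1 + EOI) carrying the given ASCII tags.

    Test scaffolding, not a real photo: no image data, only the segment structure a
    metadata reader walks. The TIFF block is little-endian ("II").
    """
    n = len(ascii_tags)
    ifd_offset = 8                                 # IFD0 starts right after the TIFF header
    data_start = ifd_offset + 2 + 12 * n + 4       # values longer than 4 bytes go after the IFD
    entries, blob = b"", b""
    for tag, text in sorted(ascii_tags.items()):
        value = text.encode("ascii") + b"\x00"    # ASCII type: NUL-terminated, count includes NUL
        if len(value) <= 4:
            entries += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            entries += struct.pack("<HHII", tag, 2, len(value), data_start + len(blob))
            blob += value
    tiff = (b"II*\x00" + struct.pack("<I", ifd_offset)
            + struct.pack("<H", n) + entries + struct.pack("<I", 0) + blob)
    body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body   # length field counts itself
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield (marker, offset, payload) for each marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI / SOS: all metadata segments come before here
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_ifd0(tiff):
    """Decode the first IFD of an EXIF TIFF block into {tag name: value}."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])
    tags = {}
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[off:off + 12])
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        if typ == 2:                                   # ASCII: inline if it fits in 4 bytes
            if n <= 4:
                data = raw[:n]
            else:
                (ptr,) = struct.unpack(endian + "I", raw)
                data = tiff[ptr:ptr + n]
            tags[name] = data.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4 and n == 1:                      # LONG, e.g. a sub-IFD pointer
            tags[name] = struct.unpack(endian + "I", raw)[0]
        else:
            tags[name] = "<type %d, count %d>" % (typ, n)
    return tags


def read_exif(jpeg):
    """Return IFD0 tags from the first EXIF APP1 segment, or {} if there is none."""
    for marker, _, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_ifd0(payload[6:])
    return {}


def strip_app1(jpeg):
    """Copy of the file with every APP1 segment (EXIF, XMP) removed; nothing else changes."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, offset, payload in iter_segments(jpeg):
        end = offset + 4 + len(payload)
        if marker != 0xE1:
            out += jpeg[offset:end]
        pos = end
    out += jpeg[pos:]          # SOS onward (image data and EOI) copied through untouched
    return bytes(out)
```

Only IFD0 is decoded here; the Exif and GPS sub-IFDs are reported as pointers, and a full reader would follow them (the GPS one is where location leaks live). The stripper does not need to understand any of that: dropping the whole APP1 segment removes the sub-IFDs along with it.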

Other odds and ends
Stuff that does not quite fit anywhere else

Mail Header Fun
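The "fun" in a mail header is the chain of Received lines: each relay prepends one, so reading them bottom-up reconstructs the path the message took, and the first hops are frequently on private addresses with internal hostnames. The Python script below is an added example (not from the slides) that pulls that out of a message with the standard library: parse_received lists the hops in chronological order, internal_addresses picks out any RFC 1918 addresses that escaped in the headers, and client_fingerprint collects the sender-side details (X-Mailer, Message-ID host, originating host) that tell an outsider which software and machines you run. SAMPLE_MESSAGE is constructed for the example, with made-up hosts on the reserved .test domain.

```python
import email
import ipaddress
import re

# Constructed sample, not a real message: three Received hops plus two
# client-identifying headers. Hostnames use the reserved .test TLD.
SAMPLE_MESSAGE = """\
Received: from mx.example-isp.test (mx.example-isp.test [203.0.113.10])
\tby inbound.example.test with ESMTP id abc123
\tfor <adrian@example.test>; Sat, 21 Mar 2009 10:05:12 -0400
Received: from corpmail01.corp.example.test (unknown [10.20.30.40])
\tby mx.example-isp.test with ESMTPS id def456;
\tSat, 21 Mar 2009 10:05:10 -0400
Received: from [192.168.1.55] (helo=LAPTOP-JDOE)
\tby corpmail01.corp.example.test with esmtpa id ghi789;
\tSat, 21 Mar 2009 10:05:08 -0400
From: John Doe <jdoe@example.test>
To: adrian@example.test
Subject: test
X-Mailer: Hypothetical Mailer 3.1
Message-ID: <20090321140508.1234@corpmail01.corp.example.test>

Hello.
"""

# RFC 1918 ranges only; ipaddress.is_private would also flag documentation nets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(raw):
    """Return the Received hops oldest-first, each as {'from', 'by', 'ips'}."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()     # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "ips": IPV4_RE.findall(flat)})
    hops.reverse()                                    # headers are prepended, so reverse = chronological
    return hops


def internal_addresses(raw):
    """RFC 1918 addresses that leaked into the Received chain, oldest hop first, de-duplicated."""
    seen = []
    for hop in parse_received(raw):
        for ip in hop["ips"]:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in RFC1918) and ip not in seen:
                seen.append(ip)
    return seen


def client_fingerprint(raw):
    """Sender-side details an outsider can read straight off the headers."""
    msg = email.message_from_string(raw)
    out = {}
    if msg["X-Mailer"]:
        out["mailer"] = msg["X-Mailer"].strip()
    m = re.search(r"@([^>\s]+)", msg["Message-ID"] or "")
    if m:
        out["message_id_host"] = m.group(1)
    hops = parse_received(raw)
    if hops:
        out["origin"] = hops[0]["from"]
    return out


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MESSAGE
    for i, hop in enumerate(parse_received(raw)):
        print("hop %d: %s -> %s  %s" % (i, hop["from"], hop["by"], ", ".join(hop["ips"])))
    print("internal addresses:", internal_addresses(raw))
    print("client fingerprint:", client_fingerprint(raw))
```

Run it over a message you sent to an outside address and see what your own mail system announces; the usual fixes are having the edge MTA rewrite or drop the Received line for the submitting client and suppressing X-Mailer and similar client headers.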

Robots.txt
User-agent: *
Disallow: /private
Disallow: /secret

IGiGLE and WiGLE

More Links
*Recon Sites and Tools
http://www.binrev.com/forums/index.php?showtopic=40526 
*Pauldotcom
http://mail.pauldotcom.com/pipermail/pauldotcom/2009-March/000960.html 
*VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html 

Events
*Free ISSA classes
*ISSA Meeting
http://issa-kentuckiana.org/ 
*Louisville Infosec
http://www.louisvilleinfosec.com/ 
*Phreaknic/Notacon/Outerz0ne
http://phreaknic.info 
http://notacon.org/
http://www.outerz0ne.org/ 

Thanks
*Brian
http://www.pocodoy.com/blog/ 
*Kelly for getting us the room and organizing things
*Jonathan Cran
http://hexesec.wordpress.com/
http://www.0x0e.net/ghg/ 
*Folks at Binrev and Pauldotcom
*Louisville ISSA
*Russ McRee
http://holisticinfosec.org 
*iamnowonmai for helping me "zone out"
*Larry "metadata" Pesce
http://pauldotcom.com 
*John for the extra camera

Questions?
42

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek