Footprinting, scoping and recon with DNS, Google Hacking and Metadata
Adrian Crenshaw
About Adrian
*I run Irongeek.com
*I have an interest in InfoSec education
*I don't know everything - I'm just a geek with time on my hands
Class Structure
*Mile wide, 2.5 feet deep
*Feel free to ask questions at any time
*There will be many long breaks to play with the tools mentioned
So, what info is out there?
Other names:
*Scoping
*Footprinting
*Discovery
*Recon
*Cyberstalking
Subtopics
*DNS, Whois and Domain Tools
*Finding general Information about an organization via the web
*Anti-social networks
*Google Hacking
*Metadata
*Other odds and ends
Why?
For Pen-testers and attackers:
*Precursor to attack
*Social Engineering
*User names and passwords
*Web vulnerabilities
*Internal IT structure (software, servers, IP layout)
*Spearphishing
For everyone else:
*You want to keep attackers from finding this info and using it against you.
Dropping Docs
*All these techniques are legal
*Sorry if I "drop someone's docs" other than my own
*Please don't misuse this information
Backtrack 4 Prep
Enable the interface:
ifconfig eth0 up
Get an IP:
dhclient
Start up the GUI/WIMP:
startx
DNS, Whois and Domain Tools
Who-do the voodoo that you do so well
DNS
*Glue of the Internet
*Think of it as a phone book of sorts
*Maps names to IPs, and IPs to names (and other odds and ends)
*Organization information is also kept
Simple DNS Lookups
*Host name to IP lookup:
nslookup www.irongeek.com
*Reverse lookup:
nslookup 208.97.169.250
DNS Record Types
Just a few record types cribbed from:
http://en.wikipedia.org/wiki/List_of_DNS_record_types
A
AAAA
MX
CNAME
PTR
AXFR
Getting a list of host names
*Zonetransfers
*Nmap -sL <some-IP-range>
*Serversniff
http://serversniff.net/subdomains.php
DIGing for data
dig irongeek.com any
dig @ns1.dreamhost.com irongeek.com any
Zone Transfer: Give me all your records!
Zone Transfer: NSLOOKUP
(Windows version)
C:\Documents and Settings\Adrian>nslookup
Default Server: resolver1.opendns.com
Address: 208.67.222.222
> set type=ns
> irongeek.com
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
irongeek.com nameserver = ns1.dreamhost.com
irongeek.com nameserver = ns2.dreamhost.com
irongeek.com nameserver = ns3.dreamhost.com
> server ns1.dreamhost.com
Default Server: ns1.dreamhost.com
Address: 66.33.206.206
> ls irongeek.com
[ns1.dreamhost.com]
*** Can't list domain irongeek.com: Query refused
> exit
Zone Transfer: Can you DIG it?
dig issa-kentuckiana.org ns
dig @dns3.doteasy.com issa-kentuckiana.org axfr
dig louisvilleinfosec.com ns
dig @dns3.doteasy.com louisvilleinfosec.com axfr
dig ugent.be ns
dig @ugdns1.ugent.be ugent.be axfr
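An added defender's check, not part of the slides: a Python script that parses the output of the `dig @server zone axfr` commands above, decides whether the transfer actually succeeded (a complete AXFR is bracketed by the zone's SOA record at both ends, while a refusal prints "; Transfer failed."), and summarises what the zone would hand to a stranger: record type counts, every hostname, and any RFC1918 addresses. The dig output is constructed for example.com, not captured from any real nameserver.

```python
import ipaddress
import re
import subprocess
from collections import Counter

# Constructed sample of what `dig @ns zone axfr` prints when the server
# hands over the zone (not captured from any real nameserver).
SAMPLE_OPEN = """\
; <<>> DiG 9.11.3 <<>> @ns1.example.com example.com axfr
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2009031701 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
www.example.com.\t3600\tIN\tA\t192.0.2.10
mail.example.com.\t3600\tIN\tAAAA\t2001:db8::25
intranet.example.com.\t3600\tIN\tA\t10.0.0.5
webmail.example.com.\t3600\tIN\tCNAME\tmail.example.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2009031701 7200 3600 1209600 3600
;; XFR size: 8 records (messages 1, bytes 260)
"""
# Constructed sample of the refusal dig prints when AXFR is not allowed.
SAMPLE_REFUSED = "; <<>> DiG 9.11.3 <<>> @ns1.example.com example.com axfr\n; Transfer failed.\n"

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+([A-Z]+)\s+(.*)$")  # name ttl IN type rdata
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_axfr(text):
    """Return (transferred, [(name, type, rdata), ...]) from dig's axfr output."""
    records = [m.groups() for m in map(RR.match, text.splitlines()) if m]
    # A complete transfer is bracketed by the zone's SOA record at both ends.
    ok = len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"
    return ok, records

def exposure_report(text):
    """Summarise what a stranger learns if the transfer succeeds."""
    ok, records = parse_axfr(text)
    report = {"transferable": ok, "counts": Counter(t for _, t, _ in records),
              "hosts": [], "private_ips": []}
    if ok:
        report["hosts"] = sorted({n.rstrip(".") for n, t, _ in records if t in ("A", "AAAA", "CNAME")})
        report["private_ips"] = [d for _, t, d in records
                                 if t == "A" and any(ipaddress.ip_address(d) in net for net in RFC1918)]
    return report

def check_own_zone(nameserver, zone):
    """Run the same dig query the slides use against your own authoritative server."""
    out = subprocess.run(["dig", f"@{nameserver}", zone, "axfr"], capture_output=True, text=True).stdout
    return exposure_report(out)
```

Run `check_own_zone("ns1.yourdomain.example", "yourdomain.example")` from an address outside your network; if `transferable` comes back True, restrict AXFR to your secondaries (allow-transfer / TSIG) on the authoritative server.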
Zone Transfer: Others
*ServerSniff:
http://serversniff.net/nsreport.php
http://serversniff.net/content.php?do=subdomains
*Fierce
http://ha.ckers.org/fierce/
./fierce.pl -dns irongeek.com
*GUI Dig for Windows
http://nscan.org/dig.html
Nmap Demo
nmap -sL <some-IP-range>
Whois: Whooo, are you? Who-who-who-who.
*Great for troubleshooting, bad for privacy
*Who owns a domain name or IP
*E-mail contacts
*Physical addresses
*Name server
*IP ranges
*Who is by proxy?
Whois Demo
whois irongeek.com
whois 208.97.169.250
Whois Tools
*nix Command line
Nirsoft's
http://www.nirsoft.net/utils/whois_this_domain.html
http://www.nirsoft.net/utils/ipnetinfo.html
Pretty much any network tools collection
Windows Mobile:
http://www.cam.com/vxutil_pers.html
Whois and domain tools sites
*http://www.domaintools.com/
*http://samspade.org
*http://www.serversniff.net
Traceroute
(ok, not really a DNS tool, but I was too lazy to make another section)
*Windows (ICMP):
tracert irongeek.com
* *nix (UDP by default, change with -I or -T):
traceroute irongeek.com
*Just for fun:
http://www.nabber.org/projects/geotrace/
Finding general Information about an organization via the web
So, you have a job posting for an Ethical Hacker huh?
Sites about the organization
*The organization's website (duh!)
*Wayback Machine
http://www.archive.org
*Monster (and other job sites)
http://www.monster.com/
*Zoominfo
http://www.zoominfo.com/
*Google Groups (News groups, Google Groups and forums)
http://groups.google.com/
*Board reader
http://boardreader.com
*LinkedIn
http://www.linkedin.com/
Anti-social networks
It's all about how this links to that links to some other thing.
Cyberstalking Sites
Useful:
*http://www.pipl.com
*http://www.peekyou.com
*http://yoname.com
Not quite related, but cool:
*http://tineye.com
Crap:
*http://www.spock.com
*http://wink.com
*http://Rapleaf.com (not very useful anymore)
Tools
*Maltego
http://www.paterva.com/maltego/community-edition/
*Covers a large cross section of what this presentation is about.
Google Hacking
More than just turning off safe search (though that's fun too)
So, do you really know what's shared online about your organization?
*PII (Personally identifiable information)
*Email address
*User names
*Vulnerable web services
*Web based admin interfaces for hardware
*Much more....
*YOU HAVE TO USE YOUR IMAGINATION
Google Advanced Operators
site:
inurl:/allinurl:
intitle:/allintitle:
cache:
ext:/filetype:
info:
link:
inanchor:
More Operators
-
~
[#]..[#]
*
+
OR
|
Examples
*inurl:nph-proxy
*intitle:index.of.etc
*intitle:index.of site:irongeek.com
*filetype:pptx site:irongeek.com
*"vnc desktop" inurl:5800
*adrian crenshaw -site:irongeek.com
Examples
*SSN filetype:xls | filetype:xlsx
*"dig @* * axfr"
*inurl:admin
*inurl:indexFrame.shtml Axis
*inurl:hp/device/this.LCDispatcher
*"192.168.*.*" (but replace with your IP range)
Google Hacking DB
*http://johnny.ihackstuff.com/ghdb.php
Google Hacking Tools
*Metagoofil
./metagoofil.py -d irongeek.com -l 1000 -f all -o output.html -t temp
*Online Google Hacking Tool
http://www.secapps.com/a/ghdb
*Spiderfoot
http://www.binarypool.com/spiderfoot/
*Goolag
http://goolag.org
More Google Hacking Tools
*Gooscan
Should be on BackTrack CD/VM
*Wikto
http://www.sensepost.com/research/wikto/
*SiteDigger
http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
*BiLE
http://www.sensepost.com/research_misc.html
*MSNPawn
http://www.net-square.com/msnpawn/index.shtml
Google SOAP API Proxies
*EvilAPI
http://evilapi.com/ (defunct?)
*Aura
http://www.sensepost.com/research/aura/
Metadata
Data about data
Pwned by Metadata
Examples of file types that contain metadata
*JPG
EXIF (Exchangeable image file format)
IPTC (International Press Telecommunications Council)
*PDF
*DOC
*DOCX
*EXE
*XLS
*XLSX
*PNG
*Too many to name them all.
Metadata Tools
*Strings
*Metagoofil
http://www.edge-security.com/metagoofil.php
*EXIF Tool
http://www.sno.phy.queensu.ca/~phil/exiftool/
*EXIF Viewer Plugin
https://addons.mozilla.org/en-US/firefox/addon/3905
*Jeffrey's Exif Viewer
http://regex.info/exif.cgi
Metadata Tools
*EXIF Reader
http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
*Flickramio
http://userscripts.org/scripts/show/27101
*Pauldotcom
http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search
Other odds and ends
Stuff that does not quite fit anywhere else
Mail Header Fun
Robots.txt
User-agent: *
Disallow: /private
Disallow: /secret
IGiGLE and WiGLE
More Links
*Recon Sites and Tools
http://www.binrev.com/forums/index.php?showtopic=40526
*Pauldotcom
http://mail.pauldotcom.com/pipermail/pauldotcom/2009-March/000960.html
*VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
Events
*Free ISSA classes
*ISSA Meeting
http://issa-kentuckiana.org/
*Louisville Infosec
http://www.louisvilleinfosec.com/
*Phreaknic/Notacon/Outerz0ne
http://phreaknic.info
http://notacon.org/
http://www.outerz0ne.org/
Thanks
*Brian
http://www.pocodoy.com/blog/
*Kelly for getting us the room and organizing things
*Jonathan Cran
http://hexesec.wordpress.com/
http://www.0x0e.net/ghg/
*Folks at Binrev and Pauldotcom
*Louisville ISSA
*Russ McRee
http://holisticinfosec.org
*iamnowonmai for helping me "zone out"
*Larry "metadata" Pesce
http://pauldotcom.com
*John for the extra camera
Questions?