PaulDotCom mailing list archives

Recon tools


From: jcran at 0x0e.org (Jonathan Cran)
Date: Tue, 10 Mar 2009 12:43:33 -0700

Check out spoke.com for something similar to Rapleaf. Here are my
"basic" recon notes. - jcran

Netblocks / IP Ranges

http://www.arin.net/ 

*       whois -h ws.arin.net 
*       All ips discovered in later parts of recon should be fed back to
the ranges already gathered (and if you have an ip that doesn't fit in
one of the already-discovered ranges, determine its range using ARIN,
and add it to the list) 

Domains / DNS

*       whois 

*         whois -h ws.arin.net $COMPANY

*         whois -h whois.ripe.net $COMPANY

*         whois -h whois.apnic.net $COMPANY

*         whois -h whois.lacnic.net $COMPANY

*         whois -h whois.afrinic.net $COMPANY

*       Fierce 

        *       Forward DNS lookup (Zone Transfer + Brute Force DNS) 

                *       fierce -dns $DOMAIN -wordlist hosts.list

        *       Reverse DNS lookup (given a range) 

                *       fierce -dnsserver $DNSSERVER -range $IPRANGE

*       DNS Enum 
*       dmitry 
*       ip-geolocation.pl 

Application Information

*       Browse the site / site map 
*       Use Fierce to brute force interesting hostnames
*       Look for interesting hostnames such as citrix,app,ERP,CRM,etc 

Network Information

*       firewalk 
*       scapy 

        *       scapy-tracenet.py 

                *       Generates graph-viz graphs of each node on the
network. very handy for visualizing the devices / network. 

*       Halberd 

        *       Halberd discovers HTTP load balancers. It is useful for
web application security auditing and for load balancer configuration
testing. 

*       LBD 

        *       Load Balancer Detection: 

                *       lbd-0.1.sh $DOMAIN

*       traceroute 
*       ping

User Enumeration

*       Spoke <http://www.spoke.com>  

        *       Log in 
        *       Search for the company 

                *       Get a list of the current employees 

        *       In the browser window, type: 

                *       javascript:window.personListNames

*       lead411.com 
*       Hoovers 
*       Jigsaw 
*       Facebook 
*       goog-mail.py 

Search Engine / Relationship analysis Tool

*       SEAT 
*       BidiBlah (Sensepost) 
*       Goolag 
*       Maltego 

Web Sites

*       GoogleHack Generator <http://www.0x0e.net/ghg>  
*       Netcraft <http://www.netcraft.com>  
*       Internet Archive <http://www.archive.org>  
*       Windows Live Search (ip search) <http://www.live.com>  
*       XSSed <http://www.xssed.com>  - Look for the company / partners
/ other exploitable vectors for 

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian
Crenshaw
Sent: Tuesday, March 10, 2009 1:49 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Recon tools

 

Hi All,
      What are some good sites for doing recon on an organization via
DNS tools/Google/Metadata etc? I'm doing a class shortly on it, and
wanted some suggestions on things to show off besides Maltego.

Anyone know a good replacement for http://www.rapleaf.com
<http://www.rapleaf.com/>  ? It used to be good, but now is useless with
the current TOS.

I'll start the list:
Tools:
Metagoofil:
http://www.edge-security.com/metagoofil.php

Maltego: 
http://www.paterva.com/maltego/community-edition/

Sites:
http://regex.info/exif.cgi
http://tineye.com/
http://www.domaintools.com/

You really need to check out Tineye, I found out about it on
Cyberspeakers.  

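The loop jcran's notes describe under "Netblocks / IP Ranges" and "Domains / DNS" (brute-force hostnames, reverse-sweep each known range, then feed every discovered IP back into the range list and flag anything that falls outside a known block for an ARIN/RIR whois lookup) as a small Python 3 script. This is an added example, not code from the thread or from Fierce; the hostnames, addresses and the FAKE_* resolver tables are constructed (RFC 2606 / RFC 5737 documentation values) so it runs offline, and the live_* functions that use the OS resolver are what you would swap in on a real engagement.

```python
# Added example (not from the mailing-list post): recon bookkeeping around
# DNS brute force and reverse sweeps, feeding discovered IPs back into the
# netblock list. All names and addresses are constructed documentation
# values; nothing here touches a real target unless you use live_forward /
# live_reverse instead of the fake resolvers.
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]


def live_forward(name: str) -> Optional[str]:
    """A lookup through the OS resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed stand-in for a target's zone (hypothetical data).
FAKE_FORWARD: Dict[str, str] = {
    "www.example.com": "192.0.2.10",
    "citrix.example.com": "192.0.2.12",
    "app.example.com": "198.51.100.5",   # hosted outside every known netblock
    "erp.example.com": "192.0.2.200",    # same /24, but outside the known /28
}
FAKE_REVERSE: Dict[str, str] = {
    "192.0.2.10": "www.example.com",
    "192.0.2.12": "citrix.example.com",
    "192.0.2.14": "mail.example.com",    # only found by the reverse sweep
}


def fake_forward(name: str) -> Optional[str]:
    return FAKE_FORWARD.get(name)


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_REVERSE.get(ip)


def brute_force_hosts(domain: str, wordlist: Iterable[str],
                      resolve: Resolver = live_forward) -> Dict[str, str]:
    """Try <word>.<domain> for each word in the list; return name -> IP for hits."""
    hits: Dict[str, str] = {}
    for word in wordlist:
        name = f"{word.strip().lower()}.{domain}"
        ip = resolve(name)
        if ip:
            hits[name] = ip
    return hits


def reverse_sweep(cidr: str, reverse: Resolver = live_reverse) -> Dict[str, str]:
    """PTR-query every host address in a netblock; return IP -> name for hits."""
    hits: Dict[str, str] = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        name = reverse(str(host))
        if name:
            hits[str(host)] = name
    return hits


def unassigned_ips(ips: Iterable[str], netblocks: Iterable[str]) -> List[str]:
    """IPs inside none of the known netblocks: these need a whois lookup."""
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    stray = {ip for ip in ips
             if not any(ipaddress.ip_address(ip) in n for n in nets)}
    return sorted(stray, key=ipaddress.ip_address)


def add_netblock(netblocks: Iterable[str], cidr: str) -> List[str]:
    """Add a range learned from whois, collapsing adjacent/overlapping blocks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    nets.append(ipaddress.ip_network(cidr, strict=False))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def recon_pass(domain: str, wordlist: Iterable[str], netblocks: List[str],
               resolve: Resolver = live_forward,
               reverse: Resolver = live_reverse) -> Dict[str, object]:
    """One iteration: brute force, sweep each known block, feed IPs back."""
    hosts = brute_force_hosts(domain, wordlist, resolve)
    for block in netblocks:
        for ip, name in reverse_sweep(block, reverse).items():
            hosts.setdefault(name, ip)
    ips = sorted(set(hosts.values()), key=ipaddress.ip_address)
    return {"hosts": hosts, "ips": ips,
            "needs_lookup": unassigned_ips(ips, netblocks)}


if __name__ == "__main__":
    result = recon_pass("example.com", ["www", "citrix", "app", "erp", "crm"],
                        ["192.0.2.0/28"], fake_forward, fake_reverse)
    for name, ip in sorted(result["hosts"].items()):
        print(f"{name:25} {ip}")
    print("look up in ARIN/RIR whois:", result["needs_lookup"])
```

Fierce already does the forward brute force and the reverse range sweep; what this adds is the bookkeeping step from the notes, so that after each pass you have a list of addresses that no known range explains. Once whois gives you the block for one of them, add_netblock() merges it into the range list (two adjacent /28s collapse to a /27) and the next recon_pass() sweeps the larger block. The live resolvers query whatever the OS is configured to use; Fierce's -dnsserver option lets you pick the target's own name server instead, which is usually what you want for the sweep.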