PaulDotCom mailing list archives
Recon tools
From: jcran at 0x0e.org (Jonathan Cran)
Date: Tue, 10 Mar 2009 12:43:33 -0700
Check out spoke.com for something similar to rapleaf. Here are my "basic" recon notes.

- jcran

Netblocks / IP Ranges
http://www.arin.net/
* whois -h ws.arin.net
* All IPs discovered in later parts of recon should be fed back to the ranges already gathered (and if you have an IP that doesn't fit in one of the already-discovered ranges, determine its range using ARIN, and add it to the list)

Domains / DNS
* whois
* whois -h ws.arin.net $COMPANY
* whois -h whois.ripe.net $COMPANY
* whois -h whois.apnic.net $COMPANY
* whois -h whois.lacnic.net $COMPANY
* whois -h whois.afrinic.net $COMPANY
* Fierce
* Forward DNS lookup (Zone Transfer + Brute Force DNS)
  o fierce -dns $DOMAIN -wordlist hosts.list
* Reverse DNS lookup (given a range)
  o fierce -dnsserver $DNSSERVER -range $IPRANGE
* DNS Enum
* dmitry
* ip-geolocation.pl

Application Information
* Browse the site / site map
* Use Fierce to brute force interesting hostnames
* Look for interesting hostnames such as citrix, app, ERP, CRM, etc.

Network Information
* firewalk
* scapy
* scapy-tracenet.py
  o Generates graph-viz graphs of each node on the network. Very handy for visualizing the devices / network.
* Halberd
  o Halberd discovers HTTP load balancers. It is useful for web application security auditing and for load balancer configuration testing.
* LBD
  o Load Balancer Detection: lbd-0.1.sh $DOMAIN
* traceroute
* ping

User Enumeration
* Spoke <http://www.spoke.com>
  o Log in
  o Search for the company
  o Get a list of the current employees
  o In the browser window, type: javascript:window.personListNames
* lead411.com
* Hoovers
* Jigsaw
* Facebook
* goog-mail.py

Search Engine / Relationship analysis Tool
* SEAT
* BidiBlah (Sensepost)
* Goolag
* Maltego

Web Sites
* GoogleHack Generator <http://www.0x0e.net/ghg>
* Netcraft <http://www.netcraft.com>
* Internet Archive <http://www.archive.org>
* Windows Live Search (ip search) <http://www.live.com>
* XSSed <http://www.xssed.com> - Look for the company / partners / other exploitable vectors for

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Tuesday, March 10, 2009 1:49 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Recon tools

Hi All,

What are some good sites for doing recon on an organization via DNS tools/Google/Metadata etc? I'm doing a class shortly on it, and wanted some suggestions on things to show off besides Maltego. Anyone know a good replacement for http://www.rapleaf.com <http://www.rapleaf.com/> ? It used to be good, but now is useless with the current TOS.

I'll start the list:

Tools:
Metagoofil: http://www.edge-security.com/metagoofil.php
Maltego: http://www.paterva.com/maltego/community-edition/

Sites:
http://regex.info/exif.cgi
http://tineye.com/
http://www.domaintools.com/

You really need to check out Tineye, I found out about it on Cyberspeakers.
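The "Netblocks / IP Ranges" step in Jonathan's notes (feed every IP found later in recon back into the gathered ranges, and look up the range of any IP that does not fit) is bookkeeping that is easy to get wrong by hand once the host list grows. The script below is an added example, not code from the original post or from any of the tools it lists: it takes the netblocks gathered so far plus a batch of hostname/IP pairs such as a DNS brute force would produce, splits them into in-scope hosts and unexplained IPs that still need a whois lookup, and merges newly learned netblocks into the scope list. The example.com hostnames, the addresses and the netblocks are constructed sample data (RFC 5737 documentation space), not a real target.

```python
"""Feed discovered IPs back into the gathered netblock list (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample scope: ranges "already gathered" from the RIR lookups.
KNOWN_NETBLOCKS = [
    "192.0.2.0/24",
    "198.51.100.0/25",
]

# Constructed sample of hostname/IP pairs as a DNS brute force might return them.
DISCOVERED_HOSTS = [
    ("www.example.com", "192.0.2.10"),
    ("citrix.example.com", "192.0.2.44"),
    ("mail.example.com", "198.51.100.9"),
    ("erp.example.com", "198.51.100.200"),   # outside the /25 gathered so far
    ("crm.example.com", "203.0.113.7"),      # range not gathered at all
    ("crm2.example.com", "203.0.113.8"),
    ("app.example.com", "198.51.100.200"),   # same IP as erp: look it up once
    ("bogus.example.com", "not-an-ip"),      # malformed line, must be skipped
]


def parse_netblocks(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings into network objects, dropping malformed entries."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue
    return nets


def triage(known_cidrs: Iterable[str], discovered: Iterable[Tuple[str, str]]):
    """Split discovered hosts into in-scope and unexplained.

    Returns (in_scope, unexplained, skipped):
      in_scope    - (hostname, ip, matching_cidr) for hosts inside a known range
      unexplained - sorted, de-duplicated IPs covered by no known range; each
                    still needs a whois lookup to find the netblock it sits in
      skipped     - hostnames whose IP did not parse
    """
    nets = parse_netblocks(known_cidrs)
    in_scope, unexplained, skipped = [], set(), []
    for host, ip_str in discovered:
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            skipped.append(host)
            continue
        match = next((n for n in nets if ip in n), None)
        if match is not None:
            in_scope.append((host, str(ip), str(match)))
        else:
            unexplained.add(ip)
    return in_scope, [str(ip) for ip in sorted(unexplained)], skipped


def add_netblocks(known_cidrs: Iterable[str], new_cidrs: Iterable[str]) -> List[str]:
    """Merge ranges learned from whois into the scope list.

    Overlapping and adjacent blocks are collapsed so the list stays minimal
    (two adjacent /25s become one /24, a /25 inside a known /24 disappears).
    """
    nets = parse_netblocks(known_cidrs) + parse_netblocks(new_cidrs)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in sorted(v4)] + [str(n) for n in sorted(v6)]


if __name__ == "__main__":
    in_scope, unexplained, skipped = triage(KNOWN_NETBLOCKS, DISCOVERED_HOSTS)
    for host, ip, cidr in in_scope:
        print(f"in scope   {host:24} {ip:16} ({cidr})")
    for ip in unexplained:
        print(f"LOOK UP    {ip:16} -> whois this IP and add its netblock")
    for host in skipped:
        print(f"skipped    {host} (unparseable address)")
    # After the whois lookups, fold the answers back into the scope list.
    print(add_netblocks(KNOWN_NETBLOCKS, ["198.51.100.128/25", "203.0.113.0/24"]))
```

Run it once per recon pass: every IP it prints under LOOK UP gets the whois treatment from the notes, and the netblocks those lookups return go into `add_netblocks` so the next pass has a larger scope and fewer unexplained addresses.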
Current thread:
- Recon tools Adrian Crenshaw (Mar 10)
- Recon tools Raffi Jamgotchian (Mar 10)
- Recon tools Adrian Crenshaw (Mar 10)
- Recon tools Robin Wood (Mar 10)
- Recon tools James Costello (Mar 10)
- Recon tools Daniel [Virturity.com] (Mar 10)
- Recon tools Adrian Crenshaw (Mar 10)
- Recon tools Raffi Jamgotchian (Mar 10)
- Recon tools Jonathan Cran (Mar 10)
- Recon tools PJ McGarvey (Mar 10)