PaulDotCom mailing list archives

Recon tools


From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Tue, 10 Mar 2009 16:52:04 -0400


Awesome list.

Pipl.com is another user enumeration tool, relatively new I think.

-PJ


Date: Tue, 10 Mar 2009 12:43:33 -0700
From: jcran at 0x0e.org
To: pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] Recon tools

Check out spoke.com for something similar to rapleaf. Here's my "basic" recon notes - jcran

Netblocks / IP Ranges

http://www.arin.net/

whois -h ws.arin.net
All IPs discovered in later parts of recon should be fed back to the ranges already gathered (and if you have an IP that doesn't fit in one of the already-discovered ranges, determine its range using ARIN, and add it to the list)

Domains / DNS

whois
•    whois -h ws.arin.net $COMPANY
•    whois -h whois.ripe.net $COMPANY
•    whois -h whois.apnic.net $COMPANY
•    whois -h whois.lacnic.net $COMPANY
•    whois -h whois.afrinic.net $COMPANY

Fierce

Forward DNS lookup (Zone Transfer + Brute Force DNS)
o    fierce -dns $DOMAIN -wordlist hosts.list

Reverse DNS lookup (given a range)
o    fierce -dnsserver $DNSSERVER -range $IPRANGE

DNS Enum
dmitry
ip-geolocation.pl

Application Information

Browse the site / site map
Use Fierce to brute force interesting hostnames
Look for interesting hostnames such as citrix, app, ERP, CRM, etc.

Network Information

firewalk
scapy

scapy-tracenet.py

Generates Graphviz graphs of each node on the network. Very handy for visualizing the devices / network.

Halberd

Halberd discovers HTTP load balancers. It is useful for web application security auditing and for load balancer configuration testing.

LBD

Load Balancer Detection:
o    lbd-0.1.sh $DOMAIN

traceroute
ping

User Enumeration

Spoke

Log in
Search for the company
Get a list of the current employees
In the browser window, type:
o    javascript:window.personListNames

lead411.com
Hoovers
Jigsaw
Facebook
goog-mail.py

Search Engine / Relationship analysis Tool

SEAT
BidiBlah (Sensepost)
Goolag
Maltego

Web Sites

GoogleHack Generator
Netcraft
Internet Archive
Windows Live Search (ip search)
XSSed - Look for the company / partners / other exploitable vectors for

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Tuesday, March 10, 2009 1:49 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Recon tools

Hi All,
      What are some good sites for doing recon on an organization via DNS tools/Google/Metadata etc? I'm doing a class shortly on it, and wanted some suggestions on things to show off besides Maltego.

Anyone know a good replacement for http://www.rapleaf.com ? It used to be good, but now is useless with the current TOS.

I'll start the list:
Tools:
Metagoofil:
http://www.edge-security.com/metagoofil.php

Maltego: 
http://www.paterva.com/maltego/community-edition/

Sites:
http://regex.info/exif.cgi
http://tineye.com/
http://www.domaintools.com/

You really need to check out Tineye, I found out about it on Cyberspeakers.