Penetration Testing mailing list archives
Re: Several Domains
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Fri, 12 Dec 2008 10:05:33 +0000
Ahmed Zaki wrote:
> Thanks for your reply. Apparently it's my fault; I should have made my question clearer. Your target is Company X. The IP of the mail server turned out to be xxx.xxx.xxx.xxx, and that, when used to do a reverse DNS lookup, gave mail.companyx.com, mail.companyx-fs.com, mail.companyx.com.fs, mail.companyxfs.com. As a pentester, how would you go about identifying the actual domain name that is being used internally?
You wouldn't. The implication there is that there are multiple "PTR" type domain records (there aren't supposed to be, though) which may or may not match any forward (A) records you might know about or want, and may or may not contain internal DNS names (if I set it up, they wouldn't; it's trivial to have your internal DNS serve a different domain view than the external DNS, even if they are the same instance of named on the same machine...). The other consideration is that, almost certainly, the mail server will be NATted; this would imply that the LAN (real) IP differs from the internet (NAT) IP, and hence DNS records would be wildly different inside or outside the firewall.
> I am not asking for networking FACTS here; I am rather asking the pentesters out there about their past experiences, thus I identify myself as a noob.
Walking forward and backward DNS is an important part of passive recon; you should also try IP addresses that appear to be in the same IP "block" as visible addresses, try googling for the domain and/or IP, and look at the domain registrations. If you can find emails or newsgroup postings from that host, you should be able to examine the headers of the email/posting for information regarding the chain of hosts passed through; you can also examine any emails you got from your site contact similarly (note you should not use Outlook for this - the best tool in a Windows environment tends to be Outlook Express (!) - use IMAP if you have an Exchange solution, and either use Ctrl-F3 on the message (view source) or drag-drop the message out of your inbox to your desktop, then use the text editor of your choice (Notepad?)).
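The two techniques in the reply above, walking forward/reverse DNS around a known address and mining the Received: chain of an e-mail for host names that never appear in public DNS, as an added example that is not part of the original post. The companyx names, the 203.0.113.0/24 block (RFC 5737 documentation space) and the sample message are constructed for the demo; the socket-based resolvers do live lookups and are only used if you pass them in yourself.

```python
"""Passive-recon helpers: DNS block walk plus Received: header mining.

Added example, not code from the original post.  All zone data and the
sample e-mail below are constructed; nothing here touches the network
unless you pass system_forward/system_reverse into walk_dns yourself."""
import ipaddress
import re
import socket
from email import message_from_string
from typing import Callable, Dict, Iterable, List, Optional

Forward = Callable[[str], Optional[str]]   # name -> dotted IPv4 or None
Reverse = Callable[[str], Optional[str]]   # dotted IPv4 -> PTR name or None


def system_forward(name: str) -> Optional[str]:
    """Live A lookup through the OS resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(ip: str) -> Optional[str]:
    """Live PTR lookup through the OS resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def walk_dns(seeds: Iterable[str], forward: Forward, reverse: Reverse,
             prefix_len: int = 24) -> Dict[str, dict]:
    """Resolve the seeds, reverse-resolve every address in the enclosing
    /prefix_len block, and flag PTRs that do not resolve back to their
    address (stale or leaked names are still leads, so they are kept)."""
    found: Dict[str, dict] = {}
    blocks = set()
    for name in seeds:
        ip = forward(name)
        if ip is None:
            continue
        entry = found.setdefault(ip, {"ptr": None, "forward_names": set()})
        entry["forward_names"].add(name.lower().rstrip("."))
        blocks.add(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    for block in blocks:
        for host in block.hosts():
            ip = str(host)
            ptr = reverse(ip)
            if ptr is None and ip not in found:
                continue
            entry = found.setdefault(ip, {"ptr": None, "forward_names": set()})
            entry["ptr"] = ptr.lower().rstrip(".") if ptr else None
    for ip, entry in found.items():
        ptr = entry["ptr"]
        entry["ptr_roundtrips"] = ptr is not None and forward(ptr) == ip
    return found


# RFC 1918 only: ipaddress.is_private would also flag the 203.0.113.0/24 demo block.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_chain(raw_message: str) -> List[dict]:
    """Hops in delivery order (sender side first).  Each MTA prepends its own
    Received: header, so the header list is walked in reverse."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())            # unfold continuation lines
        m = FROM_CLAUSE.search(hdr)
        if not m:
            continue
        ips = IPV4.findall(m.group(2) or "") or IPV4.findall(hdr)
        ip = ips[0] if ips else None
        hops.append({"claimed_host": m.group(1).rstrip("."), "ip": ip,
                     "rfc1918": ip is not None
                     and any(ipaddress.ip_address(ip) in n for n in RFC1918)})
    return hops


# Constructed zone data standing in for live DNS.
FAKE_A = {"mail.companyx.com": "203.0.113.10", "mail.companyxfs.com": "203.0.113.10",
          "vpn.companyx.com": "203.0.113.11"}
FAKE_PTR = {"203.0.113.10": "mail.companyx.com.", "203.0.113.11": "vpn.companyx.com.",
            "203.0.113.12": "gw.companyx-fs.com."}   # PTR with no matching A record

# Constructed message: the inner hop leaks an Exchange host on a private address.
SAMPLE_MESSAGE = """\
Received: from mail.companyx.com (mail.companyx.com [203.0.113.10])
    by mx.example.net (Postfix) with ESMTPS id 4ABCD
    for <tester@example.net>; Fri, 12 Dec 2008 10:05:33 +0000
Received: from EXCH01.companyx.local (10.20.30.40) by
    mail.companyx.com (203.0.113.10) with Microsoft SMTP Server id 8.1.291.1;
    Fri, 12 Dec 2008 10:05:31 +0000
From: contact@companyx.com
To: tester@example.net
Subject: re: scoping

hello
"""


def demo() -> dict:
    """Run both techniques on the constructed data and return the findings."""
    dns = walk_dns(["mail.companyx.com", "mail.companyxfs.com"],
                   forward=lambda n: FAKE_A.get(n.lower().rstrip(".")),
                   reverse=lambda ip: FAKE_PTR.get(ip))
    hops = received_chain(SAMPLE_MESSAGE)
    return {"dns": dns, "hops": hops,
            "internal_hosts": sorted(h["claimed_host"] for h in hops if h["rfc1918"])}


if __name__ == "__main__":
    out = demo()
    for ip, e in sorted(out["dns"].items()):
        print(ip, e["ptr"], sorted(e["forward_names"]),
              "roundtrips" if e["ptr_roundtrips"] else "NO roundtrip")
    for h in out["hops"]:
        print(h)
    print("internal hosts seen in Received: chain:", out["internal_hosts"])
```

Swap the two lambdas in demo() for system_forward/system_reverse to run the walk against live DNS; keep the prefix length at /24 or smaller unless the engagement scope explicitly covers the wider block, since every PTR query lands in the target's (or their provider's) logs.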
Current thread:
- Several Domains Ahmed Zaki (Dec 11)
- Re: Several Domains tony_l_turner (Dec 11)
- Message not available
- RE: Several Domains Ahmed Zaki (Dec 11)
- Re: Several Domains Todd Haverkos (Dec 12)
- Re: Several Domains Tim Brown (Dec 12)
- Re: Several Domains David Howe (Dec 12)
- Re: Several Domains Adam Thompson (Dec 12)
- Re: Several Domains ArcSighter (Dec 12)
- RE: Several Domains Ahmed Zaki (Dec 11)