Penetration Testing mailing list archives
Re: Host discovery
From: Oliver Kindernay <oliver.kindernay () gmail com>
Date: Thu, 25 Feb 2010 00:05:31 +0100
Thank you, very helpful. I tested some companies and found DNS subdomain bruteforcing (by the way, a new version of dnsmap was released a few days ago) to be the most successful method for discovering servers accessible from the internet (for gateways/firewalls the "email" method is probably better).

2010/2/24 chr1x <chr1x () sectester net>:

Hi Oliver,

Let's start:

+ We can start by defining what systems a corporate environment usually runs locally:
- Web Server
- Mail Server
- DNS Server
- Corporate Firewall

Since we are talking about a company which is hosting the website, they probably don't use some of those servers hosted with a 3rd party either, but for now we will assume that this phantom company has all of them enabled and look at how we would attempt to map them from the Internet.

- Web Server: In this case, you can find internal IP addresses in the comments and/or JavaScript used by the webapp. You can also look at the exceptions thrown by the app, where sometimes you get a very nice internal information leak.

- Mail Server: We can run some tests in order to get the IP address and probably to map users. The first thing you can try here is to send an email to an invalid mail user like notw0rk1n6m41l () domaintotest com, where "@domaintotest.com" should be replaced by the domain of your target. Since the mail server will not reach the user, it will answer you with an error message that includes a lot of useful information like mail headers and IP addresses; obviously you then have the IP of one of your targets. This technique is better than just sending emails to valid addresses, since you avoid depending on a user opening an email or performing some similar interaction on their end.

- DNS Server: This is one of the most important things when talking about mapping a corporation from the Internet, since it contains the address/name tables. Here we will talk about domains and the DNS service. Let's think about two different scenarios, hosted and not hosted.

* Hosted: With a hosted DNS you are able to reach the IP address and all the hosts behind the LAN. When a company configures their own DNS system, they usually make mistakes in the configuration, so in this case you can find a lot of issues, like allowing zone transfers, and a lot of attacks related to the DNS system; you can probably find internal hosts here, which are among the good targets.

* Not Hosted: Here, if the company wants to give out a subdomain of the root domain, they usually add aliases like smtp.domaintotest.com, webmail.*, dns1.*, ftp.*, so if you find those, you probably have other ways you can use in order to get more information about the internal stuff (from the Internet).

- Corporate Firewall: This is where you can use something like an image embedded into an email, where you can see the IP address that they use, which is usually the router or firewall of the company.

We should state that many companies follow bad practices like assigning public IP addresses directly to the NIC interfaces, and obviously this automatically exposes those servers to the internet (and also to attacks). What about an exposed IIS server? If somebody hacks this IIS server, they would get access to the internal LAN due to this bad configuration.

This is my own opinion based on my experience.

Good luck!

Christian

On 23/02/2010 02:33 p.m., Ron Yount wrote:

Embedded pictures in the email may work. It could even be extended to find out individual workstation IPs if each person is linked to a different picture. Then check the logs to see which pictures were opened.

RY

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Oliver Kindernay
Sent: Tuesday, February 23, 2010 11:25 AM
To: pen-test () securityfocus com
Subject: Re: Host discovery

Yes, but when the company uses the web host's mail server this won't work.

2010/2/23 Andrew MacPherson <andrewmohawk () gmail com>:

You could always look at simply sending a bounce mail, i.e. mailing thisaddressdoesntexist () organisation com, and then review the headers; often mail servers will leak information, especially if they are serving an internal environment.

-AM

On Tue, Feb 23, 2010 at 1:27 AM, Oliver Kindernay <oliver.kindernay () gmail com> wrote:

Hi,

Let's imagine this situation. Some small company has an internal network with some servers directly connected to the internet. The company's web is on web hosting. How can an attacker now identify the company's systems? I thought about something like sending an email to an employee with a link to a website which will log an IP address and hoping the employee will click on that link at work. But what are some more passive methods for this?
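The bounce-mail leak that Andrew and chr1x describe is something a mail administrator can check on their own server: send a message to a nonexistent local user and inspect what comes back. The script below is an added example, not code from anyone in the thread; it parses a constructed sample NDR (all hostnames, addresses and header values are invented) and reports which RFC 1918 addresses and internal hostnames the bounce would expose.

```python
"""Check a mail bounce (NDR) for leaked internal network details.

Added example for this thread; the bounce below is a constructed sample
and every hostname, address and header value in it is invented.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample NDR, modelled on the "mail a nonexistent user" case
# discussed in the thread. Not a real capture.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mailgw.example.test (mailgw.example.test [198.51.100.7])
\tby mx.isp.test with ESMTP id ABC123; Tue, 23 Feb 2010 11:30:01 +0100
Received: from exch01.corp.example.test (exch01.corp.example.test [10.1.2.15])
\tby mailgw.example.test with ESMTP; Tue, 23 Feb 2010 11:30:00 +0100
From: Mail Delivery System <MAILER-DAEMON@example.test>
Subject: Undelivered Mail Returned to Sender
X-Originating-IP: [192.168.20.44]

<nonexistent@example.test>: host exch01.corp.example.test[10.1.2.15] said: 550 5.1.1 User unknown
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def leaked_internals(raw):
    """Return (rfc1918_ips, hostnames) found in the relay headers and body of a bounce."""
    msg = message_from_string(raw)
    # Received, X-Originating-IP and the diagnostic body are where NDRs
    # usually expose the internal relay chain, so examine all three.
    text = "\n".join(msg.get_all("Received", []) + msg.get_all("X-Originating-IP", []))
    text += "\n" + msg.get_payload()
    private = set()
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. "300.1.2.3" is not a valid address
        if any(addr in net for net in RFC1918):
            private.add(ip)
    # Dotted names that are not just numbers are hostnames worth reviewing.
    hosts = {h.lower() for h in HOST_RE.findall(text) if not h.replace(".", "").isdigit()}
    return sorted(private), sorted(hosts)


if __name__ == "__main__":
    ips, hosts = leaked_internals(SAMPLE_BOUNCE)
    print("RFC 1918 addresses leaked:", ips)
    print("hostnames exposed:", hosts)
```

The public gateway address (198.51.100.7 in the sample) is expected in a bounce; the internal Exchange-style relay and the X-Originating-IP value are the findings that warrant stripping those headers at the border gateway.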
Current thread:
- Host discovery Oliver Kindernay (Feb 22)
- Message not available
- Re: Host discovery Oliver Kindernay (Feb 23)
- Re: Host discovery Pete Herzog (Feb 25)
- Re: Host discovery Adam Mooz (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 23)
- Message not available
- <Possible follow-ups>
- RE: Host discovery Ron Yount (Feb 23)
- Re: Host discovery chr1x (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 25)
- Re: Host discovery chr1x (Feb 25)
- Re: Host discovery Marco Ivaldi (Feb 25)
- Re: Host discovery chr1x (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 25)
- Re: Host discovery YGN Ethical Hacker Group (Feb 25)