Penetration Testing mailing list archives

Re: Several Domains


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Fri, 12 Dec 2008 10:05:33 +0000

Ahmed Zaki wrote:
Thanks for your reply.

Apparently it's my fault; I should have made my question clearer.

Your target is Company X. The IP of the mail server turned out to be
xxx.xxx.xxx.xxx, and when used to do a reverse DNS lookup it gave
mail.companyx.com, mail.companyx-fs.com, mail.companyx.com.fs,
mail.companyxfs.com. As a pentester, how would you go about identifying the
actual domain name that is being used internally?

You wouldn't. The implication there is that there are multiple type
"PTR" domain records (there aren't supposed to be, though) which may or
may not match any forward (A) records you might know about or want, and
may or may not contain internal DNS names (if I set it up, they
wouldn't; it's trivial to have your internal DNS serve a different domain
view than the external DNS, even if they are the same instance of named
on the same machine...)

The other consideration is that, almost certainly, the mail server will
be NATted; this would imply that the lan (real) IP differs from the
internet (NAT) IP, and hence dns records would be wildly different
inside or outside the firewall.

I am not asking for networking FACTS here; I am rather asking the
pentesters out there about their past experiences, thus I identify myself as
a noob.

Walking forward and backward DNS is an important part of passive
recon; you should also try IP addresses that appear to be in the same
IP "block" as visible addresses, try googling for the domain and/or IP, and
look at the domain registrations.

If you can find emails or newsgroup postings from that host, you should
be able to examine the headers of the email/posting for information
regarding the chain of hosts passed through; you can also examine any
emails you got from your site contact similarly (note you should not use
Outlook for this - the best tool in a Windows environment tends to be
Outlook Express (!) - use IMAP if you have an Exchange solution, and
either use Ctrl-F3 on the message (view source) or drag-drop the message
out of your inbox to your desktop, then use the text editor of your
choice (Notepad?)).
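The header walk the reply describes, as an added example that is not part of the original post: it unfolds the Received: chain of a constructed message (placeholder hosts and addresses, not from the thread) oldest-first and flags the hops whose addresses fall in RFC 1918 space, which is exactly where an internal naming scheme surfaces. A mail administrator can run the same parse on their own outbound mail to see what the gateway exposes past the NAT boundary.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original post); hosts and addresses are
# placeholders. Relays prepend Received: headers, so the top one is the newest hop.
SAMPLE_MESSAGE = """\
Received: from mail.companyx.com (mail.companyx.com [203.0.113.25])
\tby mx.example.net with ESMTP id ABC123; Fri, 12 Dec 2008 09:55:01 +0000
Received: from exch01.corp.companyx.local (10.1.2.3)
\tby mail.companyx.com with Microsoft SMTP Server id 8.1.291.1;
\tFri, 12 Dec 2008 09:54:58 +0000
Received: from DESKTOP-42.corp.companyx.local ([10.1.7.19])
\tby exch01.corp.companyx.local with Microsoft SMTP Server id 8.1.291.1;
\tFri, 12 Dec 2008 09:54:57 +0000
From: someone@companyx.com
To: contact@example.net
Subject: test

body
"""

# "from <HELO name> (<what the receiving relay saw>) by <receiving relay>"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<seen>[^)]*)\))?\s+by\s+(?P<by>\S+)",
                    re.IGNORECASE)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# RFC 1918 ranges: an address here means the hop happened inside the NAT boundary.
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_received_chain(raw_message):
    """Return the hops oldest-first, each with HELO name, observed IP and relay."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())          # unfold the header onto one line
        m = HOP_RE.search(flat)
        if not m:
            continue                              # unparseable hop: skip, don't guess
        ip_match = IP_RE.search(m.group("seen") or "") or IP_RE.search(m.group("helo"))
        ip = ip_match.group(1) if ip_match else None
        hops.append({"from": m.group("helo"), "ip": ip, "by": m.group("by"),
                     "internal": bool(ip and PRIVATE_RE.match(ip))})
    return hops


def internal_domains(hops):
    """Domain suffixes of hosts seen with private addresses: the naming that leaks out."""
    return sorted({h["from"].split(".", 1)[1].lower()
                   for h in hops if h["internal"] and "." in h["from"]})
```

A hop with no parenthesised receiver view (hop two above) still yields an address because the HELO field itself is tried as a fallback.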


