Penetration Testing mailing list archives

Re: Reconnaissance


From: jc <antihacker.jc () gmail com>
Date: Thu, 6 Mar 2008 10:40:52 -0800

While I'm not sure as to how you're defining recon, one method I've used in the past, along with an iron-clad Get Out of Jail Free contract/def. (exceptionally important in this instance), was utilizing a few of the email verification services.

Note: Sure, you could spend all sorts of time coding yourself, but it sure is a timesaver to use the services, and the independent oversight isn't bad, either. They also provide pretty charts and certified time-stamping for those that are impressed by that sort of thing.

By garnering some of the organization's email addy's off of search engines, a few specially crafted emails were sent out, which brought us a plethora of information, especially as to platform and IP. We achieved better information disclosures from those who posted to old-skool USENET...go figure.

While the internal corp. network was locked down fairly tight, we could ascertain a pretty good picture of the layout, especially as the messages were passed between departments. The results also gave us a grouping of previously unknown IP's to explore.

Key vulns. were exposed when corporate executives opened email on their home machines, which gave us the IP's, which, when scanned, showed holes...and with full exec buy-off on the mission, it was determined that passwords, docs, and other juicy work-related tidbits on the poorly-updated home machines could have been exploited, i.e., Keys to the Castle.

-jc

On Mar 5, 2008, at 12:15 PM, JD Lampard wrote:

I am interested in hearing about others' preferred sites for conducting reconnaissance. I know in part the sources will vary depending on the target. The vast majority of my targets are financial institutions. So, for example, I always hit a variety of banking association sites. But what others are valuable?

Thanks,
JD

