Penetration Testing mailing list archives

Re: Host discovery


From: Marco Ivaldi <raptor () mediaservice net>
Date: Thu, 25 Feb 2010 18:09:37 +0100 (Western Europe Standard Time)

Oliver,

On Thu, 25 Feb 2010, Oliver Kindernay wrote:

> Thank you, very helpful. I test some companies and I found DNS
> subdomain bruteforcing (btw, a new version of dnsmap was released a few
> days ago) the most successful method for discovering servers
> accessible from the internet (probably for gateways/firewalls it is
> better to use the "email" method)

Besides the already suggested techniques (you should really check out the OSSTMM as suggested by Pete, by the way), don't forget the following:

- WHOIS databases. Hint: use the free text searches when available [1] or
  download the database [2] and build your own custom search tool.

- Email headers. Even if their mail exchanger is hosted somewhere else, it
  might be (mis)configured to leak the "Received:" headers and therefore
  it could expose the public IP address of their firewall, or even their
  private IP address space.

- Web servers. There are many different vectors to gather useful
  information. Among those that weren't already mentioned in this thread:
  web server logs and stats, SSL certificates, HTTP headers.

- Google/Bing. Always powerful weapons if you know what you're doing.

Hope this helps,

[1]. E.g. http://www.ripe.net/db/whois-free.html
[2]. E.g. ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz

--
------------------------------------------------------------------------
Marco Ivaldi                          OPSA, OPST, OWSE
Senior Security Advisor
Bid Manager
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://mediaservice.net/disclaimer
------------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
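The "download the database and build your own custom search tool" hint above, as an added example that is not part of the original mail. It parses a dump in the RIPE database's RPSL layout (objects separated by blank lines, `key: value` lines, continuation lines starting with whitespace or `+`), runs a free-text search over every attribute, and then pulls out inetnum ranges that either mention the target directly or reference an organisation object that does. The dump content is constructed for illustration: the handles, names and ranges are made up and the address space is from the documentation ranges.

```python
import re

# Constructed sample in the RIPE dump layout. Handles such as ORG-EX1-RIPE,
# the names and the netblocks are invented for this example.
SAMPLE_DUMP = """\
organisation:   ORG-EX1-RIPE
org-name:       Example Holdings Ltd
org-type:       OTHER
address:        1 Sample Street, Sampleville
source:         RIPE

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-HQ
descr:          Headquarters network
org:            ORG-EX1-RIPE
country:        NL
status:         ASSIGNED PA
source:         RIPE

inetnum:        203.0.113.64 - 203.0.113.95
netname:        EXAMPLE-DC
descr:          Colocation range,
+               Example Holdings
remarks:        hosted by Sample Colo
country:        NL
status:         ASSIGNED PA
source:         RIPE

inetnum:        192.0.2.0 - 192.0.2.127
netname:        UNRELATED-NET
descr:          Another Company BV
country:        DE
status:         ASSIGNED PA
source:         RIPE

route:          203.0.113.0/24
descr:          Sample Colo aggregate
origin:         AS64496
source:         RIPE
"""


def parse_objects(text):
    """Split a dump into objects; each object is a list of (key, value) pairs.

    Keys may repeat (several descr: lines), so a list is kept rather than a dict.
    Lines starting with whitespace or '+' continue the previous attribute.
    """
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith(("#", "%")):  # dump comments
            continue
        if line[0] in " \t+":
            if current:
                key, value = current[-1]
                current[-1] = (key, (value + " " + line[1:].strip()).strip())
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def object_type(obj):
    """The object class is the key of the first attribute (inetnum, organisation, ...)."""
    return obj[0][0]


def get(obj, key):
    return [v for k, v in obj if k == key]


def free_text_search(objects, pattern):
    """Case-insensitive regex over every attribute value, like a free-text WHOIS search."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [o for o in objects if any(rx.search(v) for _, v in o)]


def netblocks_for(objects, pattern):
    """inetnum ranges that mention the pattern, or whose org: points at a matching organisation."""
    rx = re.compile(pattern, re.IGNORECASE)
    org_handles = {
        get(o, "organisation")[0]
        for o in free_text_search(objects, pattern)
        if object_type(o) == "organisation"
    }
    ranges = []
    for o in objects:
        if object_type(o) != "inetnum":
            continue
        direct = any(rx.search(v) for _, v in o)
        via_org = any(h in org_handles for h in get(o, "org"))
        if direct or via_org:
            ranges.append(get(o, "inetnum")[0])
    return ranges


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_DUMP)
    for r in netblocks_for(objs, r"example holdings"):
        print(r)
```

The two-step lookup matters in practice: a company's ranges are often registered under an organisation handle whose org-name is the only attribute that carries the company name, so a search restricted to inetnum objects misses them. Against a full dump, the same code works unchanged; only `SAMPLE_DUMP` is replaced by the decompressed file contents.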
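The "Received:" header leak described above, as an added example that is not part of the original mail. It walks the Received: chain of a message oldest-hop-first, pulls every IPv4 address out of each hop, and separates RFC 1918 space (the leaked internal addressing) from the first address the outside world actually saw (a candidate for the firewall or mail relay). The message is constructed for illustration: the hostnames, queue IDs and addresses are made up, with public-looking addresses taken from the documentation ranges.

```python
import email
import ipaddress
import re

# Constructed sample message, not a real capture. Hostnames, IDs and addresses
# are invented; 198.51.100.x / 203.0.113.x stand in for real public addresses.
SAMPLE_MESSAGE = """\
Received: from mx-out.hosted-mail.example (mx-out.hosted-mail.example [203.0.113.25])
\tby inbound.pentester.example (Postfix) with ESMTPS id 4F2A1
\tfor <tester@pentester.example>; Thu, 25 Feb 2010 17:59:02 +0100 (CET)
Received: from fw.target.example (unknown [198.51.100.7])
\tby mx-out.hosted-mail.example (Postfix) with ESMTP id 9C31B;
\tThu, 25 Feb 2010 17:58:55 +0100 (CET)
Received: from exch01.target.local (exch01.target.local [10.20.30.5])
\tby fw.target.example with ESMTP; Thu, 25 Feb 2010 17:58:50 +0100
Received: from [192.168.4.17] (helo=laptop-ops)
\tby exch01.target.local with esmtpa; Thu, 25 Feb 2010 17:58:40 +0100
From: someone@target.example
To: tester@pentester.example
Subject: Re: quote request

Hello, here is the information you asked for.
"""

# Only the three RFC 1918 blocks are treated as "internal" here. ipaddress'
# is_private would also flag the documentation ranges used in the sample.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw_message):
    """Received: headers oldest-first, i.e. the hop closest to the sender comes first.

    Each relay prepends its own header, so the top of the message is the last hop.
    """
    msg = email.message_from_string(raw_message)
    return list(reversed(msg.get_all("Received", [])))


def addresses_in(header_value):
    """Distinct IPv4 addresses in one header, in order of appearance."""
    found = []
    for m in IPV4_RE.finditer(header_value):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:  # e.g. 999.1.1.1 matched by the regex
            continue
        if ip not in found:
            found.append(ip)
    return found


def classify(ip):
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918_NETS):
        return "rfc1918"
    return "public"


def analyze(raw_message):
    """(hop index, address, class) for every address in the chain, oldest hop first."""
    report = []
    for idx, hop in enumerate(received_chain(raw_message)):
        for ip in addresses_in(hop):
            report.append((idx, str(ip), classify(ip)))
    return report


def leaked_internal(raw_message):
    """RFC 1918 addresses the relays wrote into the headers: the sender's private space."""
    return sorted({ip for _, ip, kind in analyze(raw_message) if kind == "rfc1918"})


def candidate_perimeter(raw_message):
    """First public address seen walking outward from the sender: likely the firewall/relay."""
    for _, ip, kind in analyze(raw_message):
        if kind == "public":
            return ip
    return None


if __name__ == "__main__":
    for idx, ip, kind in analyze(SAMPLE_MESSAGE):
        print(f"hop {idx}: {ip:15} {kind}")
    print("internal space leaked:", leaked_internal(SAMPLE_MESSAGE))
    print("candidate perimeter:  ", candidate_perimeter(SAMPLE_MESSAGE))
```

One caveat when reading the output: the name after `from` is whatever the connecting host announced in HELO and can be anything, whereas the bracketed address is what the receiving server observed, so only the addresses are trusted here. Also treat the oldest hops with care: headers below the first relay you control could have been forged by the sender, although in the recon scenario above the sender is the target and has no reason to do so.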
