Penetration Testing mailing list archives

Re: Host discovery


From: chr1x <chr1x () sectester net>
Date: Wed, 24 Feb 2010 21:35:43 -0600


Welcome. For subdomain searches you can also use netcraft.net together
with those.

http://searchdns.netcraft.com/?restriction=site+contains&host=sectester.net&lookup=wait..&position=limited

There are a lot of very useful tools like this out there to enrich your
testing.

Cheers.


Christian


On 24/02/2010 05:05 p.m., Oliver Kindernay wrote:
Thank you, very helpful. I test some companies and I found DNS
subdomain bruteforcing (btw, a new version of dnsmap was released a few
days ago) the most successful method for discovering servers
accessible from the internet (probably for gateways/firewalls it is
better to use the "email" method).

2010/2/24 chr1x <chr1x () sectester net>:
Hi Oliver, let's start:

+ We can start by defining what systems a corporate environment usually
runs locally.

- Web Server
- Mail Server
- DNS Server
- Corporate Firewall

Since we are talking about a company which is hosting the website,
probably they don't use some of those servers hosted with a 3rd party
either, but for now we will assume that this phantom company has all of
them enabled, and look at how we will attempt to map them from the Internet.

- Web Server: In this case, you may find internal IP addresses in the
comments and/or JavaScript used by the webapp. You can also try looking
at the exceptions thrown by the app, where sometimes you can get
a very nice internal information leak.

- Mail Server: We can run some tests in order to get the IP address and
probably to map users. In this case, the first attempt that you can try
here is to send an email to an invalid mail user like:
notw0rk1n6m41l () domaintotest com, where "@domaintotest.com" should be
replaced by the domain of your target. Since the mail server will
not reach the user, it will answer you with an error message that
includes a lot of useful information like mail headers and IP addresses;
obviously you have got the IP of one of your targets. This technique is better
than just sending emails to valid addresses, and you avoid the need for
a user to open an email or any other similar interaction from the user end.

- DNS Server: This is one of the most important things when talking about
mapping a corporation from the Internet, since it contains the address/name
tables. Here we will talk about domains and the DNS service. Let's think
about two different scenarios, hosted and not-hosted.

 * Hosted: With a hosted DNS you are able to reach the IP address and
all the hosts behind the LAN. When a company configures their own DNS
system, they usually fail in the configuration they do, so, in
this case, you can find that there are a lot of issues, like allowing
zone transfers, and a lot of attacks related to the DNS system; probably
you can find internal hosts here, which are one of the good targets.

 * Not Hosted: Here, if the company wants to give a subdomain of the
root domain, they usually add aliases like, for example,
smtp.domaintotest.com, webmail.*, dns1.*, ftp.*, so if you find those,
you probably have other ways that you can use in
order to get more information about the internal stuff (from the Internet).

- Corporate Firewall: This is where you can use something like an image
embedded into an email, where you can see the IP address that they use,
which usually is the router or firewall of the company.

We should state that many companies have bad practices like assigning
public IP addresses directly to the NIC interfaces, and obviously this
automatically leaves those servers exposed to the internet (and also to
attacks). What about an exposed IIS server, for example? If somebody hacks this
IIS server, they would get access to the internal LAN due to this bad
configuration.

This is my own opinion based on my experience.

Good luck!

Christian

On 23/02/2010 02:33 p.m., Ron Yount wrote:
Embedded pictures in the email may work. It could even be extended to find
out individual workstation IPs if each person is linked to a different
picture. Then check the logs to see which pictures were opened.

RY

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Oliver Kindernay
Sent: Tuesday, February 23, 2010 11:25 AM
To: pen-test () securityfocus com
Subject: Re: Host discovery

Yes, but when the company uses a webhosting provider's mail server this won't work.

2010/2/23 Andrew MacPherson <andrewmohawk () gmail com>:
You could always look at simply sending a bounce mail, i.e., mailing
thisaddressdoesntexist () organisation com, and then reviewing the headers;
often mail servers will leak information, especially if they are serving an
internal environment.

-AM

On Tue, Feb 23, 2010 at 1:27 AM, Oliver Kindernay
<oliver.kindernay () gmail com> wrote:

Hi,

Let's imagine this situation. Some small company has an internal network
with some servers directly connected to the internet. The company's web is
on webhosting. How can an attacker now identify the company's systems? I
thought about something like sending an email to an employee with a link to a
website which will log an IP address, and hoping the employee will click on
that link at work. But what are some more passive methods for this?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



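The bounce-message header leak that Andrew and Christian describe in this thread can be checked from the defending side: send yourself a bounce from your own mail gateway and see whether the Received headers expose internal addresses. The script below is an added example, not code from any message in the thread; the bounce text, hostnames and addresses in it are constructed for the illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample bounce (NDR) for an invalid recipient; the hosts and
# addresses are made up. The inner hop sits on a private address, which is
# exactly the kind of detail a bounce should not hand to an outside sender.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mailgw.example.test (mailgw.example.test [203.0.113.10])
\tby mx.tester.test with ESMTP id abc123; Wed, 24 Feb 2010 21:00:00 -0600
Received: from exch01.corp.example.test (exch01.corp.example.test [10.20.30.40])
\tby mailgw.example.test with ESMTP; Wed, 24 Feb 2010 21:00:00 -0600
From: Mail Delivery System <MAILER-DAEMON@example.test>
To: tester@tester.test
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

The recipient address notw0rk1n6m41l@example.test was not found.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges that describe internal topology: RFC 1918, loopback, link-local.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def received_hops(raw_message: str):
    """Return the Received headers in delivery order (oldest hop first)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Each relay prepends its own Received header, so reverse to get
    # the order the message actually travelled.
    return list(reversed(msg.get_all("Received", [])))

def leaked_internal_addresses(raw_message: str):
    """IPv4 addresses in the Received chain that fall inside INTERNAL_RANGES."""
    leaks = []
    for hop in received_hops(raw_message):
        for candidate in IP_RE.findall(hop):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. an octet above 255; not an address
            if any(addr in net for net in INTERNAL_RANGES) and str(addr) not in leaks:
                leaks.append(str(addr))
    return leaks

if __name__ == "__main__":
    for hop in received_hops(SAMPLE_BOUNCE):
        print(hop.replace("\n", " "))
    print("internal addresses exposed:", leaked_internal_addresses(SAMPLE_BOUNCE))
```

A non-empty result means the gateway is copying internal relay headers into outbound bounces; the usual fix is to have the edge MTA strip or rewrite Received headers from internal hops before a message leaves.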