Objective

Lab 1 is designed to provide you with hands-on, practical experience with information gathering tools and methodologies. Upon completion of lab 1, you will have an understanding of the following:

1. Footprinting - mapping an organization's information systems
 1. Google - advanced search operators allow you to easily find specific, relevant information
 2. WHOIS - query information related to Internet ownership of domain names, IP address blocks, or autonomous systems
 3. DNS Interrogation - obtaining information about an organization's computer names, IP addresses and other potential target information

2. Tools - as we investigate these footprinting techniques, we will explore the tools necessary to gather information

Materials

For the purposes of lab 1, you will need the following:
- All students: Complete the Google searches from your own system as long as you have an internet connection.
- All students: You can download the Kali VM and use it at home for this lab, or use a system of your choice (Windows XP/7/8). The CDM lab does not allow our course VMs to be connected to the internet, sorry :(

Procedures
1. Footprinting with Google

1. In this section we will experiment with Google's advanced operators to understand what types of information can easily be found on the web. Remember, the basic syntax of the advanced operator is operator:search_term. You can perform the following searches from your personal computer or connect to the lab as detailed in lab 0.

1. Let's begin with a simple example using the site: operator. Type the following command into Google site:digg.com free "desktop wallpaper". While the example may not be relevant to security, it goes to show how a search can easily be restricted to a specific site (digg.com) and piece of information (free desktop wallpapers).

2. The next operator filetype: allows us to search for pages that end in a particular file extension. Type the following command into Google filetype:conf apache. Based on the results, are you starting to see how this is a powerful operator by itself? Consider the scenario where you are attempting to locate a particular type of configuration file that a company may have inadvertently posted to the Internet. Also try the following search filetype:reg "Terminal Server Client". This returns Microsoft Terminal Services connection settings registry files. They may contain encrypted passwords and IP addresses.

3. The next operator intitle: starts to show the real power of advanced operators. Type the following command into Google intitle:index.of "parent directory". The results show directory listings of an assortment of goodies, ranging from MP3s to source code. Let's try another search with this operator. Type the following into Google intitle:"Welcome to Windows 2000 internet Services". Though the number of results may not be exciting, the important thing to note is we can easily identify web applications with known vulnerabilities based on their title. Here are a few other searches you can use to further explore intitle:
- intitle:index.of ws_ftp.log
- intitle:"Nessus Scan Report" "This file was generated by Nessus"
- server-dbs "intitle:index of"

4. The next operator inurl: allows us to limit searches to documents containing the search term in the URL. An amusing example is the following, which you can type in Google inurl:view/index.shtml. This URL is associated with Axis webcams that are accessible over the Internet. You could spend hours looking through these feeds. For a search that is more related to security, try inurl:"nph-proxy.cgi" "Start browsing". The results contain an assortment of proxy servers at your disposal.

5. The next operator cache: enables us to browse to a site's webpage that may currently be down (either intentionally or unintentionally). Type the following command into Google cache:malos-ojos.com. It's important to note the page is being served by Google's servers and not the hosting company. Think of a scenario where a company accidentally posts confidential information to their site, Google has time to cache the page, the company recognizes their mistake and pulls the page, but the content still exists thanks to Google.

6. Now let's take these operators and combine them to see what types of goodies we can dig up. First, type the following command in Google intitle:Remote.Desktop.Web.Connection inurl:tsweb. This search provides us with a set of machines that have login pages for Remote Desktop through TS Web Access. Lastly, type the following command into Google -inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(wma|mp3) "Darude". Can you piece together how this search works? Can you see how it can easily be modified to locate any filetype of your choice with any subject? Here are a few other searches you can explore that combine operators:
- intitle:index.of inurl:admin
- intitle:"EvoCam" inurl:"webcam.html"

2. Now that we have an understanding of how these operators work, let's consider a tool that can help automate these searches.

1. Install McAfee SiteDigger v3.0 (http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx).

2. Navigate through the start menu to Programs / Security Tools / Scanning Tools and click Foundstone SiteDigger v3.0.

3. Once the application has loaded, expand the two categories titled FSDB and GHDB as pictured below:

4. Each of these sub-categories contains search strings that can provide a wealth of knowledge

5. Further expand the category titled Files containing passwords listed under GHDB

6. Click the search string labeled enable password | secret "current configuration" -intext:the and make note of the description that appears in the Selected Entry Info textbox:

7. Select the checkbox next to this search string and click Scan. Results should populate in the 'Results:' textbox as pictured below:

8. Double-click a link to open it in the default browser
9. Also note you can restrict your search to a specific site/domain

10. Spend some time searching through the different search strings and reading the 'Entry Info' section. You will find a wealth of knowledge and possibly come up with some new searches you would like to perform.
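The operators in step 1 also describe what to check on a server you administer before a crawler gets to it. The following is an added example, not part of the original lab: it walks a web root and flags the file types and names those searches look for, plus directories with no index file. The sample directory tree and the function names are constructed for illustration.

```python
import os
import tempfile

# Patterns taken from the searches in this lab; the reason text is this example's own.
RISKY_EXTENSIONS = {
    ".conf": "configuration file (filetype:conf)",
    ".reg": "registry export (filetype:reg)",
}
RISKY_NAMES = {"ws_ftp.log": "FTP transfer log (intitle:index.of ws_ftp.log)"}
INDEX_FILES = {"index.html", "index.htm", "index.php", "index.shtml"}
NO_INDEX = "no index file; auto-generated listing possible (intitle:index.of)"


def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        lowered = {name.lower() for name in filenames}
        # A directory without an index file is served as a listing when
        # the web server has automatic indexing enabled.
        if not lowered & INDEX_FILES:
            findings.append((rel_dir, NO_INDEX))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            ext = os.path.splitext(name)[1].lower()
            reason = RISKY_NAMES.get(name.lower()) or RISKY_EXTENSIONS.get(ext)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Build a small constructed web root in a temp directory and audit it."""
    sample = ["index.html", "backup/httpd.conf", "backup/WS_FTP.LOG",
              "downloads/index.html", "downloads/rdp.reg"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point audit_webroot at your own document root; anything it reports is a candidate for removal or for an access rule.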

2. Footprinting with WHOIS & DNS Interrogation

1. In this section we will focus on footprinting with WHOIS and DNS interrogation. Both techniques allow us to mine information specific to an entity and its Internet resources. For the purposes of this lab, we will explore the www.cehjumpstart.com domain.

1. This section assumes you are using BT5 or Kali Linux to complete...

2. Open a terminal session by browsing to Applications / Accessories / Terminal in the top menu bar

3. Type man nslookup at the prompt and press enter. This will present the 'man page' or manual for the application. Man pages include descriptions, syntax usage, and other information that can be referenced. Press q to return to the root@kali:~# prompt

4. Type nslookup and press enter to begin an interactive session

1. Type www.cehjumpstart.com and press enter. The result will include the server that was used to perform the query, and any answers that were received (74.220.219.78).

2. Note that the resulting IP address was listed under 'Non-authoritative answer:'. Do you know why this is the case? Continue on and hopefully it will become clear.

3. Browse to www.networksolutions.com/whois/

4. In the 'Search all WHOIS Records' textbox, type www.cehjumpstart.com and click Search

5. When the search is complete, scroll down on the resulting page and locate the Domain servers. Note the first item listed ns1.bluehost.com and return to the terminal prompt.

6. You should still be in an interactive session on nslookup. Type server ns1.bluehost.com and press enter.

7. Now, let's perform our original search over again using the bluehost.com nameserver instead of the default nameserver (which happens to be owned by Deron's ISP). Type www.cehjumpstart.com and press enter. Take note that the result does not include the 'Non-authoritative answer:' heading.

5. So we've gathered that the cehjumpstart.com domain points to an IP address that is owned and hosted by bluehost.com. Curious what other IP addresses bluehost.com owns? Browse to www.arin.net.

1. In the 'Search Whois' textbox enter the IP address from our nslookup command 74.220.219.78 and press enter. Your results should look similar to what is pictured below:

2. You now have a range of IP addresses that have been allotted to Bluehost Inc. You also know the autonomous system number. With these details in hand, you are prepared to move on to the next step in reconnaissance: ascertaining active machines. We will dive into this topic in lab 2.

3. Recall the following image from the slides for module 2. Keep this in mind as we move between the various stages of footprinting:

6. Browse to ip2location.com

1. In the 'IP Address' textbox in the right column type 74.220.219.78 and press enter

2. While these locations may not be 100% accurate, the site does a great job of zeroing in on the best estimate. Consider the implications of understanding the physical location of an IP address.

3. Try entering your IP address and see how far off the site is

7. For our last exercise let's return to the Kali VM. If you are still inside interactive mode for nslookup, type exit and press enter.

8. At the root@kali:~# prompt type traceroute 74.220.219.78 and press enter

1. Each hop represents a router or device that is traversed as data packets make their way from the Kali VM to the server hosting the cehjumpstart.com domain.

2. What other information is this providing us? What about the two or three hops prior to the final destination that appear to be hosts on sub-domains of bluehost.com?

3. Also have a look at the corresponding IP addresses for these last few hops. These don't fall in the IP address block we identified earlier on arin.net. We just found a new set of IPs that we can begin to collect more information on.
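The two nslookup replies from step 4 differ only in who answered and in the 'Non-authoritative answer:' heading. The following is an added example, not part of the original lab: it parses both replies and compares them, which is also how you would check that a resolver's cached record still matches what your own domain's nameserver publishes. The transcripts are constructed, and the resolver and nameserver addresses in them are placeholders from documentation ranges.

```python
# Constructed transcripts in the layout nslookup prints. The addresses after
# "Server:" are placeholders, not the real resolver or nameserver addresses.
VIA_DEFAULT_RESOLVER = """\
Server:\t\t192.0.2.1
Address:\t192.0.2.1#53

Non-authoritative answer:
Name:\twww.cehjumpstart.com
Address: 74.220.219.78
"""

VIA_DOMAIN_NAMESERVER = """\
Server:\t\tns1.bluehost.com
Address:\t198.51.100.53#53

Name:\twww.cehjumpstart.com
Address: 74.220.219.78
"""


def parse_nslookup(text):
    """Split one nslookup reply into the server queried and the answer records."""
    result = {"server": None, "authoritative": True, "answers": []}
    current_name = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Server:"):
            result["server"] = line.split(":", 1)[1].strip()
        elif line.lower().startswith("non-authoritative answer"):
            # The heading is printed when the reply came from a cache rather
            # than from a server that holds the zone.
            result["authoritative"] = False
        elif line.startswith("Name:"):
            current_name = line.split(":", 1)[1].strip()
        elif line.startswith("Address:") and current_name:
            # The Address line under "Server:" comes before any Name line,
            # so it is never recorded as an answer.
            result["answers"].append((current_name, line.split(":", 1)[1].strip()))
    return result


def cached_matches_authoritative(cached_text, authoritative_text):
    """True when a cached reply carries the same records as the authoritative one."""
    cached = parse_nslookup(cached_text)
    auth = parse_nslookup(authoritative_text)
    if cached["authoritative"] or not auth["authoritative"]:
        raise ValueError("expected one cached and one authoritative reply")
    return sorted(cached["answers"]) == sorted(auth["answers"])


if __name__ == "__main__":
    print(parse_nslookup(VIA_DEFAULT_RESOLVER))
    print(parse_nslookup(VIA_DOMAIN_NAMESERVER))
    print(cached_matches_authoritative(VIA_DEFAULT_RESOLVER, VIA_DOMAIN_NAMESERVER))
```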


3. Researching Your Targets

1. In this section we will do some independent research on a target and try to gather all the publicly available information we can as part of Footprinting. To do this, I'm asking you to:

1. Select a target organization. Some suggestions here are that you find a sizeable organization that has an internet presence but make sure it isn't so large that the research takes an unreasonable amount of time and effort.

2. Find all publicly available information using both resources we have talked about as well as new resources that you will identify through your own research. Make sure to NOT scan, ping, or send any packet to the target organization (we are NOT scanning people, only gathering public information).

3. For those who may be new to footprinting we would be interested in items like those mentioned in Module 2 - Slide 6 (i.e. domains they own, physical locations/addresses, people of interest, systems they may be running as witnessed in job posting or LinkedIn profiles of current and former employees, etc.)

4. Gather and present your information in your submission, including a listing of all resources used. I listed some items of interest on the final page of the lab to get you started; feel free to modify and change/add as you see fit.

Additional Exercises
The following items are additional exercises related to the lab. Feel free to explore these topics on your own.
- Visit www.torproject.org to learn about TOR. It's a powerful tool that can be leveraged to maintain your anonymity online when performing certain reconnaissance tasks. For the simplest installation, download the Tor Browser Bundle, which is a self-contained executable with all the components you'll need.
- Visit www.paterva.com to learn about Maltego. Maltego can help mine data related to the items we talked about in this lab. But, that's only a portion of its functionality. Check out the site to learn about its full potential. Download and try the demo (if available) as it may be useful for #3 Researching Your Targets above.
- Use recon-ng, cree.py, or any other tools for this exercise that DO NOT actively scan the target system, site, or network. So be careful.

For this lab you must submit the following to COL (in a single file please):
- The coolest Google search string you could come up with that was used to dig up something interesting. I suggest you do some research on this topic and put together a search string that results in something good. Be creative! And please don't give me links that allow you to download books, movies, or books as I consider that to be weak.

- A screenshot of the links that your search returns.
- A short description of the search and why it was the most interesting and/or returns valuable information. One paragraph should suffice, and include why the information is useful and what you could possibly use it for in your submission.
- Again, no "free mp3" or "free music links" PLEASE!!!!
- The results of your research on your chosen target (see the following page for a sample list of items to include in a report).

IMPORTANT: Sample items that should be included in your report (make these look decent please):

- Target organization name
- Main address/HQ/datacenters
- Subsidiaries owned by the target
- Business structure (i.e. LLC, C-Corp, publicly traded company, etc....sec.gov, hoovers.com, etc. may help here)
- All locations and associated address ranges (i.e. did you find a physical site without a range? Did you find generic ranges associated with the company, such as business-class DSL ranges not associated with the company name?)
- Important employees or employees of interest and their job titles or roles within the company. Choose one of these employees and expand your research...do they have a favorite hobby?
- Public facing sites of interest, such as domains, websites, portals, etc.
- Where are their name servers located (i.e. do they host them)? Where does email flow (i.e. do they use a 3rd party like Postini or accept mail directly?)
- Any other information you think may be relevant to footprinting that you find.
- A listing of the tools/sites you used in your research and a 1-2 sentence explanation of the research and why it was a valuable resource in your exercise.
