So what information types could you possess or be given before you engage?

I know the 4th item is a little extensive: why would a soliciting client only give you a list of telephone numbers, email addresses or names to do your assessment from? In reality they wouldn't, but in practice you will need to attain information pertinent to your penetration test's effectiveness when all the rabbit holes lead you to a Facebook, LinkedIn or Twitter account, leaving you asking yourself how on earth this is useful to you as a penetration tester. So, all things considered, I think it's a good idea to discuss how you make social information useful in a penetration test.

The aim of the game is to build a list of other information that is linked to whatever information you already have, and to do this recursively until you end up where you started or have all the information you need. Before writing an entire book on the philosophy of information gathering, I need to clarify that there are two kinds of information gathering: passive and active.



I'll now discuss passive and active information retrieval techniques based on the list I've detailed above.





Using the little trick I discussed a couple of paragraphs ago, you can ask yourself: what information is linked directly to IP addresses? Well, there's a lot, but the most obvious ones (here's a list I made off the top of my head) would be:

So you have a bunch of IP addresses: what kind of information can you get using them, and how can you obtain that information?

Within the Internet, an autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.

Autonomous System numbers (ASNs) are the unique numbers associated with each Autonomous System.

The next step is to decide how you can use the IP addresses you have to obtain the related information.





IP Addresses to Domain Names and Name Servers: Mapping IP addresses to domain names is one of the oldest services on the Internet. To do it we need to fire off a couple of DNS queries.





So how do you do DNS queries then? Querying a DNS server deserves a book on its own, but to make sure those of you who don't know anything know enough to get by after reading this post I'll go through the basics you need; I'll even throw in a couple of books at the end of the post.

ProTip: If you don't know something about a protocol, hunt down the RFC and some books that define its behaviour and read everything very attentively. The DNS RFC has been added to the reading list at the end of this post.

The tool I'll be using is dig, and I'll be doing what's called reverse querying: DNS exists to translate names to numbers, and I am doing this in reverse.



But before we go mindlessly querying name servers I think it's important to get a little perspective: why would we need the domain names? Here are a couple of reasons:

- To look cool (always important!).
- Hostnames usually hint at the service behind them (ssh, ftp, www, mail and so on), because admins would otherwise have to memorise a million IP addresses; a nifty name for a given administration service is very helpful to them, and therefore to you.
- It gives you perspective on the naming conventions in use.
- If push comes to shove you could use the character data from these names to help brute-force other hostnames, the way dnsenum does.
- It's always a good idea to use domain names during password brute-forcing. For instance, take all the domain names associated with a given application, stick them in a list and generate all the permutations of these words to build a wordlist for JtR (John the Ripper). It won't hurt your hit rate to throw in words like admin, login or other common passwords so they get mangled together with the domain names; these usually make very good guesses.

Another general tip for generating good wordlist fodder is not only to try and guess possible passwords, but to enumerate which words or pieces/types of written information would likely be used as mnemonics (company names, admins' names, admins' wives' names, street names, etc.) and build wordlists from those sources. How you manage all this information is a story for another day.
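Here is the wordlist idea from the last bullet carried through in code. This is an added example, not code from the original post: it takes a list of hostnames, keeps the labels that say something about the target, permutes them together with a few common words such as admin and login, and applies the separator, case and suffix mangling that usually pays off. The hostnames in SAMPLE_HOSTS are constructed for the demonstration, as are the generic-label and suffix lists, which you would tune per engagement.

```python
"""Build a John the Ripper wordlist from harvested hostnames.

Added example, not from the original post: it implements the tip above
(collect the names, permute the words, mangle in common words such as
'admin' and 'login'). The hostnames in SAMPLE_HOSTS are constructed for the
demonstration; in an engagement you would feed in the names dig gave you.
"""
import itertools
import re
import sys

# Common words that rarely hurt the hit rate; extend with company names,
# admins' names, street names and other mnemonics you collect.
COMMON_WORDS = ("admin", "login", "password")

# Labels that say nothing about the target and only bloat the list (assumed set, tune per target).
GENERIC_LABELS = {"www", "mail", "ns", "ns1", "ns2", "com", "net", "org", "co", "uk"}

SEPARATORS = ("", "-", "_", ".")
SUFFIXES = ("1", "123", "!")

# Constructed sample input, not a real target.
SAMPLE_HOSTS = ["ssh.acme-corp.example.", "www.acme-corp.example", "mail.acme-corp.example"]


def labels_from_hostnames(hostnames):
    """Split FQDNs into labels, keeping whole labels and the pieces of hyphenated ones."""
    words = set()
    for host in hostnames:
        for label in host.lower().rstrip(".").split("."):
            if not label or label.isdigit() or label in GENERIC_LABELS:
                continue
            words.add(label)
            words.update(part for part in re.split(r"[-_]", label) if len(part) > 1)
    return sorted(words - GENERIC_LABELS)


def case_variants(word):
    """lower, Capitalised and UPPER forms: the mangles a cracker's rules would try first."""
    return {word, word.capitalize(), word.upper()}


def build_wordlist(hostnames, extra_words=COMMON_WORDS, max_words=2):
    """Permute target words (plus extra_words) up to max_words at a time,
    joined by each separator, then apply case and suffix mangling."""
    base = sorted(set(labels_from_hostnames(hostnames)) | set(extra_words))
    candidates = set()
    for n in range(1, max_words + 1):
        seps = SEPARATORS if n > 1 else ("",)  # a single word has nothing to join
        for combo in itertools.permutations(base, n):
            for sep in seps:
                joined = sep.join(combo)
                for variant in case_variants(joined):
                    candidates.add(variant)
                    candidates.update(variant + suffix for suffix in SUFFIXES)
    return sorted(candidates)


if __name__ == "__main__":
    # Usage: python wordlist.py [hostname ...] > words.txt   (defaults to the sample)
    # then:  john --wordlist=words.txt --rules hashes.txt
    for word in build_wordlist(sys.argv[1:] or SAMPLE_HOSTS):
        print(word)
```

The output is deterministic (sorted, de-duplicated), so you can diff two runs as the engagement turns up more names. Let JtR's own rules do the heavier mangling; the point of this list is the target-specific vocabulary it carries.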

Back to reverse DNS querying!







dig -x [ip address]

So let's set up a simple example and say I was given the IP address 82.94.164.162. This is what you would do with dig to retrieve the associated domain name:

-x tells dig to do a reverse lookup.

Reverse lookup with dig; the part you want to focus on is labelled "ANSWER SECTION:".





The second command I issue is the same except it returns only the associated domain name and none of the other fodder: +short cuts all the nonsense! This may be helpful to all you bash-scripting sorcerers out there.



So we can look up domain names; what else can we do? Well, we know that today large internet-based services like Twitter often have more than one domain name and are often served from many IPs. How do we get all the IPs associated with one domain name?

To do this we first need the name servers in charge of (authoritative for) the domain, the ones that translate its names to IP addresses. This is how you find them:

dig -t ns twitter.com

dig shows us that twitter.com is served by several name servers.

It's always a good idea to find out which name servers are in charge of your target: DNS servers are incredible sources of information, and DNS is not only about turning letters into numbers!



So all we know now is who we should ask to find out about the 'twitter.com' domain; what we do next is actually direct our question at these name servers. The difference between the query we are going to see now and the previous one is that the previous one leaves it to your local DNS server (probably your router, like mine in the example above) to find the appropriate authority and resolve the query on your behalf; this time we ask the authority directly.

So let's ask some of these name servers about 'twitter.com':

'@' directs the query at a given name server and -t specifies the record type we seek; an A record maps a hostname to an IPv4 address. There are many other record types and most of the time they prove useful, so I suggest reading the DNS RFC asap. Oh, and we would need to query each of the name servers in charge of the domain to get an extensive list: they should all serve the same zone, but large services may hand out different subsets of their addresses to different queries, so ask every server, and ask more than once.

So now we've extracted some more IPs associated with twitter.com. Why would this be useful? Well, it gives you a little insight into the network infrastructure: they most probably spread the service over many addresses for load balancing and to combat DoS attacks. It also tells you that if you ever get behind this DMZ you can expect some system to be syncing the data collected from each of these separate IPs, if they are in fact separate machines (nowadays it's most likely a bunch of machines all being referenced from the same group of IPs, or a cloud as they call it). So think a little about the information you gather and try to see behind what it intends to tell you.



Before we move on, a quick recap:

Translating IP addresses to domain names:

dig -x [ ip address ]

Finding the name servers in charge of a given domain:

dig -t ns [domain name]

Querying a given name server for all IPs associated with a given domain:

dig @[name server] [domain name] -t A

That's about all I've discussed for now. Please remember, if you ever find yourself sitting with an IP address and need to get info on domain names, or need to find more IPs, these techniques are the ones you'll be looking for.
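The three recap commands chained into the recursive pivot described at the start of the post (IP to name, name to name servers, name servers to more IPs, repeat until nothing new appears). This is an added example, not code from the original post: it wraps the real dig binary with +short, and the lookup function is injectable so the loop can also run offline against SAMPLE_ZONE, a constructed zone whose 203.0.113.0/24 addresses and acme.example names are documentation values, not a real target. The "last two labels" domain heuristic is an assumption that is wrong for co.uk-style suffixes.

```python
"""Chain the three recap queries into one harvesting loop.

Added example, not from the original post: it wraps the real `dig` binary
(dig -x, dig -t NS, dig @server -t A, all with +short) and follows the links
between IPs, hostnames and name servers until no new item turns up, which is
the "do this recursively until you end up where you started" idea from the
post. The lookup function is injectable so the loop can also run offline
against SAMPLE_ZONE, a constructed zone for demonstration only.
"""
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Set

# (record type, name, server) -> answers; server == "" means "use the local resolver"
Lookup = Callable[[str, str, str], List[str]]


def dig_lookup(rtype: str, name: str, server: str = "") -> List[str]:
    """Run dig +short and return the answers, or [] if dig fails, times out or has nothing."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += ["-x", name] if rtype == "PTR" else ["-t", rtype, name]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [line.strip().rstrip(".") for line in out.splitlines() if line.strip()]


# Constructed sample zone (documentation addresses and names), not real data.
SAMPLE_ZONE = {
    ("PTR", "203.0.113.10", ""): ["web1.acme.example"],
    ("PTR", "203.0.113.11", ""): ["web2.acme.example"],
    ("NS", "acme.example", ""): ["ns1.acme.example", "ns2.acme.example"],
    ("A", "acme.example", "ns1.acme.example"): ["203.0.113.10", "203.0.113.11"],
    ("A", "acme.example", "ns2.acme.example"): ["203.0.113.10", "203.0.113.12"],
    ("A", "ns1.acme.example", ""): ["203.0.113.53"],
}


def sample_lookup(rtype: str, name: str, server: str = "") -> List[str]:
    """Offline stand-in for dig_lookup backed by SAMPLE_ZONE."""
    return list(SAMPLE_ZONE.get((rtype, name, server), []))


def registered_domain(hostname: str) -> str:
    """'Last two labels' heuristic (assumption): fine for acme.example, wrong for co.uk suffixes."""
    return ".".join(hostname.split(".")[-2:])


def harvest(seed_ips: Iterable[str], lookup: Lookup = dig_lookup,
            max_rounds: int = 5) -> Dict[str, Set[str]]:
    """Pivot IP -> PTR name -> domain -> NS -> A records (asked at the authority) -> new IPs."""
    found: Dict[str, Set[str]] = {"ips": set(seed_ips), "hosts": set(),
                                  "domains": set(), "nameservers": set()}
    done_ips: Set[str] = set()
    done_domains: Set[str] = set()
    for _ in range(max_rounds):  # bounded: a big estate never really reaches a fixed point
        new_ips = found["ips"] - done_ips
        if not new_ips:
            break  # nothing new to chase: we ended up where we started
        for ip in sorted(new_ips):
            done_ips.add(ip)
            for host in lookup("PTR", ip, ""):  # dig -x ip
                found["hosts"].add(host)
                found["domains"].add(registered_domain(host))
        for domain in sorted(found["domains"] - done_domains):
            done_domains.add(domain)
            for ns in lookup("NS", domain, ""):  # dig -t ns domain
                found["nameservers"].add(ns)
                found["ips"].update(lookup("A", domain, ns))  # dig @ns domain -t A
                found["ips"].update(lookup("A", ns, ""))  # the name server is a host too
    return found


if __name__ == "__main__":
    # With IPs on the command line this runs real dig; without, it walks the offline sample.
    seeds = sys.argv[1:]
    result = harvest(seeds, dig_lookup) if seeds else harvest(["203.0.113.10"], sample_lookup)
    for kind, items in result.items():
        print(f"{kind}: {', '.join(sorted(items)) or '-'}")
```

Keep max_rounds small on a real target: every round fans out to every authority for every domain you have found, and you want to know, not guess, how much traffic you are sending to the client's name servers.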



In closing I should mention that there are many different types of DNS records, each of which you can query a DNS server for; I suggest you check out the DNS RFC listed at the end of the post, which defines them.



Now that I've covered a basic crash course in dig, I can show you some more dig-based tricks, namely finding the mail servers for a given domain.





Domain Names to Mail Server Domain Names: Mail servers often turn out to be gold mines of information, allowing you to figure out things like usernames, internal IPs and other very, very valuable information. So finding mail servers should be a trivial task for any aspiring penetration tester.



dig -t MX [domain name]

All you need to do is feed dig the type switch and ask it for MX (mail exchange) records, as above. This looks up the mail servers for google.com; the next command you see is me verifying that the domain does in fact host an SMTP server (for instance by connecting to the returned host on port 25 and checking its greeting). Of course, if you are going to be doing penetration testing for clients, you will need to accept that the internet often lies to you! So an important skill you need to master is verifying information; that is what I'm doing in the last command.
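The MX lookup and the "does it really run SMTP?" verification from the paragraph above, as an added example that is not code from the original post. parse_mx() reads the output of `dig +short -t MX domain` (lines of the form "10 host."), lowest priority first, and smtp_banner() opens port 25 and reads the greeting, accepting only a 220 reply. SAMPLE_DIG_OUTPUT is a constructed sample of dig's output format, not a real result, and the connect callable is injectable so the banner check can run without network access.

```python
"""Find a domain's mail servers with dig and verify each one really speaks SMTP.

Added example, not from the original post. SAMPLE_DIG_OUTPUT is a constructed
sample of `dig +short -t MX` output (acme.example is not a real target); the
connect callable lets the banner check run offline.
"""
import socket
import subprocess
import sys
from typing import Callable, List, Tuple

SAMPLE_DIG_OUTPUT = """\
10 mx1.acme.example.
20 mx2.acme.example.
5 mx0.acme.example.
"""


def parse_mx(dig_output: str) -> List[Tuple[int, str]]:
    """Turn dig's +short MX lines into (priority, host) pairs, lowest priority first."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # no MX records, or a ';;' diagnostic line that dig prints on stdout
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def mx_records(domain: str) -> List[Tuple[int, str]]:
    """Run dig for real; returns [] when dig is missing, times out or the domain has no MX."""
    try:
        out = subprocess.run(["dig", "+short", "+time=3", "-t", "MX", domain],
                             capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return []
    return parse_mx(out)


def smtp_banner(host: str, port: int = 25, timeout: float = 5.0,
                connect: Callable = socket.create_connection) -> str:
    """Return the server's 220 greeting, or '' if nothing answers or the answer is not SMTP."""
    try:
        with connect((host, port), timeout=timeout) as sock:
            banner = sock.recv(512).decode("ascii", "replace").strip()
    except (OSError, UnicodeError):
        return ""
    # RFC 5321: a real SMTP server opens with a 220 reply; anything else is not what DNS promised
    return banner if banner.startswith("220") else ""


if __name__ == "__main__":
    # Usage: python mx_check.py acme.example   (no argument: just parse the constructed sample)
    if len(sys.argv) > 1:
        for prio, host in mx_records(sys.argv[1]):
            print(f"{prio:>3} {host:<40} {smtp_banner(host) or 'no SMTP banner'}")
    else:
        for prio, host in parse_mx(SAMPLE_DIG_OUTPUT):
            print(f"{prio:>3} {host}")
```

The banner itself is worth keeping: it usually names the software and sometimes the internal hostname, which is exactly the kind of detail the paragraph above calls a gold mine.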



Before this post becomes way too long for you to cover during your morning coffee I thought I'd call it a day and end here. Expect posts on more advanced information gathering via dig and DNS, and information retrieval using the WHOIS service, in the next post.



If you're completely new to this, please check out all the items on the reading list; get this information down now, because it's quite important background for anyone who wishes to become professionally involved in infosec!

Reading List

Thanks for reading ;)

Please mind the spelling mistakes lols