Vinni
Administrator
Total posts: 2136, user rating: 22, registered on the forum: 5 June 2009
Posted: 28 April 2011 16:25
A decent method for gathering information about a domain belonging to an organisation, and about much else besides (better to read the original source): _ttp://infond.blogspot.com/2010/05/toturial-footprinting.html
[q] A pentest must be planned and prepared through several preliminary actions to obtain the most comprehensive inventory of the target network's resources: hardware, software and even human. The goal is to recover as much information as possible on the network architecture, operating systems, applications and users. This step should not be limited to port scanning or fingerprinting. Indeed, a lot of information can be gathered by passive means, without any access to the target, for example using DNS servers or search engines such as Google. We must therefore distinguish passive reconnaissance (footprinting) from active reconnaissance.
The aim of footprinting is to passively gather intelligence about web, mail, DNS and directory servers, and to look for IP addresses, domain names, network protocols, active services, operating systems, software and users. It is then followed by a phase of active reconnaissance, which completes knowledge of the audited network through active operations directly on the target system. It includes network scans, with specialized software such as NMAP, to find IP addresses, open ports and the software running on the servers. This is known as port scanning and fingerprinting.
The purpose of this article is to present methods for passive reconnaissance (footprinting), together with a practical implementation. For teaching purposes, we analyse the domain Owasp.org using a full range of existing tools. We also use two Python scripts for multithreaded DNS search, dnsdic and dnsbf. The point is that most of the tools we present are complementary and useful for deep reconnaissance.
What is footprinting?
Footprinting is a security auditing technique aimed at gathering intelligence about the infrastructure of a target network, using only information to which access is free and authorized. It is the first component of the information gathering step of a pentest, before port scanning and fingerprinting.
More precisely, the aim of footprinting is to find IP addresses, network address ranges and subdomain names. During the footprinting process, some services (mail, web, DNS) provided by servers can be discovered. With this information, a pentester is then able to focus further research.
Footprinting is based on several techniques, relying on DNS and search engines:
- DNS query: with a domain name, you obtain the associated IP. Any field of the DNS response can be exploited: A, MX, etc.,
- reverse DNS query: with an IP or an IP address range, you obtain domain names,
- dictionary DNS: with a domain name, you make DNS queries on usual subdomain names and top level domains. For example, from "mysite.com", you look for "smtp.mysite.com", "pop.mysite.com", etc., and then "mysite.fr", "mysite.org", etc.,
- attempt to transfer the DNS zone: sometimes, the zone database of a misconfigured DNS server can be downloaded,
- website spidering: we gather any subdomain name met while visiting all the internal links of the website,
- recovery of old DNS entries: old DNS entries are sometimes listed by specialized websites,
- WhoIs database: you obtain the information legally provided for the domain name registration,
- search engine queries,
- X509 certificate queries,
- analysis of the website's robots.txt.
Tools
- www.robtex.com/ : website which provides graphical information from DNS and WhoIs,
- dig: Linux command aimed at finding the IP address associated with a domain name,
- dnsbf: script for reverse DNS search in a whole subnet,
- dnsdic and its dictionary: script for DNS dictionary bruteforce search of subdomain names,
- dnsmap (backtrack): script for gathering IP addresses from a domain name,
- dnsrecon (backtrack): script for top level domain name search. For example, for Owasp, we find owasp.org, owasp.net, owasp.fr, etc.,
- DNSWalk (backtrack): sourceforge.net/projects/dnswalk/ ,
- Burp Suite: www.portswigger.net/suite/ (Java needed),
- dnshistory.org: old DNS entries,
- subdomainer.pl (Edge-Security): script for subdomain name gathering with search engines,
- Metagoofil.py (backtrack) from Edge-Security: script for information gathering in documents (pdf, doc...) referenced by Google. Metagoofil needs extract ($ sudo apt-get install extract). Moreover, it is installed by default in /usr/bin; modify the script to use the executable from this directory,
- FoxyProxy (https://addons.mozilla.org/fr/firefox/addon/2464): Firefox extension useful with Burp Suite,
- Maltego (backtrack): graphical footprinting tool, www.paterva.com/ ,
- Hostmap.rb: sourceforge.net/projects/hostmap , remarkable script, written in Ruby, that conducts iterative queries on DNS, search engines and cryptographic key servers,
- Fierce (backtrack): ha.ckers.org/fierce , Perl script for Linux to conduct DNS search.
Results
While you're reading this article, you'll find the following information:
Owasp.org is a website hosted by Fast.net. Its DNS servers are hosted by Secure.net, a B2B US company with the US Army as a customer.
Domain names
The following domain names are linked to the IP address 216.48.3.18:
owasp.org
esapi.org
webscarab.net
webscarab.com
webscarab.org
webgoat.org
Other owasp.* domains found (with the IP address where known):
owasp.asia
owasp.cg 188.165.42.228
owasp.ch
owasp.com.tw
owasp.cz 81.0.246.60
owasp.fr 216.48.3.18
owasp.de 78.46.49.201
owasp.dk
owasp.gr 69.93.193.98
owasp.hu 193.142.209.99
owasp.ir 213.175.221.136
owasp.kr 222.231.8.226
owasp.info
owasp.lt 79.98.25.1
owasp.my 202.190.179.45
owasp.mp 75.101.130.205
owasp.net
owasp.nl
owasp.org.tw
owasp.pw 70.87.29.150
owasp.pl 91.210.130.50
owasp.ph 203.119.6.249
owasp.ru 193.232.159.1
owasp.rw 94.23.192.35
owasp.tw
owasp.ws 64.70.19.33
owasp.st 195.178.160.40
owasp.es 213.186.33.5
owasp.se 212.97.132.112
owasp.ch 88.191.227.205
owasp.tw
owasp.tk 193.33.61.2
owasp.tk 209.172.59.196
owasp.tk 94.103.151.195
owasp.tk 217.119.57.22
owasp.tv 64.99.80.30
owasp.vn 72.52.194.126
IP addresses
Every IP address of the Owasp network belongs to the subnet 216.48.3.0/24. The IPs allocated to Owasp are:
216.48.3.18
216.48.3.19
216.48.3.20
216.48.3.22
216.48.3.23
216.48.3.26
216.48.3.30
The following address is interesting, because it points to websites owned by the creator of Owasp: 66.255.82.14
Every other subdomain resolves to the IP 216.48.3.18; the exceptions are:
forums.owasp.org 216.48.3.19
stage.owasp.org 216.48.3.20
lists.owasp.org 216.48.3.22
voip.owasp.org 216.48.3.22
forums.owasp.net 216.48.3.23
ads.owasp.org 216.48.3.26
ml1lists.owasp.org 216.48.3.30
docs.owasp.org hosted by Google
mail.owasp.org hosted by Google
groups.owasp.org hosted by Google
calendar.owasp.org hosted by Google
mail.owasp.net 66.255.82.14
Subdomains
owasp.org:
ml1.owasp.org
www.owasp.org
www2.owasp.org
lists.owasp.org 216.48.3.22
ads.owasp.org 216.48.3.26
_adsp._domainkey.owasp.org
jobs.owasp.org
registration.owasp.org
_policy._domainkey.owasp.org
_domainkey.owasp.org
es.owasp.org
austin.owasp.org
beta.owasp.org
blogs.owasp.org
forum.owasp.org
old.owasp.org
ww.owasp.org
localhost.owasp.org
google6912a08c3a8ccdf0b.owasp.org
ns.owasp.org
docs.owasp.org
calendar.owasp.org
austin.owasp.org
gateway.owasp.org
secure.owasp.org
intranet.owasp.org
extranet.owasp.org
web.owasp.org
webmail.owasp.org
ftp.owasp.org
stage.owasp.org
owasp.net:
forums.owasp.net 216.48.3.23
www.owasp.net
mail.owasp.net 66.255.82.14
owasp.tw:
mail.owasp.tw
_domainkey.owasp.tw
owasp.org.tw:
www.owasp.org.tw
owasp.fr:
www.owasp.fr
esapi.org:
mail.esapi.org 216.48.3.18
www.esapi.org 216.48.3.18
webscarab.net 216.48.3.18:
ftp.webscarab.net
www.webscarab.net
pop.webscarab.net
smtp.webscarab.net
imap.webscarab.net
webscarab.com:
www.webscarab.com
imap.webscarab.com
ftp.webscarab.com
webscarab.org:
webgoat.org:
www.webgoat.org
imap.webgoat.org
news.webgoat.org
smtp.webgoat.org
ftp.webgoat.org
pop.webgoat.org
DNS servers
The DNS servers used are (except for owasp.tw, owasp.org.tw, owasp.fr and, more generally, any site located outside of the USA):
ns1.secure.net 192.220.124.10 (USA)
ns2.secure.net 192.220.125.10
For example,
for owasp.tw: ns1.eurodns.com 80.92.65.2 (Luxembourg), ns2.eurodns.com 80.92.67.140
for owasp.fr: a.dns.gandi.fr 217.70.179.40 (France), b.dns.gandi.fr 217.70.184.40
for owasp.org.tw: csn1.net-chinese.com.tw 202.153.205.76 (Taiwan), csn2.net-chinese.com.tw 202.130.187.243
People in charge
Every domain name (except owasp.fr and owasp.org.tw) was filed by: Laurence Casey
owasp.fr was filed by Sébastien Gioria (0623040051) for the Doing Soft company
owasp.org.tw by Wayne Huang, Armorize Technologies Inc
Administrators
www.owasp.org/index.php?title=Special%3AListUsers&group=sysop
Simple DNS queries
robtex.com
Use the robtex website, and search owasp.org in its DNS search engine: www.robtex.com/dns -> owasp.org
www.owasp.org is available on 216.48.3.18. It belongs to the subnet 216.48.2.0/23. This means that the available address range is 216.48.2.0 to 216.48.3.255.
dig
Note: you can also find the IP address with
$ dig owasp.org
The websites www.esapi.org, www.webscarab.net and www.owasp.org point to the same IP address.
The owasp.org DNS server is hosted by secure.net. Its mail server is hosted by Google.
google
A few google searches tell you:
google -> esapi.org
google -> owasp.net
google -> webscarab.net
google -> secure.net
esapi.org and webscarab.net are both Owasp projects. secure.net is owned by Secure Network Systems, a US company which develops professional software for physical access control (airports, etc.) with the US Army as a customer.
Looking up the IP 216.48.3.18 with robtex gives you: robtex.com/dns -> 216.48.3.18
Looking up owasp.* with robtex gives you:
- owasp.net
- owasp.de
- owasp.cz
Reverse DNS query on an IP address range
dnsbf.py
Owasp is hosted by Fastnet (http://www.fast.net/) in the USA.
Here, this information is not really relevant, because Owasp probably rents its servers there. Sometimes, such a query can lead to other servers held by the same company. Let's use the Python script dnsbf.py on the IP address range 216.48.2.0/23.
$ ./dnsbf.py 216.48.2.0/23
*****************************************
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************
begin search...
216.48.2.34 clarendon.my-vresume.com
216.48.2.10 mail.nvafamilypractice.com
216.48.4.251 ns1.croem.net
216.48.4.107 mail1.gulfstreamacademy.com
216.48.3.69 mail.nationalstrategiesinc.com
216.48.4.20 encirclepayments.com
216.48.3.90 mail.wssa.com
216.48.4.21 mail.encirclepayments.com
216.48.4.170 mail.wilhelminamiami.com
216.48.5.55 mail.eliteislandresorts.com
216.48.5.181 ns4.viomedia.com
216.48.3.10 mail.jandrroofing.com
216.48.4.194 amarinelli.com
216.48.2.74 mail.ppamedicalbilling.com
216.48.5.244 mail.terragroup.com
216.48.2.75 mail.hirestrategy.com
216.48.4.18 wxesrv01s.interpath
216.48.5.182 ns4.maquilon.com
216.48.4.253 mail.e-progroup.com
216.48.2.200 mailgate.catapulttechnology.com
216.48.4.162 mail.malloylaw.com
216.48.4.72 mail.amtel-security.com
216.48.2.194 fw.catapulttechnology.com
216.48.3.82 mail.wssa.com
216.48.3.92 freightoffice.wssa.com
216.48.3.29 mail.empiregroup.us
216.48.4.186 mail.marlinshowcase.com
216.48.2.3 smtp.advantagehomes.org
216.48.5.164 mailserver.federalmillwork.com
216.48.2.90 mail2.bgsb.net
216.48.3.122 mail3.bulletinnews.com
216.48.3.98 Mail.jamesmyersco.com
216.48.2.204 smtp.catapulttechnology.com
216.48.4.187 marlinshowcase.com
216.48.2.39 SMTP.edoptions.com
216.48.4.154 mail.krmlegal.com
216.48.5.162 mailserver.federalmillwork.com
216.48.4.106 gaamail.gulfstreamacademy.com
216.48.5.251 mail.eastridgerc.com
216.48.4.247 mail.croem.net
end of search
1023 ip tested, 40 names found, in 25 s
$
Dictionary DNS queries
It may be interesting to look for available Owasp.net subdomains (for example, mail.owasp.net).
dnsdic.py
Let's use the Python script dnsdic.py. dnsdic.py needs a dictionary file.
We take the file dns.txt from dnsenum 1.1 [3], written by jer001 [2]. By the way, we cannot resist the pleasure of quoting an excellent source of dictionaries: www.skullsecurity.org/wiki/index.php/Passwords
$ ./dnsdic.py -f ./dns.txt owasp.net
***************************************************
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************
begin search...
forums.owasp.net [] ['216.48.3.23']
owasp.net ['www.owasp.net'] ['216.48.3.18']
end of search
95 names tested, 2 hostnames found, in 6.032436 s
We find a server that the reverse DNS search had not detected: forums.owasp.net
$ ./dnsdic.py -f dns.txt webscarab.net
***************************************************
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************
begin search...
webscarab.net ['ftp.webscarab.net'] ['216.48.3.18']
webscarab.net ['www.webscarab.net'] ['216.48.3.18']
webscarab.net ['pop.webscarab.net'] ['216.48.3.18']
webscarab.net ['smtp.webscarab.net'] ['216.48.3.18']
end of search
95 names tested, 4 hostnames found, in 8.064246 s
$ ./dnsdic.py -f dns.txt esapi.org
***************************************************
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************
begin search...
esapi.org ['mail.esapi.org'] ['216.48.3.18']
esapi.org ['www.esapi.org'] ['216.48.3.18']
end of search
95 names tested, 2 hostnames found, in 2.036982 s
dnsdic.py does not give any result with owasp.org. Indeed, casting an eye over the robtex results, you note that owasp.org is covered by a wildcard record, *.owasp.org: any DNS request for an Owasp subdomain returns the main IP address.
And what about mail.owasp.net? We find an additional IP: 66.255.82.14. Still with robtex, a query on this IP gives:
robtex.com/dns -> mail.owasp.net
robtex.com/dns -> 66.255.28.14
It appears that Mr Casey hosts friends websites...
dnsmap
dnsmap is available with backtrack. It provides the IP addresses associated with a domain name.
root@bt:/pentest/enumeration/dns/dnsmap# ./dnsmap owasp.org
dnsmap 0.24 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] warning: the target domain might use wildcards. dnsmap will try to filter out false positives
[+] searching (sub)domains for owasp.org using built-in wordlist
forums.owasp.org
IP address #1: 216.48.3.19
groups.owasp.org
IP address #1: 74.125.47.121
localhost.owasp.org
IP address #1: 127.0.0.1
[+] warning: target domain might be vulnerable to "same site" scripting (http://snipurl.com/etbcv)
mail.owasp.org
IP address #1: 74.125.47.121
[+] 4 (sub)domains and 4 IP address(es) found
[+] completion time: 50 second(s)
dnsrecon
dnsrecon provides the top level domain names associated with a domain name. For example, with Owasp, you find Owasp.org, Owasp.net, Owasp.fr.
root@bt:/pentest/enumeration/dnsrecon# ruby dnsrecon.rb -tld owasp
owasp.org,216.48.3.18,A
owasp.net,216.48.3.18,A
owasp.cg,188.165.42.228,A
owasp.cz,81.0.246.60,A
owasp.fr,216.48.3.18,A
owasp.de,78.46.49.201,A
owasp.gr,69.93.193.98,A
owasp.hu,193.142.209.99,A
owasp.ir,213.175.221.136,A
owasp.kr,222.231.8.226,A
owasp.lt,79.98.25.1,A
owasp.my,202.190.179.45,A
owasp.mp,75.101.130.205,A
owasp.pw,70.87.29.150,A
owasp.pl,91.210.130.50,A
owasp.ph,203.119.6.249,A
owasp.ru,193.232.159.1,A
owasp.rw,94.23.192.35,A
owasp.ws,64.70.19.33,A
owasp.st,195.178.160.40,A
owasp.es,213.186.33.5,A
owasp.se,212.97.132.112,A
owasp.ch,88.191.227.205,A
owasp.tw,216.48.3.18,A
owasp.tk,193.33.61.2,A
owasp.tk,209.172.59.196,A
owasp.tk,94.103.151.195,A
owasp.tk,217.119.57.22,A
owasp.tv,64.99.80.30,A
owasp.vn,72.52.194.126,A
Attempt to transfer the DNS zone
Sometimes, the zone database of a misconfigured DNS server can be downloaded.
DNSWalk
root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk owasp.org.
Checking owasp.org.
Getting zone transfer of owasp.org. from ns1.secure.net...done.
SOA=ns1.secure.net contact=hostmaster.secure.net
WARN: owasp.org A 216.48.3.18: no PTR record
WARN: ads.owasp.org A 216.48.3.26: no PTR record
WARN: calendar.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: docs.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: es.owasp.org A 216.48.3.18: no PTR record
WARN: forums.owasp.org A 216.48.3.19: no PTR record
WARN: groups.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: lists.owasp.org A 216.48.3.22: no PTR record
WARN: mail.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: ml1lists.owasp.org A 216.48.3.30: no PTR record
WARN: stage.owasp.org A 216.48.3.20: no PTR record
WARN: voip.owasp.org A 216.48.3.22: no PTR record
0 failures, 12 warnings, 0 errors.
The attempt fails. Nevertheless, DNSWalk uses other techniques described in this article and gives:
216.48.3.19 forums.owasp.org
216.48.3.30 ml1lists.owasp.org
216.48.3.20 stage.owasp.org
Old DNS entries
dnshistory.org
Let's use dnshistory.org/ . This site keeps old DNS entries. Here, no result...
Website spidering
Burp Suite
Use Burp Suite. This tool configures a proxy on your computer and visits every internal link of a website.
A traceroute to ads.owasp.org gives the IP address 216.48.3.26
$ traceroute ads.owasp.org
Information about administrators
OWASP publishes a list of people who can administrate its Wiki:
www.owasp.org/index.php?title=Special%3AListUsers&group=sysop
Aholmes (Created on 27 September 2006 at 14:51)
Alison.McNamee (Created on 26 November 2007 at 22:22)
Aspectmichelle (Created on 24 August 2007 at 15:10)
Brennan (Created on 13 June 2006 at 00:07)
Dinis.cruz
Dwichers
Esheridan (Created on 31 July 2006 at 20:09)
Jason Li (Created on 17 April 2007 at 20:16)
Jcmax
Jeff Williams
Jeremy Ferragamo
KateHartmann (Created on 12 May 2008 at 14:01)
KirstenS (Created on 16 May 2008 at 11:38)
Laurence Casey
OWASP (Created on 23 June 2006 at 16:50)
Paulo Coimbra (Created on 4 July 2008 at 00:22)
RoganDawes
Sdeleersnyder
Weilin Zhong
Wichers
WikiSysop
X509 certificates
Sometimes, people publish their public key on X509 servers. That can provide email information. See hostmap.rb further on.
Whois
The WhoIs database.
$ whois owasp.org
Created On:21-Sep-2001 17:00:36 UTC
Last Updated On:15-Feb-2005 15:45:17 UTC
Expiration Date:21-Sep-2013 17:00:36 UTC
Sponsoring Registrar:Register.com Inc. (R71-LROR)
Registrant ID:546CEF135F727823
Registrant Name:Laurence Casey
Registrant Organization:OWASP Foundation
Registrant Street1:9175 Guilford Rd Suite 300
Registrant City:Columbia
Registrant Country:US
Registrant Phone:+1.3016044882
Registrant Email:larry.casey@owasp.org
$ whois owasp.org
Organisation Address. UNITED STATES
Admin Name........... Laurence Casey
Search engines
Simple query
google -> site:owasp.org
no relevant information.
subdomainer.py
Let's use Subdomainer.py from Edge-Security [4]:
$ python ./subdomainer.py -d owasp.org -l 10 -m yahoo
*************************************
*Subdomainer Ver. 1.3b *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies2k@yahoo.com.ar *
*************************************
Searching for owasp.org in yahoo
=======================================
Total results: 1998
Limit: 10
Searching results: 0
Subdomains founded:
====================
www.owasp.org
lists.owasp.org
Total results: 2
Going for extra check:
www.owasp.org ====> 216.48.3.18
lists.owasp.org ====> 216.48.3.22
You find a new subdomain: lists.owasp.org
MetaGoofil.py
Now, let's use the tool MetaGoofil.py (Edge-Security) [7].
Metagoofil.py is a script aimed at seeking information in the metadata of documents referenced by search engines (pdf, doc...). It needs extract ($ sudo apt-get install extract). It is also installed by default in /usr/bin. You need to modify the script to use this directory.
$ python ./metagoofil.py -d owasp.org -l 100 -f all -o tmp.html -t tmp-files
*************************************
*MetaGooFil Ver. 1.4a *
*Coded by Christian Martorella *
*Edge-Security Research *
*cmartorella@edge-security.com *
*************************************
[+] Command extract found, proceeding with leeching
[+] Searching in owasp.org for: pdf
[+] Total results in google: 496
[+] Limit: 800
[+] Searching results: 0
[+] Searching results: 20
[+] Searching results: 40
(...)
[+] Searching in owasp.org for: doc
[+] Total results in google: 86
(...)
[+] Searching in owasp.org for: xls
[+] Total results in google: 6
(...)
[+] Searching in owasp.org for: ppt
[+] Total results in google: 417
(...)
[+] Searching in owasp.org for: sdw
[+] Total results in google: 0
[+] Searching in owasp.org for: mdb
[+] Total results in google: 0
[+] Searching in owasp.org for: sdc
[+] Total results in google: 0
[+] Searching in owasp.org for: odp
[+] Total results in google: 1
(...)
Usernames found:
================
Paths found:
============
2005PaperTemplate\
\Program Files\Microsoft Office\Templates\1033\
Normal\
Professional Report\
OWASP Presentation Template\
OWASP Attacking J2EE\
Flow\
[+] Process finished
The searches on owasp.org give nothing.
$ python ./metagoofil.py -d owasp.net -l 800 -f all -o tmp.html -t tmp-files
$ python ./metagoofil.py -d forums.owasp.net -l 800 -f all -o tmp.html -t tmp-files
$ python ./metagoofil.py -d esapi.org -l 800 -f all -o tmp.html -t tmp-files
$ python ./metagoofil.py -d webscarab.net -l 800 -f all -o tmp.html -t tmp-files
The search on lists.owasp.org:
$ python ./metagoofil.py -d lists.owasp.org -l 800 -f all -o tmp.html -t tmp-files
(...)
Usernames found:
================
Paths found:
============
Normal\
owasp melbourne \
OWASP Presentation Template\
[+] Process finished
Shodan
Shodan is a website which lists configuration information and website vulnerabilities. www.shodanhq.com/?q=owasp.org
216.48.3.20 Linux recent 2.4 Added on 23.07.2009 United States
HTTP/1.1 301 Moved Permanently
Date: Fri, 24 Jul 2009 03:15:20 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wiki1134Token;string-contains=wiki1134LoggedOut;string-contains=wiki1134_session
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-modified: Fri, 24 Jul 2009 03:15:21 GMT
Location: stage.owasp.org/index.php/Main_...

216.48.3.26 Linux recent 2.4 Added on 21.07.2009 United States
HTTP/1.1 302 Found
Date: Tue, 21 Jul 2009 08:08:41 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Location: ads.owasp.org/www/admin/index.php
Connection: close
Content-Type: text/html; charset=UTF-8

216.48.3.18 Linux recent 2.4 Added on 21.07.2009 United States
HTTP/1.1 301 Moved Permanently
Date: Tue, 21 Jul 2009 08:08:29 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wiki15Token;string-contains=wiki15LoggedOut;string-contains=wiki15_session
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-Modified: Tue, 21 Jul 2009 08:08:29 GMT
Location: www.owasp.org/index.php/Main_Page Co...
You obtain the following information:
3 IPs: 216.48.3.18, 216.48.3.20, 216.48.3.26 (already known),
the Apache version at 07.23.2009: 2.2.9 (Fedora),
the PHP engine version at 07.23.2009: 5.2.6
This information is a bit too old to be relevant.
Web robots
Admins sometimes put information in their sitemap or robots file to tell robot engines where to go, and... where not to go, which can be interesting for you.
in firefox -> owasp.org/Robots.txt
in firefox -> owasp.org/sitemap.xml
www.owasp.org has no Robots.txt or sitemap.xml file.
Mix of techniques
Some tools use a panel of all the techniques described above.
Maltego
Maltego is a powerful graphical tool for footprinting. It can organize the results of its searches.
Download the community edition from www.paterva.com/
Start it on some Ips and the domain name owasp.org:
owasp.org
216.48.3.18
216.48.3.22
216.48.3.23
216.48.3.26
Here is the result:
Some elements can be added. You can see that Maltego does not immediately find every result you found before.
DNS MX - mail servers: owasp.com.tw
DNS zone transfer: localhost.owasp.org google6912a08c3a8ccdf0b.owasp.org ns.owasp.org docs.owasp.org calendar.owasp.org austin.owasp.org
DNS bruteforce: gateway.owasp.org secure.owasp.org intranet.owasp.org extranet.owasp.org web.owasp.org webmail.owasp.org ftp.owasp.org
shared IP: voip.owasp.org
domains linked to owasp.org: owasp.net owasp.tw owasp.com.tw owasp.org.tw owasp.fr owasp.nl owasp.pl owasp.cz owasp.it owasp.dk owasp.de owasp.info owasp.ch owasp.asia
hostmap.rb
Let's use another (great) tool: hostmap.rb. hostmap conducts iterative searches with DNS, search engines and X509 servers.
$ ruby hostmap.rb -t 216.48.3.18
hostmap 0.2.1 codename fissatina
Coded by Alessandro `jekil` Tanasi
[20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org
[20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org
[20:49] Found new hostname _adsp._domainkey.owasp.org
[20:49] Found new domain _domainkey.owasp.org
[20:49] Found new domain owasp.net
[20:49] Found new hostname www.owasp.net
[20:49] Found new hostname owasp.net
[20:49] Found new domain owasp.org
[20:49] Found new hostname _domainkey.owasp.org
[20:49] Found new hostname owasp.org
[20:49] Found new hostname www.owasp.org
[20:49] Found new hostname _policy._domainkey.owasp.org
[20:49] Found new hostname www.owasp.fr
[20:49] Found new domain owasp.fr
[20:49] Found new hostname owasp.fr
[20:49] Found new hostname www.webscarab.com
[20:49] Found new domain webscarab.com
[20:49] Found new hostname webscarab.com
[20:49] Found new hostname news.webgoat.org
[20:49] Found new domain webgoat.org
[20:49] Found new hostname webgoat.org
[20:49] Found new hostname austin.owasp.org
[20:49] Found new hostname ww.owasp.org
[20:49] Found new hostname jobs.owasp.org
[20:49] Found new hostname registration.owasp.org
[20:49] Found new hostname old.owasp.org
[20:49] Found new hostname ml1.owasp.org
[20:49] Found new hostname smtp.webgoat.org
[20:49] Found new hostname pop.webgoat.org
[20:49] Found new hostname www.webgoat.org
[20:49] Found new hostname forum.owasp.org
[20:49] Found new hostname es.owasp.org
[20:49] Found new hostname blogs.owasp.org
[20:49] Found new hostname beta.owasp.org
[20:49] Found new hostname imap.webgoat.org
[20:49] Found new hostname ftp.webgoat.org
[20:49] Found new hostname www2.owasp.org
[20:49] Found new hostname www.owasp.org.tw
[20:49] Found new domain owasp.org.tw
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new mail server aspmx3.googlemail.com
[20:52] Found new nameserver ns2.secure.net
[20:52] Detected a wildward domain: owasp.org
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new nameserver ns1.secure.net
[20:52] Found new mail server aspmx.l.google.com
[20:52] Found new mail server aspmx.l.google.com
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new mail server alt1.aspmx.l.google.com
[20:52] Detected a wildward domain: _domainkey.owasp.org
[20:52] Found new mail server alt1.aspmx.l.google.com
[20:52] Found new mail server aspmx4.googlemail.com
[20:52] Found new mail server aspmx5.googlemail.com
[20:52] Found new mail server aspmx5.googlemail.com
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new nameserver c.dns.gandi.net
[20:52] Found new mail server alt2.aspmx.l.google.com
[20:52] Found new mail server spool.mail.gandi.net
[20:52] Found new mail server aspmx2.googlemail.com
[20:53] Found new nameserver a.dns.gandi.net
[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:53] Found new mail server webscarab.com
[20:53] Found new mail server webscarab.com
[20:53] Found new mail server fb.mail.gandi.net
[20:53] Found new nameserver b.dns.gandi.net
[20:53] Found new mail server fb.mail.gandi.net
[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:53] Found new mail server webgoat.org
[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:53] Found new nameserver cns1.net-chinese.com.tw
[20:53] Found new nameserver cns2.net-chinese.com.tw
[20:56] Found new domain owasp.tw
[20:56] Found new domain webscarab.org
[20:56] Found new hostname owasp.tw
[20:56] Found new domain webscarab.net
[20:56] Found new domain webscarab.net
[20:56] Found new hostname webscarab.org
[20:56] Found new domain _domainkey.owasp.tw
[20:56] Found new hostname webscarab.net
[20:56] Found new hostname webscarab.net
[20:56] Found new hostname _domainkey.owasp.tw
[21:02] Found new hostname imap.webscarab.com
[21:02] Found new hostname ftp.webscarab.com
[21:02] Found new hostname imap.webscarab.com
[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Detected a wildward domain: owasp.tw
[21:03] Found new nameserver ns1.eurodns.com
[21:03] Found new mail server mail.owasp.tw
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Found new nameserver ns2.eurodns.com
[21:03] Found new mail server snowball.spidynamics.com
[21:03] Found new nameserver ns1.inflow.net
[21:03] Found new hostname mail.owasp.tw
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Found new nameserver ns4.inflow.net
[21:03] Found new mail server atl-mr01.spidynamics.com
[21:03] Found new mail server webscarab.net
[21:03] Found new nameserver ns2.inflow.net
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Found new nameserver ns3.inflow.net
[21:03] Found new nameserver ns5.inflow.net
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Detected a wildward domain: _domainkey.owasp.tw
[21:03] Found new nameserver ns6.inflow.net
[21:13] Found new hostname pop.webscarab.net
[21:13] Found new hostname pop.webscarab.net
[21:13] Found new hostname smtp.webscarab.net
[21:13] Found new hostname smtp.webscarab.net
[21:13] Found new hostname smtp.webscarab.net
[21:13] Found new hostname ftp.webscarab.net
[21:13] Found new hostname ftp.webscarab.net
[21:13] Found new hostname ftp.webscarab.net
[21:13] Found new hostname imap.webscarab.net
[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net
[21:13] Found new hostname imap.webscarab.net
[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net
[21:13] Found new hostname imap.webscarab.net
[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net
Results for 216.48.3.18

Served by name server (probably):
ns6.inflow.net
ns1.eurodns.com
c.dns.gandi.net
ns4.inflow.net
ns5.inflow.net
ns3.inflow.net
ns2.inflow.net
b.dns.gandi.net
ns1.inflow.net
a.dns.gandi.net
ns2.eurodns.com
ns2.secure.net
cns1.net-chinese.com.tw
ns1.secure.net
cns2.net-chinese.com.tw

Served by mail exchange (probably):
atl-mr01.spidynamics.com
aspmx2.googlemail.com
aspmx.l.google.com
mail.owasp.tw
webscarab.com
alt2.aspmx.l.google.com
aspmx3.googlemail.com
aspmx4.googlemail.com
snowball.spidynamics.com
webgoat.org
fb.mail.gandi.net
aspmx5.googlemail.com
alt1.aspmx.l.google.com
webscarab.net
spool.mail.gandi.net

Hostnames:
_adsp._domainkey.owasp.org
pop.webscarab.net
imap.webgoat.org
www.owasp.org
mail.owasp.tw
jobs.owasp.org
webscarab.com
imap.webscarab.com
www2.owasp.org
registration.owasp.org
news.webgoat.org
_policy._domainkey.owasp.org
owasp.org
smtp.webscarab.net
_domainkey.owasp.tw
smtp.webgoat.org
_domainkey.owasp.org
ftp.webscarab.net
webscarab.org
ftp.webgoat.org
es.owasp.org
www.owasp.net
austin.owasp.org
owasp.fr
owasp.tw
beta.owasp.org
www.webgoat.org
webgoat.org
owasp.net
www.owasp.org.tw
blogs.owasp.org
ftp.webscarab.com
webscarab.net
forum.owasp.org
ml1.owasp.org
old.owasp.org
www.webscarab.com
www.owasp.fr
imap.webscarab.net
pop.webgoat.org
ww.owasp.org
Fierce

Fierce (http://ha.ckers.org/fierce/) is a DNS search tool written in Perl for Linux. It first asks each nameserver of the domain for a zone transfer and, if that is refused, falls back to brute-forcing hostnames from a wordlist after checking for a wildcard record.
root@bt:/pentest/enumeration/fierce# cat ~/tmp.txt
Now logging to /root/tmp.txt
DNS Servers for owasp.org:
ns1.secure.net
ns2.secure.net

Trying zone transfer first...
Testing ns1.secure.net

Whoah, it worked - misconfigured DNS server found:
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. (
        2007080369 ; Serial
        86400 ; Refresh
        7200 ; Retry
        2592000 ; Expire
        86400 ) ; Minimum TTL
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN NS ns2.secure.net.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
austin.owasp.org. 86400 IN CNAME owasp.org.
calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
es.owasp.org. 86400 IN A 216.48.3.18
forums.owasp.org. 86400 IN A 216.48.3.19
google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.
groups.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
jobs.owasp.org. 86400 IN CNAME owasp.org.
lists.owasp.org. 86400 IN A 216.48.3.22
lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.
localhost.owasp.org. 86400 IN A 127.0.0.1
mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
ml1lists.owasp.org. 86400 IN A 216.48.3.30
registration.owasp.org. 86400 IN CNAME owasp.org.
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
www.owasp.org. 86400 IN CNAME owasp.org.

Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
** Found 94784227069.owasp.org at 216.48.3.18.
** High probability of wildcard DNS.
Now performing 1896 test(s)...
216.48.3.26 ads.owasp.org
216.48.3.19 forums.owasp.org
216.48.3.22 lists.owasp.org
127.0.0.1 localhost.owasp.org
216.48.3.20 stage.owasp.org
216.48.3.22 voip.owasp.org

Subnets found (may want to probe here using nmap or unicornscan):
127.0.0.0-255 : 1 hostnames found.
216.48.3.0-255 : 5 hostnames found.

Done with Fierce scan: ha.ckers.org/fierce/
Found 1895 entries.

Have a nice day.
Foca 2

www.informatica64.com/DownloadFOCA/

Foca 2 is a Windows tool which uses both search engines and DNS. It has a nice graphical interface and provides a useful spider for the website. It extracts metadata from documents, finds subdomains and IP addresses, and can map the domain's servers.
Conclusion

In this article, you could work through all the footprinting techniques, using a whole set of tools.
[/q]
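An added example for the Fierce zone-transfer and wildcard output in the quoted article; this is not code from the article, from Fierce or from hostmap. It is a small Python audit that parses a dig-style zone dump in the same "owner TTL IN TYPE RDATA" format Fierce printed, reports what an open AXFR hands out (wildcard records, loopback and RFC 1918 addresses, the address ranges the zone reveals, counted per subnet the way Fierce summarises them) and applies the same wildcard filtering that lets a brute-force run tell real hosts from "High probability of wildcard DNS" noise. The sample zone and the brute-force hits are constructed for this example in reserved example ranges; only the record format comes from the page.

```python
"""Audit the records that a DNS zone transfer (AXFR) exposes.

Added example, not code from the quoted article, Fierce or hostmap.
SAMPLE_ZONE and SAMPLE_HITS are constructed (documentation/reserved ranges),
not the real owasp.org data shown in the thread.
"""
import ipaddress
import re
from collections import Counter, namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# One resource record per line, as dig and Fierce print them.
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")

# Address space that should never appear in a public zone (RFC 1918 + IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample zone: same shape as the Fierce dump above.
SAMPLE_ZONE = """\
example.org. 86400 IN SOA ns1.example.net. hostmaster.example.net. ( 2007080369 86400 7200 2592000 86400 )
example.org. 86400 IN A 198.51.100.18
example.org. 86400 IN NS ns1.example.net.
example.org. 86400 IN MX 10 mx.example-mail.com.
example.org. 86400 IN TXT "v=spf1 include:example-mail.com ~all"
*.example.org. 86400 IN CNAME example.org.
localhost.example.org. 86400 IN A 127.0.0.1
intranet.example.org. 86400 IN A 10.0.5.7
lists.example.org. 86400 IN A 198.51.100.22
www.example.org. 86400 IN CNAME example.org.
"""

# Constructed brute-force results: a random label (wildcard noise) and a real host.
SAMPLE_HITS = {
    "94784227069.example.org.": "198.51.100.18",
    "lists.example.org.": "198.51.100.22",
}


def parse_zone(text):
    """Parse a zone dump into Record tuples. Lines that are not a complete
    'owner TTL IN TYPE RDATA' record (SOA continuation lines, blanks) are skipped."""
    records = []
    for line in text.splitlines():
        m = _RR.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(Record(name.lower(), int(ttl), rtype, rdata))
    return records


def audit_zone(records):
    """Flag what the zone gives away: wildcard owners, loopback and internal
    addresses, and a per-/24 (or /64) host count like Fierce's subnet summary."""
    findings = {"wildcards": [], "loopback": [], "private": [], "subnets": Counter()}
    for r in records:
        if r.name.startswith("*."):
            findings["wildcards"].append(r.name)
        if r.rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(r.rdata)
            if ip.is_loopback:
                findings["loopback"].append(r.name)
            elif any(ip in net for net in INTERNAL_NETS):
                findings["private"].append(r.name)
            prefix = 24 if ip.version == 4 else 64
            net = ipaddress.ip_network((str(ip), prefix), strict=False)
            findings["subnets"][str(net)] += 1
    return findings


def wildcard_targets(records):
    """Addresses that any '*.' record resolves to (one CNAME hop is followed
    inside the zone). A brute-forced name landing on one of these is noise."""
    a_by_name = {r.name: r.rdata for r in records if r.rtype in ("A", "AAAA")}
    targets = set()
    for r in records:
        if not r.name.startswith("*."):
            continue
        if r.rtype == "CNAME":
            targets.add(a_by_name.get(r.rdata.lower(), r.rdata.lower()))
        elif r.rtype in ("A", "AAAA"):
            targets.add(r.rdata)
    return targets


def filter_bruteforce_hits(hits, wildcard_ips):
    """Drop hits that only resolved because of the wildcard; this is why
    Fierce reports a handful of hosts out of roughly 1900 probes."""
    return {name: ip for name, ip in hits.items() if ip not in wildcard_ips}


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    report = audit_zone(recs)
    print(f"{len(recs)} records exposed by AXFR")
    print("wildcards:", report["wildcards"])
    print("loopback :", report["loopback"])
    print("private  :", report["private"])
    for net, n in report["subnets"].items():
        print(f"{net}: {n} hostnames found")
    real = filter_bruteforce_hits(SAMPLE_HITS, wildcard_targets(recs))
    print("real hosts after wildcard filtering:", sorted(real))
```

Feed it a dump taken from your own nameservers (the output of `dig @<nameserver> <zone> AXFR` is the format it reads): the transfer succeeding at all from an arbitrary client is the first finding, since BIND's `allow-transfer` should be limited to the secondaries, and a non-empty loopback or private list shows internal naming leaking into the public zone.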