Gathering information about websites

Forum of the Community of Competitive Intelligence Practitioners (СПКР)

Competitive intelligence, business intelligence, corporate intelligence,
open-source business intelligence.
We work strictly within the law.

Vinni
Administrator

Total posts: 2136
User rating: 22

Registered on the forum:
5 June 2009
Saw a decent online tool that gathers information about websites - _ttp://sucuri.net/index.php?page=scan
Vinni
Another tool for gathering information about all websites hosted on a given IP or DNS name (it uses the Bing search engine) - _ttp://code.google.com/p/finddomains/
Vinni
_ttp://madnet.name/tools/madss/ - an online tool that shows the list of domains on a given IP and the site structure (based on Google search results)
kyraless
Newcomer (writer)

Total posts: 17
User rating: 0

Registered on the forum:
29 July 2009
_ttp://2ip.ru/ - an online tool for getting information about a site or an IP address, checking whether an e-mail exists, etc.
fellix13
Member of СПКР

From: Yekaterinburg
Total posts: 530
User rating: 10

Registered on the forum:
24 Dec. 2010
_ttp://www.bname.ru - a site analyzer that gathers and presents various information about a site's promotion: it checks domains against the main indicators of effective promotion (Yandex TIC, Google PR, Alexa Rank), identifies the site's closest competitors, popular search keywords and much more.
Dimi3
Honored member

From: Minsk, Belarus
Total posts: 140
User rating: 2

Registered on the forum:
8 Apr. 2010
Here is another similar service for site analysis:
_ttp://www.cy-pr.com/
It seems that thanks to the SEO folks our tools are becoming more and more diverse...
bukvoed
Newcomer

Total posts: 1
User rating: 0

Registered on the forum:
27 Jan. 2011
robtex.com is a very informative little site.
Vinni
A decent methodology for gathering information about a domain belonging to an organization, and about much else besides :cool: (better to read the original source)

_ttp://infond.blogspot.com/2010/05/toturial-footprinting.html

[q]

A pentest must be planned and prepared by several preliminary actions to obtain the most comprehensive inventory of the target network's resources: hardware, software and even human. It is to recover the maximum information on the network architecture, operating systems, applications and users. This step should not be limited to port scanning or fingerprinting. Indeed, lots of information can be gathered through passive means, without any access to the target, for example using DNS servers or search engines such as Google. We must therefore distinguish passive - footprinting - and active recognition.

The aim of footprinting is to passively gather intelligence about web, mail, DNS, directory servers and look for IP addresses, domain names, network protocols, active services, operating systems, software and users. It is then followed by a phase of active recognition. This one completes knowledge of the audited network by active operations directly on the target system. It includes network scans, with specialized software such as NMAP, to find IP addresses, open ports and software running on the servers. This is referred to as port scanning and fingerprinting.

The purpose of this article is to present methods for passive recognition (footprinting). It also presents a practical implementation of footprinting. For teaching, we analyse the domain Owasp.org, using a full range of existing tools. We also use two Python scripts for multithreaded DNS search, dnsdic and dnsbf. The point is that most of the tools we present are complementary and useful for a deep recognition.

What is footprinting?

Footprinting is a security auditing technique, aimed at gathering intelligence about the infrastructure of a target network, only from information whose access is free and authorized. It is the first component of the information gathering step of a pentest, before port scanning and fingerprinting.

More precisely, the aim of footprinting is to find IP addresses, network address ranges and subdomain names. During the footprinting process, some services (mail, web, DNS) provided by servers can be discovered. With this information, a pentester is then able to further focus his research.

Footprinting is based on several techniques, based on DNS and search engines:
- DNS query: with a domain name, you obtain the associated IP. Any field of the DNS response can be exploited: A, MX, etc.,
- reverse DNS query: with an IP or an IP address range, you obtain domain names,
- dictionary DNS: with a domain name, you make DNS queries on usual subdomain names and top level domains. For example, from "mysite.com", you look for "smtp.mysite.com", "pop.mysite.com", etc. and then "mysite.fr", "mysite.org", etc.,
- attempt to transfer DNS zone: sometimes, the zone database of a misconfigured DNS server can be downloaded,
- website spidering: we gather any subdomain name met during the visit of all internal links in the website,
- recovery of old DNS entries: old DNS entries are sometimes listed by specialized websites,
- WhoIs database: you obtain the information legally provided for the domain name rental,
- search engine queries,
- X509 certificate queries,
- analysis of the website's robots.txt.


Tools

- www.robtex.com/ website which provides graphical information from DNS and WhoIs,
- dig: Linux command aimed at finding the IP address associated with a domain name,
- dnsbf: script for reverse DNS search in a whole subnet,
- dnsdic and its dictionary: script for DNS dictionary brute-force search of subdomain names,
- dnsmap: (backtrack) script for gathering IP addresses from a domain name,
- dnsrecon: (backtrack) script for top level domain name search. For example, for Owasp, we find owasp.org, owasp.net, owasp.fr, etc.,
- DNSWalk (backtrack) - sourceforge.net/projects/dnswalk/ ,
- Burp Suite www.portswigger.net/suite/ (java needed),
- dnshistory.org - old DNS entries,
- subdomainer.pl: (Edge-Security) script for gathering subdomain names with search engines,
- Metagoofil.py (backtrack) from Edge-Security. Script for information gathering in documents (pdf, doc...) referenced by Google. Metagoofil needs extract ($ sudo apt-get install extract). Moreover, it is installed by default in /usr/bin. Modify the script to use the executable from this directory,
- FoxyProxy (https://addons.mozilla.org/fr/firefox/addon/2464), Firefox extension useful with Burp Suite,
- Maltego (backtrack) - graphical footprinting tool - www.paterva.com/ ,
- Hostmap.rb: sourceforge.net/projects/hostmap remarkable script, written in Ruby, that conducts iterative queries on DNS, search engines and cryptographic key servers,
- Fierce (backtrack) - ha.ckers.org/fierce - Perl script for Linux to conduct DNS search,


Results
While you're reading this article, you'll find the following information:

Owasp.org is a website hosted by Fast.net. Its DNS servers are hosted by Secure.net, a BtoB US company with the US army as a customer.


domain names
The following domain names are linked to the IP address 216.48.3.18
owasp.org
esapi.org
webscarab.net
webscarab.com
webscarab.org
webgoat.org

owasp.asia
owasp.cg,188.165.42.228
owasp.ch
owasp.com.tw
owasp.cz,81.0.246.60
owasp.fr,216.48.3.18
owasp.de,78.46.49.201
owasp.dk
owasp.gr,69.93.193.98
owasp.hu,193.142.209.99
owasp.ir,213.175.221.136
owasp.kr,222.231.8.226
owasp.info
owasp.lt,79.98.25.1
owasp.my,202.190.179.45
owasp.mp,75.101.130.205
owasp.net
owasp.nl
owasp.org.tw
owasp.pw,70.87.29.150
owasp.pl,91.210.130.50
owasp.ph,203.119.6.249
owasp.ru,193.232.159.1
owasp.rw,94.23.192.35
owasp.tw
owasp.ws,64.70.19.33
owasp.st,195.178.160.40
owasp.es,213.186.33.5
owasp.se,212.97.132.112
owasp.ch,88.191.227.205
owasp.tw
owasp.tk,193.33.61.2
owasp.tk,209.172.59.196
owasp.tk,94.103.151.195
owasp.tk,217.119.57.22
owasp.tv,64.99.80.30
owasp.vn,72.52.194.126



IP addresses
Every IP address of the Owasp network belongs to the subnet 216.48.3.0/24. The IPs allocated to Owasp are:
216.48.3.18
216.48.3.19
216.48.3.20
216.48.3.22
216.48.3.23
216.48.3.26
216.48.3.30

The following address is interesting, because it points on websites owned by the creator of Owasp:
66.255.82.14

All of the following subdomains have the IP 216.48.3.18, except:

forums.owasp.org 216.48.3.19
stage.owasp.org 216.48.3.20
lists.owasp.org 216.48.3.22
voip.owasp.org 216.48.3.22
forums.owasp.net 216.48.3.23
ads.owasp.org 216.48.3.26
ml1lists.owasp.org 216.48.3.30
docs.owasp.org hosted by google
mail.owasp.org hosted by google
groups.owasp.org hosted by google
calendar.owasp.org hosted by google
mail.owasp.net 66.255.82.14


subdomains
owasp.org
ml1.owasp.org
www.owasp.org
www2.owasp.org
lists.owasp.org 216.48.3.22
ads.owasp.org 216.48.3.26
_adsp._domainkey.owasp.org
jobs.owasp.org
registration.owasp.org
_policy._domainkey.owasp.org
_domainkey.owasp.org
es.owasp.org
austin.owasp.org
beta.owasp.org
blogs.owasp.org
forum.owasp.org
old.owasp.org
ww.owasp.org
localhost.owasp.org
google6912a08c3a8ccdf0b.owasp.org
ns.owasp.org
docs.owasp.org
calendar.owasp.org
austin.owasp.org
gateway.owasp.org
secure.owasp.org
intranet.owasp.org
extranet.owasp.org
web.owasp.org
webmail.owasp.org
ftp.owasp.org
stage.owasp.org

owasp.net
forums.owasp.net 216.48.3.23
www.owasp.net
mail.owasp.net 66.255.82.14

owasp.tw
mail.owasp.tw
_domainkey.owasp.tw

www.owasp.org.tw

owasp.fr
www.owasp.fr

mail.esapi.org 216.48.3.18
www.esapi.org 216.48.3.18

webscarab.net 216.48.3.18
ftp.webscarab.net
www.webscarab.net
pop.webscarab.net
smtp.webscarab.net
imap.webscarab.net

webscarab.com
www.webscarab.com
imap.webscarab.com
ftp.webscarab.com

webscarab.org

webgoat.org
www.webgoat.org
imap.webgoat.org
news.webgoat.org
smtp.webgoat.org
ftp.webgoat.org
pop.webgoat.org


DNS servers
The DNS servers used are (except for owasp.tw, owasp.org.tw, owasp.fr and more generally any site located outside the USA):
ns1.secure.net 192.220.124.10 (USA)
ns2.secure.net 192.220.125.10

For example,

for owasp.tw:
ns1.eurodns.com 80.92.65.2 (Luxembourg)
ns2.eurodns.com 80.92.67.140

for owasp.fr
a.dns.gandi.fr 217.70.179.40 (France)
b.dns.gandi.fr 217.70.184.40

for owasp.org.tw:
csn1.net-chinese.com.tw 202.153.205.76 (Taiwan)
csn2.net-chinese.com.tw 202.130.187.243

people in charge
Every domain name (except owasp.fr and owasp.org.tw) was filed by:
Laurence Casey

owasp.fr was filed by Sébastien Gioria (0623040051) for Doing Soft company

owasp.org.tw by Wayne Huang Armorize technologies Inc


administrators
www.owasp.org/index.php?title=Special%3AListUsers&group=sysop



Simple DNS queries
robtex.com
Use robtex website, and search owasp.org in its dns search engine: www.robtex.com/dns -> owasp.org



www.owasp.org is available on 216.48.3.18. It belongs to the subnet 216.48.2.0/23. This means that the address range available is:
216.48.2.0 to 216.48.3.255.


dig
Note: you can also find the IP address with

$ dig owasp.org


Websites www.esapi.org, www.webscarab.net and www.owasp.org point to the same IP address

The owasp.org DNS server is hosted by secure.net
Its mail server is hosted by google.

google

A few google searches tell you:
google -> esapi.org
google -> owasp.net
google -> webscarab.net
google -> secure.net

esapi.org and webscarab.net are both Owasp projects
secure.net is owned by Secure Network Systems, a US company which develops professional software for physical access control (airports, etc.) with the US army as a customer.

Finding the IP 216.48.3.18 with robtex gives you: robtex.com/dns -> 216.48.3.18




Finding owasp.* with robtex gives you
- owasp.net
- owasp.de
- owasp.cz



reverse DNS query on an IP address range
dnsbf.py
Owasp is hosted by Fastnet (http://www.fast.net/) in USA.

Here, this information is not really relevant, because Owasp probably rents its servers there. Sometimes, such a query can lead to finding other servers held by the same company.
Let's use the Python script dnsbf.py on the IP address range: 216.48.2.0/23.

$ ./dnsbf.py 216.48.2.0/23

*****************************************
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

216.48.2.34 clarendon.my-vresume.com
216.48.2.10 mail.nvafamilypractice.com
216.48.4.251 ns1.croem.net
216.48.4.107 mail1.gulfstreamacademy.com
216.48.3.69 mail.nationalstrategiesinc.com
216.48.4.20 encirclepayments.com
216.48.3.90 mail.wssa.com
216.48.4.21 mail.encirclepayments.com
216.48.4.170 mail.wilhelminamiami.com
216.48.5.55 mail.eliteislandresorts.com
216.48.5.181 ns4.viomedia.com
216.48.3.10 mail.jandrroofing.com
216.48.4.194 amarinelli.com
216.48.2.74 mail.ppamedicalbilling.com
216.48.5.244 mail.terragroup.com
216.48.2.75 mail.hirestrategy.com
216.48.4.18 wxesrv01s.interpath
216.48.5.182 ns4.maquilon.com
216.48.4.253 mail.e-progroup.com
216.48.2.200 mailgate.catapulttechnology.com
216.48.4.162 mail.malloylaw.com
216.48.4.72 mail.amtel-security.com
216.48.2.194 fw.catapulttechnology.com
216.48.3.82 mail.wssa.com
216.48.3.92 freightoffice.wssa.com
216.48.3.29 mail.empiregroup.us
216.48.4.186 mail.marlinshowcase.com
216.48.2.3 smtp.advantagehomes.org
216.48.5.164 mailserver.federalmillwork.com
216.48.2.90 mail2.bgsb.net
216.48.3.122 mail3.bulletinnews.com
216.48.3.98 Mail.jamesmyersco.com
216.48.2.204 smtp.catapulttechnology.com
216.48.4.187 marlinshowcase.com
216.48.2.39 SMTP.edoptions.com
216.48.4.154 mail.krmlegal.com
216.48.5.162 mailserver.federalmillwork.com
216.48.4.106 gaamail.gulfstreamacademy.com
216.48.5.251 mail.eastridgerc.com
216.48.4.247 mail.croem.net

end of search
1023 ip tested, 40 names found, in 25 s
$


dictionary DNS queries
It may be interesting to look for Owasp.net available subdomains (for example, mail.owasp.net)

dnsdic.py
Let's use the Python script dnsdic.py
dnsdic.py needs a dictionary file.

We take the file dns.txt from dnsenum1.1 [3] written by jer001 [2].
By the way, we cannot resist the pleasure of quoting an excellent source of dictionaries: www.skullsecurity.org/wiki/index.php/Passwords

$ ./dnsdic.py -f ./dns.txt owasp.net

***************************************************
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

forums.owasp.net [] ['216.48.3.23']
owasp.net ['www.owasp.net'] ['216.48.3.18']

end of search
95 names tested, 2 hostnames found, in 6.032436 s

We find a server that had not been detected by the reverse DNS search: forums.owasp.net



$ ./dnsdic.py -f dns.txt webscarab.net

***************************************************
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

webscarab.net ['ftp.webscarab.net'] ['216.48.3.18']
webscarab.net ['www.webscarab.net'] ['216.48.3.18']
webscarab.net ['pop.webscarab.net'] ['216.48.3.18']
webscarab.net ['smtp.webscarab.net'] ['216.48.3.18']

end of search
95 names tested, 4 hostnames found, in 8.064246 s




$ ./dnsdic.py -f dns.txt esapi.org

***************************************************
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

esapi.org ['mail.esapi.org'] ['216.48.3.18']
esapi.org ['www.esapi.org'] ['216.48.3.18']

end of search
95 names tested, 2 hostnames found, in 2.036982 s



dnsdic.py does not give any result with owasp.org. Indeed, casting an eye to robtex results, you note that owasp.org is referenced by *.owasp.org . Any DNS request on an Owasp subdomain sends the main IP address as result.

And what about mail.owasp.net? We find an additional IP: 66.255.82.14. Still with robtex, a query with this IP gives:
robtex.com/dns -> mail.owasp.net
robtex.com/dns -> 66.255.28.14

It appears that Mr Casey hosts friends websites...


dnsmap
dnsmap is available with backtrack. It provides the IP addresses associated with a domain name.


root@bt:/pentest/enumeration/dns/dnsmap# ./dnsmap owasp.org
dnsmap 0.24 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] warning: the target domain might use wildcards. dnsmap will try to filter out false positives
[+] searching (sub)domains for owasp.org using built-in wordlist

forums.owasp.org
IP address #1: 216.48.3.19

groups.owasp.org
IP address #1: 74.125.47.121

localhost.owasp.org
IP address #1: 127.0.0.1
[+] warning: target domain might be vulnerable to "same site" scripting (http://snipurl.com/etbcv)

mail.owasp.org
IP address #1: 74.125.47.121

[+] 4 (sub)domains and 4 IP address(es) found
[+] completion time: 50 second(s)



dnsrecon
dnsrecon provides top level domain names associated with a domain name. For example, with Owasp, you find Owasp.org, Owasp.net, Owasp.fr


root@bt:/pentest/enumeration/dnsrecon# ruby dnsrecon.rb -tld owasp
owasp.org,216.48.3.18,A
owasp.net,216.48.3.18,A
owasp.cg,188.165.42.228,A
owasp.cz,81.0.246.60,A
owasp.fr,216.48.3.18,A
owasp.de,78.46.49.201,A
owasp.gr,69.93.193.98,A
owasp.hu,193.142.209.99,A
owasp.ir,213.175.221.136,A
owasp.kr,222.231.8.226,A
owasp.lt,79.98.25.1,A
owasp.my,202.190.179.45,A
owasp.mp,75.101.130.205,A
owasp.pw,70.87.29.150,A
owasp.pl,91.210.130.50,A
owasp.ph,203.119.6.249,A
owasp.ru,193.232.159.1,A
owasp.rw,94.23.192.35,A
owasp.ws,64.70.19.33,A
owasp.st,195.178.160.40,A
owasp.es,213.186.33.5,A
owasp.se,212.97.132.112,A
owasp.ch,88.191.227.205,A
owasp.tw,216.48.3.18,A
owasp.tk,193.33.61.2,A
owasp.tk,209.172.59.196,A
owasp.tk,94.103.151.195,A
owasp.tk,217.119.57.22,A
owasp.tv,64.99.80.30,A
owasp.vn,72.52.194.126,A


Attempt to transfer DNS zone

Sometimes, the zone database of a misconfigured DNS server can be downloaded.

DNSWalk

root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk owasp.org.
Checking owasp.org.
Getting zone transfer of owasp.org. from ns1.secure.net...done.
SOA=ns1.secure.net contact=hostmaster.secure.net
WARN: owasp.org A 216.48.3.18: no PTR record
WARN: ads.owasp.org A 216.48.3.26: no PTR record
WARN: calendar.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: docs.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: es.owasp.org A 216.48.3.18: no PTR record
WARN: forums.owasp.org A 216.48.3.19: no PTR record
WARN: groups.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: lists.owasp.org A 216.48.3.22: no PTR record
WARN: mail.owasp.org CNAME ghs.GOOGLE.COM: CNAME (to ghs.l.google.com)
WARN: ml1lists.owasp.org A 216.48.3.30: no PTR record
WARN: stage.owasp.org A 216.48.3.20: no PTR record
WARN: voip.owasp.org A 216.48.3.22: no PTR record
0 failures, 12 warnings, 0 errors.


The attempt fails. Nevertheless, DNSWalk uses other techniques described in this article and gives:
216.48.3.19 forums.owasp.org
216.48.3.30 ml1lists.owasp.org
216.48.3.20 stage.owasp.org



Old DNS entries
dnshistory.org
Let's use dnshistory.org/ . This site keeps old DNS entries. Here, no result...



Website spidering
Burp Suite
Use Burp Suite. This tool configures a proxy on your computer and visits every internal link of a website.




A traceroute to ads.owasp.org gives the IP address 216.48.3.26


$ traceroute ads.owasp.org




Information about administrators

Owasp publishes a list of people who can administer its Wiki:

www.owasp.org/index.php?title=Special%3AListUsers&group=sysop
Aholmes (Created on 27 September 2006 at 14:51)
Alison.McNamee (Created on 26 November 2007 at 22:22)
Aspectmichelle (Created on 24 August 2007 at 15:10)
Brennan (Created on 13 June 2006 at 00:07)
Dinis.cruz
Dwichers
Esheridan (Created on 31 July 2006 at 20:09)
Jason Li (Created on 17 April 2007 at 20:16)
Jcmax
Jeff Williams
Jeremy Ferragamo
KateHartmann (Created on 12 May 2008 at 14:01)
KirstenS (Created on 16 May 2008 at 11:38)
Laurence Casey
OWASP (Created on 23 June 2006 at 16:50)
Paulo Coimbra (Created on 4 July 2008 at 00:22)
RoganDawes
Sdeleersnyder
Weilin Zhong
Wichers
WikiSysop

X509 certificates
Sometimes, people publish their public key on X509 servers. That can provide email information. Cf. hostmap.rb below.


Whois

The WhoIs database.

$ whois owasp.org

Created On:21-Sep-2001 17:00:36 UTC
Last Updated On:15-Feb-2005 15:45:17 UTC
Expiration Date:21-Sep-2013 17:00:36 UTC
Sponsoring Registrar:Register.com Inc. (R71-LROR)
Registrant ID:546CEF135F727823
Registrant Name:Laurence Casey
Registrant Organization:OWASP Foundation
Registrant Street1:9175 Guilford Rd Suite 300
Registrant City:Columbia
Registrant Country:US
Registrant Phone:+1.3016044882
Registrant Email:larry.casey@owasp.org

$ whois owasp.org

Organisation Address. UNITED STATES
Admin Name........... Laurence Casey


Search engines

Simple query

google -> site:owasp.org

no relevant information.


subdomainer.py

Let's use Subdomainer.py from Edge-Security [4]:

$ python ./subdomainer.py -d owasp.org -l 10 -m yahoo

*************************************
*Subdomainer Ver. 1.3b *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies2k@yahoo.com.ar *
*************************************


Searching for owasp.org in yahoo
=======================================
Total results: 1998
Limit: 10
Searching results: 0

Subdomains founded:
====================

www.owasp.org
lists.owasp.org

Total results: 2
Going for extra check:

www.owasp.org ====> 216.48.3.18
lists.owasp.org ====> 216.48.3.22


You find a new subdomain: lists.owasp.org

MetaGoofil.py

Now, let's use the tool MetaGoofil.py (Edge-Security) [7].

Metagoofil.py is a script aimed at seeking information in the metadata of documents referenced by search engines (pdf, doc...). It needs extract ($ sudo apt-get install extract). It is also installed by default in /usr/bin. You need to modify the script to use this directory.


$ python ./metagoofil.py -d owasp.org -l 100 -f all -o tmp.html -t tmp-files

*************************************
*MetaGooFil Ver. 1.4a *
*Coded by Christian Martorella *
*Edge-Security Research *
*cmartorella@edge-security.com *
*************************************


[+] Command extract found, proceeding with leeching
[+] Searching in owasp.org for: pdf
[+] Total results in google: 496
[+] Limit: 800
[+] Searching results: 0
[+] Searching results: 20
[+] Searching results: 40

(...)

[+] Searching in owasp.org for: doc
[+] Total results in google: 86

(...)

[+] Searching in owasp.org for: xls
[+] Total results in google: 6

(...)

[+] Searching in owasp.org for: ppt
[+] Total results in google: 417

(...)

[+] Searching in owasp.org for: sdw
[+] Total results in google: 0
[+] Searching in owasp.org for: mdb
[+] Total results in google: 0
[+] Searching in owasp.org for: sdc
[+] Total results in google: 0
[+] Searching in owasp.org for: odp
[+] Total results in google: 1

(...)

Usernames found:
================


Paths found:
============

2005PaperTemplate\
\Program Files\Microsoft Office\Templates\1033\
Normal\
Professional Report\
OWASP Presentation Template\
OWASP Attacking J2EE\
Flow\

[+] Process finished

Searches in owasp.org give nothing.

$ python ./metagoofil.py -d owasp.net -l 800 -f all -o tmp.html -t tmp-files
$ python ./metagoofil.py -d forums.owasp.net -l 800 -f all -o tmp.html -t tmp-files
$ python ./metagoofil.py -d esapi.org -l 800 -f all -o tmp.html -t tmp-files
$ python ./metagoofil.py -d webscarab.net -l 800 -f all -o tmp.html -t tmp-files

The search in lists.owasp.org:
$ python ./metagoofil.py -d lists.owasp.org -l 800 -f all -o tmp.html -t tmp-files

(...)

Usernames found:
================


Paths found:
============

Normal\
owasp melbourne \
OWASP Presentation Template\
[+] Process finished



Shodan

Shodan is a website which lists configuration informations and website vulnerabilities.
www.shodanhq.com/?q=owasp.org


216.48.3.20
Linux recent 2.4
Added on 23.07.2009
United States

HTTP/1.1 301 Moved Permanently
Date: Fri, 24 Jul 2009 03:15:20 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wiki1134Token;string-contains=wiki1134LoggedOut;string-contains=wiki1134_session
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-modified: Fri, 24 Jul 2009 03:15:21 GMT
Location: stage.owasp.org/index.php/Main_...
216.48.3.26
Linux recent 2.4
Added on 21.07.2009
United States

HTTP/1.1 302 Found
Date: Tue, 21 Jul 2009 08:08:41 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Location: ads.owasp.org/www/admin/index.php
Connection: close
Content-Type: text/html; charset=UTF-8

216.48.3.18
Linux recent 2.4
Added on 21.07.2009
United States

HTTP/1.1 301 Moved Permanently
Date: Tue, 21 Jul 2009 08:08:29 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wiki15Token;string-contains=wiki15LoggedOut;string-contains=wiki15_session
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-Modified: Tue, 21 Jul 2009 08:08:29 GMT
Location: www.owasp.org/index.php/Main_Page
Co...


You obtain the following informations:

3 IPs: 216.48.3.18, 216.48.3.20, 216.48.3.26 (already known),
The Apache version at 07.23.2009: 2.2.9 (Fedora),
The PHP engine version at 07.23.2009: 5.2.6

This information is a bit too old to be relevant.


Web robots

Admins sometimes put information in their sitemap or robots file to tell search robots where to go, and... where not to go, which can be interesting for you.

in firefox -> owasp.org/Robots.txt
in firefox -> owasp.org/sitemap.xml


www.owasp.org has no Robots.txt or sitemap.xml file.



Mix of techniques

Some tools use a panel of all the techniques below.



Maltego
Maltego is a powerful graphical tool for footprinting. It can organize the results of its searches.

Download the community edition from www.paterva.com/

Start it on some IPs and the domain name owasp.org:

owasp.org
216.48.3.18
216.48.3.22
216.48.3.23
216.48.3.26

Here is the result:




Some elements can be added. You can see that Maltego does not immediately find every result you found before.

DNS MX - mail servers:
owasp.com.tw

DNS zone transfer
localhost.owasp.org
google6912a08c3a8ccdf0b.owasp.org
ns.owasp.org
docs.owasp.org
calendar.owasp.org
austin.owasp.org
DNS bruteforce
gateway.owasp.org
secure.owasp.org
intranet.owasp.org
extranet.owasp.org

web.owasp.org
webmail.owasp.org
ftp.owasp.org

sharedIP
voip.owasp.org

domains linked to owasp.org
owasp.net
owasp.tw
owasp.com.tw
owasp.org.tw
owasp.fr
owasp.nl
owasp.pl
owasp.cz
owasp.it
owasp.dk
owasp.de
owasp.info
owasp.ch
owasp.asia

hostmap.rb
Let's use another (great) tool: hostmap.rb
hostmap conducts iterative searches with DNS, search engines and X509 servers.

$ ruby hostmap.rb -t 216.48.3.18
hostmap 0.2.1 codename fissatina
Coded by Alessandro `jekil` Tanasi

[20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org
[20:49] Detected a wildcard entry in X.509 certificate for: *.owasp.org
[20:49] Found new hostname _adsp._domainkey.owasp.org
[20:49] Found new domain _domainkey.owasp.org
[20:49] Found new domain owasp.net
[20:49] Found new hostname www.owasp.net
[20:49] Found new hostname owasp.net
[20:49] Found new domain owasp.org
[20:49] Found new hostname _domainkey.owasp.org
[20:49] Found new hostname owasp.org
[20:49] Found new hostname www.owasp.org
[20:49] Found new hostname _policy._domainkey.owasp.org
[20:49] Found new hostname www.owasp.fr
[20:49] Found new domain owasp.fr
[20:49] Found new hostname owasp.fr
[20:49] Found new hostname www.webscarab.com
[20:49] Found new domain webscarab.com
[20:49] Found new hostname webscarab.com
[20:49] Found new hostname news.webgoat.org
[20:49] Found new domain webgoat.org
[20:49] Found new hostname webgoat.org
[20:49] Found new hostname austin.owasp.org
[20:49] Found new hostname ww.owasp.org
[20:49] Found new hostname jobs.owasp.org
[20:49] Found new hostname registration.owasp.org
[20:49] Found new hostname old.owasp.org
[20:49] Found new hostname ml1.owasp.org
[20:49] Found new hostname smtp.webgoat.org
[20:49] Found new hostname pop.webgoat.org
[20:49] Found new hostname www.webgoat.org
[20:49] Found new hostname forum.owasp.org
[20:49] Found new hostname es.owasp.org
[20:49] Found new hostname blogs.owasp.org
[20:49] Found new hostname beta.owasp.org
[20:49] Found new hostname imap.webgoat.org
[20:49] Found new hostname ftp.webgoat.org
[20:49] Found new hostname www2.owasp.org
[20:49] Found new hostname www.owasp.org.tw
[20:49] Found new domain owasp.org.tw
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new mail server aspmx3.googlemail.com
[20:52] Found new nameserver ns2.secure.net
[20:52] Detected a wildward domain: owasp.org
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new nameserver ns1.secure.net
[20:52] Found new mail server aspmx.l.google.com
[20:52] Found new mail server aspmx.l.google.com
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new mail server alt1.aspmx.l.google.com
[20:52] Detected a wildward domain: _domainkey.owasp.org
[20:52] Found new mail server alt1.aspmx.l.google.com
[20:52] Found new mail server aspmx4.googlemail.com
[20:52] Found new mail server aspmx5.googlemail.com
[20:52] Found new mail server aspmx5.googlemail.com
[20:52] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:52] Found new nameserver c.dns.gandi.net
[20:52] Found new mail server alt2.aspmx.l.google.com
[20:52] Found new mail server spool.mail.gandi.net
[20:52] Found new mail server aspmx2.googlemail.com
[20:53] Found new nameserver a.dns.gandi.net
[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:53] Found new mail server webscarab.com
[20:53] Found new mail server webscarab.com
[20:53] Found new mail server fb.mail.gandi.net
[20:53] Found new nameserver b.dns.gandi.net
[20:53] Found new mail server fb.mail.gandi.net
[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:53] Found new mail server webgoat.org
[20:53] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[20:53] Found new nameserver cns1.net-chinese.com.tw
[20:53] Found new nameserver cns2.net-chinese.com.tw
[20:56] Found new domain owasp.tw
[20:56] Found new domain webscarab.org
[20:56] Found new hostname owasp.tw
[20:56] Found new domain webscarab.net
[20:56] Found new domain webscarab.net
[20:56] Found new hostname webscarab.org
[20:56] Found new domain _domainkey.owasp.tw
[20:56] Found new hostname webscarab.net
[20:56] Found new hostname webscarab.net
[20:56] Found new hostname _domainkey.owasp.tw
[21:02] Found new hostname imap.webscarab.com
[21:02] Found new hostname ftp.webscarab.com
[21:02] Found new hostname imap.webscarab.com
[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:02] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:03] Plugin :bruteforcebydomain execution expired. Output: imap.webscarab.com imap.webgoat.org ftp.webgoat.org ftp.webscarab.com
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Detected a wildward domain: owasp.tw
[21:03] Found new nameserver ns1.eurodns.com
[21:03] Found new mail server mail.owasp.tw
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Found new nameserver ns2.eurodns.com
[21:03] Found new mail server snowball.spidynamics.com
[21:03] Found new nameserver ns1.inflow.net
[21:03] Found new hostname mail.owasp.tw
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Found new nameserver ns4.inflow.net
[21:03] Found new mail server atl-mr01.spidynamics.com
[21:03] Found new mail server webscarab.net
[21:03] Found new nameserver ns2.inflow.net
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Found new nameserver ns3.inflow.net
[21:03] Found new nameserver ns5.inflow.net
[21:03] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[21:03] Detected a wildward domain: _domainkey.owasp.tw
[21:03] Found new nameserver ns6.inflow.net
[21:13] Found new hostname pop.webscarab.net
[21:13] Found new hostname pop.webscarab.net
[21:13] Found new hostname smtp.webscarab.net
[21:13] Found new hostname smtp.webscarab.net
[21:13] Found new hostname smtp.webscarab.net
[21:13] Found new hostname ftp.webscarab.net
[21:13] Found new hostname ftp.webscarab.net
[21:13] Found new hostname ftp.webscarab.net
[21:13] Found new hostname imap.webscarab.net
[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net
[21:13] Found new hostname imap.webscarab.net
[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net
[21:13] Found new hostname imap.webscarab.net
[21:13] Plugin :bruteforcebydomain execution expired. Output: pop.webscarab.net smtp.webscarab.net ftp.webscarab.net imap.webscarab.net

Results for 216.48.3.18
Served by name server (probably)
ns6.inflow.net
ns1.eurodns.com
c.dns.gandi.net
ns4.inflow.net
ns5.inflow.net
ns3.inflow.net
ns2.inflow.net
b.dns.gandi.net
ns1.inflow.net
a.dns.gandi.net
ns2.eurodns.com
ns2.secure.net
cns1.net-chinese.com.tw
ns1.secure.net
cns2.net-chinese.com.tw
Served by mail exchange (probably)
atl-mr01.spidynamics.com
aspmx2.googlemail.com
aspmx.l.google.com
mail.owasp.tw
webscarab.com
alt2.aspmx.l.google.com
aspmx3.googlemail.com
aspmx4.googlemail.com
snowball.spidynamics.com
webgoat.org
fb.mail.gandi.net
aspmx5.googlemail.com
alt1.aspmx.l.google.com
webscarab.net
spool.mail.gandi.net
Hostnames:
_adsp._domainkey.owasp.org
pop.webscarab.net
imap.webgoat.org
www.owasp.org
mail.owasp.tw
jobs.owasp.org
webscarab.com
imap.webscarab.com
www2.owasp.org
registration.owasp.org
news.webgoat.org
_policy._domainkey.owasp.org
owasp.org
smtp.webscarab.net
_domainkey.owasp.tw
smtp.webgoat.org
_domainkey.owasp.org
ftp.webscarab.net
webscarab.org
ftp.webgoat.org
es.owasp.org
www.owasp.net
austin.owasp.org
owasp.fr
owasp.tw
beta.owasp.org
www.webgoat.org
webgoat.org
owasp.net
www.owasp.org.tw
blogs.owasp.org
ftp.webscarab.com
webscarab.net
forum.owasp.org
ml1.owasp.org
old.owasp.org
www.webscarab.com
www.owasp.fr
imap.webscarab.net
pop.webgoat.org
ww.owasp.org



Fierce
Fierce (http://ha.ckers.org/fierce/) is a DNS search tool written in Perl for Linux.


root@bt:/pentest/enumeration/fierce# cat ~/tmp.txt
Now logging to /root/tmp.txt
DNS Servers for owasp.org:
ns1.secure.net
ns2.secure.net

Trying zone transfer first...
Testing ns1.secure.net

Whoah, it worked - misconfigured DNS server found:
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. (
2007080369 ; Serial
86400 ; Refresh
7200 ; Retry
2592000 ; Expire
86400 ) ; Minimum TTL
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN NS ns2.secure.net.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
austin.owasp.org. 86400 IN CNAME owasp.org.
calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
es.owasp.org. 86400 IN A 216.48.3.18
forums.owasp.org. 86400 IN A 216.48.3.19
google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.
groups.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
jobs.owasp.org. 86400 IN CNAME owasp.org.
lists.owasp.org. 86400 IN A 216.48.3.22
lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.
localhost.owasp.org. 86400 IN A 127.0.0.1
mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
ml1lists.owasp.org. 86400 IN A 216.48.3.30
registration.owasp.org. 86400 IN CNAME owasp.org.
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
www.owasp.org. 86400 IN CNAME owasp.org.
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
** Found 94784227069.owasp.org at 216.48.3.18.
** High probability of wildcard DNS.
Now performing 1896 test(s)...
216.48.3.26 ads.owasp.org
216.48.3.19 forums.owasp.org
216.48.3.22 lists.owasp.org
127.0.0.1 localhost.owasp.org
216.48.3.20 stage.owasp.org
216.48.3.22 voip.owasp.org

Subnets found (may want to probe here using nmap or unicornscan):
127.0.0.0-255 : 1 hostnames found.
216.48.3.0-255 : 5 hostnames found.

Done with Fierce scan: ha.ckers.org/fierce/
Found 1895 entries.

Have a nice day.
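As an added example (not part of the quoted article, Fierce or hostmap), a small Python parser for the zone-transfer output shown above: it folds the multi-line SOA, strips BIND-style comments, and then summarises what a defender should review when AXFR is found open - the wildcard record, the hosts grouped per /24 (as Fierce's "Subnets found" line does) and the MX set in preference order. The embedded zone text is a subset copied from the listing above; the function names are my own.

```python
from collections import defaultdict

# Records copied from the zone-transfer listing above (a subset, to keep the sample short).
ZONE = """\
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. (
2007080369 ; Serial
86400 ; Refresh
7200 ; Retry
2592000 ; Expire
86400 ) ; Minimum TTL
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
forums.owasp.org. 86400 IN A 216.48.3.19
localhost.owasp.org. 86400 IN A 127.0.0.1
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
"""

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; folds '(...)' continuations, drops ';' comments."""
    records, buf = [], ""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # strip BIND-style comments
        if not line:
            continue
        buf = (buf + " " + line).strip()
        if "(" in buf and ")" not in buf:      # still inside a multi-line record (the SOA)
            continue
        buf = buf.replace("(", " ").replace(")", " ")
        owner, ttl, _cls, rtype, rdata = buf.split(None, 4)
        records.append((owner.rstrip("."), int(ttl), rtype, rdata))
        buf = ""
    return records

def summarize(records):
    """What a defender should review if AXFR is open: wildcard, hosts per /24, MX order."""
    subnets = defaultdict(set)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            subnets[rdata.rsplit(".", 1)[0] + ".0/24"].add(owner)
    wildcard = [o for o, _t, _r, _d in records if o.startswith("*.")]
    mx = sorted(
        (int(d.split()[0]), d.split()[1].rstrip(".").lower())
        for _o, _t, r, d in records if r == "MX")
    return {"wildcard": wildcard, "subnets": {k: sorted(v) for k, v in subnets.items()}, "mx": mx}
```

Run `summarize(parse_zone(ZONE))` to get the review summary; on the sample it reports the `*.owasp.org` wildcard, five hosts in 216.48.3.0/24 and one in 127.0.0.0/24.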



Foca 2
www.informatica64.com/DownloadFOCA/

Foca 2 is a Windows tool which uses both search engines and DNS. It has a nice graphical interface and provides a useful spider of the website. It finds metadata in documents, subdomains and IPs, and can map the domain's servers.






Conclusion
In this article, you have worked through every footprinting technique, using a whole set of tools.



References
1) OWASP Testing Guide - www.owasp.org/index.php/Category:OWASP_Testing_Project
2) Mission Security - Jer001 - look for subdomains - mission-security.blogspot.com/2008/03/pentesting-dns-look-for-subdomains.html
3) Filip Waeytens - dnsenum 1.1 - packetstormsecurity.org/filedesc/dnsenum1.1.tar-gz.html
4) Sensepost tools - www.sensepost.com/research_misc.html
5) Sensepost footprinting whitepaper - www.sensepost.com/restricted/BH_footprint2002_paper.pdf
6) Mission Security - Jer001 - mission-security.blogspot.com/2008/04/pentesting-discovery-phase-when.html
7) Edge Security tools - www.edge-security.com/soft.php
8) Alessandro 'Jekil' Tanasi - hostmap.rb - sourceforge.net/projects/hostmap/files//
[/q]
Vinni
Administrator

Total posts: 2136
User rating: 22


Link


Registered on the forum:
5 June 2009
A new version of Google Hack Database Tool has been released - a Python program that automates the search for all sorts of interesting information on a given site using 8000 queries (it only generates the queries for the target site, it does not execute them!) - _ttp://www.secpoint.com/freetools/google-hack-db-tool-1.1.zip Now you can get the URL with the query right away.




Vinni
Administrator

Total posts: 2136
User rating: 22


Link


Registered on the forum:
5 June 2009
TheHarvester - _ttps://code.google.com/p/theharvester/ (in Python)
Usage examples - _ttp://www.pentestit.com/2010/05/13/theharvester/ and _ttp://www.pentestit.com/2011/08/19/update-theharvester-v21-blackhat-edition/
