Leaked Network Security Information Analysis

Name: Allen Galvan
Due: 27 October 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #2: Reconnaissance (Fingerprinting), Passive Information Gathering
The Analysis of Leaked Network Security Information
Last printed 10/26/2005 1:40:00 AM



Contents

Exercise 1 – Internet Service Registration (p. 3)
Exercise 2 – Domain Name System (p. 4)
    Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers (p. 4)
    Dig (Unix tool to query DNS Servers) (p. 5)
    Zone Transfer (p. 5)
    Brute Force Reverse DNS Lookup (p. 6)
Exercise 3 – Search Engines (p. 7)
Exercise 4 – E Mail Systems (p. 8)
Exercise 5 – Naming Conventions (p. 9)
Exercise 6 – Website Analysis (p. 10)
Notes (p. 13)
Appendix (p. 14)
    Exercise 1 – Internet Service Registration (p. 15)
    Exercise 2 – Domain Name System (p. 15)
        Nslookup (Authoritative) using Network-Tools on ccc.edu (p. 15)
        Nslookup (Non-Authoritative) using Network-Tools on ccc.edu (p. 17)
        Nslookup (Authoritative) using Network-Tools on www.microsoft.com (p. 18)
        Nslookup (Non-Authoritative) using Network-Tools on microsoft.com (p. 19)
        Zone-Transfer of nexiliscom.com (p. 21)
        Zone-Transfer of microsoft.com (p. 23)
    Exercise 3 – Search Engines (p. 24)
        Netcraft Search Web by Domain for .google.com (p. 24)
    Exercise 4 – E Mail Systems (p. 25)
        Email Headers (p. 25)
    Exercise 5 – Naming Conventions (p. 27)
        Tracert of www.ccc.edu (p. 27)
    Exercise 6 – Website Analysis (p. 27)


Exercise 1 – Internet Service Registration

Internet Service Registration information gathering finds information based on the global registration and maintenance of IP address information. Whois is a service that queries top-level domains for information on a domain name. There are several Whois tools, provided by Network Solutions, ARIN, Geektools, and Sam Spade. Using these tools, the whois information was looked up for the websites below:

- ccc.edu
- microsoft.com
- citibank.com
- thesportsauthority.com
- baitnet.com

Answer the following questions:

What kinds of information are available for social engineering attacks?
- The actual name of the Registrant.
- An actual address.
- An actual phone number.

What kinds of information are available for technical attacks?
- The Maintainer (MNTNER) password is information that is available for technical attacks. If the password is weak, it could be broken, and this would lead to attacks such as DoS, URL spoofing, and identity theft.

Who owns the netblock (IP space)?
- The netblock is owned by the organization name.

What are the authoritative DNS servers?
- A server that knows the content of a DNS zone from local knowledge, and thus can answer queries about that zone without needing to query other servers.
- The authoritative servers are given in an authoritative query using the Network Service-based Whois lookup tool at http://network-tools.com/nslook/Default.asp

What are the IP addresses of those servers?
- The IP addresses of the servers are specified by the parameter inetnum in a Network Service-based Whois lookup.

The following table specifies information leakage vulnerabilities, possible attacks, and possible countermeasures.

| Information Leakage | Attack | Countermeasures |
|---|---|---|
| ISP | DNS Server Attack. Man in the Middle Attack. Zone Transfers. | Pick an ISP that has well secured information. |
| Address | Social Engineering Scams | Pick a PO Box, or use an Accountant's address. |
| Real Names | Social Engineering Scams | Pick generic function names, and pick generic email names. |
| Phone Numbers | Social Engineering Scams | Use a receptionist's general number. Have the receptionist take a message. |
| MNTNER Auth | Unauthorized changes to Registration. DoS. URL Spoofing. | Choose at least PGP authorization. Choose strong passwords. |

Figure 1: Whois Information Leakage, Attack & Countermeasures Summary

Exercise 2 – Domain Name System

Domain Name System (DNS) information gathering provides information on the local and global registration and maintenance of host naming. Use the service-based Whois (http://network-tools.com/nslook/Default.asp) to find record information for the websites below:

Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers

http://ccc.edu/
- A non-authoritative DNS server
- An authoritative DNS server
- Are there any differences?

Nslookup, using http://network-tools.com/nslook/Default.asp, retrieved more information in the authoritative response than in the non-authoritative response. Specifically, more Name Servers (type=NS) and more Authoritative (Canonical or Alias) Servers (type=A) were found in the authoritative response.

- Capture the output of each query. The output was captured in the appendix for Exercise 2, on page 15.

http://www.microsoft.com/
- A non-authoritative DNS server
- An authoritative DNS server
- Are there any differences?

Nslookup, using http://network-tools.com/nslook/Default.asp, retrieved more information in the authoritative response than in the non-authoritative response. Specifically, more Name Servers (type=NS) and more Authoritative (Canonical or Alias) Servers (type=A) were found in the authoritative response. Also, the primary DNS server (type=SOA) and all the mail servers (type=MX) are identified, all in the authoritative response.

- Capture the output of each query.
- Why are there multiple mail servers? There are multiple mail servers for load balancing and as redundant backups of each other.
- Why are there differences with IP addresses? There are different IP addresses for several reasons: load balancing; redundant backup; to accommodate different services for different customers; disaster recovery; to support regional branch office operations.

Dig (Unix tool to query DNS Servers)

Dig is the Unix-based Nslookup DNS query tool. Using Dig (http://www.ip-plus.net/tools/dig_dns_set.en.html), the domain nexiliscom.com is queried against the DNS server 209.180.121.65. What kind of interesting information is learned from here?

The authoritative servers, mail servers, and primary DNS server are displayed by this Dig query. The operating system is Linux. The network is sharing a printer.

Zone Transfer

A zone transfer is a special service in which DNS servers exchange the authoritative records for a domain between primary and secondary servers. Any client system can also query a DNS server and request a zone transfer. Using Dig (http://www.ip-plus.net/tools/dig_dns_set.en.html), the domain nexiliscom.com is queried against the DNS server 209.180.121.65.

What are the names and IP addresses of the systems?
- ns1.nexiliscom.com 209.180.121.65
- ns2.nexiliscom.com 209.180.121.67
- revolvstore.nexiliscom.com 209.180.121.65
- There were many other IP addresses listed on p. 22 under "Zone-Transfer of nexiliscom.com".

Can you guess what each system does?
- The primary name server is given: ns1.nexiliscom.com; its IP address is 209.180.121.65.
- The zone transfer also associated the primary name server ns1.nexiliscom.com with postmaster.nexiliscom.com. The embedded word "postmaster" implies an email function.
- The zone transfer information below suggests an email function, given the words "mail," "postmaster," and "newmail":

  "mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com"
  "ns1.nexiliscom.com postmaster.nexiliscom.com"
  "newmail.nexiliscom.com address 64.119.36.25"

- The zone transfer information below suggests possible services. The suggestive word is "store".

  "revolvstore.nexiliscom.com address 209.180.121.65"

- The zone transfer information below suggests that it might be a web server. The suggestive word is "web".

  "webtoo.nexiliscom.com address 64.119.36.28"

Try this against the domain microsoft.com, using DNS server NS1.MSFT.NET.
- Can a zone transfer be performed? Yes, a zone transfer was performed.
- Why or why not? Yes, a zone transfer was performed, but it seems to have yielded less information. The usual authoritative and name server information was available, as in the authoritative and non-authoritative Whois lookups.

How could an attacker use a zone transfer?
- First, the host name (e.g. postmaster.nexiliscom.com) suggests its function through the embedded word "postmaster."
- Second, these suggestive host names (e.g. "mail.nexiliscom.com address 209.180.121.65") are associated with an IP address. One could enter that IP address into a browser to see the web site, and infer its function.
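The inference made above by hand (reading a host's function from a word in its name, and noticing which names share one address) is exactly what a zone owner should do over their own zone before deciding who may transfer it. The following Python script is an added example, not part of the original lab and not the IP-Plus tool's code: it parses the "address ... maps to ..." warning lines that tool printed for nexiliscom.com (a constructed subset of the output reproduced in the appendix), groups the leaked names by IP address, and annotates each name with the function it gives away. The FUNCTION_HINTS table is an assumption; extend it to match the naming scheme being reviewed.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "*** WARNING ***" lines the IP-Plus DNS
# check tool printed for the nexiliscom.com zone transfer in the appendix.
SAMPLE_OUTPUT = """\
*** WARNING *** !!! mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! netsaint.nexiliscom.com address 209.180.121.67 maps to ns2.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 64.119.36.25 maps to newmail1.nexiliscom.com
*** WARNING *** !!! pop.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! revolvstore.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! smtp.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! test.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! webtoo.nexiliscom.com address 64.119.36.28 maps to ip028.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! www.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
"""

# Words that give away a host's function (assumed list; extend for your own naming scheme).
FUNCTION_HINTS = {
    "mail": "e-mail", "smtp": "e-mail", "pop": "e-mail", "postmaster": "e-mail",
    "web": "web server", "www": "web server", "store": "online store",
    "test": "test/staging system", "netsaint": "monitoring (NetSaint/Nagios)",
    "ns": "name server",
}

LINE_RE = re.compile(
    r"^\*\*\* WARNING \*\*\* !!! (\S+) address (\d+\.\d+\.\d+\.\d+) maps to (\S+)"
)


def parse_maps_to(text):
    """Return a list of (hostname, ip, reverse_name) tuples from check-tool output."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return records


def function_hints(hostname):
    """Return the set of functions suggested by the host name's leftmost label."""
    label = hostname.split(".")[0].lower()
    hints = set()
    for word, function in FUNCTION_HINTS.items():
        if word == "ns":
            # 'ns' only counts as a name server when it is ns followed by a number (ns1, ns2)
            if re.fullmatch(r"ns\d+", label):
                hints.add(function)
        elif word in label:
            hints.add(function)
    return hints


def review_zone(text):
    """Group the leaked names by IP address and annotate each with the functions it reveals."""
    by_ip = defaultdict(list)
    for hostname, ip, _reverse in parse_maps_to(text):
        by_ip[ip].append((hostname, sorted(function_hints(hostname))))
    return dict(by_ip)


if __name__ == "__main__":
    for ip, hosts in sorted(review_zone(SAMPLE_OUTPUT).items()):
        print(f"{ip}: {len(hosts)} name(s)")
        for hostname, hints in hosts:
            print(f"    {hostname:32s} reveals: {', '.join(hints) or '-'}")
```

Run against the full check-tool output, the grouping makes the countermeasure concrete: six of the nine names resolve to the single address 209.180.121.65, so a transfer reveals not just names but that mail, web, store and test functions are co-hosted on one machine, which is the kind of configuration detail the table below says should only reach trusted systems.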

Brute Force Reverse DNS Lookup

Do a brute force lookup on all of the IP addresses in the Class C space of www.ccc.edu, and answer the following questions.

Can you figure out how the batch file does its work?
- The input file is ips.txt. All desired IP addresses to look up are entered into this file. First, all the IP addresses are automatically written into the output file dsnout.txt. Next, if nslookup finds a "hot" (existing) IP address, it looks for a string called "Name" and outputs the parameter variable, with the reverse lookup of the IP (e.g. 206.166.50.100) to its corresponding host name (e.g. dns.lth1.k12.il.us).

What use is the output?
- The script quickly and automatically searched an IP range and identified "hot" (existing) IP addresses.
- It identified each existing IP address along with its reverse-lookup host name. It basically did an nslookup.
- This is the first stage of identifying places to look (IP addresses) to start to find any vulnerabilities.

What else do you know about the target network?
- It is possible to run a script on an IP address range based on the primary DNS server (type=SOA). This information was divulged by the nslookup tool of network-tools.
- One could start with all the name servers and the authoritative and non-authoritative server information from all the public whois and nslookup information, configure an IP address block (e.g. 206.166.50.0-206.166.50.254), and search for all "hot" (existing) IP addresses, including servers and PCs. The question always in mind would be: what hosts are vulnerable?
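The batch file is only described in prose above. As an added example (not the lab's batch file and not code from the course), the following Python reproduces its control flow so each step is visible: expand the address range that ips.txt would hold, look each address up, keep the value of the first "Name:" line where there is one, and write the IP-to-name pairs that dsnout.txt would contain. No network call is made: the lookup function is a stand-in that returns constructed nslookup output (only the 206.166.50.100 / dns.lth1.k12.il.us pair comes from the lab text; the rest are placeholders). A zone owner would plug in a real resolver and run it over their own netblock to see which of their hosts answer reverse lookups, which is what the countermeasure row for reverse lookup below is about.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of what `nslookup <ip>` prints. The first entry mirrors the
# pair quoted in the lab; the other names are placeholders, not real hosts.
FAKE_NSLOOKUP_OUTPUT = {
    "206.166.50.100": (
        "Server:  ns1.illinois.net\nAddress:  206.166.83.22\n\n"
        "Name:    dns.lth1.k12.il.us\nAddress:  206.166.50.100\n"
    ),
    "206.166.50.101": (
        "Server:  ns1.illinois.net\nAddress:  206.166.83.22\n\n"
        "*** ns1.illinois.net can't find 206.166.50.101: Non-existent domain\n"
    ),
    "206.166.50.102": (
        "Server:  ns1.illinois.net\nAddress:  206.166.83.22\n\n"
        "Name:    placeholder-host.invalid\nAddress:  206.166.50.102\n"
    ),
}


def fake_nslookup(ip: str) -> str:
    """Stand-in for running nslookup (assumption): returns canned output, no network access."""
    return FAKE_NSLOOKUP_OUTPUT.get(ip, f"*** can't find {ip}: Non-existent domain\n")


def extract_name(output: str) -> Optional[str]:
    """Mirror the batch file's search for the string "Name": return the value of the
    first 'Name:' line, or None when the reverse lookup found nothing."""
    for line in output.splitlines():
        if line.startswith("Name:"):
            return line.split(":", 1)[1].strip()
    return None


def expand_range(first: str, last: str) -> List[str]:
    """Equivalent of ips.txt: every address from first to last inclusive,
    e.g. 206.166.50.0 to 206.166.50.254 as the lab suggests."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(a, b + 1)]


def reverse_sweep(ips: List[str],
                  lookup: Callable[[str], str] = fake_nslookup) -> List[Tuple[str, Optional[str]]]:
    """Produce the dsnout.txt contents: every address is listed first, then the name
    the reverse lookup returned (None where the address is not 'hot')."""
    return [(ip, extract_name(lookup(ip))) for ip in ips]


def live_hosts(results: List[Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Only the 'hot' addresses: those that came back with a reverse name."""
    return {ip: name for ip, name in results if name}


if __name__ == "__main__":
    results = reverse_sweep(expand_range("206.166.50.96", "206.166.50.104"))
    for ip, name in results:
        print(f"{ip:16s} {name or '(no reverse record)'}")
    print(f"{len(live_hosts(results))} of {len(results)} addresses have reverse names")
```

The point of separating `extract_name` from the lookup is the same as in the batch file: the only signal used is whether a "Name" line came back, so an address with a PTR record is reported as live even if nothing is listening on it, and an address without one is missed even if a host is there. Reverse DNS is an inventory of what the zone publishes, not a host discovery result.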

| Information Leakage | Attack | Countermeasures |
|---|---|---|
| Zone Transfer | A zone transfer could be downloaded to yield the entire network configuration, as the initial stage of a DoS, DDoS, or social engineering attack. | Only allow zone transfers to trusted systems. Configure the server to only allow certain IP addresses. Restrict port 53. |
| Reverse Lookup | Given netblock information, it is possible to reverse lookup host names. This could be the first stage of a DoS, DDoS, or social engineering attack. | The server should be configured to only allow access on a restricted basis and only to trusted system IP addresses. |

Exercise 3 – Search Engines

Search engines gather information on an organization and its employees.

Go to the web site www.netcraft.com, and answer the following questions regarding ".google.com" (remembering to include the dot preceding google.com):

How many systems are there?
- The search found 144 systems.

Which systems are NOT using Linux operating systems?
- There are some systems whose operating system is designated as "unknown".

Which systems are NOT using Google netblocks?
- All the systems yielded information on Google netblocks.

What kinds of information can you learn from the site information link?
- Domain: google.com
- NetBlock Owner: Google Inc.
- Domain Registry: markmonitor.com
- Site DNS name: http://1.qos.google.com
- IP address: 66.102.9.147

Go to the web site www.netcraft.com, and answer the following questions regarding ".ccc.edu" (remembering to include the dot preceding ccc.edu):

Of the servers owned by City Colleges in Chicago, are there any differences between this list and the list found doing the brute force DNS lookup?

| Information Leakage | Attacks | Countermeasures |
|---|---|---|
| Cache Information | Cached pages and information could be retrieved as the first stage of a DoS, DDoS, or social engineering attack. | Control the cache information and metadata to limit third-party caching. |
| Error Messages | Information on hardware configuration and component information could be leaked in the error messages. This could be used as the first stage of a DoS, DDoS, or social engineering attack. | Make error messages generic, without hardware or application information embedded in the message. |
| Company Confidential Information made Public | Employees could leak information that could be used as the first stage of a DoS, DDoS, or social engineering attack. | Train employees not to leak confidential company information into the public domain. |
| Public Documents | Company documents could be made public that leak information that could be used as the first stage of a DoS, DDoS, or social engineering attack. | If company documents are to be posted publicly on the web, remove all sensitive internal information. |
| The robots.txt file | An attacker could get information on a company's system with which to perpetrate a DoS, DDoS, or social engineering attack. | Restrict access to this file. Restrict the information in this file. |


Exercise 4 – E Mail Systems

Email system information gathering uses information found within the email system and email messages.

Go to http://www.spamcop.net/fom-serve/cache/19.html to discover how to look at email headers. Send an email from your school email account to your personal email account. Look at the headers and answer the following questions:

What are the IP addresses of the systems that handled this mail?
- Received: from 207.115.20.36 (flpvm06.prodigy.net)
- Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
- by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910
- Received: from agalvan1 [216.125.49.114] by student.ccc.edu ()

What kinds of servers handled the mail?
- SMTP servers
- Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev

Is the same path taken both ways?
- Yes, the same path is taken both ways.

Can you tell what kind of email systems handled the messages?
- SMTP servers

Using the list of possible SMTP mail systems, grab ccc.edu's mail server banner.
- I couldn't find the ccc.edu server banner.
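Reading the Received: chain by eye, as above, is error-prone because each relay prepends its own header, so the top line is the last hop. The script below is an added example (not part of the lab, and not from the spamcop page) that does the reading mechanically with the standard library: it parses each Received: header into sender, receiver, software comment and message id, reverses them into chronological order, and lists every IP address the chain exposes. The sample headers are constructed from the three Received: lines quoted in the answer; the "by" host of the final hop is a labelled placeholder because the lab does not show it. This is the same check a mail administrator runs on outbound mail to see what internal host names and software versions leave the organization.

```python
import re
from email.parser import HeaderParser

# Constructed sample built from the Received: lines quoted in the lab answer.
# The "by mailbox.example.invalid (placeholder)" part of the first line is a
# placeholder: the lab does not show which host received the final hop.
SAMPLE_HEADERS = """\
Received: from 207.115.20.36 (flpvm06.prodigy.net) by mailbox.example.invalid (placeholder) with ESMTP
Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910
Received: from agalvan1 [216.125.49.114] by student.ccc.edu ()
Subject: header test

"""

# One Received: clause: "from <host> [(comment)] [[ip]] by <host> [(comment)] ... [id <id>]"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\((?P<from_comment>[^)]*)\))?"   # e.g. (student.ccc.edu [216.125.49.18])
    r"(?:\s+\[(?P<from_ip>[\d.]+)\])?"        # e.g. [216.125.49.114]
    r"\s+by\s+(?P<by>\S+)"
    r"(?:\s+\((?P<by_comment>[^)]*)\))?"      # e.g. (8.12.10 083104/8.12.10): receiver's software
    r"(?:.*?\bid\s+(?P<id>\S+))?"
)
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_hop(value: str) -> dict:
    """Break one Received: header value into sender, receiver, sender IPs and receiver software."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return {"raw": value}
    before_by = value.split(" by ", 1)[0]   # IPs here belong to the sending side
    return {
        "from": m.group("from"),
        "from_ips": IP_RE.findall(before_by),
        "by": m.group("by"),
        "software": m.group("by_comment") or "",
        "id": m.group("id") or "",
    }


def mail_path(raw_headers: str) -> list:
    """Each relay prepends its Received: header, so reversing gives chronological order."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def leaked_addresses(raw_headers: str) -> list:
    """Every IP address exposed by the Received: chain, first hop first, de-duplicated."""
    seen = []
    for hop in mail_path(raw_headers):
        for ip in hop.get("from_ips", []):
            if ip not in seen:
                seen.append(ip)
    return seen


def software_banners(raw_headers: str) -> dict:
    """Receiver host -> software/version comment it stamped into the header."""
    return {hop["by"]: hop["software"] for hop in mail_path(raw_headers) if hop.get("software")}


if __name__ == "__main__":
    for n, hop in enumerate(mail_path(SAMPLE_HEADERS), 1):
        print(f"hop {n}: {hop['from']} {hop['from_ips']} -> {hop['by']} "
              f"[{hop['software'] or 'no version'}] id={hop['id'] or '-'}")
    print("addresses exposed:", leaked_addresses(SAMPLE_HEADERS))
```

The first hop is the interesting one from a leakage standpoint: the workstation name agalvan1 and its internal address 216.125.49.114 travel with the message to every recipient, and the prodigy.net relay adds its sendmail-style version string. Stripping or rewriting the first Received: header at the outbound gateway is the usual fix.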

Exercise 5 – Naming Conventions

Naming conventions describe how an organization categorizes its host devices.

At a DOS command line prompt, type the command "tracert www.ccc.edu" and answer the following questions.

Can you deduce the naming convention (if any)?
- The physical location is used in the naming convention.
- The owner company is used in the naming convention.
- One of the routers indicates it could be part of a Virtual LAN (VLAN).

Can you deduce what operating system is being used from the name?
- The operating system might be VLAN 5.0.

Can you deduce the physical location of the host from the name?
- These routers are all in Chicago:

  Ads1-68-72-175-254.ds1.chcgil.ameritech.net
  Dist2-vlan50.chcgil.ameritech.net
  Bb2-g7-0.chcgil.ameritech.net
  Ex1-p0-0.eqchil.sbcglobal.net
  Chcgil1wcx1-pos9-0-oc48.wcg.net
  Chcgil1wxc1-dept-central-mgmt.wcg.net
  Ge-1-0-ans-sob1.chicago.lincon.net
  Ge2-1.sob11.chicago.lincon.net

Can you determine which device is the perimeter router?
- 192.168.1.1 is my originating perimeter router.
- 206.166.90.246 is the target perimeter router.

Which netblock (IP block) is owned by the target?
- Illinois Century Network owns the netblock.

| Information Leakage | Attack | Countermeasures |
|---|---|---|
| Device Location | Could be used to determine the network configuration and lead to DoS, DDoS, or stealing financial or confidential information. | Refrain from naming devices with location information. |
| Device Function | Could be used to determine the network configuration and lead to DoS, DDoS, or stealing financial or confidential information. | Refrain from naming conventions with function information. |

Exercise 6 – Website Analysis

Website analysis is an information gathering technique that uses public information via web sites. The discovered information may expose the system to unintended vulnerabilities.

There are many sources of information from the website. Look at the HTML source code for:

- Passwords.
- Comments and other useful information.
- Disabled code.
- Meta-tags containing the signatures of the development tools used to build the site.
- Email addresses for social engineering attacks.
- Accidental links to internal resources.
- Error pages, which can leak important details about the structure of the website; for example, that the website is stored on drive D.

When I looked at the web page http://www.robotstxt.org/wc/active/html/googlebot.html, it was clean of any extraneous information that did not pertain to the displayed web page.
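The checklist above can be turned into a pre-publication scan of a site's own pages. The script below is an added example, not code from the lab or from WebSPHINX: using only the standard-library HTML parser, it reports the leak types the list names (passwords in comments, commented-out code, generator meta-tags, mailto addresses, links to internal hosts, and local drive paths). The sample page is constructed to contain one of each; the credential in the comment, the host names and the .invalid addresses are placeholders, not real values. The category rules (which words mark an internal host, what counts as a password) are assumptions to adjust for the site being reviewed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page containing one instance of each leak type from the
# checklist above. All names, addresses and the credential are placeholders.
SAMPLE_HTML = """\
<html><head>
<meta name="generator" content="Microsoft FrontPage 5.0">
<title>Department</title>
</head><body>
<!-- TODO: remove test login, user=webadmin pass=Summer2005 -->
<a href="mailto:webmaster@dept.invalid">Contact</a>
<a href="http://intranet.corp.invalid/reports/">Internal reports</a>
<a href="file:///D:/inetpub/wwwroot/old/index.htm">Old page</a>
<!-- <a href="admin/console.asp">Admin console</a> -->
<p>Welcome.</p>
</body></html>
"""

PASSWORD_RE = re.compile(r"(pass(word)?|pwd)\s*[=:]", re.I)
DRIVE_PATH_RE = re.compile(r"^(file:///?)?[A-Za-z]:[/\\]")
# Assumed markers of internal resources: intranet-style host names and RFC 1918 ranges.
INTERNAL_RE = re.compile(
    r"^(https?://)?(intranet|internal|localhost|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", re.I
)


class LeakScanner(HTMLParser):
    """Collect (category, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        text = data.strip()
        if PASSWORD_RE.search(text):
            self.findings.append(("password in comment", text))
        elif "<" in text and ">" in text:          # markup inside a comment = disabled code
            self.findings.append(("disabled code", text))
        else:
            self.findings.append(("comment", text))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("development tool signature", a.get("content", "")))
        if tag == "a" and "href" in a:
            href = a["href"]
            if href.lower().startswith("mailto:"):
                self.findings.append(("email address", href[7:]))
            elif DRIVE_PATH_RE.match(href):
                self.findings.append(("local drive path", href))
            elif INTERNAL_RE.search(href):
                self.findings.append(("link to internal resource", href))


def scan_html(source: str) -> list:
    """Return the findings for one page, in document order."""
    scanner = LeakScanner()
    scanner.feed(source)
    scanner.close()
    return scanner.findings


def summarize(findings: list) -> dict:
    """Count findings per category, for a quick go/no-go before publishing."""
    counts = {}
    for category, _detail in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_html(SAMPLE_HTML)
    for category, detail in found:
        print(f"{category:28s} {detail}")
    print(summarize(found))
```

The scanner is deliberately simple: it flags every comment, because whether a comment is harmless is a judgement the reviewer must make, while the password and disabled-code rules only narrow the ones that need attention first.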

WebSPHINX
- By looking at the source code and the structure of the web site, what kinds of information can you glean? The HTML source code yielded hyperlinks to other colleges and other hyperlinks related to www.ccc.edu.
- How might it be used in an attack? By using WebSPHINX on the web site http://wright.ccc.edu/department/forensics/index.asp, WebSPHINX touched all the links under http://wright.ccc.edu/department/forensics. All the different hyperlinks could be perused for information that could be used in a social engineering attack.

Information in binary files, regarding the downloaded file http://www.bergkaprowlewis.co.uk/budget2002/revce1.doc:
- Use the "strings" program to extract ASCII text. I couldn't extract any ASCII text using strings.
- What kinds of metadata are found here? I found the following metadata: the author was found to be "Fred Rothwell"; the company name was "Her Majesty's Treasure"; Date Created: 9/27/2005 2:21 AM; Date Last Saved: 9/29/2005 2:21 AM; Last Printed: 4/17/2002 4:11 AM; Edit Time: 12:00 AM.
- Anything that could be useful in an attack? The author's name and company name could be used in a social engineering attack.
- What is the redacted text from lines 4–12? The redacted text was "draft".


| Information Leakage | Attack | Countermeasures |
|---|---|---|
| Personal Information | Could be used in a social engineering attack. | All personal information should be restricted. Any contact information should point to generic emails or to the main company phone number. |
| Error Message Pages | Could be used to determine the devices of a network as a prelude to a DoS, DDoS, or financial information attack. | Error messages should be made standard and generic, without function, device, or location information. |
| Web Server Banners | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | Web server banners should be rewritten in a way different from the manufacturer's standard header, and without function, device, or location information. |
| Document Properties | Could be used in a social engineering attack. | Strong passwords should be used. User names should be restricted. |
| Web code and Client code | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | All code should be cleaned of all "dead" code. |


Notes

These are the other papers of reference:
- An Overview of Passive Information Gathering Techniques for Network Security, http://www.ottawa.drdc-rddc.gc.ca/docs/e/TM2004-073.pdf
- Passive Information Gathering, The Analysis of Leaked Network Security Information, http://www.ngssoftware.com/papers/NGSJan2004PassiveWP.pdf

NGS NISR, Next Generation Security Software Ltd.
Passive Information Gathering: The Analysis of Leaked Network Security Information
Gunter Ollmann, Professional Services Director

Outline of the paper:
- Abstract (p.1)
- Information Leakage (p.2)
- Definition of "Passive" (p.2)
- Passive Information Gathering Techniques (p.4)
- Whois (p.5)
  - Network Service-Based WHOIS (p.6): Network service-based WHOIS data provides details of network management data.
  - Netblock Registration Maintenance (p.9): Netblock registration maintenance is normally carried out in a secure and controlled manner.
  - Name Service-Based WHOIS (p.11): Name service-based WHOIS data provides a number of details about a domain.
- Domain Name System (p.16)
- Zone Transfers (p.20)
- Reverse resolution (p.22)
- DNS Brute force (p.24)
- Search Engines (p.26)
- Email systems (p.29)
- Trace Route (tracert) (p.36): displays the number of hops between the originating host IP (192.168.100.1) and www.example.com.
  - Cisco-gw.example.com [212.84.xx.1]: probably the start of a netblock; suggests it is a border router for example.com and that it is made by Cisco.
  - Cpfw1.example.com [212.84.xx.2]: almost certainly a Checkpoint Firewall-1 firewall host.
- Web Server Banner (p.39):
  Server: Zeus/4.2
  Server: Microsoft IIS/6.0
  Server: Apache/2.0.48-dev (Unix)

Appendix


Exercise 1 – Internet Service Registration

Exercise 2 – Domain Name System

Nslookup (Authoritative) using Network-Tools on ccc.edu

NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)
domain: ccc.edu   query type: ANY - Any type
server: NS1.ILLINOIS.NET   query class: IN - Internet
port: 53   timeout (ms): 5000
no recursion   advanced output

NS1.ILLINOIS.NET [206.166.83.22] returned an authoritative response in 31 ms:

Answer records (name class type data time-to-live)
ccc.edu  IN  MX   preference: 0   exchange: pobox.ccc.edu      600s (10m)
ccc.edu  IN  MX   preference: 5   exchange: pobox2.ccc.edu     600s (10m)
ccc.edu  IN  MX   preference: 10  exchange: guardian.ccc.edu   600s (10m)
ccc.edu  IN  NS   ns1.msa1.illinois.net   600s (10m)
ccc.edu  IN  NS   ns1.illinois.net        600s (10m)
ccc.edu  IN  NS   ns2.illinois.net        600s (10m)
ccc.edu  IN  NS   guardian.ccc.edu        600s (10m)
ccc.edu  IN  A    216.125.49.11           600s (10m)
ccc.edu  IN  SOA  server: ns1.msa1.illinois.net  email: [email protected]  serial: 2005062401  refresh: 10800  retry: 3600  expire: 604800  minimum ttl: 600   600s (10m)

Authority records (name class type data time-to-live)
ccc.edu  IN  NS   ns1.msa1.illinois.net   600s (10m)
ccc.edu  IN  NS   ns1.illinois.net        600s (10m)
ccc.edu  IN  NS   ns2.illinois.net        600s (10m)
ccc.edu  IN  NS   guardian.ccc.edu        600s (10m)

Additional records (name class type data time-to-live)
pobox.ccc.edu          IN  A  216.125.49.10   600s (10m)
pobox2.ccc.edu         IN  A  216.125.49.50   600s (10m)
guardian.ccc.edu       IN  A  216.125.49.254  600s (10m)
ns1.msa1.illinois.net  IN  A  206.166.50.100  60s (1m)
ns1.illinois.net       IN  A  206.166.83.22   3600s (1h)
ns2.illinois.net       IN  A  206.166.17.200  3600s (1h)
-- end --


Nslookup (Non-Authoritative) using Network-Tools on ccc.edu

NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)
domain: ccc.edu   query type: ANY - Any type
server: 66.98.244.52   query class: IN - Internet
port: 53   timeout (ms): 5000
no recursion   advanced output

[66.98.244.52] returned a non-authoritative response in 94 ms:

Answer records (name class type data time-to-live)
ccc.edu  IN  MX   preference: 0   exchange: pobox.ccc.edu      600s (10m)
ccc.edu  IN  MX   preference: 5   exchange: pobox2.ccc.edu     600s (10m)
ccc.edu  IN  MX   preference: 10  exchange: guardian.ccc.edu   600s (10m)
ccc.edu  IN  NS   ns1.msa1.illinois.net   600s (10m)
ccc.edu  IN  NS   ns1.illinois.net        600s (10m)
ccc.edu  IN  NS   ns2.illinois.net        600s (10m)
ccc.edu  IN  NS   guardian.ccc.edu        600s (10m)
ccc.edu  IN  A    216.125.49.11           600s (10m)
ccc.edu  IN  SOA  server: ns1.msa1.illinois.net  email: [email protected]  serial: 2005062401  refresh: 10800  retry: 3600  expire: 604800  minimum ttl: 600   600s (10m)

Authority records
[none]

Additional records (name class type data time-to-live)
pobox.ccc.edu     IN  A  216.125.49.10   600s (10m)
pobox2.ccc.edu    IN  A  216.125.49.50   600s (10m)
guardian.ccc.edu  IN  A  216.125.49.254  600s (10m)
-- end --

Nslookup (Authoritative) using Network-Tools on www.microsoft.com


NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)
domain: microsoft.com   query type: ANY - Any type
server: 207.46.138.20   query class: IN - Internet
port: 53   timeout (ms): 5000
no recursion   advanced output

[207.46.138.20] returned an authoritative response in 94 ms:

Header
rcode: Success   id: 0   opcode: Standard query
is a response: True   authoritative: True
recursion desired: True   recursion avail: False
truncated: False
questions: 1   answers: 12   authority recs: 0   additional recs: 11

Questions (name class type)
microsoft.com  IN  ANY

Answer records (name class type data time-to-live)
microsoft.com  IN  A    207.46.250.119   3600s (1h)
microsoft.com  IN  A    207.46.130.108   3600s (1h)
microsoft.com  IN  NS   ns3.msft.net     172800s (2d)
microsoft.com  IN  NS   ns4.msft.net     172800s (2d)
microsoft.com  IN  NS   ns5.msft.net     172800s (2d)
microsoft.com  IN  NS   ns1.msft.net     172800s (2d)
microsoft.com  IN  NS   ns2.msft.net     172800s (2d)
microsoft.com  IN  SOA  server: dns.cp.msft.net  email: [email protected]  serial: 2005092003  refresh: 300  retry: 600  expire: 2419200  minimum ttl: 3600   3600s (1h)
microsoft.com  IN  MX   preference: 10  exchange: mailc.microsoft.com   3600s (1h)
microsoft.com  IN  MX   preference: 10  exchange: maila.microsoft.com   3600s (1h)
microsoft.com  IN  MX   preference: 10  exchange: mailb.microsoft.com   3600s (1h)
microsoft.com  IN  TXT  v=spf1 mx redirect=_spf.microsoft.com   3600s (1h)

Authority records
[none]

Additional records (name class type data time-to-live)
ns3.msft.net         IN  A  213.199.144.151  3600s (1h)
ns4.msft.net         IN  A  207.46.66.75     3600s (1h)
ns5.msft.net         IN  A  207.46.138.20    3600s (1h)
ns1.msft.net         IN  A  207.46.245.230   3600s (1h)
ns2.msft.net         IN  A  64.4.25.30       3600s (1h)
mailc.microsoft.com  IN  A  207.46.121.52    3600s (1h)
mailc.microsoft.com  IN  A  207.46.121.53    3600s (1h)
maila.microsoft.com  IN  A  131.107.3.125    3600s (1h)
maila.microsoft.com  IN  A  131.107.3.124    3600s (1h)
mailb.microsoft.com  IN  A  131.107.3.123    3600s (1h)
mailb.microsoft.com  IN  A  207.46.121.51    3600s (1h)
-- end --

Nslookup (Non-Authoritative) using Network-Tools on microsoft.com

NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)
domain: microsoft.com   query type: ANY - Any type
server: 66.98.244.52   query class: IN - Internet
port: 53   timeout (ms): 5000
no recursion   advanced output

[66.98.244.52] returned a non-authoritative response in 0 ms:

Answer records (name class type data time-to-live)
microsoft.com  IN  NS  ns5.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN  NS  ns4.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN  NS  ns3.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN  NS  ns2.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN  NS  ns1.msft.net  171510s (1d 23h 38m 30s)

Authority records
[none]

Additional records
[none]
-- end --


Zone-Transfer of nexiliscom.com

DNS check tool (IP-Plus, http://www.ip-plus.net/tools/domaincheck.cgi), 9/26/2005 1:56 AM
Domain nexiliscom.com, DNS server 209.180.121.65
Setting Source IP Address to : "164.128.36.54"
Check if the server "209.180.121.65" is configured for "nexiliscom.com" ... ok.

Check SOA Record ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types SOA
Trying nexiliscom.com ...
nexiliscom.com 3600 IN SOA ns1.nexiliscom.com postmaster.nexiliscom.com (
    2005083001 ;serial (version)
    3600 ;refresh period (1 hour)
*** WARNING *** Refresh 3600 , use recommended value "10800"
    3600 ;retry interval (1 hour)
    3600 ;expire time (1 hour)
*** WARNING *** Expire 3600 , use recommended value "604800"
    3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"

Check NS Records ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types NS
Trying nexiliscom.com ...
Query done, 2 answers, authoritative status: no error
nexiliscom.com 3600 IN NS ns2.nexiliscom.com
ns2.nexiliscom.com is secondary nameserver
nexiliscom.com 3600 IN NS ns1.nexiliscom.com
ns1.nexiliscom.com is primary nameserver
Additional information:
ns1.nexiliscom.com 3600 IN A 209.180.121.65
ns2.nexiliscom.com 3600 IN A 209.180.121.67
Found IP address "209.180.121.67" for server "ns2.nexiliscom.com"
Found IP address "209.180.121.65" for server "ns1.nexiliscom.com"

Check SOA Record for Consistency on all Servers ...
nexiliscom.com NS ns1.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005083001 3600 3600 3600 3600)
*** WARNING *** !!! nexiliscom.com SOA refresh+retry exceeds expire
*** WARNING *** !!! nexiliscom.com SOA expire is less than 1 week (1 hour)
nexiliscom.com NS ns2.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005060901 3600 3600 3600 3600)
*** WARNING *** !!! ns2.nexiliscom.com and ns1.nexiliscom.com have different serial for nexiliscom.

Check Zone Transfer
This may take a while, please wait ...
/opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D done.
*** WARNING *** !!! nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! atensubmissions.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.
*** WARNING *** !!! mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! memorial-unborn.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.
*** WARNING *** !!! mms1.nexiliscom.com address 64.119.36.27 maps to ip027.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! netsaint.nexiliscom.com address 209.180.121.67 maps to ns2.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 64.119.36.25 maps to newmail1.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 209.180.121.66 maps to newmail2.nexiliscom.com
*** WARNING *** !!! ns3.nexiliscom.com address 64.119.36.26 maps to ip026.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! pop.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! revolvstore.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! smtp.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! test.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! webtoo.nexiliscom.com address 64.119.36.28 maps to ip028.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! www.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
No errors found in "nexiliscom.com"
21 warnings found in "nexiliscom.com"
Possible error messages and warnings


Zone-Transfer of microsoft.com

Source: IP-Plus DNS check tool, http://www.ip-plus.net/tools/domaincheck.cgi (printed 9/26/2005 6:36 PM)

Domain microsoft.com, DNS server ns1.msft.net
Found IP address "207.46.245.230" for server "ns1.msft.net"
Setting Source IP Address to : "164.128.36.54"
Check if the server "ns1.msft.net" is configured for "microsoft.com" ... ok.
Check SOA Record ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types SOA
Trying microsoft.com ...
microsoft.com 3600 IN SOA dns.cp.msft.net msnhst.microsoft.com (
        2005092601 ;serial (version)
        300 ;refresh period (5 minutes)
*** WARNING *** Refresh 300 , use recommended value "10800"
        600 ;retry interval (10 minutes)
*** WARNING *** Retry 600 , use recommended value "3600"
        2419200 ;expire time (4 weeks)
*** WARNING *** Expire 2419200 , use recommended value "604800"
        3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"
Check NS Records ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types NS
Trying microsoft.com ...
Query done, 5 answers, authoritative status: no error
microsoft.com 172800 IN NS ns5.msft.net
ns5.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns1.msft.net
ns1.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns2.msft.net
ns2.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns3.msft.net
ns3.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns4.msft.net
ns4.msft.net is secondary nameserver
Additional information:
ns5.msft.net 3600 IN A 207.46.138.20
ns1.msft.net 3600 IN A 207.46.245.230
ns2.msft.net 3600 IN A 64.4.25.30
ns3.msft.net 3600 IN A 213.199.144.151
ns4.msft.net 3600 IN A 207.46.66.75
Found IP address "207.46.138.20" for server "ns5.msft.net"
*** WARNING *** failed reverse lookup for "207.46.138.20"
*** WARNING *** 207.46.138.20 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.245.230" for server "ns1.msft.net"
*** WARNING *** failed reverse lookup for "207.46.245.230"
*** WARNING *** 207.46.245.230 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "64.4.25.30" for server "ns2.msft.net"
*** WARNING *** failed reverse lookup for "64.4.25.30"
*** WARNING *** 64.4.25.30 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "213.199.144.151" for server "ns3.msft.net"
*** WARNING *** failed reverse lookup for "213.199.144.151"
*** WARNING *** 213.199.144.151 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.66.75" for server "ns4.msft.net"
*** WARNING *** failed reverse lookup for "207.46.66.75"
*** WARNING *** 207.46.66.75 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
*** ERROR *** NS record for primary nameserver "dns.cp.msft.net" missing.
Check SOA Record for Consistency on all Servers ...
microsoft.com NS ns1.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
*** WARNING *** !!! microsoft.com SOA primary dns.cp.msft.net is not advertised via NS
*** WARNING *** !!! microsoft.com SOA retry exceeds refresh
microsoft.com NS ns2.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns3.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns4.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns5.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
Check Zone Transfer
This may take a while, please wait ...
/opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D done.
*** ERROR *** 207.46.245.230 (207.46.245.230) connect: Connection timed out
2 errors found in "microsoft.com" please correct
11 warnings found in "microsoft.com"
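The two runs above differ in the one result that matters for reconnaissance: the zone transfer from ns1.nexiliscom.com succeeded and listed every name in the zone (netsaint, test, mms1, webtoo, revolvstore and the rest), while the transfer from ns1.msft.net timed out. Everything else the tool reported is a handful of arithmetic rules on the SOA record plus a comparison of forward and reverse records. The Python below is an added example written for this edit, not code from the lab report or from the IP-Plus tool; the function and class names are mine. The constants are transcribed from the output on the preceding pages (the nexiliscom.com SOA 2005083001 3600 3600 3600 3600, the lagging ns2 serial 2005060901, the microsoft.com SOA 2005092601 300 600 2419200 3600), and the forward/reverse maps are a constructed subset of the names the AXFR disclosed. The one-week expire floor is the tool's own threshold.

```python
"""Re-run the SOA and delegation checks the IP-Plus tool applied above.

Added example for this edit; not code from the lab report or from the
IP-Plus tool.  All constants are transcribed from the tool output on the
preceding pages; the forward/reverse maps are a constructed subset of the
names the nexiliscom.com zone transfer disclosed.
"""
from __future__ import annotations

from dataclasses import dataclass

ONE_WEEK = 7 * 24 * 3600


@dataclass(frozen=True)
class Soa:
    mname: str      # primary master named in the SOA (MNAME)
    serial: int
    refresh: int    # how often a secondary polls the master
    retry: int      # how soon it retries after a failed poll
    expire: int     # how long it keeps serving the zone without contact
    minimum: int    # negative-caching TTL


def check_soa_timers(soa: Soa) -> list[str]:
    """Timer combinations that make secondaries stale or drop the zone."""
    warnings = []
    if soa.refresh + soa.retry > soa.expire:
        # A secondary that cannot reach the master throws the zone away
        # before it has completed even one retry cycle: the domain goes
        # dark instead of degrading gracefully.
        warnings.append("refresh+retry exceeds expire")
    if soa.retry > soa.refresh:
        warnings.append("retry exceeds refresh")
    if soa.expire < ONE_WEEK:
        warnings.append("expire is less than 1 week")
    return warnings


def check_delegation(soa: Soa, ns_records: set[str]) -> list[str]:
    """The master the SOA names should itself be advertised in the NS set."""
    if soa.mname not in ns_records:
        return [f"SOA primary {soa.mname} is not advertised via NS"]
    return []


def check_serials(serials: dict[str, int]) -> list[str]:
    """All authoritative servers should answer with the same zone version;
    a lagging serial means one of them is serving stale data."""
    if len(set(serials.values())) <= 1:
        return []
    return [f"nameservers disagree on serial: {sorted(serials.items())}"]


def check_reverse(forward: dict[str, str], reverse: dict[str, str]) -> list[str]:
    """Forward names whose address reverse-resolves to a different name.

    Not a fault in itself (many names legitimately share one host), but to
    a recon analyst each line says which services are co-located where.
    """
    out = []
    for name, ip in sorted(forward.items()):
        ptr = reverse.get(ip)
        if ptr is None:
            out.append(f"{name}: no PTR for {ip}")
        elif ptr != name:
            out.append(f"{name} address {ip} maps to {ptr}")
    return out


def audit(soa, ns, serials, forward, reverse) -> list[str]:
    return (check_soa_timers(soa) + check_delegation(soa, ns)
            + check_serials(serials) + check_reverse(forward, reverse))


# --- constructed test data, transcribed from the tool output above ----------
NEXILIS = Soa("ns1.nexiliscom.com", 2005083001, 3600, 3600, 3600, 3600)
NEXILIS_NS = {"ns1.nexiliscom.com", "ns2.nexiliscom.com"}
NEXILIS_SERIALS = {"ns1.nexiliscom.com": 2005083001,
                   "ns2.nexiliscom.com": 2005060901}
# A few of the names the successful AXFR disclosed, with the PTRs reported.
NEXILIS_FORWARD = {"www.nexiliscom.com": "209.180.121.65",
                   "mail.nexiliscom.com": "209.180.121.65",
                   "netsaint.nexiliscom.com": "209.180.121.67",
                   "ns1.nexiliscom.com": "209.180.121.65"}
NEXILIS_REVERSE = {"209.180.121.65": "ns1.nexiliscom.com",
                   "209.180.121.67": "ns2.nexiliscom.com"}

MICROSOFT = Soa("dns.cp.msft.net", 2005092601, 300, 600, 2419200, 3600)
MICROSOFT_NS = {f"ns{i}.msft.net" for i in range(1, 6)}

if __name__ == "__main__":
    for line in audit(NEXILIS, NEXILIS_NS, NEXILIS_SERIALS,
                      NEXILIS_FORWARD, NEXILIS_REVERSE):
        print("nexiliscom.com:", line)
    for line in check_soa_timers(MICROSOFT) + check_delegation(MICROSOFT, MICROSOFT_NS):
        print("microsoft.com:", line)
```

Run as-is it reproduces the "!!!" findings above: refresh+retry exceeds expire and a sub-week expire for nexiliscom.com, the ns1/ns2 serial disagreement, the "maps to" lines for the shared host, and for microsoft.com the unadvertised SOA primary and retry exceeding refresh. The script works offline from transcribed values; the transfer itself, which `dig @ns1.nexiliscom.com nexiliscom.com AXFR` would request, is the step that the tool's hostsqs call performed and that microsoft.com's servers did not answer.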

Exercise 3 – Search Engines

Netcraft Search Web by Domain for .google.com

Source: Netcraft - Search Web by Domain, http://searchdns.netcraft.com/?host=.google.com&position=limited&loo... (printed 9/26/2005 9:48 PM; index of 70,884,595 web sites as of 27th September 2005)

Results for .google.com: found 144 sites (first page of 20 shown)

 #   Site                            First seen       Netblock      OS
 1.  1.qos.google.com                May 2004         Google Inc.   Linux
 2.  35820365512262.qos.google.com   November 2002    Google Inc.   Linux
 3.  adsense.google.com              September 2004   Google Inc.   Linux
 4.  adwords.google.com.au           August 2004      Google Inc.   unknown
 5.  adwords.google.com.br           November 2003    Google Inc.   Linux
 6.  adwordstest.google.com          October 2003     Google Inc.   Linux
 7.  america.google.com              November 2003    Google Inc.   Linux
 8.  answer.google.com               January 2003     Google Inc.   Linux
 9.  aol.google.com                  August 2004      Google Inc.   Linux
10.  api.google.com                  June 2002        Google Inc.   Linux
11.  asia.google.com                 November 2003    Google Inc.   Linux
12.  catalog.google.com              April 2002       Google Inc.   Linux
13.  catalogues.google.com           June 2002        Google Inc.   Linux
14.  console.google.com              May 2001         Google Inc.   Linux
15.  desktop.google.com              December 2004    Google Inc.   Linux
16.  dir.google.com                  November 2001    Google Inc.   Linux
17.  directory.google.com            August 2001      Google Inc.   Linux
18.  download.google.com             November 2004    Google Inc.   Linux
19.  ent-demo9.google.com            October 2004     Google Inc.   Linux
20.  europe.google.com               November 2003    Google Inc.   Linux

Exercise 4 – E Mail Systems

Email Headers

X-Apparently-To: [email protected] via 66.163.170.105; Mon, 26 Sep 2005 20:54:45 -0700
X-Originating-IP: [216.125.49.18]
Return-Path: <[email protected]>
Authentication-Results: mta812.mail.scd.yahoo.com from=student.ccc.edu; domainkeys=neutral (no sig)
Received: from 207.115.20.36 (EHLO flpvm06.prodigy.net) (207.115.20.36)
  by mta812.mail.scd.yahoo.com with SMTP; Mon, 26 Sep 2005 20:54:44 -0700
X-Originating-IP: [216.125.49.18]
Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])
  by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910
  for <[email protected]>; Mon, 26 Sep 2005 20:53:58 -0700
Received: from agalvan1 [216.125.49.114] by student.ccc.edu
  with NetMail ModWeb Module; Mon, 26 Sep 2005 22:54:42 -0500
Subject: csfi214 - test msg
From: "ALLEN GALVAN" <[email protected]>
To: [email protected]
Date: Mon, 26 Sep 2005 22:54:43 -0500
X-Mailer: NetMail ModWeb Module
X-Sender: agalvan1
MIME-Version: 1.0
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

nobody here but us [email protected]
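Reading the Received: chain above from the bottom up gives the path the test message took and what each relay recorded about the previous one: the campus webmail server stamped the browser's address 216.125.49.114, which never appears in the SMTP envelope; flpvm06.prodigy.net stamped a sendmail-style version banner; and the timestamps of the ccc.edu and prodigy.net hops disagree by more than the hop could have taken, which is clock skew rather than time travel. The Python below is an added example written for this edit, not code from the lab report; the function and class names are mine. The header block it parses is transcribed from the page, with the addresses the page shows redacted replaced by the constructed placeholder recipient@example.invalid.

```python
"""Walk the Received: chain of the test message above, oldest hop first.

Added example for this edit, not code from the lab report.  RAW_HEADERS is
transcribed from the page; the addresses the page shows redacted are
replaced with the constructed placeholder recipient@example.invalid.
"""
from __future__ import annotations

import email
import re
from dataclasses import dataclass
from email.utils import parsedate_to_datetime

RAW_HEADERS = """\
X-Originating-IP: [216.125.49.18]
Received: from 207.115.20.36 (EHLO flpvm06.prodigy.net) (207.115.20.36)
  by mta812.mail.scd.yahoo.com with SMTP; Mon, 26 Sep 2005 20:54:44 -0700
Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])
  by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910
  for <recipient@example.invalid>; Mon, 26 Sep 2005 20:53:58 -0700
Received: from agalvan1 [216.125.49.114] by student.ccc.edu
  with NetMail ModWeb Module; Mon, 26 Sep 2005 22:54:42 -0500
Subject: csfi214 - test msg
Date: Mon, 26 Sep 2005 22:54:43 -0500
X-Mailer: NetMail ModWeb Module
X-Sender: agalvan1

"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# from <name> <address info> by <host> <protocol/software/queue id> ; <date>
HOP = re.compile(
    r"from\s+(?P<frm>\S+)\s*(?P<frm_info>.*?)\s*\bby\s+(?P<by>\S+)\s*"
    r"(?P<via>.*?)(?:;\s*(?P<ts>.*))?$"
)


@dataclass(frozen=True)
class Hop:
    from_name: str        # what the sender called itself (HELO name or bare host)
    from_ip: str | None   # the address the receiving relay actually saw
    by_host: str          # the relay that wrote this Received: line
    via: str              # protocol, software banner, queue id, as recorded
    timestamp: str


def received_hops(raw_headers: str) -> list[Hop]:
    """Return the Received: chain oldest-first.

    Each relay prepends its own line, so the top of the block is the final
    hop.  Only lines written by relays you trust are reliable; anything the
    sender's own system stamped could be forged, so analysis starts at the
    receiving end and works down.
    """
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        m = HOP.match(text)
        if m is None:
            continue
        ip = IPV4.search(f"{m['frm']} {m['frm_info']}")
        hops.append(Hop(m["frm"], ip.group(1) if ip else None, m["by"],
                        m["via"].strip(), (m["ts"] or "").strip()))
    hops.reverse()
    return hops


def originating_client(hops: list[Hop]) -> str | None:
    """Address seen by the first relay; for webmail that is the user's
    browser, an address that never appears in the SMTP envelope."""
    return hops[0].from_ip if hops else None


def software_banners(hops: list[Hop]) -> dict[str, str]:
    """Version strings relays put in parentheses after 'by <host>'."""
    banners = {}
    for hop in hops:
        m = re.match(r"\(([^)]*)\)", hop.via)
        if m:
            banners[hop.by_host] = m.group(1)
    return banners


def hop_delays(hops: list[Hop]) -> list[int]:
    """Seconds between consecutive stamps.  Mail cannot arrive before it was
    sent, so a negative value means the two relays' clocks disagree."""
    times = [parsedate_to_datetime(h.timestamp) for h in hops]
    return [int((later - earlier).total_seconds())
            for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    chain = received_hops(RAW_HEADERS)
    for hop in chain:
        print(f"{hop.from_name} [{hop.from_ip}] -> {hop.by_host}  {hop.timestamp}")
    print("originating client:", originating_client(chain))
    print("software banners:", software_banners(chain))
    print("hop delays (s):", hop_delays(chain))
```

The regex deliberately tolerates the three Received: styles seen here (bare name with bracketed address, name with parenthesised reverse lookup, and address-first with an EHLO note), because every MTA formats the clause a little differently; anything it cannot match is skipped rather than guessed at.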


Exercise 5 – Naming Conventions

Tracert of www.ccc.edu

Exercise 6 – Website Analysis
