outline - metropolitan state university of...
Information Gathering for the Ethical Hacker
Chapter #2:
Reconnaissance
CIS 4500
Outline
• Define active and passive footprinting
• Identify methods and procedures in information gathering
• Understand the use of social networking, search engines, and Google hacking in information gathering
• Understand the use of whois, ARIN, and nslookup in information gathering
• Describe the DNS record types
Phases of Hacking
Footprinting
• EC-Council (ECC) describes four main focuses and benefits of footprinting for the ethical hacker:
1. Know the security posture (footprinting helps make this clear).
2. Reduce the focus area (network range, number of targets, and so on).
3. Identify vulnerabilities (self-explanatory).
4. Draw a network map.
Examples of Resources
• Search engines
• Publicly facing web sites
• DNS records
• Domain registration info
Passive Footprinting
• Gathering of competitive intelligence
• Using search engines
• Perusing social media sites
• Participating in the ever-popular dumpster dive
• Gaining network ranges
• Raiding DNS for information
Passive Footprinting
• General business info:
  • EDGAR Database (www.sec.gov/edgar.shtml)
  • Hoovers (www.hoovers.com)
  • LexisNexis (www.lexisnexis.com)
  • Business Wire (www.businesswire.com)
• Company plans and financials; the following list provides some great resources:
  • SEC Info (www.secinfo.com)
  • Experian (www.experian.com)
  • Market Watch (www.marketwatch.com)
  • Wall Street Monitor (www.twst.com)
  • Euromonitor (www.euromonitor.com)
Active Footprinting
• Social engineering
  • Robin Sage (the 2010 experiment: a fabricated "cyber threat analyst" persona on social networks collected connections, job offers, and sensitive data from defense and security staff)
• Search engines
  • Google hacking
  • Google Hacking Database (GHDB) with search options
  • SiteDigger (www.mcafee.com) - uses Google hack searches
  • MetaGoofil (www.edge-security.com) - extracts metadata (authors, usernames, software versions, paths) from public documents found via search
  • Fun – lmgtfy.com
• Caveat: only social engineering touches the target. Search-engine queries and Google hacking never contact the victim's systems, so most references (and the passive slide above) class them as passive footprinting.
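The metadata-harvesting step that MetaGoofil automates, shown as an added example (this is not the slides' code and not MetaGoofil's own). An Office .docx is a zip archive whose docProps/core.xml and docProps/app.xml parts record the author, the last editor, the company and the editing software; the example builds a constructed sample document in memory, extracts those fields, and aggregates them across a document set. All names, companies and version strings in the sample are made up.

```python
"""Added example, not from the slides and not MetaGoofil's own code: the
core of what a document-metadata harvester does, run on a constructed
.docx.  OOXML files are zip archives; docProps/core.xml carries author and
last editor, docProps/app.xml the application, version and company.  All
names and values in the sample are made up."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# part -> {report key: element path}; these are the identity and software leaks
FIELDS = {
    "docProps/core.xml": {"author": "dc:creator",
                          "last_modified_by": "cp:lastModifiedBy",
                          "modified": "dcterms:modified"},
    "docProps/app.xml": {"application": "ep:Application",
                         "app_version": "ep:AppVersion",
                         "company": "ep:Company",
                         "template": "ep:Template"},
}


def build_sample_docx(creator, last_modified_by, app_version):
    """Constructed stand-in for a document found with a
    'site:target filetype:docx' search; only the property parts matter."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}">'
            f'<dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
            f'<dcterms:modified>2017-08-30T14:02:00Z</dcterms:modified>'
            f'</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}">'
           f'<Application>Microsoft Office Word</Application>'
           f'<AppVersion>{app_version}</AppVersion>'
           f'<Company>Example Corp</Company><Template>Normal.dotm</Template>'
           f'</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Pull the FIELDS out of one OOXML file.  Harvested documents are
    attacker-controlled input: a real tool should parse with defusedxml
    and cap the archive size before reading it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in FIELDS.items():
            if part not in names:
                continue                      # stripped/sanitised document
            root = ET.fromstring(z.read(part))
            for key, path in fields.items():
                node = root.find(path, NS)
                if node is not None and node.text and node.text.strip():
                    found[key] = node.text.strip()
    return found


def summarize(metadata_list):
    """Aggregate across a document set the way the harvester's report does:
    people (username candidates) and software (version-specific exploit
    and phishing-lure selection)."""
    people, software, companies = set(), set(), set()
    for m in metadata_list:
        people.update(m[k] for k in ("author", "last_modified_by") if k in m)
        if "application" in m:
            software.add(f"{m['application']} {m.get('app_version', '')}".strip())
        if "company" in m:
            companies.add(m["company"])
    return {"people": sorted(people), "software": sorted(software),
            "companies": sorted(companies)}


if __name__ == "__main__":
    docs = [build_sample_docx("jdoe", "Jane Doe (IT-HELPDESK)", "15.0000"),
            build_sample_docx("asmith", "asmith", "14.0000")]
    print(summarize([extract_metadata(d) for d in docs]))
```

The same approach applies to .xlsx and .pptx (same property parts) and, with a different parser, to PDF /Author and /Producer entries; the defensive counterpart is to strip these parts before publishing.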
Web Site
• Mirroring (download the whole site for offline analysis of its structure, comments, and scripts)
  • HTTrack (www.httrack.com)
  • Black Widow (http://softbytelabs.com)
  • WebRipper (www.calluna-software.com)
  • Teleport Pro (www.tenmax.com)
  • GNU Wget (www.gnu.org)
  • Backstreet Browser (http://spadixbd.com)
• Wayback Machine (https://archive.org/web) - history (archived versions, including content since removed)
• Website Watcher (http://aignes.com) - monitors pages for changes
E-mail Footprinting
• mailtracking.com
• Example headers from a Black Hat Europe 2017 mailing received at msudenver.edu. Read the Received: lines bottom-up: each relay prepends its own, so the lowest one is the first hop. E-mail addresses were obfuscated in the source and appear as "[email protected]".
Received: from MWHPR03MB3102.namprd03.prod.outlook.com (10.174.164.153) by CY4PR03MB3096.namprd03.prod.outlook.com with HTTPS via MWHPR1301CA0012.NAMPRD13.PROD.OUTLOOK.COM; Thu, 31 Aug 2017 09:00:56 +0000
Received: from BN6PR03CA0009.namprd03.prod.outlook.com (10.168.230.147) by MWHPR03MB3102.namprd03.prod.outlook.com (10.174.174.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.13.10; Thu, 31 Aug 2017 09:00:54 +0000
Received: from CO1NAM04FT034.eop-NAM04.prod.protection.outlook.com (2a01:111:f400:7e4d::203) by BN6PR03CA0009.outlook.office365.com (2603:10b6:404:23::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.13.10 via Frontend Transport; Thu, 31 Aug 2017 09:00:53 +0000
Authentication-Results: spf=pass (sender IP is 129.145.16.89) smtp.mailfrom=messages1.blackhat.com; msudenver.edu; dkim=pass (signature was verified) header.d=messages1.blackhat.com;msudenver.edu; dmarc=pass action=none header.from=messages1.blackhat.com;
Received-SPF: Pass (protection.outlook.com: domain of messages1.blackhat.com designates 129.145.16.89 as permitted sender) receiver=protection.outlook.com; client-ip=129.145.16.89; helo=mail01.messages.blackhat.com;
Received: from mail01.messages.blackhat.com (129.145.16.89) by CO1NAM04FT034.mail.protection.outlook.com (10.152.90.119) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1385.11 via Frontend Transport; Thu, 31 Aug 2017 09:00:52 +0000
Return-Path: [email protected]
DKIM-Signature: v=1; a=rsa-sha256; d=messages1.blackhat.com; s=dk2016; c=relaxed/relaxed; q=dns/txt; [email protected]; t=1504170051; h=From:Subject:Date:To:MIME-Version:Content-Type; bh=ckjda510ltji+pbAK019BkCgwTcv3T8MLSP1JqbDOPI=; b=QeryECb3hkVx6sDbwHv0JrA4pAPemC1n8gW3sGSWtlyko8/HuufM7cGv6Pd68IvW fRgTh/VMXJn/yGi2IMO2/DbsEZgHpY4Cx5ApxKZZo/tQF/kM64/RRYuUVev99sTZ iMIbrfuqa7gscnW/Sr/rHXYCx1vkJ4RTGcBvGPiAVwo=;
Received: from [10.34.116.102] ([10.34.116.102:57550] helo=G04SNJ010) by msm-mta03-dc6 (envelope-from <[email protected]>) (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP id AC/8D-23913-340D7A95; Thu, 31 Aug 2017 05:00:51 -0400
Message-ID: <424ae7eb23894ad3953a5277dca53356@95530031>
X-Binding: 95530031
X-elqSiteID: 95530031
X-elqPod: 0x42929D304091F2FE066CF35EC31ADF5FBC4AF91DBF6F3D6F9D91109E00869E13
X-cid: 24-149-2017/08/31 09:00:51
MIME-Version: 1.0
From: "Black Hat Europe 2017" <[email protected]>
To: [email protected]
Reply-To: Black Hat <[email protected]>
Date: 31 Aug 2017 05:00:51 -0400
• What the chain reveals: the sender's Internet-facing MTA is mail01.messages.blackhat.com (129.145.16.89), the host that injected the message is an internal 10.34.116.102 announcing itself as G04SNJ010, the sending MTA runs ecelerity 3.6.9, and the hand-off to the recipient's perimeter used TLS 1.0.
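Walking that Received: chain by hand is error-prone, so here is an added example (not from the slides) that does it programmatically on the headers above, trimmed to the relay chain and authentication results. It reads the hops sender-to-recipient, identifies the first globally routable source address as the sender's public MTA and everything before it as the sender's internal network, and cross-checks that address against the client-ip the recipient's SPF check recorded; a mismatch there would mean the lower Received: lines cannot be trusted. The "[email protected]" tokens are the page's address obfuscation and are kept verbatim.

```python
"""Added example, not from the slides: read the Received: chain of the
Black Hat Europe 2017 message the way an e-mail footprinter does, from
the host that injected it to the server that delivered it, and check it
against the recipient side's SPF verdict.  Headers are the slide's,
trimmed to the relay chain and authentication results; the
'[email protected]' tokens are address-obfuscation residue kept verbatim."""
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

RAW_HEADERS = """\
Received: from MWHPR03MB3102.namprd03.prod.outlook.com (10.174.164.153) by CY4PR03MB3096.namprd03.prod.outlook.com with HTTPS via MWHPR1301CA0012.NAMPRD13.PROD.OUTLOOK.COM; Thu, 31 Aug 2017 09:00:56 +0000
Received: from BN6PR03CA0009.namprd03.prod.outlook.com (10.168.230.147) by MWHPR03MB3102.namprd03.prod.outlook.com (10.174.174.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.13.10; Thu, 31 Aug 2017 09:00:54 +0000
Received: from CO1NAM04FT034.eop-NAM04.prod.protection.outlook.com (2a01:111:f400:7e4d::203) by BN6PR03CA0009.outlook.office365.com (2603:10b6:404:23::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.13.10 via Frontend Transport; Thu, 31 Aug 2017 09:00:53 +0000
Authentication-Results: spf=pass (sender IP is 129.145.16.89) smtp.mailfrom=messages1.blackhat.com; msudenver.edu; dkim=pass (signature was verified) header.d=messages1.blackhat.com;msudenver.edu; dmarc=pass action=none header.from=messages1.blackhat.com;
Received-SPF: Pass (protection.outlook.com: domain of messages1.blackhat.com designates 129.145.16.89 as permitted sender) receiver=protection.outlook.com; client-ip=129.145.16.89; helo=mail01.messages.blackhat.com;
Received: from mail01.messages.blackhat.com (129.145.16.89) by CO1NAM04FT034.mail.protection.outlook.com (10.152.90.119) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1385.11 via Frontend Transport; Thu, 31 Aug 2017 09:00:52 +0000
Received: from [10.34.116.102] ([10.34.116.102:57550] helo=G04SNJ010) by msm-mta03-dc6 (envelope-from <[email protected]>) (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP id AC/8D-23913-340D7A95; Thu, 31 Aug 2017 05:00:51 -0400
From: "Black Hat Europe 2017" <[email protected]>
To: [email protected]
Date: 31 Aug 2017 05:00:51 -0400

"""


def first_ip(text):
    """First IPv4/IPv6 literal in text, tolerating the '[addr:port]' form."""
    for cand in re.findall(r"[0-9A-Fa-f:.]{7,}", text or ""):
        for attempt in (cand, cand.rsplit(":", 1)[0]):
            try:
                return str(ipaddress.ip_address(attempt))
            except ValueError:
                pass
    return None


def parse_received(value):
    """Split one Received: value into what footprinting cares about: claimed
    sender name, its IP, HELO, receiving host, transport, timestamp (UTC)."""
    v = " ".join(value.split())
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", v)
    m_by = re.search(r"\bby\s+(\S+)", v)
    m_with = re.search(r"\bwith\s+(.+?)(?=\s+id\b|\s+via\b|;)", v)
    paren = (m_from.group(2) or "") if m_from else ""
    m_helo = re.search(r"helo=(\S+)", paren)
    return {
        "from": m_from.group(1) if m_from else None,
        "from_ip": first_ip(paren) or (first_ip(m_from.group(1)) if m_from else None),
        "helo": m_helo.group(1) if m_helo else None,
        "by": m_by.group(1) if m_by else None,
        "with": m_with.group(1) if m_with else None,
        "time": parsedate_to_datetime(v.rsplit(";", 1)[1].strip()).astimezone(timezone.utc),
    }


def trace(raw):
    """Each relay prepends its own Received: line, so the last one in the
    header block is the first hop; reverse to read sender -> recipient."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def origin_of(hops):
    """The first hop with a globally routable source IP is the sender's
    Internet-facing MTA; hops before it are inside the sender's network."""
    for i, hop in enumerate(hops):
        if hop["from_ip"] and ipaddress.ip_address(hop["from_ip"]).is_global:
            return {"public_mta": hop, "internal": hops[:i]}
    return None


def auth_results(raw):
    """SPF/DKIM/DMARC verdicts and the client-ip the SPF check was run on."""
    msg = email.message_from_string(raw)
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                              " ".join(msg.get_all("Authentication-Results", []))))
    m = re.search(r"client-ip=([^;\s]+)", msg.get("Received-SPF", ""))
    results["spf_client_ip"] = m.group(1) if m else None
    return results


if __name__ == "__main__":
    path = trace(RAW_HEADERS)
    for i, h in enumerate(path, 1):
        print(f"{i}. {h['from']} [{h['from_ip']}] -> {h['by']} via {h['with']} at {h['time']:%H:%M:%S}Z")
    print("origin:", origin_of(path)["public_mta"]["from"], auth_results(RAW_HEADERS))
```

Everything below the hop the recipient's own perimeter logged (here CO1NAM04FT034 receiving from 129.145.16.89) was written by the sender's infrastructure and can be forged; the SPF client-ip cross-check is what anchors the chain.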
DNS
DNS Record Types
DNS Records
; Example zone for any.net showing the record types SOA, NS, MX, A and CNAME.
; '@' is the zone apex; a blank owner field repeats the previous owner.
@ IN SOA ns1.any.net. hostmaster.any.net. ( ; primary name server and admin contact (hostmaster@any.net)
2004030401 ; Serial (YYYYMMDDnn convention: last changed 2004-03-04)
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum (negative-caching TTL)
@ IN NS ns1.any.net. ; authoritative name servers for the zone
IN NS ns2.any.net.
IN MX 50 smtp1.any.net. ; mail exchangers, lowest preference value tried first
IN MX 100 smtp2.any.net.
IN A 202.24.24.122 ; address of the apex, any.net
smtp IN A 203.44.44.10 ; address of smtp.any.net
www IN CNAME @ ; aliases of the apex: www and ftp resolve to 202.24.24.122
ftp IN CNAME @
mail IN CNAME smtp ; aliases of smtp: mail, pop and pop3 resolve to 203.44.44.10
pop IN CNAME smtp
pop3 IN CNAME smtp
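To show what a footprinter actually extracts from a zone like the one above (and what the nslookup -type queries on the next slide return one record type at a time), here is an added example, not part of the slides: a small parser for this zone-file syntax that tallies the record types, follows CNAME chains to the address a scanner would hit, orders the mail exchangers by preference, and decodes the admin contact hidden in the SOA RNAME. It assumes the zone origin is any.net. (the slide shows '@' but no $ORIGIN line), and that parentheses occur only in the SOA record.

```python
"""Added example, not from the CIS 4500 slides: a small parser for a
BIND-style zone such as the any.net fragment above, and the inventory a
footprinter reads off it.  Assumes the origin is any.net. (not stated on
the slide), '[owner] IN TYPE rdata' syntax, a blank owner repeating the
previous one, and parentheses only in the SOA record."""
from collections import Counter

ORIGIN = "any.net."          # assumed; the slide shows '@' but no $ORIGIN line
ZONE_TEXT = """\
@ IN SOA ns1.any.net. hostmaster.any.net. (
2004030401 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS ns1.any.net.
IN NS ns2.any.net.
IN MX 50 smtp1.any.net.
IN MX 100 smtp2.any.net.
IN A 202.24.24.122
smtp IN A 203.44.44.10
www IN CNAME @
ftp IN CNAME @
mail IN CNAME smtp
pop IN CNAME smtp
pop3 IN CNAME smtp
"""
RR_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "TXT", "PTR"}


def _logical_lines(text):
    """Drop ';' comments and blank lines, and merge a '( ... )' record."""
    out, buf = [], None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        if buf is not None:
            buf += " " + line
            if ")" in line:
                out.append(buf.replace("(", " ").replace(")", " "))
                buf = None
        elif "(" in line and ")" not in line:
            buf = line
        else:
            out.append(line)
    return out


def _fqdn(name, origin):
    """'@' is the apex; a name without a trailing dot is relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return [(owner, type, rdata tuple)] with every name made absolute."""
    records, owner = [], origin
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] != "IN":            # explicit owner; otherwise reuse last
            owner, fields = _fqdn(fields[0], origin), fields[1:]
        if fields[0] != "IN" or fields[1] not in RR_TYPES:
            raise ValueError(f"unsupported record: {line}")
        rtype, rdata = fields[1], fields[2:]
        if rtype in ("NS", "CNAME"):
            rdata = [_fqdn(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), _fqdn(rdata[1], origin)]
        records.append((owner, rtype, tuple(rdata)))
    return records


def count_by_type(records):
    return dict(Counter(rtype for _, rtype, _ in records))


def resolve(name, records, origin=ORIGIN, _hops=0):
    """Follow CNAMEs (bounded, so a looping zone cannot hang the tool) to
    the A record that a scanner would actually hit."""
    if _hops > 8:
        raise ValueError(f"CNAME chain too long at {name}")
    name = _fqdn(name, origin)
    for owner, rtype, rdata in records:
        if owner == name and rtype == "A":
            return rdata[0]
    for owner, rtype, rdata in records:
        if owner == name and rtype == "CNAME":
            return resolve(rdata[0], records, origin, _hops + 1)
    return None


def footprint(records, origin=ORIGIN):
    """Reconnaissance view of a zone: name servers, mail relays in the order
    a sender tries them, the admin contact in the SOA RNAME (first dot
    stands for '@'), and each hostname with the IP it lands on."""
    soa = next(r for _, t, r in records if t == "SOA")
    mx = sorted((r for _, t, r in records if t == "MX"), key=lambda r: r[0])
    return {
        "nameservers": sorted(r[0] for _, t, r in records if t == "NS"),
        "mail": [target for _, target in mx],
        "soa_contact": soa[1].rstrip(".").replace(".", "@", 1),
        "serial": soa[2],        # YYYYMMDDnn convention hints at last change date
        "hosts": {o: resolve(o, records, origin)
                  for o, t, _ in records if t in ("A", "CNAME")},
    }
```

Against a live target the same inventory comes from `nslookup -type=ns/mx/soa` queries or, where a misconfigured server still allows it, a zone transfer (`dig axfr`); the parser is also a quick way to audit your own zone for hostnames that should not be public.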
Registrars
nslookup
• nslookup msudenver.edu (forward lookup: name to address)
• nslookup 147.153.45.39 (reverse lookup: address to PTR name)
• nslookup -type=ns msudenver.edu
• nslookup -type=mx msudenver.edu
• nslookup -type=soa msudenver.edu
• interactive: nslookup
  > set all (shows the resolver's current settings)
• dig @ns2.msudenver.edu msudenver.edu soa (asks the authoritative server directly; substitute any to request all record types, although many servers now answer ANY minimally or refuse it)
Network Footprinting
• arin.net (the Regional Internet Registry for North America: who owns a netblock)
• tracert / traceroute: Windows tracert sends ICMP Echo Request packets; Linux traceroute sends UDP probes to high ports by default (use -I for ICMP or -T for TCP SYN). Either way, the per-hop TTL expiry replies reveal the routers on the path to the target.
• Many, many tools
Other Tools
• Maltego
• HW (homework): how does it work, and what are the settings and configuration options?
Stay Alert!
There is no 100 percent secure system,
and there is nothing that is foolproof!