Tuesday, October 16, 2007

Anonymous Reconnaissance

I have renamed this entry from Passive Reconnaissance to Anonymous Reconnaissance.

Passive Reconnaissance is the act of gathering intelligence without sending any packets to the target, whereas Anonymous Reconnaissance is the act of gathering intelligence without sending any packets to the target from your IP. I break reconnaissance down into 2 phases, Intelligence Gathering and Footprinting.

Whilst mapping my target you will also research and map any other relevant IP addresses such as business partners, subsidiaries, sister companies and divisions. All must be considered relevant as these companies may have trusts set up that provide easier access to my target or they may provide a service such as DNS,web hosting, e-commerce or email to your target which could also be targeted as part of an attack.

Intelligence Gathering

When researching a target you need to gather intelligence. The more intelligence the better as this information may tell you what systems the target has, what the target is running on those systems, and what versions of software the target has. Using this information the attack can be precise and professional. All this information can be gained without sending any packets to the target from your IP. There are many tools that can be installed on Windows or Linux PC’s to perform these tasks, here I will demonstrate how to gain this information using only tools available on web sites. The benefit is the attack will not be linked directly to you. One point to bear in mind when using these web based tools is your IP may well be sent to the target in from the website hosting the tool such as www.serversniff.net, so use these tools through an anonymous proxy (or chain of proxies) or TOR.

There are a huge amount of resources available to use on the web, these can provide you with the following:

• IP Ranges
• Operating Systems
• Software in Use
• Employee Names
• Organisational Structures
• Business Partners

This information is invaluable for targeted technical attacks and for social engineering, after all, why spend days hacking a website or a firewall when the chances are you can make a few phone calls and persuade a user to give you his or her password within an hour. But to do this you need to do your homework first and that’s where Intelligence Gathering comes in, the more knowledgeable you are about your target the more believable you will be.

www.google.com – Just about everything
www.msn.com – Shared hosting
www.paterva.com – People & organisation searches
www.dnsstuff.com – A host of web based DNS tools
www.serversniff.net – Metadata discovery, Tracerouting, IP tools, sub-domains etc…
www.windowspms.com – Whois tools and port scanner
www.publicwebproxies.com – Proxy lists
www.archive.org – The way back machine
www.netcraft.com – Website tools.

Okay so you have a target. The first thing that is required is to view the website (if available) to learn as much about the target as possible. The outcome of this should hopefully be names, addresses, telephone numbers, email addresses, business partners, organisational structures, sub-domains, IP addresses, business relationships. All of this information is useful for the later stages of an attack. Search the source of the web pages to look for details such as names, email addresses, comments etc… To prevent your IP showing in the website logs the following measures can be taken.

• Search the Google cached pages
• Use the Way Back Machine at www.archive.org
• Use an anonymous proxy or TOR
• Use www.serversniff.net

If you are to use Google cached pages (look at the link at the bottom of a Google search) be aware that if there are images on the page these will be retrieved from the site and not from Google’s cache. To prevent this you can modify the settings in the options on your browser so it doesn’t pull back anything but text.

The Way Back Machine has its advantages and disadvantages. On the downside the pages may be slightly dated, on the plus side you may get data (job adds, acquisitions etc..) that the target removed.

Anonymous proxies can be chained together or you could just use TOR for great anonymity. Check out www.publicwebproxies.com for a list of proxies.

One thing to bear in mind is that many companies do not host the website so picking up address ranges from around the IP of the website may not be at that useful.

www.netcraft.com is a useful site, it will often tell you, how long a server has been up, what OS it is and what type of webserver it is.

Using Google you can start to Google email addresses, usernames, employee names etc… it’s useful to search newsgroups on Google (use the groups directive and the author directive), maybe the techies have made postings regarding software in use, questions on servers or firewall configurations. You can focus your search on just the target by using the site directive (site:bbc.co.uk).

Another great reconnaissance tool is www.paterva.com, it will trawl the web and find postings, phone numbers, email addresses and much more.

Virtual Hosting

Virtual Hosting is where many Websites share the same IP Address (and web server) and is sometimes an indicator of a business relationship. You can discover this using the IP directive (ip:target_ip_address) on MSN or you can use the Hostname on IP function on www.serversniff.net

# Name
# 1 cgi.bbc.co.uk
# 2 ftp.bbc.co.uk
# 3 www0.bbc.co.uk
# 4 www0.mh.bbc.co.uk

www.serversniff.net can perform a range of tasks, if you find any documents published on the website this site can pull out the metadata and possibly reveal software in use and usernames. As well as this it has features that can analyse web pages for comments, look at Comments-on-Page function.

Some useful search filters for google are:

site:bbc.co.uk filetype:pdf pdf
This query will just return pdf’s from the target website (assuming the target was the BBC)

site:bbc.co.uk filetype:xls
This query would return Excel spreadsheets posted to the web for the BBC

The www.serversniff.net File-Search function will also perform similarly to the google searches mentioned above.

If the URL for one of the returned spreadsheets is then run through the File Info tool on www.serversniff.net you get the following interesting information.

FileType(guessed) = Microsoft Office Document
last saved by - KingsJ31
creation date - 2005-05-30T18:00:09Z
creator - Harry Blundun
date - 2005-06-29T15:59:50Z
generator - Microsoft Excel
CreateDate = 2005:05:30 18:00:09
LastSavedBy = KingsJ31
AppVersion = 10 (107b)
FileSize = 30 kB
Author = Harry Blundun
Company = fathom partners
AuthorEmail = jonathan.kingsbury@bbc.co.uk
EmailSubject = updated supplier questionaire sheet
AuthorEmailDisplayName = Jonathan Kingsbury
ModifyDate = 2005:06:29 15:59:50
Software = Microsoft Excel
TitleOfParts = Supplier describes competencies

Now were getting somewhere, usernames, email addresses software version etc… All without sending a single packet to the target from your IP.


The objective of footprinting is to mine as many valid hostnames for the target and link them with IP addresses.

Whois Searches

To effectively footprint the target you must discover the IP addresses in use and map them to hostnames. A good starting point is to perform whois lookups with the Regional Internet Registries for your target.

An excellent couple of sites for this are www.whois.sc, www.domaindossier.com and of course the most excellent www.serversniff.net.
All sites will provide you with the whois information for your target. The whois information may provide names, addresses, email addresses telephone numbers and netblock ranges.

Whois Record
Domain name:
British Broadcasting Corporation
Registrant type:
UK Limited Company, (Company number: 000057)
Registrant's address:
Research & Development
Kingswood Warren
KT20 6NP
British Broadcasting Corporation [Tag = BBC]
Relevant dates:
Registered on: before Aug-1996
Renewal date: 13-Dec-2008
Last updated: 25-Sep-2007
Registration status:
Registered until renewal date.
Name servers:

A whois lookup should be performed on each domain name that is linked to the target, as different domains have been registered the target may have disclosed different information in error. Bear in mind that it is not uncommon to find out of date information in these whois queries so verify the information with other tools listed.

DNS Bruteforce
Another great feature on www.serversniff.net is its DNS Bruteforce. This feature can be used to look for predictable hostnames and provide the associated IP addresses. The SubDomains feature on www.serversniff.net is a useful tool that will locate other hosts under the bbc.co.uk domain name for the target. The example below (sorry BBC) displays some of the more interesting information that is returned from www.serverSniff.net on SubDomains search:

Host IP Title
bogons.bbc.co.uk BBC
cgi.bbc.co.uk BBC - Error 403 - Forbidden.
chivers.ww.thdo.bbc.co.uk Directory Listing Denied
creativearchive.bbc.co.uk Creative Archive
db.bbc.co.uk BBC - homepage
extdev.bbc.co.uk ……………
ftp.bbc.co.uk ……………
gateway.bbc.co.uk gateway.bbc.co.uk ……………
mail.bbc.co.uk ……………
mx.bbc.co.uk ……………
ns.bbc.co.uk …………….
ssl.bbc.co.uk BBC - homepage..
virtual0.mh.bbc.co.uk BBC ……...
webmail.bbc.co.uk …………….
www.monitor.bbc.co.uk BBC Monitoring

Top Level Domains (TLD)
The TLD Domains tool on this site can be used for finding other registered domains that may be hosted in other countries. The benefit of this is you may have different software versions in use, different policies and different firewall rules etc… this provides you with a bigger target.


And many more…………………….

Another system that is of use here is to try to find where address ranges allocated to the target start and finish. Often the whois query on an address will highlight the netblock assigned to the ISP. By using the Reverse DNS Lookup feature on www.DNStuff.com you can specify a CIDR (i.e. and it will scan the class C: range. This will often display router names that site on the last IP on an allocated Range. To reduce the packets sent to a domain you can send individual queries to IP addresses throughout the suspected range. Eventually this will narrow down the range until you identify just the set of addresses you are interested in.

If when performing these reverse lookups you find a domain name that is not your targets in the middle of the range, this is often a good indicator of a business relationship and the new domain should be added to your list of domains to footprint.

www.dnsstuff.com can also be used to look at other records that you target may have that may point a bit closer to home, such as MX records that point to mailservers. But be aware that some companies who use mail filtering services may route there mail to the filtering companies mail servers. If you are unsure of if this is happening there are a couple of things you can do. You could Google the address that the MX record points to, or you could send an email bounce from a web-based email address and examine the headers. But the bounce attack falls outside of the scope of this document as it is no longer passive reconnaissance. However, in the example above in the subdomains section it seems quite obvious where the mail servers are.

DNS stuff can also be used for Tracerouting to the target IP’s. So if the admins on that site have left ICMP enabled on the firewall and routers you can begin to map the network. www.serversniff.net also has a UDP and TCP Traceroute which will often work when ICMP is blocked.

Zone Transfers
Okay, these days it’s a real longshot but it’s worth a try because if they haven’t been locked down it’s like stiking gold so go along to http://www.digitalpoint.com/tools/zone-transfer and give it a try.

So after you have done all this work and you have verified the information with forward and reverse lookups until you’re happy that you have a nice list of IP addresses to hostnames you can begin planning for the next phase of the attack, scanning and enumeration.

There are some excellent papers on footprinting. Breaking Into Computer Networks From The Internet is one of them.
Thanks to the guys at binrev who have contributed ideas to this topic

1 comment:

Anonymous said...

Top article.

These sites appear to be dead.

www.windowspms.com – Whois tools and port scanner
www.publicwebproxies.com – Proxy lists

for port scanning try www.hackertarget.com