Thursday, July 30, 2009

A Bad Month!

July has been a really crazy month. It started off with my wife nagging me to follow through on my New Year's Resolution to get 2 certifications this year. I love to make resolutions like this but then I get playing with Metasploit, Maltego and PowerShell and everything else gets forgotten.

So the beginning of the month was gearing up for the Security+. To tell the truth it was a pretty easy exam but I'm glad I did it. I would love to work in the security field one day and I guess this shows an understanding of the fundamentals. Then I was planning to take a Citrix certification but I figured a CCNA seemed so much more fun so I went with that instead. So here I am with my head buried in Cisco books and an old router and switch being configured six ways to Sunday! I definitely have a newfound respect for the guys out there with their Cisco certs, this stuff is pretty hardcore when you get your hands dirty!

Anyway, back to the point. I know I intended to get a post a week out as I have in the past but things just got on top of me. I will try harder for August and get back on track. Thanks to everyone who has sent me encouraging comments and emails.

Looking forward to August.

Syn

Thursday, July 2, 2009

BackTrack 4 - DNS 1

Okay, so I've finished a week of studying, passed the exam today and now I have had a few minutes to get to grips with one or two of the DNS tools on the BT4 CD. I'm gonna start off easy and look at a couple of my favorite DNS tools and then move onto some that I'm not too familiar with. I decided to start with DNS because that's usually where things start for me, well that and Google but let's leave that for now.


Fierce

I was glad to see that Fierce is still in BT. Fierce is one of my favorite DNS tools and I have blogged about it in the past. It always gets the job done and underneath its simple exterior it's doing quite a lot (maybe RSnake worked for Apple once).

Fierce starts off by using your DNS server to find the target's name servers and then hops on over to those servers to do its work. All pretty cool stuff eh. Fierce will first try to dump the zone via a zone transfer (although it is unlikely this will work) and then it will start to use its name list (hosts.txt) to guess the names of hosts out there. Although not a bad wordlist, I suggest you add to it as you come across anything in your travels. For anything Fierce guesses correctly it will perform reverse lookups of a few of the addresses around the correctly guessed one (the number is configurable), or with -wide it will scan the whole class C subnet of any host it finds. Noisy but effective.

The command I used to scan insecure.org with 10 threads, scanning the class C of any found IPs, was:

./fierce.pl -wide -threads 10 insecure.org

DNSRecon

Although this found me some good results, what I also wanted to do was look in between those IPs with reverse lookups. Because if the target has a block of IPs and nested somewhere in the middle of them is a host on another domain, then that's interesting. For this task I used Dark Operator's DNSRecon Ruby script.

An example of running the script against one of the subnets that Fierce located gave up some interesting (but very obvious) results:

ruby dnsrecon.rb -r 64.13.134.1 64.13.134.254


Surprise surprise nmap.org!
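To show what that reverse sweep is doing under the hood, here is an added example (my own code, not from the post, Fierce or DNSRecon) that walks a range with PTR lookups and flags any name whose base domain differs from the one you expect to own the block. The lookup function is injectable so it can be driven from a fixture; the two-label base_domain heuristic is an assumption that is wrong for names like example.co.uk.

```ruby
require 'ipaddr'
require 'resolv'

# Default resolver: PTR lookup via Ruby's standard library, nil on failure.
DEFAULT_LOOKUP = lambda do |ip|
  begin
    Resolv.getname(ip)
  rescue Resolv::ResolvError
    nil
  end
end

# Yields every IPv4 address from first to last inclusive (dotted strings).
def each_address(first, last)
  a = IPAddr.new(first).to_i
  b = IPAddr.new(last).to_i
  (a..b).each { |n| yield IPAddr.new(n, Socket::AF_INET).to_s }
end

# Registered part of a hostname, e.g. "www.nmap.org." -> "nmap.org".
# Assumption: two labels suffice (not true for ccTLD forms like co.uk).
def base_domain(name)
  name.downcase.chomp('.').split('.').last(2).join('.')
end

# Sweeps the range and returns [found, foreign]:
#   found   - hash ip => PTR name for every address that resolved
#   foreign - [ip, name] pairs whose base domain is not `expected`
def reverse_sweep(first, last, expected, lookup = DEFAULT_LOOKUP)
  found = {}
  foreign = []
  each_address(first, last) do |ip|
    name = lookup.call(ip)
    next unless name
    found[ip] = name
    foreign << [ip, name] unless base_domain(name) == base_domain(expected)
  end
  [found, foreign]
end

# Usage: ruby reverse_sweep.rb 64.13.134.1 64.13.134.254 insecure.org
if __FILE__ == $PROGRAM_NAME && ARGV.length == 3
  found, foreign = reverse_sweep(*ARGV)
  found.each { |ip, name| puts "#{ip}\t#{name}" }
  foreign.each { |ip, name| puts "OUTSIDE #{ARGV[2]}: #{ip} -> #{name}" }
end
```

Run against your own netblock it is a quick way to spot stale or unexpected PTR records, which is the same signal that made nmap.org stand out above.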

Well there's plenty more to go, I just wanted to make a start on this set of posts.

Happy hunting!