131 lines
3.3 KiB
Plaintext
131 lines
3.3 KiB
Plaintext
Overview:
|
|
-- WHOIS
|
|
-- BGP
|
|
-- Internet Scanning Projects
|
|
-- DNS Bruteforcing
|
|
-- Digging Deep on Third Party Servers
|
|
-- Source Code Services
|
|
|
|
--- TESTING FACEBOOK ---
|
|
Hostenames, IPs, reconnaisance
|
|
Must Read:
|
|
https://www.facebook.com/whitehat
|
|
|
|
|
|
*** Collecting information about the company without communicating with any of their systems.
|
|
|
|
[ Challenge ]:
|
|
-- Tool(s) --
|
|
Kali Linux
|
|
|
|
Start with:
|
|
-- facebook.com
|
|
End with:
|
|
-- +100,000 IPv4
|
|
-- +100 IPv6 Ranges
|
|
-- More than 5k hostnames
|
|
|
|
|
|
|
|
:: WHOIS ::
|
|
-- Tool(s) --
|
|
dmitry: Demographic Information Gathering Tool -- See module-2-image-1 image
|
|
whois: Gets the company info
|
|
nslookup: DNS lookup
|
|
ARIN Site
|
|
|
|
|
|
Is a protocol that translates URL to company information
|
|
Go from a URL to list of IP addresses.
|
|
Associated anonymous system information (ASN Info)
|
|
*** Can use IPs to bypass some information hiding services against WHOIS lookups (see nslookup to get ip/domain)
|
|
|
|
|
|
seed URL: facebook.com
|
|
WHOIS lookups:
|
|
+100,000 IPv4
|
|
+100 IPv6 Ranges
|
|
|
|
|
|
|
|
|
|
:: BGP :: (Border Gateway Protocal)
|
|
*** Exchanges antonymous system network routing information
|
|
(Ie, creates A PATH BETWEEN THESE SYSTEMS)
|
|
Routing decisions on core internet
|
|
*** AS (antonymous system) is associated with network ranges
|
|
|
|
-- Tool(s) --
|
|
See module-2-image-2 image
|
|
|
|
|
|
|
|
|
|
:: Internet Scanning Projects ::
|
|
*** Internet scanning projects perform TCP and UDP port scans across the entire internet on a daily or weekly basis.
|
|
The data is then made publicly available and the goal is to provide the public with the data for analysis.
|
|
IE, great for gathering info/reconnaissance
|
|
|
|
-- Tool(s) --
|
|
scans.io : Hosted and maintained by University of Michigan
|
|
censys.io allows for interactive querying against data
|
|
Relevant to Footprinting:
|
|
DNSs: Virtual Hosts
|
|
SSL Certificates: Subject alternative names (another list of hostnames)
|
|
Live Services
|
|
commoncrawl.org: crawl of the internet itself. (Kinda like backend of Google)
|
|
www.shodan.io
|
|
crt.sh: Comodo Certificate sdearch
|
|
pigz: parallel decompression of tar,gzip files
|
|
|
|
|
|
|
|
|
|
:: DNS Bruteforcing ::
|
|
-- Tool(s) --
|
|
DNSRecon on Kali: dnsrecon -d <your domain> -t <types: brt for bruteforce> -n 8.8.8.8 -D <dictionary> -c <store results path file> -f <if dns wildcard in place>
|
|
Fierce on Kali
|
|
|
|
Advanced Tactics:
|
|
Recursive Bruteforce
|
|
Use organization specific patterns.
|
|
Ask someone
|
|
|
|
|
|
|
|
|
|
:: Digging Deep on Third Party Servers ::
|
|
(Think like an attacker)
|
|
(Think like an employee)
|
|
|
|
*** Think of the two sites as philosophy than actual steps.
|
|
Does it make sense to check these basically?
|
|
|
|
-- Tool(s) --
|
|
virustotal.com : Might list domains checked by users. (When OK they are acrtual domains of company)
|
|
threatcrowd.org : Malware threat information
|
|
|
|
|
|
Think about 3rd party services.
|
|
Think about mergers and acquisitions.
|
|
Think about presentation sharing sites such as slideshare.net or prezi.com
|
|
Industry blog posts
|
|
Conference videos
|
|
|
|
Other Courses:
|
|
Reconnaissance/Footprinting by Dale Meredith
|
|
|
|
|
|
|
|
|
|
:: Source Code Services ::
|
|
-- Tool(s) --
|
|
Gitrob
|
|
Gumbler
|
|
|
|
-- Group(s) --
|
|
Github
|
|
Bitbucket
|
|
SourceForge
|
|
Googlecode (Now defunct)
|