Information Gathering
2012 BackTrack Workshop
Upstate ISSA Chapter
Agenda
Intelligence Gathering
Publicly Available Information
Google Hacking
DNS Enumeration
Maltego
Intelligence Gathering
Special Forces conduct successful operations based on intelligence.
The more information you have, the more successful the operation.
Most of a pentesting engagement is dedicated to reporting and information gathering.
Publicly Available Information
Website Analysis
Whois
Netcraft
Mapping Physical Locations
Social Media
SHODAN
Maltego
Website Analysis
What’s Hiding in the Code?
Whois
whois -h org.whois-servers.net issa.org
Netcraft
Mapping Physical Locations
Social Media
SHODAN
Google Hacking
goofile
goohost
gooscan
metagoofil
theHarvester
goofile
goohost
gooscan
Metagoofil
theHarvester
./theHarvester.py -d issa.org -l 500 -b google
DNS Enumeration
DNS Record Types
Zone Transfers
dnsenum
fierce
DNS Record Types
SOA = Start of Authority
NS = Name Server
A = Address (Host)
CNAME = Canonical Name (Alias)
MX = Mail Exchanger
SRV = Service Locator
TXT = Text Data
Zone Transfer (IP Information)
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . : test.com
Description . . . . . . . . . . . : Intel(R) WiFi Link 1000 BGN
Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.10.28
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DHCP Server . . . . . . . . . . . : 192.168.10.150
DNS Servers . . . . . . . . . . . : 192.168.10.150
192.168.10.151
Primary WINS Server . . . . . . . : 192.168.10.150
Secondary WINS Server . . . . . . : 192.168.10.151
Lease Obtained. . . . . . . . . . : Monday, January 03, 2012 7:46:22 PM
Lease Expires . . . . . . . . . . : Tuesday, January 04, 2012 3:46:22 AM
Zone Transfer (Conduct AXFR)
D:\>nslookup
Default Server: ns1.test.com
Address: 192.168.10.150
> server 192.168.10.151
Default Server: ns2.test.com
Address: 192.168.10.151
> set type=any
> ls -d test.com
Zone Transfer (Results)
Default Server: ns1.test.com
Address: 192.168.10.10
> [ns1.test.com]
 test.com.                                     NS     ns1.test.com
 test.com.                                     NS     ns2.test.com
 ns1                                           A      192.168.10.10
 ns2                                           A      192.168.10.11
 payroll                                       A      192.168.10.199
 server1                                       A      192.168.10.215
 192.168.1.1                                   TXT    "Core Switch GigabitEthernet 0/0"
 dnsserver                                     CNAME  ns1.test.com
 _kerberos._tcp.WashingtonDC._sites.dc._msdcs  SRV    priority=0, weight=100, port=88, server1.test.com
 _ldap._tcp.WashingtonDC._sites.dc._msdcs      SRV    priority=0, weight=100, port=389, server1.test.com
dnsenum
fierce
Maltego
Bookmarks
johnny.ihackstuff.com
securitytube.net
paterva.com