What You Should Know About Target Acquisition for Pentesting

June 30, 2016

In the pentesting and security scenes, one of the more popular methods of securing servers and websites is obfuscation and/or misinformation. If you can't find the real IP of a backend server, it's harder to accurately test for vulnerabilities, brute-force resistance, bandwidth limits or the impact of a DDoS.

This is becoming more and more common with services like CloudFlare, RackSpace Opencloud and numerous others. These services allow you to hide your servers behind a reverse proxy to mitigate DDoS, manage traffic, cache static items, etc. And, whether it’s a penetration test, investigation or some other purpose, if you can’t identify the true IP of the backend server, your job is usually much, much harder.

How do we find the IP? There are numerous methods, depending on how the target's backend network has been laid out. Some will work while others will not. We'll start with the simplest, which assumes the target's system admin was careless and didn't configure things optimally.

  1. Trigger an error page. If the target's web developer and server admin are not savvy with security, this could be the simplest answer. Find a URL on the site that uses a GET parameter for something, and then put garbage into this parameter. Attempt to trigger a server or SQL error message. Occasionally these will list the webserver and its IP right away.
  2. Does the site have any form of an image downloading tool? Many sites now have a feature where, instead of uploading an image or file, you can simply put in a URL to the file or image where it exists elsewhere on the internet. If you discover one of these, simply provide a URL to a file on one of your own servers, or something whose logs you can monitor, and see what IP downloads the file.
  3. MXToolbox can be a goldmine for this, believe it or not. If the site uses notification emails, their webserver's IP is most likely listed in the SPF records. This is not always the case, but it only takes 20 seconds to check.
  4. If the target is using a shared hosting provider, their email server may be on the exact same server as well. Use MXToolbox to look up their MX records. Then, dial the IPs listed in the browser and see if you get a webserver responding. If so, you could add a hosts file entry pointing the target's domain name to that IP. Then, attempt to visit the site so the proper domain name appears in the headers. If it appears, you have found the correct IP.
  5. Get the site to email you. Ask for a password reset, register an account, or even private message yourself to get the site to send you some form of email notification. Most sites generate these on the same server the website is running on, so when you get the email, simply pull the source IP from the email's headers, and there you go.
  6. Check for alternate DNS records. A lot of people like to host subdomains on the same server as the main site, and in many cases, even entire other domains. viewdns is a website that can show a decent collection of all the common records that exist for a domain. Half the time, you get lucky and find one that leads you to the server's real IP.
  7. Use historical DNS. There are a number of sites that can be found via Google that actually list historical DNS records, and many, many sites are set up without reverse proxies at their inception. It's usually added later, after security has become an issue for them. Simply search around and find all the historical DNS records you can. Chances are, you'll find at least the old IP, and possibly the current IP as well.
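As an added example (not code from the original post), here is a Python audit written from the site owner's side that applies steps 3, 4 and 6 to constructed DNS data: it flags every published A record, MX host address and SPF address that does not fall inside the reverse proxy's ranges, which is exactly what an outsider would look for. PROXY_RANGES, the domain `example.test` and all records are constructed placeholders; a real audit would fill them from the proxy provider's published ranges and a live resolver.

```python
import ipaddress
import re

# Constructed placeholder: the address ranges the reverse proxy fronts the site from.
# Real providers publish their ranges; substitute those here.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:100::/48")]

# Constructed DNS data for a hypothetical domain, shaped like resolver output.
SAMPLE_RECORDS = {
    "A": {
        "example.test": ["203.0.113.10"],        # front door: resolves to the proxy
        "dev.example.test": ["198.51.100.7"],    # forgotten subdomain: direct to origin
        "mail.example.test": ["198.51.100.7"],   # mail host shares the origin box (step 4)
    },
    "MX": {"example.test": ["mail.example.test"]},
    "TXT": {"example.test": ["v=spf1 ip4:198.51.100.7 include:_spf.mailhost.test -all"]},
}

def behind_proxy(ip):
    """True if the address sits inside one of the proxy's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

def spf_ips(txt):
    """Pull literal ip4:/ip6: mechanisms out of an SPF record (CIDR suffix kept)."""
    return re.findall(r"\bip[46]:(\S+)", txt)

def find_origin_leaks(domain, records):
    """Return {source: [ip, ...]} for every published address outside the proxy ranges."""
    leaks = {}

    def note(source, ips):
        # For CIDR mechanisms only the network address is tested; good enough to flag a leak.
        bad = [ip for ip in ips if not behind_proxy(ip.split("/")[0])]
        if bad:
            leaks[source] = bad

    for name, ips in records.get("A", {}).items():          # step 6: subdomains / extra A records
        note(f"A {name}", ips)
    for mx in records.get("MX", {}).get(domain, []):         # step 4: MX hosts on the same box
        note(f"MX {mx}", records.get("A", {}).get(mx, []))
    for txt in records.get("TXT", {}).get(domain, []):       # step 3: SPF lists the sending IP
        if txt.startswith("v=spf1"):
            note("SPF", spf_ips(txt))
    return leaks

if __name__ == "__main__":
    for source, ips in find_origin_leaks("example.test", SAMPLE_RECORDS).items():
        print(f"origin exposed via {source}: {', '.join(ips)}")
```

Any line this prints is a record that should be moved behind the proxy, pointed at a separate mail host, or removed before an attacker finds it.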


Once you’ve identified the true IP of your target, your options for pentesting and other things grow. You’ll have the chance to attempt bypassing the protection of the reverse proxy and striking directly at the core servers.

3 Comments
  1. Thank you. Very useful

  2. Very useful. Thanks.

  3. thanks brother 😀 this helped me 1+
