
What You Should Know About Target Acquisition for Pentesting

By: V

June 30, 2016

In the pentesting and security scenes, one of the more popular methods of securing servers and websites is obfuscation and/or misinformation. If you can't find the real IP of a backend server, it's harder to accurately test for vulnerabilities, brute-force resistance, bandwidth limits or the impact of a DDoS.

This is becoming more and more common with services like CloudFlare, RackSpace Opencloud and numerous others. These services allow you to hide your servers behind a reverse proxy to mitigate DDoS, manage traffic, cache static items, etc. And, whether it's a penetration test, an investigation or some other purpose, if you can't identify the true IP of the backend server, your job is usually much, much harder.

How do we find the IP? There are numerous methods, depending on how the target's backend network has been laid out. Some will work while others will not. We'll start with the simplest, which assumes the rival system admin is a DERP and didn't configure things optimally.
  1. Trigger an error page. If the target's web developer and server admin are not savvy with security, this could be the simplest answer. Find a URL on the site that uses a GET variable for something, and then put garbage into this variable. Attempt to trigger a server or SQL error message. Occasionally these will list the webserver and its IP right away.
  2. Does the site have any form of an image downloading tool? Many sites now have a feature where, instead of uploading an image or file, you can simply put in a URL to the file or image where it exists elsewhere on the internet. If you discover one of these, simply provide a URL to a file on one of your own servers, or something you can monitor the logs of, and see what IP downloads the file.
  3. MXToolbox can be a goldmine for this, believe it or not. If the site uses notification emails, their webserver's IP is most likely listed in the SPF records. This is not always the case, but it only takes 20 seconds to check.
  4. If the target is using a shared hosting provider, their email server may be on the exact same server as well. Use MXToolbox to look up their MX records. Then, enter the IPs listed into the browser and see if you get a webserver responding. If so, you could add a HOSTS file entry pointing the target's domain name to that IP. Then, attempt to visit the site so the proper domain name appears in the headers. If it appears, you have found the correct IP.
  5. Get the site to email you. Ask for a password reset, register an account, or even private message yourself to get the site to send you some form of email notification. Most sites generate these on the same server the website is running on, so when you get the email, simply pull the source IP from the email's headers, and there you go.
  6. Check for alternate DNS records. A lot of people like to host subdomains on the same server as the main site, and in many cases, even entire other domains. ViewDNS is a website that can show a decent collection of all the common records that exist for a domain. Half the time, you get lucky and find one that leads you to the server's real IP.
  7. Use historical DNS. There are a number of sites that can be found via Google that actually list historical DNS records, and many, many sites are set up without reverse proxies at their inception. It's usually added later, after security has become an issue for them. Simply search around and find all the historical DNS records you can. Chances are, you'll find at least the old IP, and possibly the current IP as well.
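The record checks in items 3 to 6 work just as well as a self-audit: a defender who knows their own origin IP can ask which SPF mechanisms, DNS records and outbound mail headers expose it. The following is an added Python example, not code from the article or from Cybrary. The origin address, the proxy range, the zone records and the e-mail are all constructed sample values; the proxy range stands in for whatever egress list the reverse-proxy provider publishes.

```python
"""Audit where an origin server's IP leaks through SPF, DNS and mail headers.

Added example, not code from the original article. Every input below is
constructed sample data for a hypothetical zone, not a measurement of any
real domain.
"""
import ipaddress
import re
from email import message_from_string

# Hypothetical origin server and the reverse proxy's egress range (constructed).
ORIGIN_IP = ipaddress.ip_address("203.0.113.10")
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed SPF TXT record: the origin box sends the site's mail directly.
SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all"

# Constructed zone records as (name, type, value).
RECORDS = [
    ("www.example.test", "A", "198.51.100.7"),      # proxied, as intended
    ("mail.example.test", "A", "203.0.113.10"),     # MX host shares the origin box
    ("dev.example.test", "A", "203.0.113.10"),      # forgotten subdomain
    ("example.test", "MX", "mail.example.test"),
]

# Constructed password-reset notification as received by a user's mailbox.
RAW_MAIL = (
    "Received: from mx.recipient.test ([192.0.2.25])\n"
    "\tby imap.recipient.test; Thu, 30 Jun 2016 12:00:01 +0000\n"
    "Received: from mail.example.test (mail.example.test [203.0.113.10])\n"
    "\tby mx.recipient.test with ESMTP; Thu, 30 Jun 2016 12:00:00 +0000\n"
    "From: noreply@example.test\n"
    "To: user@recipient.test\n"
    "Subject: Password reset\n"
    "\n"
    "Click the link to reset your password.\n"
)


def is_behind_proxy(ip):
    """True if the address belongs to the reverse proxy's published range."""
    return any(ipaddress.ip_address(ip) in net for net in PROXY_RANGES)


def spf_leaks(spf_txt, origin=ORIGIN_IP):
    """Return the ip4: mechanisms of an SPF record that cover the origin IP."""
    leaks = []
    for token in spf_txt.split():
        if token.startswith("ip4:"):
            net = ipaddress.ip_network(token[4:], strict=False)
            if origin in net:
                leaks.append(token)
    return leaks


def record_leaks(records, origin=ORIGIN_IP):
    """Return A records (name, type, value) that resolve straight to the origin."""
    return [
        (name, rtype, value)
        for name, rtype, value in records
        if rtype == "A" and ipaddress.ip_address(value) == origin
    ]


def received_ips(raw_mail):
    """IPs from Received: headers, first hop first.

    Each relay prepends its own Received: line, so the bottom header is the
    hop closest to the sending server.
    """
    msg = message_from_string(raw_mail)
    ips = []
    for hop in reversed(msg.get_all("Received", [])):
        ips.extend(IPV4_RE.findall(hop))
    return ips


def mail_leaks(raw_mail, origin=ORIGIN_IP):
    """Received: header addresses that equal the origin IP."""
    return [ip for ip in received_ips(raw_mail) if ipaddress.ip_address(ip) == origin]


def audit(spf_txt, records, raw_mail):
    """Every place the origin address shows up, as (source, detail) pairs."""
    findings = [("SPF", tok) for tok in spf_leaks(spf_txt)]
    findings += [("DNS", f"{n} {t} {v}") for n, t, v in record_leaks(records)]
    findings += [("MAIL", ip) for ip in mail_leaks(raw_mail)]
    return findings


if __name__ == "__main__":
    for source, detail in audit(SPF, RECORDS, RAW_MAIL):
        print(f"{source:5} leaks origin: {detail}")
```

Each finding maps to a fix on the page's own list: send mail through a separate relay so SPF and the Received: chain name the relay rather than the origin, move the MX host off the web server, and proxy or retire the forgotten subdomain. The historical-DNS case (item 7) has no audit to run; the only remedy there is to change the origin address after the proxy is in place.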
 Once you've identified the true IP of your target, your options for pentesting and other things grow. You'll have the chance to attempt bypassing the protection of the reverse proxy and striking directly at the core servers.
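The bypass described above only works if the origin answers anyone who connects to it. The following added Python example (not from the article or from Cybrary) shows the origin-side control: a WSGI middleware that refuses requests whose TCP peer is not in the proxy's address range, and that honours X-Forwarded-For only when the peer is that proxy, because otherwise the header is client-controlled. The proxy range and the hello_app application are constructed placeholders.

```python
"""Origin-side check that a request arrived through the reverse proxy.

Added example, not code from the original article. PROXY_RANGES is a
constructed placeholder; a deployment would load the provider's published
egress list. The same allowlist belongs in the host firewall or security
group first; this is the application-layer second line.
"""
import ipaddress

# Hypothetical egress range of the reverse proxy (constructed value).
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def from_proxy(peer_ip):
    """True if the TCP peer address is one of the proxy's addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in PROXY_RANGES)


def client_ip(peer_ip, xff_header):
    """Resolve the real client address.

    X-Forwarded-For is trusted only when the proxy set it; the right-most
    entry is the one the proxy appended, earlier entries are client-supplied.
    """
    if from_proxy(peer_ip) and xff_header:
        return xff_header.split(",")[-1].strip()
    return peer_ip


def origin_guard(app):
    """WSGI middleware: 403 on direct hits, else fix up REMOTE_ADDR."""
    def wrapped(environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        if not from_proxy(peer):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin accepts traffic only via the reverse proxy\n"]
        environ["REMOTE_ADDR"] = client_ip(peer, environ.get("HTTP_X_FORWARDED_FOR", ""))
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Hypothetical application that echoes the address it was told."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_ADDR"] + "\n").encode()]


guarded_app = origin_guard(hello_app)


def run_request(app, peer, xff=None):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": peer}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    print(run_request(guarded_app, "198.51.100.7", "192.0.2.5"))   # via proxy
    print(run_request(guarded_app, "203.0.113.99"))                # direct hit
    print(run_request(guarded_app, "203.0.113.99", "198.51.100.7"))  # spoofed XFF
```

With the guard in place, a direct connection to the leaked origin IP gets a 403 rather than the site, and a forged X-Forwarded-For header on that direct connection changes nothing because the peer check runs before the header is read.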