What You Should Know About Target Acquisition for Pentesting
- Trigger an error page. If the target's web developer and server admin are not security-savvy, this can be the simplest route. Find a URL on the site that uses a GET variable for something and put garbage into that variable, attempting to trigger a server or SQL error message. Occasionally these messages list the web server and its IP outright.
- Does the site have any form of image-downloading tool? Many sites now offer a feature where, instead of uploading an image or file, you can simply supply a URL to a file or image hosted elsewhere on the internet. If you discover one of these, supply a URL to a file on one of your own servers (or anything whose logs you can monitor) and see which IP downloads the file.
- MXToolbox can be a goldmine for this, believe it or not. If the site sends notification emails, its web server's IP is most likely listed in the SPF record. This is not always the case, but it only takes 20 seconds to check.
- If the target is using a shared hosting provider, its email server may be on the exact same machine. Use MXToolbox to look up the MX records, then enter the listed IPs in the browser and see whether a web server responds. If so, you can add a HOSTS file entry pointing the target's domain name to that IP, then visit the site so the proper domain name appears in the Host header. If the site comes up, you have found the correct IP.
- Get the site to email you. Request a password reset, register an account, or even send yourself a private message to get the site to send some form of email notification. Most sites generate these on the same server the website runs on, so when the email arrives, simply pull the source IP from the email's headers and there you go.
- Check for alternate DNS records. Many people host subdomains on the same server as the main site, and in many cases entire other domains as well. viewdns is a website that shows a decent collection of the common records that exist for a domain. Half the time you get lucky and find one that leads you to the server's real IP.
- Use historical DNS. A number of sites, easily found via Google, list historical DNS records, and many, many sites are set up without a reverse proxy at their inception; the proxy is usually added later, once security has become an issue for them. Simply search around and find all the historical DNS records you can. Chances are you'll find at least the old IP, and possibly the current IP as well.
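The SPF and email-header items above are the two leaks a site owner can audit without touching anything but their own DNS and their own outbound mail. The script below is an added example written for this page, not code from the original post or from any tool it names: given the origin's address, the address range of the reverse proxy in front of it, the domain's SPF TXT record and one transactional email the site sent, it flags every place the origin address is disclosed. The origin IP, proxy range, SPF string and email are constructed sample values (documentation address ranges), so the script runs offline; in practice you would paste in your own record and a message your site actually sent.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample values (not from the page): the origin server that
# should stay hidden and the range the reverse proxy/CDN answers from.
ORIGIN_IP = ipaddress.ip_address("203.0.113.10")           # TEST-NET-3
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # TEST-NET-2

# Constructed SPF record: the second ip4 mechanism leaks the origin.
SAMPLE_SPF = "v=spf1 ip4:198.51.100.5 ip4:203.0.113.10 include:_spf.example.net -all"

# Constructed password-reset email: the inner Received: hop names the origin.
SAMPLE_EMAIL = """Received: from edge.example.net (edge.example.net [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <user@recipient.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from www.example.com (www.example.com [203.0.113.10])
\tby edge.example.net (Postfix) with ESMTP id DEF456;
\tMon, 01 Jan 2024 09:59:59 +0000
From: noreply@example.com
To: user@recipient.example
Subject: Password reset

Reset link follows.
"""

# Bracketed IPv4 or IPv6 literal as written by MTAs in Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)\]")


def spf_addresses(record):
    """Return every literal ip4:/ip6: mechanism in an SPF record as a network."""
    nets = []
    for term in record.split():
        m = re.match(r"^[+\-~?]?ip[46]:(.+)$", term)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def spf_exposures(record, origin_ip=ORIGIN_IP):
    """SPF networks that contain the origin address, i.e. that disclose it."""
    return [str(n) for n in spf_addresses(record) if origin_ip in n]


def received_hops(raw_email):
    """Bracketed source IPs of every Received: header, outermost hop first."""
    msg = message_from_string(raw_email)
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_IP.search(header)
        if m:
            hops.append(ipaddress.ip_address(m.group(1)))
    return hops


def received_exposures(raw_email, origin_ip=ORIGIN_IP):
    """Received: hops that name the origin address directly."""
    return [str(h) for h in received_hops(raw_email) if h == origin_ip]


def audit(record, raw_email, origin_ip=ORIGIN_IP):
    """Collect every disclosure of the origin address, keyed by its source."""
    findings = {}
    spf = spf_exposures(record, origin_ip)
    if spf:
        findings["spf"] = spf
    rcv = received_exposures(raw_email, origin_ip)
    if rcv:
        findings["received"] = rcv
    return findings


if __name__ == "__main__":
    for source, addrs in audit(SAMPLE_SPF, SAMPLE_EMAIL).items():
        print(f"{source}: origin address disclosed via {', '.join(addrs)}")
```

The fix on the SPF side is to publish only the addresses mail is actually relayed from (the proxy or a dedicated mail host) and route the site's notification mail through that relay, so neither the record nor the first Received: hop ever carries the origin. The email check only looks at hops that equal the origin exactly, because a real message also collects the recipient's own internal hops, which are outside PROXY_RANGES but are not leaks.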
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybrary's blog to be seen by thousands of infosec readers daily!