All right, so we're gonna start with some open source intelligence gathering. We're not going to directly talk to any of our other virtual machines at this point. For this section you are allowed to run these exercises against any domain that you'd like. This part is perfectly legal; all we're really doing is searching information that is available publicly on the Internet. So you don't have to just do the same ones I do. Any domain you find: your domain, your company's domain, your worst enemy's domain, anything you like. But of course, when we do switch back and start talking to our virtual machines again, we will want to keep that within the lab, because we will be actually performing attacks. We need to keep that within the lab. But for this open source intelligence gathering section, we can use any company we like.

All right, so I'm gonna try a couple different ones. I'm gonna do bulbsecurity.com. That's my company, but it's naturally pretty small, so you won't get quite as interesting results as we might with some larger organization. So I might switch back and forth, but again, feel free to run these exercises against anyone you like. In fact, it will be much more interesting for you if you do.
The first thing I want to know is just a little bit of basics about it, so I'll do a whois lookup on the domains. I'll start with bulbsecurity.com. This is gonna give us information, basically from the registrar, on who owns this domain. We might be able to get some interesting information out of this; then again, we might not. Looks like bulbsecurity.com is... people told me I should switch it, but I don't really have the time to go through all the trouble right now. Um, but it is registered with Domains by Proxy, so basically I pay a little bit extra to hide my information in whois lookups. So you may find that this is true with the organizations you work with. That's basically all it says; not a lot to get out of here, is there?

But I actually have another one. I set it up badly on purpose, because you may find that you can find some interesting information with whois. My own name, dot com. The whois lookup for this one is a little bit more interesting, like we have an email address. That's not my primary email address; it's a dummy email address. But this is actually where I used to live. It's not my apartment anymore, but at the time it was, so it's kind of inviting, and I'd draw attention here to the fact that it even has the apartment number where I lived at the time. And that was also my phone number at one point as well. So none of this information is still true, so if you come and try and show up at my door, you will be sorely disappointed. But this is an example of what it may look like if they don't use Domains by Proxy: then information about the individual or organization is theoretically available here.

You may find, mine are the same for the admin and the tech contacts, but you may find some phone numbers, even addresses or a location. So if you're going to do any phishing later to try and get people to click on links in emails, or do some cold calling trying to get more information, you might be able to find a good place to start here. That was a valid number. The email goes to an account I never check, but it is still valid. There's a little bit there.
Another thing I might be interested in is DNS names, or domain names. Probably there's www.bulbsecurity.com, but I wonder, is there, like, mail.bulbsecurity.com, or ftp.bulbsecurity.com, or any other bulbsecurity.coms? That would be the next point I might want to take a look at. So there's a few different tools built in for this. There's dig, there's nslookup, the host command, and so on.

So let's start with nslookup. If you have one that you'd rather use, by all means just use that. But if I did, like, nslookup on bulbsecurity.com, it'll give me the IP address of bulbsecurity.com. That IP address is shared hosting; it's also the IP address of other sites, as we'll see a bit later.

I might also be interested in things like mail servers. If I do, like, nslookup, just hit enter, and then set type=MX, and then say bulbsecurity.com. MX is short for, basically, mail server, mail exchange. It's gonna ask: what are the mail servers for bulbsecurity.com? And they are all actually Google servers in this case, so those will probably be out of scope for your pentest. Chances are you won't be able to go after Google Apps, but if the organization that you were testing hosts their own mail servers, those may be in scope, additional hosts we might be able to attack. So, quit's not the right answer; exit.

And so we're doing nslookup, set type=MX again, and say we want, say, how about cisco.com, one of the big ones that looks like they have their own mail servers. All I'm doing is a basic query here, so I'm not crossing the line of legality just by asking them what their mail servers are. If I actually started attacking the mail servers at cisco.com, that would be a different matter. But just for this part, again, you're welcome to try different organizations.

I may also want, like, name servers. I could say set type=NS for name server, bulbsecurity.com. I don't host my own name servers either; that's just domaincontrol.com. But again, if I do cisco.com, looks like they in fact do host their own name servers. So again, these would be additional hosts that might be in scope for our pentest.
So naturally, my question would be: can I get all of the hosts that are owned by such and such a domain? Would it be possible for me to just get a list? Hopefully, the answer to that is no. There is something called a zone transfer for DNS, which, as the name implies, involves taking the zone for a domain and transferring it. Well, it's theoretically between different name servers: the primary would transfer to the secondary or other slaves. But you could actually just get it, if it's set up to do so, to send its zone file to you as well. So you get a complete list of all of the domain names and their associated IPs for a certain domain. But hopefully this should be turned off. It is definitely a best practice, and I always test for this on any of my clients. I have seen it come up on a rare occasion, and I definitely let them know that they should turn that off. But typically, you'll see that this is turned off.

I'll use the host command for this one. Again, there's different ways to do this. First thing I need to know is the name servers, so the type is name server, -t ns in this case, and I'll tell it I want the name servers for bulbsecurity.com. So again, those are my two domaincontrol.com servers. And then, if I try and do a domain zone transfer, the correct syntax is -l, and then the domain that I want, bulbsecurity.com, and then I tell it the name server to try and transfer from. domaincontrol.com does not allow zone transfers. Try the other one as well. Indeed, it doesn't allow me to do a zone transfer.

An example of a domain that is set up to allow zone transfers is zonetransfer.me. Name servers for zonetransfer.me: again, that's host -t ns, and then the name servers. Then host -l asks for the zone transfer if it's available; I tell it that I want information about zonetransfer.me. Let's start with the first name server, then the other one. And there we have it. Looks like they have an office in Australia, a DB, email, an internal office IPv6 address, ooh, all TCP ports open. The different IP addresses are there with their associated fully qualified domain names. So this would give us additional potential targets if we were pentesting zonetransfer.me. But of course this should be turned off; still, it's something I always check for.
But if we can't do that, our question is: can we still find additional fully qualified domain names, additional hosts we could attack? And naturally, the same way we deal with everything else, we can always just let the computer basically check for us. I mean, we could sit there and ask, you know, what is... how about nslookup ftp.bulbsecurity.com? Well, there is an ftp.bulbsecurity.com. What about mail.bulbsecurity.com? Okay, it looks like it at least gives something. How about blah.bulbsecurity.com? Nothing there. So we could just go through every possible domain name we could think of, or we could let the computer do it for us. This is pretty typical in anything computer science; really, computers are really good at doing repetitive tasks that are really boring to people. So we could build a list of domains and then have it basically cycle through and do nslookup or equivalent on all of them and see what comes back with an answer and what doesn't. Naturally, people wrote some tools for that.

One of them is fierce. It is a Perl script. It has the -dns switch with the domain after it. Doing it on bulbsecurity.com won't come up with very much, so how about microsoft.com for this one, one that has a few more names. First it tries a zone transfer; it doesn't work. Now it's going through and basically brute forcing the first part of the fully qualified domain name. It's basically running through a file, and you can give it a different file for that, but it's using its default. And indeed, there are quite a lot of hosts for microsoft.com. It's just putting in, like, x.microsoft.com, probably a for loop where x is something from that file, and it just loops through. So, fairly typical: letting the computer do it for us, like we did when we did our scripting examples earlier in the class.

So then it's finding a lot of stuff for microsoft.com. cisco.com probably won't have quite as many. Let's do cisco.com. Microsoft is pretty large, so a little bit smaller here. Looks like Microsoft had, like, a zillion; not quite as many, but still, we're getting a lot of results. But if you're working with a small company it might be much smaller, like bulbsecurity.com doesn't really come up with much at all. I could just sit here like this for a while, and I think it'll find ftp, but there's just not that many hosts in that case, so nothing to be alarmed about; it's a smaller organization. If you do, like, small local banks and local businesses, they probably don't have that many hosts. So that gives us some additional targets. You may or may not even need to do this. I typically do, unless my client tells me not to, to give them an idea of what their Internet presence is. But typically your client will say these are the IP addresses you need to test, but you may find yourself doing a complete black box test; really, "we're so-and-so.com, have at it", in which case something like this would
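As an added example, not part of the lecture and not fierce's own code, here are the two checks above in Python: the equivalent of `host -l` against each name server from `host -t ns` (which should come back refused on a well-configured zone), and the wordlist loop fierce falls back to. It assumes dnspython is installed for the default AXFR; both network calls are injectable, and the wordlist is a short constructed stand-in for fierce's hosts file.

```python
"""Zone-transfer check plus a fierce-style wordlist walk.

Both network calls are injectable so the logic runs offline; the default AXFR
uses dnspython (assumption: it is installed), the default lookup uses socket."""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for fierce's hosts wordlist (assumption: a short list).
WORDLIST = ["www", "mail", "ftp", "ns1", "ns2", "vpn", "dev"]


def default_axfr(domain: str, nameserver: str) -> Optional[List[str]]:
    """Ask `nameserver` for the whole zone; None means it refused (the good case)."""
    import dns.exception, dns.query, dns.zone  # optional dependency, imported lazily
    try:
        ip = socket.gethostbyname(nameserver)  # dnspython wants an address, not a name
        zone = dns.zone.from_xfr(dns.query.xfr(ip, domain, lifetime=5))
    except (dns.exception.DNSException, OSError, EOFError):
        return None
    return [str(name) for name in zone.nodes]


def check_zone_transfer(domain: str, nameservers: Iterable[str],
                        axfr: Callable[[str, str], Optional[List[str]]] = default_axfr,
                        ) -> Dict[str, Optional[List[str]]]:
    """`host -l <domain> <ns>` against each server: leaked names, or None if refused."""
    return {ns: axfr(domain, ns) for ns in nameservers}


def enumerate_hosts(domain: str, words: Iterable[str] = WORDLIST,
                    resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """The loop fierce runs when AXFR fails: resolve <word>.<domain> per wordlist entry."""
    found: Dict[str, str] = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        try:
            found[fqdn] = resolve(fqdn)
        except OSError:  # socket.gaierror: NXDOMAIN, nothing there
            continue
    return found


if __name__ == "__main__":
    import sys
    domain, *servers = sys.argv[1:]  # e.g. example.com ns1.example.com ns2.example.com
    for ns, names in check_zone_transfer(domain, servers).items():
        state = ("refuses AXFR (expected)" if names is None
                 else f"ALLOWS AXFR, {len(names)} names leaked: turn this off")
        print(f"{ns}: {state}")
    for fqdn, ip in enumerate_hosts(domain).items():
        print(f"{fqdn} -> {ip}")
```

Run it only against domains you own or are authorized to test, as the lecture says; against your own name servers the AXFR line should read "refuses".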