CNIT 124: Advanced Ethical Hacking
Ch 5: Information Gathering
OSINT
Open Source Intelligence
Useful Info for a Pentest
• Employees who talk too much
– Twitter, Facebook, etc.
• Archived listservs may have technical questions
• What software and hardware are they using?
– Defenses such as firewalls
– Security problems
– Extra systems like ActiveMQ
Netcraft
• Try ccsf.edu
Whois
CCSF.EDU
• Normal record
• Informative
• Compare to
kittenwar.com
• Privacy protections
Whois Limitations
• Data can be fake or concealed
• "whois microsoft.com" has a strange result
(NSFW) because it searches the whole
FQDN, so people have added joke records
• Seems to no longer work as of 9-16-17
Whois Limitations
DNS Queries
• dig samsclass.info
• dig samsclass.info aaaa
• dig samsclass.info ns
• dig samsclass.info soa
• dig samsclass.info any
• Link Ch 5a
Dig at a specific server
• dig samsclass.info any
– 10 records
• dig @8.8.8.8 samsclass.info any
– 18 records
• dig @coco.ns.cloudflare.com samsclass.info any
– 10 records
DNS Cache Snooping Demo
• Make a new DNS record
• dig +norecurse @109.69.8.51 test360.samsclass.info
• Shows record, if it's in the cache
• dig @109.69.8.51 test360.samsclass.info
• Caches record
Find a Public Resolver
• Link Ch 5d
Nonrecursive Query
• Server has no data in its cache
• Doesn't ask other servers (nonrecursive)
• Finds no answer
– Command works the same way on Kali Linux and Mac OS X
Recursive Query
• DNS server asks other servers and finds the record
• Note its TTL starts at 3600 seconds
Nonrecursive Query
• Now the data is in the cache
• This shows that someone has resolved that site on this server recently
Demo: puntCAT Server
• Cache Snooping works simply on a single server
• Public DNS Servers: Link Ch 5j
Demo: OpenDNS Cluster
• One recursive query puts it in one cache
• Cached record observed in 3/12 queries
Demo: OpenDNS Cluster
• Ten recursive queries puts it in more caches
Demo: OpenDNS Cluster
• Cached record observed in 6/10 queries
Watching TTL Count Down
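A small check of the cache-snooping logic above, added here as an example and not part of the slides: it reads the text that `dig +norecurse` prints (constructed sample output with a made-up address), decides whether the record was cached, estimates from the remaining TTL how long ago the record was fetched, and tallies hits across repeated queries to a cluster. A resolver operator can use the same parsing to confirm whether their own server answers nonrecursive queries from cache.

```python
import re

# Constructed sample outputs (not real captures) from `dig +norecurse`
# against a recursive resolver, trimmed to the parts that matter.
CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
test360.samsclass.info.\t2412\tIN\tA\t192.0.2.10
"""
NOT_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

ANSWER_COUNT = re.compile(r"ANSWER:\s*(\d+)")
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$", re.M)

def parse_norecurse(output):
    """Return (cached, remaining_ttl) for one nonrecursive query.

    A resolver that honours +norecurse only answers from its cache, so a
    non-zero ANSWER count means someone resolved the name on it recently."""
    m = ANSWER_COUNT.search(output)
    if not m or int(m.group(1)) == 0:
        return False, None
    start = output.find(";; ANSWER SECTION:")
    rec = RECORD.search(output, start if start >= 0 else 0)
    return (True, int(rec.group(2))) if rec else (False, None)

def seconds_since_cached(remaining_ttl, original_ttl=3600):
    """The cached TTL counts down from the zone's TTL (3600 s in the demo),
    so the difference estimates how long ago the record was fetched."""
    return original_ttl - remaining_ttl

def cache_hit_ratio(outputs):
    """For a resolver cluster (e.g. OpenDNS), each query may land on a
    different cache; count how many of the outputs show the record."""
    hits = sum(1 for out in outputs if parse_norecurse(out)[0])
    return hits, len(outputs)

if __name__ == "__main__":
    cached, ttl = parse_norecurse(CACHED)
    print("cached:", cached, "remaining TTL:", ttl,
          "fetched about", seconds_since_cached(ttl), "s ago")
    print("cluster hits: %d/%d" % cache_hit_ratio([CACHED, NOT_CACHED, NOT_CACHED]))
```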
Zone Transfers
• First find SOA
Performing Zone Transfer
University System of Georgia
• 1038 records
• Link Ch 5e
Fierce DNS Scanner
• Included in Kali
• Attempts a zone transfer
• Then brute-forces domain names
Fierce on Zonetransfer.me
DNSqueries.com
• Link Ch 5h
Searching for Email Addresses
theHarvester
• Searches Google, Bing, and other sources for email addresses
• Also finds sites hosted at the same IP
Maltego
Port Scanning
Manual Port Scanning
• Some services show a banner as soon as a connection is made
• The banner could be deceptive, however
• Many services, like HTTP and DNS, don't deliver a banner so easily
Nmap SYN Scan
• -sS switch
• Sends SYN, listens for SYN/ACK
• Doesn't complete the handshake, just sends a RST
Nmap Scan Limitations
• Nmap is so popular, IDS and IPS systems often detect it
• They may block all results
SYN Scan of Server 2008
Took 40 sec.
Version Scan
• -sV switch
• Grabs banners to determine version
Version Scan of Windows 2008
Took 110 sec.
UDP Scans
• -sU switch
• Sends packets to commonly-used UDP ports
• Packets are valid service requests
• Servers running on default ports will reply
• Closed ports return an "ICMP Unreachable" packet
• Cannot tell an open port that doesn't reply from a filtered port
UDP Scan of Windows 2008
Took 1200 sec.
Scanning Specified Ports
• By default, Nmap scans 1000 "interesting" ports
• You can specify ports with the -p switch
• -p 80 will scan one port
• -p 23,25,80 will scan three ports (no spaces in the list, or Nmap treats the later numbers as targets)
• -p 1-65535 will scan them all (slow)
Nmap Version Scan Crashes Server
• Rarely happens, but is a possibility