Welcome to Recon - Part 2 where we will look at our target's website to gather information. We will also look for some information on subdomains since we can often find other targets or juicy information with those subdomains.
First, I log on to the website and gather as much information as I can. Items of note are names, addresses, phone numbers, products or services offered, customer or project lists, and the like. Looking at the page source is also a good way to find hidden jewels of information. Also of note would be any subdomains in use, since those can sometimes lead to other systems.
One way to find those subdomains is to query Google. Using the "site:" search operator you can enumerate them.
Start with a search for:
"site:domain.ext"
Take the result and subtract the search for that subdomain:
"site:domain.ext -site:sub.domain.ext"
Take that result, add the newly found subdomain to the exclusion list, and repeat; you can find a lot of sites that way. This is long and tedious though, and there must be an easier way. Well, there is!
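The site:/-site: subtraction loop described above, automated as an added Python example that is not from the original post or from gxfr; it is the kind of check a team can run to inventory the subdomains of a domain it is authorized to assess. The search engine is replaced by a constructed offline stub (fake_search over SAMPLE_INDEX, capped at 3 hits per query to mimic a result page), and enumerate_subdomains and build_query are assumed names:

```python
import re
from typing import Callable, Iterable, List, Set

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def hostnames(urls: Iterable[str]) -> Set[str]:
    """Lower-cased hostnames of the result URLs (non-URL junk is skipped)."""
    return {m.group(1).lower() for m in map(HOST_RE.match, urls) if m}

def build_query(domain: str, exclude: Iterable[str]) -> str:
    """'site:domain.ext' plus one '-site:' term per subdomain already seen."""
    return " ".join([f"site:{domain}"] + [f"-site:{h}" for h in sorted(exclude)])

def enumerate_subdomains(domain: str, search: Callable[[str], List[str]],
                         max_rounds: int = 20) -> Set[str]:
    """Repeat the site:/-site: subtraction until a round surfaces nothing new."""
    found: Set[str] = set()
    for _ in range(max_rounds):
        # Never subtract the apex itself: '-site:example.com' would hide everything.
        urls = search(build_query(domain, found - {domain}))
        new = {h for h in hostnames(urls) if h == domain or h.endswith("." + domain)} - found
        if not new:
            break
        found |= new
    return found

# Constructed, offline stand-in for a search engine: a tiny URL index and a
# query evaluator that honours site:/-site: but returns only 3 hits per query,
# which is exactly why the subtraction trick is needed to surface the rest.
SAMPLE_INDEX = [
    "https://www.example.com/", "https://www.example.com/about",
    "https://www.example.com/contact", "https://mail.example.com/owa",
    "https://vpn.example.com/", "https://dev.example.com/admin",
    "https://www.example.org/",  # unrelated domain, must never be reported
]

def fake_search(query: str, page_size: int = 3) -> List[str]:
    terms = query.split()
    include = [t[len("site:"):] for t in terms if t.startswith("site:")]
    exclude = [t[len("-site:"):] for t in terms if t.startswith("-site:")]
    def matches(url: str) -> bool:
        host = HOST_RE.match(url).group(1).lower()
        covers = lambda site: host == site or host.endswith("." + site)
        return any(map(covers, include)) and not any(map(covers, exclude))
    return [u for u in SAMPLE_INDEX if matches(u)][:page_size]

if __name__ == "__main__":
    print(sorted(enumerate_subdomains("example.com", fake_search)))
```

With the stub, the first query only shows www pages, the second (with -site:www.example.com) surfaces mail, vpn and dev, and the third returns nothing, so the loop stops after three rounds.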
A great tool to do this is GXFR by Tim Tomes (@LaNMaSTeR53). The syntax is very simple, and the tool can also query Bing (though you need a Bing API key for that).
# python gxfr.py --gxfr --dns-lookup
You will be prompted for a domain name and the tool will do its job. If you want to save the output, just pass the -o option and you will be prompted for the output file name. You can then review the output to see whether other systems or pages are available for you to attack (of course only if they are in scope). Often, this type of recon will uncover hidden administrative pages that were never intended to be publicly accessible, and at a minimum it will give you a better picture of your target environment.
Well, that is it for now. Recon - Part 3 will focus on Whois lookups to determine our target's IP ranges.
Wednesday, January 22, 2014
Recon - Part 1 - Intro
To begin any penetration test engagement I always start with at least a full day of recon. Depending on the type of engagement, I might start with more or less information, but for the purposes of this article I will start knowing nothing but the company name and domain name. There are a number of tools to help with the process; I will not go too deep into them, but will mention some of the ones I use.
Since recon is such an important process in a penetration test, I will make this a multiple part post, and will update this post with links to the other parts as they are written. So how do I start?
We will look through Whois Recon, Google Searching, Website Crawling, and some other methods of recon. In Recon Part 2, we will look at the simplest method for gaining information on a target organization, by using their own website. Part of this will also look at possible subdomains the target might have.