This first step is essential for everything that follows: without the collected information, we would be unable to exploit the vulnerabilities of a network or system.
We will first look at the methods used to collect information, and then at techniques to protect against these methods.
1 Google Hacking
The features offered by the Google engine go beyond simple word search. Google hacking is a technique that diverts Google's information-retrieval power to find sensitive data and look for vulnerabilities.
| Filter syntax | Description |
|---|---|
| inurl | Returns pages whose URL contains the pattern given as argument. Example: inurl:admin |
| intext | Searches for a pattern in the page content. Example: intext:mysql_connect |
| site | Restricts the search to the site given as argument. |
| link | Returns pages containing a link to the pattern given as argument. |
| info | Retrieves information about the site given as argument. Example: info:www.kernel.org |
2 Public and private DNS Analysis
Each machine on an IP network is identified by an address, a 32-bit number for IPv4 and a 128-bit number for IPv6. The DNS is a way to assign a name to each IP address and vice versa. DNS analysis consists in finding the correspondence between a domain name and an IP address by querying the name servers; there are tools that automate this task.
The result of an "nslookup" query is as follows:
| Output line | Meaning |
|---|---|
| Server : 127.0.0.1 | DNS server used by the workstation |
| Address : 127.0.0.1#53 | The DNS server's IP address and port |
| Non-authoritative answer : | The DNS server is not authoritative for cible.fr |
| Name : cible.fr | The domain name sought |
| Address : xxx.xx.30.5 | The IP address of cible.fr |
By default, the "nslookup" command queries the DNS server for records of type A, which map a host name to an IPv4 address (32 bits).
To identify the authoritative name servers for our domain, we use "NS" as the record type.
[Figure: nslookup result]
The "host" command queries the name servers. It can be used, for example, to detect faults on a network (servers that are out of service).
"Dig" is a tool for testing and querying a DNS server. Other commands such as "host" and "nslookup" provide the same kind of information, but "dig" has the advantage of presenting it in a form directly usable in a DNS zone configuration file.
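As an added example (not code from the original article), the following Python script parses dig-style answer lines, the zone-file form mentioned above, and derives from them the name/IP correspondence and the authoritative NS servers that the nslookup and dig steps look for. The sample output is constructed: cible.fr is the article's placeholder domain and the 192.0.2.x addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of dig's ANSWER and AUTHORITY sections
# (owner, TTL, class, type, rdata). Not real data.
DIG_OUTPUT = """\
;; ANSWER SECTION:
cible.fr.		3600	IN	A	192.0.2.5
www.cible.fr.		3600	IN	CNAME	cible.fr.
cible.fr.		3600	IN	MX	10 mail.cible.fr.
mail.cible.fr.		3600	IN	A	192.0.2.8

;; AUTHORITY SECTION:
cible.fr.		86400	IN	NS	ns1.cible.fr.
cible.fr.		86400	IN	NS	ns2.example.net.
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_dig(output):
    """Return (owner, ttl, type, rdata) tuples from dig output, skipping
    ';;' comment lines and blank lines. Trailing dots on names are removed."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # tolerate unexpected lines rather than abort
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner.rstrip("."), int(ttl), rtype, rdata.rstrip(".")))
    return records

def correspondence(records):
    """Name <-> IP correspondence from the A records: returns two dicts,
    host name -> [IPv4] and IPv4 -> [host name]."""
    forward, reverse = defaultdict(list), defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            forward[owner].append(rdata)
            reverse[rdata].append(owner)
    return dict(forward), dict(reverse)

def authoritative_servers(records):
    """Authoritative name servers for the zone (NS records), sorted."""
    return sorted(rdata for _o, _t, rtype, rdata in records if rtype == "NS")
```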
2.4 whois
The "whois" command tells us who owns the domain, who the administrators of the domain name are, when the registration was renewed, etc.
2.5 Theharvester & ReverseRaider
"The harvester" is a very powerful information-gathering utility implemented in Python. It retrieves email accounts, user names, domain names, virtual domains and sub-domains from various public sources such as search engines (Google, Bing, ...) and mail servers (PGP key servers, ...), and it gives the IP addresses associated with each name.
"ReverseRaider" is a domain scanner that uses brute force. It enumerates the sub-domains of a given domain using word lists.
The commands used for this part are:
$ ./reverseraider -d cible.fr -w wordlists/fast.list
$ ./reverseraider -d cible.fr -w wordlists/services.list
$ ./reverseraider -d cible.fr -w wordlists/word.list
$ ./theHarvester.py -d cible.fr -l 500 -b google
$ ./theHarvester.py -d cible.fr -l 500 -b bing
The options used in these commands are:
- -d : the domain to search.
- -w : a file containing a list of words.
- -l : limit the number of results.
- -b : the search engine to use.
The results, a list of the discovered hosts with their IP addresses, have been removed for privacy.
2.6 DNS lookup
This online tool lets us study the target domain name, its associated IP address and its mail server.
http://www.magic-net.info/dns-lookup.dnslookup?fname=cible.fr
[Figure: DNS lookup result]