This tutorial will demonstrate how to perform reconnaissance against internet targets. If you have anything to add, please post.
Discovery
There are various methods of enumerating the netblocks of your target, but to start, perform the following:
Code:
whois -h cymru.whois.arin.net <target IP> > file.txt
If a specific IP has no ASN associated with it, then that IP address is not announced on the internet and is therefore not routable.
Code:
whois -h whois.cymru.com 207.168.119.1
querying whois.cymru.com
whois.cymru.com
ASN|IP|Name
4565|207.168.119.1|EPOCH-INTERNET - Epoch Network
To perform bulk queries, create a text file in this format:
begin
207.168.119.135
207.168.119.136
142.5.0.1
end
Feed the text file to whois by using netcat.
Code:
./netcat whois.cymru.com 43 < ip_list.txt | sort -n > ip_list_asn.txt
Look through the results for ASN numbers to determine if the netblocks are routable.
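As an added example (not part of the original post), a small Python parser for the ASN|IP|Name output of the bulk query above, which separates addresses that come back with an announcing ASN from those that do not, i.e. the unroutable ones. The sample output below is constructed from the page's single-IP result; the "NA" marker for addresses with no announcing AS is an assumption about the service's output format.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class AsnRecord(NamedTuple):
    asn: Optional[int]  # None when the AS column is "NA" (no announcing AS)
    ip: str
    name: str


def parse_cymru_bulk(text: str) -> List[AsnRecord]:
    """Parse 'ASN|IP|Name' lines from a Team Cymru bulk whois response.

    Banner lines (no '|') and the column header are skipped; a line whose
    IP field does not parse as an address is ignored as garbage.
    """
    records: List[AsnRecord] = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3:
            continue
        asn_field, ip, name = fields[0], fields[1], " | ".join(fields[2:])
        if asn_field.isdigit():
            asn: Optional[int] = int(asn_field)
        elif asn_field.upper() == "NA":  # assumed marker for unannounced space
            asn = None
        else:
            continue  # column header such as 'AS | IP | AS Name'
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        records.append(AsnRecord(asn, ip, name))
    return records


def split_by_routability(records: List[AsnRecord]) -> Tuple[Dict[int, List[str]], List[str]]:
    """Group routable IPs by their ASN and collect the unrouted ones separately."""
    routed: Dict[int, List[str]] = {}
    unrouted: List[str] = []
    for rec in records:
        if rec.asn is None:
            unrouted.append(rec.ip)
        else:
            routed.setdefault(rec.asn, []).append(rec.ip)
    return routed, unrouted


# Constructed sample response; the first data line mirrors the page's result.
SAMPLE = """Bulk mode; whois.cymru.com [constructed sample]
AS      | IP               | AS Name
4565    | 207.168.119.1    | EPOCH-INTERNET - Epoch Network
4565    | 207.168.119.135  | EPOCH-INTERNET - Epoch Network
NA      | 142.5.0.1        | NA
"""
```

Feeding the saved ip_list_asn.txt to parse_cymru_bulk() instead of SAMPLE gives the same routed/unrouted split for a real query, which is also a quick way to confirm that your own address blocks are actually being announced.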
You can also log in to a BGP router connected to the internet and display the routes for an ASN:
Code:
telnet route-views.oregon-ix.net
Username: rviews
route-views.oregon-ix.net> show ip bgp regexp _31830$
BGP table version is 2197815, local router ID is 198.32.162.100
Status codes: s suppressed, d damped, h history, * valid, > best, i -internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 63.71.89.0/24 64.125.0.137 119 0 6461 701 31830 i
* 193.0.0.56 0 3333 3356 701 31830 i
* 207.46.32.34 0 8075 701 31830 i
* 209.10.12.125 4103 0 4513 13789 701 31830 i
<truncated>
Learn more here:
http://www.team-cymru.org/Services/ip-to-asn.html
Once you have netblocks for your target, check BIND versions and attempt zone transfers against the name servers:
Code:
dig @ns1.example.com version.bind txt chaos
dig @ns1.example.com example.com axfr
or
Code:
perl fierce.pl -dns example.com
If the zone transfers are successful, you now have a list of target IPs. Clean up your list so only the IP addresses remain. The easiest method is to open the IP list in Excel and apply a filter. Now feed the IP list to nmap:
Code:
nmap -sS -P0 -iL ip_ranges.txt -p 21,22,23,25,53,79,80,81,88,110,111,113,135,139,143,254,264,265,443,445,1026,1027,1433,1434,1494,1521,1723,2049,2001,2301,2381,3389,4001,4662,5631,6000,6001,8080,10000 --max_rtt_timeout 2000 -oA formatted_list
You can now take the output files and run them through the nmap report generator:
http://forums.remote-exploit.org/showthread.php?t=13134
At this point, you should have a list of IP addresses with open ports. Let's target a few of the ports.
21 - FTP - If you see port 21 open, attempt to connect. Record the login banner and try "anonymous" as the username. If that is not successful, you may want to try running medusa against it to brute force.
Code:
medusa -h host -U logins.txt -P passwords.txt -O results.txt -M ftp
25 - SMTP - Connect to the SMTP server and attempt to enumerate valid users. You can use this to target specific employees within the company through phishing or brute force attacks at login pages.
Code:
nc mail.example.com 25
expn root
expn test
vrfy someone@example.com
quit
80 - HTTP - Look for HTTP methods that are not necessary, namely PUT. If you find it enabled, then you may be able to upload your own files to the server. Use put.pl to transfer cmd.asp to the server. Both files should be on BT3.
Code:
curl -I -X OPTIONS www.example.com
That should get you started. Follow up with a nessus scan:
http://forums.remote-exploit.org/showthread.php?t=13127
Some additional tools I use that are not based on BackTrack are:
LDAPMiner
Acunetix Web Vulnerability Scanner
N-Stalker Free Edition
SNScan
If you have anything to add, please do!
William