This tutorial will demonstrate how to perform reconnaissance against internet targets. If you have anything to add, please post.
There are various methods of enumerating the net blocks of your target. But to start, perform the following:
whois -h cymru.whois.arin.net > file.txt
whois -h whois.cymru.com 188.8.131.52
4565|184.108.40.206|EPOCH-INTERNET - Epoch Network
If a specific IP does not have an ASN number associated with it, then that IP address is not routable.
To perform bulk queries, create a text file in this format:
Feed the text file to whois by using netcat.
./netcat whois.cymru.com 43 <ip_list.txt |sort -n > ip_list_asn.txt
Look through the results for ASN numbers to determine if the netblocks are routable.
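To do that check without reading the file by eye, here is an added example (not from the original post) that builds the bulk query file in the begin/end layout Team Cymru's bulk service expects, parses the pipe-delimited ASN|IP|AS Name replies shown above, and separates addresses that came back with no ASN. The reply text is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a bulk-mode reply from whois.cymru.com: a banner line,
# a column header, then ASN|IP|AS Name records. "NA" in the AS column means no
# origin AS was found for that address (the post's "not routable" case).
SAMPLE_REPLY = """Bulk mode; whois.cymru.com [2008-01-01 00:00:00 +0000]
AS      | IP               | AS Name
4565    | 184.108.40.206   | EPOCH-INTERNET - Epoch Network
NA      | 10.0.0.1         | NA
701     | 188.8.131.52     | EXAMPLE-AS - constructed name
"""


def build_bulk_query(ips: List[str]) -> str:
    """Wrap the address list in the begin/end markers the bulk service expects;
    this is the file the netcat command in the post feeds to port 43."""
    cleaned = [ip.strip() for ip in ips if ip.strip()]
    return "begin\n" + "\n".join(cleaned) + "\nend\n"


def parse_cymru_output(text: str) -> List[Dict[str, str]]:
    """Turn reply lines into records, skipping the banner and column header."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        # A data line has at least three columns and an ASN that is digits or "NA".
        if len(fields) < 3 or not re.fullmatch(r"\d+|NA", fields[0]):
            continue
        records.append({"asn": fields[0], "ip": fields[1], "as_name": fields[2]})
    return records


def split_by_routability(records: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (routed, unrouted): addresses with an ASN versus those marked NA."""
    routed = [r["ip"] for r in records if r["asn"] != "NA"]
    unrouted = [r["ip"] for r in records if r["asn"] == "NA"]
    return routed, unrouted


if __name__ == "__main__":
    print(build_bulk_query(["184.108.40.206", "10.0.0.1"]), end="")
    routed, unrouted = split_by_routability(parse_cymru_output(SAMPLE_REPLY))
    print("routed:", routed)
    print("no ASN:", unrouted)
```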
You can also login to a BGP router connected to the internet and display the route:
route-views.oregon-ix.net> show ip bgp regexp _31830$
BGP table version is 2197815, local router ID is 220.127.116.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 18.104.22.168/24 22.214.171.124 119 0 6461 701 31830 i
* 126.96.36.199 0 3333 3356 701 31830 i
* 188.8.131.52 0 8075 701 31830 i
* 184.108.40.206 4103 0 4513 13789 701 31830 i
Learn more here:
Once you have netblocks for your target, check BIND versions and perform zone transfers against the name servers:
dig @ns1.example.com version.bind txt chaos
dig @ns1.example.com axfr
perl fierce.pl -dns example.com
If the zone transfers are successful, you now have a list of target IPs. Clean up your list so only the IP addresses remain. The easiest method is to open the IP list in Excel and apply a filter. Now feed the IP list to nmap:
nmap -sS -P0 -iL ip_ranges.txt -p 21,22,23,25,53,79,80,81,88,110,111,113,135,139,143,254,264,265,443,445,1026,1027,1433,1434,1494,1521,1723,2049,2001,2301,2381,3389,4001,4662,5631,6000,6001,8080,10000 --max_rtt_timeout 2000 -oA formatted_list
You can now take the output files and run them through the nmap report generator:
At this point, you should have a list of IP addresses with open ports. Let's target a few of the ports.
21 - FTP - If you see port 21 open, attempt to connect. Record the login banner and try "anonymous" as the username. If that is not successful, you may want to try running medusa against it to brute force.
medusa -h host -U logins.txt -P passwords.txt -O results.txt -M ftp
25 - SMTP - Connect to the SMTP server and attempt to enumerate valid users. You can use this to target specific employees within the company through phishing or brute force attacks at login pages.
nc mail.example.com 25
80 - HTTP - Look for methods that are not necessary, namely PUT. If you find this, then you may be able to upload your own files to the server. Use put.pl to transfer cmd.asp to the server. Both files should be on BT3.
curl -I -X OPTIONS www.example.com
That should get you started. Follow up with a Nessus scan:
Some additional tools I use that are not based on Backtrack are:
Acunetix Web Vulnerability Scanner
N-Stalker Free Edition
If you have anything to add, please do!