2007
A HACKING ODYSSEY PART I: RECONNAISSANCE CONT...
IP Address
Just as domain names are registered and entered in a WHOIS database,
IP addresses are also registered and entered in a database. For Europe
and Asia an organisation called RIPE handles this (http://www.ripe.net/),
and for America ARIN handles it (http://www.arin.net/index.shtml). If you
browse to them and enter the IP address mentioned in the A record you
will find out who it is registered to:
Code:
inetnum:      212.69.210.0 - 212.69.211.255
netname:      DSVR
descr:        Hosting in iP House
country:      GB
admin-c:      NOC5587-RIPE
tech-c:       NOC5587-RIPE
status:       ASSIGNED PA
mnt-by:       AS5587-MNT
source:       RIPE # Filtered

role:         AS5587.NET Network Operations
address:      Victoria Building
address:      Salford Quays
address:      M5 2SP
phone:        +44 207 3455256
fax-no:       +44 207 3455257
As I said, it is not really applicable in this case, as it is only for a
web server that belongs to a hosting company. But if it were for an
organisation that hosted its web server internally, you would be able
to get more contact details for the company from here. In this case we
only get the name and address of the hosting company, which is in
Salford Quays, Manchester. It may come in handy for a social
engineering attempt later on, who knows, but it is worth writing it all
down.
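A RIPE record is easier to keep accurate notes from if it is parsed rather than copied by hand. As an added example (Python, not part of nokia's tutorial), the parser below handles the repeated address lines and the "# Filtered" comment in the record above, and checks whether a given address, such as the one the FTP banner later in this part reveals, falls inside the allocated range. The record is re-typed from the page; nothing else is assumed.

```python
import ipaddress

# Constructed sample input: the RIPE inetnum and role objects quoted above,
# re-typed as whois returns them (one "key: value" per line, blank line between objects).
RIPE_RECORD = """\
inetnum:      212.69.210.0 - 212.69.211.255
netname:      DSVR
descr:        Hosting in iP House
country:      GB
admin-c:      NOC5587-RIPE
tech-c:       NOC5587-RIPE
status:       ASSIGNED PA
mnt-by:       AS5587-MNT
source:       RIPE # Filtered

role:         AS5587.NET Network Operations
address:      Victoria Building
address:      Salford Quays
address:      M5 2SP
phone:        +44 207 3455256
fax-no:       +44 207 3455257
"""

def parse_rpsl(text):
    """Split RPSL-style whois output into objects: one dict per object,
    attribute -> list of values (repeated keys like 'address' keep their
    order). '%' notice lines and trailing '# ...' comments are dropped."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):        # RIPE server notices, not data
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()   # 'RIPE # Filtered' -> 'RIPE'
        current.setdefault(key.strip(), []).append(value)
    if current:
        objects.append(current)
    return objects

def covers(inetnum, ip):
    """True if the 'start - end' inetnum range contains the address ip."""
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return start <= ipaddress.ip_address(ip) <= end
```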
Mail Server
Mail servers are a good way of finding out information about a company
and which email addresses are valid in the company. It is possible to
telnet to a mail server on both port 25 and port 110. When you connect
you are greeted with a banner stating the type of mail server and its
version.
Open a command prompt again and type the following:
Code:
C:\Documents and Settings\Nokia>telnet shedstore.co.uk 25
This is telling the telnet application to open a connection to
shedstore.co.uk on port 25.
You should now see this:
Code:
220 internetdesign.dsvr.co.uk ESMTP Exim 4.52 Wed, 07 Feb 2007 20:03:06 +0000
The mail server banner tells us the type of mail server is Exim and
that it is located in the UK. It also tells us that this mail server
belongs to the same people who host Shed Store's web site, but the MX
records from the DNS zone transfer are for a different company. They
must have a web mail solution and another hosted email solution.
Going by the MX record they also have email hosted with
emailfiltering.com, so they may have another domain name in place for
email, or it may have something to do with the Guardian Buildings
organisation that they are a part of. It's hard to tell exactly why
they have another email solution, but it is something worth bearing in
mind.
Code:
MX 5 mx81.emailfiltering.com
Browse to emailfiltering.com in your browser and see if there is a web
site for it.
Yes, there is, but it has a URL redirect in place and takes you to
http://www.emailsystems.com/ . If you put an 's' after the HTTP
(https://www.emailsystems.com/ ) and go to their secure site you are
presented with a logon, probably where you go to check your emails
online.
Try telnetting to the mail server mentioned in the MX record on port
25. Now this is a seriously locked down mail server; my guess is their
email hosting company do know what they are doing, unlike their web
hosting company.
All this information comes in handy when we try to social engineer some
information out of the companies we have discovered the target uses.
FTP
Did anyone notice there was a CNAME record for an FTP server? Let us
see if it is active.
Go back to your command prompt and type:
Code:
C:\Documents and Settings\Nokia>ftp shedstore.co.uk
You should be presented with the following:
Code:
C:\Documents and Settings\Nokia>ftp shedstore.co.uk
Connected to shedstore.co.uk.
220 ProFTPD 1.3.0rc2 Server (ProFTPD) [212.69.210.106]
User (shedstore.co.uk:(none)):
It has told us what type of FTP server it is (ProFTPD) and is asking
for a user name and password. At this point DO NOT try and gain access
to anything. Remember we are researching the target passively and do
not want to try and connect to anything directly related to the Shed
Store company until we have taken the proper countermeasures to obscure
our own identity and location on the WWW.
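Both the SMTP greeting in the mail server section and the FTP greeting above hand over the product and version before any login. As an added example (Python, not part of nokia's tutorial), the code below pulls those two banners apart and reports what each discloses, the same check an administrator runs against their own servers to see how much a passive observer learns from a single connection; the third, hardened banner and its hostname are constructed.

```python
import re

# Constructed sample input: the two greeting banners quoted in this tutorial
# plus a minimal one of the kind a hardened server sends (hostname is made up).
BANNERS = {
    "smtp": "220 internetdesign.dsvr.co.uk ESMTP Exim 4.52 Wed, 07 Feb 2007 20:03:06 +0000",
    "ftp": "220 ProFTPD 1.3.0rc2 Server (ProFTPD) [212.69.210.106]",
    "hardened": "220 mail.example.invalid ESMTP",
}

# product name directly followed by a dotted version, e.g. 'Exim 4.52', 'ProFTPD 1.3.0rc2'
VERSION_RE = re.compile(r"\b(?P<product>[A-Za-z][\w-]*)[ /](?P<version>\d+(?:\.\d+)+\w*)")
HOST_RE = re.compile(r"^\d{3}[ -](?P<host>[\w.-]+\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def audit_banner(banner):
    """Return what a 220 greeting gives away: hostname, product, version,
    any embedded IP address, and whether the banner is 'minimal' (no
    product, version or IP leaked). The reply code is validated first."""
    code = banner[:3]
    if not code.isdigit():
        raise ValueError("not an RFC 959 / RFC 5321 reply: " + banner)
    host = HOST_RE.match(banner)
    ver = VERSION_RE.search(banner)
    ip = IPV4_RE.search(banner)
    result = {
        "code": int(code),
        "hostname": host.group("host") if host else None,
        "product": ver.group("product") if ver else None,
        "version": ver.group("version") if ver else None,
        "ip": ip.group(0) if ip else None,
    }
    result["minimal"] = all(result[k] is None for k in ("product", "version", "ip"))
    return result

def audit_all(banners=BANNERS):
    """Audit every banner; returns {name: finding} so the leaky ones stand out."""
    return {name: audit_banner(b) for name, b in banners.items()}
```

Exim's smtp_banner option and ProFTPD's ServerIdent directive control what those two products put in their greetings; the audit marks a banner as minimal only when no product, version or address is left in it.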
Web hosting companies typically provide FTP access for their customers
so they can upload their web site and make any changes that are needed.
I pointed out earlier on that there is a members-only part to the web
site; my guess would be that members can log on and maybe buy direct
from the company via the user portal. If so, all their details are
stored on the server somewhere, and if we manage to get FTP access we
can also get access to all of the files and do not have to worry about
trying to exploit the web service.
At this point it is enough for us to just know it is there and how to
access it.
Hey look, we have learnt they have a web site, a mail server and an
FTP server, and the IP address of them all, and we didn't have to fire
up Nmap once to tell us what services they have.
Social Engineering
Social Engineering is the art of interacting with someone with the sole
reason of maliciously soliciting information out of them. The common
example is to get a user name and password, but this is not always the
case. I have endless hours of fun teaching this and getting students to
phone places up and try out what they learn in real life. It is an
incredibly hard skill to master, but once you have mastered it you can
save yourself hours of painstaking work trying to crack user accounts
etc. the hard way.
Most people think Social Engineering is something reserved for the
determined attacker or for the people carrying out a pen test. I would
suspect that 99% of the people reading this have never tried it or are
ever likely to, yet they wouldn't think twice about firing Nmap up and
scanning someone's system. In my view, if you can get some information
out of someone such as a password, then it saves you having to
spend hours running a dictionary attack or trying to brute force the
password, which you have just got hold of in a few minutes via social
engineering. NEVER underestimate the Social Engineering stage of
reconnaissance: it nearly always pays off and saves you a lot of time
and hassle.
The reason not many people do it is that to carry out an effective
Social Engineering attack you need a rather large set of gonads, a very
good reason to want to do it and some prior information about the
person or the persons organisation that you are speaking to.
Social Engineering is not something that can be taught and is more of a
skill you pick up over time. The more you do it, the better you can
become at it.
There are a couple of facts about human beings in general that need to
be mentioned to better explain how to carry out effective social
engineering attacks:
Humans are very easily programmed and become stuck when something
happens out of the ordinary.
Being extra nice to someone and making that person like you and want to
help you does pay off sometimes.
People generally do not say no to an authoritative figure or to someone
who is higher placed than them in the organisational structure.
It is usually easier to coerce someone into doing something they don't
normally do than to coerce them into doing something they do every day.
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on February 7th, 2007 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.

