Active Host Reconnaissance
Although passive reconnaissance methods are effective, they are often time-intensive and do not always produce the most accurate results. In active reconnaissance, you use technical tools to discover information on the hosts that are active on your target network. The drawback to active reconnaissance, however, is that it is easier to detect. For example, consider a criminal who walks past a house she wants to burglarize (passive reconnaissance) versus one who looks into each window of the house to see what goods are inside (active reconnaissance). Obviously, a burglar peeking into the windows of a house is much more conspicuous than one simply walking past it. The same is true for active reconnaissance: it reveals more information but is detected easily.
Some of the tools that are useful in active host reconnaissance include the following:
- NSLookup/Whois/Dig lookups
- Visual Route/Cheops
When you are doing black-box testing and you are not given detailed information on the target network, the client might give you only a network range of IP addresses to test. Often, you might be given only the website address, leaving you to discover the network range on your own. In this case, you have to perform some DNS lookups to ascertain the IP addresses associated with the website.
Before you can venture into performing DNS lookups, you need to understand how DNS works. The Domain Name System (DNS) allows you to use friendly names, such as http://www.cisco.com, instead of IP addresses when referencing hosts on an IP network.
DNS is a hierarchical, distributed database shared among servers and queried by hosts and other servers. The highest level of the hierarchy is the last label in a domain name. Top-level names can be either two- or three-letter organizational designators, such as .com for commercial organizations, .edu for educational organizations, or .biz for businesses, or two-letter country designators, such as .uk for the United Kingdom or .au for Australia. Figure 5-10 shows the DNS hierarchy for the website http://www.hackmynetwork.com. Companies register their DNS with a naming authority, such as ARIN in the United States or RIPE in Europe.
Figure 5-10 DNS Hierarchy
A contiguous portion of the DNS namespace is called a zone. A zone can contain one or more domain names. When an update needs to be made to a DNS zone, it is done to a primary zone on a master server. Secondary zones are copies of the primary zone that have been replicated from the master server. A server can house multiple zones with both primary and secondary copies. When a secondary DNS server needs to replicate from the master server, it performs a zone transfer. The section "SamSpade," later in this chapter, discusses zone transfers in more detail.
Included in the zone information are resource records (RRs). Several types of resource records define information about the hosts in a domain. Table 5-1 defines the different record types.
Table 5-1. DNS Resource Records
IP to name reverse lookups
Name Service record
A master record for the entire zone
When you are performing a penetration test, do DNS lookups to get IP address information for hosts on your target network. DNS lookups can also give you information on the purpose of the host. For example, if an MX record exists for a host named smtp.hackmynetwork.com, you know that the host is being used for e-mail because MX is the record for mail exchange.
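As an added illustration (not code from the book), the Python sketch below reads a zone listing and reports what each record type discloses about a host, which is the inference described above run as an audit of your own zone. The zone data is constructed, and the function names and the RFC 1918 address check are assumptions of this example.

```python
import ipaddress

# RFC 1918 private ranges; an address from these in a public zone leaks internal layout.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROLE_BY_TYPE = {"NS": "name server", "MX": "mail exchanger", "SOA": "primary master"}

# Constructed zone listing in master-file style. Names reuse the page's fictitious
# hackmynetwork.com; the hosts and addresses are invented for this example.
SAMPLE_ZONE = """\
hackmynetwork.com.       7200 IN SOA ns1.hackmynetwork.com. webmaster.hackmynetwork.com. 20108130 7200 3600 1728000 7200
hackmynetwork.com.       7200 IN NS  ns1.hackmynetwork.com.
hackmynetwork.com.       7200 IN MX  10 smtp.hackmynetwork.com.
ns1.hackmynetwork.com.   7200 IN A   192.0.2.12
smtp.hackmynetwork.com.  7200 IN A   192.0.2.16
www.hackmynetwork.com.   7200 IN A   192.0.2.80
vpn.hackmynetwork.com.   7200 IN A   198.51.100.5
devdb.hackmynetwork.com. 7200 IN A   10.20.30.40
"""

def parse_zone(text):
    """Yield (owner, rtype, rdata_fields) for 'owner ttl IN type rdata...' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            yield fields[0].rstrip(".").lower(), fields[3].upper(), fields[4:]

def exposure_report(text):
    """Map each host to the addresses and roles the zone discloses about it."""
    report = {}
    def entry(host):
        return report.setdefault(host, {"ips": [], "roles": set(), "internal": False})
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            e = entry(owner)
            e["ips"].append(str(ip))
            e["internal"] |= any(ip in net for net in RFC1918)
        elif rtype in ROLE_BY_TYPE:
            # The host named in the record data is the one whose purpose is revealed:
            # first field for NS and SOA (MNAME), second for MX (after the preference).
            target = rdata[1] if rtype == "MX" else rdata[0]
            entry(target.rstrip(".").lower())["roles"].add(ROLE_BY_TYPE[rtype])
    return report

if __name__ == "__main__":
    for host, info in sorted(exposure_report(SAMPLE_ZONE).items()):
        print(host, info["ips"], sorted(info["roles"]), "INTERNAL" if info["internal"] else "")
```

Hosts flagged as internal are candidates for removal from the public zone or for a split-horizon setup.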
If DNS servers are the doors to discovering what public hosts belong to your target site, Whois, NSLookup, and Dig are the keys to unlocking those doors.
Whois (RFC 812) is found installed by default on most UNIX and Linux platforms, but on Windows, you need third-party software such as SamSpade to perform Whois queries.
Whois, which in its early days was called NICNAME, is a TCP transaction-based query/response utility to look up registration information for a specific domain. You can obtain Whois at http://www.linux.it/~md/software. By default, Whois queries servers set by the NICNAMSERVER and WHOISSERVER environment variables, and, if neither is set, it queries whois.crsnic.net. Typing whois without any options reveals the default server being used in the query. Example 5-2 shows the output of a query on hackmynetwork.com.
Example 5-2. Sample Whois Query
```
#whois hackmynetwork.com
Registrant:
HackMyNetwork (hackmynetwork-DOM)
   123 Main Street
   Portland, OR 97415

   Domain Name: hackmynetwork.com

   Administrative Contact:
      John Nobody (RJXX2-ORG)  hackmynetwork@HD1.VSNL.NET.IN
      HackMyNetwork
      123 Main Street
      Portland, OR 97415
   Technical Contact:
      John Nobody (VSXX)  email@example.com
      123 Main Street
      Portland, OR 97415

   Record expires on 14-Nov-2006
   Record created on 13-Nov-2003
   Database last updated on 17-May-2004

   Billing contact:
      John Nobody
      123 Main Street
      Portland, OR 97415

   Domain servers in listed order:
      NS1.hackmynetwork.com   172.29.140.12
      NS2.hackmynetwork.com   172.22.145.12
```
Whois queries are useful for two purposes:
- You learn administrative contact information that is helpful in social engineering. (For more on social engineering, see Chapter 4.)
- You learn the authoritative DNS servers for the domain. As you will see shortly, this is helpful when you want to attempt a DNS zone transfer with a tool such as SamSpade.
NSLookup, Dig, and Host are three other command-line tools that you can use to unearth information about your target network. NSLookup is available on both UNIX and Windows platforms, although it is being deprecated on most Linux systems, with Dig and Host being its replacements. NSLookup can reveal additional IP addresses and records when the authoritative DNS server is known. Example 5-3 shows an NSLookup query.
Example 5-3. NSLookup Query
```
#nslookup
>set type=mx
>hackmynetwork.com
Server:  smtp.hackmynetwork.com
Address:  172.28.135.16

Non-authoritative answer:
hackmynetwork.com
        origin = hackmynetwork.com
        mail addr: webmaster.hackmynetwork.com
        serial = 20108130
        refresh = 720 (2H)
        retry = 3600 (1H)
        expire = 1728000 (2w6d)
        minimum ttl = 7200 (2H)
hackmynetwork.com nameserver = ns1.hackmynetwork.com
```
Although NSLookup and Dig are effective tools, they are limited compared to SamSpade.
If the tools previously discussed in this chapter are like taking files out of a filing cabinet, DNS zone transfers are like taking the entire drawer of files out. DNS servers perform zone transfers to keep themselves up to date with the latest information. In a secured environment, these zone transfers should be restricted to DNS servers that need to exchange information; however, in most environments, this is not the case. A zone transfer of a target domain gives you a list of all public hosts, their respective IP addresses, and the record type.
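An added example, not from the book: one way to check that transfers really are limited to the servers that need them is to review the name server's log for AXFR requests from any other client. The log lines are constructed and modelled on BIND 9 transfer messages, and the list of authorized secondaries (NS2 from Example 5-2) is an assumption.

```python
import re
from collections import defaultdict

# Assumption: the only host allowed to pull the zone is the secondary, NS2 in Example 5-2.
AUTHORIZED_SECONDARIES = {"172.22.145.12"}

# Constructed sample log lines, modelled on BIND 9 transfer and security messages;
# adjust the patterns to the format your own server actually writes.
SAMPLE_LOG = """\
17-May-2004 02:00:01 client 172.22.145.12#40112 (hackmynetwork.com): transfer of 'hackmynetwork.com/IN': AXFR started
17-May-2004 09:14:37 client 192.0.2.77#51820 (hackmynetwork.com): zone transfer 'hackmynetwork.com/AXFR/IN' denied
17-May-2004 09:14:52 client 192.0.2.77#51833 (hackmynetwork.com): zone transfer 'hackmynetwork.com/AXFR/IN' denied
17-May-2004 11:30:09 client 198.51.100.23#33004 (hackmynetwork.com): transfer of 'hackmynetwork.com/IN': AXFR started
17-May-2004 11:31:00 client 198.51.100.23#33010 (www.hackmynetwork.com): query: www.hackmynetwork.com IN A +
"""

STARTED = re.compile(r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): transfer of '(?P<zone>[^/']+)/IN': AXFR started")
DENIED = re.compile(r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied")

def audit_zone_transfers(log_text, authorized):
    """Return {(client_ip, zone): {"allowed": n, "denied": n}} for every
    client that requested a transfer and is not an authorized secondary."""
    findings = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        for outcome, pattern in (("allowed", STARTED), ("denied", DENIED)):
            m = pattern.search(line)
            if m and m["ip"] not in authorized:
                findings[(m["ip"], m["zone"])][outcome] += 1
    return dict(findings)

def severity(counts):
    # A transfer served to an unknown host means the whole zone was disclosed;
    # denials alone show that someone probed and the restriction held.
    return "CRITICAL" if counts["allowed"] else "WARN"

if __name__ == "__main__":
    results = audit_zone_transfers(SAMPLE_LOG, AUTHORIZED_SECONDARIES)
    for (ip, zone), counts in sorted(results.items()):
        print(f"{severity(counts)} {ip} zone={zone} allowed={counts['allowed']} denied={counts['denied']}")
```

A CRITICAL result means the transfer restriction is missing or too broad on the server that produced the log; repeated WARN results from one address are an early sign of active reconnaissance.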
Although you can use command-line tools like Dig to perform zone transfers, you might prefer a graphical tool like SamSpade (http://www.samspade.org). SamSpade is a free Windows tool created by Steve Atkins. It can perform a plethora of functions, including DNS lookups, mail relay checking, and website parsing. SamSpade can also attempt to do zone transfers. In the words of SamSpade's creator, however, "zone transfers are impolite." As such, they are disabled by default. To enable zone transfer functionality, you need to go to the Edit menu and select Options. From there, select the Advanced tab, as shown in Figure 5-11. Check the Enable zone transfers check box to enable this option.
Figure 5-11 SamSpade Advanced Options: Enable Zone Transfers
Before you can perform a zone transfer, you need to know what the authoritative name server is, which you can find out by querying your own name server. Enter the IP address of your DNS server by going to the Basics screen, as shown in Figure 5-12. Under TCP/IP settings, you can choose either to learn your DNS information via DHCP or statically enter in your DNS server IP address. After that, click OK to exit out of the Options screen.
Figure 5-12 SamSpade Basic Options
Now you can perform a DNS lookup by entering the website domain name in the Address box. In Figure 5-13, the domain name www.dawnsecurity.com is entered. The output reveals the name of the company that registered this domain name in addition to administrative and technical contact information. Not shown in the graphic is the authoritative DNS server address of PARK15.SECURESERVER.NET, which is also included in DNS lookups. Equipped with this address, you can attempt a DNS zone transfer.
Figure 5-13 SamSpade DNS Lookup
Begin your attempt by going to the Tools menu and choosing Zone Transfer. You are shown a screen like that in Figure 5-13. Enter the domain name of your target and the IP address of the authoritative DNS server that you discovered in the previous step. You have the option of displaying the output within SamSpade or saving the output to a file. First view the information within SamSpade to determine if you can perform a zone transfer. Then, if you are successful, you can save the output to a file for later viewing.
Although SamSpade provides excellent output and should be part of any penetration tester's toolkit, it does not provide graphical maps or detailed information about the hops along the way to the destination. To see a representation of a packet traveling across the Internet to a target destination, you need a tool like Visual Route. Visual Route (http://www.visualware.com) runs on Linux, Windows, Solaris, and Mac OS X.
Figure 5-14 shows the Visual Route screen. A trace is run from a computer in London to the website http://www.hackmynetwork.com. Visual Route lists each hop along the way to the site, along with the IP addresses and millisecond delay.
Figure 5-14 Visual Route
What makes Visual Route interesting is that you can double-click on any of the hops along the way and perform a Whois query. The information is the same as you get in a Whois lookup, but Visual Route is more graphically appealing and makes it easy to quickly look up information. You can save both the Whois lookups and the visual map in .jpg or .png format, making it perfect for penetration testers who are preparing reports for clients.