Friday, 28 December 2012

Information Gathering Techniques: Dig and DNS Servers

"information is the negotiator's greatest weapon"
...especially those who negotiate with network security ;)
I used to think a security blog was all about writing about brand new attacks and dropping info on the coolest 0days. But if that's all security blogging was about, there wouldn't be much opportunity for beginners to start out or for experts to recap. So posts like this will always be necessary!

This brings me to a new theme of post I'll be writing. I'll be talking about penetration testing and general assessment skills, stuff that wannabe security professionals will consider valuable information. But don't fret, those of you who are seasoned security researchers and penetration testers: I'll make sure my perspective is quite original and covers things most security blogs don't cover too extensively.

So I hope you guys enjoy these posts!

This post in particular will be introducing the mindset(s) you should have when engaging on information gathering efforts. I also discuss retrieving information using Dig and DNS.



Where do you start?

A journey of a thousand miles starts with one step
So there are tons of places to gather information and new ones spring up all the time; the internet is a marketplace of information! How you collect your information, when, and how much depends on how much information you need and what kind you need.

Point being, before you can start collecting information you need to know:
  1. What information you are already aware of. This is because the information you have will always help you gain more information.
  2. What context you are attacking your target from. You may be missing the forest for the trees: where are you at the moment? What is accessible to you and how can it be used MOST effectively?
  3. What is the scope of your interest? If you are only to assess a portion of the DMZ---De-Militarized Zone, the part of the network facing the public---how do you get information without abusing any of the other services and devices that belong to the target?
  4. What information are you after? What are you trying to achieve with this exercise?
There may be other routine questions you should ask yourself but I feel these are applicable to almost any situation. Cracking on!


Using the information you already have 

So what information types could you possess or be given before you engage?
  1. an IP address range or Autonomous System number
  2. a list of domain names
  3. a physical address
  4. general contact details
    1. a list of email addresses
    2. a list of names
    3. a list of telephone numbers
I know the 4th item is a little extensive: why would a soliciting client only give you a list of telephone numbers, email addresses or names to do your assessment from? Well, in reality they wouldn't, but practically you will still need to attain information pertinent to your penetration test's effectiveness when all the rabbit hole led you to---soz about the Matrix/Alice in Wonderland reference---was a Facebook, LinkedIn or Twitter account, leaving you asking yourself how the fuzz this is useful to you as a penetration tester. So all things considered I think it's a good idea to discuss how you make social information useful in a penetration test.

The aim of the game is trying to make a list of other information that is linked to whatever information you already have, and doing this recursively until you end up where you started or have all the information you need.

Before writing an entire book on the philosophy of information gathering, I need to clarify that there are two kinds of information gathering:
  1. Active: when you directly engage the targets within your scope to solicit information, e.g. if you are pentesting a.b.c your active information gathering phase will encompass directly port scanning or bruteforcing a.b.c
  2. Passive: when you don't explicitly or directly involve yourself with the target. You communicate through side channels and other methods that make sure you remain undetectable and unidentifiable
Some penetration engagements will require you not to be detected! Clients will often want to observe the effectiveness of their prized intrusion detection systems---IDSs.

I'll now discuss passive and active information retrieval techniques based on the list I've detailed above.

What to do with an IP address

So you have a bunch of IP addresses: what kind of information can you get using these IP addresses and how can you obtain it?
Using the little trick I discussed a couple of paragraphs ago, you can ask yourself what information is linked directly to IP addresses. There's a lot, but here's a list of the most obvious ones, made off the top of my head:
  1. Domain Names
  2. Mail Servers
  3. Autonomous System numbers
  4. TCP,UDP,etc. Ports/Services
  5. More IP addresses
  6. WhoIs data
Hang on, what's an Autonomous System number?
Within the Internet, an Autonomous System (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.[1]
---Autonomous System (Internet)
 
Autonomous System numbers are the unique numbers associated with each Autonomous System.
The next step is to decide how you can use the IP addresses you have to obtain the related information.

IP Addresses to Domain Names and Name Servers:  

Mapping IP addresses to domain names is one of the oldest technologies in use on the web. To do this we need to fire off a couple of DNS queries.

So how do you do DNS queries then? Querying a DNS server deserves a book on its own, but to make sure those of you who don't know anything know enough to get by after reading this post, I'll go through the basics you need. I'll even throw in a couple of books at the end of the post.
ProTip: If you don't know something about a protocol, hunt down the RFC and some books that define its behavior and read everything very attentively. The DNS RFC has been added to the reading list at the end of this post.
The tool I'll be using is dig and I'll be doing what's called reverse querying---DNS exists to translate names to numbers; I am doing this in reverse.

But before we go mindlessly querying name servers I think it's important to get a little perspective: why would we need to get the domain names? Here's a couple of reasons:
  1. To look cool---always important!
  2. Domain names often mean popular services like ssh, ftp, http, etc. Because admins usually have to memorize a million IP addresses, having a nifty domain name to associate with a given administration service is very helpful!
  3. Gives you perspective on the naming conventions in use
    1. If push comes to shove you could use the character data from these domains to help brute force other domain names, like dnsenum does
    2. It's always a good idea to use domain names during password brute-forcing. For instance, one good idea is to take all the domain names associated with a given application, stick them in a list and generate all the permutations of these words to build a wordlist for JtR---John the Ripper. It won't hurt your hit rate to throw in words like admin, login or other common passwords so they can be mangled with the domain names; these usually make very good guesses.
Another general tip for generating good wordlist fodder is not only to try and guess possible passwords, but to try and enumerate which words or pieces/types of written information would likely be used as mnemonics: company names, admins' names, admins' wives' names, street names etc., and build wordlists from these sources. How you manage all this information is a story for another day.
Back to reverse DNS querying!

So let's set up a simple example and say I was given the IP address 82.94.164.162. This is what you would do with dig to retrieve the associated domain name:
dig -x [ip address]
-x tells dig to do a reverse lookup.
Reverse lookup with dig; the place you want to focus on is labelled "ANSWER SECTION:"

The second command I issue is the same except it returns only the associated domain name and none of the other fodder: +short cuts all the nonsense! This may be helpful to all you bash scripting sorcerers out there.

So we can look up domain names, what else can we do? Well, we know that today large internet-based services like Twitter often have more than one domain name and are often served from many IPs. How do we get all the IPs associated with one domain name?
To do this we need the name servers in charge of translating a given domain to an IP address. This is how you do that:
dig -t ns twitter.com
dig shows us that twitter.com appears in the records of a couple of name servers.
It's always a good idea to find out which name server is in charge of your target. DNS servers are incredible sources of information; DNS is not only about making letters into numbers!

So all we know now is who we should ask to find out about the 'twitter.com' domain; what we do next is actually direct our question at these name servers. The difference between the query we are going to see now and the previous one is that the previous one leaves your local DNS server---probably your router, like mine is in the example above---to find the appropriate authority to answer the query.
So let's ask some of these name servers about 'twitter.com'.
'@' directs the query at a given name server, -t specifies the record type we seek, and an A record is an address record (it maps a name to an IPv4 address). There are many other types of records and most of the time they prove useful, so I suggest reading the DNS RFC asap. Oh, and we would need to query each of the DNS servers in charge of these records to get an extensive list.
So now we've extracted some more IPs associated with twitter.com. Why would this be useful? Well, it gives you a little insight into the network infrastructure: they most probably do this to combat DoS attacks. It also tells you that if you ever get behind this DMZ you can expect some system to be syncing the data being collected from each of these separate IPs, if they are in fact separate machines---nowadays it's most likely a bunch of machines all being referenced from the same group of IPs, or a cloud as they call it. So try to think a little about the information you gather; try to see behind just what it intends to tell you.

Before we move on, a quick recap:
  • Translating IP addresses to domain names:
    • dig -x [ip address]
  • Finding name servers in charge of a given domain:
    • dig -t ns [domain name]
  • Querying a given name server for all IPs associated to a given domain:
    • dig @[name server] [domain name] -t A
That's about all I've discussed for now. Please remember, if you ever find yourself sitting with an IP address and need to get info on domain names or need to find more IPs, these techniques are the ones you'll be looking for.

In closing I should mention that there are many different types of DNS records, each of which you can query a DNS server for. I suggest you check out the DNS RFC listed at the end of the post; you can also check out the list here.

Now that I've covered a basic crash course in dig, I can show you guys some more dig-based tricks, namely finding mail servers for a given domain.


Domain Names to Mail server domain names:

Mail servers often turn out to be gold mines of information allowing you to figure out things like usernames, internal IPs and other very very valuable information. So finding mail servers should be a trivial task for any aspiring penetration tester.

As it turns out, domain name servers hold records regarding mail servers as well! It's also very easy to find the mail servers for a given domain: all you need to do is feed dig the type switch and ask it for MX---mail exchange---record types, like so:
dig -t MX [domain name]
Looking up the mail servers for google.com; the next command you see is me verifying that that domain does in fact host an SMTP server.
Of course, if you are going to be doing some penetration testing for clients, you will need to accept that the internet often lies to you! So an important skill you need to master is verifying information; this is what I'm doing in the last command.
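As an added example (not code from the original post), here is a small POSIX shell script that strings together the dig queries from the recap above and the MX lookup just shown, and trims dig's output down to the ANSWER SECTION for scripting. It assumes dig is installed; the sample dig output embedded in it is constructed, with placeholder name servers.

```shell
#!/bin/sh
# Added example, not from the original post: glues together the dig queries
# covered above (reverse lookup, NS lookup, A records from each authoritative
# server, MX lookup). Assumes dig is on the PATH; the sample dig output
# below is constructed, with placeholder name servers.

# Build the in-addr.arpa name that "dig -x" queries for an IPv4 address
# (octets reversed), so the PTR lookup can also be scripted explicitly.
reverse_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Keep only the ANSWER SECTION of dig output read on stdin, printing each
# record as "owner type rdata" (TTL, class and dig's chatter dropped).
answer_records() {
    awk '/^;; ANSWER SECTION:/ { on = 1; next }
         /^$/ { on = 0 }
         on && !/^;/ { printf "%s %s", $1, $4
                       for (i = 5; i <= NF; i++) printf " %s", $i
                       print "" }'
}

# Ask every authoritative name server for the domain's A records and merge
# the answers, since each server may hand out a different subset of IPs.
all_a_records() {
    for ns in $(dig +short -t ns "$1"); do dig @"$ns" "$1" -t A +short; done | sort -u
}

# Mail exchangers for a domain, most preferred (lowest preference) first.
mail_servers() {
    dig +short -t MX "$1" | sort -n | awk '{ print $2 }'
}

# Constructed sample of "dig -t ns twitter.com" output so answer_records
# can be tried without network access (name servers are placeholders).
sample_dig_output() {
    cat <<'EOF'
; <<>> DiG 9.8.1 <<>> -t ns twitter.com
;; ANSWER SECTION:
twitter.com.        3600    IN    NS    ns1.example.net.
twitter.com.        3600    IN    NS    ns2.example.net.

;; Query time: 30 msec
EOF
}

# Usage: sh dns_recon.sh 82.94.164.162 twitter.com
if [ "$#" -eq 2 ]; then dig -x "$1" | answer_records; all_a_records "$2"; mail_servers "$2"; fi
```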

Before this post becomes way too long for you to cover during your morning coffee, I thought I'd call it a day and end here. Expect posts on more advanced information gathering via dig and DNS and information retrieval using the WHOIS service in the next post.

If you're completely new to this, please check out all the items on the reading list; get this information down now because it's quite important background for people who wish to become professionally involved in infosec!

Reading List

  1. ASN FAQs
  2. Border Gateway Protocol
  3. WhoIS Protocol Specification
  4. Whois and Network Information Lookup Service
  5. DIG Tutorial
  6. RFC 1035: DNS Protocol
  7. DOMAIN NAMES - CONCEPTS AND FACILITIES
Thanks for reading ;) 
Please mind the spelling mistakes lols