Penetration Testing mailing list archives
Re: Host discovery
From: Marco Ivaldi <raptor () mediaservice net>
Date: Thu, 25 Feb 2010 18:09:37 +0100 (ora solare Europa occidentale)
Oliver,

On Thu, 25 Feb 2010, Oliver Kindernay wrote:

> Thank you, very helpful. I tested some companies and found DNS subdomain bruteforcing (by the way, a new version of dnsmap was released a few days ago) the most successful method for discovering servers accessible from the internet (for gateways/firewalls the "email" method is probably better).
Beside the already suggested techniques (you should really check out the OSSTMM as suggested by Pete, by the way), don't forget the following:
- WHOIS databases. Hint: use the free text searches when available [1] or download the database [2] and build your own custom search tool.
- Email headers. Even if their mail exchanger is hosted somewhere else, it might be (mis)configured to leak the "Received:" headers and therefore it could expose the public IP address of their firewall, or even their private IP address space.
- Web servers. There are many different vectors to gather useful information. Among those that weren't already mentioned in this thread: web server logs and stats, SSL certificates, HTTP headers.
- Google/Bing. Always powerful weapons if you know what you're doing.

Hope this helps,

[1]. E.g. http://www.ripe.net/db/whois-free.html
[2]. E.g. ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz

--
------------------------------------------------------------------------
Marco Ivaldi                                  OPSA, OPST, OWSE
Senior Security Advisor                       Bid Manager
@ Mediaservice.net Srl                        Tel: +39-011-32.72.100
Via San Bernardino, 17                        Fax: +39-011-32.46.497
10141 Torino - ITALY                          http://mediaservice.net/disclaimer
------------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
------------------------------------------------------------------------
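The "Received:" header point is the easiest one in this list to verify from the defending side: send a message from inside the organisation to an external mailbox you control and inspect the hop chain for RFC 1918 addresses. The script below is an added example and is not code from this message or from any tool named in the thread; the sample message, the host names and the IP addresses in it are constructed (203.0.113.10 stands in for a public MX address, 10.1.2.3 and 192.168.50.21 for internal hops that should not be visible to a recipient).

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: the Received: chain an outside recipient would see when an
# internal relay hands mail to an outsourced MX that does not strip its headers.
SAMPLE_MESSAGE = b"""Received: from mx.example.com (mx.example.com [203.0.113.10])
\tby inbound.recipient.test with ESMTP id abc123; Thu, 25 Feb 2010 18:09:37 +0100
Received: from mail.corp.example.com (unknown [10.1.2.3])
\tby mx.example.com (Postfix) with ESMTP id 0F1B2; Thu, 25 Feb 2010 18:09:30 +0100
Received: from [192.168.50.21] (helo=workstation-42.corp.example.com)
\tby mail.corp.example.com with esmtpa; Thu, 25 Feb 2010 18:09:25 +0100
From: someone@example.com
To: you@recipient.test
Subject: header leak check

body
"""

# Address space that should never appear in a header seen outside the organisation.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_hops(raw_message: bytes) -> list[str]:
    """Return the Received: headers in the order they appear (newest hop first)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return msg.get_all("Received", [])


def find_leaked_internal_ips(raw_message: bytes) -> list[tuple[int, str]]:
    """Return (hop_index, address) for every RFC 1918 / loopback address in the chain."""
    leaks = []
    for hop, value in enumerate(received_hops(raw_message)):
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. "999.1.1.1" matched by the loose regex
                continue
            if any(addr in net for net in INTERNAL_NETS):
                leaks.append((hop, str(addr)))
    return leaks


if __name__ == "__main__":
    for hop, value in enumerate(received_hops(SAMPLE_MESSAGE)):
        print(f"hop {hop}: {value.split(';')[0]}")
    for hop, addr in find_leaked_internal_ips(SAMPLE_MESSAGE):
        print(f"LEAK: hop {hop} exposes internal address {addr}")
```

Run against a real message, the script reads the hop chain exactly as a third party would; a non-empty result means the outbound MX should be configured to drop or rewrite the Received: headers added by internal relays before the message leaves the organisation.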
Current thread:
- Host discovery Oliver Kindernay (Feb 22)
- Message not available
- Re: Host discovery Oliver Kindernay (Feb 23)
- Re: Host discovery Pete Herzog (Feb 25)
- Re: Host discovery Adam Mooz (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 23)
- Message not available
- <Possible follow-ups>
- RE: Host discovery Ron Yount (Feb 23)
- Re: Host discovery chr1x (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 25)
- Re: Host discovery chr1x (Feb 25)
- Re: Host discovery Marco Ivaldi (Feb 25)
- Re: Host discovery chr1x (Feb 25)
- Re: Host discovery Oliver Kindernay (Feb 25)
- Re: Host discovery YGN Ethical Hacker Group (Feb 25)