Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing Reconnaissance 2

Published byBeatrix Horn Modified over 6 years ago

Similar presentations

Presentation on theme: "Penetration Testing Reconnaissance 2"— Presentation transcript:

1 Penetration Testing Reconnaissance 2
CIS 6395, Incident Response Technologies Fall 2016, Dr. Cliff Zou

2 Acknowledgement Content from the book:
“The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy”, Second Edition

3 Attack Reconnaissance
Httrack: Website copier Harvester: find addresses in website Netcraft.com: find target website information Fierce: find all sub web domains belonging to target Metagoofil: Find documents from target and download them, extract useful metadata

4 HTtrack Included in Kali Linux Usage: Clone a target website
Command line based website copier GUI place: Applications  Web Application Analysishttrack, will give you help manual Run ‘httrack’ in command line, it asks settings step-by-step Mostly use default options Input target website URL It maybe slow to download an entire URL

5 HTtrack

6 Harvester Included in Kali Linux Command line:
Gather Accounts, Subdomains, Hosts, Employee Names – Information Gathering Tool Command line: theharvester –d cs.ucf.edu –l 100 –b google -d: define target domain name Search all possible websites inside that domain Pro: Can be used to find out all possible websites in the target place Useful for further reconnaissance Con: Only websites, not other online machines

7 Harvester It searches search engines, not the target website
Means that it will not generate noisy traffic to the target! theharvester –d cs.ucf.edu –l 100 –b google -d: define target domain name -l: limit the number of results returned -b: define which search engine to use -b all: use all search engines A youtube video:

8 Netcraft.com Type target website URL into the box
“what’s that site running?” Provide results of: Organization Webserver OS, webserver software version Webserver technologies Pro: scans generated from netcraft.com, not your machine Con: very basic information of the target, only about target web server

9 Fierce Available in Kali Linux
Find out all possible domain names under a target domain By conducting DNS enumeration queries Example: fierce –dns example.com It will find out possible domain names end with “example.com” Careful: Fierce will use brute force DNS queries to try many different names ending with the target domain The above example tries 2280 possible names! So be careful

10 Fierce Some online tutorials: fierce –dns example.com
with-fierce-in.html fierce –dns example.com Will use a default name list (2280 entries) to search possible domain names end with ‘example.com’ You can edit the enumeration name list: Con: Too much DNS noise! Con: may not be complete

11 Fierce Make reverse DNS lookup for a subnet space
You must provide option –dnsserver to specify which DNS server to send the queries to Google provides high-speed public DNS servers that anyone can use: and Pro: Reverse lookup is better to find all domain names in an IP space without much DNS noise So first find out the IP space of a target, then do reverse Fierce to a public DNS server (no alert traffic to the target)

12 Metagoofil Available in Kali Linux
Not in our current version, but you can install it by typing in terminal: apt-get install metagoofil Find documents, download them, and extract useful metadata from target.

13 Metagoofil Usage: metagoofil options          -d: domain to search          -t: filetype to download (pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx)          -l: limit of results to search (default 200)          -h: work with documents in directory (use "yes" for local analysis)          -n: limit of files to download (important to limit running time)          -o: working directory (location to save downloaded files)          -f: output file metagoofil -d cs.ucf.edu -t pdf -l 100 -n 5 -o cspdf -f cspdf.html

14 Metagoofil Besides files downloaded, metadata extracted are useful for reconnaissance User name windows or unix or mac? Account name

15 Ethnical Attention Some of today’s tools could be invasive and could generate a large amount of traffic (especially the Metagoofil) Try target with care Try small amount of downloads Try small target first Do not try on sensitive targets

16 Indepth Question: Fierce probing mechanism?
fierce –dns cs.ucf.edu It will find out all domain names end with “cs.ucf.edu” The above example tries 2280 possible names! Please modify the Fierece ‘hosts.txt’ file before you try to reduce DNS queries! How does it try those many DNS queries? Investigation: Using Wireshark for monitoring Kali Linux has preinstalled wireshark Setup capturing option to only capture UDP or DNS traffic Again, make sure you greatly shorten the ‘hosts.txt’ to reduce generated traffic

17 Understanding Fierce DNS Query Traffic
Reverse DNS lookup Find domain name by query IP address DNS type PTR record: An opposite of the type A record Dig -x IPaddress Example: dig -x ;; QUESTION SECTION: ; in-addr.arpa. IN PTR ;; ANSWER SECTION: in-addr.arpa. 600 IN PTR

18 A Few More Words on DNS Query
Dig any cs.ucf.edu: find all records for target Specify DNS server for query: Nslookup searchName DNS-server-IP searchName But most DNS reject outside query! We can use google’s public DNS server IP: or

Download ppt "Penetration Testing Reconnaissance 2"

Similar presentations

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.

Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.
Project – 564 Presented by Abu Sayeed Saifullah Student Id. 101876890.

Project – 564 Presented by Abu Sayeed Saifullah Student Id
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.

Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.
Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.

Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.
Chromium OS is an open-source project that aims to build an operating system that provides a fast, simple, and more secure computing experience for people.

Chromium OS is an open-source project that aims to build an operating system that provides a fast, simple, and more secure computing experience for people.
Www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.

GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.
Name Resolution Domain Name System.

Name Resolution Domain Name System.
LANDesk Management Gateway

LANDesk Management Gateway
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
bWAPP – Bee Bug – Installation

bWAPP – Bee Bug – Installation
DNS Related Commands Sayed Ahmed Computer Engineering, BUET, Bangladesh (Graduated on 2001 ) MSc, Computer Science, U of Manitoba, Canada

DNS Related Commands Sayed Ahmed Computer Engineering, BUET, Bangladesh (Graduated on 2001 ) MSc, Computer Science, U of Manitoba, Canada
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.

Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
CIS 450 – Network Security Chapter 3 – Information Gathering.

CIS 450 – Network Security Chapter 3 – Information Gathering.
General rules 1. Rule: 2. Rule: 3. Rule: 10. Rule: Ask questions ……………………. 11. Rule: I do not know your skill. If I tell you things you know, please stop.

General rules 1. Rule: 2. Rule: 3. Rule: 10. Rule: Ask questions ……………………. 11. Rule: I do not know your skill. If I tell you things you know, please stop.
Footprinting and Scanning

Footprinting and Scanning

Similar presentations

Ads by Google