Published by Ruth Young; modified over 10 years ago.
Slide 1: Capital Area Cyber Security User Group, Class 2: Passive Information Gathering
Slide 2: Presenter Bio
- Strengths
- Weakness
- Security interests
- Something fun
Slide 3: User Group Objective
- Give students offensive knowledge to better defend computer networks
- Hands-on security training to complement theory: put theories into practice
- "Tell me and I'll forget; show me and I may remember; involve me and I'll understand."
- Knowledge sharing: the power of group learning
Slide 4: User Group Objective (contd.)
Group exercise: what do you see in the following pictures? (Answers: a face, a bridge and women; John Lennon)
Slide 5: User Group Objective (contd.)
- Increase experience with a multitude of security aspects
- Network with other security-minded professionals
- Play in a safe lab environment not offered at work or home
- Earn CPEs to maintain certifications without high costs. For CISSP: preparing and presenting a 2-hour presentation = 8 CPEs; participating for 1 hour = 1 CPE; updating an existing presentation also counts (see the ISC2 chart for specifics)
Slide 6: User Group Objective (contd.)
- Have your questions answered; bring hard issues that require solutions
- Improve public speaking and training skills
Slide 7: CEH Certified Ethical Hacker Study Guide, Kimberly Graves, 2010
Course chapters:
- Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality
- Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering
- Chapter 3: Gathering Network and Host Information: Scanning and Enumeration
- Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files
- Chapter 5: Trojans, Backdoors, Viruses, and Worms
- Chapter 6: Gathering Data from Networks: Sniffers
- Chapter 7: Denial of Service and Session Hijacking
- Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques
- Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows
- Chapter 10: Wireless Network Hacking: Wi-Fi and Ethernet
- Chapter 11: Physical Site Security
- Chapter 12: Hacking Linux Systems
- Chapter 14: Cryptography
- Chapter 15: Performing a Penetration Test
Source: Amazon.com
Slide 8: Course Agenda
- Class 1: Methodologies and Lab Setup
- Class 2: Passive Information Gathering
- Class 3: Active Information Gathering (Nessus)
- Class 4: Wireless and Wired Network Enumeration
- Class 5: Target System Penetration
- Class 6: Privilege Escalation, Maintaining Access, and Malware
- Class 7: Web Application Penetration
- Class 8: Covering Tracks, IDS, Reporting, and Cleanup
- Class 9: Metasploit
- Class 10: Physical Security (Lock Picking etc.)
- Class 11: Capture the Flag
Slide 9: Agenda
Passive information gathering, lab exercises, goals:
- Key employee identification
- Wireless access point identification
- Website and web page code analysis
- Electronic dumpster diving
- Google hacking
- Domain ownership
- Lab exercises
Slide 10: DO NOT perform any activities from this course on any network/system or on a network-connected device without proper permission! Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the Internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.
Slide 11: Information Systems Security Assessment Framework (ISSAF)
Slide 12: What is Passive Information Gathering?
The process of searching for information that an attacker could potentially use to exploit the target network:
- Critical services
- Key employees
- Partner companies
- Company website, IP and email addresses
- Physical address and location
- Domain names
- Types of operating systems, databases, servers, protocols, and programming languages used
Slide 13: What is Passive Information Gathering?
Synonyms: footprinting; reconnaissance (Army example and Ocean's Eleven).
Speaker note for the Ocean's Eleven clip: Colditz Castle in Saxony, Germany, on 10 April 1945, just three days before US forces overran the area.
Slide 14: What is Passive Information Gathering?
Where can the attacker find this information?
- Corporate websites and job postings
- Electronic archives
- Web page code
- Search engines
- Domain name servers
- Social engineering
Slide 15: Why Do Passive Information Gathering?
- More information about the target makes the penetration test easier during the later phases
- "Know your enemies and know yourself, you will not be imperiled in a hundred battles." (Sun Tzu, The Art of War)
- "Generally, a hacker spends 90 percent of the time profiling and gathering information on a target and 10 percent of the time launching the attack." (Kimberly Graves)
Speaker note: Increases the success rate tenfold. The Art of War stresses the importance of spies for obtaining information (watch/listen/report); similarly, this should not be overlooked as a means to gather information about the target.
Slide 16: Why Do Passive Information Gathering?
- Subtle vulnerabilities and information leaks may exist in publicly available information
- Starting point to dive into the test
- Timing the attack: for example around patch releases (Microsoft Patch Tuesday, Oracle CPU, etc.), or off hours such as holidays, vacations, or peak hours
Slide 17: Active vs. Passive Information Gathering
- Active: touch the device/network or talk to employees (e.g. a vulnerability scan)
- Passive: do not communicate with or touch the target, e.g. Google searching for publicly available information
Slide 18: Starting at the Source
What information is available on the target company's website?
- The About Us section contains the company headquarters address and the name of the CEO and/or other chief officers
- Searching the site could reveal domain names
- Attackers could use the information to dumpster dive at the company's physical location, wardrive, or wardial
- Conducting a pen test against a large company is difficult: search for vendors, partners, and recent mergers and acquisitions of smaller companies that may have less security
Source: Build Your Own Security Lab
Slide 19: Scrutinizing Key Employees
- Find a list of key employees
- An attacker may visit the published home address of an employee to exploit her wireless connectivity
- Sites that list addresses and other personal information: people.yahoo.com
- Research social/corporate networking sites
Source: Build Your Own Security Lab
Slide 20: Scrutinizing Key Employees
Useful information to prepare for social engineering:
- Debt (payoff)
- Disgruntled employees (layoffs from mergers)
- Vacations
- Embarrassing information (blackmail)
How to get this information:
- Run a credit report (illegal without permission)
- Find out via Facebook status, etc.
- Bugs/cameras/spies/stakeout/pickpocket
- Positioning of monitors and the use of security/privacy screens
Source: Build Your Own Security Lab
Slide 21: Social Engineering Key Employees
Kevin Mitnick, father of social engineering:
- At age 12, socially engineered a bus driver to circumvent the punch card system for LA buses
- Went on to hacking phones, systems, etc.; was captured and put in solitary confinement due to fears that he could launch a nuclear missile by whistling into a phone
Slide 22: Social Engineering Key Employees
"Amateurs hack systems, professionals hack people." (Bruce Schneier)
Basic social engineering strategies:
- Important person/angry boss/customer = fear
- Helpful helpdesk = help
- "Sticks and stones WILL break my bones" = torture
- Shoulder surfing
- Impersonation (Palin)
- Third person
Speaker notes: Shoulder surfing: listen to keystrokes to learn the number of characters in a password; coat the keypad with ultraviolet material. Third person: "so-and-so said I could do it", and conveniently that person is not around to ask for confirmation.
Slide 23: Getting in Bed with Robin Sage
- Research regarding unquestioned trust
- Relationship level of trust based on gender, occupation, credentials, and social network
- Results: hundreds of connections with government affiliates (including NSA, DOD, etc.) and top companies; offers of gifts, jobs, speaking opportunities, etc.; information shared and connections made in breach of security policies
Slide 24: Wireless Access Points (WAP)
Wireless LANs (WLANs) are made of multiple computers connected to a wireless infrastructure. A WAP can run in different modes:
- Normal: client computers connect to a central WAP
- Bridge: the WAP communicates directly with clients and other APs
- Client: the WAP communicates only with other APs, acting as a client
- Repeater: repeats the signal of another AP to extend the signal's range
Slide 25: Wireless Access Points (WAP)
Slide 26: WLAN Threat
- Wardriving: driving around a target with special equipment to record information about WAPs. Equipment: a laptop with a wireless network interface controller, a GPS device, antennae and network discovery tools (Kismet)
- Warwalking: walking around or sitting near a target with a laptop and other equipment in a backpack
- Warflying
Slide 27: WLAN Threat - NetStumbler
Windows GUI-based active wireless scanner. Provides information such as:
- MAC address
- SSID
- Access point name
- Channel
- Vendor
- Encryption detection
- Signal strength
- GPS coordinates (if a GPS device is attached)
Source: Build Your Own Security Lab
Slide 28: NetStumbler Interface
Slide 29: WLAN Threat - Kismet
Unix-based passive wireless network detector (Kismet UI main view). Provides:
- Basic intrusion detection system features
- Cisco product detection via CDP
- IP block detection
- Hidden SSID decloaking
- Ethereal file logging
- AirSnort-compatible weak key logging
- Run-time decoding of WEP packets
- SSID grouping and custom naming
- A single stream viewable by many client devices
- Graphical data mapping
- Network device manufacturer identification
- Default WAP configuration detection
Slide 30: Kismet Interface
Slide 31: Wireless LAN Threat: NetStumbler vs. Kismet
- Operating system: NetStumbler runs on Windows 2000 to 7; Kismet runs on Linux, BSD, Mac OS X and Windows (limited)
- Free software: both
- Wi-Fi: NetStumbler covers 802.11a-g; Kismet covers 802.11a-n
- Greater functionality: Kismet
- UI: NetStumbler has a GUI; Kismet has a curses GUI
*Vistumbler is an alternative to NetStumbler for Windows Vista and 7
Slide 32: Mapping Wireless Access Points
Use websites that geographically map access points or that locate existing known access points.
Slide 33: Dumpster Diving (Electronic)
- The process of looking for old electronic data (once posted, it is always available!!)
- One place to look is an Internet archive: the Wayback Machine at web.archive.org contains about 85 billion archived web pages
- Archived pages may contain leaked information or security vulnerabilities
- Other sites provide site statistics and some domain information
- Unhappy employees may leak sensitive information; Internalmemos.com contained documents that were often for employees' eyes only*
- A robots.txt file asks crawlers not to archive or rip the site; only well-behaved crawlers honor it
*Internalmemos.com no longer exists, but there are still other websites such as WikiLeaks and Google forums, blogs, etc.
Slide 34: lockheedmartin.com Through the Years
Slide 35: Dumpster Diving (Electronic)
- WikiLeaks
- Password sites
- Good old-fashioned dumpster diving: bring a trash can...
- Extreme coupon dumpster dive
- How to dumpster dive
Source: web.archive.org
Slide 36: Analyzing Web Page Code
- Web sites can provide more information in their source code
- Use a site ripper to duplicate the web pages onto a local hard disk: BlackWidow (displays HTML and source code, addresses on the site, and site links), Teleport Pro, Wget, Instant Source
- Look for hidden fields embedded in the source code; hidden fields carry information, such as addresses and prices, protected only by security through obscurity
Example (the price and the URL prefixes are missing from this copy of the slide):
    <INPUT TYPE=HIDDEN NAME="name" VALUE="Omega Seamaster">
    <INPUT TYPE=HIDDEN NAME="price" VALUE="$ ">
    <INPUT TYPE=HIDDEN NAME="wa" VALUE="1">
    <INPUT TYPE=HIDDEN NAME="return" VALUE=" cgi-bin/cart.pl?db=Omega.dat&category=&search=watch&method=&begin=&display=&price=&merchant=">
    <INPUT TYPE=HIDDEN NAME="add2" VALUE="1">
    <INPUT TYPE=HIDDEN NAME="image" VALUE=" images/omega-bond.jpg">
Source: Build Your Own Security Lab
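The review a defender would run over a ripped copy of a site: pull every hidden input out of the HTML and flag the ones that carry state the server should never accept from the client (prices, return targets, file paths), the pattern the cart form above shows. This is an added example, not code from the course or from Build Your Own Security Lab; the name patterns and the sample page are constructed for the example.

```python
"""Audit HTML for hidden form fields that hold server-side state (prices, discount
codes, redirect targets, file references) where a client could rewrite them.
Added example; the sample page mimics the cart form on the slide with a placeholder price."""
from html.parser import HTMLParser
import re

# Name fragments that often mark server-side state pushed into the client.
# This list is an assumption for the example, not an exhaustive catalogue.
SENSITIVE_NAME_PATTERNS = (
    "price", "amount", "total", "discount", "coupon", "return", "redirect",
    "admin", "role", "user_?id", "account",
)


class HiddenFieldCollector(HTMLParser):
    """Collect (form index, name, value) for every <input type=hidden>."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.form_index = -1

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_index += 1
        if tag != "input":
            return
        # HTMLParser lowercases attribute names but not values, so normalise the type.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() == "hidden":
            self.fields.append((self.form_index, a.get("name", ""), a.get("value", "")))


def find_hidden_fields(html):
    parser = HiddenFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def classify(name, value):
    """Return the reasons a hidden field deserves a closer look (empty if none)."""
    reasons = []
    for pattern in SENSITIVE_NAME_PATTERNS:
        if re.search(pattern, name.lower()):
            reasons.append(f"name matches /{pattern}/")
            break
    stripped = value.strip()
    # Money-like values ("$ 1999.00", "19.99"): a client can simply edit them.
    if re.fullmatch(r"\$?\s*\d+\.\d{2}", stripped) or stripped.startswith("$"):
        reasons.append("money-like value")
    # Paths and URLs: a client-controlled redirect target or file reference.
    if re.search(r"^https?://|^/|\w/\w|\.\.", stripped):
        reasons.append("path or URL")
    return reasons


def audit(html):
    """Return the hidden fields an application reviewer should question."""
    findings = []
    for form_index, name, value in find_hidden_fields(html):
        reasons = classify(name, value)
        if reasons:
            findings.append({"form": form_index, "name": name, "value": value,
                             "reasons": reasons})
    return findings


# Constructed sample page; the price is a placeholder, not a real listing.
SAMPLE_HTML = """
<html><body>
<form action="cgi-bin/cart.pl" method="post">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Omega Seamaster">
<INPUT TYPE=HIDDEN NAME="price" VALUE="$ 1999.00">
<INPUT TYPE=HIDDEN NAME="wa" VALUE="1">
<INPUT TYPE=HIDDEN NAME="return" VALUE="cgi-bin/cart.pl?db=Omega.dat">
<INPUT TYPE=HIDDEN NAME="add2" VALUE="1">
<INPUT TYPE=HIDDEN NAME="image" VALUE="images/omega-bond.jpg">
<INPUT TYPE=TEXT NAME="qty" VALUE="1">
<input type="hidden" name="csrf_token" value="c0nstructed-token">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        print(f"form {f['form']}: {f['name']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

Anti-forgery tokens and plain flags (wa, add2) are not flagged, so the output lists only fields whose value the server must recompute or validate rather than trust.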
Slide 37: Mining Job Ads and Analyzing Financial Data
- Job postings may contain technologies and infrastructure the organization uses: postings on the organization's website, CareerBuilder, Monster, Dice, The IT Job Board
- Federal and state government agencies keep financial and business records for organizations in the United States; the SEC EDGAR database contains annual reports and corporate prospectuses that may list mergers
Sources: sec.gov, google.com
Slide 38: Google Hacking
Father of Google hacking: Johnny Long, aka j0hnnyhax
Google Hacking Database
Books: Google Hacking for Penetration Testers, Syngress Publishing, ISBN; Google Hacking for Penetration Testers, Volume 2, Syngress Publishing, ISBN
Slide 39: Using Google to Mine Sensitive Information
Google hacking uses Google's search engine and certain operators to make searches more efficient and to find security flaws in websites. The most prominent operators:
- site: searches for the specified term only within the given domain or site
- link: directs Google to search within hyperlinks for the specific term
- intitle: searches for a term within the title of a document
- inurl: directs Google to search only within the URL of a document
- intext: searches for the indicated term anywhere in the page text
- inanchor: restricts results to pages whose anchor text contains the query terms
- cache: searches for the specified term in the cached version of the site that Google stores on its servers
- filetype: searches within the text of a particular type of file
- insubject: searches for an exact expression in the subject of a message in Google newsgroups
Slide 40: Google Hacking Example - filetype
Presenter notes: provide 3-4 examples; list Google hacking links for more info, etc.
Source: Google.com
Slide 41: Google Hacking Example - inurl
Source: Google.com
Slide 42: Remote access connection with default HTML page
Slide 43: Pages containing results from a vulnerability scan
Slide 44: Exploring Domain Ownership
Who owns a specific domain?
- The Internet Assigned Numbers Authority (IANA) is an Internet controlling authority that manages domain names and global IP address use. It is one place that can serve as a good starting point to find out more information about domain ownership
- Regional Internet Registries (RIRs) distribute IP addresses to individual organizations within a geographical region: American Registry for Internet Numbers (ARIN), RIPE Network Coordination Centre (RIPE NCC), Asia-Pacific Network Information Centre (APNIC), Latin American and Caribbean Internet Address Registry (LACNIC), African Network Information Centre (AfriNIC)
Slide 45: Exploring Domain Ownership
Bad versus good WHOIS.
WHOIS is a tool for querying databases that hold the registered users or assignees of an Internet resource, such as a domain name or an IP address block. It gives information about administrative contacts, domains, and physical addresses.
Many web-based tools can query domain information: Sam Spade, Geektools, Better-Whois, DSHIELD, IPTools
Source: Geektools.com
Slide 46: Exploring Domain Ownership
Domain name servers match known domain names to unknown IP addresses and store the DNS records used to locate addresses. DNS is structured as a hierarchy of domain servers.
Source: Build Your Own Security Lab
Slide 47: Exploring Domain Ownership
DNS record names and types.
Gather information from DNS using the dig and nslookup tools:
- nslookup: provides server name and address information. Run nslookup from the command line of a Linux or Windows computer by typing nslookup followed by an IP address or domain name
- dig: a newer, more powerful DNS query tool that can also request a domain zone transfer
Source: Build Your Own Security Lab
Slide 48: dig and nslookup (screenshots: dig, nslookup)
Slide 49: dig (screenshots: mail server query, name server query)
Slide 50: Exploring Domain Ownership
Identifying web server software. Common web server software: Apache Web Server, Microsoft IIS Server, Sun ONE Web Server. Netcraft runs a service called "What's That Site Running?" that gathers information about web servers.
Slide 51: Exploring Domain Ownership
Where is the web server located?
- The organization's facility
- A remote server farm
- A virtual system hosted by a third party
Use previously found information in combination with a traceroute to find the location of servers:
- traceroute increments the TTL field of the IP header by one for each sequence of probes until it reaches the target
- If the TTL hits zero before reaching the target, an Internet Control Message Protocol (ICMP) error message is returned
- Tools: NeoTrace, VisualRoute, Hping, and tcptraceroute
Example output (the target and the addresses in brackets are missing from this copy of the slide):
    C:\>tracert
    Tracing route to [ ] over a maximum of 30 hops:
      1   10 ms  <10 ms   10 ms  PROXY [ ]
      2   10 ms  <10 ms          gen.twtelecom.net [ ]
      3   10 ms  <10 ms
      4   10 ms   10 ms          core-dlfw.twtelecom.net [ ]
      5   10 ms   10 ms          tran-dlfw.twtelecom.net [ ]
      6   10 ms   10 ms          sl-gw40-fw-4-2.sprintlink.net [ ]
      7   10 ms   10 ms          sl-bb22-fw-4-3.sprintlink.net [ ]
      8   20 ms   10 ms
      9   10 ms   10 ms          dal-core-01.inet.qwest.net [ ]
             ms   10 ms          iah-core-02.inet.qwest.net [ ]
             ms   10 ms          iah-core-01.inet.qwest.net [ ]
             ms   40 ms          tpa-core-02.inet.qwest.net [ ]
             ms   30 ms          cntr-02.tpf.qwest.net [ ]
             ms   30 ms     ms   msfc-02.tpf.qwest.net [ ]
             ms   40 ms     ms   [ ]
Source: Build Your Own Security Lab
Slide 52: Bouncing
Sending a bogus email to a company and reviewing the returned header for useful information:
- The date and time the message was bounced
- The identity of the mail server that bounced it
- The reason that it was bounced (e.g. user unknown or mailbox full)
- The headers of the bounced message
- Some or all of the content of the bounced message
Example bounce excerpt (the addresses are missing from this copy of the slide):
    while talking to smtp.store.example [ ]
    >>> RCPT
    <<< 550 No such user here
Slide 53: Lab: Passive Information Gathering
Slide 54: Lab Overview
- Lab setup
- Exercises/tools: whois lookup, Netcraft.com lookup, nslookup query, dig query, job listings, traceroute, NeoTrace, trackingpro
Slide 55: Course Lab Setup
- Host operating system = Ubuntu (Linux)
- Virtual machine = VirtualBox
- VMs = BackTrack, Windows (guest)
- Each laptop has its own separate standalone lab environment
How to start the lab environment:
1) Open VirtualBox
2) Ensure that the BackTrack VM is powered on
3) Save everything to the ~/Desktop/Lab2 folder
Slide 56: Exercise Questions
Use a Word document or Notepad to write down the gathered information and the answers to the questions provided in the exercises. Once you have completed an exercise, have the presenter review your answers.
Slide 57: Lab Scenario
In the following scenario, you will need to gather as much information about your target as possible that can be used in planning the attack. Your target is example.com. The company has hired you to confirm that their security awareness programs and policies are working as intended. In other words, they want you to confirm that employees do not post sensitive information online and that the company is safe from social engineering, etc.
Slide 58: Lab 2.1 Whois Lookup
We are going to perform some whois lookups to gather DNS information.
1. Open a web browser and go to the whois lookup site
2. Search for google.com, umd.edu, and lockheedmartin.com
3. List the following for each domain, if given: administrative contact and physical address; registrar name; domain name servers
4. What can we do with this information?
Answers:
- Google.com: 1600 Amphitheatre Parkway, Mountain View, CA 94043; Markmonitor.com; ns1.google.com, ns2.google.com, ns3.google.com, ns4.google.com
- Umd.edu: Bldg 224, Room 3309-C, College Park, MD 20742; N/A; noc.umd.edu, ns1.umd.edu, ns2.umd.edu
- Lockheedmartin.com: 1401 Del Norte Street, Denver, CO 80221; N/A; ns1.lmco.com, ns2.lmco.com, ns3.lmco.com
Slide 59: Lab 2.2 Find Network Ranges - Arin.net
1. Navigate to arin.net
2. In the top right corner, enter the IP address into the Search Whois box and hit Enter
3. Review the information
4. Repeat the steps above for the second IP address
5. Compare and contrast the information. Which company took extra security measures in posting information?
Slide 60: Lab 2.3 Netcraft.com
We are going to use netcraft.com to gather information about domain servers.
1. Open a web browser and go to netcraft.com
2. Search for google.com, virginia.edu, and aboutweb.com in the search bar at the top middle of the page
3. List the most recent OS, server type and IP address
4. Compare the information listed over time for each site
5. What does this information tell us?
Answers:
- Google.com: Linux; gws (Google Web Server); Jun 15, 2011
- Virginia.edu: Windows Server 2008; Microsoft-IIS/7.5; Jun 30, 2011; Jul 15, 2011
- aboutweb.com: Linux; Apache/ (Ubuntu); 8-Feb-2012; Amazon.com, Inc
Slide 61: Lab 2.4 (a) Timing the Attack
1. Review vulnerabilities at US-CERT: cert.gov/cas/bulletins/ (released every Monday, always one week behind)
2. Pick a vulnerability to review and note the following items: the CVE reference number; impact scores (the higher the score, the greater the impact); vulnerable versions
3. Identify desirable dates for the attack based on the target products (zero day). Hint: Patch Tuesday, Oracle CPU, prior to the US-CERT release, etc.
Other sources: National Vulnerability Database (nvd.nist.gov), Exploit-Database (exploit-db.com), Securitytracker, Securiteam, Hackerstorm Vulnerability Research, Hackerwatch, SecurityFocus, Security Magazine, SC Magazine
Impact score metrics:
- AV = AccessVector (related exploit range). Possible values: L = Local access, A = Adjacent network, N = Network
- AC = AccessComplexity (required attack complexity). Possible values: H = High, M = Medium, L = Low
- Au = Authentication (level of authentication needed to exploit). Possible values: N = None required, S = Requires single instance, M = Requires multiple instances
- C = ConfImpact (confidentiality impact). Possible values: N = None, P = Partial, C = Complete
- I = IntegImpact (integrity impact). Possible values: N = None, P = Partial, C = Complete
- A = AvailImpact (availability impact). Possible values: N = None, P = Partial, C = Complete
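The six metrics listed above are the CVSS v2 base metrics, and the score they produce is what a defender uses to decide which of the "vulnerable versions" in an inventory to patch before the next release window. The following is an added example, not part of the course material: it computes the v2 base score from a vector string using the weights and formula of the CVSS v2.0 specification, then ranks constructed advisories (placeholder identifiers, not real CVEs) against a constructed inventory.

```python
"""CVSS v2 base score from AV/AC/Au/C/I/A, used to rank which vulnerable,
installed products to patch first. Added example; weights and formula are the
published CVSS v2.0 ones, the advisories and inventory below are constructed."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from CVSS v2.0.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' (optionally in parentheses) -> {metric: letter}."""
    pairs = [p.split(":", 1) for p in vector.strip("() ").split("/")]
    metrics = {k: v for k, v in pairs}
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing metrics: {missing}")
    return metrics


def impact_subscore(c, i, a):
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av, ac, au):
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def round_to_tenth(x):
    # CVSS rounds half up; Python's round() uses banker's rounding, so use Decimal.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    exploitability = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    f_impact = 0 if impact == 0 else 1.176   # no impact at all scores 0.0
    return round_to_tenth(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score):
    """NVD's CVSS v2 severity bands."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def prioritize(advisories, inventory):
    """Keep advisories whose product and installed version are affected, highest score first."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["product"])
        if installed is not None and installed in adv["vulnerable_versions"]:
            score = base_score(adv["vector"])
            hits.append({"id": adv["id"], "product": adv["product"],
                         "score": score, "severity": severity(score)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample data: identifiers are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001 (constructed)", "product": "putty",
     "vulnerable_versions": {"0.60", "0.61"}, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
    {"id": "ADV-0002 (constructed)", "product": "apache-httpd",
     "vulnerable_versions": {"2.2.20"}, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "ADV-0003 (constructed)", "product": "putty",
     "vulnerable_versions": {"0.58"}, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},
]
SAMPLE_INVENTORY = {"putty": "0.60", "apache-httpd": "2.2.20", "openssh": "5.9"}

if __name__ == "__main__":
    for hit in prioritize(SAMPLE_ADVISORIES, SAMPLE_INVENTORY):
        print(f"{hit['score']:>4} {hit['severity']:<6} {hit['product']:<13} {hit['id']}")
```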
Slide 62: Lab 2.4 (b) Timing the Attack
Use Hackerstorm to review vulnerabilities:
1. Go to hackerstorm.com to start the OSVDB Hackerstorm tool
2. Click the OSVDB search button at the bottom of the home screen
3. Scroll through the vendors, choose PuTTY, and then click the View button
4. From the next screen choose View All
5. Review the vulnerabilities listed and click one to view its details. From the tool you can see the description, solution, references, etc.
Note that this tool makes it easy to search for vulnerabilities, both old and new, by vendor, etc.
Slide 63: Lab 2.5 Nslookup vs. Dig
We will be conducting an nslookup and a dig query for DNS information.
1. Open two command line terminals in BackTrack
2. In one, type nslookup google.com
3. In the other, type dig google.com
4. Compare the results. What IP addresses are shown?
5. In the dig terminal, type dig mx google.com. What IP addresses are shown now? What does mx mean?
6. How can we use these IP addresses and domain names?
Note: dig -h and nslookup ? will show help information for the commands.
Slide 64: Lab 2.6 Understanding DNS Problems
1. From the Windows VM, browse to the site given by the presenter; its DNS entry will now be cached
2. From a command prompt type: ipconfig /displaydns, then ipconfig /flushdns
3. Close the browser and open Windows Explorer to navigate to c:\Windows\System32\drivers\etc
4. Create a backup of the hosts file named hosts_bak, and then open the hosts file in Notepad
5. In the hosts file, under the last line, enter the entry given by the presenter
6. Save and exit the file
7. Open a web browser to the site. What do you see? Hint: note that the hosts file is redirecting Google requests to Yahoo
Make sure you clear the added entry from the hosts file when finished with the exercise!
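The redirection this lab sets up by hand is exactly what a defender wants to detect on an endpoint: a hosts-file entry that sends a well-known domain elsewhere (pharming) or pins it to loopback (blocking update servers). The checker below is an added example, not part of the course: it parses hosts-file syntax (comments, IPv4/IPv6, several names per line) and flags watched domains that are redirected or blocked. The sample file content, the watched domain list and the 203.0.113.10 address (documentation range) are constructed.

```python
"""Flag hosts-file entries that override DNS for domains you care about.
Added example (not from the course); the sample hosts content is constructed."""
import ipaddress

# Addresses that mean "this host" or "nowhere": blocking entries, not redirections.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return ([(line, address, [hostnames])], [(line, raw)]) for active and malformed lines."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            address = str(ipaddress.ip_address(parts[0]))   # validates v4 and v6
        except ValueError:
            malformed.append((lineno, raw.strip()))
            continue
        if len(parts) < 2:
            malformed.append((lineno, raw.strip()))
            continue
        entries.append((lineno, address, [h.lower().rstrip(".") for h in parts[1:]]))
    return entries, malformed


def matches(hostname, domain):
    """True for the domain itself and any subdomain of it."""
    return hostname == domain or hostname.endswith("." + domain)


def audit_hosts(text, watched_domains):
    """Report watched domains that are redirected (non-local address) or blocked (local)."""
    entries, malformed = parse_hosts(text)
    findings = []
    for lineno, address, names in entries:
        for name in names:
            if any(matches(name, d) for d in watched_domains):
                kind = "blocked" if address in LOCAL_ADDRESSES else "redirected"
                findings.append({"line": lineno, "host": name,
                                 "address": address, "kind": kind})
    for lineno, raw in malformed:
        findings.append({"line": lineno, "host": raw, "address": None, "kind": "malformed"})
    return findings


# Constructed sample resembling C:\Windows\System32\drivers\etc\hosts after the lab.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.test            # ad-blocking entry, harmless
203.0.113.10    www.google.com google.com   # lab entry: sends Google traffic elsewhere
127.0.0.1       update.example-av.test      # would starve a security product of updates
10.0.0.5        intranet.corp.test
not-an-address  www.example.test
"""
WATCHED = ("google.com", "example-av.test", "windowsupdate.com")

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['kind']})")
```

Run it against the real file with open(path, encoding="utf-8", errors="replace").read() and a watched list drawn from your own update, identity and security-vendor domains; a clean file with only localhost entries yields no findings.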
Slide 65: Lab 2.7 Traceroute
We will now trace the network route between your computer and aboutweb.com.
1. Open a command line terminal in BackTrack
2. Type traceroute -I aboutweb.com
3. Type traceroute -T aboutweb.com
4. Compare the results. What is the final IP address? How many hops did it take to get to the target?
Note that "* * *" (request timed out) usually means there is a firewall, router, or layer 3 switch in the path. Use a packet capture to see whether ICMP type 11, code 0 (TTL expired) or type 3, code 13 (administratively prohibited) is returned.
Note: on Linux the command is traceroute; on Windows it is tracert.
Slide 66: Lab 2.8 Visual Traceroute Tools (VisualRoute)
We will now trace the network route between your computer and about.com using a visual traceroute tool.
1. Navigate to visualware.com and click "live demo" to start a live demo of the tool
2. Choose the region to perform the test from on the map (Dulles, VA)
3. In the "perform connection test to" box, type the name of the target and then click the "start" button
Source: Visualware.com
Slide 67: Lab 2.8 Visual Traceroute Tools (VisualRoute) Contd.
1. Review the "Summary", "Table", "Map", "Analysis", and "Performance Graph" tabs. Are there any firewalls indicated in the graph? If so, where?
2. On the "Table" tab, note the starting and ending location
3. Click on the node name and review the whois information
4. Click on the Network items and review the arin.net information
5. What additional information is provided with this tool?
Note: the tool can perform the work of multiple tools and therefore reduce time, etc.
Source: Visualware.com
Slide 68: Lab 2.9 Link Extractor - iWEBTOOL
1. Navigate to the iWEBTOOL link extractor
2. Enter the target website
3. Ensure that "HTML Code" is checked and press "Extract"
4. Review the returned links
5. Consider starting the search again using one of the third-party links as the new starting point
Slide 69: Lab 2.10 Site Ripping - Wget
From BackTrack, open a terminal window.
1. Type: cd Desktop/lab2
2. Then type: wget -r -k zero.webappsecurity.com
3. Use the grep command to search for hidden fields. Type: grep -r "hidden" ~/Desktop/lab2/zero.webappsecurity.com
4. Review the search results to see if there are any hidden fields and whether they contain sensitive data (discount codes) or data that can be changed, such as price, etc.
A broader form of the command: wget -H -r --level=1 -k -p <site>
This command says, "Download all the pages (-r, recursive) on the site plus one level (--level=1) into any other sites it links to (-H, span hosts), and convert the links in the downloaded version to point to the other sites' downloaded version (-k). Oh yeah, and get all the components like images that make up each page (-p)."
Slide 70: Lab 2.11 Find Wireless Access Points - Wardriving
1. Navigate to the access point mapping site
2. Click on "browse interactive map"
3. Put in the target's zip code or street address
4. Read the "Notes" on the page to better understand the key
5. Identify an access point with a strong signal
6. Identify an access point with a weak signal
7. Start the search again and check the box "Possible FreeNet". Are there any free access points?
Slide 71: Lab 2.12 Finding a Needle in a Haystack: Google Hacking
Test out searches with each of the operators introduced on slide 39 (Using Google to Mine Sensitive Information): site, link, intitle, inurl, intext, inanchor, cache, filetype, insubject.
Slide 72: Lab 2.12 Google Hacking Continued
1. Go to master-list-28302
2. Find an interesting search and test it out
3. Share with the group which search terms you used and what was displayed
Slide 73: Lab 2.13 Default Passwords
Once you know what operating systems, applications, etc. are in the environment, search for known default passwords.
1. Go to the default password list site
2. Search for a product that is in the environment
3. Note the default password
Slide 74: Lab 2.14 Valuable Keywords - Spyfu
1. Go to spyfu.com
2. Type a target address into the search box (google.com) and hit Enter
3. Review the following items: best paid keywords; top ad competitors; top organic competitors
4. View the subdomains
5. Repeat the same steps for one of the top competitors
How can this information be used? Competitors (attackers); subdomains for additional enumeration; XSS attacks, timing, and words that attract attention.
Slide 75: Lab 2.15 Find More Info - Anywho.com
1. Navigate to anywho.com. Note that the website can be used to find businesses, people, phone numbers, etc.
2. Find the home address and phone number for a key employee
3. Find a phone number on the website and perform a reverse lookup. Is spousal information displayed? Age information?
4. Use Google Maps satellite and street view to recon the company location and employee home (dumpsters?)
5. Note the proximity of the company to the police/fire department
6. Search for the price of real estate in the area (company/employee)
Relatives can be used for important passwords such as mother's maiden name.
Slide 76: Lab 2.16 Find More Info - Google Finance
Use Google Finance: type yahoo in the search box and review the results:
- News about the company
- Competitors
- Company description
- Company events
- Address
- Company links
- Officers and directors
- External links (such as SEC)
Slide 77: Lab 2.17 Find More Info - Hoovers
1. Go to hoovers.com
2. Enter Yahoo into the search box
3. Review the information about the company: Overview tab; People tab (note age, number of employees, etc.); Competition tab; Financials tab
4. Identify information that is listed on Hoovers.com but not on Google Finance: age, number of employees, job openings, etc.
Speaker notes: The age of executives can indicate a soon-to-be successor and a vulnerable transition period, layoffs due to a new successor, and finances. Number of employees = number of ways to get in and the possible number of people to socially engineer. Competitors = people willing to pay for information and possible corporate espionage. Info on Hoovers but not Google Finance = age, number of employees, job openings, etc.
Slide 78: Lab 2.18 Find More Info - Homepage
Visit the target's home page and look for the following information:
- About us
- Contact us (email, phone, names)
- Customers
- Job openings
- User groups
- Events
- Locations
Slide 79: Lab 2.19 Find More Info - Social Networking
Search Facebook and LinkedIn for:
- Company sites
- Key employees
- Connections ("friends")
- Personal information (hobbies, education, qualifications, etc.)
- Vacation status
- Videos and pictures of key people
- Etc., etc., etc.
Slide 80: Lab 2.20 Find More Info - Zoominfo
1. Navigate to zoominfo.com
2. Enter the full name of one of the target company's key employees
3. Mouse over the employee and note the information: name, email, number; job history, education, certifications, web references
4. Mouse over the employee's company and note the information: location, contact info; revenue; number of employees; similar companies
Slide 81: Lab 2.21 Find More Info - Archive.org
When information is posted digitally it becomes permanent. Often people place too much information on the web and later take it down, but don't realize that the information is archived.
1. Navigate to archive.org (aka the Wayback Machine)
2. Type the target address
3. Determine the available archived pages (how many years are available)
4. Compare the site from its inception, the middle, and the current time period and see how the site has evolved
5. Review the pages to see if there is any information that should not be on the site (contact us, about us, etc.). Contact us might list old employees who can be contacted (disgruntled, etc.)
Slide 82: Lab 2.22 Job Listings
We are trying to find technical information from a job listing.
1. Open a web browser and go to the job listing site
2. In the search box under Job Search, type BR
3. Click on the job title and read the job description
4. List specific software and technologies mentioned in the description
Lockheed Martin listing:
- Experience using some of the programming languages listed: Adobe Flex, C#, C++, Java, Perl, PL/SQL, Python, shell scripting.
- Experience with some of the COTS products listed: AutoCAD, BMC Remedy, Citrix ICA, Composite Information Server (CIS), I2 Analyst Notebook, IBM/Rational Suite, Jetty, LDAP, MS Office Suite and Project, MS Management Console Remote Server, MS SQL and BizTalk Server, Oracle, PowerDesigner, Primavera, Spotlight, TIBCO Suite, TeamWare, Toad, visualization tools, VERITAS, or VersionOne.
- Experience with some of the web implementations listed: Apache Webserver/Tomcat, Firefox and IE, or web portals.
- Experience on the operating systems listed: Linux/Red Hat/UNIX or Windows 2003 and
- Experience on the development environments listed: Agile development, cloud computing, or globally distributed.
Desired skills:
- Minimum three years with Intelligence Community or SIGINT activity.
- Experience with some of the database methodologies listed: cloud database, database clustering, data warehousing, data mining algorithms, dimension data modeling, relational data modeling, very large spatial databases
Slide 83: Lab 2.23 Maltego
Open Maltego from BackTrack:
1. Go to Applications --> Backtrack --> Information Gathering --> Network Analysis --> DNS Analysis --> Maltego
2. Click the New button (+ plus sign)
3. Drag and drop the "internet website" item to the center of the page and then change the website address to the target
4. Right-click and choose to run "all transforms"
5. After the search completes, find an item of interest and run "all transforms" for the item
6. Look for relationships, articles, Facebook pages, phone numbers, names, etc. (the detail view shows more details)
7. Review the entity list. Look for "built with technology" to see if Linux or Windows, etc. is being used
Slide 84: Lab 2.24 Social Engineering Toolkit
1. Navigate to engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
2. Read the first paragraph introducing SET
3. From the table of contents, click on 3.1 Spear-Phishing Attack Vector and review an example of how SET can be used
Note: after gathering all the recon info, it is easy to use SET to conduct computer-based social engineering (download SET).
Slide 85: Lab 2.25 Tracking Emails: mailtracker.com
1. Register for an account at mailtracker.com
2. Log in to the account and note that there are no messages being tracked
3. Create an email and send it by appending .mailtracker.com to the recipient's address
4. Refresh the mailtracker.com page; the email should be displayed on the page
5. Once the email has been read, you can see when it was read, etc. via the mailtracker.com webpage
Slide 86: Lab 2.26 Tracking Emails: emailtrackingpro
Go to the emailtrackingpro site, watch the demo, and see how to track where an email originated from to determine whether it is a suspicious email.
Slide 87: Lab 2.27 Report
Stay organized and compile all the information in an orderly fashion. Add intelligence to the aggregated information to make predictions and form conclusions.
Slide 88: Summary
- After this phase, you should know general information about the target's location, employees, corporate partners, domain names, and server IP addresses
- This information is the starting point for more aggressive and specific information gathering
- Next class: Active Information Gathering
Questions?
Slide 89: Resources
- http://www.dc-cybersecurity.com/
- CEH Certified Ethical Hacker Study Guide (Amazon.com)
- Build Your Own Security Lab (Amazon.com)
- Ocean's Eleven clip
- photos-go-online-in-new-archive html?action=gallery&ino=6
- people.yahoo.com
Slide 90: Resources
- http://www.backtrack-linux.org/
- http://www.de-ice.net/
- Vulnerability sources as listed in Lab 2.4 (a): National Vulnerability Database (nvd.nist.gov), Exploit-Database (exploit-db.com), Securitytracker, Securiteam, Hackerstorm Vulnerability Research, Hackerwatch, SecurityFocus, Security Magazine, SC Magazine
- surveillance/
Slide 91: Resources
- surveillance/
- Sarah Palin (impersonation example)
Slide 92: Resources
- http://www.hackerstorm.com/start.html
- engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
Slide 93: CEH Certified Ethical Hacker
List of Tools: a PDF mapping tools to the different phases of pen testing. Review the list of tools and pick tools that you know and can demonstrate, or that you would like to learn more about.
Source: CEH Certified Ethical Hacker All-in-One Exam Guide (Amazon.com)
Slide 94: Parking Lot Topics
TBD
Slide 95: Suggestions for Improvement
TBD