
Lab 9 - Reconnaissance

For this lab you will begin reconnaissance, the process of examining a target before you attack it. You will pick a target of your choice. That target may be any company or organization with an internet presence. If you like, pick the organization that you represent so that you can get a good understanding of what attackers can learn about you. You will use public records to identify as many of the organization's computers as possible. 

Step 1: DNS information
Your target must have a domain name (e.g. cabrillo.edu). Every entity that registers a domain name must make some information about itself public. That information is published in the global WHOIS database (some registrants pay for a privacy service, in which case you will see the proxy's contact details instead of the organization's). You can search that database on many sites. Here's one example: 


Searching for cabrillo.edu yields: 

Domain Name: CABRILLO.EDU
Registrant:
   Cabrillo Community College District
   6500 Soquel Drive
   Aptos, CA 95003
   UNITED STATES
Administrative Contact:
   Spring Andrews
   Manager of Application Services
   Cabrillo Community College District
   6500 Soquel Drive
   Aptos, CA 95003
   UNITED STATES
   (831) 479-6559
   spandrew@cabrillo.edu
Technical Contact:
   Mikki Adams
   Network Priestess
   Cabrillo Community College District
   6500 Soquel Drive
   Aptos, CA 95003
   UNITED STATES
   (831) 479-6392
   netadmin@cabrillo.edu
Name Servers: 
   LOLA.CABRILLO.EDU      207.62.184.53
   NS1.CSU.NET            
   NS2.CSU.NET            
   NS1.CENIC.ORG          
   NS2.CENIC.ORG          
Domain record activated:    13-Feb-2002
Domain record last updated: 12-Jul-2013
Domain expires:             31-Jul-2014

Make note of every:
  • Postal address
  • Email address
  • Phone number 
  • Name server
There is quite a lot of information here without really looking. Names and email addresses can be used for spear phishing. Postal addresses tell you where to stake out wireless networks. Notice that only one of the name servers (LOLA) is listed with an IP address; the others you will have to resolve yourself. For this assignment, however, you will use the IP addresses and host names you recover. 

Step 2: Dig into email
There is a command line utility in Kali Linux called 'dig'. It is a simple program that queries the DNS system and shows you the answer it gets back. You can also use dig to find out what machines handle email for a domain. A machine that accepts mail for a domain is called a mail exchanger, and it is listed in the domain's MX records. When you give dig the "mx" argument it looks those records up for you. The command to do that is

# dig mx my_target.com

For example to figure out what server handles Cabrillo's mail do this:

# dig mx cabrillo.edu
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> mx cabrillo.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6343
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cabrillo.edu. IN MX

;; ANSWER SECTION:
cabrillo.edu. 1038 IN MX 100 cabrillo.edu.s7a1.psmtp.com.
cabrillo.edu. 1038 IN MX 400 cabrillo.edu.s7b2.psmtp.com.
cabrillo.edu. 1038 IN MX 200 cabrillo.edu.s7a2.psmtp.com.
cabrillo.edu. 1038 IN MX 300 cabrillo.edu.s7b1.psmtp.com.

;; Query time: 53 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Nov 19 17:35:16 PST 2013
;; MSG SIZE  rcvd: 186

Each one of those servers is a possible target. Make note of them. The number in front of each host name is its preference value; sending servers try the lowest number first, so cabrillo.edu.s7a1.psmtp.com is the primary mail exchanger and the others are backups. Notice also that none of these hosts is inside cabrillo.edu, which is a hint that someone else handles Cabrillo's mail; Step 4 will confirm that. 

Step 3: Dig deeper
There are other things that dig may tell you. For this step use dig to tell you the IP address of the target's web servers. 

# dig www.your_target.com 

Digging Cabrillo's webserver gives this answer

# dig www.cabrillo.edu
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> www.cabrillo.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58954
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cabrillo.edu. IN A

;; ANSWER SECTION:
www.cabrillo.edu. 527 IN CNAME mundo.cabrillo.edu.
mundo.cabrillo.edu. 527 IN A 207.62.187.8

;; Query time: 33 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Nov 19 17:36:13 PST 2013
;; MSG SIZE  rcvd: 81

Now we know that Cabrillo's webserver is actually an alias (a CNAME) for mundo.cabrillo.edu, which resolves to 207.62.187.8. For some sites you will see that the webserver has MULTIPLE IP addresses, one A record per address; that usually means the site is load balanced across several machines. See for yourself by looking up www.google.com. Do the same lookup for each name server and mail exchanger you noted in the earlier steps, because you will need their IP addresses in the next step. 

Step 4: Keep digging
Not all organizations host their own mail and web pages. Before you attack their services you should know whose machines you are actually attacking. The best way to do that is to look up the IP address of each web server, name server and mail exchanger you discovered in the previous steps. There are many sites that let you do this, including whois.net (on Kali you can also run the whois command followed by the IP address). Looking up an IP address will show you who it really belongs to. Looking up 207.62.187.8 (a.k.a. mundo.cabrillo.edu) reveals this information:

California State University Network NETBLK-CSUNET-S4 (NET-207-62-0-0-1) 207.62.0.0 - 207.62.255.255
Cabrillo Community College CSU-CABRCC (NET-207-62-184-0-1) 207.62.184.0 - 207.62.187.255

Now we know that Cabrillo's address block is a sub-allocation carved out of the CSU system's network. Interesting. The smaller, more specific block is the one that tells you who really runs the host. When a host lives in a block that belongs to someone else entirely (a hosting company or a mail-filtering service, for example), attacking it means attacking that third party, which matters for both legality and the scope of an engagement. 
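To tie Steps 2 through 4 together, here is an added example script (written for this write-up, not part of the lab handout) that turns saved dig and whois output into the host list you are asked to turn in. It assumes you have captured the text output of dig and whois on Kali; the inputs embedded below are the lab's own output for cabrillo.edu so that the script runs offline, and the netblock parser is written for the two-line whois format shown in Step 4. It follows CNAME chains, orders mail exchangers by preference, and picks the most specific netblock for each address.

```python
"""Build a reconnaissance target list from saved dig and whois output.
Added example for this lab, not part of the original handout. Inputs are
the lab's own dig/whois output for cabrillo.edu, embedded to run offline;
replace them with output from `dig mx <domain>`, `dig www.<domain>`,
`whois <ip>` captured on Kali."""
import ipaddress
import re

# Constructed input: ANSWER SECTION from Step 2 (dig mx cabrillo.edu).
DIG_MX = """\
cabrillo.edu. 1038 IN MX 100 cabrillo.edu.s7a1.psmtp.com.
cabrillo.edu. 1038 IN MX 400 cabrillo.edu.s7b2.psmtp.com.
cabrillo.edu. 1038 IN MX 200 cabrillo.edu.s7a2.psmtp.com.
cabrillo.edu. 1038 IN MX 300 cabrillo.edu.s7b1.psmtp.com.
"""
# Constructed input: ANSWER SECTION from Step 3 (dig www.cabrillo.edu).
DIG_WWW = """\
www.cabrillo.edu. 527 IN CNAME mundo.cabrillo.edu.
mundo.cabrillo.edu. 527 IN A 207.62.187.8
"""
# Constructed input: the two netblock lines from the IP lookup in Step 4.
WHOIS_IP = """\
California State University Network NETBLK-CSUNET-S4 (NET-207-62-0-0-1) 207.62.0.0 - 207.62.255.255
Cabrillo Community College CSU-CABRCC (NET-207-62-184-0-1) 207.62.184.0 - 207.62.187.255
"""


def parse_dig(text):
    """Turn dig answer lines into (owner, rrtype, rdata_fields) tuples.
    Comment lines (';') and blanks are skipped, so whole dig output works."""
    records = []
    for line in text.splitlines():
        parts = line.split()  # owner  ttl  class  type  rdata...
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        records.append((parts[0].rstrip(".").lower(), parts[3], parts[4:]))
    return records


def mx_hosts(records):
    """Mail exchangers ordered by preference (lowest number is tried first)."""
    mx = [(int(rd[0]), rd[1].rstrip(".").lower())
          for _, rrtype, rd in records if rrtype == "MX"]
    return [host for _, host in sorted(mx)]


def resolve(name, records):
    """Follow the CNAME chain for name; return (canonical name, [addresses]).
    A CNAME loop or a dangling alias ends the walk instead of hanging."""
    name = name.rstrip(".").lower()
    seen = set()
    while name not in seen:
        seen.add(name)
        aliases = [rd[0].rstrip(".").lower() for owner, rrtype, rd in records
                   if owner == name and rrtype == "CNAME"]
        if not aliases:
            break
        name = aliases[0]
    addrs = [rd[0] for owner, rrtype, rd in records
             if owner == name and rrtype in ("A", "AAAA")]
    return name, addrs


# "<org name> <net handle> (NET-...) <first ip> - <last ip>", as in Step 4.
NETBLOCK_RE = re.compile(
    r"^(?P<org>.+?)\s+(?P<handle>\S+)\s+\(NET-[^)]*\)\s+"
    r"(?P<start>[\d.]+)\s+-\s+(?P<end>[\d.]+)$")


def parse_netblocks(text):
    """Parse whois netblock lines into (org, first address, last address)."""
    blocks = []
    for line in text.splitlines():
        m = NETBLOCK_RE.match(line.strip())
        if m:
            blocks.append((m["org"], ipaddress.ip_address(m["start"]),
                           ipaddress.ip_address(m["end"])))
    return blocks


def owner_of(ip, blocks):
    """Org of the most specific (smallest) netblock containing ip, or None.
    whois returns parent and sub-allocation together; the smaller one
    is who actually runs the host."""
    addr = ipaddress.ip_address(ip)
    hits = [(int(last) - int(first), org) for org, first, last in blocks
            if first <= addr <= last]
    return min(hits)[1] if hits else None


def build_targets(mx_text, www_text, whois_text, web_name):
    """Assemble the host list the lab asks you to turn in."""
    canonical, addrs = resolve(web_name, parse_dig(www_text))
    blocks = parse_netblocks(whois_text)
    return {"mail_exchangers": mx_hosts(parse_dig(mx_text)),
            "web_server": canonical,
            "web_addresses": {a: owner_of(a, blocks) for a in addrs}}


if __name__ == "__main__":
    for key, value in build_targets(DIG_MX, DIG_WWW, WHOIS_IP,
                                    "www.cabrillo.edu").items():
        print(f"{key}: {value}")
```

Run it once per hostname you collected. The mail exchangers it lists are outside cabrillo.edu, so feed each of them (and each name server) back through dig and whois the same way the web server was handled; the owner of that netblock, not the target organization, is who you would really be attacking.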

Turn In
The amount of information you can gather may vary. Some organizations take steps to hide their private information. If you find that you are missing parts please contact me to make arrangements. Otherwise you must supply me:
  • The organization's postal address (5 points)
  • At least one phone number (5 points)
  • At least one email address (5 points)
  • The IP address or addresses of their web server and who owns them (5 points)
  • The IP address or addresses of their DNS servers and who owns them (5 points)
  • The IP address or addresses of their email servers and who owns them (5 points)
Please submit your information in a single text or Word document!
