Wednesday, September 22, 2010

Mapping your target
Once you have your platform in good working order, you will need to know as much as possible about your target. In this chapter we look at "passive" ways to find information about the target. The target might be a company, a organization or a government. Where do you start your attack? This first step is gaining as much as possible information about the target - without them knowing that you are focussing your sniper scope on them. All these methods involve tools, web sites and programs that are used by the normal law abiding netizen.
Websites, MX records…DNS!
For the purpose of this document, let us assume that we want to attack CitiBank. (no hard feelings CitiBank). We begin by looking at the very obvious - www.citibank.com. You would be amazed by the amount one can learn from an official webpage. From the website we learn that Citibank has presence in many countries. Checking that Citibank have offices in Belgium we check the address of www.citibank.be and the Malaysian office www.citibank.com.my. The IP addresses are different - which means that each country' Citibank website is hosted inside the specific country. The website lists all the countries that Citibank operate in. We take the HTML source code, and try to find the websites in each country. Having a look around leaves us with 8 distinct countries. Maybe XXX.citybank.XXX is registered in the other countries? Doing a simple "host www.citibank.XXX" (scripted with all country codes and with .com and .co sub extensions of course) reveals that following sites:
www.citibank.as
www.citibank.at
www.citibank.be
www.citibank.ca
www.citibank.cc
www.citibank.ch
www.citibank.cl
www.citibank.co.at
www.citibank.co.cc
www.citibank.co.cx
www.citibank.co.dk
www.citibank.co.id
www.citibank.co.in
www.citibank.co.io
www.citibank.co.jp
www.citibank.co.ke
www.citibank.co.kr
www.citibank.co.nz
www.citibank.co.pl
www.citibank.co.pt
www.citibank.co.th
www.citibank.co.tv
www.citibank.co.tw
www.citibank.co.uk
www.citibank.co.vi
www.citibank.co.ws
www.citibank.com
www.citibank.com.ar
www.citibank.com.au
www.citibank.com.bh
www.citibank.com.bi
www.citibank.com.br
www.citibank.com.bs
www.citibank.com.co
www.citibank.com.ec
www.citibank.com.gt
www.citibank.com.gu
www.citibank.com.hk
www.citibank.com.ky
www.citibank.com.mo
www.citibank.com.mx
www.citibank.com.my
www.citibank.com.ph
www.citibank.com.pk
www.citibank.com.pl
www.citibank.com.pr
www.citibank.com.py
www.citibank.com.sg
www.citibank.com.tj
www.citibank.com.tr
www.citibank.com.tw
www.citibank.com.ws
www.citibank.cx
www.citibank.cz
www.citibank.de
www.citibank.es
www.citibank.fr
www.citibank.gr
www.citibank.hu
www.citibank.ie
www.citibank.io
www.citibank.it
www.citibank.lu
www.citibank.mc
www.citibank.mw
www.citibank.nl
www.citibank.nu
www.citibank.pl
www.citibank.ro
www.citibank.ru
www.citibank.tv
www.citibank.ws
www.citicorp.com
So much for websites - it is clear that many of these domains are used by cybersquatters - www.citibank.nu for example. We'll filter those. Also, most of above mentioned sites are simply aliases for www.citibank.com. These days most websites are hosted offsite. Mail exchangers are most of the time more closely coupled with the real network. Looking at the MX records for the domains (host -t mx citibank.XX) gives one a better idea of the IP numbers involved. Trying to do a zone transfer would also help a lot (host -l citibank.XXX). After some scripting it becomes clear which domains belongs to the real Citibank - all of these domain's MX records are pointing to the MX record for www.citibank.com, and their websites point to the official .com site. The theory that the MX records for the different branches are closer to the "satellite" network does not apply for Citibank it seems: (these are all MX records).
citibank.at is a nickname for www.citibank.com
citibank.ca is a nickname for www.citibank.com
citibank.ch is a nickname for www.citibank.com
citibank.cl is a nickname for www.citibank.com
citibank.co.at is a nickname for www.citibank.com
citibank.co.kr is a nickname for www.citibank.com
citibank.co.nz is a nickname for www.citibank.com
citibank.co.vi is a nickname for www.citibank.com
citibank.com.br is a nickname for www.citibank.com
citibank.com.bs is a nickname for www.citibank.com
citibank.com.ec is a nickname for www.citibank.com
citibank.com.gt is a nickname for www.citibank.com
citibank.com.gu is a nickname for www.citibank.com
citibank.com.ky is a nickname for www.citibank.com
citibank.com.mo is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.my is a nickname for www.citibank.com
citibank.com.pk is a nickname for www.citibank.com
citibank.com.pl is a nickname for www.citibank.com
citibank.com.pr is a nickname for www.citibank.com
citibank.com.py is a nickname for www.citibank.com
citibank.com.sg is a nickname for www.citibank.com
citibank.com.tr is a nickname for www.citibank.com
citibank.cz is a nickname for www.citibank.com
citibank.gr is a nickname for www.citibank.com
citibank.hu is a nickname for www.citibank.com
citibank.ie is a nickname for www.citibank.com
citibank.it is a nickname for www.citibank.com
citibank.lu is a nickname for www.citibank.com
citibank.mc is a nickname for www.citibank.com
citibank.mw is a nickname for www.citibank.com
citibank.nl is a nickname for www.citibank.com
citibank.pl is a nickname for www.citibank.com
citibank.ro is a nickname for www.citibank.com
What about the rest of the countries - are all of them cybersquatter related, or have our friends at Citibank slipped up somewhere? Let's remove above-mentioned countries from our list, and have a look those than remain. Close inspection of all the rest of the domains shows that cyber squatters (in all sizes and forms) have taken the following domains:
citibank.as
citibank.cc
citibank.co.cx
citibank.co.dk
citibank.co.ke
citibank.co.pl
citibank.co.pt
citibank.co.tv
citibank.co.ws
citibank.com.bh
citibank.com.bi
citibank.com.tj
citibank.com.ws
citibank.cx
citibank.io
citibank.nu
citibank.tv
How about the rest? We find the following hosts and services belonging to Citibank (most of this is done with scripting, manual labor, and cross checking):
www.citibank.be has address 195.75.113.39
citibank.be name server ns.citicorp.com
citibank.be name server ns2.citicorp.com
citibank.co.id mail is handled (pri=20) by egate.citicorp.com
citibank.co.in has address 203.197.24.163
www.citibank.co.jp has address 210.128.74.161
citibank.co.jp name server NS2.citidirect.citibank.co.jp
citibank.co.th mail is handled (pri=20) by egate.citibank.com
citibank.com.ar mail is handled (pri=20) by mailer2.prima.com.ar
www.citibank.com.au has address 203.35.150.146
citibank.com.au name server ns.citibank.com
citibank.com.au name server ns2.citibank.com
www.citibank.com.co has address 63.95.145.165
citibank.com.co name server CEDAR1.CITIBANK.COM
citibank.com.co name server CEDAR2.CITIBANK.COM
webp.citibank.com.sg has address 192.193.70.5
citibank.com.mx mail is handled (pri=10) by green.citibank.com.mx
citibank.com.ph mail is handled (pri=20) by egate.citicorp.com
citibank.com.tw name server dns.citibank.com.tw
dns.citibank.com.tw has address 203.66.185.3
www.citibank.com.tw has address 203.66.185.1
citibank.com.tw name server home1.citidirect.citibank.com.tw
citibank.ru has address 194.135.176.81
www.citibank.de has address 195.75.113.49
www.citibank.de has address 195.145.1.166
www.citibank.com has address 192.193.195.132
and the obvious official .com sites and MX records. But the real prize is German Citibank. In the checking scripts we also check if a DNS zone transfer was possible. In all of the domains tested a ZT was denied. All but Germany:
ehbtest.Citibank.DE has address 195.75.113.25
ehbweb.Citibank.DE has address 195.75.113.49
inter.Citibank.DE has address 193.96.156.103
localhost.Citibank.DE has address 127.0.0.1
www.Citibank.DE has address 195.145.1.166
www.Citibank.DE has address 195.75.113.49
ehbdns.Citibank.DE has address 195.145.1.166
public.Citibank.DE has address 193.96.156.104
From all of the above we can now begin to compile a list of IP numbers belonging to Citibank all over the world. We take the list, sort it, and remove any duplicates if there are any. The end result is:
148.242.127.200
192.193.195.132
192.193.195.194
192.193.195.195
192.193.195.210
192.193.196.210
192.193.70.5
192.193.77.166
193.96.156.103
193.96.156.104
194.135.176.81
195.145.1.166
195.75.113.10
195.75.113.11
195.75.113.25
195.75.113.39
195.75.113.49
200.42.0.133
203.197.24.163
203.35.150.146
203.66.185.1
203.66.185.20
203.66.185.3
210.128.74.161
63.95.145.165
Once we have these IP numbers we can go much further. We could see the netblocks these IP numbers belongs to - this might give us more IP numbers. Later these IP numbers could be fed to port scanners or the likes. Another technique is to do "reverse resolve scanning". Here one reverse resolves the subnet to see if there are other interesting DNS entries.

No comments:

Post a Comment

hacking tools