The blocks not marked with a "none" are routed on the Internet today. Where are these plus the smaller blocks routed? Since a complete class C network is routed to the same place, we can traceroute to a arbitrary IP within the block. We proceed to do so, tracerouting to the next available IP in the block (e.g. for netblock 62.157.214.240 we would trace to 62.157.214.241) in each netblock. Looking at the last confirmed hop in the traceroute should tell us more about the location of the block. Most of the European blocks are clearly defined - but what about the larger blocks such as the 192.193.0.0 block and the 193.32.0.0 block? The information gained is very interesting:
62.157.214.240-62.157.214.247 Germany
62.184.117.0/24 Not routed
62.200.100.0-62.200.100.31 Germany
62.225.11.144-62.225.11.151 Germany
63.236.56.224-63.236.56.255 USA
63.67.86.0/24 USA
63.71.124.192-63.71.124.255 USA
63.72.243.0/24 USA
63.74.88.64-63.74.88.79 USA
63.80.165.128-63.80.165.159 USA
192.132.9.0/24 Not routed
192.148.191.0/24 Not routed
192.193.172.0/24 USA
192.193.180.0/24 USA
192.193.182.0/24 USA
192.193.183.0/24 USA
192.193.184.0/24 USA
192.193.186.0/24 USA
192.193.187.0/24 USA
192.193.188.0/24 USA
192.193.192.0/24 USA
192.193.193.0/24 USA
- 16 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
192.193.194.0/24 USA
192.193.195.0/24 USA
192.193.196.0/24 USA
192.193.201.0/24 USA
192.193.208/24 USA
192.193.210.0/24 USA
192.193.211.0/24 USA
192.193.70.0/24 Singapore
192.193.71.0/24 USA
192.193.73.0/24 Singapore
192.193.74.0/24 Philippines
192.193.75.0/24 Singapore
192.193.77.0/24 Japan
192.209.110.0/24 Not routed
192.209.111.0/24 Not routed
192.209.120.0/24 Not routed
192.246.55.0/24 Not routed
192.48.247.0/24 Not routed
193.32.128.0/24 Not routed
193.32.161.0/24 UK
193.32.176.0/20 UK
193.32.192.0/20 UK
193.32.208.0/23 UK
193.32.254.0/23 UK
194.108.183.32-194.108.183.47 Czech Republic
194.50.218.0/24 Not routed
194.69.69.160-194.69.69.167 Not routed
195.183.49.128-195.183.49.143 Not routed
195.235.80.200-195.235.80.207 UK
195.75.113.0/24 Germany
196.28.49.0-196.28.49.31 USA
200.42.11.80-200.42.11.87 Argentina
203.197.24.0/24 India
203.66.184.0/24 Taiwan
203.66.185.0/24 Taiwan
205.147.21.161-205.147.21.168 USA
208.132.249.0-208.132.249.31 USA
208.138.110.0/24 USA
208.231.68.0/24 USA
208.44.107.32-208.44.107.63 USA
208.46.142.160-208.46.142.175 USA
208.58.129.224-208.58.129.239 USA
213.25.206.44-213.25.206.47 Poland
213.61.189.96-213.61.189.127 Germany
216.233.123.104-216.233.123.111 USA
216.233.22.128-216.233.22.135 USA
216.233.56.176-216.233.56.183 USA
216.233.56.184-216.233.56.191 USA
216.233.97.64-216.233.97.71 USA
It is interesting to note that none of the 192.193 IP blocks are routed to Europe. Citibank has thus registered unique individual blocks for Europe based branches, and are routing some of its 192.193 class B class Cs to Asia. It seems that many of the Citibank websites are running on "ISP blocks". If the idea is to get to the core of Citibank these sites might not be worthwhile to attack, as we are not sure that there is any connection with back-ends (sure, we cannot be sure that the Citibank registered blocks are more interesting, but at least we know that Citibank is responsible for those blocks).
Taking all mentioned information into account, we can start to build a map of Citibank around the globe. This exercise is left for the reader :)).
Reverse DNS entries
As promised, the next step would be reverse resolve scanning some nets. By doing this we could possibly see interesting reverse DNS names that might give away information about the host. We proceed to reverse scan all the mentioned blocks, as well as the corresponding class C block of the IPs that does not fall in above mentioned blocks (the ISP-like blocks). Extracts of the reverse scan looks like this:
- 17 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
1.195.193.192.IN-ADDR.ARPA domain name pointer global1.citicorp.com
2.195.193.192.IN-ADDR.ARPA domain name pointer global2.citicorp.com
3.195.193.192.IN-ADDR.ARPA domain name pointer global3.citicorp.com
4.195.193.192.IN-ADDR.ARPA domain name pointer global4.citicorp.com
119.195.193.192.IN-ADDR.ARPA domain name pointer arrow1.citicorp.com
119.195.193.192.IN-ADDR.ARPA domain name pointer arrow1-a.citicorp.com
120.195.193.192.IN-ADDR.ARPA domain name pointer global120.citicorp.com
150.195.193.192.IN-ADDR.ARPA domain name pointer fw-a-pri.ems.citicorp.com
151.195.193.192.IN-ADDR.ARPA domain name pointer fw-b-pri.ems.citicorp.com
192.195.193.192.IN-ADDR.ARPA domain name pointer egate3.citicorp.com
194.195.193.192.IN-ADDR.ARPA domain name pointer egate.citicorp.com
232.195.193.192.IN-ADDR.ARPA domain name pointer iss-pix11.citicorp.com
233.195.193.192.IN-ADDR.ARPA domain name pointer iss-pix12.citicorp.com
234.195.193.192.IN-ADDR.ARPA domain name pointer nr1.citicorp.com
121.196.193.192.IN-ADDR.ARPA domain name pointer qapbgweb1.pbg.citicorp.com
122.196.193.192.IN-ADDR.ARPA domain name pointer qapbgweb1b.pbg.citicorp.com
123.196.193.192.IN-ADDR.ARPA domain name pointer qapbgweb3a.pbg.citicorp.com
231.196.193.192.IN-ADDR.ARPA domain name pointer iss2.citicorp.com
232.196.193.192.IN-ADDR.ARPA domain name pointer iss-pix21.citicorp.com
233.196.193.192.IN-ADDR.ARPA domain name pointer iss-pix22.citicorp.com
190.74.128.210.IN-ADDR.ARPA domain name pointer telto-gw.dentsu.co.jp
190.74.128.210.IN-ADDR.ARPA domain name pointer citibank-gw.dentsu.co.jp
192.74.128.210.IN-ADDR.ARPA domain name pointer webby-gcom-net.dentsu.co.jp
10.38.193.192.IN-ADDR.ARPA domain name pointer pbgproxy1a.pbg.citicorp.com
11.38.193.192.IN-ADDR.ARPA domain name pointer pbgproxy1b.pbg.citicorp.com
12.38.193.192.IN-ADDR.ARPA domain name pointer pbggd1a.pbg.citicorp.com
53.73.193.192.IN-ADDR.ARPA domain name pointer www.citicommerce.com
Most of the non-192.193 block does not resolve to anything. Some of the 192.193 reverse DNS names tells us about the technology used. There are PIX firewalls (nr-pix21.citicorp.com_), possible ISS scanners or IDS systems (iss2.citicorp.com) and proxy servers (cd-proxy.citicorp.com). We also see that there are other Citibank-related domains - citicorp.com, citicorpmortgage.com, citimarkets.com, citiaccess.com and citicommerce.com. It can clearly be seen that most of the IP numbers reverse resolves to the citicorp.com domain. There are sub-domains within the Citicorp domain - ems.citicorp.com, pki.citicorp.com, pbg.citicorp.com and edc.citicorp.com.
How do we get reverse entries for hosts? Well – there is two ways. Just as you can do a Zone Transfer for a domain, you can do a Zone transfer for a netblock. Really. Check this out:
#host -l 74.128.210.in-addr.arpa
74.128.210.in-addr.arpa name server www.inter.co.jp
74.128.210.in-addr.arpa name server ns1.iij.ad.jp
126.74.128.210.in-addr.arpa domain name pointer cabinet-gw.dentsu.co.jp
128.74.128.210.in-addr.arpa domain name pointer telto-net.dentsu.co.jp
etc. etc.
And just as some Zone Transferes are denied on some domains, some ZTs are also denied on netblocks. This does not keep us from getting the actual reverse DNS entry. If we start at getting the reverse DNS entry for 210.128.74.1 and end at 210.128.74.255 (one IP at a time), we still have the complete block. See the script reversescan.pl at the end of the chapter for how to do it nicely.
Summary
To attack a target you must know where the target is. On numerous occasions we have seen that attacking the front door is of no use. Rather attack a branch or subsidiary and attack the main network from there. If a recipe exists for mapping a network from the Internet it would involve some or all of the following steps:
• Find out what "presence" the target has on the Internet. This include looking at web server-, mail exchanger and NS server IP addresses. If a zone transfer can be done it is a bonus. Also look for similar domains (in our case it included checks for all country extensions
- 18 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
(with .com and .co appended) and the domain citicorp.com) It might involve looking at web page content, looking for partners and affiliates. Its mainly mapping known DNS names to IP address space.
• Reverse DNS scanning will tell you if the blocks the target it is contains more equipment that belongs to the target. The reverse names could also give you an indication of the function and type of equipment.
• Finding more IP addresses - this can be done by looking if the target owns the netblock were the mail exchanger/web server/name server is located. It could also include looking at the Registries (APNIC,RIPE and ARIN) for additional netblocks and searches where possible.
• Tracerouting to IP addresses within the block to find the actual location of the endpoints. This helps you to get an idea which blocks bound together and are physically located in the same spot.
• Look at routing tables on core routers. Find out which parts of the netblocks are routed - it makes no sense to attack IP numbers that is not routed over the Internet.
The tools used in this section are actually quite simple. They are the Unix "host" command, "traceroute", and a combination of PERL, AWK, and standard Unix shell scripting. I also used some websites that might be worth visiting:
• APNIC http://www.apnic.net (Asian pacific)
• RIPE http://www.ripe.net/cgi-bin/WHOIS (Euopean)
• ARIN http://www.arin.net/WHOIS/index.html (American)
For completeness sake I put the (really not well written) shell and PERL scripts here. They are all very simple...:
Reversescanner.pl:
(the input for this script is a IP range e.g. 160.124.19.0-160.124.19.100. Output is sent to STDOUT so >& it...)
#!/usr/bin/perl
# Usage: perl reversecanner.pl 160.124.19.0-160.124.19.100
$|=1;
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
@ip2=split(/\./,@een[$#een]);
for ($a=@ip1[0]; $a<1+@ip2[0]; $a++) {
for ($b=@ip1[1]; $b<1+@ip2[1]; $b++) {
for ($c=@ip1[2]; $c<1+@ip2[2]; $c++) {
for ($d=@ip1[3]; $d<1+@ip2[3]; $d++) {
print "$a.$b.$c.$d : ";
system "host $a.$b.$c.$d";
}}}}
Tracerouter.pl:
Input is a network or subnet e.g. 160.124.19.10. Output is to STDOUT so >& it. It takes the next IP in the specified input block and trace to it. (the script also provides for the a.b.c.d-w.x.y.z input format as the reversescanner)
#!/usr/bin/perl
# Usage: perl tracerouter.pl 160.124.21.92
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
my $string;
$string=@ip1[0].".".@ip1[1].".".@ip1[2].".".(1+@ip1[3]);
system "traceroute -m 50 $string";
Domain_info.sh:
- 19 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
All the domains you want to investigate should be in a file called "domains". Output is appended to file called "all". Change as you wish...:)
#!/usr/local/bin/tcsh
foreach a (`cat domains`)
echo " " >> all
echo ====Domain: $a >> all
echo --Zone transfer: >> all
host -l $a >> all
echo --Webserver: >> all
host www.$a >> all
echo --Nameservers: >> all
host -t ns $a >> all
echo --Mailservers: >> all
host -t mx $a >> all
continue
end
Get_routes.pl:
This perl script logs into core router route1.saix.net and displays to STDOUT the routing tables that matches any given net. Input field is the route search term (makes use of the Net::Telnet module that can be found on CPAN).
#!/usr/local/bin/perl
#Usage: perl get_routes.pl 192.193
use Net::Telnet ();
$t = new Net::Telnet (Timeout => 25,Prompt=>'/\>/');
$t->open("route1.saix.net");
$soeker=@ARGV[0];
$t->waitfor('/>/');
@return=$t->cmd("terminal length 0");
@return=$t->cmd("show ip route | include $soeker");
print "@return\n";
The rest of the results were compiled using these tools in scripts or piping output to other ad hoc scripts, but this is not worth listing here.
Added later: hey! I wrote a script that does a lot of these things for you automatically. It uses a nifty tool called “The Geektools proxy”, written by a very friendly chap named Robb Ballard
#!/usr/bin/perl
use Socket;
$domain=@ARGV[0];
$nameserver="196.4.160.2";
sub qprint
{
open(db,">>$domain.report") || die "Couldnt open quickwrite\n";
print db @_;
close (db);
}
open (IN,"@ARGV[1]") || die "Couldnt open brute force DNS names file\n";
while (
chomp;
@tries[$i]=$_;
$i++;
}
qprint "==Report begin\n";
###############################first get the www record
@results=`host -w www.$domain $nameserver`;
if ($#results<1) {qprint "No WWW records\n";}
else
{
foreach $line (@results) {
if ($line =~ /has address/) {
- 20 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
@quick=split(/has address /,$line);
$www=@quick[1]; chomp $www;
qprint "Webserver have address $www\n";
}
}
}
$counter=0;
##################################### MX records
$counter=0; @mxdb=();
@results=`host -w -t mx $domain $nameserver`;
if ($#results<1) {qprint "No MX records\n";}
else {
foreach $line (@results) {
@quick=split(/by /,$line);
@pre=split(/pri=/,$line);
@pre1=split(/\)/,@pre[1]);
$mx=@quick[1];
chomp $mx;
if (length($mx)>0) {
@resolve=`host -w $mx $nameserver`;
foreach $line2 (@resolve) {
chomp $line2;
if ($line2 =~ /has address/) {
@quicker=split(/has address/,$line2);
}
}
$mxip=@quicker[1];
$mxip=~s/ //g;
chomp $mxip;
@ip[$counter]=$mxip;
qprint "MX record priority @pre1[0] : $mxip\n";
$counter++;
}
}
}
#Check Zonetransfer
@results=`host -w -l $domain`;
if ($#results<2) {
qprint "==Could not do ZT - going to do brute force\n";
#########################################Brute force
foreach $try (@tries){
@response=`host $try.$domain`;
foreach $line (@response){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
}
######################################## normal ZT
else {
qprint "==Zone Transfer\n";
foreach $line (@results){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
###################################### PART II ###############Now we want to check the class Cs
# we have names in @name and ips in @ip
@sip=sort @ip;
@sname=sort @name;
###################################class Cs & uniq:
- 21 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
qprint "\n";
foreach $line (@sip){
if (!($line =~ /127.0.0.1/)){
@splitter=split(/\./,$line);
$classc=@splitter[0].".".@splitter[1].".".@splitter[2];
$justc{$classc}++;
}
}
$counter=0;
@sclassc=sort (keys (%justc));
foreach $line (@sclassc){
@class[$counter]=$line;
qprint "ClassC with $justc{$line} : $line\n";
$counter++;
}
foreach $line (@sname){
$justnames{$line}=1;
}
$counter=0;
@namesl=sort (keys (%justnames));
foreach $line (@namesl){
@nam[$counter]=$line;
qprint "names: $line\n";
$counter++;
}
######################### do some whois - GEEKTOOLS
foreach $subnet (@class){
qprint "==Geektools whois of block $subnet:\n";
@response=`perl whois.pl $subnet`;
qprint @response;
}
################################reversescans
#first try quick way
foreach $subnet (@class){
@splitter=split(/\./,$subnet);
$classr=@splitter[2].".".@splitter[1].".".@splitter[0].".in-addr.arpa";
@results=`host -l $classr`;
if ($#results<1) {
qprint "==No reverse entry for block $subnet - have go manual\n";
for ($d=1; $d<255; $d++) {
@response=`host $subnet.$d`;
foreach $line (@response){
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
else
{
qprint "==Reverse lookup for block $subnet permitted\n";
foreach $line (@results) {
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
################################### ping sweeps
foreach $subnet (@class){
qprint "\n==Nmap pingsweep of subnet $subnet\n\n";
@results=`nmap -sP -PI $subnet.1-255`;
qprint @results;
}
#system "rm *.dat";
#############################search the webpage
qprint "\n==Doing WWW harvest\n";
@dummy=`lynx -accept_all_cookies -crawl -traversal http://www.$domain`;
- 22 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
qprint "http://www.$domain\n";
@response = `cat ./reject.dat`;
foreach $line (@response){
chomp $line;
if ($line =~ /http/){
@splitter=split(/\//,$line);
$uniql{@splitter[2]}++;
}
if ($line =~ /mailto/){
@splitter=split(/:/,$line);
$uniqm{@splitter[1]}++;
}
}
foreach $links (keys (%uniql)){
qprint "External link $uniql{$links} : $links\n";
}
foreach $links (keys (%uniqm)){
qprint "External email $uniqm{$links} : $links\n";
}
The file “common” looks like this (its used for guessing common DNS names within a domain(its not really in 3 columns, I just save some trees. )
www
ftp
ns
3com
aix
apache
back
bastion
bind
border
bsd
business
chains
cisco
content
corporate
cvp
debian
dns
domino
dominoserver
download
e-bus
e-business
e-safe
esafe
external
extranet
firebox
firewall
freebsd
front
ftp
fw
fw-
fwe
fwi
gate
gatekeeper
gateway
gauntlet
group
help
hop
hp
hp-ux
hpjet
hpux
http
https
hub
ibm
ids
info
inside
internal
internet
intranet
ipchains
ipfw
irix
jet
list
lotus
lotusdomino
lotusnotes
lotusserver
mailfeed
mailgate
mailgateway
mailgroup
mailhost
maillist
mailmarshall
mailpop
mailrelay
mandrake
mimesweeper
ms
msproxy
mx
nameserver
news
newsdesk
newsfeed
newsgroup
newsroom
newsserver
nntp
notes
noteserver
notesserver
ns
nt
openbsd
outside
pix
pop
pop3
pophost
popmail
popserver
printer
printspool
private
proxy
proxyserver
public
qpop
raptor
read
redcreek
redhat
route
router
router
scanner
screen
screening
secure
seek
slackware
smail
smap
smtp
smtpgateway
smtpgw
sniffer
snort
solaris
sonic
spool
squid
sun
sunos
suse
switch
transfer
trend
trendmicro
unseen
vlan
wall
web
webmail
webserver
webswitch
win2000
- 23 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
win2k
win31
win95
win98
winnt
write
ww
www
xfer
No comments:
Post a Comment
hacking tools