Metasploit Penetration Testing Cookbook

Passive information gathering 2.0 - the next level

Every security professional is aware of the information gathering techniques discussed in the previous recipe. There are, however, some techniques that analysts neglect because they are less well known, even though they can produce results as good as the popular ones. The techniques discussed here involve a deeper analysis of the target while remaining passive: nothing is sent to the target that a normal DNS client, mail recipient, or search engine user would not send. They do not require Metasploit, but since information gathering is such an important phase of a penetration test, we cover them here.

Getting ready

We will understand three techniques here in this recipe:

  • Zone transfer: This can be attempted from the terminal with dig against each of the target's authoritative name servers.
  • SMTP header: For this technique, we require an e-mail that was sent by the target to the penetration tester.
  • Google dork: This is a simple, yet useful, technique of gaining information through a search engine's advanced operators.

Let us start with zone transfer.

How to do it...

Zone transfer (the DNS AXFR query) is the mechanism by which authoritative name servers replicate a zone: the secondary servers pull the complete set of records for the domain from the primary. It is meant to be restricted to the secondaries' addresses (or protected with TSIG). A misconfigured server answers AXFR for any client, so a single query hands us every record in the zone, including internal host names that would never be found by brute-force guessing.

Consider the following example in which a query dig @ns1.example.com example.com axfr returns a list of IP addresses and their corresponding host names:

[Screenshot: output of dig @ns1.example.com example.com axfr]

This query has identified ten host names, out of which eight unique hosts belong to example.com. We can see that the host names are descriptive enough to give a clear understanding about the type of service that is running.
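The following is an added example and not code from the book: a small Python helper that runs the same dig AXFR query against a name server, tells whether the transfer was allowed (a complete AXFR is bracketed by the zone's SOA record at the start and end; a refused one prints only "Transfer failed."), and turns the records into the host list the text analyses, flagging names that resolve to RFC 1918 space. The zone content in SAMPLE_AXFR_OUTPUT is constructed for illustration; the host names and addresses are invented and the function names are mine.

```python
"""Check for open DNS zone transfer and summarise what it leaks.

Added example (not from the original page). Sample dig output is constructed.
"""
import ipaddress
import re
import subprocess
from collections import defaultdict

# Constructed: what `dig @ns1.example.com example.com axfr` prints when AXFR is
# allowed. The zone records below are invented for illustration.
SAMPLE_AXFR_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tNS\tns2.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
ns1.example.com.\t3600\tIN\tA\t192.0.2.1
ns2.example.com.\t3600\tIN\tA\t192.0.2.2
mail.example.com.\t3600\tIN\tA\t192.0.2.10
www.example.com.\t3600\tIN\tA\t192.0.2.20
vpn.example.com.\t3600\tIN\tA\t192.0.2.30
intranet.example.com.\t3600\tIN\tA\t10.0.5.4
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# Constructed: what dig prints when the server refuses AXFR (the secure setup).
SAMPLE_REFUSED_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
; Transfer failed.
"""

# A dig record line: NAME  TTL  IN  TYPE  RDATA (comments start with ';').
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def run_axfr(name_server, zone):
    """Run dig AXFR against one name server and return its raw text output."""
    result = subprocess.run(["dig", "@" + name_server, zone, "axfr"],
                            capture_output=True, text=True, check=False)
    return result.stdout


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples parsed from dig AXFR output."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig's own comments, blank lines, 'Transfer failed.'
        match = RECORD_RE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append((name.rstrip(".").lower(), int(ttl), rtype, rdata.strip()))
    return records


def transfer_succeeded(records):
    """A complete zone transfer starts and ends with the zone's SOA record."""
    return len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"


def hosts_with_addresses(records):
    """Map each host name to its A/AAAA addresses: the asset list for the test."""
    hosts = defaultdict(set)
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts[name].add(rdata)
    return {name: sorted(addrs) for name, addrs in hosts.items()}


def private_hosts(hosts):
    """Host names pointing at RFC 1918 space: internal names leaked by AXFR."""
    def is_private(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in RFC1918)
    return sorted(name for name, addrs in hosts.items() if any(is_private(a) for a in addrs))


if __name__ == "__main__":
    # Offline demonstration on the constructed output; swap in
    # run_axfr("ns1.example.com", "example.com") to test a real zone.
    recs = parse_axfr(SAMPLE_AXFR_OUTPUT)
    print("AXFR allowed:", transfer_succeeded(recs))
    for host, addrs in sorted(hosts_with_addresses(recs).items()):
        print(f"  {host:25} {', '.join(addrs)}")
    print("internal-looking hosts:", private_hosts(hosts_with_addresses(recs)))
```

Run it against every NS record of the target, not just the first: it is common for the primary to be locked down while a forgotten secondary still answers AXFR for anyone.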

Analyzing the SMTP headers of an e-mail is another potential source of information about the target. Every mail server that relays the message prepends a Received: line, so the headers record the target's outgoing mail server, its IP address, the software and protocol it used (for example ESMTP or an authenticated ESMTPSA submission), and often the sender's mail client. The only drawback of this method is that we need an e-mail sent from the target to analyze. The following screenshot shows part of the header of a mail sent from the target.

[Screenshot: part of the headers of an e-mail received from the target]

Careful analysis of the header shows that the IP address of the mail server is 83.166.169.248, that the server speaks ESMTP, and that the user retrieves mail over IMAP. This additional information can be very useful in further exploring the target.
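As an added example that is not from the book, the following Python reads the Received: chain of a raw message and reconstructs the path the mail took. Received: lines are read bottom-up (the lowest one was added first, by the server closest to the sender), so the originating hop reveals the client's address and whether it authenticated to the target's mail server, while the hop that handed the message to our own server reveals the target's outgoing MTA and its public IP. The message in RAW_MESSAGE is constructed; hosts, addresses, IDs and the X-Mailer value are invented, and the function names are mine.

```python
"""Reconstruct the relay path of an e-mail from its Received: headers.

Added example (not from the original page). The message below is constructed.
"""
import email
import re

# Constructed sample message: two hops inside the target, one into our server.
RAW_MESSAGE = b"""\
Received: from mx.pentester.example (mx.pentester.example [198.51.100.7])
\tby mail.pentester.example (Postfix) with ESMTP id 4F2A1C0B3
\tfor <analyst@pentester.example>; Mon, 15 Jan 2024 10:02:11 +0000
Received: from mail.target.example (mail.target.example [203.0.113.25])
\tby mx.pentester.example (Postfix) with ESMTPS id 9A1B2C3D
\tfor <analyst@pentester.example>; Mon, 15 Jan 2024 10:02:09 +0000
Received: from [10.1.2.33] (unknown [10.1.2.33])
\tby mail.target.example (Postfix) with ESMTPSA id 1234ABCD;
\tMon, 15 Jan 2024 10:02:05 +0000
From: Alice <alice@target.example>
To: analyst@pentester.example
Subject: Re: meeting
Message-ID: <20240115100205.1234ABCD@mail.target.example>
X-Mailer: Microsoft Outlook 16.0
Content-Type: text/plain; charset=utf-8

See you Tuesday.
"""

# "from A (comment) by B (comment) with PROTO ..." as written by most MTAs.
HOP_RE = re.compile(
    r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)(?:\s+\(([^)]*)\))?\s+with\s+(\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")

# What the 'with' token tells us about the hop (RFC 3848 keywords).
WITH_MEANING = {
    "SMTP": "plain SMTP relay",
    "ESMTP": "extended SMTP relay, no TLS",
    "ESMTPS": "extended SMTP relay over TLS",
    "ESMTPA": "authenticated submission (a user's mail client), no TLS",
    "ESMTPSA": "authenticated submission (a user's mail client) over TLS",
}


def received_hops(raw):
    """Return the hops in chronological order (sender side first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue  # non-standard Received: line; keep going
        from_host, from_info, by_host, by_info, with_proto = match.groups()
        ip_match = IP_RE.search(from_info or from_host)
        hops.append({
            "from_host": from_host,
            "from_ip": ip_match.group(1) if ip_match else None,
            "by_host": by_host,
            "by_software": by_info,
            "with": with_proto.upper(),
            "meaning": WITH_MEANING.get(with_proto.upper(), "unknown"),
        })
    hops.reverse()  # the header block lists the newest hop first
    return hops


def target_servers(hops, domain):
    """Mail servers under the target's domain with the public IP seen for them."""
    servers = {}
    for hop in hops:
        for host, ip in ((hop["from_host"], hop["from_ip"]), (hop["by_host"], None)):
            if host.lower().endswith("." + domain) and (ip or host.lower() not in servers):
                servers[host.lower()] = ip
    return servers


def client_software(raw):
    """Mail client banner, if the sender's software advertised one."""
    msg = email.message_from_bytes(raw)
    return msg.get("X-Mailer") or msg.get("User-Agent")


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(RAW_MESSAGE)):
        print(f"hop {i}: {hop['from_host']} ({hop['from_ip']}) -> {hop['by_host']} "
              f"[{hop['by_software']}] via {hop['with']}: {hop['meaning']}")
    print("target mail servers:", target_servers(received_hops(RAW_MESSAGE), "target.example"))
    print("sender's client:", client_software(RAW_MESSAGE))
```

Only the hops added by servers you control (here, the top one) are trustworthy; anything below can be forged by a sender who wants to mislead you, so treat the internal address and software names as leads to confirm, not facts.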

The last technique is using Google dorks. This method works only in some cases, but it is worth a try as you never know what information it can reveal. Google's crawler often reaches files or documents that are stored on the target's server for internal use; because the server is reachable from the internet, the crawler indexes them and they appear in search results. We can look for such files with Google's advanced search operators: combining the site: operator (restricting results to the target's domain) with filetype: (restricting them to a document type) can reveal some exciting material.

For example, perform the following search queries in Google:

  • site:www.target.com filetype:xls
  • site:www.target.com filetype:pdf
  • site:www.target.com filetype:db

Similarly, we can try several different combinations to dig out results from Google search.

How it works...

The dig AXFR query asks an authoritative name server for a full copy of the zone: the resource records (A, MX, NS, and so on) that the domain's administrator maintains on the primary server. Zone transfer exists so that secondary servers can replicate those records and keep an identical mapping, and dig lets us issue the same request a secondary would. It works against us only when the server fails to restrict AXFR to its secondaries. The SMTP headers are the metadata prepended to an e-mail as it is composed and relayed; every server that handles the message adds its own Received: line, which is why the headers contain so much information about the sender and the mail infrastructure the message passed through.

Google dorks are nothing but the search results of various files that the Google crawler indexes. Once the file has been indexed in a Google search, it can be viewed by using some specific search types.

There's more...

Fun with dorks

johnny.ihackstuff.com, Johnny Long's Google Hacking Database, is the most comprehensive guide for Google dorks, where you can find a complete list of dorks that can reveal lots of hidden information about your target.