

Lab 1 - Collecting Information and Scanning

The lab will be run on Linux, using the BackTrack image available here.

Collecting Information

  • Passive activity - no interaction with the target
  • Useful information:
    • External IP addresses
    • Employee phone numbers and e-mails
    • Employee profiles (Facebook, Google+, LinkedIn, …)
    • Active hosts and services (internal penetration testing)
  • Techniques:
    • Google hacking
    • Whois and DNS queries
    • Using public databases: Netcraft.com , zone-h.com
    • Web site inspection
    • Network sniffing

Google Hacking

  • site: restricts the results of the query to the specified site: site:pub.ro “error in your SQL syntax”
  • intitle: / allintitle: - the keywords can be found in the page title: intitle:“index of” intext:“parent directory”
  • filetype: specifies the file extension: filetype:doc site:pub.ro
  • Explicit inclusion: +: +123456 “yahoo.com” site:pastebin.com
  • Explicit exclusion: -: +virus -biology

Google Hacking - Tasks

Choose a site: xyz

  • Search for all xls files that can be accessed on the xyz site
  • Check if directory browsing is possible on the xyz site
  • Search for subdomains of xyz
  • Search for mysql dump filetype:sql. What is the result?
  • Search for live webcams: inurl:/view/index.shtml inurl:viewerFrame?Mode=

Whois Queries

Useful information:

  • DNS servers
  • IP addresses
  • Location and address
  • Contact persons (name, phone, e-mail)
  • Examples:
    • whois cisco.com
    • whois 128.107.241.185

Whois Queries - Tasks

  • Identify the IP addresses and location of xyz.

DNS Queries

  • Tools: dig, host, nslookup
  • Query types: A, NS, MX, PTR, AXFR
  • Examples:
    • E-mail servers:
      • dig pub.ro mx
      • host -t mx pub.ro
    • Reverse DNS:
      • dig @ns1.roedu.net ptr 60.166.85.141.in-addr.arpa
      • host 141.85.166.60

DNS Queries - Tasks

  • What are the DNS servers for xyz?
  • For each of the previous servers, request a zone transfer (type=axfr)
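The following is an added example, not part of the original lab page: a small Python helper that builds the names and dig arguments used in the DNS queries above (including the in-addr.arpa name the lab forms by hand for 141.85.166.60, generalized to IPv6 as well) and parses the output of a zone-transfer attempt so that the "request a zone transfer from each DNS server" task can be turned into a repeatable check of which authoritative servers leak the whole zone. The zone example.test, its name servers and the dig output embedded in the block are constructed samples; run_dig is the only function that touches the network.

```python
"""DNS helpers for Lab 1 (added example; not part of the original lab page).

Builds the names/arguments for the dig queries shown in the lab, and
parses the output of a zone-transfer attempt so that the tasks "what are
the DNS servers?" / "request a zone transfer from each" can be checked
mechanically. All hosts and dig output below are constructed samples.
"""
import ipaddress
import re
import subprocess
from typing import Callable, Dict, List, Optional

# One dig answer line: owner  ttl  IN  type  rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def reverse_name(ip: str) -> str:
    """PTR owner name for an address, as the lab forms it by hand:
    141.85.166.60 -> 60.166.85.141.in-addr.arpa. IPv6 addresses get the
    nibble-reversed ip6.arpa form (a generalization beyond the lab text)."""
    return ipaddress.ip_address(ip).reverse_pointer


def dig_args(name: str, rtype: str, server: Optional[str] = None) -> List[str]:
    """argv for `dig [@server] name type`, e.g. ['dig', 'pub.ro', 'mx']."""
    args = ["dig"]
    if server:
        args.append("@" + server)
    return args + [name, rtype.lower()]


def run_dig(args: List[str]) -> str:
    """Run dig and return its stdout (needs network; not used by the tests)."""
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


def parse_axfr(output: str) -> Dict:
    """Turn `dig ... axfr` output into records and an allowed/refused verdict.

    A successful AXFR starts (and ends) with the zone's SOA; a refusal shows
    up as a '; Transfer failed.' comment and no records."""
    records = []
    failed = False
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):
            failed = failed or "Transfer failed" in line
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append({"name": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    allowed = bool(records) and records[0]["type"] == "SOA" and not failed
    hosts = sorted({r["name"] for r in records if r["type"] in ("A", "AAAA")})
    return {"allowed": allowed, "records": records, "hosts": hosts}


def audit_zone(zone: str, servers: List[str],
               runner: Callable[[List[str]], str] = run_dig) -> Dict[str, bool]:
    """For each authoritative server, report whether it hands out the whole
    zone (True = transfer allowed). `runner` is injectable so the check can be
    exercised on captured output without touching the network."""
    return {ns: parse_axfr(runner(dig_args(zone, "axfr", ns)))["allowed"]
            for ns in servers}


# Constructed sample output: what dig prints for an open and a refused AXFR.
AXFR_OPEN = """\
; <<>> DiG 9.8.1 <<>> @ns1.example.test example.test axfr
;; global options: +cmd
example.test.           3600    IN  SOA  ns1.example.test. hostmaster.example.test. 2012101501 3600 900 604800 86400
example.test.           3600    IN  NS   ns1.example.test.
example.test.           3600    IN  NS   ns2.example.test.
example.test.           3600    IN  MX   10 mail.example.test.
mail.example.test.      3600    IN  A    192.0.2.25
www.example.test.       3600    IN  A    192.0.2.10
intranet.example.test.  3600    IN  A    10.0.0.5
example.test.           3600    IN  SOA  ns1.example.test. hostmaster.example.test. 2012101501 3600 900 604800 86400
;; Query time: 12 msec
"""

AXFR_REFUSED = """\
; <<>> DiG 9.8.1 <<>> @ns2.example.test example.test axfr
;; global options: +cmd
; Transfer failed.
"""


def fake_dig(args: List[str]) -> str:
    """Stand-in for run_dig that replays the constructed samples."""
    return AXFR_OPEN if "@ns1.example.test" in args else AXFR_REFUSED


if __name__ == "__main__":
    print(reverse_name("141.85.166.60"))
    print(" ".join(dig_args("pub.ro", "mx")))
    servers = ["ns1.example.test", "ns2.example.test"]
    for ns, open_ in audit_zone("example.test", servers, fake_dig).items():
        print(f"{ns}: zone transfer {'ALLOWED' if open_ else 'refused'}")
    print("hosts exposed by ns1:", parse_axfr(AXFR_OPEN)["hosts"])
```

When run against real servers (replace fake_dig with the default run_dig and the sample zone with the lab's xyz), the result of audit_zone is the answer to the zone-transfer task: any server reported as True is exposing every host in the zone, including internal names such as the intranet record in the sample, which is exactly why authoritative servers should restrict AXFR to their secondaries.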

Scanning

cns/laboratoare/laborator-01.1350281835.txt.gz · Last modified: 2012/10/15 09:17 by traian.popeea
CC Attribution-Share Alike 3.0 Unported