The lab will be run on Linux, using the BackTrack image available here.

• Passive activity - no interaction with the target
• Useful information:
  • External IP addresses
  • Employee phone numbers and e-mails
  • Employee profiles (Facebook, Google+, LinkedIn, …)
  • Active hosts and services (internal penetration testing)
• Techniques:
  • Google hacking
  • Whois and DNS queries
  • Using public databases: Netcraft.com , zone-h.com
  • Web site inspection
  • Network sniffing

• site: restricts the results of the query to the specified site: site:pub.ro “error in your SQL syntax”
• intitle: / allintitle: - the keywords cand be found in the page title: intitle:“index of” intext:“parent directory”
• filetype: specifies the file extension: filetype:doc site:pub.ro
• Explicit Inclusion: +: +123456 “yahoo.com” site:pastebin.com
• Explicit Exclusion: -: +virus –biology
• More at: http://www.google.com/help/operators.html and http://www.hackersforcharity.org/ghdb/

Choose a site: xyz

• Search for all xls files that can be accesed on the xyz site
• Check if directory browsing is possible on the xyz site
• Search for subdomains of xyz
• Search for mysql dump filetype:sql. What is the result?
• Search for live webcams: inurl:/view/index.shtml inurl:viewerFrame?Mode=

Useful information:

• DNS servers
• IP addresses
• Location and address
• Contact persons (name, phone, e-mail)
• Examples:
  • whois cisco.com
  • whois 128.107.241.185

• Identify the IP addresses and location of xyz.

• Tools: dig, host, nslookup
• Query types: A, NS, MX, PTR, AXFR
• Examples:
  • E-mail servers:
    • dig pub.ro mx
    • host –t mx pub.ro
  • Reverse DNS:
    • dig @ns1.roedu.net ptr 60.166.85.141.in-addr.arpa
    • host 141.85.166.60

• What are the DNS servers for xyz?
• For each of the previous servers, request a zone transfer (type=axfr)

• Activities involving interaction with the target
• Repeated queries in order to obtain different information:
  • Live hosts
  • Open ports
  • Service versions
  • Operating systems
  • Network shares
  • Local users

• ARP Ping
• ICMP Ping
• TCP SYN Ping
• UDP Ping

• SYN scan (half-connect)
  • nmap -sS -p 445 192.168.1.1
  • hping -S -p 445 192.168.1.1
• Connect scan (complete 3-way handshake)
  • nmap -sT -p 445 192.168.1.1
  • telnet 192.168.1.1 445
  • netcat 192.168.1.1 445
• ACK scan (checks if a port is filtered by a firewall, does not offer any information regarding the port (open/closed))
  • nmap –sA –p 445 192.168.1.1
• UDP scan
  • nmap –sU –p 53 192.168.1.1

• Target specification
  • nmap 192.168.1-254.1-254
  • nmap 192.168.0.0/16
  • nmap –iL iplist.txt
• Port specification
  • nmap –p21,22,80,445 192.168.1.1
  • nmap –p1-65535 192.168.1.1
  • default: 1660 ports
• Output file:
  • nmap –oN output.txt 192.168.1.1
• Scan speed
  • nmap –T<0-5> 192.168.1.1 (larger number is faster)
• Service version
  • nmap –sV 192.168.1.1
• Operating System detection
  • nmap –O 192.168.1.1

• Using a single nmap command scan the entire vmnet8 subnet and determine:
  • Active hosts
  • Open ports
  • Service versions
  • Operating system
  • The results will be save in an output file