Difference between revisions of "SEC520/labs/Lab 2"
Page protected ("OER transfer"): editing and moving are restricted to administrators.

Notes from the page source (template boxes that do not appear in the rendered revision below)

Task #1 tip (sensepost.com): This is a website that is dedicated to internet security, and provides a platform to help gather information regarding a server. In fact, examples from the textbook Penetration Tester's Open Source Toolkit use examples from this website. We will be using this site for the majority of Lab 2.

Task #1 important (Enter Site Directive in Google Search Textbox): Don't enter the "site" directive in the URL textbox at the top of the web-browser; enter this directive in the Google SEARCH text box, otherwise the directive will not work. Also make certain that you remain in the Google web-page when performing this operation.

Task #1 tip (Gathering Information on your Own Server at Home): Just for interest, it is not that difficult to obtain SOME information regarding your own computer system at home. First, determine your IP address by using the ifconfig command for Linux, or the ipconfig command in Windows. One very quick way to determine your IP address is to simply type "IP Address" in the URL window of your web-browser. Knowing your own IP address at home is useful during the link analysis and domain name expansion steps in Task #2.

Task #2 important (Installing Dependencies for BiLE.pl, BiLE-Weigh.pl): You may need to download the BiLE Utilities, consisting of useful Perl scripts. Your Kali Linux distribution most likely comes with Perl already loaded. On the other hand, prior to running these Perl scripts, you may be required to first install the application called HTTrack. You can do this by installing "httrack" via "apt-get" or by using a graphical application (such as Synaptic Package Manager).

Task #2 important (Perl Scripts Containing Errors When Executed): If errors occur, check to see if the Perl scripts were properly downloaded. If they contain HTML code, an alternative to downloading is to display the Perl script in the web-browser and copy and paste the code into the file on your computer (as opposed to right-clicking the link and saving it to your computer).

Task #2 important (Error: sort: open failed: +1: No such file or directory): If you run the BiLE-Weigh.pl command and encounter this error, make the following editing change to the script. Change the line:

    'cat temp | sort -r -t ";" +1 -n > @ARGV[1].sorted';

to read:

    `cat temp | sort -r -t ":" -k 2 -n > @ARGV[1].sorted`;

(Note: ` in this case is the "left-tick" (backtick) representing command substitution, not to be confused with a single quote.)

Task #4 important (Install metagoofil program): The harvester program is already installed in your Kali system, but you will need to install the program metagoofil. Issue the command (as root): apt-get install metagoofil

Task #5 important (Location of dnsmap Utility in Kali Linux): The dnsmap utility is a time-saving method of performing reverse DNS lookups in batch mode, using an input file of collected DNS entries. This utility is contained in your Kali Linux boot media under the file pathname: /pentest/enumeration/dns/dnsmap
Latest revision as of 14:59, 21 July 2023
Information Gathering
Introduction
- This lab teaches various methods of gathering information from a targeted computer system. Normally, an individual or a company can be hired to perform Penetration Testing in order to detect weaknesses in an organization's computer system. The first phase (called the "reconnaissance phase") is considered to be a "harmless activity", where a person can simply gather information to be used later in other aspects of penetration testing (network scanning and enumeration).
- Students will first learn how to gather various documents / information via a web-browser in order to obtain information regarding the structure, relationships and policies of a target company, as well as partners or servers that are associated with that target company (with emphasis on IP addresses). Once the relevant information has been collected, the student will then utilize open-source applications in order to perform link analysis to make connections between various IP addresses.
- Students will then learn how to use Internet-based tools and technologies to mine data that pertains more to the internal structure of the targeted organization's server(s), as well as its specific IP Address ranges (subnets).
- Students will also learn how to use tools to gather information about the users of a targeted server, as well as verifying the targeted IP Addresses immediately prior to the scanning and enumeration phases.
Objectives
- Use the search engine website (google.ca) to obtain computer system information (including IP address).
- Use various open-source applications to perform IP address associations with IP address (Link Analysis).
- Understand the basic concepts of "footprinting" a targeted server with respect to the following open-source technologies:
- DNS Lookup
- WHOIS (Website Service)
- Domain Name Expansion
- HOST
- SMTP
- Using open-source tools in order to focus on technical aspects of the server, in order to be more successful in the scanning and enumeration phase.
- Use tools to gather user information such as e-mail addresses or other information via social networking sites.
- Verify (confirm and narrow down) valid IP Addresses (and ranges) to help reduce the time spent during the scanning and enumeration phases.
- Practice the skills learned in this lab to gather information about an educational penetration-testing server at Seneca College (tank.senecac.on.ca).
Required Materials (Bring to All Labs)
- SATA Hard Disk (in removable disk tray).
- Lab Logbook (Lab2 Reference Sheet) (to make notes and observations).
Prerequisites
- SEC520 Lab 1 (https://wiki.cdot.senecacollege.ca/wiki/SEC520/labs/Lab_1)
Online Tools and References
Information Gathering:
- Google Search Engine (site, filetype, link): http://www.google.ca/
- Netcraft: http://news.netcraft.com/
- BiLE Utilities: http://github.com/sensepost/BiLE-suite
Foot-printing:
- WHOIS Online Proxies: http://whois.domaintools.com/
User Information:
- theHarvester.py: http://www.ehacking.net/2011/08/theharvester-backtrack-5-information.html
- Metagoofil.py: http://www.ehacking.net/2011/12/metagoofil-backtrack-5-tutorial.html
Verification:
- www.bing.com: http://www.bing.com/
- nslookup: http://www.computerhope.com/unix/unslooku.htm
- dnsmap: http://www.ehacking.net/2011/02/dnsmap-dns-network-mapper.html
Course Notes
- Slides: Reconnaissance (odp: http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.odp | pdf: http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.pdf | ppt: http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w1_l2.ppt)
Performing Lab 2
Task #1: Using Search Engines to Obtain Target Server Information
With the "information gathering" phase of penetration testing, it is recommended to obtain as much data as possible regarding a targeted organization. This would include viewing the website, noting contacts, and following up information from social media sites (eg. Facebook, etc). In addition to the above-mentioned techniques, there are other techniques and tools to help gather useful server information about a targeted organization.
INSTRUCTIONS:
- Boot your Kali Linux (host) system, and start a graphical session.
- Open a web-browser and go to the Google website ( http://www.google.ca/ )
- Type in the following URL in the Google search box: sensepost.com
- Note the type of links that are associated with this type of search (i.e. the total number of links at the top of the search results), and record the total number of links for this type of search in your lab logbook.
- Now, enter the following directive in the Google search box: site:sensepost.com
- You should notice a change in the display of links. How does this search method differ from the previous search method using only the text: "sensepost.com"? Record your findings (including the new total number of links) in your lab log-book.
- We will now narrow our search within the sensepost.com website to a specific type of file (pdf) containing the keyword hacking.
Enter the following directive in the Google search box: site:sensepost.com filetype:pdf hacking - What is the total number of links? Are all of the links contained in sensepost.com? Record your findings in your lab log-book.
- Issue directives to search for links in the sensepost.com website that contain MS Word documents (doc) and MS PowerPoint presentations (ppt) containing the pattern hacking. Record these findings in your lab log-book.
- Finally, the link directive is used to display links that are associated with a target website. In order to display all websites that link to the sensepost.com website, issue the following directive in the Google searchbox: link:sensepost.com
- Record the total number of links in your lab log-book. Are there any other links outside the sensepost.com domain that are associated? How do you think this is useful in terms of penetration testing?
- How do you think that you could use this information that you have just collected during this lab for penetration testing? (Record your answer in your lab log-book)
- Repeat the information-gathering process for the following URL: linux.senecac.on.ca for practice.
- Proceed to Task #2
Answer the Task #1 observations / questions in your lab log book.
Task #2: Server Detection, Link Analysis & Domain Name Expansion
In this section, we will use the site information (obtained from Task #1) to gain more detailed information regarding the targeted organization's server (eg. IP address, type of operating system, history of uptimes, name server information, related IP addresses of other servers).
INSTRUCTIONS:
- Assuming that your web-browser is still running, click on the following link (which should open in another browser window): http://www.netcraft.com.
NOTE: Do not worry if you are redirected to another URL (eg. news.netcraft.com) - it will provide the same information we require.
- Let's find out additional information regarding the sensepost.com website. In the What's that site running? box, enter the following: sensepost.com
- Record the following server information for "sensepost.com" in your lab log-book:
- IP Address
- Type of Operating System
- Name Server
- Country Origin
- Date First Noticed (Tracked)
- Frequency of Uptimes
- The next step in the reconnaissance phase involves Link Analysis, which will list and categorize relationships between other websites and the "target" website called "sensepost.com". You will be downloading, installing and running several open-source tools (a set of scripts packaged as BiLE, which stands for "Bi-directional Link Extraction") to assist in obtaining this information.
- Issue the command: which httrack to confirm that this dependent application has been installed (refer to warning message above).
- In a web-browser, go to the following website (which will open in a separate browser window): http://github.com/sensepost/BiLE-suite
- Download the Perl Scripts called BiLE.pl, BiLE-Weigh.pl, and tld-expand.pl to your Kali Linux system.
- Run the following command: perl BiLE.pl sensepost.com output.sensepost.com (assuming BiLE.pl is located in the current directory).
Note: This process may take several minutes to complete.
- When the process has completed, a report called "output.sensepost.com.mine" (contained in the current directory) will be created that displays links associated with the sensepost.com website. Using a text editor, view the contents of that file. Write in your lab log-book the number of lines in the file "output.sensepost.com.mine".
- If there is not enough information in this file, run the BiLE.pl script for the URL: linux.senecac.on.ca with the output stored in the file called output.linux.senecac.on.ca
- Another Perl Script called BiLE-weigh.pl is used to rank the significance (relevance) of the related links, with higher-ranking links near the bottom of the file. This Perl Script requires the URL of the target website, as well as the output file generated by the BiLE.pl Perl Script.
- Issue the following command: perl BiLE-weigh.pl sensepost.com output.sensepost.com.mine (assuming the BiLE-weigh.pl script and "output.sensepost.com.mine" are contained in the current directory).
- View the contents of the file "output.sensepost.com.sorted" in your current directory. Notice the ranking of the relevance of links associated with the "sensepost.com" website. Record the number of lines in this file in your lab log-book. What conclusions can you draw in terms of link analysis? Write this information down in your lab log-book.
- Run the BiLE-weigh.pl perl script for the URL: linux.senecac.on.ca and using the file: output.linux.senecac.on.ca.mine
- The final step in the information gathering process is to perform Domain Name Expansion. There are two parts to this process:
- Variations in the DNS Name (use the host command)
- Variations in the Top Level Domain (use the tld-expand.pl Perl Script)
- Open a shell terminal, and type the following command: host -t ns sensepost.com (If there is a long list of variations, you can redirect stdout to a text file).
- Record the various name servers that are listed in your lab log-book.
- Create an input file called sensepost.com.domains.txt, place in it any domain names that you have discovered, then save and exit the editing session.
- Issue the command: perl tld-expand.pl sensepost.com.domains.txt sensepost.com.domains.variations.txt. What do these variations represent in terms of reconnaissance? Record your findings in your lab log-book.
- Proceed to Task #3
Answer Task #2 observations / questions in your lab log book.
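Domain name expansion as an added Python example (not part of the lab or of the BiLE-suite scripts): it generates the label and TLD variations that the host and tld-expand.pl steps above produce, then keeps only the names a resolver actually answers for, which is what turns a list of guesses into reconnaissance data. The TLD list, the label prefixes and the DNS table are constructed stand-ins so the script runs offline.

```python
# Added example, not the lab's or the BiLE-suite's code. Reproduces the two
# parts of "Domain Name Expansion" (Task #2) so the logic can be inspected.
# Assumptions: TLDS, LABEL_PREFIXES and FAKE_DNS are constructed here;
# tld-expand.pl's real TLD list and output format may differ.
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed list of top-level domains to try (tld-expand.pl ships its own).
TLDS = ["com", "net", "org", "co.za", "co.uk", "ca", "info", "io"]

# Constructed hostname labels, standing in for the "host" step that discovers
# variations in the DNS name itself (www, mail, ns1 ...).
LABEL_PREFIXES = ["", "www", "mail", "ns1", "ns2"]


def base_name(domain: str) -> str:
    """Return the registrable label without its TLD, e.g. sensepost.com -> sensepost.
    Two-level TLDs in TLDS (co.za) are tried before single-level ones."""
    d = domain.strip().lower().rstrip(".")
    for tld in sorted(TLDS, key=len, reverse=True):
        suffix = "." + tld
        if d.endswith(suffix):
            return d[: -len(suffix)]
    return d.rsplit(".", 1)[0] if "." in d else d


def expand_tlds(domains: Iterable[str]) -> List[str]:
    """Part 2: every base name under every TLD, de-duplicated, in a stable order
    (the equivalent of tld-expand.pl's variations file)."""
    out: List[str] = []
    seen = set()
    for dom in domains:
        base = base_name(dom)
        for tld in TLDS:
            cand = f"{base}.{tld}"
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def expand_labels(domain: str) -> List[str]:
    """Part 1: variations in the DNS name under one domain (names to check with host)."""
    d = domain.strip().lower().rstrip(".")
    return [d if p == "" else f"{p}.{d}" for p in LABEL_PREFIXES]


Resolver = Callable[[str], Optional[str]]  # name -> address, or None if unknown


def verify(candidates: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Keep only candidates the resolver answers for (name -> address).
    Names that do not resolve are dropped, leaving a narrowed list."""
    found: Dict[str, str] = {}
    for name in candidates:
        addr = resolve(name)
        if addr:
            found[name] = addr
    return found


# Constructed DNS table standing in for real lookups (192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts).
FAKE_DNS = {
    "sensepost.com": "192.0.2.10",
    "www.sensepost.com": "192.0.2.10",
    "mail.sensepost.com": "192.0.2.25",
    "sensepost.co.za": "192.0.2.11",
    "sensepost.net": "198.51.100.7",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def run_expansion(domains_file_lines: Iterable[str],
                  resolve: Resolver = fake_resolve) -> Tuple[List[str], Dict[str, str]]:
    """Mirror of 'perl tld-expand.pl in.txt out.txt' followed by verification:
    returns (all variations, the subset that resolves). Blank lines and
    '#' comments in the input file are skipped."""
    domains = [l for l in (x.strip() for x in domains_file_lines)
               if l and not l.startswith("#")]
    variations = expand_tlds(domains)
    return variations, verify(variations, resolve)


if __name__ == "__main__":
    # Constructed stand-in for sensepost.com.domains.txt
    sample = ["sensepost.com", "", "# comment"]
    variations, live = run_expansion(sample)
    print(len(variations), "variations generated;", len(live), "resolve:", live)
```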
Task #3: Foot-printing
As opposed to the Information Gathering phase (that collects information such as IP Addresses), the Foot-printing phase tends to gain a “clearer picture” of the structure of the organization's computer system. This can include relationships among servers, as well as noting IP Address ranges.
Footprinting (in simpler terms) means Network Mapping.
Note: You will be using information that you gathered from the server: sensepost.com in order to assist you with this lab.
INSTRUCTIONS:
- In a shell window, issue the following command: host sensepost.com
- Record the results in your lab log-book.
- Issue the same command with following options: host -t ns sensepost.com
- Record the results in your lab log-book.
- Issue the following command: nslookup sensepost.com
- How does this information differ from that returned by the two commands previously issued?
- Issue the following command: whois sensepost.com
- List the additional general information (registrant, registrar, administrative and technical contacts, name servers, registration dates) that whois provides beyond what the three previous commands returned.
- How do you think that this recently collected information can help you "map" the target computer's network?
- Proceed to Task #4
Answer the Task #3 observations / questions in your lab log book.
Task #4: Obtaining User Information
You will be using the information collected in Task #1 to assist with obtaining User information in this task.
INSTRUCTIONS:
- Issue the command theharvester --help to learn its options, then run the script again with the following settings:
- Domain: sensepost.com
- Limit on the number of results: 100
- Data source: google
- Output file: ~/sensepost.user
- Record any user information that you consider relevant (for penetration testing) in your lab log-book.
- For user information collected so far, use this information to see if you can access their profiles or other information on social media sites (eg. Facebook, Classmates, MySpace, Twitter, etc.).
- Finally, we will be obtaining documents from the targeted network (via Google) that may help provide more information regarding the users.
- Issue the following command: metagoofil --help to learn its options, then run the script with the following settings:
- Domain: sensepost.com
- Limit on the number of search results: 10
- Number of files to download (-n option): 10
- File types: pdf,ppt
- Output directory: sensepost.docs
- Check to see if any files were downloaded. If so, write the filenames in your lab log-book.
- Proceed to Task #5
Answer Task #4 observations / questions in your lab log book.
Task #5: Verification / The "Tank" Server
It is important to "double-check" the validity of your collected information, in particular your IP addresses. Addresses that belong to servers which are no longer running (or that were never the target's) waste a tremendous amount of time during the scanning process. Remember: the longer a scan takes to execute, the more exposed you, as the penetration tester, are to detection.
INSTRUCTIONS:
- Open a web browser and go to the website: www.bing.com
- Search for each IP address that you gathered during your reconnaissance phase for sensepost.com (Bing's ip: search operator, e.g. ip:<address>, lists other web sites hosted on that address). Verify that each IP address is valid and is currently operational.
- For each of the related IP addresses you have gathered regarding sensepost.com, use the nslookup command to verify its existence: a reverse lookup of the address should return a name, and resolving that name forward should return the same address.
- Change to the directory that contains the dnsmap utility.
- Run the dnsmap utility against the target domain (dnsmap brute-forces sub-domain names of a domain from a wordlist and reports the addresses they resolve to; it does not take a list of IP addresses as input) and compare the addresses it reports with the IP addresses you have collected.
- Seneca College has a special server (called tank) that is used for penetration testing. Not only is this server intended for educational purposes only, but students are NOT allowed to perform penetration testing on it until they have completed a consent form, distributed and collected by your instructor, that permits testing on that server for the semester! Once you have signed and handed the tank server consent form to your instructor, try gathering information regarding the server called "tank", and record your findings in your lab log-book.
- Proceed to "Completing the Lab"
Answer Task #5 observations / questions in your lab log book.
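The verification step in Task #5 (and the host/nslookup footprinting in Task #3), as an added shell example written for this lab page; it is not one of the lab's own tools. For each collected host name it forward-resolves the name, reverse-resolves every address returned, and reports whether the PTR record points back into the target's domain, flagging names with no A record (dead entries to drop before scanning) and addresses whose reverse name belongs to someone else (shared hosting or a CDN, which must not be scanned as if it were the target). The parsers are exercised offline on constructed lines in the format BIND's host utility prints; the network lookup itself runs only when verify_hosts is called.

```shell
#!/bin/sh
# Added example: forward/reverse verification of gathered host names
# (not part of the lab's tool set).

# parse_a_records: extract "name address" pairs from `host -t a` output,
# which prints "NAME has address ADDRESS" for each A record.
parse_a_records() {
    awk '$2 == "has" && $3 == "address" { print $1, $4 }'
}

# parse_ptr: extract the target name from a reverse-lookup answer of the form
# "A.B.C.D.in-addr.arpa domain name pointer NAME." (trailing dot removed).
parse_ptr() {
    awk '$3 == "name" && $4 == "pointer" { sub(/\.$/, "", $5); print $5 }'
}

# in_domain NAME DOMAIN: succeeds if NAME equals DOMAIN or is below it.
# The quoted pattern stops "example.com.evil.net" matching "example.com".
in_domain() {
    case "$1" in
        "$2"|*."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_hosts DOMAIN < names.txt   (needs network access)
# Output, tab separated: name, address, verdict.
verify_hosts() {
    domain=$1
    while read -r name; do
        [ -n "$name" ] || continue
        addrs=$(host -t a "$name" 2>/dev/null | parse_a_records | awk '{ print $2 }')
        if [ -z "$addrs" ]; then
            printf '%s\tNO-A-RECORD\n' "$name"
            continue
        fi
        for ip in $addrs; do
            ptr=$(host "$ip" 2>/dev/null | parse_ptr)
            if [ -z "$ptr" ]; then
                printf '%s\t%s\tNO-PTR\n' "$name" "$ip"
            elif in_domain "$ptr" "$domain"; then
                printf '%s\t%s\tPTR-OK %s\n' "$name" "$ip" "$ptr"
            else
                printf '%s\t%s\tPTR-FOREIGN %s\n' "$name" "$ip" "$ptr"
            fi
        done
    done
}

# Constructed sample of `host -t a` output (documentation addresses), used to
# exercise the parser offline. The third line is what host prints for a
# name that no longer has an address.
SAMPLE_A='www.example.com has address 192.0.2.10
www.example.com has address 192.0.2.11
mail.example.com has no A record'

printf '%s\n' "$SAMPLE_A" | parse_a_records
```

When online, run it as `verify_hosts sensepost.com < names.txt` with the host names from Tasks #2 and #3 in names.txt. A PTR-FOREIGN verdict does not prove the address is outside scope, but it is exactly the case the lab warns about: confirm who owns the address (whois on the IP, not the domain) before it goes on the scan list.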
Completing the Lab
Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:
- Reconnaissance Information from sensepost.com:
- Basic information from sensepost.com website via the Netcraft utility site.
- Reports from running BiLE.pl and BiLE-Weigh.pl for sensepost.com
- Main DNS information (Footprint) for sensepost.com
- User information (e-mail addresses) for the sensepost.com site.
- Verification of DNS information for sensepost.com site.
- Completed Lab 2 notes (including common commands, etc).
Preparing for Quizzes
- List the major phases contained in penetration testing.
- Explain the difference between reconnaissance and footprinting.
- List 3 open-source tools to assist in the Footprinting phase of penetration testing.
- Briefly describe the process to obtain key documents from a server using google.ca
- Briefly describe the steps to obtain IP address and operating system information for a website called linux.senecac.on.ca. Indicate how this information might be useful in future stages of penetration testing.
- Define the term link analysis. What open-source tools can be used to perform link analysis?
- Define the term Footprinting as it relates to penetration testing.
- List the steps (using open source tools) to obtain user account information for a targeted server. Indicate how this information might be useful in future stages of penetration testing.
- Why do you think that verification of gathered information (such as IP addresses and IP address ranges) is critical prior to proceeding to the scanning and enumeration phases?