Network Security Assessment, Second Edition: Know Your Network

By Chris McNab
Book Price: $39.99 USD
£24.99 GBP
PDF Price: $31.99

Table of Contents

Chapter 1: Network Security Assessment
This chapter discusses the rationale behind Internet-based network security assessment and penetration testing at a high level. To retain complete control over your networks and data, you must take a proactive approach to security, an approach that starts with assessment to identify and categorize your risks. Network security assessment is an integral part of any security life cycle.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
The Business Benefits
From a commercial standpoint, information assurance is a business enabler. As a security consultant, I have helped a number of clients in the retail sector secure their 802.11 wireless networks used in stores. By designing and implementing secure networks, these retailers can lower their costs and increase efficacy, by implementing queue-busting technologies, for example.
Shortcomings in network security and user adherence to security policy often allow Internet-based attackers to locate and compromise networks. High-profile examples of companies that have fallen victim to such determined attackers in recent times include:
These compromises came about in similar ways, involving large losses in some cases. Cryptologic is an online casino gaming provider that lost $1.9 million in a matter of hours to determined attackers. In the majority of high-profile incidents, attackers use a number of the following techniques:
  • Compromising poorly configured or protected peripheral systems that are related to the target network
  • Directly compromising key network components using private zero-day exploit scripts and tools
  • Compromising network traffic using redirection attacks (including ARP spoofing, ICMP redirection, and VLAN hacking)
  • Cracking user account passwords and using those credentials to compromise other systems
To protect networks and data from determined attacks, you need assurance and understanding of the technical security of the network, along with adherence to security policy and incident response procedures. In this book, I discuss assessment of technical security and improving the integrity and resilience of IP networks. Taking heed of the advice presented here and acting in a proactive fashion ensures a decent level of network security.
Additional content appearing in this section has been removed.
IP: The Foundation of the Internet
The Internet Protocol version 4 (IPv4) is the networking protocol suite all public Internet sites currently use to communicate and transmit data to one another. From a network security assessment methodology standpoint, this book comprehensively discusses the steps that should be taken during the security assessment of any IPv4 network.
IPv6 is an improved protocol that is gaining popularity among academic networks. IPv6 offers a 128-bit address space (3.4 × 10^38 addresses) as opposed to the 32-bit space of IPv4 (only 4 billion addresses), which allows a massive number of devices to have publicly routable addresses. Eventually, the entire Internet will migrate across to IPv6, and every electronic device in your home will have an address.
Due to the large size of the Internet and the sheer number of security issues and vulnerabilities publicized, opportunistic attackers will continue to scour the public IP address space seeking vulnerable hosts. The combination of new vulnerabilities being disclosed on a daily basis, along with the adoption of IPv6, ensures that opportunistic attackers will always be able to compromise a certain percentage of Internet networks.
Additional content appearing in this section has been removed.
Classifying Internet-Based Attackers
At a high level, Internet-based attackers can be divided into the following two groups:
  • Opportunistic attackers who scour large Internet address spaces for vulnerable systems
  • Focused attackers who attack select Internet-based systems with a specific goal in mind
Opportunistic threats are continuous, involving attackers using autorooting tools and scripts to compromise vulnerable systems across the Internet. Researchers have found that a vulnerable, default out-of-the-box server installation placed on the public Internet is usually compromised within an hour by automated software being run in this way.
Most Internet hosts compromised by opportunistic attackers are insecure home user systems. These systems are then turned into zombies that run software to log user keystrokes, launch denial-of-service (DoS) flooding attacks, and serve as a platform to attack and compromise other systems and networks.
Focused attackers adopt a more complex and systematic approach with a clear goal in mind. A focused attacker will exhaustively probe every point of entry into a target network, port-scanning every IP address and assessing each and every network service in depth. Even if this determined attacker can't compromise the target network on his first attempt, he is aware of areas of weakness. Detailed knowledge of a site's operating systems and network services allows the attacker to compromise the network upon the release of new exploit scripts in the future.
The networks that are most at risk are those with sizeable numbers of publicly accessible hosts. Having many entry points to a network multiplies the potential for compromise, and managing risk becomes increasingly difficult as the network grows. This is commonly known as the defender's dilemma; a defender must ensure the integrity of every point of entry, whereas an attacker only needs to gain access through one to be successful.
Additional content appearing in this section has been removed.
Assessment Service Definitions
Security vendors offer a number of assessment services branded in a variety of ways. shows the key service offerings along with the depth of assessment and relative cost. Each service type can provide varying degrees of security assurance.
Figure : Different security testing services
Vulnerability scanning uses automated systems (such as Nessus, ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn't provide a clear strategy to improve security.
Network security assessment is an effective blend of automated and hands-on manual vulnerability testing and qualification. The report is usually handwritten, accurate, and concise, giving practical advice that can improve a company's security.
Web application testing involves post-authentication assessment of web application components, identifying command injection, poor permissions, and other weaknesses within a given web application. Testing at this level involves extensive manual qualification and consultant involvement, and it cannot be easily automated.
Full-blown penetration testing lies outside the scope of this book; it involves multiple attack vectors (e.g., telephone war dialing, social engineering, and wireless testing) to compromise the target environment. Instead, this book fully demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.
Onsite auditing provides the clearest picture of network security. Consultants have local system access and run tools on each system capable of identifying anything untoward, including rootkits, weak user passwords, poor permissions, and other issues. 802.11 wireless testing is often performed as part of onsite auditing. Onsite auditing is also outside the scope of this book.
Additional content appearing in this section has been removed.
Network Security Assessment Methodology
The best practice assessment methodology used by determined attackers and network security consultants involves four distinct high-level components:
  • Network reconnaissance to identify IP networks and hosts of interest
  • Bulk network scanning and probing to identify potentially vulnerable hosts
  • Investigation of vulnerabilities and further network probing by hand
  • Exploitation of vulnerabilities and circumvention of security mechanisms
This complete methodology is relevant to Internet-based networks being tested in a blind fashion with limited target information (such as a single DNS domain name). If a consultant is enlisted to assess a specific block of IP space, he skips initial network enumeration and commences bulk network scanning and investigation of vulnerabilities.
Various reconnaissance techniques are used to query open sources to identify hosts and networks of interest. These open sources include web and newsgroup search engines, WHOIS databases, and DNS name servers. By querying these sources, attackers can often obtain useful data about the structure of the target network from the Internet without actually scanning the network or necessarily probing it directly.
Initial reconnaissance is very important because it can uncover hosts that aren't properly fortified against attack. A determined attacker invests time in identifying peripheral networks and hosts, while companies and organizations concentrate their efforts on securing obvious public systems (such as public web and mail servers) and often neglect hosts and networks that lie off the beaten track.
It may well be the case that a determined attacker also enumerates networks of third-party suppliers and business partners who, in turn, have access to the target network space. Nowadays such third parties often have dedicated links to areas of internal corporate network space through VPN tunnels and other links.
Key pieces of information that are gathered through initial reconnaissance include details of Internet-based network blocks, internal IP addresses gathered from DNS servers, insight into the target organization's DNS structure (including domain names, subdomains, and hostnames), and details of relationships between physical locations.
Additional content appearing in this section has been removed.
The Cyclic Assessment Approach
Assessment of large networks in particular can become a very cyclic process if you are testing the networks of an organization in a blind sense and are given minimal information. As you test the network, information leak bugs can be abused to find different types of useful information (including trusted domain names, IP address blocks, and user account details) that is then fed back into other processes. The flowchart in outlines this approach and the data being passed between processes.
Figure : The cyclic approach to network security assessment
This flowchart includes network enumeration, then bulk network scanning, and finally specific service assessment. By assessing a rogue nonauthoritative DNS service, for example, an analyst may identify previously unknown IP address blocks, which can then be fed back into the network enumeration process to identify further network components. In the same way, an analyst may enumerate a number of account usernames by exploiting public folder information leak vulnerabilities in Microsoft Outlook Web Access, which can then be fed into a brute-force password grinding process later on.
Additional content appearing in this section has been removed.
Chapter 2: Network Security Assessment Platform
This chapter outlines and discusses the components and tools that make up a professional security consultant's toolkit for performing tasks including reconnaissance, network scanning, and exploitation of vulnerable software components. Many advanced tools can only be run from Unix-based systems, while other Windows-specific tools are required when testing Microsoft-based platforms and environments, and so building a flexible platform is very important.
Although these tools and their respective configurations and uses are discussed in detail throughout the book, they are discussed here at a reasonably high level so that you may start to think about preparing and configuring your assessment platform. At a high level, the tools and components that you need to consider are as follows:
  • Virtualization software to allow you to run multiple virtual systems on one physical machine
  • Operating systems within your assessment platform
  • Reconnaissance tools to perform initial Internet-based open source querying
  • Network scanning tools to perform automated bulk scanning of accessible IP addresses
  • Exploitation frameworks to exploit vulnerable software components and accessible services
  • Web application testing tools to perform specific testing of web applications
With the exception of commercial tools that require licenses, all of the tools listed in this book can be found in the O'Reilly archive at http://examples.oreilly.com/networksa/tools. I have listed the original sites in most cases so that you can freely browse other tools and papers on each respective site.
Additional content appearing in this section has been removed.
Virtualization Software
Most security consultants use server virtualization software to underpin their testing platforms. Virtualization software allows for multiple virtual machines, running different operating systems and tools, to be run in parallel on the same physical system. Virtual machines are also easily frozen, spun-back to a previous known good state, and copied or moved between different physical machines, all of which allows for easy maintenance.
VMware is an extremely useful program that allows you to run multiple instances of operating systems from a single system. You can download VMware Server and VMware Player for free from http://www.vmware.com/products/free_virtualization.html for both Windows and Linux. The more powerful VMware ESX and Infrastructure products require commercial licenses.
I run VMware Server from my Windows workstation to run and access Linux and other operating platforms in parallel as needed during a network security assessment. From a networking perspective, VMware can be used in many configurations. I use a virtual NAT configuration that gives my virtual machines access to the network card of my workstation.
Microsoft Virtual PC is available for free from http://www.microsoft.com/windows/virtualpc/default.mspx. Most Linux, BSD, and Solaris platforms run under Virtual PC (a comprehensive list of supported operating platforms can be found at http://vpc.visualwin.com). Virtual PC can also be run from Mac OS X, to run Windows and other platforms. For more information, visit http://www.apple.com/macosx/applications/virtualpc/.
Microsoft Virtual Server is also available, and offers datacenter-class features such as rapid configuration and deployment of virtual machine images. Virtual Server is available from http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx.
Parallels is a Mac OS-specific virtualization solution that allows users to run Microsoft Windows, Linux, and BSD-derived platforms within Mac OS X. Further details are available from the company web site at http://www.parallels.com.
Additional content appearing in this section has been removed.
Operating Systems
The operating platforms you use during a network security assessment will depend on the type of network you are going to test and the depth to which you will perform your assessment. It is often the case that to successfully launch exploit scripts against Linux or Unix systems, you will require access to a Unix-like platform (usually Linux or BSD-derived) to correctly compile and run specialist exploit tools.
As Windows releases (XP, 2003 Server, Vista, etc.) start to mature and become more flexible, many more network assessment and hacking tools that run cleanly on the platform are becoming available. Previous Windows releases didn't give raw access to network sockets, so many tools had to be run from Unix-based platforms. This is no longer the case; an increasing number of useful security utilities have been ported across to Windows, including Nmap and powerful tools within the Dsniff package, such as arpspoof.
Windows operating platforms are usually required within a network security assessment exercise to use tools that are run against Windows targets, such as Urity's RpcScan, because it uses internal Windows libraries and components that are not easily available or ported to Unix-based platforms.
Linux is the platform of choice for most hackers and security consultants alike. Linux is versatile, and the system kernel provides low-level support for leading-edge technologies and protocols (Bluetooth and IPv6 are good examples at the time of writing). All mainstream IP-based attack and penetration tools can be built and run under Linux with no problems, due to the inclusion of extensive networking libraries such as libpcap.
At the time of writing, the most popular Linux distributions are:
Binary distributions like Ubuntu are useful and reliable, and are updated easily using apt-get or aptitude package management programs. Many large companies, including Google, use Ubuntu on both client workstation and server systems. Maintaining binary Linux distributions is much simpler than using source distributions, such as Gentoo, which require compilation of new software components.
Additional content appearing in this section has been removed.
Reconnaissance Tools
A number of built-in operating system commands can be used to perform reconnaissance tasks. In particular, under Unix-based platforms (including Linux and Mac OS X), command-line clients such as whois, dig, traceroute, and nslookup are available, whereas Microsoft Windows platforms only have nslookup and tracert commands. Many reconnaissance tasks can also be launched through a web browser, including querying specific Internet WHOIS search engines.
In 2005, SensePost released a Windows tool called BiDiBLAH (http://www.sensepost.com/research/bidiblah/), which is a framework for reconnaissance and assessment tasks, including Google and DNS querying. BiDiBLAH allows consultants to quickly and easily perform bulk reconnaissance tasks. The SensePost Black Hat USA 2005 presentation slides, outlining the tool and its features, are available from http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-sensepost.pdf.
Additional content appearing in this section has been removed.
Network Scanning Tools
Network scanners are used to perform bulk automated scanning of IP ranges to identify vulnerable network service components. The two most popular open source network scanners are Nmap and Nessus.
Nmap is a port scanner used to scan large networks and perform low-level ICMP, TCP, and UDP analysis. Nmap supports a large number of scanning techniques, also offering a number of advanced features such as service protocol fingerprinting, IP fingerprinting, stealth scanning, and low-level network traffic filter analysis. Nmap is available from http://www.insecure.org/nmap. Currently, Nmap can be run under most operating platforms, including Windows, Linux, and Mac OS X.
Nessus is a vulnerability assessment package that can perform many automated tests against a target network, including ICMP, TCP, and UDP scanning, testing of specific network services (such as Apache, MySQL, Oracle, Microsoft IIS, and many others), and rich reporting of vulnerabilities identified.
Having run the Sentinel testing platform and evaluated the security consultants of the world's largest penetration testing providers, I know that all of them use Nessus to perform bulk network scanning and assessment, from which manual qualification and use of specific tools and techniques follows. Nessus has two components (daemon and client) and deploys in a distributed fashion that permits effective network coverage and management.
Nessus reporting is comprehensive in most cases. However, reports often contain a number of false positives and a lot of noise (as issues are often not reported concisely or different iterations of the same issue are reported), so it is important that consultants manually parse Nessus output, perform qualification, and produce an accurate and concise handwritten report. As with many other tools, Nessus uses CVE references to report issues. CVE is a detailed list of common vulnerabilities maintained by the MITRE Corporation (http://cve.mitre.org).
Nessus is available for free download from http://www.nessus.org, and can be run under Linux, Solaris, Windows, Mac OS X, and other platforms. Tenable Security maintains a commercially supported and up-to-date branch of Nessus and its scanning scripts, which has enhanced features relating to SCADA testing and compliance auditing under Windows and Unix. Further information is available from
Additional content appearing in this section has been removed.
Exploitation Frameworks
Upon identifying vulnerable network services and components of interest by performing network scanning, exploitation frameworks are used to exploit the flaws in these accessible network services and gain access to the target host. Qualification in this way is often important so that a clear and accurate report can be presented to the client. The only exploitation framework that is available for free at the time of writing is Metasploit. Two popular commercial frameworks are CORE IMPACT and Immunity CANVAS.
The Metasploit Framework (MSF) (http://www.metasploit.com) is an advanced open source platform for developing, testing, and using exploit code. The project initially started off as a portable network game and then evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.
The framework and exploit scripts are written in Ruby, and widespread support for the language allows MSF to run on almost any Unix-like system under its default configuration. The system itself can be accessed and controlled through a command-line interpreter or web interface running from a suitable server.
Metasploit exploit modules are reliable and cover exploitation of the most popular vulnerabilities uncovered in Windows- and Unix-based platforms since 2004. A very useful feature in the current version (3.0 at the time of writing) is a reverse VNC server injection mechanism, which is invaluable when repositioning through Windows servers.
Security consultants use commercial exploitation frameworks to perform penetration and repositioning tasks. At the time of writing, the two leading commercially available exploitation frameworks are CORE IMPACT and Immunity CANVAS. These tools are feature-rich, reliable, and commercially supported, offering advanced features such as repositioning using agent software. Also, third-party companies (including Argeniss and GLEG) offer zero-day exploit packs, which can be integrated into these systems to exploit unpublished zero-day vulnerabilities.
These exploitation frameworks are discussed along with Metasploit Framework in . For current details relating to IMPACT and CANVAS, you can visit their respective vendor web sites:
Additional content appearing in this section has been removed.
Web Application Testing Tools
Web application testing tools are used to perform crawling and fuzzing of accessible web-based applications and components to identify weaknesses such as command injection, cross-site scripting, and poor permissions. Such web application testing tools are run in two ways: either as passive proxies that modify data from a web browser as it is sent to the target web server, or as active scanners that crawl and fuzz input variables directly. Complex web applications (such as those using JavaScript) are difficult to actively scan and crawl, and so a passive proxy must be used in these cases.
Proxy-based open source web application testing tools include:
Active open source web application crawling and fuzzing tools are as follows:
A number of companies offer commercially available web application testing tools. Through running the Matta Sentinel program, we have had exposure to a number of these, and evaluated them accordingly. Three such commercial web application scanners used by professional security consultants are:
Additional content appearing in this section has been removed.
Chapter 3: Internet Host and Network Enumeration
This chapter focuses on the first steps you should take when assuming the role of an Internet-based attacker. The first avenue that any competent attacker should pursue is that of querying open sources for information relating to the target organization and its networks. At a high level, the following open sources are queried:
  • Web and newsgroup search engines
  • Domain and IP WHOIS registrars
  • Border Gateway Protocol (BGP) looking glass sites and route servers
  • Public DNS name servers
The majority of this probing is indirect, sending and receiving traffic from sites like Google or public WHOIS, BGP, and DNS servers. A number of direct querying techniques involve sending information to the target network in most cases, as follows:
  • DNS querying and grinding against specific name servers
  • Web server crawling
  • SMTP probing
Upon performing an Internet network enumeration exercise, querying all of these sources for useful information, an attacker can build a useful map of your networks and understand where potential weaknesses may lie. By identifying peripheral systems of interest (such as development or test systems), attackers can focus on specific areas of the target network later on.
The reconnaissance process is often interactive, repeating the full enumeration cycle when a new piece of information (such as a domain name or office address) is uncovered. The scope of the assessment exercise usually defines the boundaries, which sometimes includes testing third parties and suppliers. I know of a number of companies whose networks were compromised by extremely determined attackers breaking home user PCs that were using always-on cable modem or DSL connections, and "piggybacking" into the corporate network.
Additional content appearing in this section has been removed.
Querying Web and Newsgroup Search Engines
As search engines scour the Web and newsgroups, they catalog pieces of potentially useful information. Google and other sites provide advanced search functions that allow attackers to build a clear picture of the network that they plan to attack later.
In particular, the following classes of data are usually uncovered:
  • Contact details, including staff email addresses and telephone numbers
  • Physical addresses of offices and other locations
  • Technical details of internal email systems and routing
  • DNS layout and naming conventions, including domains and hostnames
  • Documents that reside on publicly accessible servers
Telephone numbers are especially useful to determined attackers, who will launch war dialing attacks to compromise dial-in servers and devices. It is very difficult for organizations and companies to prevent this information from being ascertained. To manage this risk more effectively, companies should go through public record querying exercises to ensure that the information an attacker can collect doesn't lead to a compromise.
Google can be used to gather potentially useful information through its advanced search page at http://www.google.com/advanced_search?hl=en. Searches can be refined to include or exclude certain keywords, or to hit on keywords in specific file formats, under specific Internet domains, or in specific parts of the web page (such as the page title or body text).

Enumerating contact details with Google

Google can be used to easily enumerate email addresses and telephone and fax numbers. The figure below shows the results of the search string "pentagon.mil" +tel +fax passed to Google to enumerate email addresses and telephone numbers relating to the Pentagon.
Figure: Using Google to enumerate users

Effective search query strings

Google can be queried in many different ways, depending on the exact type of data you are trying to mine. For example, if you simply want to enumerate web servers under the abc.com domain, you can submit a query string of site:.abc.com.
A useful application of a Google search is to list web servers that support directory indexing. The figure shows the results of the following search:
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Querying Domain WHOIS Registrars
Domain registrars are queried to obtain useful information about given domain names registered by organizations. There are many top-level domains (TLDs) and associated registrars at the time of writing, including generic TLDs and country-code TLDs. ICANN and IANA maintain lists of registrars associated with these generic and country-code TLDs at the following locations:
These TLD registrars can be queried to obtain the following information via WHOIS:
  • Administrative contact details, including names, email addresses, and telephone numbers
  • Mailing addresses for office locations relating to the target organization
  • Details of authoritative name servers for each given domain
Tools used to perform domain WHOIS querying include:
  • The whois client found within Unix-based environments
  • The appropriate TLD registrar WHOIS web interface

Using the Unix whois utility

The Unix whois command-line utility can issue many types of WHOIS queries. In the example below, I submit a query of blah.com, revealing useful information regarding the domain, its administrative contacts, and authoritative DNS name servers.
Example: Obtaining the domain WHOIS record for blah.com
$ whois blah.com

   Domain Name: BLAH.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS1.BLAH.COM
   Name Server: NS2.BLAH.COM
   Name Server: NS3.BLAH.COM
   Status: clientTransferProhibited
   Updated Date: 04-oct-2006
   Creation Date: 20-mar-1995
   Expiration Date: 21-mar-2009

Registrant:
blah! Sociedade Anonima Serv e Com
   Avenida das Americas, 3434
   Bloco 6 - 7 andar
   Rio de Janeiro, RJ 22640-102
   BR

   Domain Name: BLAH.COM

   Administrative Contact:
      blah! Sociedade Anonima Serv e Com   regdom@dannemann.com.br
      Avenida das Americas, 3434
      Bloco 6 - 7 andar
      Rio de Janeiro, RJ 22640-102
      BR
      55-21-4009-4431 fax: 55-21-4009-4542

   Technical Contact:
      Domain Manager, DSBIM                regdom@dannemann.com.br
      Dannemann Siemsen Bigler & Ipanema Moreira
      Rua Marques de Olinda, 70
      Rio de Janeiro, RJ 22251-040
      BR
      55-21-25531811 fax: 55-21-25531812

   Record expires on 21-Mar-2009.
   Record created on 20-Mar-1995.
   Database last updated on 5-Feb-2007 01:10:19 EST.

   Domain servers in listed order:

   NS1.BLAH.COM                 200.244.116.14
   NS2.BLAH.COM                 200.255.59.150
   NS3.BLAH.COM                 198.31.175.101
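Reading the record above by eye is fine for one domain; for a portfolio of registrations a defender wants the same fields pulled out automatically and checked against policy. The following Python is an added example, not code from the book or its author. It embeds the blah.com record shown above (postal address lines trimmed), extracts the registrar, name servers, glue addresses, contact mailboxes and telephone numbers, and then runs a few checks from the registrant's side: is the registrar transfer lock (clientTransferProhibited) set, is the registration more than 90 days from lapsing, and does the Name Server list agree with the glue section. The `assess` checks, their 90-day threshold and all function names are my assumptions, not the book's.

```python
"""Parse a domain WHOIS record and list what it exposes.

Added example, not code from the book. WHOIS_RECORD is the blah.com output
shown in the chapter (postal address lines trimmed), embedded so the script
runs offline. assess() is a defender's view of the same data: which contact
mailboxes and numbers are public, whether the registrar lock is set, and how
close the registration is to lapsing (90 days is an assumed threshold).
"""
import re
from datetime import date, datetime

WHOIS_RECORD = """\
   Domain Name: BLAH.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS1.BLAH.COM
   Name Server: NS2.BLAH.COM
   Name Server: NS3.BLAH.COM
   Status: clientTransferProhibited
   Updated Date: 04-oct-2006
   Creation Date: 20-mar-1995
   Expiration Date: 21-mar-2009

   Administrative Contact:
      blah! Sociedade Anonima Serv e Com   regdom@dannemann.com.br
      55-21-4009-4431 fax: 55-21-4009-4542

   Technical Contact:
      Domain Manager, DSBIM                regdom@dannemann.com.br
      55-21-25531811 fax: 55-21-25531812

   Domain servers in listed order:

   NS1.BLAH.COM                 200.244.116.14
   NS2.BLAH.COM                 200.255.59.150
   NS3.BLAH.COM                 198.31.175.101
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$")        # "Key: value" lines
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{2}-\d{2}-\d{4,8}(?:-\d{4})?\b")    # this registrar's number format
GLUE_RE = re.compile(r"^\s*(\S+\.\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_date(value):
    """Dates in this record look like 21-mar-2009."""
    return datetime.strptime(value, "%d-%b-%Y").date()


def parse_whois(text):
    """Pull the structured fields and the contact data out of a raw record."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    expiry = fields.get("expiration date")
    return {
        "domain": fields.get("domain name", [None])[0],
        "registrar": fields.get("registrar", [None])[0],
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "status": fields.get("status", []),
        "expires": parse_date(expiry[0]) if expiry else None,
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "phones": sorted(set(PHONE_RE.findall(text))),
        # glue: name server -> address, from the "Domain servers" section
        "glue": {host.lower(): ip for host, ip in GLUE_RE.findall(text)},
    }


def assess(record, today):
    """Defender-side checks; the 90-day expiry window is an assumed policy."""
    findings = []
    statuses = {s.lower() for s in record["status"]}
    if "clienttransferprohibited" not in statuses:
        findings.append("no registrar transfer lock: the domain could be transferred away")
    if record["expires"] is not None:
        days = (record["expires"] - today).days
        if days < 90:
            findings.append(f"registration expires in {days} days")
    exposed = record["emails"] + record["phones"]
    if exposed:
        findings.append("contact details in the public record: " + ", ".join(exposed))
    if set(record["name_servers"]) != set(record["glue"]):
        findings.append("Name Server fields and glue section disagree")
    return findings


if __name__ == "__main__":
    record = parse_whois(WHOIS_RECORD)
    print(record["domain"], "via", record["registrar"], "expires", record["expires"])
    for finding in assess(record, date(2009, 1, 1)):   # assumed "today" for the demo
        print(" -", finding)
```

Run it as a script to print the findings for the embedded record, or feed `parse_whois` the output of `whois yourdomain.example` to review your own registrations. The `Key: value` layout parsed here is the one this registrar returned; other registrars format records differently, so the field and glue expressions are the part to adjust.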
Additional content appearing in this section has been removed.
Querying IP WHOIS Registrars
Regional Internet Registries (RIRs) store useful information (primarily as network, route, and person objects) relating to IP network blocks. IP WHOIS database objects define which areas of Internet space are registered to which organizations, with other information such as routing and contact details in the case of abuse.
There are a number of geographic and logical regions under which all public Internet-based address spaces fall. The following RIRs can be queried to glean useful information (including names of technical IT staff, details of IP network blocks, and physical office locations):
Each respective regional registrar's WHOIS database contains information relevant to that particular region. For example, the RIPE WHOIS database doesn't contain information about network space and other objects that are found in the Americas.
Tools used to perform IP WHOIS querying include:
  • The whois client found within Unix-based environments
  • The appropriate RIR WHOIS web interface

Querying WHOIS databases to enumerate objects for a given company

The whois command-line client is used to perform WHOIS queries. In the example below, I submit a query of nintendo to enumerate all the objects in the ARIN database for Nintendo.
Example: Enumerating the Nintendo objects in ARIN
$ whois nintendo -h whois.arin.net
Nintendo North America (NNA-21)
Nintendo of America (TEND)
Nintendo of America (NINTEN-1)
Nintendo Of America inc. (NINTEN)
Nintendo of America, Inc. (NINTE-1)
Nintendo of America, Inc. (NINTE-2)
Nintendo Network Administration  (NNA12-ARIN) netadmin@noa.nintendo.com
+1-425-882-2040
Nintendo Of America inc. (AS11278) NINTENDO 11278
Nintendo North America SAVV-S233299-1 (NET-207-149-2-192-1) 207.149.2.192 - 207.149.2.199
Nintendo North America SAVV-S263732-2 (NET-209-67-111-168-1) 209.67.111.168 - 209.67.111.175
Nintendo North America SAVV-S233299-2 (NET-216-74-145-64-1) 216.74.145.64 - 216.74.145.127
Nintendo of America NET-NOA (NET-206-19-110-0-1) 206.19.110.0 - 206.19.110.255
Nintendo of America NINTENDO-COM (NET-205-166-76-0-1) 205.166.76.0 - 205.166.76.255
Nintendo Of America inc. NOA (NET-192-195-204-0-1) 192.195.204.0 - 192.195.204.255
Nintendo of America, Inc. SAVV-S263732-3 (NET-216-32-20-248-1) 216.32.20.248 - 216.32.20.255
Nintendo of America, Inc. SAVV-S263732-3 (NET-209-67-106-128-1) 209.67.106.128 - 209.67.106.255
NINTENDO ABOV-T461-209-133-66-88-29 (NET-209-133-66-88-1) 209.133.66.88 - 209.133.66.95
NINTENDO ABOV-T461-209-133-66-72-29 (NET-209-133-66-72-1) 209.133.66.72 - 209.133.66.79
Nintendo MFN-N389-64-124-44-48-29 (NET-64-124-44-48-1) 64.124.44.48 - 64.124.44.55
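A listing like the one above becomes far more useful once each NET object is turned into CIDR blocks with a size: that is the form an asset inventory can be reconciled against, and the form the scanning scope later in the book is expressed in. The following Python is an added example, not code from the book. It embeds the ARIN output shown above as printed in the book, with its line wrapping, so the parser has to join ranges that are split across lines; it converts each start-to-end range to CIDR notation with `ipaddress.summarize_address_range`, totals the registered space, pulls out the AS handle, and answers which registered block contains a given address. The function names are mine.

```python
"""Turn an IP WHOIS object listing into an address-space inventory.

Added example, not code from the book. ARIN_LISTING is the output of
`whois nintendo -h whois.arin.net` reproduced in the chapter, embedded so
this runs offline; the line wrapping of the printed output is kept so the
parser must join ranges split across lines.
"""
import ipaddress
import re

ARIN_LISTING = """\
Nintendo North America (NNA-21)
Nintendo of America (TEND)
Nintendo of America (NINTEN-1)
Nintendo Of America inc. (NINTEN)
Nintendo of America, Inc. (NINTE-1)
Nintendo of America, Inc. (NINTE-2)
Nintendo Network Administration  (NNA12-ARIN) netadmin@noa.nintendo.com
+1-425-882-2040
Nintendo Of America inc. (AS11278) NINTENDO 11278
Nintendo North America SAVV-S233299-1 (NET-207-149-2-192-1) 207.149.2.192 -
207.149.2.199
Nintendo North America SAVV-S263732-2 (NET-209-67-111-168-1) 209.67.111.168 -
209.67.111.175
Nintendo North America SAVV-S233299-2 (NET-216-74-145-64-1) 216.74.145.64 -
216.74.145.127
Nintendo of America NET-NOA (NET-206-19-110-0-1) 206.19.110.0 - 206.19.110.255
Nintendo of America NINTENDO-COM (NET-205-166-76-0-1) 205.166.76.0 - 205.166.76.255
Nintendo Of America inc. NOA (NET-192-195-204-0-1) 192.195.204.0 - 192.195.204.255
Nintendo of America, Inc. SAVV-S263732-3 (NET-216-32-20-248-1) 216.32.20.248 -
216.32.20.255
Nintendo of America, Inc. SAVV-S263732-3 (NET-209-67-106-128-1) 209.67.106.128
- 209.67.106.255
NINTENDO ABOV-T461-209-133-66-88-29 (NET-209-133-66-88-1) 209.133.66.88 -
209.133.66.95
NINTENDO ABOV-T461-209-133-66-72-29 (NET-209-133-66-72-1) 209.133.66.72 -
209.133.66.79
Nintendo MFN-N389-64-124-44-48-29 (NET-64-124-44-48-1) 64.124.44.48 - 64.124.44.55
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A network object: "(NET-handle) first - last". The \s* around the dash
# lets the dash or the second address sit on the next line, as above.
NET_RE = re.compile(r"\((NET-[^)]+)\)\s+(" + IPV4 + r")\s*-\s*(" + IPV4 + r")")
AS_RE = re.compile(r"\((AS\d+)\)")


def parse_net_blocks(listing):
    """One dict per NET object: handle, range, CIDR form and address count."""
    blocks = []
    for handle, start, end in NET_RE.findall(listing):
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError(f"{handle}: range end precedes start")
        cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
        blocks.append({"handle": handle, "first": start, "last": end,
                       "cidrs": cidrs, "size": int(last) - int(first) + 1})
    return blocks


def autonomous_systems(listing):
    """AS handles present in the listing, e.g. ['AS11278']."""
    return sorted(set(AS_RE.findall(listing)))


def total_addresses(blocks):
    return sum(b["size"] for b in blocks)


def covered_by(blocks, address):
    """Handles of the registered blocks containing address (inventory lookup)."""
    ip = ipaddress.ip_address(address)
    return [b["handle"] for b in blocks
            if any(ip in ipaddress.ip_network(c) for c in b["cidrs"])]


if __name__ == "__main__":
    blocks = parse_net_blocks(ARIN_LISTING)
    for b in blocks:
        print(f"{b['handle']:<24} {', '.join(b['cidrs']):<20} {b['size']:>4} addresses")
    print(len(blocks), "blocks,", total_addresses(blocks), "addresses,",
          "AS:", ", ".join(autonomous_systems(ARIN_LISTING)))
```

The per-block sizes are what the recap later in the chapter refers to as "the sizes of reserved network blocks"; `covered_by` is the lookup an incident responder or asset owner needs when an address turns up in a log and the question is whether it falls inside the organization's own registered space.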
Additional content appearing in this section has been removed.
BGP Querying
Traffic between Internet-based networks is routed and controlled using the Border Gateway Protocol (BGP). BGP uses Autonomous System (AS) numbers to define collections of IP networks and routers that present a common routing policy to the Internet.
AS numbers are assigned by the IANA, which also allocates IP addresses to Regional Internet Registries in blocks. RIRs allocate AS numbers to ISPs and large organizations so they can manage their IP router networks and upstream connections.
The ARIN WHOIS query above revealed the following AS number relating to Nintendo:
Nintendo Of America inc. (AS11278) NINTENDO 11278
We can cross-reference AS11278 at http://fixedorbit.com/search.htm to reveal the IP blocks associated with the AS number, as shown in the figure below.
Figure: Cross-referencing AS numbers to reveal IP blocks
Nintendo has a number of other network blocks; however, these are the only two associated with this AS number. Other details, such as upstream peers, can also be enumerated using the Fixed Orbit site (http://fixedorbit.com). Domain names and IP addresses can also be entered to reveal useful information. If an AS number is unknown, you can retrieve it by providing a known IP address.
Many BGP looking glass sites and route servers can be queried to reveal this information. Route servers are maintained by ISPs and can be connected to using Telnet to issue specific BGP queries. A list of looking glass sites and route servers is maintained by NANOG at http://www.nanog.org/lookingglass.html.
Additional content appearing in this section has been removed.
DNS Querying
Utilities such as nslookup, host, and dig are used to issue DNS requests relating to domains and IP address blocks identified. Specific DNS testing tools also perform reverse DNS sweeping and forward DNS grinding attacks against accessible name servers.
DNS requests and probes are launched to retrieve DNS records relating to specific domains and IP network blocks. DNS servers can be quizzed to reveal useful information, including:
  • Authoritative DNS server information, from Name Server (NS) resource records
  • Domain and subdomain details
  • Hostnames from Address (A), Pointer (PTR), and Canonical Name (CNAME) resource records
  • Details of SMTP mail servers from Mail Exchanger (MX) resource records
In some cases, poorly configured DNS servers also allow you to enumerate:
  • Operating system and platform information from the Host Information (HINFO) resource record
  • Names and IP addresses of internal or nonpublic hosts and networks
You can very often uncover previously unknown network blocks and hosts during DNS querying. If new network blocks are found, I recommend launching a second round of WHOIS queries and web searches to get further information about each new network block.
Forward DNS records are required for organizations and companies to integrate and work correctly as part of the Internet. Two examples of legitimate forward queries are when an end user accesses a web site and during the receipt of email when SMTP mail exchanger information is requested about the relevant domain. Attackers issue forward DNS queries to identify mail servers and other obvious Internet-based systems.
Tools that query DNS servers directly include:
  • The nslookup client found within most operating systems
  • The dig client found within Unix environments

Forward DNS querying through nslookup

Using nslookup in an interactive fashion (from either a Windows or Unix-based command prompt), you can identify the MX addresses and hostnames for the Central Intelligence Agency (CIA) domain at cia.gov, as shown in the example that follows. Note that this process reveals ucia.gov as the internal domain used for the CIA's network space.
Additional content appearing in this section has been removed.
Web Server Crawling
By querying web sites such as Google and Netcraft, hackers can get an idea of accessible web servers for the target organization. Attackers then crawl and mirror these web servers using automated tools to identify other web servers and domains that are associated with the company. Useful web crawling and spidering tools include:
The Wikipedia entry for web crawlers at http://en.wikipedia.org/wiki/web_crawler is very useful, containing a lot of up-to-date information and a large list of open source crawlers, including those listed above.
Additional content appearing in this section has been removed.
Automating Enumeration
A number of next-generation Microsoft .NET and C# graphical tools can be used to perform initial Internet-based network and host enumeration from a single interface, using many of the techniques and approaches outlined in this chapter. Two popular tools are:
SpiderFoot accepts domain names, which are fed into enumeration processes involving Google and Netcraft querying and web spidering to reveal useful web-derived data. Enumeration at a lower level is not easily performed with such tools, and so manual processes should still be applied to perform specific DNS and WHOIS querying.
The SpiderFoot and BiDiBLAH user interfaces are similar. The figure below shows SpiderFoot being used to enumerate hosts, domains, and users associated with Sony Corporation.
Figure: Using SpiderFoot to perform host, domain, and user enumeration
SpiderFoot is available for free download and use, but it requires a valid Google API key to perform querying. BiDiBLAH also requires a Google API key to use, and is a commercial tool that requires a license to use beyond an evaluation period. BiDiBLAH has many advanced features, including Nessus client functionality so that full vulnerability assessments can be run using the BiDiBLAH output.
Additional content appearing in this section has been removed.
SMTP Probing
SMTP gateways and networks of mail relay servers must exist for organizations and companies to send and receive Internet email messages. Simply sending an email message to a nonexistent address at a target domain often reveals useful internal network information. The transcript below shows how an email message sent to a user account that doesn't exist within the ucia.gov domain bounces to reveal useful internal network information.
Example: An undeliverable mail transcript from the CIA
The original message was received at Fri, 1 Mar 2002 07:42:48 -0500
from ain-relay2.net.ucia.gov [192.168.64.3]

   ----- The following addresses had permanent fatal errors -----
<blahblah@ucia.gov>

   ----- Transcript of session follows -----
... while talking to mailhub.ucia.gov:
>>> RCPT To:<blahblah@ucia.gov>
<<< 550 5.1.1 <blahblah@ucia.gov>... User unknown
550 <blahblah@ucia.gov>... User unknown

   ----- Original message follows -----

Return-Path: <hacker@hotmail.com>
Received: from relay2.net.ucia.gov
        by puff.ucia.gov (8.8.8+Sun/ucia internal v1.35)
        with SMTP id HAA29202; Fri, 1 Mar 2002 07:42:48 -0500 (EST)
Received: by relay2.net.ucia.gov; Fri, 1 Mar 2002 07:39:18
Received: from 212.84.12.106 by relay2.net.ucia.gov via smap (4.1)
        id xma026449; Fri, 1 Mar 02 07:38:55 -0500
In particular, the following data in this transcript is useful:
  • The Internet-based relay2.ucia.gov gateway has an internal IP address of 192.168.64.3 and an internal DNS name of relay2.net.ucia.gov.
  • relay2.ucia.gov is running TIS Gauntlet 4.1 (smap 4.1, a component of TIS Gauntlet, is mentioned in the via field).
  • puff.ucia.gov is an internal SMTP mail relay system running Sun Sendmail 8.8.8.
  • mailhub.ucia.gov is another internal mail relay running Sendmail (this can be seen from analyzing the SMTP server responses to the RCPT TO: command).
In the overall scheme of things, SMTP probing should appear later in the book because it is technically an intrusive technique that involves transmitting data to the target network and analyzing responses. I mention probing here because when users post email to Internet mailing lists, SMTP routing information is often attached in the headers of the email message. It is very easy for a potential attacker to then perform an open and passive web search for mail messages originating from the target's network space to collect SMTP routing information.
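The bullet points above are the analysis a reader does by hand on a single bounce. The following Python is an added example, not code from the book, that performs the same passive analysis over the transcript shown above, which it embeds as a constant (with ASCII hyphens in the zone offsets). It unfolds the `Received:` headers, records the from/by/via hosts and software banners of each hop, takes the gateway name and address from the bounce preamble and the `while talking to` line, and reports the internal hostnames, private (RFC 1918) addresses and version strings that left the network. A mail administrator can run `exposure_report` over their own outbound headers and bounces to see what their gateways disclose; the function names are mine.

```python
"""Passive analysis of a mail bounce: what does the Received chain reveal?

Added example, not code from the book. BOUNCE is the undeliverable-mail
transcript reproduced in the chapter, embedded (with ASCII hyphens in the
zone offsets) so the script runs offline. A mail administrator can run
exposure_report() over their own bounces and outbound headers to see which
internal hostnames, private addresses and software versions leave the network.
"""
import ipaddress
import re

BOUNCE = """\
The original message was received at Fri, 1 Mar 2002 07:42:48 -0500
from ain-relay2.net.ucia.gov [192.168.64.3]

   ----- The following addresses had permanent fatal errors -----
<blahblah@ucia.gov>

   ----- Transcript of session follows -----
... while talking to mailhub.ucia.gov:
>>> RCPT To:<blahblah@ucia.gov>
<<< 550 5.1.1 <blahblah@ucia.gov>... User unknown
550 <blahblah@ucia.gov>... User unknown

   ----- Original message follows -----

Return-Path: <hacker@hotmail.com>
Received: from relay2.net.ucia.gov
        by puff.ucia.gov (8.8.8+Sun/ucia internal v1.35)
        with SMTP id HAA29202; Fri, 1 Mar 2002 07:42:48 -0500 (EST)
Received: by relay2.net.ucia.gov; Fri, 1 Mar 2002 07:39:18
Received: from 212.84.12.106 by relay2.net.ucia.gov via smap (4.1)
        id xma026449; Fri, 1 Mar 02 07:38:55 -0500
"""

# Bounce preamble: "from <gateway> [<address>]"
PREAMBLE_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)
TALKING_RE = re.compile(r"while talking to ([A-Za-z0-9.-]+):")
# Clauses of a Received: header; the optional parenthesised group after
# "by" or "via" is where MTAs put their software name and version.
FROM_RE = re.compile(r"\bfrom\s+([^\s;()]+)")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)(?:\s+\(([^)]*)\))?")
VIA_RE = re.compile(r"\bvia\s+([^\s;()]+)(?:\s+\(([^)]*)\))?")


def unfold_received(text):
    """Received: header values with folded continuation lines joined."""
    headers, in_received = [], False
    for line in text.splitlines():
        if line.startswith("Received:"):
            headers.append(line[len("Received:"):].strip())
            in_received = True
        elif in_received and line[:1] in (" ", "\t"):
            headers[-1] += " " + line.strip()
        else:
            in_received = False
    return headers


def parse_hop(value):
    """Split one unfolded Received: value into its clauses."""
    frm, by, via = FROM_RE.search(value), BY_RE.search(value), VIA_RE.search(value)
    return {
        "from": frm.group(1) if frm else None,
        "by": by.group(1) if by else None,
        "software": by.group(2) if by else None,
        "via": via.group(1) if via else None,
        "via_version": via.group(2) if via else None,
        # the date-time follows the last semicolon (RFC 822)
        "timestamp": value.rsplit(";", 1)[1].strip() if ";" in value else None,
    }


def exposure_report(text):
    """Hostnames, private addresses and software banners disclosed by a bounce."""
    hops = [parse_hop(h) for h in unfold_received(text)]
    hosts, ips, banners = set(), set(), {}

    def note(name):
        if name is None:
            return
        try:
            ips.add(ipaddress.ip_address(name))   # bare address literal
        except ValueError:
            hosts.add(name.lower())              # hostname

    for hop in hops:
        note(hop["from"])
        note(hop["by"])
        if hop["software"]:
            banners.setdefault(hop["by"], []).append(hop["software"])
        if hop["via"]:
            suffix = f" {hop['via_version']}" if hop["via_version"] else ""
            banners.setdefault(hop["by"], []).append(hop["via"] + suffix)
    for host, ip in PREAMBLE_RE.findall(text):
        hosts.add(host.lower())
        ips.add(ipaddress.ip_address(ip))
    hosts.update(h.lower() for h in TALKING_RE.findall(text))
    return {
        "hops": hops,
        "hosts": sorted(hosts),
        "private_ips": sorted(str(ip) for ip in ips if ip.is_private),
        "banners": banners,
    }


if __name__ == "__main__":
    report = exposure_report(BOUNCE)
    print("internal hostnames:", ", ".join(report["hosts"]))
    print("private addresses:", ", ".join(report["private_ips"]))
    for host, versions in report["banners"].items():
        print(f"{host}: {'; '.join(versions)}")
```

The same parser works on the headers of any message that has passed through the gateways, which is the point the paragraph above makes about mailing-list archives: the leak is in every outbound message, not only in bounces, so the place to fix it is the gateway's header rewriting rather than the bounce handling alone.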
Additional content appearing in this section has been removed.
Enumeration Technique Recap
It is an interesting and entirely legal exercise to enumerate the CIA and other organizations' networks from the Internet by querying public records. As a recap, here is a list of public Internet-based querying techniques and their applications:
Web and newsgroup searches
Using Google to perform searches against established domain names and target networks to identify personnel, hostnames, domain names, and useful data residing on publicly accessible web servers.
WHOIS querying
Querying domain and IP registrars to retrieve network block, routing, and contact details related to the target networks and domain names. IP WHOIS querying gives useful information relating to the sizes of reserved network blocks (useful later when performing intrusive network scanning) and AS number details.
BGP querying
Cross-referencing AS numbers with BGP looking glass sites and route servers to enumerate the associated IP blocks under the AS, and then feeding these details back into other query paths (such as DNS or further WHOIS querying).
DNS querying
Querying publicly accessible DNS servers to enumerate hostnames and subdomains. Misconfigured DNS servers are also abused to download DNS zone files that categorically list subdomains, hostnames, operating platforms of devices, and internal network information in severe cases.
Web server crawling
Accessible web servers are crawled using automated spidering software to identify associated servers, domains, and useful information, such as web server software details, enumerated users, and email addresses.
SMTP probing
Sending email messages to nonexistent accounts at target domains to map internal network space by analyzing the responses from the SMTP system.
Additional content appearing in this section has been removed.
Enumeration Countermeasures