Slashdot Mirror


Reconnaissance In Virtual Space

An anonymous reader writes "Whitedust Security have released an interesting article discussing online reconnaissance techniques. From the article: 'Sometimes thirty-two bits are all you need. This is a guide to Internet reconnaissance - a guide to finding out as much as you can concerning a target via the Internet'."

6 of 89 comments

  1. And this would be reconnaissance? by giorgiofr · · Score: 4, Informative

    A guide to internet reconnaissance? WHERE? This is just an overview of the whois command! And it made the frontpage on /.
    How sad.

    --
    Global warming is a cube.
  2. Re:Goodbye AMD by IdleTime · · Score: 2, Informative

    I, for one, am happy to have a 64-bit, twice as difficult ;-)

    The article is moronic and only discusses the IP address, the easiest thing to hide if you really want to. I guess this would be a life-changing article if you don't know anything about networks; other than that, it's not worth the click.

    --
    If you mod me down, I *will* introduce you to my sister!
  3. DNS and whois? by slavemowgli · · Score: 3, Informative

    To sum up the article:

    1) You can use the DNS system to resolve IP addresses to hostnames, which may tell you something about the organisation they belong to.
    2) For more information, perform a whois query.

    That's news? Seriously, people, that's like saying that you can control your car with the help of this "steering wheel"...

    --
    quidquid latine dictum sit altum videtur.
  4. What a waste of time by Anonymous Coward · · Score: 1, Informative

    TTL based routing analysis (traceroute), whois retrieval and plain DNS lookups, is that all? And not even a rundown of the nmap commandline, just nslookup(.exe) and tracert(.exe).

    Where is all the other TTL based stuff like, oh I don't know, figuring out what packet filters ("firewalls" for the mysticism fans) are dropping along the way? What about OS fingerprinting, simple googling, what about DNS zone transfers, how about looking for published traffic graphs? How about simply connecting and letting something (mail, or webserver) give you its information?

    Kids these days can't stalk a mainframe walking down a shopping mall.

  5. Ok, put your tips below; here are mine by postbigbang · · Score: 2, Informative

    Yeah, the post was about as lame as they get. But here is a sample of some of my tricks:

    1) probe port 80 on the last few addresses you find, and if you get a web page out of there, look at the page source to see if there are other IPs to look up. Nothing like a badly configured chain to cough some more info from. Probe for other common ports at the end of the chain to see if there's a mail server there; maybe you can make it cough more data.

    2) do google or dogpile searches of the IP address, and both the dns names and reverse names; follow each hit until it ends somewhere. Always take notes.

    3) try to find email addresses through index engines using the various domain names, and also its NS records, MX records and anything else in DNS that might point to hidden servers in the route(s). Take notes.

    4) check various RBLs, Spamhaus, and so on to see if there are other complaints. Sometimes you can have fun.

    5) check any phone numbers; search on those, too. Heaven loves a toll-free # in a spam.

    And now, your tips?

    --
    ---- Teach Peace. It's Cheaper Than War.
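The DNS side of the tips above (the reverse lookup from comment 3 and the RBL check from tip 4) is routine triage for a mail admin handling a suspicious sender. The following is an added example, not code from the thread or from the Whitedust article; the address 192.0.2.10 (a documentation range), the hostname, the `dnsbl.example` zone and its `127.0.0.2` answer are constructed stand-ins so it runs offline, and the resolver functions are pluggable so the same code can be pointed at real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Constructed offline answers standing in for real DNS (hypothetical values).
FAKE_PTR: Dict[str, str] = {"192.0.2.10": "mx1.example.net"}
FAKE_A: Dict[str, str] = {"10.2.0.192.dnsbl.example": "127.0.0.2"}


def fake_ptr(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_a(name: str) -> str:
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]


def real_ptr(ip: str) -> str:
    # Live reverse lookup; gethostbyaddr returns (hostname, aliases, addresses).
    return socket.gethostbyaddr(ip)[0]


def reversed_octets(ip: str) -> str:
    """Octets in reverse order, as used in in-addr.arpa and DNSBL query names."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    return ".".join(reversed(str(addr).split(".")))


def reverse_hostname(ip: str, ptr: Callable[[str], str] = real_ptr) -> Optional[str]:
    """The PTR name may say which organisation operates the address; None if absent."""
    try:
        return ptr(ip)
    except (socket.herror, socket.gaierror):
        return None


def dnsbl_answer(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Query <reversed ip>.<zone>; an answer (conventionally 127.0.0.x) means listed,
    NXDOMAIN means not listed. Decode the exact code per the list's own documentation."""
    try:
        return resolve(f"{reversed_octets(ip)}.{zone}")
    except socket.gaierror:
        return None


def triage(ip: str, zones: Iterable[str], ptr=real_ptr, resolve=socket.gethostbyname) -> dict:
    """Collect the reverse name and every blocklist hit for one address (the notes step)."""
    hits = {}
    for zone in zones:
        answer = dnsbl_answer(ip, zone, resolve)
        if answer is not None:
            hits[zone] = answer
    return {"ip": ip, "ptr": reverse_hostname(ip, ptr), "listed_in": hits}
```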
  6. For people who want high-tech, a fascinating book by Beryllium+Sphere(tm) · · Score: 3, Informative
    >And now, your tips?

    To triangulate the source of spoofed IP packets, to (theoretically) sniff a keyboard by recording TCP sequence numbers, and even how to build a distributed computer out of covert channels, see Michal Zalewski's Silence On The Wire. It's less practical than nslookup and whois but it's a glorious romp through the fun parts of information security. Read it for inspiration and to jar you into thinking outside the box.

    (Disclosure: I got a free review copy.)