Internet Host and Network Enumeration
The systematic enumeration of an organisation's internet presence allows a security tester to build a profile of that organisation's security stance. By combining tools and techniques, the organisation's internet presence can be broken down into a range of domain names, network blocks and IP addresses of systems connected to the internet.
The first steps taken to determine the client's environment during a security test involve gathering as much information as possible about the selected network and hosts. Internet-based network enumeration and reconnaissance can take two forms: passive and active enumeration.
Passive Network Enumeration
A passive network enumeration involves discovering and querying publicly available information about the client's organisation and its networks, using common web access methods. Some of the high-level sources queried include:
- Web and newsgroup search engines
- Domain and IP WHOIS registrars
- Border Gateway Protocol
- Public DNS name servers
The majority of this probing is indirect: traffic is sent to and received from sites such as Google or public WHOIS, BGP and DNS servers rather than the client's own systems.
Active Network Enumeration
An active network enumeration involves assessing the security stance of the network by interacting directly with the client's environment. A number of direct querying techniques send traffic to the customer's network, using methods that include the following:
- DNS querying and grinding against specific name servers
- Web server crawling
- SMTP probing
- Document metadata analysis
Having performed an internet network enumeration exercise and queried these sources for relevant information, the security tester can build a map of the customer's internet-facing network. By identifying peripheral systems such as development or test systems, the tester can decide whether there are useful avenues that may be protected to a lesser degree than the core systems.
Information Gathering Techniques
Web and newsgroup search engines:
Search engines crawl networks and index pieces of information that are potentially useful to a security tester. Google and other search engines provide advanced search functions that may allow testers to build a picture of the client's network. Some of the types of information that may be identified include:
- Contact details, including staff email addresses and phone numbers
- Physical addresses of offices and other customer premises
- Technical details of internal email systems and routing
- DNS layout and naming conventions, including domains and host names
- Documents residing on publicly available servers
Domain and IP WHOIS registrars:
Domain registrars can be queried for information about domain names registered by organisations. There are many top-level domains with associated registrars, including generic and country-code top-level domains. These registrars can be queried through the WHOIS facility to obtain varying levels of information, including:
- Administrative contact details, including names, email addresses and telephone numbers
- Physical mail addresses for office locations and premises belonging to the customer
- Details of authoritative name servers for the customer domains
Border Gateway Protocol:
Traffic between internet-facing networks is routed and controlled using the Border Gateway Protocol (BGP). BGP uses Autonomous System (AS) numbers to define collections of IP networks and routers that present a common routing policy to the internet. AS numbers and IP addresses are allocated in blocks, and an AS number can be cross-referenced with its IP blocks to find the network address ranges belonging to an organisation. This information can be obtained from publicly available sources on the internet.
Public DNS name servers:
DNS requests and probes can be issued to retrieve DNS records for specific domains and IP network blocks. Querying a DNS server may reveal previously unknown network blocks and host names. Some of the information that may be found from a DNS server includes:
- Authoritative DNS server information from name server resource records
- Domain and sub-domain details
- Host names from varying resource records
- Details of SMTP email servers
DNS querying and grinding:
One of the most popular methods for obtaining information from a name server is to request a DNS zone transfer. A DNS zone file holds all the naming information the name server has for a given domain, often including details of internal networks and other non-public information.
If the name server does not permit zone transfers, it may be possible to brute force host names against the server using a dictionary of potentially valid names, or to perform reverse lookups across the IP address range in use.
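As an added illustration, not code from this page or from Indimon Internet Services, the following Python audits a zone file for the two things the paragraphs above say a zone transfer or host-name brute force would expose: RFC1918 addresses published in public DNS and peripheral systems named in the zone. The sample zone, the RFC1918 list and the label pattern are constructed assumptions; the parser handles only the common record layout shown.

```python
import ipaddress
import re

# Constructed sample zone (not a real capture) of the kind a permitted zone transfer would return.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA    ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
@           IN  NS     ns1.example.com.
@           IN  MX     10 mail.example.com.
ns1         IN  A      203.0.113.10
mail        IN  A      203.0.113.25
dev-portal  IN  A      203.0.113.30
vpn         IN  A      10.20.0.1
fileserver  IN  A      192.168.5.12
intranet    IN  CNAME  fileserver.example.com.
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Labels that usually mark peripheral or internal-only systems (assumed list).
PERIPHERAL = re.compile(r"(^|[-.])(dev|test|staging|uat|qa|intranet|backup)([-.]|$)", re.I)

def parse_zone(text):
    """Minimal BIND-style zone parser: returns one (fqdn, type, rdata) tuple per record."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and padding
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        i = 1                                     # skip optional TTL and class fields
        while fields[i].isdigit() or fields[i].upper() in ("IN", "CH"):
            i += 1
        name = origin if fields[0] == "@" else fields[0]
        if not name.endswith("."):                # relative name: append the origin
            name += "." + origin
        records.append((name.rstrip("."), fields[i].upper(), " ".join(fields[i + 1:])))
    return records

def audit_zone(text):
    """Findings a defender should fix before the zone is reachable from the internet."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            findings.append((name, "RFC1918 address published in public DNS: " + rdata))
        if PERIPHERAL.search(name.split(".")[0]):
            findings.append((name, "peripheral or internal system name exposed"))
    return findings
```

Run against a real zone file, the findings list is the set of records to move into an internal-only view or remove before a transfer or dictionary run could reveal them.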
Web server crawling:
Having identified the web sites owned by the client, a tester can crawl and mirror them to reveal the directory structure and potentially discover hidden linked directories on the server. A dictionary brute force against the directory structure can also find directories that have no links from the website but still exist on the web server itself.
SMTP probing:
An organisation uses SMTP email gateways to send and receive email across the internet, as SMTP is the standard for email transmission on the internet. An email sent to a non-existent address belonging to the client would typically receive a ‘bounce’ response from the client's email system, and this reply may reveal useful internal network and email routing information.
The reply may include the host names and IP addresses of each host between the host that attempted to deliver the email and the gateway email server.
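An added example, not from the original page: a Python check that parses the Received: headers of a bounce message and flags hops that reveal internal host names or RFC1918 addresses, the check a gateway owner would run against their own outbound bounces. The bounce message, the internal-suffix list and the header pattern are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed bounce (not a real capture): the internal relay appears as the oldest Received hop.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mailgw.example.com (mailgw.example.com [203.0.113.25])
\tby mx.tester-isp.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from exch01.corp.example.local (exch01.corp.example.local [10.20.1.15])
\tby mailgw.example.com (Postfix) with ESMTP id 4F2A1; Mon, 1 Jan 2024 10:00:04 +0000
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: tester@tester-isp.example.net
Subject: Undelivered Mail Returned to Sender

<does-not-exist@example.com>: User unknown
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Received: "from <helo> (<rdns> [<ip>]) ... by <host>"; the value may be folded across lines.
HOP = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([^\]]+)\]\).*?\bby\s+(\S+)", re.S)
INTERNAL_SUFFIX = (".local", ".internal", ".lan", ".corp")   # assumed internal-only suffixes

def parse_hops(raw_message):
    """Return one (sending_host, sending_ip, receiving_host) tuple per Received header."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP.search(value)
        if match:
            hops.append(match.groups())
    return hops

def find_internal_leaks(raw_message):
    """Hops that reveal internal addressing a bounce sent to the internet should not carry."""
    leaks = []
    for host, ip, receiver in parse_hops(raw_message):
        reasons = []
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            reasons.append("private IP " + ip)
        if host.lower().endswith(INTERNAL_SUFFIX):
            reasons.append("internal host name")
        if reasons:
            leaks.append({"host": host, "ip": ip, "received_by": receiver, "reasons": reasons})
    return leaks
```

Any hop reported here is one the gateway should rewrite or strip from outbound mail (Postfix header_checks is one common place to do this) so that bounces carry only the gateway's own hop.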
Document metadata analysis:
Publicly available documents hosted on the client's website may contain useful information in the form of document metadata. This metadata can expose details about the client such as email addresses, server and workstation names and software versions.
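Added example, not the page's own code: extracting the metadata fields from a .docx (an Office Open XML zip) with only the Python standard library, so documents can be reviewed for the email addresses, account names and software versions mentioned above before they are published. The property XML is constructed to resemble real values; the namespace URIs are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the Office Open XML property parts (docProps/core.xml and docProps/app.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# (part inside the zip, element, label) for the fields worth reviewing before publishing.
FIELDS = [
    ("docProps/core.xml", "dc:creator", "creator"),
    ("docProps/core.xml", "cp:lastModifiedBy", "lastModifiedBy"),
    ("docProps/app.xml", "ep:Application", "Application"),
    ("docProps/app.xml", "ep:AppVersion", "AppVersion"),
    ("docProps/app.xml", "ep:Company", "Company"),
]
# Constructed property parts with the kind of values a real .docx carries (not a real file).
CORE_XML = f'''<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">
  <dc:creator>j.smith@example.com</dc:creator>
  <cp:lastModifiedBy>EXAMPLE\\jsmith</cp:lastModifiedBy>
</cp:coreProperties>'''
APP_XML = f'''<Properties xmlns="{NS["ep"]}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Ltd</Company>
</Properties>'''

def build_sample_docx():
    """Assemble a minimal .docx-style zip in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

def extract_metadata(docx_bytes):
    """Return the reviewable metadata fields present in a .docx; missing parts are skipped."""
    found, parsed = {}, {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, xpath, label in FIELDS:
            if part not in z.namelist():
                continue
            if part not in parsed:                 # parse each property part once
                parsed[part] = ET.fromstring(z.read(part))
            el = parsed[part].find(xpath, NS)
            if el is not None and el.text:
                found[label] = el.text
    return found
```

The same two parts exist in .xlsx and .pptx files, so the function applies to those as well; a value such as a DOMAIN\user name in lastModifiedBy is exactly the workstation and account detail the paragraph above describes.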
Indimon Internet Services
While performing internet-based infrastructure and web application testing, Indimon Internet Services leverages any information obtained during the internet reconnaissance phase to find and report any security risk that this information poses to the client.