When embarking on a security evaluation, the first stop for information gathering is the Internet. Merely connecting to the target's public servers and DNS yields a wealth of information.
So here is an example of what can be learned in a couple of minutes of checking a company domain from its public servers, while NOT DOING ANYTHING ILLEGAL.
- Domain Name Servers (DNS) - Name servers are the first target of every information gathering exercise. Once you know the domain name of a company, you should check its DNS. Here is what it will give you:
  - The DNS server provider - by checking who owns the IP you'll know whether the DNS is hosted in-house or outsourced. If it's in-house, such a DNS server can be a prime target for inbound attacks, and such servers are less secure simply because the internal IT department is torn between administering all kinds of other things.
  - The level of isolation of zone transfers - A zone transfer is a completely legitimate function of a DNS server, used to feed domain information from the primary server to the secondary servers. If it's open to any outsider, he/she can collect a list of all hosts registered in the domain as possible attack targets. Most zone transfer attempts will fail, but even the way they fail gives excellent information:
    - Failed with message REFUSED or NOAUTH - you can communicate with the server on the appropriate port (TCP 53), but zone transfer is not allowed. Even so, you can try to attack the server via TCP SYN flood on that port.
    - Failed with message connection failed - you can't connect to the appropriate port, so forget about zone transfers and TCP SYN flood.
- Mail Exchanger (MX) - Mail exchangers are mail servers specifically dedicated to receiving e-mail for the target company domain. They usually are not the main corporate mail servers, but information from them can be useful to understand what types of adversaries are on the other side if you choose an e-mail vector of attack. Here is a summary of the information from the MX:
  - Mail server provider - by checking who owns the IP you'll know whether the MX is hosted in-house or outsourced. If it's in-house, such an MX server can be a good target for inbound attacks.
  - Mail server banner - the default banner, unless modified, gives information about the server software, so you'll know what you're up against and can search for known vulnerabilities.
- Web server - the same elements that apply to MX apply here, so we won't repeat them.
- Typical server names - while the generic servers are in scope of the security administrators and usually well secured, a company can have any number of registered servers for testing or internal use. These servers are in most cases excellent targets for attack, since they are usually 'temporary' and not covered by corporate policies. These server names can include 'www1', 'test', 'dc', 'gc', 'domain', 'mail', 'pop' and the like.
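As an added example (not the author's program and not part of the original post), here is a small Python script to check one of your own domain's name servers for open zone transfers and map the outcome onto the categories above: an AXFR query is sent over TCP 53 and the response RCODE is read. The post's NOAUTH appears here under its RFC name, NOTAUTH (RCODE 9); the function names are hypothetical.

```python
import socket
import struct

# DNS RCODE names (RFC 1035 / RFC 2136); the post's "NOAUTH" is RCODE 9, NOTAUTH
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def build_axfr_query(domain: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: one question, QTYPE AXFR (252), QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 252, 1)

def classify_response(msg: bytes, txid: int = 0x1234) -> str:
    """Map a raw DNS response to the outcome categories used in the post."""
    if len(msg) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit says "query"
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0:  # NOERROR with records means the server hands out the zone
        return "transfer allowed" if ancount > 0 else "empty answer"
    return "refused: " + RCODES.get(rcode, "RCODE%d" % rcode)

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""  # read exactly n bytes, or fewer if the peer closes first
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def check_zone_transfer(ns_ip: str, domain: str, port: int = 53, timeout: float = 5.0) -> str:
    """Attempt AXFR over TCP (AXFR is TCP-only) and report one of the post's outcomes."""
    query = build_axfr_query(domain)
    try:
        with socket.create_connection((ns_ip, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
            hdr = _recv_exact(s, 2)
            if len(hdr) < 2:
                return "connection failed"  # peer closed before answering
            (length,) = struct.unpack("!H", hdr)
            return classify_response(_recv_exact(s, length))
    except OSError:  # refused/unreachable port or timeout (socket.timeout is an OSError)
        return "connection failed"  # no TCP 53 reachable: no AXFR possible
```

Run check_zone_transfer against each IP listed in your domain's NS records; any result other than a refusal or a connection failure means the server is handing the zone to anyone who asks.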
Tools of the trade
There are a lot of tools that can help you with information gathering. I have written a small program that will get you started. Here is a screenshot
Also, to check who owns an IP address, you should make good use of the whois services of the Internet registries like RIPE, APNIC, AfriNIC, ARIN and LACNIC.
Talkback and comments are most welcome