The previous article gave us a base point to begin building our tool chest with two Live CDs that provide a wide array of security tools. This article is going to cover the first phase of an assessment: information gathering and reconnaissance. I have put together a list of the top 10 most useful utilities and websites I use on a daily basis for security-related assessments.
Device and service enumeration -

1. Nmap - Perhaps the most well known security tool ever created. At its core, Nmap is a port scanner. Over the years it has evolved to incorporate OS detection, service version detection, and ACL verification. It is free, well documented and runs on every major operating system. (http://www.nmap.org/)

2. Superscan - A feature-rich Windows port scanner, pinger and DNS resolver utility. It may not get as much press as Nmap, but if you are a more GUI-oriented individual and prefer to use as many Windows-based tools as possible, Superscan will provide all the features you need in a port scanner. (http://www.foundstone.com/us/resources/proddesc/superscan4.htm)
Banner capture and port probing -

3. Netcat / Cryptcat – Netcat and Cryptcat are two bare-bones networking tools that allow you to connect to network services and feed and receive input directly with those services. They are excellent for interrogating services that use cleartext to communicate. They can also be used to create communication tunnels between devices, either for executing remote commands or for piping other types of traffic out through ports a firewall permits. (http://netcat.sourceforge.net/, http://sourceforge.net/projects/cryptcat/)

4. Banner Grab – Capturing the banners from network services is a good method to determine which version is running. Banner Grab supports most major cleartext and SSL-based network services. (http://sourceforge.net/project/showfiles.php?group_id=204334)
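As an added example (not from the article, and not code from the Netcat or Banner Grab projects), here is a small Python script that does what items 3 and 4 describe: open a raw connection the way netcat does, read whatever the service announces, and reduce that banner to a product and version. It is equally useful for checking what your own exposed services disclose. Host names and banners in it are constructed samples, and the regexes are assumptions covering three common banner formats.

```python
import re
import socket

# Regexes for the banners of a few common cleartext services. Constructed
# for this example; extend the list for the services you actually run.
BANNER_PATTERNS = {
    "ssh":  re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]*)"),
    "smtp": re.compile(r"^220[ -]\S+\s+E?SMTP\s+(?P<product>[A-Za-z]+)\s*(?P<version>[\w.]*)"),
    "http": re.compile(r"^Server:\s*(?P<product>[^/\s]+)/?(?P<version>[\w.]*)", re.MULTILINE),
}


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect like 'nc host port', optionally send a probe (e.g. an HTTP
    HEAD request), and return the first chunk the service replies with."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        return sock.recv(1024).decode("ascii", errors="replace")


def parse_banner(banner):
    """Reduce a raw banner to the service, product and version it leaks.
    Returns None when no known banner format matches."""
    for service, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return {
                "service": service,
                "product": match.group("product"),
                "version": match.group("version") or "unknown",
            }
    return None


# Constructed sample banners standing in for live captures.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "220 mail.example.test ESMTP Exim 4.92 Tue, 01 Jan 2019 00:00:00 +0000\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "* OK IMAP4rev1 ready\r\n",  # no pattern for IMAP, so parse_banner returns None
]

if __name__ == "__main__":
    # Against a live host you would feed grab_banner(host, port) into parse_banner.
    for banner in SAMPLE_BANNERS:
        print(repr(banner.splitlines()[0]), "->", parse_banner(banner))
```

A banner that parses to "unknown" (such as the plain "Server: nginx" line above) shows a service that has already been configured to hide its version, which is the state you want your own systems in.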
DNS Investigation -

5. SamSpade / Whois & dig – SamSpade is a Windows utility that has become the Swiss army knife of DNS investigations. It incorporates many of the command line utilities found in a Linux environment into an easy to use Windows application. It includes dig, nslookup, reverse DNS lookup, whois queries, zone transfers and more. (http://preview.samspade.org/ssw/download.html)

6. ARIN – The American Registry for Internet Numbers (ARIN) allocates and maintains contact records for all the IP address blocks assigned to organizations within North America. Their database can help determine the IP subnets assigned to a corporation or organization. Many organizations do not use generic contact addresses in this type of registration, so often you are able to identify a point of contact using these records. (http://www.arin.net/whois/index.html)
Corporate Reconnaissance -

7. LinkedIn – LinkedIn is now the number one professional networking website on the Internet. Through it you can identify individuals who work for various organizations. Many people post additional personal details on these types of sites, and these can be very useful in creating social engineering types of exercises against an organization. (http://www.linkedin.com)

8. EDGAR – The Electronic Data Gathering, Analysis and Retrieval System (EDGAR) database is run by the SEC and collects information from all publicly traded companies. It is a valuable source of information about corporate management and business performance. (http://www.sec.gov/edgar.shtml)

9. GHDB & Google – The Google Hacking Database (GHDB) is a collection of Google queries designed to help locate documents and information that some may not wish to have indexed and be easily searchable publicly. The GHDB has been incorporated into a number of web application scanning toolkits but can also be used in a more manual process by anyone wishing to locate certain types of information via Google's massive index of the web. (http://johnny.ihackstuff.com/ghdb.php, http://www.google.com)
Vulnerability Identification -

10. CVE & OSVDB – These two web sites hold repositories of vulnerabilities for a very large number of applications. They are extremely useful once the version information of services and software running on a target system has been identified. They also provide a central reference to all known vulnerabilities and use a well-formatted numbering convention for convenient use as references. (http://cve.mitre.org/, http://www.osvdb.org/)

These 10 websites and tools are a small sampling of what is available to use in reconnaissance. However, they will provide anyone with a very solid foundation and allow you to collect a large and broad amount of information about an organization without ever setting foot in the door.