Building a Security Tool Chest - Part 2 - Recon Tools

Monday, November 03, 2008 6:27:50 AM UTC
by Brennen Reynolds

The previous article gave us a starting point for building our tool chest: two Live CDs that ship a wide array of security tools. This article covers the first phase of an assessment, information gathering and reconnaissance. Below is a list of the 10 utilities and websites I find most useful and use almost daily in security assessments.

Device and service enumeration -

1. Nmap - Perhaps the most well known security tool ever created. At its core, Nmap is a port scanner. Over the years it has grown to include OS detection, service version detection, and scan types (such as ACK scans) that let you verify firewall ACLs. It is free, well documented and runs on every major operating system. (http://www.nmap.org/)

2. Superscan - A feature-rich Windows port scanner, pinger and DNS resolver. It may not get as much press as Nmap, but if you are a more GUI-oriented individual and prefer to use Windows-based tools wherever possible, Superscan provides all the features you need in a port scanner. (http://www.foundstone.com/us/resources/proddesc/superscan4.htm)

 

 

Banner capture and port probing -

3. Netcat / Cryptcat – Netcat and Cryptcat are bare-bones networking tools that connect to a network service and let you send input to, and read output from, that service directly. Cryptcat is Netcat with the connection encrypted (Twofish), which keeps your own traffic from being read on the wire. They are excellent for interrogating services that communicate in cleartext. They can also create communication tunnels between devices, either to execute remote commands or to pipe other kinds of traffic out through ports a firewall permits. (http://netcat.sourceforge.net/, http://sourceforge.net/projects/cryptcat/)

4. Banner Grab – Capturing the banners that network services announce is a good way to determine which software version is running. Banner Grab supports most major cleartext and SSL-based network services. Keep in mind that a banner is self-reported and can be changed or removed by an administrator, so treat it as a lead to confirm rather than proof of a version. (http://sourceforge.net/project/showfiles.php?group_id=204334)
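The technique both of these tools rely on is simple: open a TCP connection, read whatever the service announces, and if it stays silent send a generic request to provoke a response. The following Python script is an added example, not the article's code or that of Netcat or Banner Grab; it talks to two constructed fake services on the loopback interface (an SMTP-style one that greets first and an HTTP-style one that waits for the client) so it runs without a real target. The probe string, timeouts and fake banners are assumptions made for the example.

```python
import socket
import socketserver
import threading

# Constructed fake services standing in for real targets (added example, not
# the article's code). One announces itself the moment you connect, as SMTP
# does; the other stays silent until spoken to, as HTTP does.
SMTP_GREETING = b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"
HTTP_REPLY = (b"HTTP/1.0 200 OK\r\n"
              b"Server: Apache/2.2.9 (Debian)\r\n"
              b"Content-Length: 0\r\n\r\n")


class TalkFirstHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(SMTP_GREETING)


class WaitForClientHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        try:
            self.request.recv(1024)       # wait for the client's request
        except OSError:
            return
        self.request.sendall(HTTP_REPLY)


def start_fake_service(handler):
    """Bind a fake service on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", timeout=1.0):
    """Connect and read whatever the service volunteers. If it says nothing
    within the timeout, send a generic probe and read the response instead."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1024)
        except OSError:                   # socket.timeout is an OSError
            data = b""
        if not data:
            try:
                sock.sendall(probe)
                data = sock.recv(1024)
            except OSError:               # timed out or peer closed on us
                data = b""
    return data.decode("ascii", "replace").strip()


def version_line(banner):
    """Pull out the line most likely to name the software: an HTTP Server
    header if present, otherwise the first line of the banner."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return banner.splitlines()[0] if banner else ""


if __name__ == "__main__":
    for handler in (TalkFirstHandler, WaitForClientHandler):
        server, port = start_fake_service(handler)
        banner = grab_banner("127.0.0.1", port)
        print(f"127.0.0.1:{port} -> {version_line(banner)!r}")
        server.shutdown()
        server.server_close()
```

Against a real host, replace the loopback port with the target's and adjust the probe for the protocol you expect; SSL-wrapped services need the connection wrapped with the ssl module first, which is exactly the gap Banner Grab fills over plain Netcat.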

 

 

DNS Investigation -

5. SamSpade / Whois & dig – SamSpade is a Windows utility that has become the Swiss army knife of DNS investigation. It bundles many of the command-line utilities found in a Linux environment into an easy-to-use Windows application: dig, nslookup, reverse DNS lookup, whois queries, zone transfers and more. (http://preview.samspade.org/ssw/download.html)

6. ARIN – The American Registry for Internet Numbers (ARIN) allocates IP address blocks to organizations in North America and maintains the contact records for them. Its whois database helps determine which IP subnets are assigned to a corporation or organization. Many organizations do not use generic contact addresses in these registrations, so often you can identify a named point of contact from the records. Address space outside North America is handled by the other regional registries (RIPE NCC, APNIC, LACNIC and AfriNIC), which offer similar whois lookups. (http://www.arin.net/whois/index.html)

Corporate Reconnaissance -

7. LinkedIn – LinkedIn is now the number one professional networking website on the Internet. Through it you can identify individuals who work for a given organization, and often their roles. Many people post additional personal details on sites like this, and those details are very useful when building social engineering exercises against an organization. (http://www.linkedin.com)

8. EDGAR – The Electronic Data Gathering, Analysis and Retrieval system (EDGAR) is run by the SEC and collects the filings of all publicly traded companies. It is a valuable source of information about corporate structure, management and business performance. (http://www.sec.gov/edgar.shtml)

9. GHDB & Google – The Google Hacking Database (GHDB) is a collection of Google queries designed to locate documents and information that their owners may not wish to have indexed and publicly searchable. The GHDB has been incorporated into a number of web application scanning toolkits, but it can also be used manually by anyone wishing to locate certain types of information in Google's massive index of the web. (http://johnny.ihackstuff.com/ghdb.php, http://www.google.com)

Vulnerability Identification -

10. CVE & OSVDB – These two websites hold repositories of vulnerabilities for a very large number of applications. They are extremely useful once the version information for the services and software running on a target system has been identified. They also provide a central reference for all known vulnerabilities and use a well-defined numbering convention (such as the CVE-YYYY-NNNN identifiers) that is convenient for cross-referencing. (http://cve.mitre.org/, http://www.osvdb.org/)

These 10 websites and tools are a small sampling of what is available for reconnaissance. However, they will give anyone a solid foundation and allow you to collect a large and broad amount of information about an organization without ever setting foot in the door.
