Information Gathering
Learning Objectives
- Perform a host discovery scan
- Perform DNS enumeration
- Recognize the differences between Nmap scan options
- Identify how to detect the presence of a Firewall
Recommended tools
- Nmap
- dig
- nslookup
- dnsenum
Note: The IP addresses and domain names shown below are for example purposes only.
Step 1: Host Discovery – Ping sweep
Perform a ping sweep (not a port scan) on the entire netblock and write down the discovered hosts.
Ping sweeps can be performed in many ways. With Nmap the command is:
nmap -sn 1.1.1.1/24
Note: You can also use other tools, such as fping, and get almost the same results.
Nmap's -sn (host discovery only, no port scan), when run as root against a remote network, sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on a local Ethernet segment it uses ARP requests instead, and without root privileges it falls back to a TCP connect() to ports 80 and 443. The results of the scan are as follows:
Host IP Address
1.1.1.4
1.1.1.5
1.1.1.6
1.1.1.7
1.1.1.8
If you want ICMP echo requests only, add -PE to -sn (nmap -sn -PE 1.1.1.1/24) rather than replacing it: -sn keeps the scan at host discovery, and once you list any -P* probe Nmap sends only the probes you listed. On a local Ethernet segment Nmap still prefers ARP, so add --disable-arp-ping to force the ICMP probes.
Extra credit: You can verify nmap’s behavior with Wireshark.
Step 2: Host Discovery – No ping
Once you have found the live hosts, try again with a different technique, e.g. TCP packets this time, but probe only the most common ports rather than the entire port range.
Important: This is the first phase of information gathering, so we don’t need to know services or OS’s running on the remote hosts. Just list the live hosts.
Instead of ICMP, we use TCP probes for discovery. Since we do not want to generate too much traffic, we limit the probes with the -PS argument (a TCP SYN to the listed ports; either a SYN/ACK or a RST in reply marks the host as up, so the ports do not have to be open). -n disables reverse DNS lookups. The command is:
nmap -n -sn -PS22,135,443,445 1.1.1.1/24
Step 3: Differences between the two scans
Did you find any difference between the two scans? If so, think about why it happened and write down your explanation.
As you have seen from the above tests, the two scans produced different results. This happens because some hosts sit behind firewalls that do not answer ICMP echo requests. In this specific case the firewall filtered every kind of ping to 1.1.1.1, so the ICMP sweep missed that host while the TCP SYN probes found it (Windows Firewall blocks inbound ICMP echo requests by default, and a host-based firewall is most likely running on the machine).
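The following script is an added example, not part of the original lab: it wires Steps 1 to 3 together by running the ICMP-only sweep and the TCP SYN probe sweep in Nmap's grepable output mode, extracting the hosts marked Up from each, and printing the hosts that answered TCP but not ICMP, which is exactly the set a ping-filtering firewall hides. It assumes nmap (run as root, since -PE and -PS need raw sockets), awk and mktemp; the netblock, the probe ports and every address in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original lab: run the ICMP-only sweep and the
# TCP SYN probe sweep from Steps 1-3 and report hosts that only the TCP probes
# reveal. Assumes nmap (as root for raw-socket probes), awk and mktemp.
# The target network and every address below are placeholders.

# Print the address of every host that nmap marked "Up", reading grepable
# (-oG) output on stdin. Lines look like: "Host: 1.1.1.4 ()  Status: Up"
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' | sort -u
}

# Print entries of the second newline-separated list that are absent from the
# first. Usage: only_in_second "$baseline" "$candidate"
only_in_second() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    # First pass remembers the baseline, second pass prints unseen non-empty lines
    awk 'NR == FNR { seen[$0] = 1; next } NF && !($0 in seen)' "$a" "$b"
    rm -f "$a" "$b"
}

# Sweep a netblock twice: ICMP echo only (-PE; --disable-arp-ping forces ICMP
# even on the local segment) and TCP SYN to a few common ports (-PS). Any reply
# to a SYN, SYN/ACK or RST, marks the host as up, which is why hosts behind a
# ping-filtering firewall appear only in the second list. -n avoids reverse
# DNS lookups that would otherwise leak our interest to the target's resolvers.
discover() {
    net=$1
    icmp=$(nmap -n -sn -PE --disable-arp-ping -oG - "$net" | up_hosts)
    tcp=$(nmap -n -sn -PS22,80,135,443,445 -oG - "$net" | up_hosts)
    printf 'Up (ICMP echo):\n%s\n\n' "$icmp"
    printf 'Up (TCP SYN probes):\n%s\n\n' "$tcp"
    printf 'Answer TCP but not ICMP (likely filtering ping):\n%s\n' \
        "$(only_in_second "$icmp" "$tcp")"
}

# Usage: sudo sh hostdiff.sh 1.1.1.0/24
if [ "$#" -gt 0 ]; then
    discover "$1"
fi
```

Hosts listed in the last section are the ones to revisit with -Pn in every later scan, because Nmap's default discovery would otherwise skip them.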
Step 4: DNS Discovery
How many DNS servers exist in the network, and how can you get this information?
To discover DNS servers on the network we have to perform a specific scan. DNS works on port 53 (UDP for ordinary queries, TCP for zone transfers and large responses), so we scan that port on both protocols. Nmap has many options for this; here we combine a TCP SYN scan (-sS) with a UDP scan (-sU), and -n prevents Nmap from issuing reverse lookups of its own. Two caveats: a UDP port that never answers is reported as open|filtered rather than open, and a host that ignores Nmap's discovery probes is skipped entirely unless you add -Pn.
nmap -sS -sU -p53 -n 1.1.1.1/24
The scan reports two hosts (already found during host discovery) with services on port 53: 1.1.1.1 and 1.1.1.3. We can now focus on them and use DNS enumeration techniques to discover more about the network.
Step 5: Name Server
You already know the domain name, and at this point you should also have the DNS servers' addresses. Find how many name servers exist.
We can get a lot of useful information from DNS records. To learn which name server(s) serve helloworld.com, and their IP addresses, we can use many of the tools covered in this course. One of the simplest and most powerful is nslookup. To get the list of name servers we can use the following commands:
1) >>nslookup
2) >>server 1.1.1.3
3) >>set q=NS
4) >>helloworld.com
Here is the explanation:
(1) we start the interactive shell of nslookup, then
(2) set the default server to query
(3) set the querytype to NS (since we want to know only NS records)
(4) type the domain.
The result of these steps is the following:
helloworld.com nameserver = ns.helloworld.com.
helloworld.com nameserver = ns1.helloworld.com.
We can now use the following commands to get the IP address of each name server (the default query type is A):
>> nslookup
>> server 1.1.1.3
>> ns.helloworld.com
returns the address: 1.1.1.10
>> ns1.helloworld.com
returns the address: 1.1.1.11
Step 6: MX Record
Try to perform an MX lookup. Can you find other IP addresses in the network?
In the same way as before we can check for MX records. We can do so by setting the querytype to MX as follows:
>> nslookup
>> server 1.1.1.3
>> set q=MX
>> helloworld.com
We obtain the following name:
helloworld.com mail exchanger = 10 pop3.helloworld.com.
and pop3.helloworld.com resolves to the IP address 1.1.1.20.
As you can imagine, you can change the record type in the same way to get other information, such as all A records, or to resolve hostnames to IP addresses.
Step 7: Zone Transfer
Check whether zone transfers are enabled, which could yield more IP addresses.
An open zone transfer (AXFR) is usually a misconfiguration. Transfers are legitimate between a primary server and its secondaries, so they should be allowed, if at all, only from trusted IP addresses (normally the downstream name servers). When anyone can request a transfer, we can enumerate every record in the zone.
Many tools can do this. Here we use the dig and host commands (Linux):
Dig command:
>>dig @1.1.1.3 helloworld.com -t AXFR +nocookie
Host command:
>>host -t axfr helloworld.com 1.1.1.3
We should now have the following information:
Name | Record Type | Data |
---|---|---|
helloworld.com | NS | ns.helloworld.com |
helloworld.com | NS | ns1.helloworld.com |
helloworld.com | MX | pop3.helloworld.com |
…and other info
Step 8: Report Your Findings
At this stage you should have all the details needed to draw the network diagram: the live hosts, the DNS servers, the name server and MX records with their addresses, and whether zone transfers were allowed. Write them all up in a report.