Passive information gathering 1.0 - the traditional way
Let us deal with some of the most commonly used techniques for information gathering.
Getting ready
whois, dig, and nslookup are the three most basic and simplest steps for gaining initial information about our target. As all three are passive techniques of gaining information, no connectivity with the target is required. These commands can be executed directly from the terminal of BackTrack. So, launch the terminal window and proceed further.
How to do it...
We will start our information gathering with a simple whois lookup. whois is an in-built command in BackTrack, so we can directly invoke it from our terminal.
Let us quickly perform a whois lookup on www.packtpub.com and analyze the output. The output can be big, so here we will only focus on the relevant points of the output.
root@bt:~# whois www.packtpub.com
Domain Name: PACKTPUB.COM
Registrar: EASYDNS TECHNOLOGIES, INC.
Whois Server: whois.easydns.com
Referral URL: http://www.easydns.com
Name Server: NS1.EASYDNS.COM
Name Server: NS2.EASYDNS.COM
Name Server: NS3.EASYDNS.ORG
Name Server: NS6.EASYDNS.NET
Name Server: REMOTE1.EASYDNS.COM
Name Server: REMOTE2.EASYDNS.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 09-feb-2011
Creation Date: 09-may-2003
Expiration Date: 09-may-2016
Here, we can see that a simple whois lookup has revealed some information about the target website. The information includes the DNS servers, creation date, expiration date, and so on. As this information has been gathered from a source other than the target, it is called a passive information gathering technique.
The other way of gaining information passively is by querying the DNS records. The most common technique is using the dig command, which is available by default on Unix machines. Let us analyze a dig query on www.packtpub.com.
root@bt:~# dig www.packtpub.com
; <<>> DiG 9.7.0-P1 <<>> www.packtpub.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1583
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

;; QUESTION SECTION:
;www.packtpub.com. IN A

;; ANSWER SECTION:
www.packtpub.com. 1200 IN CNAME packtpub.com.
packtpub.com. 1200 IN A 83.166.169.228

;; AUTHORITY SECTION:
packtpub.com. 1200 IN NS remote1.easydns.com.
packtpub.com. 1200 IN NS ns2.easydns.com.
packtpub.com. 1200 IN NS ns6.easydns.net.
packtpub.com. 1200 IN NS ns3.easydns.org.
packtpub.com. 1200 IN NS ns1.easydns.com.
packtpub.com. 1200 IN NS remote2.easydns.com.

;; ADDITIONAL SECTION:
ns3.easydns.org. 5951 IN A 64.68.192.10
Querying the DNS records has revealed some more information about the target. dig can be used to resolve the names of hosts into IP addresses and, in reverse, to resolve IP addresses into names. In addition, dig can also be used to gather version information from name servers, which may be used to aid in exploitation of the host. As we can see in the output, it is difficult to identify the primary DNS server, or in some cases the primary mail server or file hosting server, and so on. This is where nslookup comes into the picture. nslookup is almost as flexible as dig, but provides a simpler default method of identifying primary hosts, such as mail and DNS servers.
root@bt:~# nslookup www.packtpub.com
Server: 220.226.6.104
Address: 220.226.6.104#53

Non-authoritative answer:
www.packtpub.com canonical name = packtpub.com.
Name: packtpub.com
Address: 83.166.169.228
nslookup has revealed further information about the target, such as its IP address, the resolving server's IP, and so on. These passive techniques can reveal some interesting information about the target and can ease our way for penetration testing.
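To put the three lookups above into one repeatable step, here is an added shell script (not from the book) that runs whois, dig and nslookup for a domain, keeps the raw output on disk for later review, and parses the ANSWER section of dig's default output so the final IP addresses can be pulled out even when the name is a CNAME, as www.packtpub.com is above. The domain argument and output directory are placeholders; the embedded sample is the answer section copied from the dig output shown above so the parser can be tried without network access.

```shell
#!/bin/sh
# Added example, not part of the book: one pass of the passive lookups
# described above (whois, dig, nslookup) with the raw output kept on disk,
# plus a small parser for the ANSWER section of dig's default output.

# Print one "name ttl type value" line per record in the ANSWER section of
# dig output read on stdin. dig's default format is one record per line:
#   www.packtpub.com. 1200 IN CNAME packtpub.com.
dig_answer_records() {
    awk '
        /^;; ANSWER SECTION:/   { in_answer = 1; next }
        /^;;/ || /^$/           { in_answer = 0 }
        in_answer && $3 == "IN" { print $1, $2, $4, $5 }
    '
}

# Keep only the IPv4 addresses from the answer section. When the name is a
# CNAME (as www.packtpub.com is above), dig lists the target's A records
# after the CNAME, so this still yields the final addresses.
dig_ipv4_addresses() {
    dig_answer_records | awk '$3 == "A" { print $4 }'
}

# Run the three lookups against one domain and store each raw output under
# a directory (default recon-<domain>) so it can be reviewed later.
# Needs whois, dig and nslookup on the PATH; the domain is a placeholder.
passive_lookup() {
    domain="$1"
    out="${2:-recon-$domain}"
    mkdir -p "$out"
    whois "$domain" > "$out/whois.txt"
    dig "$domain" > "$out/dig-a.txt"
    dig "$domain" NS +noall +answer > "$out/dig-ns.txt"
    dig "$domain" MX +noall +answer > "$out/dig-mx.txt"
    nslookup "$domain" > "$out/nslookup.txt" 2>&1
    echo "IPv4 addresses for $domain:"
    dig_ipv4_addresses < "$out/dig-a.txt"
}

# Answer section copied from the dig output shown above, so the parser can
# be exercised without network access.
SAMPLE_DIG=';; QUESTION SECTION:
;www.packtpub.com. IN A

;; ANSWER SECTION:
www.packtpub.com. 1200 IN CNAME packtpub.com.
packtpub.com. 1200 IN A 83.166.169.228

;; AUTHORITY SECTION:
packtpub.com. 1200 IN NS ns1.easydns.com.'

if [ "$#" -gt 0 ]; then
    passive_lookup "$@"
else
    # No domain given: show what the parser extracts from the sample.
    printf '%s\n' "$SAMPLE_DIG" | dig_answer_records
fi
```

Run it as `sh passive_lookup.sh example.com` to collect the four raw files; without an argument it only parses the embedded sample. Keeping the raw whois and dig output rather than just the parsed fields matters later in an engagement, because details such as registrar, name server set and TTLs are what you compare against when checking whether a domain's records have changed.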
How it works...
dig can be used to find the SPF (Sender Policy Framework) records. SPF records define the domain's mail sending policy, that is, which servers are authorized to send mail on its behalf. Incorrect SPF records leave the domain open to phishing and spam mails sent in its name.
SPF records are published as TXT records. They are meant to ensure that the registered users or partners of a particular domain cannot be targeted by phishing mails that forge the domain's addresses. Information collected from the dig query can help us in determining such issues in our target.
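As an added example (not from the book) of the SPF check just described, the following shell functions fetch a domain's SPF TXT record with dig, split it into mechanisms, count the mechanisms that need DNS lookups (RFC 7208 caps these at 10; beyond that receivers return a permanent error and the record protects nothing), and report the qualifier on the final all mechanism, which is what decides whether unauthorized senders are rejected. The domain argument is a placeholder and the SAMPLE record is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the book: pull a domain's SPF record with dig
# and point out the settings that weaken it. Domain is a placeholder.

# Fetch the SPF TXT record for a domain. dig +short prints TXT data in
# quotes (long records as several quoted strings), so strip the quotes and
# keep the first record that starts with v=spf1.
spf_record() {
    dig +short TXT "$1" | tr -d '"' | grep '^v=spf1' | head -n 1
}

# Print one mechanism or modifier per line, e.g. "include:_spf.example.net",
# "ip4:192.0.2.0/24" or "-all".
spf_mechanisms() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -v '^v=spf1$' | grep -v '^$' || true
}

# Count the terms that cost a DNS lookup during evaluation: include, a, mx,
# ptr, exists and redirect. RFC 7208 limits these to 10 per evaluation.
spf_lookup_count() {
    spf_mechanisms "$1" \
        | grep -c -E '^[-~+?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))' || true
}

# Print the qualifier of the final "all" term: "-" (hard fail), "~" (soft
# fail), "?" (neutral), "+" (pass, also the default when no qualifier is
# given) or "none" when the record has no "all" term at all.
spf_all_qualifier() {
    q=$(spf_mechanisms "$1" | tr 'A-Z' 'a-z' | grep -E '^[-~+?]?all$' | tail -n 1)
    case "$q" in
        "-all")       echo "-" ;;
        "~all")       echo "~" ;;
        "?all")       echo "?" ;;
        "all"|"+all") echo "+" ;;
        *)            echo "none" ;;
    esac
}

# Human-readable summary for one record.
spf_report() {
    rec="$1"
    echo "record:  $rec"
    echo "lookups: $(spf_lookup_count "$rec") (limit 10)"
    case "$(spf_all_qualifier "$rec")" in
        "-") echo "all:     -all, mail from unlisted servers is rejected" ;;
        "~") echo "all:     ~all, mail from unlisted servers is only marked" ;;
        *)   echo "all:     WEAK, unlisted servers may send as this domain" ;;
    esac
}

# Constructed sample record used when no domain is given on the command line.
SAMPLE='v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all'

if [ "$#" -gt 0 ]; then
    spf_report "$(spf_record "$1")"
else
    spf_report "$SAMPLE"
fi
```

Run it as `sh spf_check.sh example.com`. A record ending in `+all`, `?all`, or with no `all` term at all authorizes any host to send as the domain, which is the "incorrect SPF record" case described above; a lookup count over 10 has the same practical effect because receivers stop evaluating the record.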
There's more...
Let us cover more stuff about passive information gathering.
We have used the in-built commands to query our target and gain information. There is an equally good technique of performing similar operations using websites dedicated especially to such lookups. These websites can also provide information about the geographical location, contact number, admin e-mails, and so on.
Some useful links are: