LAB 4 - Intelligence Gathering
Craig T. Ciulla
NCS490
Ronny L. Bull
Date Assigned: 2015/02/12
Due Date: 2015/02/19

1 WHOIS Lookups
In this section, I checked several domains using web-based WHOIS Lookup resources. The
websites I used were https://who.is, http://whois.domaintools.com/, and
http://www.betterwhois.com/.
1.1 http://www.Google.com
The first domain I wanted to look into was www.google.com. I chose this website due to its
widespread popularity and familiarity.
1.1.1 https://who.is
The first WHOIS Lookup through https://who.is appeared to pull up a considerable amount
of useful information about the Google domain name. According to the tool, the domain was
originally registered under MARKMONITOR INC on September 15th, 1997. It also lists
the domain's expiration date as September 14th, 2020, time stamps the last change in domain
information as July 20th, 2011, lists active IP addresses, and has the owner as Dns Admin. What
was really interesting was the presence of several alternate addresses and phone numbers under
domain owner contact info.
1.1.2 http://whois.domaintools.com/
The WHOIS Lookup performed through http://whois.domaintools.com/ brought up even
more information than https://who.is. The search provided an estimate of associated domains
based on company name [16,713 for Google Inc], listed the IP addressing history for the domain
[41 unique IPs and 248 IP changes], provided the website's Alexa rank [#1], and identified the
server type [GWS]. This was in addition to providing the same information as https://who.is.
1.1.3 http://www.betterwhois.com/
The WHOIS Lookup performed through http://www.betterwhois.com/ provided the least
amount of information compared to the previous lookups, but interestingly had one field conflicting with what was reported by the previous two. According to the tool, Google Inc last
updated their domain info on October 28th, 2014. Both http://whois.domaintools.com/
and https://who.is listed July 20th, 2011 as the date when the domain listing was last updated.
1.2 https://sunypoly.edu/
This was the second domain I wanted to look into. I chose this domain as it was part of several
recent changes at SUNYIT/SunyPoly.
1.2.1 https://who.is
The first WHOIS Lookup through https://who.is proved very informative. It contained the
full name of the business, the name, contact information, and job title of the website admin,
the static IP address [150.156.24.61] associated with the domain, its Alexa rank [#1,777,930],
its date of activation [October 15th, 2014], and the expiry date [July 31st, 2015].
1.2.2 http://whois.domaintools.com/
The WHOIS Lookup performed through http://whois.domaintools.com/ didn't bring up
much more information than what I had already found using https://who.is. It does claim
that the server hosting the webpage is running nginx and that there are seven other domains
currently associated with the name SUNY Polytechnic Institute.
1.2.3 http://www.betterwhois.com/
The WHOIS Lookup performed through http://www.betterwhois.com/ oddly returned no
results. The tool wasn't able to find https://sunypoly.edu/ within its database, and returned
a generic error as its response.
1.3 https://www.albinoblacksheep.com/
This was the third domain I chose to look into, and was one I chose based entirely on personal
ties and curiosity.
1.3.1 https://who.is
The WHOIS Lookup through https://who.is provided useful information about the identity and location of the website admin [STEVEN LERNER: 34 BROCKINGTON CRES,
TORONTO, CA], domain age and expiration [March 01, 2001, March 01, 2017], server identity
and location [Apache: 70.86.118.157], and the website's Alexa rank [#64,795].
1.3.2 http://whois.domaintools.com/
The WHOIS Lookup through http://whois.domaintools.com/ provided a lot of the same
information, but did have a few fields in addition that proved informative. The tool had a log
of the server's IP addressing history [5 changes over 3 unique IP addresses], the name server
history [17 changes on 12 unique name servers], and the number of domains registered under
the same person [8].
1.3.3 http://www.betterwhois.com/
The WHOIS Lookup through http://www.betterwhois.com/ did not provide any information in addition to what was found between the two initial WHOIS Lookups.
1.4 https://www.newgrounds.com/
This was the fourth domain I chose to look into, chosen through a recommendation when asking
about possible targets.
1.4.1 https://who.is
The WHOIS Lookup through https://who.is provided useful information about the location
of the website admin [96 Mowat Ave, Toronto, CA], domain age and expiration [September
17, 1998, September 16, 2022], server identity and location [Nginx: 198.41.187.234], and the
website's Alexa rank [#3,576]. Something else noteworthy was that the domain appeared to be
registered through Contact Privacy Inc in an attempt to hide the owner's full identity, putting
even the collected address into question.
1.4.2 http://whois.domaintools.com/
Like with albinoblacksheep.com, the WHOIS Lookup through http://whois.domaintools.com/
provided a lot of the same information as the one previous, but again did have a few fields in
addition that proved informative. The tool had a log of the server's IP addressing history [10
changes on 7 unique IP addresses], the name server history [3 changes on 4 unique name servers],
and the fact that the domain was once registered under a different name beforehand.
1.4.3 http://www.betterwhois.com/
Like with albinoblacksheep.com, the WHOIS Lookup through http://www.betterwhois.com/
did not provide any information in addition to what was found between the two initial WHOIS
Lookups.
1.5 http://www.bigassfans.com/
This was the final domain I decided to look into. Again, choosing this domain was the result
of a recommendation.
1.5.1 https://who.is
The WHOIS Lookup through https://who.is surprisingly gathered very little information
about the domain. I was only able to identify the domain's admin [Charles Anderson], the company the domain represents [Delta T Corporation], the domain's age and expiration [November
13, 2000, April 02, 2021], and the webpage's Alexa rank [#110,585].
1.5.2 http://whois.domaintools.com/
From the WHOIS Lookup through http://whois.domaintools.com/, I was able to gather
a little more information that could prove informative. The tool had the server's static IP
address listed [23.253.23.208], a log of the server's IP addressing history [14 changes on 11
unique IP addresses], the name server history [5 changes on 3 unique name servers], the server's
fingerprinted OS [Apache/2.2.22 (Ubuntu)] and the fact that the domain was registered through
GODADDY.COM.
1.5.3 http://www.betterwhois.com/
The WHOIS Lookup through http://www.betterwhois.com/ did not provide any information in addition to what was found between the two initial WHOIS Lookups.
1.6 Brief Analysis of Information Gathered
In this section I reviewed the information gathered throughout the WHOIS Lookups and
explained its potential usefulness in a penetration test.
1.6.1 Social Engineering
In most of the WHOIS Lookups, the administrator's personal location and information were
provided alongside the domain and associated business info. This knowledge could be used
to convince other business employees within the same company that you have business with
the website admin, have the website administrator's trust/friendship, or even that you work
alongside him. This could further be used to gain access to confidential documents or sensitive
equipment.
With this information, I could pretend to have been a former student, coworker, or friend of
Scott, or I could even use this info as part of a brute force attack.
1.6.2 Data Mining
Using the information gathered, I could also perform further research. In the case of my WHOIS
on www.google.com, I was provided with business locations and phone numbers. Reverse
lookups on the phone numbers brought up other registered domains associated with Google
INC.
A search of the addresses used in domain registration revealed the name of the corporate headquarters building [Googleplex], as well as several of its branch offices.
Using this additional information, I could find a weakness on a sister website, breach a smaller
branch office, or even launch a more sophisticated social engineering attack.
1.6.3 Domain Theft, Vulnerability Testing, and More
Using the information gathered, the surface area for attack becomes much more acute and
access much more viable. With the information, you could wait until a domain is at expiry and
attempt to claim it before the admin is able to renew his lease. You could also use the provided
server information [IP and OS version (optional)] to scan for vulnerabilities to construct possible
exploits. With this valuable information, there are so many possible angles to view this from.
WHOIS is a very powerful tool, and an administrator should approach domain registration with
extreme caution to avoid too much information being available.
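As an added example (not part of the lab), the following Python script turns the points above into a check a domain administrator can run against their own record: it parses a WHOIS response of the kind the `whois` command and the web tools return, and flags an expiry inside a warning window (the lapse risk noted above), registrant contact details published without a privacy service (compare the Contact Privacy Inc listing for newgrounds.com), and a single name server. The record, domain, contacts and dates are constructed for the example.

```python
"""Parse a WHOIS record and flag what a domain owner should act on (added example)."""
import re
from datetime import datetime

# Constructed sample in the key/value layout most registrars return; the values
# are illustrative and do not come from a real lookup.
SAMPLE_RECORD = """\
Domain Name: EXAMPLE-LAB.COM
Registrar: Example Registrar, LLC
Creation Date: 2001-03-01T00:00:00Z
Updated Date: 2011-07-20T00:00:00Z
Registry Expiry Date: 2015-07-31T00:00:00Z
Name Server: NS1.EXAMPLE-LAB.COM
Name Server: NS2.EXAMPLE-LAB.COM
Registrant Email: jane.admin@example-lab.com
Registrant Phone: +1.5555550100
>>> Last update of WHOIS database: 2015-02-19T00:00:00Z <<<
"""

# One "Key: value" pair per line; repeated keys (Name Server) accumulate.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Return {lower-case field: [values]} from a flat WHOIS record."""
    record = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:  # comments, blank lines and the trailing notice do not match
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return record


def parse_date(value):
    """Accept the ISO 8601 form and the older DD-Mon-YYYY form seen in WHOIS output."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def assess(record, today, warn_days=60):
    """Return (code, detail) findings: lapse risk, exposed contacts, single name server."""
    findings = []
    expiry_values = record.get("registry expiry date", []) + record.get("expiration date", [])
    expiry = parse_date(expiry_values[0]) if expiry_values else None
    if expiry is None:
        findings.append(("no-expiry", "expiry date missing or unparsable"))
    elif (expiry - today).days <= warn_days:
        # A lapsed registration can be re-registered by anyone, so renew well ahead.
        findings.append(("expiry-soon", f"domain expires in {(expiry - today).days} days"))
    for field in ("registrant email", "registrant phone", "admin email", "admin phone"):
        for value in record.get(field, []):
            # Privacy services publish a proxy contact or a "REDACTED" marker instead.
            if not re.search(r"privacy|redacted", value, re.IGNORECASE):
                findings.append(("contact-exposed", f"{field}: {value}"))
    if len(record.get("name server", [])) < 2:
        findings.append(("single-ns", "fewer than two name servers listed"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(parse_whois(SAMPLE_RECORD), datetime(2015, 6, 15)):
        print(f"{code:16} {detail}")
```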
1.7 CLI WHOIS Lookup
With the research performed using only web-based lookup tools, a curious question arises. How
much of the gathered information was pure WHOIS records and how much of it was gathered
through different means? To satisfy this curiosity, a purely CLI WHOIS Lookup was performed
on a Linux command line via the command whois.
1.7.1 http://www.google.com
Performing a WHOIS on www.google.com from the command line shockingly supplied very little
information. The only thing I was supplied with was a list of connected sub-domains, and a
warning that I might need to perform the lookup on one of the sub-domains to retrieve specific
information.
With this in mind, I reran the lookup on www.google.com.au to check if more information
would be provided. The sub-domain lookup provided more information than before, but it was
still very little compared to the results that the web-based utilities produced. Though, it should
be noted that all of the information provided coincided with the information provided through
the web tools.
1.7.2 http://sunypoly.edu
Performing a WHOIS lookup on http://sunypoly.edu yielded nearly as much information as
the web-based tools. The only information unavailable was the Alexa rank, IP addressing history,
domain history, and server OS fingerprint. Like with the CLI lookup on http://www.google.com,
all of the information provided coincided with the information gathered through the web-based
tools.
1.7.3 http://www.albinoblacksheep.com
Performing a WHOIS on http://www.albinoblacksheep.com oddly enough yielded no
results. The record for the website was not found in the database.
Worried that the domain may no longer exist and that the web tools might be the ones out of
date, I performed a ping test on the main page.
With the website main page resolving and responding to ping, I attempted to navigate to the
page.
Still not having any difficulty, I came to the conclusion that the CLI-based lookup tool may not
have as large a database as the web-based tools utilized earlier on.
1.7.4 http://www.newgrounds.com
Like with http://www.albinoblacksheep.com, http://www.newgrounds.com was not
within the tool's database and I was unable to find any information from it as such.
1.7.5 http://www.bigassfans.com
Again, the website was not within the database and I could not gather any information using
the tool as a result.
1.8 http://www.netcraft.com
Similar to the previously used web-based WHOIS lookup tools, Netcraft is a website with
WHOIS Lookup capabilities. Where the website excels is by performing its own active website
monitoring in addition to supplying the usual WHOIS records. I reran the WHOIS lookups for
the five previously tested domains.
1.8.1 http://www.Google.com
While the lookup provided a commendable amount of information, I found that there wasn't
too much displayed that I did not already gather from the previous WHOIS lookups. Outside of
previous WHOIS lookups, I now had information about what programming language was being
used within the server [PERL], the type of privacy management framework in use [P3P], the
version of HTML/CSS in use [HTML5/CSS Media Query], and the plugin required to access
hosted content on the website [JavaScript].
1.8.2 http://sunypoly.edu
Outside of previous WHOIS lookups, I now had information about what programming language
was being used within the server [PERL], the services being run on it [PHP, SSL, RSS], the
version of HTML/CSS in use [HTML5/CSS Media Query], that the server was using HTML
compression [Gzip based], and the plugins required to access hosted content on the website
[JavaScript, jQuery].
1.8.3 http://www.albinoblacksheep.com
Outside of previous WHOIS lookups, I now had information about what programming language
was being used within the server [PERL], the services being run on it [XML, PHP, RSS], the
version of HTML/CSS in use [HTML/HTML5/CSS Media Query], that the server was using
HTML compression [Gzip based], and the plugins required to access hosted content on the
website [JavaScript, jQuery].
1.8.4 http://www.newgrounds.com
Outside of previous WHOIS lookups, I now had information about what programming language
was being used within the server [PERL], the services being run on it [SSL, PHP, ASP.NET], the
version of HTML/CSS in use [HTML/HTML5], that the server was using HTML compression
[Gzip based], the plugins required to access hosted content on the website [JavaScript, jQuery],
and that the website relied on a content delivery network [CloudFlare].
1.8.5 http://www.bigassfans.com
Outside of previous WHOIS lookups, I now had information about what programming language was being used within the server [PERL], the services being run on it [PHP, WordPress],
WordPress plugins running on the server [Google COOP Onsite, WordPress Super Cache,
NextGEN WordPress Gallery, Modernizr, Click-to-Call Mobile], the version of HTML/CSS
in use [HTML/HTML5], that the server was using HTML compression [Gzip based], and the
plugins required to access hosted content on the website [JavaScript, jQuery].
1.9 IP Based WHOIS
When performing a WHOIS using an IP address from each of the websites, the results returned
always matched the earlier lookups. The only fact from this test worth noting is that the results
were not as extensive as when the websites were looked up by domain name.
1.10 Closing Thoughts
While I feel that using CLI-based WHOIS to perform lookups should be superior to using a
simplified web variant, my experience with it leads me to believe that its usability is largely
hindered by the fact that the default database included with it is excessively small. The only
drawback I encountered while using web-based WHOIS services for lookups was the validity
of the information provided, and, unlike the drawback faced with CLI WHOIS lookups, common sense and good data mining practices could minimize the risk of accepting falsified data.
With that in consideration, there was only ever one instance where the data gathered was of
questionable validity. In the case of the CLI-based WHOIS lookups, there were three instances
out of a set of five tests where the tool did not contain the necessary records to produce useful
information.
2 NSLookups
In this section, I checked the same domains used in the WHOIS lookup again, this time using
NSLookup to determine the machines' name servers. Again, these websites were http://www.google.com,
http://sunypoly.edu, http://www.albinoblacksheep.com, http://www.newgrounds.com,
and http://www.bigassfans.com.
2.1 http://www.google.com
Interactive lookup, default DNS:
Interactive lookup, Google DNS:
Noninteractive lookup, default DNS:
Noninteractive lookup, Google DNS:
2.2 http://sunypoly.edu
Interactive lookup, default DNS:
Interactive lookup, Google DNS:
Noninteractive lookup, default DNS:
Noninteractive lookup, Google DNS:
2.3 http://www.albinoblacksheep.com
Interactive lookup, default DNS:
Interactive lookup, Google DNS:
Noninteractive lookup, default DNS:
Noninteractive lookup, Google DNS:
2.4 http://www.newgrounds.com
Interactive lookup, default DNS:
Interactive lookup, Google DNS:
Noninteractive lookup, default DNS:
Noninteractive lookup, Google DNS:
2.5 http://www.bigassfans.com
Interactive lookup, default DNS:
Interactive lookup, Google DNS:
Noninteractive lookup, default DNS:
Noninteractive lookup, Google DNS:
2.6 Basic Output Analysis
In all of the DNS lookups, the default name server used for the lookups was the default for the
machine the lookup was run from.
3 NMap
In this section I practiced utilizing port scanners to discover running services and machine
vulnerabilities. For the purposes of these tests, my Windows XP and Metasploitable VMs were
utilized.
3.1 Windows XP VM
The first VM I tested was my Windows XP VM located at 10.110.65.42.
3.1.1 Finding running services
To find all running services on the target machine, I first ran an NMap port scan on the IP.
The scan revealed the ports open on the machine. It can be assumed that each one of these
ports is allocated to a service, and as such the services that usually use the ports by default
are listed beside the port. With the knowledge of running services on the target machine, an
attacker can probe the service ports for further information or immediately use the services as
part of an attack. The scan also identified the target machine's MAC address, which can be
used in attacks as well.
Following the general port scan, I used a targeted port scan to identify more information about
a specific port. The scan was on port 25 and revealed that the hostname of the machine was
ciullac-WinXP, that the version of SLmail running behind the port was 5.5.0.4433, and that the
machine would accept ESMTP.
While I used nc to probe a specific port, NMap could also be used with the correct flags.
This is useful for an attacker as the version number of a service could be used to look up known
vulnerabilities for that service.
Expanding this, I did another NMap scan on the target machine. This time I used the V flag
to attempt to detect service versions. Similar to the port specific scan, this scan will probe the
service behind an open port to identify information about the version number, only on all open
ports instead of just one.
3.2 Metasploitable VM
The second VM I tested was my Metasploitable VM located at 10.110.65.42.
3.2.1 Finding running services
To find all running services on the target machine, I first ran an NMap port scan on the IP.
Like with the Windows XP VM, the scan revealed the ports open on the machine as well as the
target machine's MAC address.
Following the general port scan, I again used a targeted port scan to identify more information
about a specific port. The scan was on port 22 and revealed that the version of SSH running
behind the port was OpenSSH 4.7p1.
Again, this is useful for an attacker as the version number of a service could be used to look up
known vulnerabilities for that service.
Expanding this, I did another NMap scan on the target machine. This time I used the V flag
to attempt to detect service versions. Similar to the port specific scan, this scan will probe the
service behind an open port to identify information about the version number, only on all open
ports instead of just one.
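The two scans described in 3.1.1 and 3.2.1 differ in one way worth checking when reading the results: a plain port scan labels an open port with the default service name for that port number, while the version-detection scan actually talks to the service. As an added example (not part of the lab, which recorded its scans as screenshots), the Python below reads NMap's XML output format, inventories the open ports per host, and separates the ports whose service NMap verified from those that only carry the port-number default. The XML is a constructed sample: the SLmail 5.5.0.4433 and OpenSSH 4.7p1 entries and the 10.110.65.42 address come from the lab, while the 192.0.2.10 host, the MAC address and the remaining ports are placeholders.

```python
"""Summarise open ports from nmap XML output (added example; the lab captured screenshots)."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sV -oX` output. Port 25 (SLmail 5.5.0.4433)
# and port 22 (OpenSSH 4.7p1) are the findings reported in the lab; the 192.0.2.10
# host, the MAC address and the other ports are placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.110.65.42" addrtype="ipv4"/>
    <address addr="00:00:00:00:00:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/>
        <service name="smtp" product="SLmail" version="5.5.0.4433" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" method="table" conf="3"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap(xml_text):
    """One dict per open port: host, port, the service nmap reports and how it decided."""
    results = []
    for host in ET.fromstring(xml_text).findall("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to inventory
            svc = port.find("service")
            results.append({
                "host": addrs.get("ipv4"),
                "mac": addrs.get("mac"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "version": " ".join(filter(None, (svc.get("product"), svc.get("version"))))
                if svc is not None else "",
                # method="table": the name is only the default for that port number (plain
                # port scan); method="probed": -sV talked to the service and read its banner.
                "verified": svc is not None and svc.get("method") == "probed",
            })
    return results


def unverified_ports(results):
    """Open ports whose service is still a port-number guess: check these by hand."""
    return [(r["host"], r["port"]) for r in results if not r["verified"]]


if __name__ == "__main__":
    for r in parse_nmap(SAMPLE_XML):
        flag = "" if r["verified"] else "  (unverified)"
        print(f'{r["host"]}:{r["port"]}/{r["proto"]} {r["service"]} {r["version"]}{flag}')
```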
4 OSINT
In this section I was tasked with gathering information about myself with my full name as the
only lead.
4.1 www.google.com
The first place I checked for information on myself was Google. The first four results were links
to my CS homepage, where I have all of my past LAB write-ups stored for potential employers.
Knowing that I have hosted content at sunyit.edu, I already had my next target.
4.2 web.cs.sunyit.edu/ciullac
Going up to my root directory from the labs found from www.google.com, I had access to
all my finished labs and assignments. From these write-ups, quite a bit of information could
be gathered. As the information was hosted on sunyit.edu, it could be discerned that I have a
sunyit.edu based email account. This, compounded with the use of the username ciullac within
the lab write-ups, points to a possible email address being [email protected]. With that email
and the use of ciullac as a username, I proceeded to the next resource.
4.3 http://namechk.com/
With the username ciullac, I ran a username availability check to determine what accounts were
occupied under that name. I did this to potentially find more leads.
As shown by the screenshots, only a few were occupied and following those links proved
useless. This lead was declared a dead end and the sunyit.edu homepage was revisited.
4.4 Reverse Image Lookup
Also found on the CS department webpage was an image of me standing next to someone. A
reverse image lookup was performed on this image to determine if it had any other sources. As
shown by the screenshot, this was another dead end.
4.5 Facebook
With a likely picture of myself, I went to Facebook to search my name with a picture for identity
verification. As shown by the screenshot, this was successful.
I was able to find a lot of information about myself too, from favorite movies to liked pages.
I even gathered potential relationships between myself and others on Facebook based on my
cover photo and comments left on it.
4.6 https://ncsclub.sunyit.edu/
Going back to my write-ups from the CS webpage, I also stumbled upon a reference to the
Sunypoly NCS Club.
This reference led me to the NCS Club homepage, where I found the section listing me as head
of the club fundraiser. This gave away my active status within the club.
4.7 www.linkedin.com
With basic academic info from sunypoly.edu and no other leads in mind, I searched for
a matching profile on LinkedIn. As shown by the screenshot, this was successful and provided
information about past work experience.