LAB 4 - Intelligence Gathering
Craig T. Ciulla
NCS490
Ronny L. Bull
Date Assigned: 2015/02/12
Due Date: 2015/02/19

1 WHOIS Lookups

In this section, I checked several domains using web-based WHOIS Lookup resources. The websites I used were https://who.is, http://whois.domaintools.com/, and http://www.betterwhois.com/.

1.1 http://www.Google.com

The first domain I wanted to look into was www.google.com. I chose this website due to its widespread popularity and familiarity.

1.1.1 https://who.is

The first WHOIS Lookup through https://who.is appeared to pull up a considerable amount of useful information about the Google domain name. According to the tool, the domain was originally registered under MARKMONITOR INC on September 15th, 1997. It also lists the domain's expiration date as September 14th, 2020, time stamps the last change in domain information as July 20th, 2011, lists the active IP addresses, and has the owner as Dns Admin. What was really interesting was the presence of several alternate addresses and phone numbers under the domain owner contact info.

1.1.2 http://whois.domaintools.com/

The WHOIS Lookup performed through http://whois.domaintools.com/ brought up even more information than https://who.is. The search provided an estimate of associated domains based off the company name [16,713 for Google Inc], listed the IP addressing history for the domain [41 unique IPs and 248 IP changes], provided the website's Alexa rank [#1], and identified the server type [GWS]. This was in addition to providing the same information as https://who.is.

1.1.3 http://www.betterwhois.com/

The WHOIS Lookup performed through http://www.betterwhois.com/ provided the least amount of information compared to the previous lookups, but interestingly had one field conflicting with what was reported by the previous two. According to the tool, Google Inc last updated their domain info on October 28th, 2014.
Both http://whois.domaintools.com/ and https://who.is listed July 20th, 2011 as the date when the domain listing was last updated.

1.2 https://sunypoly.edu/

This was the second domain I wanted to look into. I chose this domain as it was part of several recent changes at SUNYIT/SunyPoly.

1.2.1 https://who.is

The first WHOIS Lookup through https://who.is proved very informative. It contained the full name of the business; the name, contact information, and job title of the website admin; the static IP address associated with the domain [150.156.24.61]; its Alexa rank [#1,777,930]; its date of activation [October 15th, 2014]; and the expiry date [July 31st, 2015].

1.2.2 http://whois.domaintools.com/

The WHOIS Lookup performed through http://whois.domaintools.com/ didn't bring up much more information than what I had already found using https://who.is. It does claim that the server hosting the webpage is running nginx and that there are seven other domains currently associated with the name SUNY Polytechnic Institute.

1.2.3 http://www.betterwhois.com/

The WHOIS Lookup performed through http://www.betterwhois.com/ oddly returned no results. The tool wasn't able to find https://sunypoly.edu/ within its database, and returned a generic error as its response.

1.3 https://www.albinoblacksheep.com/

This was the third domain I chose to look into, and was one I chose based entirely off personal ties and curiosity.

1.3.1 https://who.is

The WHOIS Lookup through https://who.is provided useful information about the identity and location of the website admin [STEVEN LERNER: 34 BROCKINGTON CRES, TORONTO, CA], domain age and expiration [March 01, 2001, March 01, 2017], server identity and location [Apache: 70.86.118.157], and the website's Alexa rank [#64,795].

1.3.2 http://whois.domaintools.com/

The WHOIS Lookup through http://whois.domaintools.com/ provided a lot of the same information, but did have a few fields in addition that proved informative.
The tool had a log of the server's IP addressing history [5 changes over 3 unique IP addresses], the name server history [17 changes on 12 unique name servers], and the number of domains registered under the same person [8].

1.3.3 http://www.betterwhois.com/

The WHOIS Lookup through http://www.betterwhois.com/ did not provide any information in addition to what was found between the two initial WHOIS Lookups.

1.4 https://www.newgrounds.com/

This was the fourth domain I chose to look into, chosen through a recommendation when asking about possible targets.

1.4.1 https://who.is

The WHOIS Lookup through https://who.is provided useful information about the location of the website admin [96 Mowat Ave, Toronto, CA], domain age and expiration [September 17, 1998, September 16, 2022], server identity and location [Nginx: 198.41.187.234], and the website's Alexa rank [#3,576]. Something else noteworthy was that the domain appeared to be registered through Contact Privacy Inc in an attempt to hide the owner's full identity, putting even the collected address into question.

1.4.2 http://whois.domaintools.com/

Like with albinoblacksheep.com, the WHOIS Lookup through http://whois.domaintools.com/ provided a lot of the same information as the previous one, but again had a few additional fields that proved informative. The tool had a log of the server's IP addressing history [10 changes on 7 unique IP addresses], the name server history [3 changes on 4 unique name servers], and the fact that the domain was once registered under a different name beforehand.

1.4.3 http://www.betterwhois.com/

Like with albinoblacksheep.com, the WHOIS Lookup through http://www.betterwhois.com/ did not provide any information in addition to what was found between the two initial WHOIS Lookups.

1.5 http://www.bigassfans.com/

This was the final domain I decided to look into. Again, choosing this domain was the result of a recommendation.
1.5.1 https://who.is

The WHOIS Lookup through https://who.is surprisingly gathered very little information about the domain. I was only able to identify the domain's admin [Charles Anderson], the company the domain represents [Delta T Corporation], the domain's age and expiration [November 13, 2000, April 02, 2021], and the webpage's Alexa rank [#110,585].

1.5.2 http://whois.domaintools.com/

From the WHOIS Lookup through http://whois.domaintools.com/, I was able to gather a little more information that could prove informative. The tool had the server's static IP address listed [23.253.23.208], a log of the server's IP addressing history [14 changes on 11 unique IP addresses], the name server history [5 changes on 3 unique name servers], the server's fingerprinted OS [Apache/2.2.22 (Ubuntu)], and the fact that the domain was registered through GODADDY.COM.

1.5.3 http://www.betterwhois.com/

The WHOIS Lookup through http://www.betterwhois.com/ did not provide any information in addition to what was found between the two initial WHOIS Lookups.

1.6 Brief Analysis of Information Gathered

In this section I reviewed the information gathered throughout the WHOIS Lookups and explained its potential usefulness in a penetration test.

1.6.1 Social Engineering

In most of the WHOIS Lookups, the administrator's personal location and information were provided alongside the domain and associated business info. This knowledge could be used to convince other business employees within the same company that you have business with the website admin, have the website administrator's trust/friendship, or even that you work alongside him. This could further be used to gain access to confidential documents or sensitive equipment. With this information, I could pretend to have been a former student, coworker, or friend of Scott, or I could even use this info as part of a brute force attack.

1.6.2 Data Mining

Using the information gathered, I could also perform further research.
In the case of my WHOIS on www.google.com, I was provided with business locations and phone numbers. Reverse lookups on the phone numbers brought up other registered domains associated with Google INC. A search of the addresses used in domain registration revealed the name of the corporate headquarters building [Googleplex], as well as several of its branch offices. Using this additional information, I could find a weakness on a sister website, breach a smaller branch office, or even launch a more sophisticated social engineering attack.

1.6.3 Domain Theft, Vulnerability Testing, and More

Using the information gathered, the surface area for attack becomes much more acute and access much more viable. With the information, you could wait until a domain is at expiry and attempt to claim it before the admin is able to renew his lease. You could also use the provided server information [IP and OS version (optional)] to scan for vulnerabilities to construct possible exploits. With this valuable information, there are so many possible angles to view this from. WHOIS is a very powerful tool, and an administrator should approach domain registration with extreme caution to avoid too much information being available.

1.7 CLI WHOIS Lookup

With the research performed using only web-based lookup tools, a curious question arises. How much of the gathered information was pure WHOIS records and how much of it was gathered through different means? To satisfy this curiosity, a purely CLI WHOIS Lookup was performed on a Linux command line via the command whois.

1.7.1 http://www.google.com

Performing a WHOIS on www.google.com from the command line shockingly supplied very little information. The only thing I was supplied with was a list of connected sub-domains, and a warning that I might need to perform the lookup on one of the sub-domains to retrieve specific information. With this in mind, I reran the lookup on www.google.com.au to check if more information would be provided.
The sub-domain lookup provided more information than before, but it was still very little compared to the results that the web-based utilities produced. Though, it should be noted that all of the information provided coincided with the information provided through the web tools.

1.7.2 http://sunypoly.edu

Performing a WHOIS lookup on http://sunypoly.edu yielded nearly as much information as the web-based tools. The only information unavailable was the Alexa rank, IP addressing history, domain history, and server OS fingerprint. Like with the CLI lookup on http://www.google.com, all of the information provided coincided with the information gathered through the web-based tools.

1.7.3 http://www.albinoblacksheep.com

Performing a WHOIS on http://www.albinoblacksheep.com oddly enough yielded no results. The record for the website was not found in the database. Worried that the domain may no longer exist and that the web tools might be the ones out of date, I performed a ping test on the main page. With the website's main page resolving and responding to ping, I attempted to navigate to the page. Still not having any difficulty, I came to the conclusion that the CLI-based lookup tool may not have as large a database as the web-based tools utilized earlier on.

1.7.4 http://www.newgrounds.com

Like with http://www.albinoblacksheep.com, http://www.newgrounds.com was not within the tool's database and I was unable to find any information from it as such.

1.7.5 http://www.bigassfans.com

Again, the website was not within the database and I could not gather any information using the tool as a result.

1.8 http://www.netcraft.com

Similar to the previously used web-based WHOIS lookup tools, Netcraft is a website with WHOIS Lookup capabilities. Where the website excels is by performing its own active website monitoring in addition to supplying the usual WHOIS records. I reran the WHOIS lookups for the five previously tested domains.
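The raw "Key: value" records returned by the command-line whois tool of section 1.7 can be checked automatically for the registration-hygiene problems raised in section 1.6.3 (a domain approaching expiry) and section 1.1.3 (two lookup sources disagreeing on a field). The script below is an added example, not part of the lab or its tooling; the two WHOIS records it parses are constructed with placeholder values (a made-up domain, a made-up registrar, and a registrar transfer lock present in one copy and absent in the other), and the field names are the common registry labels, mapped onto one normalized key so records from different sources can be compared.

```python
"""Parse raw WHOIS records and flag approaching expiry, a missing registrar
transfer lock, and fields on which two lookup sources disagree.

Added example; both records are constructed placeholders, not the output of
the lab's lookups."""
from datetime import datetime, timezone

# Constructed sample: one hypothetical domain as reported by two sources.
RECORD_SOURCE_A = """\
Domain Name: EXAMPLE-LAB.TEST
Registrar: Example Registrar, Inc. (placeholder)
Updated Date: 2011-07-20T00:00:00Z
Creation Date: 1997-09-15T00:00:00Z
Registry Expiry Date: 2015-03-10T00:00:00Z
Domain Status: clientTransferProhibited
Name Server: NS1.EXAMPLE-LAB.TEST
Name Server: NS2.EXAMPLE-LAB.TEST
"""

RECORD_SOURCE_B = """\
Domain Name: EXAMPLE-LAB.TEST
Registrar: Example Registrar, Inc. (placeholder)
Updated Date: 2014-10-28T00:00:00Z
Creation Date: 1997-09-15T00:00:00Z
Registry Expiry Date: 2015-03-10T00:00:00Z
Domain Status: ok
Name Server: NS1.EXAMPLE-LAB.TEST
Name Server: NS2.EXAMPLE-LAB.TEST
"""

# The date the lab was assigned, used as "today" for the expiry check.
LAB_DATE = datetime(2015, 2, 12, tzinfo=timezone.utc)

# Registries label the same field differently; map them onto one key.
FIELD_ALIASES = {
    "domain name": "domain",
    "registrar": "registrar",
    "updated date": "updated",
    "creation date": "created",
    "registry expiry date": "expires",
    "expiration date": "expires",
    "expiry date": "expires",
    "domain status": "status",
    "name server": "nameservers",
}

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = FIELD_ALIASES.get(key.strip().lower())
        value = value.strip()
        if key is None or not value:
            continue
        if key in ("status", "nameservers"):
            # Keep only the token (drop the EPP status URL some registries append).
            record.setdefault(key, []).append(value.split()[0].lower())
        else:
            record[key] = value
    return record

def parse_date(value):
    """Accept the ISO-8601 form registries use, e.g. '2015-03-10T00:00:00Z'."""
    return datetime.strptime(value[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)

def check_record(record, now, warn_days=60):
    """Return the findings for one parsed record."""
    findings = []
    if "expires" in record:
        days_left = (parse_date(record["expires"]) - now).days
        if days_left < 0:
            findings.append("expired %d days ago" % -days_left)
        elif days_left <= warn_days:
            findings.append("expires in %d days; renew before the grace period" % days_left)
    statuses = record.get("status", [])
    if not any(s in statuses for s in ("clienttransferprohibited", "servertransferprohibited")):
        findings.append("no transfer lock: ask the registrar to set clientTransferProhibited")
    return findings

def compare_records(a, b, fields=("registrar", "updated", "created", "expires", "nameservers")):
    """List the fields on which two lookup sources disagree."""
    return sorted(f for f in fields if a.get(f) != b.get(f))

if __name__ == "__main__":
    rec_a, rec_b = parse_whois(RECORD_SOURCE_A), parse_whois(RECORD_SOURCE_B)
    for name, rec in (("source A", rec_a), ("source B", rec_b)):
        print(name, check_record(rec, LAB_DATE) or ["no findings"])
    print("disagreements:", compare_records(rec_a, rec_b))
```

On the sample, source A is flagged only for the expiry 26 days out, source B additionally for the missing transfer lock, and the comparison reports that the two sources disagree on the "updated" field, which is the situation section 1.1.3 describes; a disagreement on "nameservers" or "registrar" between sources would be the more alarming case to investigate.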
1.8.1 http://www.Google.com

While the lookup provided a commendable amount of information, I found that there wasn't too much displayed that I did not already gather from the previous WHOIS lookups. Outside of previous WHOIS lookups, I now had information about what programming language was being used within the server [PERL], the type of privacy management framework in use [P3P], the version of HTML/CSS in use [HTML5/CSS Media Query], and the plugin required to access hosted content on the website [JavaScript].

1.8.2 http://sunypoly.edu

Outside of previous WHOIS lookups, I now had information about what programming language was being used within the server [PERL], the services being run on it [PHP, SSL, RSS], the version of HTML/CSS in use [HTML5/CSS Media Query], that the server was using HTML compression [Gzip based], and the plugins required to access hosted content on the website [JavaScript, jQuery].

1.8.3 http://www.albinoblacksheep.com

Outside of previous WHOIS lookups, I now had information about what programming language was being used within the server [PERL], the services being run on it [XML, PHP, RSS], the version of HTML/CSS in use [HTML/HTML5/CSS Media Query], that the server was using HTML compression [Gzip based], and the plugins required to access hosted content on the website [JavaScript, jQuery].

1.8.4 http://www.newgrounds.com

Outside of previous WHOIS lookups, I now had information about what programming language was being used within the server [PERL], the services being run on it [SSL, PHP, ASP.NET], the version of HTML/CSS in use [HTML/HTML5], that the server was using HTML compression [Gzip based], the plugins required to access hosted content on the website [JavaScript, jQuery], and that the website relied on a content delivery network [CloudFlare].
1.8.5 http://www.bigassfans.com

Outside of previous WHOIS lookups, I now had information about what programming language was being used within the server [PERL], the services being run on it [PHP, WordPress], WordPress plugins running on the server [Google COOP Onsite, WordPress Super Cache, NextGEN WordPress Gallery, Modernizr, Click-to-Call Mobile], the version of HTML/CSS in use [HTML/HTML5], that the server was using HTML compression [Gzip based], and the plugins required to access hosted content on the website [JavaScript, jQuery].

1.9 IP Based WHOIS

When performing a WHOIS using an IP address from each of the websites, the results returned always matched the earlier lookups. The only fact from this test worth noting is that the results were not as extensive as when the websites were looked up based on domain name.

1.10 Closing Thoughts

While I feel that using CLI-based WHOIS to perform lookups should be superior to using a simplified web variant, my experience with it leads me to believe that its usability is largely hindered by the fact that the default database included with it is excessively small. The only drawback I encountered while using web-based WHOIS services for lookups was the validity of the information provided, and, unlike the drawback faced with CLI WHOIS lookups, common sense and good data mining practices could minimize the risk of accepting falsified data. With that in consideration, there was only ever one instance where the data gathered was of questionable validity. In the case of the CLI-based WHOIS lookups, there were three instances out of a set of five tests where the tool did not contain the necessary records to produce useful information.

2 NSlookups

In this section, I checked the same domains used in the WHOIS lookup again, this time using NSLookup to determine the machines' name servers.
Again, these websites were http://www.google.com, http://sunypoly.edu, http://www.albinoblacksheep.com, http://www.newgrounds.com, and http://www.bigassfans.com.

2.1 http://www.google.com

Interactive lookup, default DNS: [screenshot]
Interactive lookup, Google DNS: [screenshot]
Noninteractive lookup, default DNS: [screenshot]
Noninteractive lookup, Google DNS: [screenshot]

2.2 http://sunypoly.edu

Interactive lookup, default DNS: [screenshot]
Interactive lookup, Google DNS: [screenshot]
Noninteractive lookup, default DNS: [screenshot]
Noninteractive lookup, Google DNS: [screenshot]

2.3 http://www.albinoblacksheep.com

Interactive lookup, default DNS: [screenshot]
Interactive lookup, Google DNS: [screenshot]
Noninteractive lookup, default DNS: [screenshot]
Noninteractive lookup, Google DNS: [screenshot]

2.4 http://www.newgrounds.com

Interactive lookup, default DNS: [screenshot]
Interactive lookup, Google DNS: [screenshot]
Noninteractive lookup, default DNS: [screenshot]
Noninteractive lookup, Google DNS: [screenshot]

2.5 http://www.bigassfans.com

Interactive lookup, default DNS: [screenshot]
Interactive lookup, Google DNS: [screenshot]
Noninteractive lookup, default DNS: [screenshot]
Noninteractive lookup, Google DNS: [screenshot]

2.6 Basic Output Analysis

In all of the DNS lookups, the default name server used for the lookups was the default for the machine the lookup was run from.

3 NMap

In this section I practiced utilizing port scanners to discover running services and machine vulnerabilities. For the purposes of these tests, my Windows XP and Metasploitable VMs were utilized.

3.1 Windows XP VM

The first VM I tested was my Windows XP VM located at 10.110.65.42.

3.1.1 Finding running services

To find all running services on the target machine, I first ran an NMap port scan on the IP. The scan revealed the ports open on the machine. It can be assumed that each one of these ports is allocated to a service, and as such the services that usually use the ports by default are listed beside the port. With the knowledge of running services on the target machine, an attacker can probe the service ports for further information or immediately use the services as part of an attack.
The scan also identified the target machine's MAC address, which can be used in attacks as well. Following the general port scan, I used a targeted port scan to identify more information about a specific port. The scan was on port 25 and revealed that the hostname of the machine was ciullac-WinXP, that the version of SLmail running behind the port was 5.5.0.4433, and that the machine would accept ESMTP. While I used nc to probe a specific port, NMap could also be used with the correct flags. This is useful for an attacker as the version number of a service could be used to look up known vulnerabilities for that service. Expanding this, I did another NMap scan on the target machine. This time I used the V flag to attempt to detect service versions. Similar to the port-specific scan, this scan will probe the service behind an open port to identify information about the version number, only on all open ports instead of just one.

3.2 Metasploitable VM

The second VM I tested was my Metasploitable VM located at 10.110.65.42.

3.2.1 Finding running services

To find all running services on the target machine, I first ran an NMap port scan on the IP. Like with the Windows XP VM, the scan revealed the ports open on the machine as well as the target machine's MAC address. Following the general port scan, I again used a targeted port scan to identify more information about a specific port. The scan was on port 22 and revealed that the version of SSH running behind the port was OpenSSH 4.7p1. Again, this is useful for an attacker as the version number of a service could be used to look up known vulnerabilities for that service. Expanding this, I did another NMap scan on the target machine. This time I used the V flag to attempt to detect service versions. Similar to the port-specific scan, this scan will probe the service behind an open port to identify information about the version number, only on all open ports instead of just one.
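The same version-detection scan that gives an attacker service versions to look up gives the host's owner an inventory to review against what the host is supposed to expose. The script below is an added example and not the lab's own scan output or tooling: it parses nmap's grepable output format (the -oG option, where each port entry is port/state/protocol/owner/service/rpcinfo/version), builds a per-host service list, and reports open ports absent from a hypothetical baseline together with every port whose banner gave the scanner a product and version string. The scan text is constructed; it reuses the two service versions the report quotes (SLmail 5.5.0.4433 on port 25, OpenSSH 4.7p1 on port 22) but places them on placeholder addresses from the 192.0.2.0/24 documentation range, and the other ports and the baseline are invented for the example.

```python
"""Turn an nmap grepable-output (-oG) scan into a service inventory and
compare it with the services each host is expected to expose.

Added example; the scan text and the expected-services baseline are
constructed, not taken from the lab's scans."""
import re

# Constructed sample in nmap's -oG layout (fields are tab-separated; each
# port entry is port/state/protocol/owner/service/rpcinfo/version/).
SAMPLE_GNMAP = """\
# Nmap 6.47 scan initiated (constructed sample) as: nmap -sV -oG - 192.0.2.0/28
Host: 192.0.2.10 (winxp-lab)\tStatus: Up
Host: 192.0.2.10 (winxp-lab)\tPorts: 25/open/tcp//smtp//SLmail 5.5.0.4433/, 139/open/tcp//netbios-ssn///\tIgnored State: closed (998 ports)
Host: 192.0.2.20 (metasploitable-lab)\tStatus: Up
Host: 192.0.2.20 (metasploitable-lab)\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998 ports)
# Nmap done (constructed sample)
"""

# Hypothetical baseline: the (protocol, port) pairs each host should expose.
EXPECTED_SERVICES = {
    "192.0.2.10": {("tcp", 25)},
    "192.0.2.20": {("tcp", 22)},
}

# One port entry: seven slash-separated fields, the last four possibly empty.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_gnmap(text):
    """Return one dict per port entry found in the Ports: fields."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            services.append({
                "host": host, "port": int(port), "proto": proto,
                "state": state, "service": service or "unknown",
                "version": version.strip() or None,
            })
    return services

def review_exposure(services, expected):
    """Findings: open ports outside the baseline, and open ports whose banner
    handed the scanner a product/version string to look up."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        key = (s["proto"], s["port"])
        where = "%s %s/%d" % (s["host"], s["proto"], s["port"])
        if key not in expected.get(s["host"], set()):
            findings.append("%s unexpected open (%s)" % (where, s["service"]))
        if s["version"]:
            findings.append("%s banner reveals '%s'" % (where, s["version"]))
    return findings

if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for s in inventory:
        print("%(host)s %(proto)s/%(port)d %(state)s %(service)s %(version)s" % s)
    for finding in review_exposure(inventory, EXPECTED_SERVICES):
        print("finding:", finding)
```

Run on the sample, the review lists the unexpected NetBIOS port on the first host and the two version banners, while the filtered port 445 is left out because nothing answered there. Feeding real output is a matter of replacing SAMPLE_GNMAP with the contents of a file written by nmap -oG; the banner findings are the ones to act on first, since a version string that is readable by a scanner is exactly what section 3.1.1 says an attacker uses to look up known vulnerabilities.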
4 OSINT

In this section I was tasked with gathering information about myself with my full name as the only lead.

4.1 www.google.com

The first place I checked for information on myself was Google. The first four results were links to my CS homepage, where I have all of my past LAB write-ups stored for potential employers. Knowing that I have hosted content at sunyit.edu, I already had my next target.

4.2 web.cs.sunyit.edu/ciullac

Going up to my root directory from the labs found from www.google.com, I had access to all my finished labs and assignments. From these write-ups, quite a bit of information could be gathered. As the information was hosted on sunyit.edu, it could be discerned that I have a sunyit.edu based email account. This, compounded with the use of the username ciullac within the lab write-ups, points to a possible email address being [email protected]. With that email and the use of ciullac as a username, I proceeded to the next resource.

4.3 http://namechk.com/

With the username ciullac, I ran a username availability check to determine what accounts were occupied under that name. I did this to potentially find more leads. As shown by the screenshots, only a few were occupied and following those links proved useless. This lead was declared a dead end and the sunyit.edu homepage was revisited.

4.4 Reverse Image Lookup

Also found on the CS department webpage was an image of me standing next to someone. A reverse image lookup was performed on this image to determine if it had any other sources. As shown by the screenshot, this was another dead end.

4.5 Facebook

With a likely picture of myself, I went to Facebook to search my name with a picture for identity verification. As shown by the screenshot, this was successful. I was able to find a lot of information about myself too, from favorite movies to liked pages. I even gathered potential relationships between myself and others on Facebook based off my cover photo and comments left on it.
4.6 https://ncsclub.sunyit.edu/

Going back to my write-ups from the CS webpage, I also stumbled upon a reference to the SunyPoly NCS Club. This reference led me to the NCS Club homepage, where I found the section listing me as head of the club fundraiser. This gave away my active status within the club.

4.7 www.linkedin.com

With basic academic info from sunypoly.edu and no other leads in mind, I searched for a matching profile on LinkedIn. As shown by the screenshot, this was successful and provided information about past work experience.