Wednesday, July 3, 2019
Passive Reconnaissance Website Analysis
Assignment: Passive Reconnaissance Write-up
Student name: Soumil Deshpande

Executive Summary
In this assignment, passive reconnaissance was performed on The Weather Channel's website, www.weather.com, and notable results were discovered regarding the organization's online presence. In this passive reconnaissance attack we discovered the domain names and the corresponding IP addresses of the hosts, ports, subdomains, name servers, reverse DNS, the web host name and the location of the hosts. Furthermore, we discovered and analyzed files such as .doc, .pdf and .xls from public online sources, which in turn gave us valuable information about the organization such as the usernames of the employees who created those files, the software used to create them, the date of creation, the date of last edit, the server they were uploaded to, the operating system in use and so forth. It also provided us with the folder paths where the files were stored on the host servers. This information is very important to an attacker performing reconnaissance, as it gives away a lot of critical information about the organization's network footprint, and it was easily obtainable from public sources alone using passive reconnaissance.
To avoid this, we have to make certain that we keep track of all the domain information which is readily available on the internet, such as DNS lookups, WHOIS information and all the publicly hosted files, and make certain that no valuable information can be obtained by an attacker, which could in turn prove harmful for the organization if an attack is conducted against it in the future.

Introduction to the organization
The Weather Channel is an American cable and satellite television channel by NBC Universal. It is also a desktop site, a mobile app and a satellite radio channel. The company is headquartered in Atlanta, Georgia. It primarily provides weather related news and analysis, which includes 24-hour weather forecasts and radar imagery. I chose this company for this assignment because it has a global presence and a very wide and discoverable online footprint. It has hosts all around the world, which gives me many different points of opportunity for reconnaissance. And as their main business is far removed from security, I would assume that not a very high level of resources is spent on securing all of their online services, domains, hosts and websites.

Tools and Methods used to gather information for passive reconnaissance
Following are the tools used for conducting passive reconnaissance, with a description of how each works.

FOCA (Fingerprint Organizations with Collected Archives) (FOCA n.d.)
FOCA is an easy to use graphical tool for Windows whose main purpose is to extract metadata from the documents published on a given website.
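To make concrete what that metadata is, here is an added example written for this write-up (it is not FOCA's code and not the author's) using only Python's standard library. It reads the author, last-modified-by, application, company and template fields that Office (OOXML) files carry in docProps/core.xml and docProps/app.xml, which is the kind of information the report found in the downloaded files, and strips them so the document can be published without them, which is one of the controls suggested at the end of this report. The document it builds (user jdoe, Example Corp, the UNC template path) is a constructed sample, not a file taken from weather.com.

```python
"""Inspect and scrub the identifying metadata in an OOXML (.docx/.xlsx/.pptx) package.

Added example for this write-up; the sample document below is constructed."""
import io
import xml.etree.ElementTree as ET
import zipfile

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Fields that identify people, software versions or internal systems (assumed list; extend as needed).
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created",
               "dcterms:modified", "cp:revision", "dc:description"]
APP_FIELDS = ["Application", "AppVersion", "Company", "Template", "Manager", "HyperlinkBase"]

# Keep the conventional prefixes when re-serializing core.xml.
for _prefix, _uri in CORE_NS.items():
    ET.register_namespace(_prefix, _uri)
ET.register_namespace("vt", VT_NS)


def extract_office_metadata(doc_bytes):
    """Return {field: value} for every identifying field present in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for field in CORE_FIELDS:
                for el in root.findall(field, CORE_NS):  # direct children of coreProperties
                    if el.text and el.text.strip():
                        found[field] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for field in APP_FIELDS:
                el = root.find("{%s}%s" % (APP_NS, field))
                if el is not None and el.text and el.text.strip():
                    found[field] = el.text.strip()
    return found


def strip_office_metadata(doc_bytes):
    """Return a copy of the package with the identifying fields removed.

    Every other part (body, styles, media, content types) is copied unchanged and in order."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for field in CORE_FIELDS:
                    for el in root.findall(field, CORE_NS):
                        root.remove(el)
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            elif item.filename == "docProps/app.xml":
                root = ET.fromstring(data)
                for field in APP_FIELDS:
                    for el in root.findall("{%s}%s" % (APP_NS, field)):
                        root.remove(el)
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8",
                                   default_namespace=APP_NS)
            dst.writestr(item.filename, data)
    return out_buf.getvalue()


def read_part(doc_bytes, name):
    """Return one part of the package as text (used to confirm non-metadata parts survive)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return z.read(name).decode("utf-8")


def make_sample_docx():
    """Constructed sample: a minimal package with the fields Word normally fills in."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:dcmitype="%s" xmlns:xsi="%s">'
        '<dc:title>Quarterly outage report</dc:title>'
        '<dc:creator>jdoe</dc:creator>'
        '<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>'
        '<cp:revision>14</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2019-05-02T09:15:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2019-06-28T17:40:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ) % (CORE_NS["cp"], CORE_NS["dc"], CORE_NS["dcterms"], CORE_NS["dcmitype"], CORE_NS["xsi"])
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        '<AppVersion>16.0000</AppVersion><Company>Example Corp</Company>'
        '<Template>\\\\fileserver01\\templates\\report.dotm</Template>'
        '<Pages>3</Pages></Properties>'
    ) % APP_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")      # placeholder part
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")     # placeholder body
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_docx()
    print("before:", extract_office_metadata(sample))
    print("after: ", extract_office_metadata(strip_office_metadata(sample)))
```

Running the block against a real .docx works the same way (pass the file's bytes); PDF and legacy .doc files keep their metadata in other structures and need a different scrubber. The check is worth running in the publishing pipeline rather than by hand, because the fields are repopulated every time someone re-saves the file.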
FOCA automates the process of finding and downloading all the public documents of various formats from the website, analyzing them and presenting the extracted information in a human readable form in the FOCA Windows GUI. The documents downloaded from the organization's website are located by various methods, including search engines like Google, Bing and Exalead. We can also add local files acquired from other sources to the FOCA GUI for analysis and metadata extraction. An interesting feature of FOCA is that it can analyze the URL and the file without even downloading it. FOCA is capable of downloading and analyzing different types of documents, ranging from Microsoft Office files to Adobe files and other custom formats. After all the metadata is extracted from the files, FOCA correlates related information, such as documents created by the same group and the usernames of the owners of the documents, and can help build a network map based on the metadata analyzed from all the public sources available on the internet. FOCA also includes a server discovery mode which automatically searches for the organization's servers using recursively linked routines. Techniques such as web search, DNS search, IP resolution, PTR scanning, Bing IP, common names, DNS prediction and Robtex are used in FOCA's server discovery process. Other features of FOCA include network analysis, DNS spoofing, search for common files, proxy search, technology identification, fingerprinting, leaks, backup search, error forcing and open directory searches.

Google search (Search engines reconnaissance: The magic weapons n.d.)
Search engines are very powerful weapons for an attacker conducting passive reconnaissance on an organization. Using Google search as a reconnaissance tool is 100% legal, as the process does not involve accessing unauthorized data or files. Reconnaissance using Google is done with special search queries built from search modifiers and search operators. Search modifiers are symbols such as + (requires the term to match exactly), - (excludes results that match the term), * (wildcard) and "" (searches for a specific text, word or phrase). Search operators are keywords used in the search queries, such as:
allintext: restricts the search to pages containing all the search terms you specify.
allintitle: restricts the search to pages whose titles contain the specified text.
allinurl: restricts the search to pages whose URL contains all the specified terms.
filetype: returns only results for files of the type specified by the user. For example, "document filetype:doc" returns all documents with the .doc file extension.
site: restricts the search to the specified site or domain.
Using the above search modifiers and operators we can form a specific query. For example,
we can form a query to get all the .doc files from www.example.com as site:www.example.com filetype:doc. From Google search queries we can obtain essential information like staff lists and positions, contact information, technical skills, help desk FAQs, security policies and so on.

DNSDumpster.com
DNSDumpster is an online service that lets us analyze a given website to find valuable information like all the DNS records of the website, all the hosts, domains, IPs, locations and reverse DNS addresses. It also gives a graphical representation of the organization's network map built from the discovered data. We can also export all this information from the website to an Excel spreadsheet to analyze the data further.

WHOIS and TRACEROUTE
WHOIS is a query and response protocol used to retrieve information about network resources, like domain names, IP addresses, owner information and web host contact information. Traceroute is a Windows command which records the route across the internet from your computer to the destination address.

PassiveRecon Mozilla add-on (PassiveRecon n.d.)
This very powerful Mozilla add-on combines various passive reconnaissance tools such as IP tracing, WHOIS and Google search queries into one single add-on which can be used to perform passive reconnaissance with the click of a button.

Recon-ng (recon-ng n.d.)
Recon-ng is a powerful tool by the developer LaNMaSteR53. It is a full-featured web based reconnaissance framework written in Python.
It has an inbuilt module known as reconnaissance which is used for conducting all the passive reconnaissance on the website or web server. It collects data such as IP information, domain names, hosts, location, related domains and other important information about the organization. It is a Linux tool and works with most current Linux distributions such as Kali or Ubuntu.

SamSpade (SamSpade n.d.)
SamSpade is a Windows tool which is widely used for passive reconnaissance. It is used for functions such as zone transfer, SMTP relay check, scan addresses, crawl website, browse web, fast and slow traceroutes, decode URL, parse email headers and so on.

NetCraft (netcraft n.d.)
NetCraft is a United Kingdom based company which tracks almost all websites. Using this tool, we can obtain all the domains and a site report with information like registrar information, location, DNS admin email address, hosting company, netblock owner and so on. It also lets us look at the hosting history, with the name and version of the web server, and shows which web technologies have been used on the website.

Information found after reconnaissance

DNS Hosts
By using the different reconnaissance tools mentioned above, we have gathered over 100 DNS hostnames for the website weather.com, with additional information like IP addresses, reverse DNS, netblock owner, country and web server. The entire table of the collected information is listed at the bottom of this document in tabular format for easy reading. A network map has also been created from the collected DNS information and is listed at the end of this document as well. We have also obtained the technologies used on the client side of the weather.com website.
These technologies include jQuery, Google Hosted Libraries, AJAX, Angular JS and Modernizr.

Extracted Files and Metadata
Using FOCA as well as Google search queries, files were downloaded from the weather.com servers and analyzed to find information about the organization like system users, system paths, software used and clients connected to the servers. Following is the list of user information extracted from the metadata of the collected files:
Kerry McCord
Maynard Lindai
Marc
Fatima Jantasri
David Tufts
Linda Maynard
Neal Stein
Following is the list of software used to create or edit these files, or used in the organization in general. This data was extracted from over 159 documents which were collected using FOCA and Google search. Following are the clients, servers and domains of weather.com collected from server discovery and analysis of file metadata.

How the collected information can be used by the attacker
The above information, although publicly available, is very useful to an attacker planning an attack on the website. With all this information, such as DNS hostnames, IP addresses, reverse DNS and hosting servers, the attacker can now use active reconnaissance techniques on these hosts to gather even more valuable information, like the traffic on a particular server, the capacity of a particular server, insecure protocols on the domain, SQL injection into form fields, DDoS against a particular point and so on. By recognizing a weak link in the organization's network architecture, an attacker can find a way into locations which were hidden from the public.
By doing this the attacker can gain access to much more valuable information and build a stronger attack. With all the DNS addresses available, the attacker can perform active penetration testing against these web servers and IP addresses to find vulnerabilities which can be exploited later. Servers that carry a large amount of network load can be DDoSed to take down the organization's website. User information was also gathered in this passive reconnaissance process; it can be used to learn more about the people working in the organization and for different social engineering attacks. These particular users can be targeted by email, which could in turn compromise the systems they are in charge of. We now also know the software used in the organization and its version numbers. We can look up the vulnerabilities in that particular software and use them together with social engineering to exploit a target system in the organization. Using all the information gathered by this passive reconnaissance process, the attacker has a lot of avenues which he can dig into further using active reconnaissance or penetration testing methods.

Suggested Controls
We have to keep in mind that it is essential for a business to release public documents online. Thus, we need to make sure that these public documents do not give away any valuable information, either in the form of metadata or in the actual content of the document. These documents should be reviewed internally by the information security team before they are uploaded to the public website. We can even use a tool to locally extract and remove all the metadata from a file before we upload it to the website. We must also take active steps to secure the perimeter of our network. We must know the devices that run on our network and keep them updated with the latest security patches and releases. We should only release vague and general information to the public regarding domain names and registrar information. We should also disable and remove all devices, web servers, users, accounts and domains which are not in use. We should also conduct penetration testing on our web servers and websites periodically to further harden our network. We should also use NAT for as much of the network as possible; this helps to block OS fingerprinting and port scanning, which are the main part of active reconnaissance techniques. We should add a stateful firewall at the network perimeter to prevent intrusion. We should also have an IDPS to monitor the traffic to each web server and log or block the actions it sees.

Tables and Diagrams

DNS hostnames, IP addresses and reverse DNS of weather.com

Hostname | IP Address | Reverse DNS
dmz.weather.com | 65.212.71.220 |
dmz.weather.com | 65.212.71.221 |
weather.com | 23.218.138.47 | a23-218-138-47.deploy.static.akamaitechnologies.com
adcap0x00.twc.weather.com | 65.212.71.199 | adcap0x00.twc.weather.com
adcap0x01.twc.weather.com | 65.212.71.198 | adcap0x01.twc.weather.com
adserver-es1.weather.com | 96.8.82.170 | adserver.es1.dc.weather.com
adserver-es2.weather.com | 96.8.83.170 | adserver.es2.dc.weather.com
adserver-tc1.weather.com | 96.8.84.170 | adserver.twc1.dc.weather.com
adserver-tc2.weather.com | 96.8.85.170 | adserver.twc2.dc.weather.com
ash-dc2-named-1.weather.com | 96.8.90.1 | ash-dc2-named-1.weather.com
attpos.weather.com | 96.8.82.142 | attpos.weather.com
attpos.weather.com | 96.8.84.142 | attpos.weather.com
auth.twc1.dc.weather.com | 96.8.84.137 | auth.twc1.dc.weather.com
b.twc1.dc.weather.com | 96.8.84.144 | b.twc1.dc.weather.com
b.twc2.dc.weather.com | 96.8.85.144 | b.twc2.dc.weather.com
backupmediadmz.twc.weather.com | 65.212.71.95 | backupmediadmz.twc.weather.com
betaorigin.weather.com | 96.8.84.147 | betaorigin.weather.com
betatest2.weather.com | 96.8.85.103 | betatest2.weather.com
blogs.twc.weather.com | 65.212.71.97 | blogs.twc.weather.com
builddata.weather.com | 96.8.82.54 | builddata.weather.com
buildds.weather.com | 96.8.82.49 | builddds.weather.com
buildmap.weather.com | 96.8.82.56 | buildmap.weather.com
buildmob.weather.com | 96.8.82.50 | buildmob.weather.com
buildmob2.weather.com | 96.8.82.51 | buildmob2.weather.com
buildorigin.weather.com | 96.8.82.53 | buildorigin.weather.com
buildurs.weather.com | 96.8.82.52 | buildurs.weather.com
buildweb.weather.com | 96.8.82.46 | buildweb.weather.com
buildweb2.weather.com | 96.8.82.47 | buildweb2.weather.com
buildwxii.weather.com | 96.8.82.48 | buildwxii.weather.com
cacheds.twc1.dc.weather.com | 96.8.84.141 | cacheds.twc1.dc.weather.com
cacheds.twc2.dc.weather.com | 96.8.85.141 | cacheds.twc2.dc.weather.com
clustsrv1.twc.weather.com | 65.212.71.115 | clustsrv1.twc.weather.com
clustsrv2.twc.weather.com | 65.212.71.116 | clustsrv2.twc.weather.com
clustsrv3.twc.weather.com | 65.212.71.117 | clustsrv3.twc.weather.com
clustsrv4.twc.weather.com | 65.212.71.121 | clustsrv4.twc.weather.com
clustsrv5.twc.weather.com | 65.212.71.122 | clustsrv5.twc.weather.com
connect.twc.weather.com | 65.212.71.136 | connect.twc.weather.com
dmzdc02.dmz.weather.com | 65.212.71.223 | dmzdc02.twc.weather.com
dmzdc02.twc.weather.com | 65.212.71.223 | dmzdc02.twc.weather.com
dmz.weather.com | 65.212.71.223 | dmzdc02.twc.weather.com
dmzdc03.dmz.weather.com | 65.212.71.222 | dmzdc03.twc.weather.com
dmzdc03.twc.weather.com | 65.212.71.222 | dmzdc03.twc.weather.com
dmz.weather.com | 65.212.71.222 | dmzdc03.twc.weather.com
dmzswitch10.twc.weather.com | 65.212.71.10 | dmzswitch10.twc.weather.com
dmzswitch11.twc.weather.com | 65.212.71.11 | dmzswitch11.twc.weather.com
dmzswitch12.twc.weather.com | 65.212.71.12 | dmzswitch12.twc.weather.com
dmzswitch13.twc.weather.com | 65.212.71.13 | dmzswitch13.twc.weather.com
dmzswitch14.twc.weather.com | 65.212.71.14 | dmzswitch14.twc.weather.com
dns1.weather.com | 96.8.82.15 | dns2.weather.com
dns2.weather.com | 96.8.82.15 | dns2.weather.com
dns3.weather.com | 96.8.84.15 | dns3.weather.com
dsp-db.twc.weather.com | 65.212.71.119 | dsp-db.twc.weather.com
dsq-db.twc.weather.com | 65.212.71.99 | dsq-db.twc.weather.com
dualg.twc.weather.com | 65.202.103.100 | dualg.twc.weather.com
articles.weather.com | 52.200.156.65 | ec2-52-200-156-65.compute-1.amazonaws.com
chef.dev.web.weather.com | 54.208.182.48 | ec2-54-208-182-48.compute-1.amazonaws.com
apistatus.weather.com | 54.236.78.100 | ec2-54-236-78-100.compute-1.amazonaws.com
checkout.developer.weather.com | 54.69.68.23 | ec2-54-69-68-23.us-west-2.compute.amazonaws.com
f5.twc.weather.com | 65.212.71.140 | f5.twc.weather.com
f5lab.dmz.weather.com | 65.212.71.66 | f5lab.dmz.weather.com
f5vpn-lab.dmz.weather.com | 65.212.71.65 | f5vpn-lab.dmz.weather.com
faspex0b00.twc.weather.com | 65.212.71.48 | faspex0b00.twc.weather.com
faspex0b01.twc.weather.com | 65.212.71.49 | faspex0b01.twc.weather.com
ftp.twc.weather.com | 65.212.71.113 | ftp.twc.weather.com
ftp1.twc.weather.com | 65.212.71.108 | ftp1.twc.weather.com
ftp2.twc.weather.com | 65.212.71.109 | ftp2.twc.weather.com
giporigin.twc1.dc.weather.com | 96.8.84.166 | giporigin.twc1.dc.weather.com
giporigin.twc2.dc.weather.com | 96.8.85.166 | giporigin.twc2.dc.weather.com
gwdmz.twc.weather.com | 65.212.71.1 | gwdmz.twc.weather.com
hide135.twc.weather.com | 96.8.88.135 | hide135.twc.weather.com
hide136.twc.weather.com | 65.202.103.136 | hide136.twc.weather.com
hide139.twc.weather.com | 65.202.103.139 | hide139.twc.weather.com
hide166.twc.weather.com | 65.202.103.166 | hide166.twc.weather.com
hide167.twc.weather.com | 65.202.103.167 | hide167.twc.weather.com
hide19.twc.weather.com | 65.202.103.19 | hide19.twc.weather.com
hide20.twc.weather.com | 65.202.103.20 | hide20.twc.weather.com
hide206.twc.weather.com | 65.202.103.206 | hide206.twc.weather.com
hide207.twc.weather.com | 65.202.103.207 | hide207.twc.weather.com
hide208.twc.weather.com | 65.202.103.208 | hide208.twc.weather.com
hide209.twc.weather.com | 65.202.103.209 | hide209.twc.weather.com
hide21.twc.weather.com | 96.8.88.21 | hide21.twc.weather.com
hide22.twc.weather.com | 96.8.88.22 | hide22.twc.weather.com
hide23.twc.weather.com | 96.8.88.23 | hide23.twc.weather.com
hide24.twc.weather.com | 96.8.88.24 | hide24.twc.weather.com
hide25.twc.weather.com | 96.8.88.25 | hide25.twc.weather.com
hide250.twc.weather.com | 96.8.88.250 | hide250.twc.weather.com
hide26.twc.weather.com | 96.8.88.26 | hide26.twc.weather.com
hide27.twc.weather.com | 96.8.88.27 | hide27.twc.weather.com
hide28.twc.weather.com | 96.8.88.28 | hide28.twc.weather.com
hide29.twc.weather.com | 65.202.103.29 | hide29.twc.weather.com
hide30.twc.weather.com | 65.202.103.30 | hide30.twc.weather.com
hide31.twc.weather.com | 65.202.103.31 | hide31.twc.weather.com
hide35.twc.weather.com | 65.202.103.35 | hide35.twc.weather.com
iasq-app.twc.weather.com | 65.212.71.98 | iasq-app.twc.weather.com
ibp-db.twc.weather.com | 65.212.71.118 | ibp-db.twc.weather.com
imwxsecure.twc1.dc.weather.com | 96.8.84.159 | imwxsecure.twc1.dc.weather.com
imwxsecure.twc2.dc.weather.com | 96.8.85.159 | imwxsecure.twc2.dc.weather.com
careers.twc.weather.com | 65.212.71.129 | przrecruit01.dmz.weather.com
bes.twc.weather.com | 65.212.71.224 | przsccmdp01.dmz.weather.com
grid.weather.com | 54.231.49.82 | s3-website-us-east-1.amazonaws.com

Network map for weather.com (diagram)

References
FOCA. n.d. https://www.elevenpaths.com/labstools/foca/index.html.
netcraft. n.d. https://www.netcraft.com/.
PassiveRecon. n.d. https://addons.mozilla.org/en-US/firefox/addon/passiverecon/.
recon-ng. n.d. https://bitbucket.org/LaNMaSteR53/recon-ng.
SamSpade. n.d. https://www.sans.org/reading-room/whitepapers/tools/sam-spade-934.
Search engines reconnaissance: The magic weapons. n.d. http://securityaffairs.co/wordpress/19570/hacking/search-engines-reconnaissance-magic-weapons.html.
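The suggested controls ask the organization to keep track of its own public DNS information and to retire hosts and records that are no longer needed. The following added example (not part of the original report) is a small review script for a DNS export in the same hostname / IP / reverse DNS layout as the table above; a handful of rows copied from that table are embedded as sample input. It flags records with no PTR, PTR records that do not match the hostname, records that point at third-party hosting, and hostnames whose labels reveal an environment or role, and it counts hosts per /24 so that an unexpected address range stands out. The third-party suffix list and the sensitive-token list are assumptions and should be tuned for the organization being reviewed.

```python
"""Review a hostname / IP / reverse-DNS inventory for records worth a second look.

Added example for this write-up; suffix and token lists are assumptions."""
import ipaddress
from collections import defaultdict

# Reverse-DNS suffixes that mean the record lives on someone else's infrastructure (assumed).
THIRD_PARTY_SUFFIXES = (".amazonaws.com", ".akamaitechnologies.com")
# Label fragments that usually mark non-production or infrastructure hosts (assumed).
SENSITIVE_TOKENS = ("dev", "test", "lab", "backup", "vpn", "ftp", "beta", "build", "chef")

# Sample input: eight rows copied from the table in this report. An empty third column means no PTR.
SAMPLE_ROWS = """\
dmz.weather.com | 65.212.71.220 |
weather.com | 23.218.138.47 | a23-218-138-47.deploy.static.akamaitechnologies.com
dns1.weather.com | 96.8.82.15 | dns2.weather.com
chef.dev.web.weather.com | 54.208.182.48 | ec2-54-208-182-48.compute-1.amazonaws.com
f5vpn-lab.dmz.weather.com | 65.212.71.65 | f5vpn-lab.dmz.weather.com
ftp1.twc.weather.com | 65.212.71.108 | ftp1.twc.weather.com
careers.twc.weather.com | 65.212.71.129 | przrecruit01.dmz.weather.com
grid.weather.com | 54.231.49.82 | s3-website-us-east-1.amazonaws.com
"""


def parse_rows(text):
    """Parse 'host | ip | rdns' lines into (host, ip, rdns) tuples; rdns may be ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        while len(parts) < 3:
            parts.append("")
        host, ip, rdns = parts[:3]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        rows.append((host.lower(), ip, rdns.lower()))
    return rows


def review_records(rows):
    """Return {hostname: [finding, ...]} for every row that deserves review."""
    findings = defaultdict(list)
    for host, ip, rdns in rows:
        if not rdns:
            findings[host].append("no-ptr")
        elif rdns.endswith(THIRD_PARTY_SUFFIXES):
            findings[host].append("third-party-hosted")
        elif rdns != host:
            findings[host].append("ptr-mismatch")
        # Only the hostname's own labels are inspected, never the PTR value.
        tokens = {tok for label in host.split(".") for tok in SENSITIVE_TOKENS if tok in label}
        if tokens:
            findings[host].append("review-exposure:" + ",".join(sorted(tokens)))
    return dict(findings)


def netblocks(rows, prefix=24):
    """Count distinct hostnames per /prefix network so unfamiliar ranges stand out."""
    hosts_by_net = defaultdict(set)
    for host, ip, _ in rows:
        net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        hosts_by_net[str(net)].add(host)
    return {net: len(hosts) for net, hosts in hosts_by_net.items()}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for host, notes in sorted(review_records(rows).items()):
        print("%-32s %s" % (host, "; ".join(notes)))
    for net, count in sorted(netblocks(rows).items()):
        print("%-20s %d host(s)" % (net, count))
```

Run against a full export (DNSDumpster's spreadsheet, or a zone dump from the organization's own name servers) the output is a review list, not a verdict: a PTR mismatch may be a CDN or a shared load balancer, and a "review-exposure" hit is only a prompt to ask whether that host still needs a public record.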