Author Topic: Book: Metasploit: A Penetration Testers Guide (Jul, '11)  (Read 26476 times)
Tancred
« Reply #30 on: July 21, 2011, 11:06:48 PM »

Awesome, was just curious because I'd had a similar issue.  Can't wait til my physical copy arrives, but I wanted to pre-order so I could have it right away. 
hayabusa
« Reply #31 on: July 23, 2011, 01:30:08 PM »

Paperback arrived in today's mail.  Now I can mark it up...  :-p

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
DragonGorge
« Reply #32 on: April 23, 2012, 11:02:22 AM »

Wondered if I could get some questions answered on the whois/netcraft section of this book.

In the Passive Information gathering section of Chapter 3, the book lists a whois performed on secmaniac.net which results in domain servers of XX.DOMAINCONTROL.COM and goes on to say that these servers are not owned by secmaniac.net:
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: SECMANIAC.NET
      Created on: 03-Feb-10
      Expires on: 03-Feb-12
      Last Updated on: 03-Feb-10
   Domain servers in listed order:
      NS57.DOMAINCONTROL.COM
      NS58.DOMAINCONTROL.COM


1. How do we know these aren't owned by secmaniac? Is the tipoff the fact that it's "DOMAINCONTROL.COM" as opposed to "SECMANIAC.COM"?

The next section deals with NETCRAFT and lists the output below followed by an assertion that "this site appears to be hosted inside the author’s home, because the IP block appears to be part of a residential range."
msf > whois 75.118.185.142
  • exec: whois 75.118.185.142
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1)
   75.118.0.0 - 75.118.255.255
WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1)
   75.118.184.0 - 75.118.191.255


2. As before, I'm not clear on what in the printout indicates this is part of a residential range. I'm used to seeing 192.168.x.x but this one is new to me.



On a different note, I noticed that performing the same steps in BT yields different information: different IP addresses (96.126.127.220 as opposed to 75.118.185.142) and different outputs on whois. The different IP addresses don't surprise me, but the whois listing for 75.118.185.142 yields 4 lines while the current IP yields much more info. And does the book's IP listing still come up because the whois database hasn't been updated?
sil
« Reply #33 on: April 23, 2012, 11:23:01 AM »


Quote
1. How do we know these aren't owned by secmaniac? Is the tipoff the fact that it's "DOMAINCONTROL.COM" as opposed to "SECMANIAC.COM"?

We know these aren't OWNED by secmaniac because of the domain: DOMAINCONTROL.com which is a separate company altogether. You can dig out THEIR information using another whois:

whois -h whois.geektools.com domaincontrol.com

Then match up who owns those domains.

Quote
2. As before, I'm not clear on what in the printout indicates this is part of a residential range. I'm used to seeing 192.168.x.x but this one is new to me.

You're confusing things here. The IP address IS ALLOCATED for residential use. It is the PUBLIC IP address his provider assigned to him.

Quote
On a different note, I noticed that performing the same steps in BT yields different information: different IP addresses (96.126.127.220 as opposed to 75.118.185.142) and different outputs on whois. The different IP addresses don't surprise me, but the whois listing for 75.118.185.142 yields 4 lines while the current IP yields much more info. And does the book's IP listing still come up because the whois database hasn't been updated?

You assume his addresses remain the same over time. If you took a look at his domain's history, you can see he has changed it 2x since the book: http://toolbar.netcraft.com/site_report?url=http://www.secmaniac.com

DragonGorge
« Reply #34 on: April 23, 2012, 02:32:05 PM »

Quote
We know these aren't OWNED by secmaniac because of the domain: DOMAINCONTROL.com which is a separate company altogether. You can dig out THEIR information using another whois:
That was what I was getting at - without researching DOMAINCONTROL we wouldn't automatically know that it wasn't the same company that owned secmaniac.net, right?

Quote
You're confusing things here. The IP address IS ALLOCATED for residential use. It is the PUBLIC IP addresses his provider assigned to him
I'm confused by the line in the book that states "we can tell that this site appears to be hosted inside the author's home, because the IP block appears to be part of a residential range." To rephrase my question, how can we tell from the printout that this is inside the author's home (part of a residential range) as opposed to a business?
sil
« Reply #35 on: April 23, 2012, 03:12:51 PM »

Let's take an example IP from a business: (IP is random)
Code:
[root@kenji ~/]# whois -h whois.arin.net 74.95.180.0

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.95.180.0?showDetails=true&showARIN=false&ext=netref2
#

Comcast Business Communications, LLC CBC-PHILADELPHIA-33 (NET-74-95-160-0-1) 74.95.160.0 - 74.95.191.255
Comcast Business Communications, LLC CBC-CM-4 (NET-74-92-0-0-1) 74.92.0.0 - 74.95.255.255


What do we notice with my example? Comcast Business Communications. What about normal Comcast cable users?

Code:
[root@kenji ~]# whois -h whois.arin.net 67.175.82.0

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=67.175.82.0?showDetails=true&showARIN=false&ext=netref2
#

Comcast Cable Communications, Inc. COMCAST (NET-67-160-0-0-1) 67.160.0.0 - 67.191.255.255
Comcast Cable Communications, Inc ILLINOIS-19 (NET-67-175-0-0-1) 67.175.0.0 - 67.175.127.255


Notice the differences? Now let's look at what Rel1k posts in his book:

Code:
[root@kenji ~/]# whois -h whois.arin.net 75.118.185.142

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=75.118.185.142?showDetails=true&showARIN=false&ext=netref2
#

WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1) 75.118.184.0 - 75.118.191.255
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 - 75.118.255.255


Most BUSINESSES will have their business information posted on the whois. We see none of this. Alongside that statement, there is no indicator of any business name or secmaniac or maniac or sec or any other worthwhile identifier to state this IP space belongs to the author. So let's see who owns the IP space and what type of business they are in: WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 - 75.118.255.255. Doesn't seem like a security company to me; it's a cable provider (http://www.wowway.com/).

Let's try this with Microsoft:

Code:
[root@kenji ~]# nslookup microsoft.com | sed -n '8p' | awk '{print "whois -h whois.arin.net "$2}' |sh|grep "^Org"|sort -u
OrgAbuseEmail:  abuse@hotmail.com
OrgAbuseEmail:  abuse@microsoft.com
OrgAbuseEmail:  abuse@msn.com
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   Abuse
OrgAbuseName:   Hotmail Abuse
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE231-ARIN
OrgAbuseRef:    http://whois.arin.net/rest/poc/HOTMA-ARIN
OrgAbuseRef:    http://whois.arin.net/rest/poc/MSNAB-ARIN
OrgId:          MSFT
OrgNOCEmail:  noc@microsoft.com
OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCRef:    http://whois.arin.net/rest/poc/ZM23-ARIN
OrgName:        Microsoft Corp
OrgTechEmail:  iprrms@microsoft.com
OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechRef:    http://whois.arin.net/rest/poc/MSFTP-ARIN


Notice two things: 1) the information for the COMPANY and 2) the AMOUNT of information being returned. Most whois lookups will return A LOT of information for companies, whereas for most ISPs the return will be a line or two long. That's first. The second thing to notice is the names of the business itself, or the association between the domain you are looking up and the returned information.

Code:
[root@kenji ~/]# whois -h whois.arin.net 96.126.127.220

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=96.126.127.220?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       96.126.96.0 - 96.126.127.255
CIDR:           96.126.96.0/19
OriginAS:
NetName:        LINODE-US
NetHandle:      NET-96-126-96-0-1
Parent:         NET-96-0-0-0-0
NetType:        Direct Allocation
Comment:        This block is used for static customer allocations.
RegDate:        2011-05-06
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-96-126-96-0-1

OrgName:        Linode
OrgId:          LINOD
Address:        329 E. Jimmie Leeds Road
Address:        Suite A
City:           Galloway
StateProv:      NJ
PostalCode:     08205
Country:        US
RegDate:        2008-04-24
Updated:        2010-08-31
Comment:        http://www.linode.com
Ref:            http://whois.arin.net/rest/org/LINOD

OrgNOCHandle: LNO21-ARIN
OrgNOCName:   Linode Network Operations
OrgNOCPhone:  +1-609-593-7103
OrgNOCEmail:  support@linode.com
OrgNOCRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

OrgAbuseHandle: LAS12-ARIN
OrgAbuseName:   Linode Abuse Support
OrgAbusePhone:  +1-609-593-7103
OrgAbuseEmail:  abuse@linode.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/LAS12-ARIN

OrgTechHandle: LNO21-ARIN
OrgTechName:   Linode Network Operations
OrgTechPhone:  +1-609-593-7103
OrgTechEmail:  support@linode.com
OrgTechRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

RNOCHandle: LNO21-ARIN
RNOCName:   Linode Network Operations
RNOCPhone:  +1-609-593-7103
RNOCEmail:  support@linode.com
RNOCRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

RTechHandle: LNO21-ARIN
RTechName:   Linode Network Operations
RTechPhone:  +1-609-593-7103
RTechEmail:  support@linode.com
RTechRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

RAbuseHandle: LAS12-ARIN
RAbuseName:   Linode Abuse Support
RAbusePhone:  +1-609-593-7103
RAbuseEmail:  abuse@linode.com
RAbuseRef:    http://whois.arin.net/rest/poc/LAS12-ARIN


So who is this? What kind of company is it? I will let you answer this question now. It all boils down to the power of logic and reasoning when unsure. You can i) visit the website a whois returns to see more about the type of business associated with the address, and so forth.

This is THE BIGGEST REASON that I am a stickler for understanding the common grounds of networking and systems before even attempting to venture out into security.
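sil's post reads the whois output by eye; as an added example (not from the thread, the book, or any tool named here), the same reasoning in Python, with the ARIN records quoted above re-typed as constructed samples. It also answers DragonGorge's nameserver question from Reply #32. The field names, thresholds and classification labels are my own assumptions.

```python
import re
# Constructed samples in the shapes quoted in the thread (not live lookups):
# ARIN one-line netblock summaries and a trimmed "Key: value" record.
SUMMARY_LINES = [
    "Comcast Business Communications, LLC CBC-PHILADELPHIA-33 (NET-74-95-160-0-1) 74.95.160.0 - 74.95.191.255",
    "Comcast Cable Communications, Inc ILLINOIS-19 (NET-67-175-0-0-1) 67.175.0.0 - 67.175.127.255",
    "WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 - 75.118.255.255",
]
HOSTING_RECORD = ("NetRange:  96.126.96.0 - 96.126.127.255\nNetType:  Direct Allocation\n"
                  "Comment:  This block is used for static customer allocations.\n"
                  "OrgName:  Linode\nOrgId:  LINOD\nOrgAbuseEmail:  abuse@linode.com\n")
SUMMARY_RE = re.compile(r"^(?P<org>.+?) (?P<netname>\S+) \((?P<handle>NET-[\w-]+)\) "
                        r"(?P<start>[\d.]+) - (?P<end>[\d.]+)$")

def parse_summary(line):
    """Split an ARIN one-line summary into org, netname, handle and range."""
    m = SUMMARY_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_org(org):
    """sil's first signal: what the allocating org's name says. A name that says
    nothing (WideOpenWest Finance LLC) is 'unknown': go look the provider up."""
    o = org.lower()
    if "business" in o:
        return "business-isp"
    if any(w in o for w in ("cable", "broadband", "dsl")):
        return "consumer-isp"
    return "unknown"

def parse_record(text):
    """Parse 'Key: value' whois lines; repeated keys accumulate in a list."""
    rec = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            k, v = line.split(":", 1)
            rec.setdefault(k.strip(), []).append(v.strip())
    return rec

def classify_record(rec):
    """sil's second signal: a full Org* block plus a comment about handing the
    block to customers means a hosting provider; a bare ISP pool has no Org*."""
    org_fields = sum(1 for k in rec if k.startswith("Org"))
    comment = " ".join(rec.get("Comment", [])).lower()
    if org_fields >= 3 and "customer allocation" in comment:
        return "hosting-provider"
    return "organisation-owned" if org_fields >= 3 else "isp-pool"

def nameserver_in_domain(ns, domain):
    """Reply #32, question 1: NS57.DOMAINCONTROL.COM is not under secmaniac.net."""
    ns, domain = ns.lower().rstrip("."), domain.lower().rstrip(".")
    return ns == domain or ns.endswith("." + domain)
```

The WideOpenWest summary line has no "Key: value" fields at all, which is exactly the "line or two" sil contrasts with the Linode and Microsoft records.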

DragonGorge
« Reply #36 on: April 26, 2012, 10:26:06 AM »

For the challenge on the current (as opposed to the book's) whois/netcraft results...

Performing a whois on secmaniac.net yields:
Code:
Domain name: secmaniac.net

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()
  
   Fax:
   PMB 368, 14150 NE 20th St - F1
   C/O secmaniac.net
   Bellevue, WA 98007
   US

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (vmhpxgmj@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O secmaniac.net
   Bellevue, WA 98007
   US

Technical Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (vmhpxgmj@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O secmaniac.net
   Bellevue, WA 98007
   US

Status: Locked

Name Servers:
   ns1.secmaniac.net
   ns2.secmaniac.net
   ns3.secmaniac.net
   ns4.secmaniac.net

Not a lot of company related info here (as opposed to what we'd get from yahoo.com) and the Netcraft query yields 96.126.127.220 for the ip and the owner of the netblock being Linode. Additionally, the "C/O secmaniac.net" would be a clue that we're dealing with some kind of hosting/proxy service.

So looking at the results of your previous posting on 96.126.127.220, we again see info pertaining to Linode, and further inspection of Linode indicates this is a web hosting company, i.e. this is not residential. Yes/No/Partial credit?


Curiously, doing an nslookup on secmaniac.net yields a different IP, and doing yet another whois on that IP yields the following:
Code:
> set type=any
> secmaniac.net

Non-authoritative answer:
Name: secmaniac.net
Address: 184.106.97.209

whois results:
Rackspace Hosting RACKS-8-NET-4 (NET-184-106-0-0-1) 184.106.0.0 - 184.106.255.255
Slicehost RACKS-8-1292257565649418 (NET-184-106-96-0-1) 184.106.96.0 - 184.106.99.255
Which appears to be yet another web/cloud hosting company.

However, I can ping 96.126.127.220 but not 184.106.97.209 so my conclusion would be that the nslookup info is stale and secmaniac.net has been moving around quite a bit since the book was written.

I'd still like to do the same analysis on a real residential site.
« Last Edit: April 26, 2012, 10:27:57 AM by DragonGorge »