
Reconnaissance step questions

erojas66

Newbie

Posts: 2

Joined: Sun Sep 09, 2007 10:52 am

Post Tue Jan 08, 2008 6:17 am

Reconnaissance step questions

Hello all, I'm new to the security arena and have a question regarding results from the reconnaissance step. After getting information about a client, I find that he has not been assigned an IP address, at least, that's what it states when I use various whois and dnslookup tools.

All articles I find discuss what to do after this step and assume the company has a range of IP addresses. Well, what do you do next when this is not the case? The company is using the ISP's hosting solution (web hosting and mail servers).

Is this as far as I can go with this "passive stage"?

Thanks a lot for your help,
vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Tue Jan 08, 2008 7:20 am

Re: Reconnaissance step questions

I don't know what you are doing or why, but the next logical step after recon is scanning. Well, if you did not get enough information in the first step, maybe you need to go back and do it again, and maybe try a different approach.

Hope this helps.
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Tue Jan 08, 2008 11:27 am

Re: Reconnaissance step questions

From your description, you have a company that's using an ISP's services for web hosting and mail. Their connectivity to the internet is also probably through the ISP as well, so in theory there are two different types of targets.

Your first target is going to be the web/mail server. This is the IP address you should receive when you whois their web server. Most likely, their web server and mail server are on the same box (most likely in a shared hosting configuration). Your legitimate pen testing on this box will most likely be in the app pen testing arena, but you won't be "in the company" if you can get any access.

The second target is going to be the company's connection to the internet itself. If the company is using a standard ISP for connectivity, they probably have a DHCP-assigned address, and they are just like any average home user connected to the internet. Performing black box recon against a target like this is difficult at best.

If you are testing assets owned by an ISP, used by a 3rd party company, make sure your written agreement has verbiage that addresses any concerns of the ISP in case they come hunting you down.
Poking at security since 1986.  +++ATH
erojas66

Newbie

Posts: 2

Joined: Sun Sep 09, 2007 10:52 am

Post Tue Jan 08, 2008 12:16 pm

Re: Reconnaissance step questions

Thank you, Rance, for your answer. This is what is happening with the information I collected. The client is using the ISP's web hosting solution; in fact, when I do a reverse IP on their web server, it turns out this server is hosting 64+ other domains.

The funny thing is their email server is being hosted by a different ISP than the one hosting their web server. I have to get more experience in this field to understand if this is normal or is strange or if it's actually a good thing.

But your answer was right on the money as to what I was thinking. That in order for me to get more info on this client, I would be forced to recon the ISP's servers and I am not about to play around with ISPs unless I have a "get out of jail" card.

Thanks a lot for your help,

Ed...

LSOChris

Post Tue Jan 08, 2008 6:47 pm

Re: Reconnaissance step questions

That is fairly common: a hosted web page, with mail managed by the company.

You'll probably want to check what's around the class C of the mail server to see if it's related to the org you are looking into.
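The check LSOChris describes (walk the /24, or "class C", around the mail server and see which neighbours belong to the client rather than to the ISP) as a small added example. This is not code from any poster in the thread; it is written here to illustrate the step. The client domain `example.com`, the hosting-provider names and every address are constructed sample data from the RFC 5737 test networks and RFC 2606 reserved domains, and the PTR answers are a hand-built snapshot so the script runs offline. It also covers erojas66's earlier observation about the shared web host: surveying the block around the web server shows no client-owned neighbours, only the hosting provider's names.

```python
"""Added example: survey the /24 around a hosted mail or web server.

For each address in the block, reverse-resolve it and group the PTR
names by registrable domain. A block full of the ISP's generic names
means the client only rents a slot there; neighbours under the client's
own domain suggest the org has more presence than the single record
you started from. All sample data below is constructed.
"""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed PTR snapshot (assumption, not real DNS data):
#   - client "example.com" has its web site on a shared host at ISP A
#     (203.0.113.0/24) and its mail at a second provider (198.51.100.0/24).
CONSTRUCTED_PTRS: Dict[str, str] = {
    "203.0.113.10": "shared-web10.hosting-a.example.net",   # client's web server
    "203.0.113.11": "shared-web11.hosting-a.example.net",   # another shared box
    "198.51.100.25": "mail.example.com",                     # client's MX
    "198.51.100.26": "smtp-out.example.com",                 # client outbound relay
    "198.51.100.30": "mx1.provider-b.example.org",           # mail provider's own MX
    "198.51.100.31": "mx2.provider-b.example.org",
    "198.51.100.40": "mail.unrelated-tenant.example.org",    # some other tenant
}


def surrounding_block(ip: str, prefix_len: int = 24) -> ipaddress.IPv4Network:
    """Return the prefix containing `ip`; /24 is the old 'class C'."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def registrable_domain(hostname: str) -> str:
    """Crude apex: the last two labels. Assumption: no public-suffix list,
    so names under two-level TLDs (e.g. .co.uk) would be mis-split."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def snapshot_lookup(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed snapshot."""
    return CONSTRUCTED_PTRS.get(ip)


def live_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup; pass this as `lookup` when you are online and in scope."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def survey_block(ip: str,
                 lookup: Callable[[str], Optional[str]] = snapshot_lookup,
                 prefix_len: int = 24) -> Dict[str, object]:
    """Reverse-resolve every host in the block around `ip` and tally apex domains."""
    net = surrounding_block(ip, prefix_len)
    resolved: Dict[str, str] = {}
    by_apex: Counter = Counter()
    for host in net.hosts():
        name = lookup(str(host))
        if name:
            resolved[str(host)] = name
            by_apex[registrable_domain(name)] += 1
    return {"network": str(net), "resolved": resolved, "by_apex": by_apex}


def related_hosts(survey: Dict[str, object], client_domain: str) -> List[str]:
    """Addresses whose PTR falls under the client's own domain."""
    client = client_domain.lower()
    resolved: Dict[str, str] = survey["resolved"]  # type: ignore[assignment]
    return sorted(ip for ip, name in resolved.items()
                  if registrable_domain(name) == client)


if __name__ == "__main__":
    for target in ("203.0.113.10", "198.51.100.25"):
        s = survey_block(target)
        print(f"{target} -> {s['network']}: {dict(s['by_apex'])}")
        print("  neighbours under example.com:", related_hosts(s, "example.com"))
```

Against the snapshot, the web server's block resolves only to the hosting provider's names, while the mail server's block turns up two addresses under the client's own domain, which is the kind of lead the post is after. A real run with `live_lookup` issues 254 PTR queries per block and will stall on unanswered ones, so set a resolver timeout, and as rance noted, only do it once the ISP is covered by the written agreement.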
