SlideShare a Scribd company logo

Bidirectional link extraction

SensePost
SensePost

This document discusses techniques for footprinting targets without prior knowledge in order to identify non-obvious relationships. It describes a methodology involving expanding the scope of information through tools like BiLE to extract links, then reducing the scope through techniques like vetting domains by IP range, MX records, and WHOIS information. The goal is to iteratively expand and reduce the scope to develop a comprehensive understanding of connected domains and IP ranges related to the initial target.

Technology
1 of 28
Download to read offline
The Role of Non Obvious Relationships in the Foot Printing Process Roelof Temmingh & Charl van der Walt SensePost BlackHat windows Seattle USA 2003/02
Schedule Introduction Why are we excited about foot printing? The bigger picture Footprint methodology BiLE & friends Vet-IPRange Vet-MX Vet-whois Exp-whois Exp-TLD Vet-TLD
Introduction SensePost The speaker Objective of presentation
Why are we excited about foot printing? (it seems boring) As a security officer Know your perimeter Pressures from business As cyber criminal Firewalls frenzy/patches plenty Finding the one box, not the one bug As cyber terrorist “He pressed the button” Automated targeting
the bigger picture Foot printing is the very first phase Network Attack Footprinting Recon visiblity Penetration
Foot printing methodology Part I Expand / Reduce / Expand / Reduce Lots domains reduce Single domain EXPAND of w e really w ant domains
Foot printing methodology Part II DNS and ICMP reverse 255 IP resolution IP number : DNS name All domains netblocks forw ard tracerouter to Part I ! Start IP - End IP blocks target
Expanding domains The challenge With no prior knowledge, how do we link Blackhat.com with Defcon.org?? The thinking If you surf around enough you’ll find all relationships. Practically Find links from the site Find link to the site Technically Mirror site – extract links and mailto (from) Parse Google’s “link” output - who links to site (to) Repeat for 2nd degree
Expanding domains BiLE (Bi directional link extractor) How to use: perl BiLE.pl [website] [output file] [website] is a website name e.g. “www.sensepost.com” [output file] is where the results go Output: Creates a file named [output file] Output format: Source_site:Destination_site Typical output: www.2can2.com:www.business.com www.2computerguys.com:www.business.com www.3g.cellular.phonecall.net:www.business.com www.4-webpromotion.com:www.business.com www.4investinginfo.com:www.business.com www.4therapist.com:www.business.com
Expanding domains The thinking I can’t control who links to me, I control where I link to If you have one link and it’s to me, I have to be important to you If I link only to you I must consider you as important If we link to each other we must be friends Practically Algorithms & Math Technically Start with a seed value, compute nodes around it Repeat for 2nd degree
Expanding domains A (1/2 * 1 * 300)= 150 C (1/2 * 0.6 * 300)= 90 CoreSite 300 B (1/2 * 1 * 300) + (1/2 * 0.6 * 300)= 240
Expanding domains E 150 * 1/3 * 0.6 = D 30 150 * 1 *1 = F 150 90 *1/3 *1= 90 A 150 [3 in 1 out] 90 * 1/3 = 30 150+30 =180 C 90 [3 out] 150 * 1/3 * 0.6=30 90+30=120 I 240 * 1/3 * 1 = 80 CoreSite 300 B 240 [2 in 3 out] G H 240 * 1/2 * 0.6 = 240 * 1/3 * 1= 80 72
Part I Expanding domains
Expanding domains BiLE-weigh How to use: perl BiLE-weigh.pl [website] [input file] [output file] [website] is a website name e.g. www.sensepost.com [input file] is the output from BiLE [output file] is where the results go Output: Creates a file sorted by weight Output format: Site name:Weight Typical output: wwww.openbsd.org:7.49212171782761 www.nextgenss.com:7.34483195478955 www.sys-security.com:7.25768324873614 www.checkpoint.com:7.0138611250576 www.linuxjournal.com:6.79452957233751
BiLE produced WhiteHatHate hitlist when ran against www.blackhat.com: ☺ www.blackhat.com:50.3049528424648 www.blackhat.com:50.3049528424648 www.securityfocus.com:11.3150081121516 www.securityfocus.com:11.3150081121516 www.defcon.org:11.2060624907226 www.defcon.org:11.2060624907226 www.securite.org:9.67638979330349 www.securite.org:9.67638979330349 project.honeynet.org:9.65245677663783 project.honeynet.org:9.65245677663783 www.attrition.org:8.46145320129212 www.nmrc.org:8.31004885760989 www.nmrc.org:8.31004885760989 www.counterpane.com:8.21911119645071 www.scmagazine.com:8.16574297298595 www.scmagazine.com:8.16574297298595 www.infosecuritymag.com:7.92484572624653 www.infosecuritymag.com:7.92484572624653 www.convmgmt.com:7.89473684210526 www.convmgmt.com:7.89473684210526 www.argus-systems.com:7.66637407873695 www.argus- www.eeye.com:7.54444401342593 www.eeye.com:7.54444401342593 www.whitehatsec.com:7.53535602958039 www.whitehatsec.com:7.53535602958039 www.openbsd.org:7.49212171782761 www.openbsd.org:7.49212171782761 www.nextgenss.com:7.34483195478955 www.nextgenss.com:7.34483195478955 www.sys-security.com:7.25768324873614 www.sys- www.checkpoint.com:7.0138611250576 www.linuxjournal.com:6.79452957233751 www.linuxjournal.com:6.79452957233751 www.virusbtn.com:6.77886359051686 www.virusbtn.com:6.77886359051686 www.sqlsecurity.com:6.63899999339814 www.sqlsecurity.com:6.63899999339814 www.itsx.com:6.57476232632585 www.itsx.com:6.57476232632585 www.jjbsec.com:6.5624504711275 www.jjbsec.com:6.5624504711275 www.doxpara.com:6.52105355480091 www.doxpara.com:6.52105355480091 www.syngress.com:6.49850924368889 www.syngress.com:6.49850924368889 www.sensepost.com:6.48120884564563 www.sensepost.com:6.48120884564563
Reducing domains The thinking There are too many sites/domains! Machines located close together on IP level could be related Practically & Technically Get the IP numbers of the sites you know are right / core site Get the other IP numbers If they are within a predefined range, hang on to them
reducing domains vet-IPRange How to use: perl vet-IPrange.pl [input file] [true domain file] [output file] <range> Input file file containing list of DNS names True site file contains list of DNS names to be compared to Output file file containing matched domains Range (optional) Flexibility in IP number match (default 32) Output / format: Site_name Issue: Virtually hosted sites (but these are interesting anyhow)
Reducing domains The thinking Mail for different domains can go to the same mail server roelof@sensepost.com/co.za/co.uk goes to the same mailbox/mail server Practically & Technically Get the IP numbers of MX records of domains you know are right Get the IP numbers of the MX records of the other domains If they are within a predefined range, hang on to them
reducing domains vet-MX How to use: perl vet-mx.pl [input file] [true domain file] [output file] <range> Input file file containing list of domains True domain file contains list of domains to be compared to Output file file containing matched domains Range (optional) Flexibility in IP number match (default 32) Output / format: Matched_domains
Reducing domains The thinking People use the same company name / name / telephone/fax number or address when registering different domains Practically Obtain the whois info for domains you know are right Snip stuff that stays the same – e.g last 4 digits of fax number Obtain whois info for the domains in question – match it Technically GeekTools whois proxy is your friend (Thanks Robb Ballard)
reducing domains vet-Whois How to use: perl vet-whois.pl [input file] [search terms file] [output file] Input file file containing list of domains Search terms file contains search terms – each on new line Output file file containing domains where whois info match Output / format: Matched_domains Problem: Amount of requests are limited Not all TLDs have whois servers (156 / 260 do) Pssst - did you know that Datamerica.com is not Black Hat’s ISP - its registered by Jeff
Expanding…Again The thinking If you registered blackhat.com you might also have registered blackhatconsulting.com and blackhatconference.net Practically Wildcard searches works on some whois servers Technically Wildcards support at whois.crsnic.net – .com, .net and .org. Only two other- .cz and .mil (whois.nic.cz / whois.nic.mil)
Expanding - Again Exp-whois How to use: perl exp-whois.pl [input file] [output file] Input file file containing list of domains Output file file containing domains expanded with whois wildcard Output / format: domains Problem: Does not return more than 50 entries – have to brute force Requests are limited
Expanding…Again The thinking If you registered blackhat.com you might also have registered blackhat.co.uk and blackhat.il Practically Look for same domain with different TLDs Technically Add domain.co/com/org/ac in front of all the TLDs Do nslookup –t any and see if you get something
Expanding - Again Exp-TLD How to use: perl exp-TLD.pl [input file] [output file] Input file file containing list of domains Output file file containing domains valid in other TLDs Output / format: domains Problem: TEMPLATE SITES!!
Reducing…one last time How do we handle these pesky DNS junk yards? · .cc· .co.cc· .co.cc· .ac.cc· .com.ki· .org.ki· .cx· .co.cx · com.cz· .ac.kz· .co.dk· .td· .com.tj· .tk· .com.tk· .co.tk· .ac.tk· .org.tk· co.tv· .co.nr· .com.nu· .com.vu· .org.vu· ac.gs · .ws· .com.ws· .org.ws· .ph· .com.ph· .co.ph· .ac.h· .org.ph· .co.pl· .org.com· .co.pt· .io· .co.io· .ac.io· .co.is vet-TLD.pl and baseline.pl does the following: Create TLD “blacklist” fingerprint database (consist of MD5 hash of IP number(s) of website and MX records) If its TLD not in “blacklist” then its pretty real If its TLD is in the list: If fingerprint match found in database – throw out else …rules apply…
Part II – from domains to Start:End IP numbers Why state the obvious? (and it’s in the paper!) Getting the IP numbers Zone transfer Brute force forward MX records Where reverse entries match - walking of blocks Identifying the boundaries Query of core routers Looking Glasses (Digex) Our quick tracerouter – TTL “prediction” Speed increase & work in progress Multi threading Asynchronous DNS – talker/listener split (in progress)
Conclusion Don’t you just love this part…? Foot printing is not an exact science There is no super recipe for always getting it right Order of tools are important and differ per client/target Automation might surprise you with its results Automation has patience/does not get bored Automation is thorough Automation only goes that far Tools are available on request. Send nice letters to research@sensepost.com

Recommended

Plaza Sendero Veracruz Puerto
Plaza Sendero Veracruz PuertoPlaza Sendero Veracruz Puerto
Plaza Sendero Veracruz Puerto
colonosdelpuerto
 
Ron Mueck Escultor Real
Ron Mueck Escultor RealRon Mueck Escultor Real
Ron Mueck Escultor Real
Armando Leonardo
 
Donia Lilly Artist Portfolio ~ Evocations Series
Donia Lilly Artist Portfolio ~ Evocations SeriesDonia Lilly Artist Portfolio ~ Evocations Series
Donia Lilly Artist Portfolio ~ Evocations Series
donialilly
 
R glez cmic_cualiacan2010
R glez cmic_cualiacan2010R glez cmic_cualiacan2010
R glez cmic_cualiacan2010
davidpc123
 
Lenso
LensoLenso
Lenso
Uli Kaiser
 
Hermoseamiento Jardín Calle Libertad
Hermoseamiento Jardín Calle LibertadHermoseamiento Jardín Calle Libertad
Hermoseamiento Jardín Calle Libertad
CreoAntofagasta
 
Oportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, Perú
Oportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, PerúOportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, Perú
Oportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, Perú
Giuliana Fumagalli
 
Miercoles 03 de junio
Miercoles 03 de junioMiercoles 03 de junio
Miercoles 03 de junio
josejavierlaricocarranza
 

Recommended

Plaza Sendero Veracruz Puerto
Plaza Sendero Veracruz PuertoPlaza Sendero Veracruz Puerto
Plaza Sendero Veracruz Puerto
colonosdelpuerto
 
Ron Mueck Escultor Real
Ron Mueck Escultor RealRon Mueck Escultor Real
Ron Mueck Escultor Real
Armando Leonardo
 
Donia Lilly Artist Portfolio ~ Evocations Series
Donia Lilly Artist Portfolio ~ Evocations SeriesDonia Lilly Artist Portfolio ~ Evocations Series
Donia Lilly Artist Portfolio ~ Evocations Series
donialilly
 
R glez cmic_cualiacan2010
R glez cmic_cualiacan2010R glez cmic_cualiacan2010
R glez cmic_cualiacan2010
davidpc123
 
Lenso
LensoLenso
Lenso
Uli Kaiser
 
Hermoseamiento Jardín Calle Libertad
Hermoseamiento Jardín Calle LibertadHermoseamiento Jardín Calle Libertad
Hermoseamiento Jardín Calle Libertad
CreoAntofagasta
 
Oportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, Perú
Oportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, PerúOportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, Perú
Oportunidad de trabajo Jefe de planta. Agroindustria. Huacho, Lima, Perú
Giuliana Fumagalli
 
Miercoles 03 de junio
Miercoles 03 de junioMiercoles 03 de junio
Miercoles 03 de junio
josejavierlaricocarranza
 
Marketing Automation - Why, What, How
Marketing Automation - Why, What, HowMarketing Automation - Why, What, How
Marketing Automation - Why, What, How
Jonas Verhaeghe
 
Iberian Lawyer Magazine - Latin America Special Focus
Iberian Lawyer Magazine - Latin America Special FocusIberian Lawyer Magazine - Latin America Special Focus
Iberian Lawyer Magazine - Latin America Special Focus
Hogan Lovells BSTL
 
Procesamiento EMV con PRODUCTOS tranzware
Procesamiento EMV con PRODUCTOS tranzwareProcesamiento EMV con PRODUCTOS tranzware
Procesamiento EMV con PRODUCTOS tranzware
Asociación de Marketing Bancario Argentino
 
Cash webinar flyer
Cash webinar flyerCash webinar flyer
Cash webinar flyer
Meike Heidorn v. Koschitzky
 
Violines I (1) partitura
Violines I (1) partituraViolines I (1) partitura
Violines I (1) partitura
Vicente Umpiérrez Sánchez
 
Growth Uninterrupted with Security, Scalability and Simplicity
Growth Uninterrupted with Security, Scalability and SimplicityGrowth Uninterrupted with Security, Scalability and Simplicity
Growth Uninterrupted with Security, Scalability and Simplicity
PeopleWorks IN
 
Diputados especiales indígenas
Diputados especiales indígenasDiputados especiales indígenas
Diputados especiales indígenas
Claudio Vargas
 
Agni Indian Resaturant - Wine & Beverage List
Agni Indian Resaturant - Wine & Beverage ListAgni Indian Resaturant - Wine & Beverage List
Agni Indian Resaturant - Wine & Beverage List
Merry Martin
 
La Matière Sonore
La Matière Sonore La Matière Sonore
La Matière Sonore
adensamuel
 
Prepa de proyecto
Prepa de proyectoPrepa de proyecto
Prepa de proyecto
brian.nunez06
 
247 help alert en Espanol
247 help alert en Espanol247 help alert en Espanol
247 help alert en Espanol
Raul Bendezu
 
Guia Sistema 30 dias Colombia
Guia Sistema 30 dias ColombiaGuia Sistema 30 dias Colombia
Guia Sistema 30 dias Colombia
Carlos Uzcategui
 
Evolución del producto de turismo en bicicleta
Evolución del producto de turismo en bicicletaEvolución del producto de turismo en bicicleta
Evolución del producto de turismo en bicicleta
Chus Blázquez
 
Business Case Insyte
Business Case InsyteBusiness Case Insyte
Business Case Insyte
Ciro Alonso
 
Powerful Presentations
Powerful PresentationsPowerful Presentations
Powerful Presentations
Adomas Baltagalvis
 
Biografías Candidatos a Diputados 2014 Oscar lopez
Biografías Candidatos a Diputados 2014 Oscar lopezBiografías Candidatos a Diputados 2014 Oscar lopez
Biografías Candidatos a Diputados 2014 Oscar lopez
Pase San Jose
 
objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
SensePost
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
SensePost
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
SensePost
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
SensePost
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
SensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
SensePost
 

More Related Content

Viewers also liked

Iberian Lawyer Magazine - Latin America Special Focus
Iberian Lawyer Magazine - Latin America Special FocusIberian Lawyer Magazine - Latin America Special Focus
Iberian Lawyer Magazine - Latin America Special Focus
Hogan Lovells BSTL
 
247 help alert en Espanol
247 help alert en Espanol247 help alert en Espanol
247 help alert en Espanol
Raul Bendezu
 
Business Case Insyte
Business Case InsyteBusiness Case Insyte
Business Case Insyte
Ciro Alonso
 
Biografías Candidatos a Diputados 2014 Oscar lopez
Biografías Candidatos a Diputados 2014 Oscar lopezBiografías Candidatos a Diputados 2014 Oscar lopez
Biografías Candidatos a Diputados 2014 Oscar lopez
Pase San Jose
 

Viewers also liked (16)

Marketing Automation - Why, What, How
Marketing Automation - Why, What, HowMarketing Automation - Why, What, How
Marketing Automation - Why, What, How
 
Iberian Lawyer Magazine - Latin America Special Focus
Iberian Lawyer Magazine - Latin America Special FocusIberian Lawyer Magazine - Latin America Special Focus
Iberian Lawyer Magazine - Latin America Special Focus
 
Procesamiento EMV con PRODUCTOS tranzware
Procesamiento EMV con PRODUCTOS tranzwareProcesamiento EMV con PRODUCTOS tranzware
Procesamiento EMV con PRODUCTOS tranzware
 
Cash webinar flyer
Cash webinar flyerCash webinar flyer
Cash webinar flyer
 
Violines I (1) partitura
Violines I (1) partituraViolines I (1) partitura
Violines I (1) partitura
 
Growth Uninterrupted with Security, Scalability and Simplicity
Growth Uninterrupted with Security, Scalability and SimplicityGrowth Uninterrupted with Security, Scalability and Simplicity
Growth Uninterrupted with Security, Scalability and Simplicity
 
Diputados especiales indígenas
Diputados especiales indígenasDiputados especiales indígenas
Diputados especiales indígenas
 
Agni Indian Resaturant - Wine & Beverage List
Agni Indian Resaturant - Wine & Beverage ListAgni Indian Resaturant - Wine & Beverage List
Agni Indian Resaturant - Wine & Beverage List
 
La Matière Sonore
La Matière Sonore La Matière Sonore
La Matière Sonore
 
Prepa de proyecto
Prepa de proyectoPrepa de proyecto
Prepa de proyecto
 
247 help alert en Espanol
247 help alert en Espanol247 help alert en Espanol
247 help alert en Espanol
 
Guia Sistema 30 dias Colombia
Guia Sistema 30 dias ColombiaGuia Sistema 30 dias Colombia
Guia Sistema 30 dias Colombia
 
Evolución del producto de turismo en bicicleta
Evolución del producto de turismo en bicicletaEvolución del producto de turismo en bicicleta
Evolución del producto de turismo en bicicleta
 
Business Case Insyte
Business Case InsyteBusiness Case Insyte
Business Case Insyte
 
Powerful Presentations
Powerful PresentationsPowerful Presentations
Powerful Presentations
 
Biografías Candidatos a Diputados 2014 Oscar lopez
Biografías Candidatos a Diputados 2014 Oscar lopezBiografías Candidatos a Diputados 2014 Oscar lopez
Biografías Candidatos a Diputados 2014 Oscar lopez
 

More from SensePost

Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
SensePost
 

More from SensePost (20)

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Recently uploaded (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Bidirectional link extraction

  • 1. The Role of Non Obvious Relationships in the Foot Printing Process Roelof Temmingh & Charl van der Walt SensePost BlackHat windows Seattle USA 2003/02
  • 2. Schedule Introduction Why are we excited about foot printing? The bigger picture Footprint methodology BiLE & friends Vet-IPRange Vet-MX Vet-whois Exp-whois Exp-TLD Vet-TLD
  • 3. Introduction SensePost The speaker Objective of presentation
  • 4. Why are we excited about foot printing? (it seems boring) As a security officer Know your perimeter Pressures from business As cyber criminal Firewalls frenzy/patches plenty Finding the one box, not the one bug As cyber terrorist “He pressed the button” Automated targeting
  • 5. the bigger picture Foot printing is the very first phase Network Attack Footprinting Recon visiblity Penetration
  • 6. Foot printing methodology Part I Expand / Reduce / Expand / Reduce Lots domains reduce Single domain EXPAND of w e really w ant domains
  • 7. Foot printing methodology Part II DNS and ICMP reverse 255 IP resolution IP number : DNS name All domains netblocks forw ard tracerouter to Part I ! Start IP - End IP blocks target
  • 8. Expanding domains The challenge With no prior knowledge, how do we link Blackhat.com with Defcon.org?? The thinking If you surf around enough you’ll find all relationships. Practically Find links from the site Find link to the site Technically Mirror site – extract links and mailto (from) Parse Google’s “link” output - who links to site (to) Repeat for 2nd degree
  • 9. Expanding domains BiLE (Bi directional link extractor) How to use: perl BiLE.pl [website] [output file] [website] is a website name e.g. “www.sensepost.com” [output file] is where the results go Output: Creates a file named [output file] Output format: Source_site:Destination_site Typical output: www.2can2.com:www.business.com www.2computerguys.com:www.business.com www.3g.cellular.phonecall.net:www.business.com www.4-webpromotion.com:www.business.com www.4investinginfo.com:www.business.com www.4therapist.com:www.business.com
  • 10. Expanding domains The thinking I can’t control who links to me, I control where I link to If you have one link and it’s to me, I have to be important to you If I link only to you I must consider you as important If we link to each other we must be friends Practically Algorithms & Math Technically Start with a seed value, compute nodes around it Repeat for 2nd degree
  • 11. Expanding domains A (1/2 * 1 * 300)= 150 C (1/2 * 0.6 * 300)= 90 CoreSite 300 B (1/2 * 1 * 300) + (1/2 * 0.6 * 300)= 240
  • 12. Expanding domains E 150 * 1/3 * 0.6 = D 30 150 * 1 *1 = F 150 90 *1/3 *1= 90 A 150 [3 in 1 out] 90 * 1/3 = 30 150+30 =180 C 90 [3 out] 150 * 1/3 * 0.6=30 90+30=120 I 240 * 1/3 * 1 = 80 CoreSite 300 B 240 [2 in 3 out] G H 240 * 1/2 * 0.6 = 240 * 1/3 * 1= 80 72
  • 14. Expanding domains BiLE-weigh How to use: perl BiLE-weigh.pl [website] [input file] [output file] [website] is a website name e.g. www.sensepost.com [input file] is the output from BiLE [output file] is where the results go Output: Creates a file sorted by weight Output format: Site name:Weight Typical output: wwww.openbsd.org:7.49212171782761 www.nextgenss.com:7.34483195478955 www.sys-security.com:7.25768324873614 www.checkpoint.com:7.0138611250576 www.linuxjournal.com:6.79452957233751
  • 15. BiLE produced WhiteHatHate hitlist when ran against www.blackhat.com: ☺ www.blackhat.com:50.3049528424648 www.blackhat.com:50.3049528424648 www.securityfocus.com:11.3150081121516 www.securityfocus.com:11.3150081121516 www.defcon.org:11.2060624907226 www.defcon.org:11.2060624907226 www.securite.org:9.67638979330349 www.securite.org:9.67638979330349 project.honeynet.org:9.65245677663783 project.honeynet.org:9.65245677663783 www.attrition.org:8.46145320129212 www.nmrc.org:8.31004885760989 www.nmrc.org:8.31004885760989 www.counterpane.com:8.21911119645071 www.scmagazine.com:8.16574297298595 www.scmagazine.com:8.16574297298595 www.infosecuritymag.com:7.92484572624653 www.infosecuritymag.com:7.92484572624653 www.convmgmt.com:7.89473684210526 www.convmgmt.com:7.89473684210526 www.argus-systems.com:7.66637407873695 www.argus- www.eeye.com:7.54444401342593 www.eeye.com:7.54444401342593 www.whitehatsec.com:7.53535602958039 www.whitehatsec.com:7.53535602958039 www.openbsd.org:7.49212171782761 www.openbsd.org:7.49212171782761 www.nextgenss.com:7.34483195478955 www.nextgenss.com:7.34483195478955 www.sys-security.com:7.25768324873614 www.sys- www.checkpoint.com:7.0138611250576 www.linuxjournal.com:6.79452957233751 www.linuxjournal.com:6.79452957233751 www.virusbtn.com:6.77886359051686 www.virusbtn.com:6.77886359051686 www.sqlsecurity.com:6.63899999339814 www.sqlsecurity.com:6.63899999339814 www.itsx.com:6.57476232632585 www.itsx.com:6.57476232632585 www.jjbsec.com:6.5624504711275 www.jjbsec.com:6.5624504711275 www.doxpara.com:6.52105355480091 www.doxpara.com:6.52105355480091 www.syngress.com:6.49850924368889 www.syngress.com:6.49850924368889 www.sensepost.com:6.48120884564563 www.sensepost.com:6.48120884564563
  • 16. Reducing domains The thinking There are too many sites/domains! Machines located close together on IP level could be related Practically & Technically Get the IP numbers of the sites you know are right / core site Get the other IP numbers If they are within a predefined range, hang on to them
  • 17. reducing domains vet-IPRange How to use: perl vet-IPrange.pl [input file] [true domain file] [output file] <range> Input file file containing list of DNS names True site file contains list of DNS names to be compared to Output file file containing matched domains Range (optional) Flexibility in IP number match (default 32) Output / format: Site_name Issue: Virtually hosted sites (but these are interesting anyhow)
  • 18. Reducing domains The thinking Mail for different domains can go to the same mail server roelof@sensepost.com/co.za/co.uk goes to the same mailbox/mail server Practically & Technically Get the IP numbers of MX records of domains you know are right Get the IP numbers of the MX records of the other domains If they are within a predefined range, hang on to them
  • 19. reducing domains vet-MX How to use: perl vet-mx.pl [input file] [true domain file] [output file] <range> Input file file containing list of domains True domain file contains list of domains to be compared to Output file file containing matched domains Range (optional) Flexibility in IP number match (default 32) Output / format: Matched_domains
  • 20. Reducing domains The thinking People use the same company name / name / telephone/fax number or address when registering different domains Practically Obtain the whois info for domains you know are right Snip stuff that stays the same – e.g last 4 digits of fax number Obtain whois info for the domains in question – match it Technically GeekTools whois proxy is your friend (Thanks Robb Ballard)
  • 21. reducing domains vet-Whois How to use: perl vet-whois.pl [input file] [search terms file] [output file] Input file file containing list of domains Search terms file contains search terms – each on new line Output file file containing domains where whois info match Output / format: Matched_domains Problem: Amount of requests are limited Not all TLDs have whois servers (156 / 260 do) Pssst - did you know that Datamerica.com is not Black Hat’s ISP - its registered by Jeff
  • 22. Expanding…Again The thinking If you registered blackhat.com you might also have registered blackhatconsulting.com and blackhatconference.net Practically Wildcard searches works on some whois servers Technically Wildcards support at whois.crsnic.net – .com, .net and .org. Only two other- .cz and .mil (whois.nic.cz / whois.nic.mil)
  • 23. Expanding - Again Exp-whois How to use: perl exp-whois.pl [input file] [output file] Input file file containing list of domains Output file file containing domains expanded with whois wildcard Output / format: domains Problem: Does not return more than 50 entries – have to brute force Requests are limited
  • 24. Expanding…Again The thinking If you registered blackhat.com you might also have registered blackhat.co.uk and blackhat.il Practically Look for same domain with different TLDs Technically Add domain.co/com/org/ac in front of all the TLDs Do nslookup –t any and see if you get something
  • 25. Expanding - Again Exp-TLD How to use: perl exp-TLD.pl [input file] [output file] Input file file containing list of domains Output file file containing domains valid in other TLDs Output / format: domains Problem: TEMPLATE SITES!!
  • 26. Reducing…one last time How do we handle these pesky DNS junk yards? · .cc· .co.cc· .co.cc· .ac.cc· .com.ki· .org.ki· .cx· .co.cx · com.cz· .ac.kz· .co.dk· .td· .com.tj· .tk· .com.tk· .co.tk· .ac.tk· .org.tk· co.tv· .co.nr· .com.nu· .com.vu· .org.vu· ac.gs · .ws· .com.ws· .org.ws· .ph· .com.ph· .co.ph· .ac.h· .org.ph· .co.pl· .org.com· .co.pt· .io· .co.io· .ac.io· .co.is vet-TLD.pl and baseline.pl does the following: Create TLD “blacklist” fingerprint database (consist of MD5 hash of IP number(s) of website and MX records) If its TLD not in “blacklist” then its pretty real If its TLD is in the list: If fingerprint match found in database – throw out else …rules apply…
  • 27. Part II – from domains to Start:End IP numbers Why state the obvious? (and it’s in the paper!) Getting the IP numbers Zone transfer Brute force forward MX records Where reverse entries match - walking of blocks Identifying the boundaries Query of core routers Looking Glasses (Digex) Our quick tracerouter – TTL “prediction” Speed increase & work in progress Multi threading Asynchronous DNS – talker/listener split (in progress)
  • 28. Conclusion Don’t you just love this part…? Foot printing is not an exact science There is no super recipe for always getting it right Order of tools are important and differ per client/target Automation might surprise you with its results Automation has patience/does not get bored Automation is thorough Automation only goes that far Tools are available on request. Send nice letters to research@sensepost.com