Apache Security - Ivan Ristic [166]
Organizational information
Your first goal is to learn as much as possible about the organization, so going to its public web site is a natural place to start. You are looking for the following information:
Names and positions
Email addresses
Addresses and telephone numbers, which reveal physical locations
Posted documents, which often reveal previous revisions, or information on who created them
The web site should be sufficient for you to learn enough about the organization to map out its network of trust. In a worst-case scenario (from the point of view of attacking them), the organization will trust only itself. If it relies on external entities, there may be many opportunities for exploitation. Here is some of the information you should determine:
Size
The security posture of a smaller organization is often lax, and such organizations usually cannot afford having information security professionals on staff. Bigger companies employ many skilled professionals and possibly have a dedicated information security team.
Outsourcing
Organizations are rarely able to enforce their procedures when parts of the operations are outsourced to external entities. If parts of the organization are outsourced, you may have to expand your search to target other sites.
Business model
Do they rely on a network of partners or distributors to do the business? Distributors are often smaller companies with lax security procedures. A distributor may be an easy point of entry.
Domain name registration
Current domain name registration practices require significant private information to be provided to the public. This information can easily be accessed using the whois service, which is available in many tools, web sites, and on the command line.
There are many whois servers (e.g., one for each registrar), and the important part of finding the information you are looking for is in knowing which server to ask. Normally, whois servers issue redirects when they cannot answer a query, and good tools will follow redirects automatically. When using web-based tools (e.g., http://www.internic.net/whois.html), you will have to perform redirection manually.
Look at what information we can find on O'Reilly (registrar disclaimers have been removed from the output to save space):
$ whois oreilly.com
...
O'Reilly & Associates
1005 Gravenstein Hwy., North
Sebastopol, CA, 95472
US
Domain Name: OREILLY.COM
Administrative Contact -
DNS Admin - nic-ac@OREILLY.COM
O'Reilly & Associates, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
US
Phone - 707-827-7000
Fax - 707-823-9746
Technical Contact -
technical DNS - nic-tc@OREILLY.COM
O'Reilly & Associates
1005 Gravenstein Highway North
Sebastopol, CA 95472
US
Phone - 707-827-7000
Fax - - 707-823-9746
Record update date - 2004-05-19 07:07:44
Record create date - 1997-05-27
Record will expire on - 2005-05-26
Database last updated on - 2004-06-02 10:33:07 EST
Domain servers in listed order:
NS.OREILLY.COM 209.204.146.21
NS1.SONIC.NET 208.201.224.11
Domain name system
A tool called dig can be used to convert names to IP addresses or do the reverse, convert IP addresses to names (known as reverse lookup). An older tool, nslookup, is still popular and widely deployed.
$ dig oreilly.com any
; <<>> DiG 9.2.1 <<>> oreilly.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30773
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 4
;; QUESTION SECTION:
;oreilly.com. IN ANY
;; ANSWER SECTION:
oreilly.com. 20923 IN NS ns1.sonic.net.
oreilly.com. 20923 IN NS ns2.sonic.net.
oreilly.com. 20923 IN NS ns.oreilly.com.
oreilly.com. 20924 IN SOA ns.oreilly.com. nic-tc.oreilly.com. 2004052001 10800 3600 604800 21600
oreilly.com. 20991 IN MX 20 smtp2.oreilly.com.
;; AUTHORITY SECTION:
oreilly.com. 20923 IN NS ns1.sonic.net.
oreilly.com. 20923 IN NS ns2.sonic.net.
oreilly.com.
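As an added example (not code from the book), the following Python script parses dig output of the kind shown above and summarises what the public zone data discloses about an organization: name servers outside the zone (the outsourced part of its network of trust), mail exchangers, the contact mailbox encoded in the SOA RNAME, and the last-change date leaked by a YYYYMMDDnn serial. SAMPLE_DIG_OUTPUT is a constructed sample built from the records above, with the SOA on a single line as dig prints it.

```python
import re

# Constructed sample: the ANSWER records shown above, with the SOA on one line as dig prints it.
SAMPLE_DIG_OUTPUT = """;; ANSWER SECTION:
oreilly.com. 20923 IN NS ns1.sonic.net.
oreilly.com. 20923 IN NS ns2.sonic.net.
oreilly.com. 20923 IN NS ns.oreilly.com.
oreilly.com. 20924 IN SOA ns.oreilly.com. nic-tc.oreilly.com. 2004052001 10800 3600 604800 21600
oreilly.com. 20991 IN MX 20 smtp2.oreilly.com.
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_dig(text):
    """Return (owner, ttl, type, rdata) for each record; lines starting with ';' are dig comments."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m and not line.lstrip().startswith(";"):
            records.append((m[1], int(m[2]), m[3], m[4]))
    return records

def soa_contact(rname):
    """SOA RNAME -> mailbox: the first unescaped dot separates the local part from the domain."""
    m = re.match(r"((?:\\.|[^.])*)\.(.*)", rname)
    return m[1].replace("\\.", ".") + "@" + m[2].rstrip(".") if m else rname

def exposure_summary(zone, text):
    """Summarise what the public zone data reveals about the organization."""
    recs = parse_dig(text)
    ns = sorted(r[3].rstrip(".") for r in recs if r[2] == "NS")
    summary = {
        "nameservers": ns,
        # Name servers outside the zone show where DNS is outsourced (the network of trust).
        "external_nameservers": [n for n in ns if not n.endswith("." + zone)],
        "mail_exchangers": sorted(r[3].split()[1].rstrip(".") for r in recs if r[2] == "MX"),
    }
    for r in recs:
        if r[2] == "SOA":
            _mname, rname, serial, refresh, retry, expire, minimum = r[3].split()
            summary["soa_contact"] = soa_contact(rname)
            # A YYYYMMDDnn serial also leaks the date of the last zone change.
            summary["last_change"] = f"{serial[:4]}-{serial[4:6]}-{serial[6:8]}" if len(serial) == 10 else None
            summary["timers"] = dict(zip(("refresh", "retry", "expire", "minimum"),
                                         map(int, (refresh, retry, expire, minimum))))
    return summary

if __name__ == "__main__":
    for key, value in exposure_summary("oreilly.com", SAMPLE_DIG_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against your own zone's dig output to see which of these details you are publishing; the external name servers and the SOA mailbox are the items most often overlooked.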