Playing With Dns And Domain Names
Introduction
============
Information gathering on a target is a very important step in the process of evaluating the security of a remote host. This article shows how many details you can gather about a host starting from a simple domain name.
Note: This article will only deal with the information gathering part and won’t go into the process of evaluating the security of the host which I am using as an example here. Indeed I have chosen to use a real host so that this article is more meaningful. It means I will stick with the legal part and not do any port scan (should be illegal in most countries). Remember that doing a security test on a host that you do not own is ILLEGAL, while searching for Open Source information is LEGAL.
Let’s play
============
Say we want to dig for information from a target whose main website is http://www.911investigations.net. Nslookup will be the first tool we will be using.
——————————-
Launch nslookup from a command prompt. This can be done under Linux or Windows equally. I will use the Windows nslookup client, because it has some functionality lacking in the bind9 nslookup client (zone transfer for example). Under Linux you could also use the dig utility, but I won’t cover it here (their functionality is equivalent).
——————————-
# nslookup
——————————-
We want to resolve the IP address of www.911investigations.net, no magic here.
——————————-
> www.911investigations.net
Server: 192.168.10.1
Address: 192.168.10.1#53
Non-authoritative answer:
Name: www.911investigations.net
Address: 80.67.172.20
——————————-
Now that we have the IP address of www.911investigations.net, we should look at the reverse name corresponding to the IP address. Indeed when a hosting company gives its client an IP address, it also declares a reverse name, so that one can find the corresponding hostname for a given IP address.
Let’s look at the reverse for 80.67.172.20
——————————-
> 80.67.172.20
Server: 192.168.10.1
Address: 192.168.10.1#53
Name: arouet.globenet.org.
Address: 80.67.172.20
——————————-
It is important from here to understand what a virtual host is. You must know that modern web servers can host multiple websites on a single server, with a single IP address, and still direct the user to the right website given its FQDN (fully qualified domain name). This is called virtual hosting.
We now know that the reverse name for 80.67.172.20 is arouet.globenet.org. Let’s fire up a web browser and see whether there’s a website on this domain. Bingo, it’s an administration panel. Let’s keep this aside and move on.
You may have noticed that on the preceding queries, nslookup says: “non-authoritative answer”. It means that we are querying a DNS server which is not authoritative for the domain and thus we are going through the recursive DNS querying process. So let’s find the authoritative DNS servers for the zone 911investigations.net
——————————-
> set type=ns
> 911investigations.net
Server: 192.168.10.1
Address: 192.168.10.1#53
911investigations.net nameserver = arouet.globenet.org
911investigations.net nameserver = voltaire.globenet.org
——————————-
We already know arouet.globenet.org is our host. Let’s see who voltaire.globenet.org is.
——————————-
> set type=a
> voltaire.globenet.org
Server: 192.168.10.1
Address: 192.168.10.1#53
Non-authoritative answer:
Name: voltaire.globenet.org
Address: 80.67.172.13
——————————-
We have another DNS host address. [Note that having two DNS servers on the same subnet for one domain is not RFC compliant. Indeed if the gateway to that subnet was unavailable the hosts would not resolve. That’s why RFCs recommend using DNS servers on separate subnets.] We are now going to try a zone transfer from those two DNS servers. A zone transfer allows one to dump the zone content from the DNS server. Usually DNS servers refuse zone transfers from IPs that are not explicitly allowed, but sometimes a poorly configured DNS server allows them. So let’s try.
——————————-
> server 80.67.172.20
Default server: 80.67.172.20
Address: 80.67.172.20
> ls -d 911investigations.net
[80.67.172.20]
*** Unable to give list for domain 911investigations.net : Query refused
——————————-
No luck here. Let’s try with the second DNS.
——————————-
> server 80.67.172.13
Default server: 80.67.172.13
Address: 80.67.172.13
> ls -d 911investigations.net
[80.67.172.13]
*** Unable to give list for domain 911investigations.net : Query refused
——————————-
No luck here either. Not many DNS servers allow zone transfers, but when they do, it’s fun! Imagine having access to all the host names for a given domain. That can be of great value!
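The same refusal can be verified mechanically on nameservers you administer, which is how a defender confirms that "Query refused" is really what an unauthorised client gets. The following is an added example and not code from the article: it builds a minimal AXFR request with only the Python standard library, decodes the reply header, and classifies the outcome as refused, exposed (a NOERROR answer carrying records) or something else; the REFUSED_REPLY bytes are constructed for the offline demonstration, not captured from the servers above.

```python
import secrets
import socket
import struct

# DNS header RCODE values (RFC 1035 section 4.1.1); 5 is what nslookup
# reported above as "Query refused".
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_AXFR = 252
QCLASS_IN = 1


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels and a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid):
    """Build a DNS message asking for an AXFR of `zone` (without the TCP length prefix)."""
    # Flags are all zero: this is a query, and AXFR is never recursive.
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_header(reply, expected_txid):
    """Decode the 12-byte header of a reply into rcode, answer count and the AA flag."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, "RCODE%d" % rcode),
            "answers": an, "authoritative": bool(flags & 0x0400)}


def classify(parsed):
    """Turn a decoded header into the verdict an audit report needs."""
    if parsed["rcode"] == "REFUSED":
        return "refused"
    if parsed["rcode"] == "NOERROR" and parsed["answers"] > 0:
        return "exposed"  # the server started streaming the zone to us
    return "other:" + parsed["rcode"]


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def axfr_verdict(server, zone, timeout=5.0):
    """Send one AXFR request over TCP to `server` and classify the first reply message."""
    txid = secrets.randbelow(0x10000)
    query = build_axfr_query(zone, txid)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # RFC 1035 4.2.2 length prefix
        length, = struct.unpack("!H", recv_exact(sock, 2))
        reply = recv_exact(sock, length)
    return classify(parse_header(reply, txid))


# Constructed reply (not captured from the nameservers above): QR set, RCODE 5,
# the question echoed back, no records. This is "Query refused" on the wire.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(parse_header(REFUSED_REPLY, 0x1234)))  # refused
```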
Let’s search for some more information. Querying an authoritative server with the “set type=any” option can be interesting.
——————————-
> server 80.67.172.20
Default server: 80.67.172.20
Address: 80.67.172.20
> set type=any
> 911investigations.net
Server : [80.67.172.20]
Address: 80.67.172.20
911investigations.net internet address = 80.67.172.20
911investigations.net
primary name server = arouet.globenet.org
responsible mail addr = root.arouet.globenet.org
serial = 2006042501
refresh = 21600 (6 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
911investigations.net nameserver = arouet.globenet.org
911investigations.net nameserver = voltaire.globenet.org
911investigations.net MX preference = 5, mail exchanger = voltaire.globenet.org
——————————-
So what can we learn from this query? Well, the interesting piece of information is the serial: 2006042501. This serial is used to tell the secondary DNS when a zone was updated, so that it can duplicate the content. You could use any number here, and increase it only when you update a zone, but DNS admins conventionally use the date on which they updated the zone plus a trailing number. So 2006042501 is in fact 2006 April 25, 1st update of the day. So we know the zone was updated recently.
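The serial convention just described can be checked mechanically, which is useful on the defending side to confirm that secondaries are in sync and that a zone has not gone stale. This is an added example, not code from the article: it decodes a YYYYMMDDnn serial into a date and revision, compares serials with RFC 1982 serial-number arithmetic so a wrapped 32-bit counter is not misread, and reports which secondary lags. The serial and server names are the ones shown above; the lagging value for voltaire is constructed.

```python
from datetime import date

SERIAL_MOD = 2 ** 32  # SOA serials are unsigned 32-bit counters (RFC 1982)


def decode_date_serial(serial):
    """Interpret `serial` as YYYYMMDDnn; return (date, revision), or None if it is not one."""
    if not 0 <= serial < SERIAL_MOD:
        raise ValueError("serial outside the 32-bit range")
    text = "%010d" % serial           # 2006042501 -> "2006042501"
    try:
        when = date(int(text[0:4]), int(text[4:6]), int(text[6:8]))
    except ValueError:                # e.g. a plain counter such as 1 or 42
        return None
    return when, int(text[8:10])


def serial_gt(a, b):
    """RFC 1982: is a 'newer' than b on the 32-bit circle? (distance of exactly 2**31 is undefined: False)"""
    half = SERIAL_MOD // 2
    return (a < b and b - a > half) or (a > b and a - b < half)


def secondary_status(primary_serial, secondary_serials):
    """Map each secondary to 'in sync', 'behind' or 'ahead' relative to the primary."""
    report = {}
    for name, s in secondary_serials.items():
        if s == primary_serial:
            report[name] = "in sync"
        elif serial_gt(primary_serial, s):
            report[name] = "behind"   # zone changed and this secondary missed the refresh
        else:
            report[name] = "ahead"    # a secondary should never outrun its primary: investigate
    return report


def zone_age_days(serial, today=None):
    """Days since the zone was last touched, if the serial follows the date convention."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    decoded = decode_date_serial(serial)
    return None if decoded is None else (today - decoded[0]).days


if __name__ == "__main__":
    # Primary serial from the "set type=any" query above; the lagging value is constructed.
    print(decode_date_serial(2006042501))  # (datetime.date(2006, 4, 25), 1)
    print(secondary_status(2006042501, {"arouet.globenet.org": 2006042501,
                                        "voltaire.globenet.org": 2006042500}))
```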
We already knew which the two authoritative nameservers for 911investigations.net were, but now we also know the mail exchanger (MX) is voltaire.globenet.org. We already knew this host was potentially interesting, now we are sure it is. It would be worth running nmap against this host, but that’s not the topic of this article.
I think this is enough with nslookup. We could get more information from globenet.org, search for its MX records, etc., but for the moment I will stick to our main target: 911investigations.net
We already know who the hosting provider is (globenet.org) but let’s verify with the RIR whois database.
Let’s surf to www.arin.net and search for our main IP: 80.67.172.20
——————————-
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2005-07-27
# ARIN WHOIS database, last updated 2006-06-16 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
——————————-
Oh, the 80.x IP netblock is delegated to the RIPE (Europe). So we should query the ripe.net whois database instead. Let’s go to ripe.net
——————————-
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag.
% Information related to ‘80.67.172.0 - 80.67.172.127′
inetnum: 80.67.172.0 - 80.67.172.127
netname: GLOBENET
descr: Globenet network at Telehouse2 (Paris 11, France)
descr: Globenet
descr: 21 ter, rue Voltaire
descr: 75011 Paris
country: FR
admin-c: SB4267-RIPE
admin-c: BS993-RIPE
tech-c: NG243-RIPE
status: ASSIGNED PA
mnt-by: GITOYEN-NCC
source: RIPE # Filtered
role: NOC Globenet
address: 21 Ter rue Voltaire
address: F-75011 Paris
phone: +33 (1) 43 70 30 51
fax-no: +33 (1) 43 72 15 77
e-mail: [email protected]
remarks: trouble: Email is preffered
admin-c: BS993-RIPE
tech-c: BS993-RIPE
nic-hdl: NG243-RIPE
mnt-by: Gitoyen-NCC
source: RIPE # Filtered
person: Stephane Bortzmeyer
address: Netaktiv
address: 223, rue de Charenton
address: 75012 Paris
phone: +33 1 40 02 92 22
fax-no: +33 1 40 02 01 02
e-mail: [email protected]
nic-hdl: SB4267-RIPE
mnt-by: Gitoyen-NCC
source: RIPE # Filtered
person: Benjamin Sonntag
address: Benjamin Sonntag
address: 17 rue Ernest Cresson
address: F-75014 Paris
phone: +33 8 70 71 18 05
e-mail: [email protected]
nic-hdl: BS993-RIPE
mnt-by: Gitoyen-NCC
source: RIPE # Filtered
% Information related to ‘80.67.160.0/19AS20766′
route: 80.67.160.0/19
descr: Route to Gitoyen
origin: AS20766
mnt-by: GITOYEN-NCC
source: RIPE # Filtered
——————————-
One valuable piece of information is that the hosting company has the 80.67.172.0 - 80.67.172.127 IP range. If someone had to compromise a host to get into its target, it would make sense to scan that entire range, but I guess you already know how to go on from here.
I almost forgot one step: check the regular registrar database. You should always do it, some valuable information may be there. Fire up your telnet client. We will query the Internic whois database directly (we are searching a .net domain, so it’s managed by whatever registrar, but in coordination with the Internic whois databases).
——————————-
# telnet whois.internic.net 43
Trying 198.41.0.6…
Connected to whois.internic.net.
Escape character is ‘^]’.
help
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
<WHOIS help>
Select a sub-topic for help; ‘?’ (with no RETURN) for a list of options;
RETURN key to return to WHOIS.
<OVERVIEW>
WHOIS is used to look up records in the registry database. Whois can provide
information about domains, nameservers, and registrars.
Enter a string to search the database. By default, WHOIS performs a very
broad search, looking in all record types for matches to your query in
these fields: domain name, nameserver name, nameserver IP address, and
registrar names. Use keywords to narrow the search (for example, ‘domain
root’).
WHOIS displays the results in one of two ways: as a full, detailed
display one-line summaries for single/multiple matches.
Often, the search finds more records than just the one wanted. Specify
both type and full name to look up a specific record (for example,
‘domain ibm.com’).
Specify only part of the search string to perform a “partial” search on domain.
Every domain STARTING with the string will be found. A trailing dot (or dots)
after your text or the PArtial keyword indicates a partial search. For
example, entering ‘mack.’ will find “Mack”, “Mackall”, “Mackay”, and so on.
Refer to the section “KEYWORD overview” for a description of the different
types of keywords WHOIS takes.
<KEYWORD overview>
WHOIS keywords fall into categories: those that specify the TYPE of
records to search, those that modify the interpretation of the input or
tell the type of output to produce, and those that are commands such as
HELP or QUIT.
The following keywords restrict a search to a certain TYPE of field in the
database:
domain
Finds a domain record. Find out domain name, registrar name,
whois server and URL, Nameserver name and IP Addresses, and updated
date. For example, “domain netsol.com”.
nameserver
Finds nameserver records. Find out nameserver name, registrar name,
IP addresses, Whois Server name and URL. For example,
‘nameserver DNS.SPRINTLINK.COM’ or ‘nameserver 101.198.1.101′.
registrar
Finds records for “registrar”. Find out Registrar name, mail
address, phone number and contact information. For example,
‘registrar Network Solutions, Inc.’
<Output keywords>
These keywords control the display of search results:
EXPand or ‘=’
Always expand the long display for a single match to
include all the subdisplays.
‘~’ Never show subdisplays. This is the opposite of ‘=’ or EXPand.
Full or ‘=’
Gives long display for every matching record.
SUMmary Always show a summary line for each match, even if there is
only one.
The following record types have these summary:
Record type Summary
——————- —————————-
domain domain name
nameserver nameserver name
registrar registrar name and whois server
a summary of the matching record is shown and the subdisplay follows
directly after.
<Updates, suggestions, bug reports>
For general questions, comments and suggestions, or bug reports
send email to [email protected]
>>> Last update of whois database: Sat, 17 Jun 2006 03:52:46 EDT <<<
NOTICE: The expiration date displayed in this record is the date the
registrar’s sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant’s agreement with the sponsoring
registrar. Users may consult the sponsoring registrar’s Whois database to
view the registrar’s reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services’ (”VeriSign”) Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
——————————-
Sorry for the long cut and paste, but it’s a MUST READ. From what we read above we know we can try: domain 911investigations.net
——————————-
domain 911investigations.net
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: 911INVESTIGATIONS.NET
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: VOLTAIRE.GLOBENET.ORG
Name Server: AROUET.GLOBENET.ORG
Status: REGISTRAR-LOCK
Updated Date: 30-oct-2005
Creation Date: 21-jun-2002
Expiration Date: 21-jun-2007
>>> Last update of whois database: Sat, 17 Jun 2006 03:52:46 EDT <<<
——————————-
We are now querying the gandi.net whois database to get information about the owner of the domain
——————————-
# telnet whois.gandi.net 43
Trying 217.70.177.37…
Connected to whois.gandi.net.
Escape character is ‘^]’.
911investigations.net
% GANDI Registrar whois database for .COM, .NET, .ORG., .INFO, .BIZ, .NAME
%
% Access and use restricted pursuant to French law on personal data.
% Copy of whole or part of the data without permission from GANDI
% is strictly forbidden.
% The sole owner of a domain is the entity described in the relevant
% ‘domain:’ record.
% Domain ownership disputes should be settled using ICANN’s Uniform Dispute
% Resolution Policy: http://www.icann.org/udrp/udrp.htm
%
% Acces et utilisation soumis a la legislation francaise sur
% les donnees personnelles.
% Copie de tout ou partie de la base interdite sans autorisation de GANDI.
% Le possesseur d’un domaine est l’entite decrite dans
% l’enregistrement ‘domain:’ correspondant.
% Un desaccord sur la possession d’un nom de domaine peut etre resolu
% en suivant la Uniform Dispute Resolution Policy de l’ICANN:
% http://www.icann.org/udrp/udrp.htm
%
% Date: 2006/06/17 17:59:41
domain: 911INVESTIGATIONS.NET
owner-name: Raphaël MEYSSAN
owner-address: BP 35
owner-address: France
admin-c: TM255-GANDI
tech-c: RM271-GANDI
bill-c: TM255-GANDI
nserver: voltaire.globenet.org 80.67.172.13
nserver: arouet.globenet.org
reg_created: 2002-06-21 19:53:51
expires: 2007-06-21 19:53:51
created: 2002-06-22 01:53:52
changed: 2005-08-11 14:45:22
person: Thierry MEYSSAN
nic-hdl: TM255-GANDI
address: Réseau Voltaire
address: 93, rue de Maubeuge
address: France
phone: +33.199999999
fax: +33.199999999
e-mail: [email protected]
lastupdated: 2006-06-01 03:48:23
person: Raphaël MEYSSAN
nic-hdl: RM271-GANDI
address: BP 35
address: France
phone: +33.148092054
fax: +33.148092015
e-mail: [email protected]
lastupdated: 2006-06-01 08:35:36
——————————-
You can see different domain names that could be interesting: voltairenet.org, meyssan.net. It’s too bad current whois databases don’t allow searching by nic handle. A few years ago it was possible to query the Network Solutions whois database and get all the domains a nic handle was in charge of. I believe this is still possible at some ccTLD registrars.
I will go back to the Internic whois server because it allows keyword search. Maybe there are other “911investigations” domains? To do a broad query just put a dot ‘.’ at the end of the name:
——————————-
911invest.
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
911INVESTORS.COM
911INVESTORDEALS.COM
911INVESTMENTS.NET
911INVESTMENTS.COM
911INVESTIGATIONS.NET
911INVESTIGATIONS.COM
911INVESTIGATION.NET
911INVESTIGATION.COM
911INVEST.COM
To single out one record, look it up with “xxx”, where xxx is one of the
of the records displayed above. If the records are the same, look them up
with “=xxx” to receive a full display for each record.
——————————-
I guess the “invest” and “investor” things are not interesting, but we have four 911investigation* domains. Do they belong to the same person, do they point to the same website? Or to a different virtual host? There are many ways to find out: fire up your web browser, ping the hosts, query the whois database, … Obviously here they don’t. One is a legitimate website, but the two others are domain squatting at the time of this writing.
This ability to search with keywords on the Internic whois servers has allowed a few companies to build their own databases of domain names, and they offer query interfaces to them. That will help us find out whether more domains than www.911investigations.net are hosted on the same IP. We will first go to http://www.domaintools.com/reverse-ip/ and just type the IP 80.67.172.20 or 911investigations.net in the search field. Note: this site requires free registration.
——————————-
Search Results for 80.67.172.20
41 Results for 80.67.172.20
Website DMOZ Yahoo
1. 911investigations.net 1 listings 0 listings
2. a-ipi.net 0 listings 0 listings
3. alia2.net 0 listings 0 listings
4. altercom.org 0 listings 0 listings
5. aschkar.org 0 listings 0 listings
6. asile.org 4 listings 1 listings
7. axisforpeace.com 0 listings 0 listings
8. axisforpeace.net 1 listings 0 listings
9. axisforpeace.org 0 listings 0 listings
10. desidela.net 0 listings 0 listings
11. effroyable-imposture.net 0 listings 0 listings
12. effroyableimposture.net 0 listings 0 listings
13. elsucre.net 0 listings 0 listings
14. felap.net 0 listings 0 listings
15. gulfinvestigations.net 1 listings 0 listings
16. iraqresistance.net 0 listings 0 listings
17. jeboycottedanone.com 0 listings 0 listings
18. lapenseelibre.org 0 listings 0 listings
19. liaison-rwanda.com 0 listings 0 listings
20. meyssan.com 0 listings 0 listings
21. meyssan.info 0 listings 0 listings
22. meyssan.net 0 listings 0 listings
23. meyssan.org 0 listings 0 listings
24. observatoriomedios.net 0 listings 0 listings
25. pentagate.info 0 listings 0 listings
26. periodicopcion.net 0 listings 0 listings
27. redvoltaire.com 0 listings 0 listings
28. redvoltaire.net 0 listings 0 listings
29. reseauvoltaire.com 0 listings 0 listings
30. reseauvoltaire.info 0 listings 0 listings
31. reseauvoltaire.net 0 listings 0 listings
32. reseauvoltaire.org 0 listings 0 listings
33. utpba.net 0 listings 0 listings
34. vo-is.net 0 listings 0 listings
35. voltairenet.com 0 listings 0 listings
36. voltairenet.info 0 listings 0 listings
37. voltairenet.net 0 listings 0 listings
38. voltairenet.org 4 listings 0 listings
39. voltairenetwork.com 0 listings 0 listings
40. voltairenetwork.net 0 listings 0 listings
41. x93.org 0 listings 0 listings
——————————-
Yeeeeeha! 41 hosts. After a few checks in the whois records, you can see they belong to the same person. Fire up a browser and you can see these are almost all virtual hosts, each with its own website. That’s lots of sites to check for SQL injections or PHP flaws (it seems most of those websites have custom PHP scripts, surely with a MySQL backend, a dream for nasty people like you! I guess the chance of finding a hole in one of these is above 90%).
There are other services like this one. We should query all of them. For example http://webhosting.info, which gives us 42 hosts (that’s one more!):
——————————-
80.67.172.20 - IP hosts 42 Total Domains …
Showing 1 - 42 out of 42
Domain Name
1 911INVESTIGATIONS.NET.
2 A-IPI.NET.
3 ALIA2.NET.
4 ALTERCOM.ORG.
5 ASCHKAR.ORG.
6 ASILE.ORG.
7 AXE-DE-LA-PAIX.NET.
8 AXEPOURLAPAIX.COM.
9 AXEPOURLAPAIX.NET.
10 AXEPOURLAPAIX.ORG.
11 AXIS-OF-PEACE.NET.
12 AXISFORPEACE.COM.
13 AXISFORPEACE.NET.
14 AXISFORPEACE.ORG.
15 DESIDELA.NET.
16 EFFROYABLE-IMPOSTURE.NET.
17 EFFROYABLEIMPOSTURE.NET.
18 ELSUCRE.NET.
19 FELAP.NET.
20 GULFINVESTIGATIONS.NET.
21 IRAQRESISTANCE.NET.
22 JEBOYCOTTEDANONE.COM.
23 LIAISON-RWANDA.COM.
24 MEYSSAN.COM.
25 MEYSSAN.INFO.
26 MEYSSAN.NET.
27 MEYSSAN.ORG.
28 OBSERVATORIOMEDIOS.NET.
29 PENTAGATE.INFO.
30 PERIODICOPCION.NET.
31 REDVOLTAIRE.COM.
32 REDVOLTAIRE.NET.
33 RESEAUVOLTAIRE.COM.
34 RESEAUVOLTAIRE.INFO.
35 RESEAUVOLTAIRE.NET.
36 RESEAUVOLTAIRE.ORG.
37 TOUNETTES.ORG.
38 UTPBA.NET.
39 VO-IS.NET.
40 VOLTAIRENETWORK.COM.
41 VOLTAIRENETWORK.NET.
42 X93.ORG.
——————————-
http://www.domainsdb.net is also great but is down at the time of this writing. Hope it will reappear soon. There is also http://www.searchmee.com/web-info/ip-hunt.php, which will give you the domains for a whole subnet, not only your IP!! Here is an excerpt of the results:
——————————-
[...] cut for briefness
80.67.172.2 www.federation-anarchiste.org (8) Pages Apache 2005-12-14 08:59:25
80.67.172.2 www.france-fdh.org (1) Pages Apache 2006-04-17 23:42:52
80.67.172.2 www.hanumann.org (1) Pages Apache 2005-07-29 00:39:56
80.67.172.2 www.maisondesmetallos.org (2) Pages Apache 2005-12-11 05:16:55
80.67.172.2 www.mamacoca.org (3) Pages Apache 2005-08-03 13:12:30
80.67.172.2 www.mediabenin.org (1) Pages Apache 2005-07-29 05:12:48
80.67.172.2 www.opal-vision.org (1) Pages Apache 2005-08-01 08:05:15
80.67.172.2 www.penelopes.org (4) Pages Apache 2006-04-22 17:29:53
80.67.172.2 www.pu-investigation.org (1) Pages Apache 2005-07-27 19:30:23
80.67.172.2 www.wise-paris.org (1) Pages Apache 2005-08-03 06:37:39
80.67.172.2 www.yam-pukri.org (1) Pages Apache 2005-07-28 19:55:29
80.67.172.6 www.vefblog.net (1) Pages 2005-08-27 10:16:14
aubenas.rsf.org (1) Pages Server Error 302 - http://www.rsf.org/rubrique.php3?id_rubrique=459/robots.txt 2005-07-31 00:24:07
www.internet.rsf.org (1) Pages Server Error 302 - http://www.rsf.org/rubrique.php3?id_rubrique=273/robots.txt 2005-07-29 17:04:39
www.rsf.fr (6) Pages 2006-03-28 03:14:40
www.rsfitalia.org (1) Pages Not in DNS 2005-07-29 15:14:20
iraqresistance.net (1) Pages Server Error 302 - http://www.iraqresistance.net/robots.txt 2005-07-28 23:48:31
www.effroyableimposture.net (1) Pages 2005-08-05 23:02:04
80.67.172.13 www.gulfinvestigations.net (1) Pages Apache 2005-07-29 17:46:13
80.67.172.13 www.redvoltaire.net (7) Pages Apache 2005-08-27 06:40:00
80.67.172.20 deephousemafia.org (1) Pages Server Error 302 - http://deephousemafia.org 2005-12-18 04:11:01
80.67.172.20 online.xthehun.com (1) Pages 2005-12-18 07:03:24
80.67.172.20 sweet-stuffs.diaryland.com (1) Pages Server Error 302 - http://www.diaryland.com/error.html 2005-12-17 21:40:14
80.67.172.20 www.911investigations.net (1) Pages Apache 2005-10-05 14:41:54
80.67.172.20 www.alia2.net (1) Pages Apache 2005-10-05 14:41:54
80.67.172.20 www.altercom.org (2) Pages Apache 2006-04-29 10:09:19
80.67.172.20 www.asile.org (3) Pages Apache 2006-06-08 01:26:06
80.67.172.20 www.axisforpeace.net (1) Pages Apache 2006-05-31 04:42:44
80.67.172.20 www.datona.com (1) Pages Apache/2.0.46 (Red Hat) 2005-12-17 20:36:50
80.67.172.20 www.document-doctor.co.uk (1) Pages Apache/1.3.33 (Unix) 2005-12-17 23:13:24
80.67.172.20 www.effroyable-imposture.net (2) Pages Apache 2005-10-05 11:14:14
80.67.172.20 www.engad.org (1) Pages Apache 2005-12-06 22:12:30
80.67.172.20 www.gehrigal.de (1) Pages Apache/1.3.33 (Unix) 2005-12-07 04:32:58
80.67.172.20 www.iraqresistance.net (1) Pages Apache 2005-10-05 16:49:16
80.67.172.20 www.pentagate.info (1) Pages Apache 2005-10-05 14:41:54
80.67.172.20 www.reseauvoltaire.net (17) Pages Apache 2005-10-05 11:14:14
80.67.172.20 www.setvoltaire.net (0) Pages 2005-08-24 08:54:55
80.67.172.20 www.shabakatvoltaire.net (0) Pages Apache 2005-10-05 14:41:54
80.67.172.20 www.siecvoltaire.net (0) Pages 2005-08-24 08:54:56
80.67.172.20 www.voltairenet.org (5) Pages Apache 2006-06-17 10:08:37
80.67.172.20 www.voltairenetwork.net (0) Pages 2005-08-24 08:54:54
80.67.172.23 www.no-log.org (0) Pages Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.0.54 OpenSSL/0.9.7e 2005-08-02 22:12:39
80.67.172.27 www.champagne-viticole.fr (1) Pages Apache/1.3.33 (Darwin) PHP/4.3.6 mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7i 2006-05-20 08:51:54
80.67.172.27 www.egypt.edu (2) Pages Apache/1.3.33 (Darwin) PHP/4.3.6 mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.22 OpenSSL/0.9.7b 2005-07-29 04:48:23
80.67.172.32 www.cnt-f.org (5) Pages Apache
[...] cut for briefness
——————————-
You could ask what the use is of knowing the domain names hosted on other IPs of the same subnet. Well, if someone could compromise a host located on the same subnet as your server, chances are high the computers are located on the same physical hub or switch (just look at the traceroute result), so this person could easily sniff the traffic going from and to your host.
Another database we should look at is the netcraft.com website. It has a reverse lookup database which is very interesting and can be queried using keywords. Let’s try a search for “911investigations” at http://searchdns.netcraft.com/?host:
——————————-
Results for 911investigations
Found 1 site
Site Site Report First seen Netblock OS
1. www.911investigations.net Site Report April 2003 Globenet network at Telehouse2 (Paris 11, France) Linux
Copyright © Netcraft Ltd 2006
——————————-
Nothing much, but sometimes it can be useful. Now you can tell me that this process is quite boring… Having to query all these databases is painful. There should be a tool to automate this process. Well, you are right! There is a tool: revhosts.py! You can find it here: http://www.revhosts.net although the site is down at the moment.
Revhosts is a Python tool written by Fabrice MOURRON <[email protected]>. It’s made of plugins, so it can easily be extended. Here are the results of revhosts.py (I am running 1.0.87 but it seems there is a newer version out on the official website, which is down at the moment):
——————————-
# ./revhosts.py www.911investigations.net -e -v
Plugin [webhosting] in action . . .
Plugin [webhosting] return . . . . . [found 40 result(s)]
Plugin [MSN Search] in action . . .
Plugin [MSN Search] return . . . . . [found 10 result(s)]
Plugin [iphunt] in action . . .
Plugin [iphunt] return . . . . . [found 42 result(s)]
Plugin [SSL CNAME] in action . . . .
Timed out talking to 80.67.172.20:465, continue !
Timed out talking to 80.67.172.20:563, continue !
Timed out talking to 80.67.172.20:585, continue !
Timed out talking to 80.67.172.20:636, continue !
Timed out talking to 80.67.172.20:990, continue !
Timed out talking to 80.67.172.20:992, continue !
Timed out talking to 80.67.172.20:994, continue !
Plugin [SSL CNAME] return . . . . . [3 result(s)]
Verify, Hash and Sort in action . .
911investigations.net
a-ipi.net
altercom.org
aschkar.org
asile.org
axisforpeace.com
axisforpeace.net
axisforpeace.org
desidela.net
effroyable-imposture.net
effroyableimposture.net
elsucre.net
felap.net
gulfinvestigations.net
iraqresistance.net
jeboycottedanone.com
liaison-rwanda.com
mail.voltairenet.org
meyssan.com
meyssan.info
meyssan.net
meyssan.org
observatoriomedios.net
pentagate.info
periodicopcion.net
redvoltaire.com
redvoltaire.net
reseauvoltaire.com
reseauvoltaire.info
reseauvoltaire.org
utpba.net
vo-is.net
voltairenetwork.com
voltairenetwork.net
www.911investigations.net
www.altercom.org
www.asile.org
www.axisforpeace.net
www.effroyable-imposture.net
www.gulfinvestigations.net
www.pentagate.info
www.voltairenet.org
———————————————-
Found 42 VirtualHost(s) on 80.67.172.20 address
———————————————-
——————————-
Nice! Note that the -e option is used to get names from the CNAMEs stored in SSL certificates, if any are used on the host. From this session we have gathered the mail.voltairenet.org hostname, which we had not found before. Note: I had to disable the whois_sc plugin because the website changed from whois.sc to domaintools.com and so it needs a few tweaks that I am too lazy to do tonight.
Ok, we are approaching the end of this article. One last step I would like to do is to find out whether there are hosts like admin.911investigations.net or webmail.911investigations.net or extranet.911investigations.net, … Of course I could try all these from a nslookup prompt but that would be damn long. So why not use a DNS “bruteforce resolver” which takes a dictionary as input and tries to resolve all the hosts for us? You are lucky because I found one (if not it would be easy to make one…). The tool is Brutedomain, coded by erkan Akpolat [email protected]. The homepage used to be http://www.core.gen.tr/~serkan but now you can find it on http://packetstormsecurity.org. Taken from the source code of the file, this is the manual of Brutedomain:
This is a tool for bruteforcing domain names, which dont have reverse lookup.
Some examples:
* bd -i wordlist.txt superonline.com # Use the words from input file
* bd -s 2 -e 4 superonline.com # Generate words min 2 chars max 4 chars
* bd -p superonline.com # Prefined words
The tarball contains only a single .c file that you have to compile.
——————————-
# gcc brutedomain.c -Wall -ansi -o bd
# ./brutedomain -i hosts.txt 911investigations.net
admin.911investigations.net-> 80.67.172.20
dns.911investigations.net-> 80.67.172.20
extranet.911investigations.net-> 80.67.172.20
intranet.911investigations.net-> 80.67.172.20
ftp.911investigations.net-> 80.67.172.20
mail.911investigations.net-> 80.67.172.20
mysql.911investigations.net-> 80.67.172.20
news.911investigations.net-> 80.67.172.20
[...] cut for briefness
——————————-
You can see that whatever.911investigations.net resolves to 80.67.172.20. This means a wildcard has been set in the DNS zone for this domain, so the bruteforce is useless here: every name “exists”. After a few tests it seems all the domains found earlier have a wildcard configured. I guess the server has a kind of “Admin panel” which automates the addition of a new domain and sets up the DNS zones automatically with a wildcard by default. But there is one domain we could bruteforce for DNS entries: globenet.org, the domain name of the provider:
——————————-
# ./brutedomain -i hosts.txt globenet.org
ftp.globenet.org-> 80.67.172.48
mail.globenet.org-> 80.67.172.47
news.globenet.org-> 80.67.169.12
ns0.globenet.org-> 80.67.172.5
ns3.globenet.org-> 80.67.172.2
pop.globenet.org-> 80.67.172.47
smtp.globenet.org-> 80.67.172.47
sql.globenet.org-> 80.67.172.33
www.globenet.org-> 80.67.172.48
webmail.globenet.org-> 80.67.172.48
Have a nice day!
——————————-
That’s a good example, isn’t it? Note that I have done the scanning with a very small dictionary.
——————————-
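The wildcard problem above is worth handling before any dictionary run: resolve a few random labels first, and if they answer, treat that address as noise. The following is an added example written for this article, not Brutedomain’s code; the zone tables and the fake resolver are constructed so it runs offline, and the wildcard entry for 911investigations.net mirrors the behaviour described above.

```python
import secrets
import socket
from typing import Callable, Dict, Optional, Set, Tuple

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4 string, or None if no record

def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS resolver (needs network); swap in for live use."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels that cannot exist; any answer comes from a wildcard."""
    addrs = set()
    for _ in range(probes):
        addr = resolve(f"{secrets.token_hex(6)}.{domain}")
        if addr is not None:
            addrs.add(addr)
    return addrs

def brute_domain(domain: str, wordlist, resolve: Resolver) -> Tuple[Set[str], Dict[str, str]]:
    """Try every word as a label; drop hits that only echo the wildcard address."""
    wild = wildcard_addresses(domain, resolve)
    found = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        addr = resolve(host)
        # A real host sharing the wildcard address cannot be told apart from a
        # non-existent one by its A record alone, so it is skipped as well.
        if addr is not None and addr not in wild:
            found[host] = addr
    return wild, found

def fake_resolver(zone: Dict[str, str], wildcard: Optional[Tuple[str, str]] = None) -> Resolver:
    """Offline stand-in for DNS: a fixed zone table plus an optional (domain, addr) wildcard."""
    def resolve(name: str) -> Optional[str]:
        if name in zone:
            return zone[name]
        if wildcard and name.endswith("." + wildcard[0]):
            return wildcard[1]
        return None
    return resolve

# Constructed sample zones modelled on the article's output, not live DNS answers.
GLOBENET_ZONE = {"ftp.globenet.org": "80.67.172.48", "mail.globenet.org": "80.67.172.47",
                 "ns0.globenet.org": "80.67.172.5", "www.globenet.org": "80.67.172.48"}
WILDCARD_911 = ("911investigations.net", "80.67.172.20")
WORDLIST = ["admin", "ftp", "mail", "ns0", "www", "webmail"]
```

Running brute_domain against the globenet.org table returns the four real hosts and an empty wildcard set, while the 911investigations.net table returns the wildcard address 80.67.172.20 and no hosts, which is exactly why the article moves on to the provider’s domain.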
Conclusion
============
You can see that from a single domain name, ‘911investigations.net’, we have gathered dozens of other domain names, with a lot of websites to look at. Each of these websites could have a security flaw which could lead to the takeover of the whole server. We have also found the address of an admin panel and of the main services of the hosting company without ever using a port scan tool.
If you are interested in information gathering through DNS, DNSSec is definitely something you should look at. Simon has discovered a flaw in the implementation of DNSSec which allows complete zone transfers! He has released a tool called ‘Walker 3.8’ here: http://josefsson.org/walker/. Unfortunately DNSSec is still very rare. However, you can test it with the .se root servers, which have DNSSec enabled. This means that with Walker 3.8 you can dump the whole .se zone and get all the existing domains it contains!
Another tool to look at is DMitry (Deepmagic Information Gathering Tool), coded by kernel. Homepage: http://www.mor-pah.net. It can gather whois data and scan a host. I do not use it often, but it’s an interesting tool.
Source: GovernmentSecurity.com by EnoDr
Instead of just saying Source GSO let's put GovernmentSecurity.org
Feel free to stop by and join our 25,000 member strong community
Sure, I am already a member of the community
Actually GSO is famous, so I thought to write it like GSO
Np, I will write it as Government Security